[strongSwan] policy mismatch
ccsalway at yahoo.co.uk
Wed May 2 10:32:17 CEST 2018
Windows has got its setup all messed up then… it also offers the weakest ciphers first. What a pain! I notice OSX does it correctly though - strongest ciphers offered first.
For the record, the IKE proposals that work for OSX and Windows (with weak or strong ciphers enabled) is as follows
> On 2 May 2018, at 09:05, Tobias Brunner <tobias at strongswan.org> wrote:
> Hi Christian,
>> When Windows connects, strongSwan gives it the wrong policy and hence
>> Windows 10 reports a*policy match error*
>> May 1 21:53:12 08[CFG] *received proposals*:
>> May 1 21:53:12 08[CFG] *configured proposals*:
>> May 1 21:53:12 08[CFG] selected proposal:
>> Expected response (I'm guessing)
>> *AES_GCM_16_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024 *(although
>> I dont know why it doesnt chose the better ciphers).
> No, with AES-GCM there is no integrity algorithm (HMAC_SHA* here) needed
> as combined-mode ciphers like AES-GCM provide both encryption and
> integrity protection (see section 8 in RFC 5282  and section 3.3 in
> RFC 7296 ).
> So the problem is that the client proposes invalid proposals and
> probably expects an invalid proposal back.
>  https://tools.ietf.org/html/rfc5282#section-8 <https://tools.ietf.org/html/rfc5282#section-8>
>  https://tools.ietf.org/html/rfc7296#section-3.3 <https://tools.ietf.org/html/rfc7296#section-3.3>
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Users