[strongSwan] IKE Connection on iOS 12 Only Able to Use DH Group 2 (modp1024)

brian.g.colby at gmail.com brian.g.colby at gmail.com
Tue Feb 19 00:14:14 CET 2019 

Hello,

 

I have an iOS configuration profile that is proposing make the Phase 1
connection with Diffie-Hellman Group 21 (ecp521).

 

I have opened the profile in an XML editor and confirmed that the settings
show DH Group 21:

 

<key>IKESecurityAssociationParameters</key>

<dict>

<key>DiffieHellmanGroup</key>

                <integer>21</integer>

                <key>EncryptionAlgorithm</key>

                <string>AES-256</string>

                <key>IntegrityAlgorithm</key>

                <string>SHA2-256</string>

                <key>LifeTimeInMinutes</key>

                <integer>1440</integer>

</dict>

 

The same settings are reflected in my ipsec.conf file:

 

conn GPIT

    keyexchange=ike

    ike=aes256-sha256-ecp521!

    esp=aes256-sha256-ecp521!

    dpdaction=clear

    dpddelay=300s

    rekey=no

    left=%any

    leftsubnet=0.0.0.0/0

    leftcert=vpn03generalpurposeitcom.pem

    leftfirewall=yes

    leftid=vpn03.generalpurposeit.com

    leftauth=pubkey

    leftsendcert=always

    right=%any

    rightid=%any

    rightauth=eap-radius

    rightsendcert=never

    rightsourceip=172.16.10.1/24

    auto=add

 

The log file shows the following:

 

Dec 19 13:41:15 vpn03 strongswan: 10[CFG] received proposals:
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024

Dec 19 13:41:15 vpn03 strongswan: 10[CFG] configured proposals:
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521

Dec 19 13:41:15 vpn03 strongswan: 10[IKE] received proposals unacceptable

 

Without changing the configuration profile, if I change my ipsec.conf file
to read "ike=aes256-sha256-modp1024!" it will connect.but since DH Group 2
is deprecated, I obviously cannot keep this long term.  The Phase 2
connection works fine with the "esp=aes256-sha256-ecp521!" line in my
ipsec.conf file.

 

I have read in the strongSwan wiki a reference to a known bug in iOS in iOS
9+ which reads "For manual configurations, specify only DH group 2
(modp1024) in the ike configuration. Although the iOS client claims to
support modp1536, an unfixed bug prevents these connections from
succeeding."
(https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients)  Is this
still the case?  I opened up a bug fix with Apple regarding this, but I
haven't seen any response yet.  Thank you.

 

R/s,

Brian

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20190218/8d9bfe61/attachment-0001.html>

More information about the Users mailing list