[strongSwan] disregarded Diffie-Hellman group
Marco Berizzi
pupilla at hotmail.com
Wed Jun 3 13:07:46 CEST 2020
Hello everyone,
I'm experiencing a problem with an IKEv2 tunnel to a customer.
I'm running strongSwan 5.8.4, compiled from sources.
This is my configuration file:
    children {
        networks1 {
            local_ts = 10.101.32.0/30
            remote_ts = 10.101.10.0/25
            start_action = trap
            esp_proposals = aes256-sha512-ecp521
            rekey_time = 3600
            dpd_action = restart
        }
        networks2 {
            local_ts = 10.101.32.0/30
            remote_ts = 10.101.16.0/24
            start_action = trap
            esp_proposals = aes256-sha512-ecp521
            rekey_time = 3600
            dpd_action = restart
        }
    }
Sometimes the customer's IPsec peer acts as the initiator
and for some reason it proposes aes256-sha512
without any Diffie-Hellman group, and strongSwan
accepts it. Here are the log messages:
received proposals: ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ
configured proposals: ESP:AES_CBC_256/HMAC_SHA2_512_256/ECP_521/NO_EXT_SEQ
selected proposal: ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ
and this is the 'swanctl -l' output:
    ESTABLISHED, IKEv2, 60de91499e6b7dfa_i 77c55b0c87bc1cae_r*
      AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521
      established 885s ago, reauth in 79513s
      networks1: #1849832, reqid 811, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_512_256
        installed 722s ago, rekeying in 2532s, expires in 3238s
        in  c9057fde,        0 bytes,    0 packets
        out 38bfaa76,    10320 bytes,  258 packets,     4s ago
        local  10.101.32.0/30
        remote 10.101.10.0/25
      networks2: #1849845, reqid 813, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_512_256/ECP_521
        installed 692s ago, rekeying in 2577s, expires in 3268s
        in  c53b9387,  7143044 bytes, 7957 packets,     1s ago
        out 38bfaa77,  1337085 bytes, 7138 packets,     1s ago
        local  10.101.32.0/30
        remote 10.101.16.0/24
As you can see, one traffic selector is correctly established
(networks2) and the other (networks1) is not.
Is there any configuration tweak that should be done to
reject the proposal without the Diffie-Hellman group?
Thanks
Marco
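The mismatch Marco describes is visible in two places: the charon log lines ("configured proposals" names ECP_521, "selected proposal" does not) and the ESP proposal printed per CHILD_SA by 'swanctl -l'. The following script is an added example, not part of the original post or of the strongSwan project; it parses both formats and reports CHILD_SAs that were negotiated without any DH (PFS) group even though one was configured, so the condition can be caught by monitoring rather than by reading the listing by hand. The sample input is copied from the post above; the regular expressions and the rule "a transform starting with MODP_, ECP_ or CURVE_ is a DH group" are the example's own assumptions about strongSwan's log format.

```python
"""Detect strongSwan CHILD_SAs established without a Diffie-Hellman (PFS) group.

Added example (not strongSwan code). Works on two text sources:
  * charon log lines: "configured proposals: ..." / "selected proposal: ..."
  * 'swanctl -l' output:  "<child>: #<id>, reqid <n>, INSTALLED, TUNNEL, ESP:<transforms>"
"""
import re

# Sample input taken from the mailing-list post (constructed test data).
LOG = """\
received proposals: ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ
configured proposals: ESP:AES_CBC_256/HMAC_SHA2_512_256/ECP_521/NO_EXT_SEQ
selected proposal: ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ
""".splitlines()

SWANCTL = """\
networks1: #1849832, reqid 811, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_512_256
  installed 722s ago, rekeying in 2532s, expires in 3238s
networks2: #1849845, reqid 813, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_512_256/ECP_521
  installed 692s ago, rekeying in 2577s, expires in 3268s
""".splitlines()

# Assumption: strongSwan prints DH groups with one of these prefixes.
DH_PREFIXES = ("MODP_", "ECP_", "CURVE_")

# "configured proposals: ESP:A/B/C, ESP:D/E" -> only the first proposal is read here.
LOG_RE = re.compile(r"(received proposals|configured proposals|selected proposal):\s*([^,\s]+)")

# One CHILD_SA header line of 'swanctl -l' (assumed layout, matches the post).
CHILD_RE = re.compile(
    r"^\s*(?P<name>[\w.-]+): #\d+, reqid \d+, (?P<state>\w+), \w+, "
    r"(?P<proposal>(?:ESP|AH):\S+)"
)


def parse_proposal(text):
    """Split 'ESP:AES_CBC_256/HMAC_SHA2_512_256/ECP_521' into (protocol, [transforms])."""
    proto, _, algs = text.strip().partition(":")
    return proto, [a for a in algs.split("/") if a]


def dh_groups(transforms):
    """Return the subset of transforms that are DH groups."""
    return {t for t in transforms if t.startswith(DH_PREFIXES)}


def audit_log(lines):
    """Compare configured vs. selected DH groups in charon's proposal log lines."""
    found = {}
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            kind = m.group(1).split()[0]          # received / configured / selected
            _, transforms = parse_proposal(m.group(2))
            found[kind] = dh_groups(transforms)
    configured = found.get("configured", set())
    selected = found.get("selected", set())
    return {
        "configured": configured,
        "selected": selected,
        # A DH group was configured but the peer's proposal was accepted without one.
        "missing_dh": bool(configured) and not selected,
    }


def audit_children(lines):
    """Map each CHILD_SA name in 'swanctl -l' output to the DH groups in its proposal."""
    result = {}
    for line in lines:
        m = CHILD_RE.match(line)
        if m:
            _, transforms = parse_proposal(m.group("proposal"))
            result[m.group("name")] = dh_groups(transforms)
    return result


def children_without_pfs(lines):
    """Names of installed CHILD_SAs whose ESP/AH proposal carries no DH group."""
    return sorted(name for name, groups in audit_children(lines).items() if not groups)


if __name__ == "__main__":
    verdict = audit_log(LOG)
    print("log: configured DH %s, selected DH %s, missing_dh=%s"
          % (sorted(verdict["configured"]), sorted(verdict["selected"]), verdict["missing_dh"]))
    for child in children_without_pfs(SWANCTL):
        print("CHILD_SA %s installed without a DH group" % child)
```

Run against the post's data it flags networks1 only; networks2, which carries ECP_521 in its ESP proposal, passes. Pointing the same functions at a live charon log or the periodic output of swanctl -l gives a simple alert for CHILD_SAs that ended up without PFS.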