[strongSwan] How to allow AES256GCM and diffieHellmanGroup 19

Houman houmie at gmail.com
Thu Oct 15 12:41:40 CEST 2020


Hello,

(Sorry about the previous message without a subject line)

I would like to change the encryption to support the following on iOS:

ikev2.ikeSecurityAssociationParameters.encryptionAlgorithm = .algorithmAES256GCM
ikev2.ikeSecurityAssociationParameters.integrityAlgorithm = .SHA384
ikev2.ikeSecurityAssociationParameters.diffieHellmanGroup = .group19
ikev2.childSecurityAssociationParameters.encryptionAlgorithm = .algorithmAES256GCM
ikev2.childSecurityAssociationParameters.integrityAlgorithm = .SHA384
ikev2.childSecurityAssociationParameters.diffieHellmanGroup = .group19

This is how the server is set up:
config setup
  strictcrlpolicy=yes
  uniqueids=never
conn ${SERVERNAME}
  auto=add
  compress=no
  type=tunnel
  keyexchange=ikev2
  fragmentation=yes
  forceencaps=yes
  ike=aes256gcm16-aes192gcm16-aes128gcm16-prfsha256-ecp521-ecp256-modp4096-modp2048, aes256-sha256-ecp521-ecp256-modp4096-modp2048!
  esp=aes256gcm16-aes192gcm16-aes128gcm16-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1!
  dpdaction=clear
  dpddelay=180s
  dpdtimeout=3600s
  rekey=no
  left=%any
  leftid=@${VPNHOST}
  leftcert=cert.pem
  leftsendcert=always
  leftsubnet=0.0.0.0/0, ::/0
  right=%any
  rightid=%any
  rightauth=eap-radius
  eap_identity=%any
  rightdns=${DNS1},${DNS2}
  rightsourceip=${VPNIPPOOL},${VPNIP6POOL}
  leftfirewall=no

But I can't connect. What do I have to change to make this possible,
please?
Thanks
Houman
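
Added example (not part of the original message, and not strongSwan code): a small checker that splits the ike= and esp= values above into proposals and reports which of the client's transforms each proposal lacks. The mapping of the iOS settings to strongSwan keywords (aes256gcm16, prfsha384 with SHA384 acting as the PRF for AES-GCM, ecp256 for group 19) is an assumption, as are the function names.

```python
# Added example: checks which client transforms a strongSwan ike=/esp= value lacks.
# Server strings are copied from the conn section in the post.
SERVER_IKE = ("aes256gcm16-aes192gcm16-aes128gcm16-prfsha256-ecp521-ecp256-"
              "modp4096-modp2048, aes256-sha256-ecp521-ecp256-modp4096-modp2048!")
SERVER_ESP = ("aes256gcm16-aes192gcm16-aes128gcm16-ecp521-ecp256-modp4096-"
              "modp2048, aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048, "
              "aes256-sha256-sha1!")

# Assumed keyword mapping for the iOS settings in the post (not from the post).
CLIENT_IKE = {"encr": "aes256gcm16", "prf": "prfsha384", "dh": "ecp256"}
CLIENT_ESP = {"encr": "aes256gcm16", "dh": "ecp256"}


def classify(token):
    """Sort a keyword into a transform type (covers the keywords used here)."""
    if token.startswith("prf"):
        return "prf"
    if token.startswith(("ecp", "modp")):
        return "dh"
    if token.startswith("sha"):
        return "integ"
    return "encr"


def parse(spec):
    """Split an ike=/esp= value into proposals of {transform type: keywords}."""
    proposals = []
    for text in spec.rstrip("!").split(","):
        algs = {"encr": set(), "integ": set(), "prf": set(), "dh": set()}
        for token in text.strip().split("-"):
            algs[classify(token)].add(token)
        if not algs["prf"]:
            # No explicit PRF: strongSwan reuses the integrity algorithms (IKE).
            algs["prf"] = {"prf" + name for name in algs["integ"]}
        proposals.append(algs)
    return proposals


def missing(client, spec):
    """For each server proposal, list the client keywords it does not offer."""
    return [[alg for kind, alg in client.items() if alg not in prop[kind]]
            for prop in parse(spec)]


if __name__ == "__main__":
    for name, client, spec in (("ike", CLIENT_IKE, SERVER_IKE),
                               ("esp", CLIENT_ESP, SERVER_ESP)):
        for number, lacks in enumerate(missing(client, spec), 1):
            print(f"{name} proposal {number}: {'match' if not lacks else 'lacks ' + ', '.join(lacks)}")
```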