Modp1024 is no longer supported by default compile options. It is simply too weak and can be cracked using academic-size resources (e.g., a small cluster at a university).
Microsoft really needs to step up their IPsec maintenance.

Paul

Sent from my iPhone

> On Oct 4, 2019, at 14:29, Computerisms Corporation <[email protected]> wrote:
>
> Hi Again,
>
> Turns out that brand new laptop still does connect so long as I do not specify an ike/esp line. In the debug logs, it seems to choose this proposal:
>
> IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP2048[first-match]
>
> Not sure how that helps me get the other ones connected, but it is interesting, at least...
>
> In the debug logs, I think this is the line that indicates what Windows is proposing that libreswan is rejecting:
>
> pluto[30250]: "rw-ikev2"[1] 50.117.137.129 #5: no local proposal matches remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED 2:ESP:ENCR=3DES;INTEG=HMAC_SHA1_96;ESN=DISABLED
>
> so I put this in my conn:
>
> esp=aes256-sha1-modp1024
>
> and the connection worked.
>
> so I go back to the wiki, which tells me to use this:
>
> esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024
>
> and I believe from reading the man page on the topic that this should also match the aes256-sha1-modp1024 proposal, however evidence clearly indicates it does not.
>
> I tried messing with the syntax of the wiki line a bit, but nothing I did worked, really not clear what I am missing. Did I find a problem that isn't supposed to be there? Or am I just stuck with only accepting the single esp proposal?
>
> How do I interpret this and translate it to
>
>> On 2019-10-04 9:30 a.m., Computerisms Corporation wrote:
>> Hi Nels and Paul,
>> Apologies for the delayed reply, I was overly busy at the moment and duct taped the immediate issue with some iptables rules and port forwarding. But need something better and I am back to trying to solve this now.
>> I tried setting ikev2 from yes to no, sadly did not change the situation.
>> Oddly enough I put a brand new setup together about a week ago, with a brand new laptop, and it connected fine. Yesterday I configured a bunch of other laptops to connect to that same firewall, and now nothing connects to it. That causes me to wonder if a Windows update that wasn't installed to begin with is there now on the brand new laptop.
>> Regardless, I faced this problem with Windows 7 way back, and I managed to solve it that time with a post I found on the strongSwan list. So my instinct is telling me I need to find the correct ike=/esp= lines to fix this problem. I did find a post from strongSwan from Oct/Nov 2018:
>> https://wiki.strongswan.org/issues/2808
>> But none of those cipher lines worked.
>> Similarly there are a set of ciphers listed on the libreswan wiki under the no_proposal_chosen section, and those are not working either.
>> I am thinking the next task is to go through the debug log and find out what proposals Windows is expecting, and try to construct appropriate ike=/esp= lines. I found the parts of the man page that explain how to write the ciphers, but having a hard time translating the log entries into valid cipher descriptions for the conf file.
>> Posting the debug log here in case anyone is interested in having a look...
>
> _______________________________________________
> Swan mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan
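
The translation the quoted message asks about, from a pluto log proposal to an ike=/esp= token, as an added example that is not part of the original thread and not libreswan's own code. The name mapping is an assumption limited to the transforms that appear in this thread, the function names are hypothetical, and the "-" separator follows the esp= line used above.

```python
import re

# Constructed sample: the pluto rejection line quoted in the thread above.
SAMPLE_LOG = (
    'pluto[30250]: "rw-ikev2"[1] 50.117.137.129 #5: no local proposal matches '
    "remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED "
    "2:ESP:ENCR=3DES;INTEG=HMAC_SHA1_96;ESN=DISABLED"
)

# Assumed log-name -> ipsec.conf token mapping, limited to transforms seen in this thread.
INTEG = {"HMAC_SHA1_96": "sha1", "HMAC_SHA2_256_128": "sha2_256",
         "HMAC_SHA2_512_256": "sha2_512"}
WEAK_DH = {"modp1024"}  # per the reply above: too weak, not in default builds

# Optional "N:" index, protocol, transform list, optional "[first-match]" suffix.
PROPOSAL_RE = re.compile(r"(?:\d+:)?(IKE|ESP):(\S+?)(?:\[[^\]]*\])?(?=\s|$)")


def to_conf(transforms):
    """Turn 'ENCR=..;INTEG=..[;DH=..]' into (conf_token, warnings)."""
    fields = dict(kv.split("=", 1) for kv in transforms.split(";"))
    aes = re.fullmatch(r"AES_CBC_(128|192|256)", fields["ENCR"])
    if aes:
        parts = ["aes" + aes.group(1)]
    elif fields["ENCR"] == "3DES":
        parts = ["3des"]
    else:
        raise ValueError("unmapped ENCR: " + fields["ENCR"])
    if fields.get("INTEG") not in INTEG:
        raise ValueError("unmapped INTEG: %s" % fields.get("INTEG"))
    parts.append(INTEG[fields["INTEG"]])
    warnings = []
    if "DH" in fields:  # PRF and ESN are not part of the conf token and are skipped
        if not re.fullmatch(r"MODP\d+", fields["DH"]):
            raise ValueError("unmapped DH: " + fields["DH"])
        dh = fields["DH"].lower()
        parts.append(dh)
        if dh in WEAK_DH:
            warnings.append(dh + " is too weak and not in default builds")
    return "-".join(parts), warnings


def translate(log_line):
    """Collect conf tokens for every IKE/ESP proposal found in one pluto log line."""
    found = {"ike": [], "esp": []}
    for proto, transforms in PROPOSAL_RE.findall(log_line):
        found[proto.lower()].append(to_conf(transforms)[0])
    return found


if __name__ == "__main__":
    print("esp=" + ",".join(translate(SAMPLE_LOG)["esp"]))
```

Unmapped transform names raise ValueError rather than being guessed, so a proposal outside the table is caught instead of producing a wrong conf line.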
