Hi Jessie,

The IKEv2 transform parameters are defined by IANA on the following page:

http://www.iana.org/assignments/ikev2-parameters

With this list it is easy to fill in the UNKNOWN transforms (#### entries):

Proposal Substructure:
    Last (U08): Yes/0 (0x00)
    Reserved (U08): 0
    Proposal Length (U16): 188 (0xBC) bytes
    Proposal Number (U08): 3
    Protocol ID (U08): IKE/1 (0x01)
    SPI Size (U08): 0 (0x0) bytes
    Number of Transforms (U08): 21
    Transform Header #1
        Last (U08): No/3 (0x03)
        Reserved (U08): 0
        Transform Length (U16): 12 (0xC) bytes
        Transform Type (U08): ENCR/1 (0x01)
        Reserved (U08): 0
        Transform ID (U16): ENCR_AES_CBC/12 (0x000C)
        Attribute
            Attribute AF (U01): 1
            Attribute Type (U15): IKEV2_TS_ATTRIBUTE_TYPE_KEY_LENGTH/14 (0x0E)
            Attribute Value (U16): 128 (0x0080)
    Transform Header #2
        Last (U08): No/3 (0x03)
        Reserved (U08): 0
        Transform Length (U16): 12 (0xC) bytes
        Transform Type (U08): ENCR/1 (0x01)
        Reserved (U08): 0
        Transform ID (U16): ENCR_AES_CBC/12 (0x000C)
        Attribute
            Attribute AF (U01): 1
            Attribute Type (U15): IKEV2_TS_ATTRIBUTE_TYPE_KEY_LENGTH/14 (0x0E)
            Attribute Value (U16): 192 (0x00C0)
    Transform Header #3
        Last (U08): No/3 (0x03)
        Reserved (U08): 0
        Transform Length (U16): 12 (0xC) bytes
        Transform Type (U08): ENCR/1 (0x01)
        Reserved (U08): 0
        Transform ID (U16): ENCR_AES_CBC/12 (0x000C)
        Attribute
            Attribute AF (U01): 1
            Attribute Type (U15): IKEV2_TS_ATTRIBUTE_TYPE_KEY_LENGTH/14 (0x0E)
            Attribute Value (U16): 256 (0x0100)
    Transform Header #4
        Last (U08): No/3 (0x03)
        Reserved (U08): 0
        Transform Length (U16): 8 (0x8) bytes
        Transform Type (U08): ENCR/1 (0x01)
        Reserved (U08): 0
        Transform ID (U16): ENCR_3DES/3 (0x0003)
    Transform Header #5
        Last (U08): No/3 (0x03)
        Reserved (U08): 0
        Transform Length (U16): 8 (0x8) bytes
        Transform Type (U08): INTEG/3 (0x03)
        Reserved (U08): 0
        Transform ID (U16): AUTH_HMAC_SHA1_96/2 (0x0002)
    Transform Header #6
        Last (U08): No/3 (0x03)
        Reserved (U08): 0
        Transform Length (U16): 8 (0x8) bytes
        Transform Type (U08): INTEG/3 (0x03)
        Reserved (U08): 0
        Transform ID (U16): UNKNOWN/12 (0x000C)   ##### AUTH_HMAC_SHA2_256_128
    Transform Header #7
        Last (U08): No/3 (0x03)
        Reserved (U08): 0
        Transform Length (U16): 8 (0x8) bytes
        Transform Type (U08): INTEG/3 (0x03)
        Reserved (U08): 0
        Transform ID (U16): AUTH_HMAC_MD5_96/1 (0x0001)
    Transform Header #8
        Last (U08): No/3 (0x03)
        Reserved (U08): 0
        Transform Length (U16): 8 (0x8) bytes
        Transform Type (U08): INTEG/3 (0x03)
        Reserved (U08): 0
        Transform ID (U16): UNKNOWN/13 (0x000D)   ##### AUTH_HMAC_SHA2_384_192
    Transform Header #9
        Last (U08): No/3 (0x03)
        Reserved (U08): 0
        Transform Length (U16): 8 (0x8) bytes
        Transform Type (U08): INTEG/3 (0x03)
        Reserved (U08): 0
        Transform ID (U16): UNKNOWN/14 (0x000E)   ##### AUTH_HMAC_SHA2_512_256
    Transform Header #10
        Last (U08): No/3 (0x03)
        Reserved (U08): 0
        Transform Length (U16): 8 (0x8) bytes
        Transform Type (U08): INTEG/3 (0x03)
        Reserved (U08): 0
        Transform ID (U16): AUTH_AES_XCBC_96/5 (0x0005)
    Transform Header #11
        Last (U08): No/3 (0x03)
        Reserved (U08): 0
        Transform Length (U16): 8 (0x8) bytes
        Transform Type (U08): PRF/2 (0x02)
        Reserved (U08): 0
        Transform ID (U16): UNKNOWN/5 (0x0005)   ##### PRF_HMAC_SHA2_256
    Transform Header #12
        Last (U08): No/3 (0x03)
        Reserved (U08): 0
        Transform Length (U16): 8 (0x8) bytes
        Transform Type (U08): PRF/2 (0x02)
        Reserved (U08): 0
        Transform ID (U16): PRF_HMAC_SHA1/2 (0x0002)

If you want to suppress strongSwan's default proposal consisting of 21 transforms then you must use the strict '!' character:

ike=aes-sha1!
esp=aes-sha1!

Best Regards

Andreas

Jessie Liu wrote:
> Hi Daniel,
>
> Thanks very much. ^______^ We are doing a test with others, so we do not
> know what kind of security gateway they are using. But I could give you
> the logs.
>
> I am curious why the third proposal in the IKE_SA_INIT message (in the
> attached wireshark log) has up to 21 Transform Payloads. Their security
> gateway could only accept at most 16 Transform Payloads. Even if I specify
> ike=aes-sha1 and esp=aes-sha1,,,,, the IKE_SA_INIT message still contains
> up to 21 Transform Payloads.
>
> Attached please find the client wireshark log and the security gateway
> log. ipsec.pcap is the client wireshark log. ipsec_failed.txt is the
> security gateway log. In ipsec_failed.txt, the security gateway received
> up to 21 Transform Payloads from the client.

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
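The dissection above is a Proposal Substructure as laid out in RFC 7296 (sections 3.3.1 to 3.3.5): an 8-byte proposal header followed by 8-byte transform headers, each optionally carrying a TV-format Key Length attribute. The following Python is an added example, not code from the thread or from strongSwan: it builds such a proposal, parses it back, resolves transform IDs against the IANA ikev2-parameters registry (so the UNKNOWN/12, /13, /14 and PRF UNKNOWN/5 entries come out with their names), and checks the transform count against a peer limit such as the 16 mentioned in the question. The sample proposal is constructed: it reproduces the twelve transforms shown in the dissection in order, and since the post does not show the remaining nine, it fills them with assumed D-H group transforms so that the result has the reported 21 transforms and 188 bytes. The four-transform "strict" proposal is likewise an assumption standing in for an `ike=aes-sha1!` configuration; the exact expansion strongSwan uses is not stated on the page.

```python
"""Encode/decode an IKEv2 Proposal Substructure (RFC 7296 3.3.1-3.3.5) and
name transforms from the IANA ikev2-parameters registry.  Added example."""
import struct

TRANSFORM_TYPES = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "DH", 5: "ESN"}

# Transform IDs per type as registered by IANA (subset needed here).
TRANSFORM_IDS = {
    1: {3: "ENCR_3DES", 12: "ENCR_AES_CBC"},
    2: {1: "PRF_HMAC_MD5", 2: "PRF_HMAC_SHA1", 5: "PRF_HMAC_SHA2_256"},
    3: {1: "AUTH_HMAC_MD5_96", 2: "AUTH_HMAC_SHA1_96", 5: "AUTH_AES_XCBC_96",
        12: "AUTH_HMAC_SHA2_256_128", 13: "AUTH_HMAC_SHA2_384_192",
        14: "AUTH_HMAC_SHA2_512_256"},
    4: {2: "MODP_1024", 5: "MODP_1536", 14: "MODP_2048", 15: "MODP_3072",
        16: "MODP_4096", 17: "MODP_6144", 18: "MODP_8192", 19: "ECP_256", 20: "ECP_384"},
}
ATTR_KEY_LENGTH = 14   # Transform Attribute Type "Key Length"
PROTO_IKE = 1


def build_transform(ttype, tid, key_len=None, last=False):
    """Transform Substructure: last/more (0|3), reserved, length, type, reserved, ID."""
    attr = b""
    if key_len is not None:
        # TV format: AF bit set (0x8000), 15-bit attribute type, 16-bit value.
        attr = struct.pack("!HH", 0x8000 | ATTR_KEY_LENGTH, key_len)
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(attr), ttype, 0, tid) + attr


def build_proposal(number, proto, transforms, last=True):
    """Proposal Substructure with an empty SPI, as in IKE_SA_INIT."""
    body = b"".join(build_transform(t, i, k, last=(n == len(transforms) - 1))
                    for n, (t, i, k) in enumerate(transforms))
    header = struct.pack("!BBHBBBB", 0 if last else 2, 0, 8 + len(body),
                         number, proto, 0, len(transforms))
    return header + body


def parse_proposal(data):
    """Decode one Proposal Substructure; raises ValueError on inconsistent lengths."""
    if len(data) < 8:
        raise ValueError("short proposal header")
    _, _, plen, number, proto, spi_size, ntrans = struct.unpack_from("!BBHBBBB", data, 0)
    if plen > len(data) or plen < 8 + spi_size:
        raise ValueError("proposal length out of range")
    off, transforms = 8 + spi_size, []
    while off < plen:
        if off + 8 > plen:
            raise ValueError("truncated transform header")
        more, _, tlen, ttype, _, tid = struct.unpack_from("!BBHBBH", data, off)
        if tlen < 8 or off + tlen > plen:
            raise ValueError("transform length out of range")
        attrs, aoff = {}, off + 8
        while aoff < off + tlen:
            if aoff + 4 > off + tlen:
                raise ValueError("truncated attribute")
            af_type, val = struct.unpack_from("!HH", data, aoff)
            atype = af_type & 0x7FFF
            if af_type & 0x8000:                 # TV: value is the 16-bit field
                attrs[atype], aoff = val, aoff + 4
            else:                                 # TLV: 'val' is the value length
                if aoff + 4 + val > off + tlen:
                    raise ValueError("truncated TLV attribute")
                attrs[atype], aoff = data[aoff + 4:aoff + 4 + val], aoff + 4 + val
        transforms.append({
            "type": TRANSFORM_TYPES.get(ttype, f"UNKNOWN_TYPE/{ttype}"),
            "id": tid,
            "name": TRANSFORM_IDS.get(ttype, {}).get(tid, f"UNKNOWN/{tid}"),
            "key_length": attrs.get(ATTR_KEY_LENGTH),
        })
        off += tlen
        if more == 0:
            break
    if len(transforms) != ntrans:
        raise ValueError(f"header says {ntrans} transforms, found {len(transforms)}")
    return {"number": number, "protocol": proto, "length": plen, "transforms": transforms}


def fits_peer_limit(data, limit=16):
    """True if the proposal carries no more transforms than the peer accepts."""
    return len(parse_proposal(data)["transforms"]) <= limit


# Constructed sample: the twelve transforms dissected in the post, in order, plus
# nine ASSUMED D-H group transforms standing in for the entries the post does not
# show; together they give the 21 transforms / 188 bytes the dissection reports.
DEFAULT_IKE_TRANSFORMS = [
    (1, 12, 128), (1, 12, 192), (1, 12, 256), (1, 3, None),
    (3, 2, None), (3, 12, None), (3, 1, None), (3, 13, None), (3, 14, None), (3, 5, None),
    (2, 5, None), (2, 2, None),
] + [(4, g, None) for g in (2, 5, 14, 15, 16, 17, 18, 19, 20)]
SAMPLE_PROPOSAL = build_proposal(3, PROTO_IKE, DEFAULT_IKE_TRANSFORMS)

# ASSUMED stand-in for a strict "ike=aes-sha1!" proposal: one transform per type.
STRICT_PROPOSAL = build_proposal(1, PROTO_IKE,
                                 [(1, 12, 128), (3, 2, None), (2, 2, None), (4, 14, None)])

if __name__ == "__main__":
    for n, t in enumerate(parse_proposal(SAMPLE_PROPOSAL)["transforms"], 1):
        kl = f" key_len={t['key_length']}" if t["key_length"] else ""
        print(f"#{n:<2} {t['type']:<5} {t['name']}{kl}")
    print("fits a 16-transform peer:", fits_peer_limit(SAMPLE_PROPOSAL))
```

The parser checks every length field against its enclosing structure before reading, which is the check a dissector needs when the proposal comes from an untrusted peer rather than from your own encoder. Run against a real IKE_SA_INIT, feed it the bytes of one Proposal Substructure taken from the SA payload; `fits_peer_limit` then answers the question in the thread directly.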
