Thank you for your detailed answer. FYI: The aes256-aesxcbc-ecp521 algorithms are only used against two other Debian Squeeze/strongSwan configurations and are supported and working according to ipsec statusall.
Regards,
*Hans-Kristian Bakke*

On Mon, May 2, 2011 at 12:07, Andreas Steffen <[email protected]> wrote:
> Hello Hans-Kristian,
>
> the problem is that strongSwan as a responder must select a
> matching proposal upon the reception of the IKE_INIT_SA request
> so that the following IKE_AUTH messages can be encrypted.
> Since all connection definitions contain right=%any and
> rightid will be transmitted within the IKE_AUTH payload,
> strongSwan selects the first matching proposal.
>
> Thus the only solution is to define a joint list of accepted
> crypto algorithms e.g. in the %default connection section
>
> ike=aes256-aesxcbc-ecp521,aes256-sha1-modp1024!
> esp=aes256gcm16-ecp521,aes256-sha1!
>
> Kind regards
>
> Andreas
>
> BTW: To my knowledge the Windows 7 Agile VPN client does not
> support Suite B Elliptic Curve Cryptography. Only Microsoft's
> old IKEv1-based IPsec stack does.
>
> On 02.05.2011 11:46, Hans-Kristian Bakke wrote:
> > Hi
> >
> > I have a problem using multiple strict flags in my ipsec.conf
> > configuration on Debian Squeeze (strongswan package v4.4.1-5.1):
> >
> > ----
> > # ipsec.conf - strongSwan IPsec configuration file
> >
> > # basic configuration
> > config setup
> >     charonstart=yes
> >     plutostart=no
> >
> > # Add connections here.
> > conn %default
> >     keyexchange=ikev2
> >     auth=esp
> >     leftauth=pubkey
> >     left=%defaultroute
> >     leftcert=vpn-serverCert.pem
> >     leftfirewall=no
> >     leftsubnet=0.0.0.0/0
> >     reauth=no
> >
> > conn rw-uranus
> >     right=%any
> >     rightsourceip=10.0.1.2
> >     rightid="C=NO, ST=Oppland, O=nixuser.net, OU=Backup server, CN=uranus.nixuser.net"
> >     auto=add
> >     ike=aes256-aesxcbc-ecp521!
> >     esp=aes256gcm16-ecp521!
> >     dpdaction=clear
> >
> > conn windows-7
> >     right=%any
> >     rightsourceip=10.0.1.3
> >     rightid="C=NO, ST=Oppland, O=nixuser.net, OU=Windows 7 klient, CN=klient.nixuser.net"
> >     auto=add
> >     ike=aes256-sha1-modp1024!
> >     esp=aes256-sha1!
> >     dpdaction=clear
> >     rekey=no
> >
> > conn rw-europa
> >     right=%any
> >     rightsourceip=10.0.1.4
> >     rightid="C=NO, ST=Oppland, O=nixuser.net, OU=Filserver, CN=europa.nixuser.net"
> >     auto=add
> >     ike=aes256-aesxcbc-ecp521!
> >     esp=aes256gcm16-ecp521!
> >     dpdaction=clear
> >
> > include /var/lib/strongswan/ipsec.conf.inc
> > ----
> >
> > When I try to connect with the windows-7 client I get the following in
> > syslog:
> > configured proposals: IKE:AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/ECP_521
> > which indicates to me that the first strict flag is probably globally
> > overriding everything, also in the connections where other algorithms are
> > defined.
> > The Windows 7 client can't connect as a result of this.
> > If I remove the strict flags everything works as intended.
> >
> > Is it only possible to have one global (even if defined inside a
> > connection) single ike/esp definition using strict flag in ipsec.conf?
> >
> > ---
> > Regards,
> > *Hans-Kristian Bakke*
>
> ======================================================================
> Andreas Steffen                         [email protected]
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
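A small Python model of the responder-side selection described in the thread, added here as an example and not strongSwan's own code. It assumes a constructed default-proposal list and treats only the first conn as the one consulted during IKE_SA_INIT, since every conn has right=%any and the peer identity is not yet known; the conn names and ike= values are taken from the quoted ipsec.conf.

```python
"""Model of IKEv2 responder proposal selection during IKE_SA_INIT.
Added example, not strongSwan code. Every conn in the thread has
right=%any and the peer's rightid only arrives in IKE_AUTH, so the
first conn whose address selector matches is the one whose ike= list
decides what the initiator may negotiate."""

# Constructed stand-in for the responder's built-in default proposals,
# which strongSwan appends to a conn's list unless it ends in "!".
DEFAULT_PROPOSALS = ["aes128-sha256-modp2048", "aes256-sha1-modp1024"]


def accepted(ike_setting):
    """Expand an ike= value into the proposals the responder accepts."""
    strict = ike_setting.endswith("!")
    listed = ike_setting.rstrip("!").split(",")
    return listed if strict else listed + DEFAULT_PROPOSALS


def select_proposal(conns, peer_proposals):
    """conns: ordered (name, ike_setting) pairs as they appear in ipsec.conf.
    peer_proposals: the initiator's SA payload, most preferred first.
    Returns (conn name, chosen proposal), or (conn name, None) when the
    IKE_SA_INIT exchange fails with NO_PROPOSAL_CHOSEN."""
    name, ike_setting = conns[0]  # identity unknown: first address match wins
    allowed = accepted(ike_setting)
    for proposal in peer_proposals:
        if proposal in allowed:
            return name, proposal
    return name, None


# Conn order from the thread (constructed subset) and what each client offers.
STRICT_CONNS = [("rw-uranus", "aes256-aesxcbc-ecp521!"),
                ("windows-7", "aes256-sha1-modp1024!")]
# Fix from the reply: one joint list in %default inherited by every conn.
JOINT_CONNS = [("rw-uranus", "aes256-aesxcbc-ecp521,aes256-sha1-modp1024!"),
               ("windows-7", "aes256-aesxcbc-ecp521,aes256-sha1-modp1024!")]
WINDOWS7_OFFER = ["aes256-sha1-modp1024"]
URANUS_OFFER = ["aes256-aesxcbc-ecp521"]

if __name__ == "__main__":
    print("strict per conn:", select_proposal(STRICT_CONNS, WINDOWS7_OFFER))
    print("joint in %default:", select_proposal(JOINT_CONNS, WINDOWS7_OFFER))
```

The first call reproduces the failure in the thread (the Windows 7 offer is rejected by rw-uranus's strict list before its identity can be checked); the second shows the joint list letting it through.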
