Hi Martin, thanks for your quick reply. With the ! it sends only the configured proposal, as I intended.
Regards
Gerald

> -----Original Message-----
> From: Martin Willi [mailto:[email protected]]
> Sent: Thursday, June 20, 2013 14:27
> To: Gerald Richter
> Cc: [email protected]
> Subject: Re: [strongSwan] weird configured proposals
>
> Hi Gerald,
>
> > ike="3des-sha1-modp1536"
> >
> > configured proposals:
> > IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
> > IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/[...]
>
> > Any idea what might be wrong here?
>
> If you configure a proposal in ipsec.conf non-strict (without a "!"), charon
> appends its "default proposal". This additional proposal is used as fallback,
> and includes all algorithms that are supported and are considered safe.
>
> You can omit this "default proposal" by appending an exclamation mark to
> your proposal.
>
> This fallback proposal works very well for IKEv2. However, with IKEv1, it is
> not possible to include multiple algorithms of the same kind
> (encryption/hash) in a single proposal. As we can't include a proposal for
> each combination, we currently just pick the first algorithm of each kind to
> form that fallback proposal. Depending on your configured plugins, this might
> or might not result in a usable combination.
>
> It's on my TODO list to change that "default proposal" when using IKEv1 to
> something more predictable. Just not sure yet what the best approach would
> be.
>
> Regards
> Martin
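An added example, not part of the original thread and not strongSwan code: a small Python check that flags `ike=` settings in an ipsec.conf lacking the trailing `!`, and splits a `configured proposals:` log line to show whether a fallback proposal was appended. The conn names, the sample config and the shortened log line are constructed for illustration; only the `ike=` value comes from the thread.

```python
import re

# Constructed sample ipsec.conf; conn names are hypothetical. Only the ike=
# value is taken from the thread.
SAMPLE_CONF = '''\
conn %default
    keyexchange=ikev1

conn site-a
    ike="3des-sha1-modp1536"

conn site-b
    ike=3des-sha1-modp1536!   # strict: no default proposal appended
'''

# Constructed, shortened log line in the format quoted in the thread.
SAMPLE_LOG = ("configured proposals: "
              "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, "
              "IKE:AES_CBC_128/AES_CBC_192/3DES_CBC/HMAC_SHA1_96/"
              "PRF_HMAC_SHA1/MODP_2048")


def non_strict_ike(conf_text):
    """Return (conn, value) for every ike= setting without a trailing '!'."""
    findings, conn = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line:
            continue
        if not line[0].isspace():              # section header, e.g. "conn site-a"
            words = line.split()
            conn = words[1] if words[0] == "conn" and len(words) > 1 else None
            continue
        m = re.match(r"\s+ike\s*=\s*(.+)$", line)
        if m and conn is not None:
            value = m.group(1).strip().strip('"')
            if not value.endswith("!"):
                findings.append((conn, value))
    return findings


def logged_proposals(log_line):
    """Split a 'configured proposals:' log line into per-proposal algorithm lists."""
    _, _, tail = log_line.partition("configured proposals:")
    return [p.split(":", 1)[-1].strip().split("/")
            for p in tail.split(",") if p.strip()]


if __name__ == "__main__":
    print(non_strict_ike(SAMPLE_CONF))
    print(len(logged_proposals(SAMPLE_LOG)) - 1, "fallback proposal(s) logged")
```

More than one entry from `logged_proposals` for a connection configured with `!` would mean the running daemon is not using the strict setting from the file that was audited.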
