[strongSwan] policy mismatch

Tue, 01 May 2018 14:59:31 -0700 

version: strongSwan 5.6.2
When I connect from Windows 10, strongSwan replies with a different policy than 
requested, causing a policy mismatch
```connections {   default {      version = 2      send_cert = always      
encap = yes      pools = pool1      unique = replace      proposals = 
aes256gcm16-aes128gcm16-sha384-sha256-prfsha384-prfsha256-modp1024       local 
{         id = vpnserver         certs = vpnserver.crt      }      remote {     
    auth = eap-mschapv2         eap_id = %any      }
      children {         net {            local_ts = 10.0.0.0/20            
inactivity = 1h         }      }   }}```
When Windows connects, strongSwan gives it the wrong policy and hence Windows 
10 reports a policy match error

 
May  1 21:53:12 08[CFG] received proposals: 
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, 
IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, 
IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, 
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, 
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, 
IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, 
IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, 
IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, 
IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, 
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, 
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, 
IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, 
IKE:AES_GCM_16_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, 
IKE:AES_GCM_16_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, 
IKE:AES_GCM_16_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, 
IKE:AES_GCM_16_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, 
IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, 
IKE:AES_GCM_16_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024May  1 21:53:12 
08[CFG] configured proposals: 
IKE:AES_GCM_16_256/AES_GCM_16_128/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_256/MODP_1024May
  1 21:53:12 08[CFG] selected proposal: 
IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_1024


Expected response (I'm guessing) 
AES_GCM_16_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024 (although I dont 
know why it doesnt chose the better ciphers).

Reply via email to