Bug #4042

closed

AES-GCM should not be an option in P1

Added by Chris Buechler over 9 years ago. Updated over 9 years ago.

Status: Resolved
Priority: Normal
Category: IPsec
Target version:
Start date: 11/24/2014
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.2
Affected Architecture:

Description

strongSwan's documentation shows AES-GCM ciphers are valid for both IKEv1 and IKEv2.

https://wiki.strongswan.org/projects/strongswan/wiki/IKEv1CipherSuites
https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites

But if you try to use them on IKEv1, you end up failing negotiation with no matching proposal and the following log.

Nov 24 23:57:51    charon: 11[CFG] received proposals: IKE:HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_8192
Nov 24 23:57:51    charon: 11[CFG] configured proposals: IKE:AES_GCM_16_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_8192
Nov 24 23:57:51    charon: 11[IKE] <201> no proposal found
Nov 24 23:57:51    charon: 11[IKE] no proposal found

The underlying config files are correct, and match on both sides.
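
An added example (not part of the original report, and not pfSense or strongSwan code): a small Python parser that compares the received and configured proposals in charon `[CFG]` log lines and reports which transform type has no overlap. The sample log is the excerpt quoted above; the prefix-based classification in `transform_type` is a simplifying assumption of this example.

```python
import re

# Constructed sample: the charon lines quoted in the report above.
SAMPLE_LOG = """\
Nov 24 23:57:51    charon: 11[CFG] received proposals: IKE:HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_8192
Nov 24 23:57:51    charon: 11[CFG] configured proposals: IKE:AES_GCM_16_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_8192
Nov 24 23:57:51    charon: 11[IKE] <201> no proposal found
"""

LINE_RE = re.compile(r"\[CFG\] (received|configured) proposals: (.+)$")

def transform_type(name):
    """Classify a transform by name prefix (simplified; assumption of this example)."""
    if name.startswith("PRF_"):
        return "prf"
    if name.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh"
    if name.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "integ"
    return "encr"  # anything else is treated as an encryption transform

def parse_proposals(text):
    """'IKE:A/B/C, IKE:D/E' -> list of {transform type: set of names}."""
    proposals = []
    for item in text.split(","):
        _proto, _, transforms = item.strip().partition(":")
        by_type = {}
        for name in transforms.split("/"):
            by_type.setdefault(transform_type(name), set()).add(name)
        proposals.append(by_type)
    return proposals

def diagnose(log):
    """For each received/configured pair, list transform types with no common value."""
    seen = {}
    for line in log.splitlines():
        if m := LINE_RE.search(line):
            seen[m.group(1)] = parse_proposals(m.group(2).strip())
    findings = []
    for r in seen.get("received", []):
        for c in seen.get("configured", []):
            for t in sorted(set(r) | set(c)):
                if not (r.get(t, set()) & c.get(t, set())):
                    findings.append((t, sorted(r.get(t, set())), sorted(c.get(t, set()))))
    return findings

if __name__ == "__main__":
    for t, recv, conf in diagnose(SAMPLE_LOG):
        print(f"{t}: received={recv or 'none'} configured={conf or 'none'}")
```

On the excerpt above, the only mismatch is the encryption transform: the received proposal carries none, while the configured one lists `AES_GCM_16_256`.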

Actions #1

Updated by Ermal Luçi over 9 years ago

The other side is not sending AES-GCM in its list of supported algos, hence you end up with no proposal found.

Actions #2

Updated by Chris Buechler over 9 years ago

  • Status changed from New to Confirmed

Right, the problem is it's configured to send it, but it's not doing so.

Actions #3

Updated by Jim Thompson over 9 years ago

  • Assignee set to Ermal Luçi

Actions #4

Updated by Ermal Luçi over 9 years ago

  • Status changed from Confirmed to Feedback

This was because AES-GCM was being used on Phase1, which is not recommended.
The options are removed now from the GUI and this should not happen anymore.

For me it is solved, but it should be confirmed.

Actions #5

Updated by Chris Buechler over 9 years ago

  • Subject changed from AES-GCM only works with IKEv2 to AES-GCM should not be an option in P1
  • Status changed from Feedback to Resolved
  • Assignee changed from Ermal Luçi to Chris Buechler

Fixed, updated subject to reflect actual issue.
