Bug #4042
closed
AES-GCM should not be an option in P1
0%
Description
strongSwan's documentation shows AES-GCM ciphers are valid for both IKEv1 and IKEv2.
https://wiki.strongswan.org/projects/strongswan/wiki/IKEv1CipherSuites
https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites
But if you try to use them on IKEv1, you end up failing negotiation with no matching proposal and the following log:
Nov 24 23:57:51 charon: 11[CFG] received proposals: IKE:HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_8192
Nov 24 23:57:51 charon: 11[CFG] configured proposals: IKE:AES_GCM_16_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_8192
Nov 24 23:57:51 charon: 11[IKE] <201> no proposal found
Nov 24 23:57:51 charon: 11[IKE] no proposal found
The underlying config files are correct, and match on both sides.
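A small diagnostic for the log above, added here as an example and not part of the original report or of the pfSense or strongSwan code: it parses the "received proposals" and "configured proposals" lines and lists which transforms appear on only one side. The function names, the prefix-based classification and the ", " separator between several proposals on one line are assumptions.

```python
import re

# The charon lines quoted in the report, one entry per line.
SAMPLE_LOG = """\
Nov 24 23:57:51 charon: 11[CFG] received proposals: IKE:HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_8192
Nov 24 23:57:51 charon: 11[CFG] configured proposals: IKE:AES_GCM_16_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_8192
Nov 24 23:57:51 charon: 11[IKE] <201> no proposal found
Nov 24 23:57:51 charon: 11[IKE] no proposal found
"""

LINE_RE = re.compile(r"\[CFG\] (received|configured) proposals: (.+)$")

# Assumption: prefix heuristic covering only the transform names in this log.
KINDS = (("PRF_", "prf"), ("HMAC_", "integrity"),
         ("MODP_", "dh-group"), ("AES_GCM_", "encryption"))

def kind(transform):
    for prefix, name in KINDS:
        if transform.startswith(prefix):
            return name
    return "other"

def parse_proposals(log):
    """Return {'received': [...], 'configured': [...]} of (protocol, transform set)."""
    out = {"received": [], "configured": []}
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        # Assumption: several proposals on one line are separated by ", ".
        for prop in m.group(2).split(", "):
            proto, _, transforms = prop.strip().partition(":")
            out[m.group(1)].append((proto, set(transforms.split("/"))))
    return out

def compare(log):
    """For each configured/received pair of the same protocol, list the differences."""
    p = parse_proposals(log)
    report = []
    for c_proto, c_set in p["configured"]:
        for r_proto, r_set in p["received"]:
            if c_proto == r_proto:
                report.append({
                    "protocol": c_proto,
                    "only_configured": {t: kind(t) for t in c_set - r_set},
                    "only_received": {t: kind(t) for t in r_set - c_set},
                    "received_kinds": {kind(t) for t in r_set},
                })
    return report

if __name__ == "__main__":
    for entry in compare(SAMPLE_LOG):
        print(entry)
```

On the log from this report, the only difference is AES_GCM_16_256 on the configured side, and the received proposal carries no encryption transform at all.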
Updated by Ermal Luçi almost 10 years ago
The other side is not sending AES-GCM in its list of supported algos, hence you end up with no proposal found.
Updated by Chris Buechler almost 10 years ago
- Status changed from New to Confirmed
Right, the problem is it's configured to send it, but it's not doing so.
Updated by Ermal Luçi almost 10 years ago
- Status changed from Confirmed to Feedback
This was because AES-GCM was being used on Phase 1, which is not recommended.
The options are removed now from the GUI and this should not happen anymore.
For me it is solved, but it should be confirmed.
Updated by Chris Buechler almost 10 years ago
- Subject changed from AES-GCM only works with IKEv2 to AES-GCM should not be an option in P1
- Status changed from Feedback to Resolved
- Assignee changed from Ermal Luçi to Chris Buechler
Fixed, updated subject to reflect actual issue.