Project

General

Profile

Actions
Copy link

Bug #4042

closed

AES-GCM should not be an option in P1

Added by Chris Buechler almost 10 years ago. Updated almost 10 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Chris Buechler
Category:
IPsec
Target version:
2.2
Start date:
11/24/2014
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.2
Affected Architecture:

Description

Strongswan's documentation shows AES-GCM ciphers are valid for both IKEv1 and IKEv2.

https://wiki.strongswan.org/projects/strongswan/wiki/IKEv1CipherSuites
https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites

But if you try to use them on IKEv1, you end up failing negotiation with no matching proposal and the following log.

Nov 24 23:57:51    charon: 11[CFG] received proposals: IKE:HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_8192
Nov 24 23:57:51    charon: 11[CFG] configured proposals: IKE:AES_GCM_16_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_8192
Nov 24 23:57:51    charon: 11[IKE] <201> no proposal found
Nov 24 23:57:51    charon: 11[IKE] no proposal found

The underlying config files are correct, and match on both sides.

Actions
Copy link

Also available in: Atom PDF