
I've got this in my syslog

    Nov 22 11:32:23 mini31 ipsec[8820]: 13[IKE] 192.168.1.7 is initiating a Main Mode IKE_SA
    Nov 22 11:32:23 mini31 ipsec[8820]: 13[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
    Nov 22 11:32:23 mini31 ipsec[8820]: 13[CFG] configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
    Nov 22 11:32:23 mini31 ipsec[8820]: 13[IKE] no proposal found

But clearly -- and very unhelpfully -- the format of the cipher names is different to that used in ipsec.conf

ike=aes-sha,3des-sha,aes128-aes256-sha1-modp3072-modp2048,3des-sha1-md5-modp1024,aes128-sha1-modp1536

The documentation for ipsec.conf (https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection) explains that the format is:

encryption-integrity[-prf]-dhgroup

How do I translate the cipher names in the syslog into this format?

My guess would be that it's something to do with chopping out the CBC/HMAC/PRF and sometimes the number and downcasing what's left and replacing slashes with hyphens -- which makes no sense.

  • Did you check [IKEv1CipherSuites](https://wiki.strongswan.org/projects/strongswan/wiki/IKEv1CipherSuites) (since you are using IKEv1) that's linked on the page you reference there? – ecdsa Nov 23 '20 at 08:21
  • So I need to guess which ones of those correspond to what's in `syslog`. That should narrow it down a bit, but it's still very irritating that it requires so much guesswork. – Richard Barraclough Nov 23 '20 at 08:42
  • (I hadn't realised that it was a link as it's not underlined.) – Richard Barraclough Nov 23 '20 at 08:43
  • There is not much to guess, the mapping is pretty straight-forward. But something with your config might be wrong. Because the proposals you claim to have configured are not the ones _logged_ as being configured (which look like the default proposals, which haven't included the weak modp1024 Diffie-Hellman group for years, hence the mismatch). While e.g. the first two proposals are clearly invalid for IKE (no DH groups) that shouldn't affect the rest of them. Could you post the complete config? Are there any errors logged when the config is loaded? – ecdsa Nov 23 '20 at 09:24
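As an added illustration (not code from the question or from strongSwan), the script below does the translation the question asks about: it turns each proposal on a `received proposals:` syslog line into the `encryption-integrity[-prf]-dhgroup` keyword form. The keyword tables are my reading of the IKEv1CipherSuites wiki page linked in the comments, and the rule of omitting the PRF when it matches the integrity algorithm's hash is an assumption about how strongSwan fills in an unspecified PRF.

```python
import re

# Keyword tables assumed from strongSwan's IKEv1CipherSuites wiki page:
# logged algorithm name -> ipsec.conf keyword (encryption, integrity, PRF, DH group).
ENCRYPTION = {"AES_CBC": "aes", "CAMELLIA_CBC": "camellia", "3DES_CBC": "3des"}
INTEGRITY = {"HMAC_MD5_96": "md5", "HMAC_SHA1_96": "sha1", "HMAC_SHA2_256_128": "sha256",
             "HMAC_SHA2_384_192": "sha384", "HMAC_SHA2_512_256": "sha512", "AES_XCBC_96": "aesxcbc"}
PRF = {"PRF_HMAC_MD5": "md5", "PRF_HMAC_SHA1": "sha1", "PRF_HMAC_SHA2_256": "sha256",
       "PRF_HMAC_SHA2_384": "sha384", "PRF_HMAC_SHA2_512": "sha512", "PRF_AES128_XCBC": "aesxcbc"}

def dh_keyword(name):
    """MODP_1024 -> modp1024, ECP_256_BP -> ecp256bp, CURVE_25519 -> curve25519."""
    if name == "CURVE_448":  # the one group whose keyword is not just the lowercased name
        return "x448"
    return name.lower().replace("_", "")

def translate_proposal(proposal):
    """'IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024' -> 'aes256-sha1-modp1024'.
    Assumption: the PRF is written out only when it differs from the one derived
    from the integrity algorithm, so '-prfsha1' next to 'sha1' is left out."""
    body = proposal.split(":", 1)[-1]       # drop the 'IKE:' prefix
    enc, integ, prf, dh = body.split("/")   # one algorithm per slot, as in 'received proposals'
    m = re.fullmatch(r"(AES_CBC|CAMELLIA_CBC)_(\d+)", enc)
    enc_kw = ENCRYPTION[m.group(1)] + m.group(2) if m else ENCRYPTION[enc]
    parts = [enc_kw, INTEGRITY[integ]]
    if PRF[prf] != INTEGRITY[integ]:
        parts.append("prf" + PRF[prf])
    parts.append(dh_keyword(dh))
    return "-".join(parts)

def translate_received_line(line):
    """Translate every proposal on a '[CFG] received proposals:' syslog line.
    'configured proposals:' lines list several algorithms per slot and are not handled."""
    m = re.search(r"received proposals: (.*)$", line)
    return [translate_proposal(p.strip()) for p in m.group(1).split(",")] if m else []

# The received-proposals syslog line quoted in the question.
SAMPLE_LINE = ("Nov 22 11:32:23 mini31 ipsec[8820]: 13[CFG] received proposals: "
               "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
               "IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, "
               "IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
               "IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, "
               "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
               "IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024")

if __name__ == "__main__":
    print(", ".join(translate_received_line(SAMPLE_LINE)))
```

Run against the quoted line it yields `aes256-sha1-modp1024, aes256-md5-modp1024, aes128-sha1-modp1024, aes128-md5-modp1024, 3des-sha1-modp1024, 3des-md5-modp1024`, all of which use modp1024, which the logged configured proposals do not contain.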

0 Answers