
As a developer tasked with connecting to a VPN without preconfigured profile scripts, I'm fumbling through setting up a strongSwan ipsec.conf file. My current hurdle is an "invalid proposal string" message in my syslog after I launch the strongswan-starter service.

The administrator hosting the VPN has only provided a limited set of parameters and the connection profile is not available for download.

What is the correct proposal string to put in my ipsec.conf for connecting to a system that has the following parameters:

Phase 1 Transform: AES-GCM (256 bits)
Phase 1 Key Group: Diffie-Hellman Group20
Phase 2 IPSec Proposal: ESP-AES256-GCM
Phase 2 Perfect Forward Secrecy: Diffie-Hellman Group20

My ipsec.conf

conn PHS
     leftsubnet=x.x.x.x/25
     authby=secret
     ike=aes256gmac;ecp384
     right=x.x.x.x
     rightid=x.x.x.x
     leftid=GH_Remote

Client: Ubuntu 22 server (headless). Host: IKEv2 WatchGuard VPN.

T3.0

1 Answer


A short stab at it; maybe this:

conn PHS
     leftsubnet=x.x.x.x/25
     authby=secret
     ike=aes256gcm128-ecp384!
     esp=aes256gcm128-ecp384!
     right=x.x.x.x
     rightid=x.x.x.x
     leftid=GH_Remote
     keyexchange=ikev2

The exclamation mark at the end forces this proposal string.

Fergus
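The proposal notation the answer relies on (algorithms joined with "-", an optional PRF for ike=, a DH group keyword such as ecp384 for group 20, and a trailing "!" for a strict proposal), as an added example that is not part of the original question or answer: a small Python checker and builder for ipsec.conf ike=/esp= values. The keyword tables and rules below are a subset written from memory of strongSwan's behaviour and are an assumption, not the daemon's own parser; two rules worth knowing are that ";" is never a separator (which is what the asker's line trips over) and that strongSwan rejects an IKE proposal that uses an AEAD cipher like aes256gcm128 without an explicit PRF, so the answer's ike= line still needs one. The post does not say which PRF the WatchGuard side uses, so prfsha256 is used here only as a placeholder to confirm with the VPN administrator.

```python
"""Validator/builder for strongSwan ipsec.conf proposal strings.

Added example; the keyword subset and rules are the editor's assumption of
what strongSwan accepts, not the daemon's parser. Unknown keywords are
reported as such even if strongSwan might know them.
"""
import re

# Assumption: a slice of strongSwan's keyword tables, enough for this post.
AEAD_RE = re.compile(r"^aes(128|192|256)(gcm|ccm)(8|12|16|64|96|128)$|^chacha20poly1305$")
ENCR = {"aes128", "aes192", "aes256", "3des", "camellia128", "camellia256"}
INTEG = {"md5", "sha1", "sha256", "sha384", "sha512", "aesxcbc"}
PRF = {"prf" + i for i in INTEG}          # prfsha256, prfsha384, ...
DH_GROUP_NUMBER = {                        # IANA DH group id -> strongSwan keyword
    "modp1024": 2, "modp1536": 5, "modp2048": 14, "modp3072": 15,
    "modp4096": 16, "modp8192": 18, "ecp256": 19, "ecp384": 20,
    "ecp521": 21, "curve25519": 31,
}


def classify(token):
    """Map one proposal keyword to its role, or 'unknown' if outside the subset."""
    if AEAD_RE.match(token):
        return "aead"
    if token in ENCR:
        return "enc"
    if token in INTEG:
        return "integ"
    if token in PRF:
        return "prf"
    if token in DH_GROUP_NUMBER:
        return "dh"
    return "unknown"


def check_proposal(spec, proto):
    """Check one ike= or esp= value. Returns (ok, problems)."""
    problems = []
    strict = spec.endswith("!")            # '!' means: offer/accept only these
    body = spec[:-1] if strict else spec
    if ";" in body:
        problems.append("';' is not a separator; join algorithms with '-'")
        body = body.replace(";", "-")      # keep going to report the rest
    for prop in body.split(","):           # ',' separates alternative proposals
        roles = {}
        for tok in prop.split("-"):
            roles.setdefault(classify(tok), []).append(tok)
        if "unknown" in roles:
            problems.append(f"{prop}: unknown keyword(s) {roles['unknown']}")
        if not roles.get("aead") and not roles.get("enc"):
            problems.append(f"{prop}: no encryption algorithm")
        if roles.get("aead") and roles.get("integ"):
            problems.append(f"{prop}: AEAD cipher takes no separate integrity algorithm")
        if roles.get("enc") and not roles.get("aead") and not roles.get("integ"):
            problems.append(f"{prop}: non-AEAD cipher needs an integrity algorithm")
        if proto == "ike":
            if roles.get("aead") and not roles.get("prf"):
                problems.append(f"{prop}: IKE with an AEAD cipher needs an explicit PRF")
            if not roles.get("dh"):
                problems.append(f"{prop}: IKE proposal needs a DH group")
        elif roles.get("prf"):
            problems.append(f"{prop}: PRF keywords do not belong in esp=")
    return (not problems, problems)


def proposal_for(proto, cipher, dh_group, prf=None, strict=True):
    """Compose a proposal from the kind of parameters a VPN admin hands out
    (cipher keyword, numeric DH group) and validate it before returning."""
    keyword = {n: kw for kw, n in DH_GROUP_NUMBER.items()}[dh_group]
    parts = [cipher] + ([prf] if proto == "ike" and prf else []) + [keyword]
    spec = "-".join(parts) + ("!" if strict else "")
    ok, problems = check_proposal(spec, proto)
    if not ok:
        raise ValueError("; ".join(problems))
    return spec


if __name__ == "__main__":
    for label, spec, proto in [
        ("question ike=", "aes256gmac;ecp384", "ike"),
        ("answer ike=", "aes256gcm128-ecp384!", "ike"),
        ("answer esp=", "aes256gcm128-ecp384!", "esp"),
    ]:
        print(label, spec, check_proposal(spec, proto))
    # Assumption: prfsha256 is a placeholder; the post does not state the peer's PRF.
    print("ike=" + proposal_for("ike", "aes256gcm16", 20, prf="prfsha256"))
    print("esp=" + proposal_for("esp", "aes256gcm16", 20))
```

Run it as-is to see the asker's string rejected for its ";" and unknown keyword, the answer's ike= rejected only for the missing PRF, and the answer's esp= accepted. aes256gcm16 and aes256gcm128 are the same cipher in strongSwan's notation (a 16-byte, 128-bit ICV).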