StrongSwan 6 beta 5 | Failed to generate a common proposal even though there is an acceptable choice #2048
Comments
The KE algorithm parser goes through the seven KE rounds in one pass only, i.e. first the algorithm of KE1 is determined, then KE2, KE3, ... up to KE7, eliminating duplicate algorithm definitions on the way. You also have to consider the setting of the
which by default is set to
Adding |
@strongX509, does the implementation in the form of 'one pass only' result only from a consideration of optimization? I assume that there are reasons for certain vendors to define proposals in different forms so that the above scenario may happen many times.
RFC 9370 does not specify how the proposed transform algorithms are selected, so we opted for a simpler one pass solution.
StrongSwan 6 beta 5 | Failed to generate a common proposal even though there is an acceptable choice
Logs output:
```
15[NET] received packet: from 172.23.43.14[500] to 172.23.43.12[500] (376 bytes)
15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(IKE_INT_SUP) ]
15[IKE] 172.23.43.14 is initiating an IKE_SA
15[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256/MODP_1536/MODP_1024/KE1_KYBER_L5/KE1_KYBER_L3/KE1_KE_NONE/KE2_KYBER_L3/KE3_KYBER_L1/KE4_KYBER_L5/KE5_KYBER_L5/KE5_KE_NONE/KE6_MODP_6144/KE6_MODP_4096, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
15[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/MODP_1536/MODP_2048/KE1_KYBER_L5/KE1_KE_NONE/KE2_KYBER_L3/KE2_MODP_2048/KE3_KYBER_L1/KE4_KYBER_L5/KE5_KYBER_L1/KE5_KE_NONE/KE6_MODP_3072/KE6_MODP_4096/KE6_MODP_6144/KE6_MODP_8192
15[IKE] received proposals unacceptable
15[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
```
Note that the following choice should be acceptable to both peers:
Encryption: AES_CBC_256
Integrity: HMAC_SHA1_96
PRF: PRF_HMAC_SHA1
KE: MODP_1536
AKE1: KE1_KE_NONE
AKE2: KE2_KYBER_L3
AKE3: KE3_KYBER_L1
AKE4: KE4_KYBER_L5
AKE5: KE5_KE_NONE
AKE6: KE6_MODP_6144
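To make the difference between the maintainer's "one pass only" selection and the choice listed above concrete, here is an added example that is not strongSwan's code and not posted by anyone in the thread. It parses the two proposals exactly as they appear in the log (the first received proposal and the configured one), models the greedy one-pass walk over the transform types with the rule that a key-exchange algorithm other than NONE may be chosen for only one round, and contrasts it with a backtracking search under the same rule. The transform-type grouping, the preference order (first algorithm in the initiator's list that the responder supports) and the uniqueness rule are assumptions made for this example; whether strongSwan's parser behaves exactly like the greedy function is not shown in the thread.

```python
"""Added example (not strongSwan code): greedy one-pass versus backtracking
selection of a common IKE proposal with RFC 9370 additional key exchanges.

Proposal strings use the format strongSwan prints in its log. The transform
type classification, the initiator-order preference and the rule that a
key-exchange algorithm other than NONE is used in at most one round are
assumptions modelling the behaviour described in the issue.
"""

from typing import Dict, List, Optional

# Copied from the log lines in the issue: first received proposal and the
# configured proposal (the "IKE:" prefix dropped).
RECEIVED = ("AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256/MODP_1536/MODP_1024/"
            "KE1_KYBER_L5/KE1_KYBER_L3/KE1_KE_NONE/KE2_KYBER_L3/KE3_KYBER_L1/"
            "KE4_KYBER_L5/KE5_KYBER_L5/KE5_KE_NONE/KE6_MODP_6144/KE6_MODP_4096")
CONFIGURED = ("AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/MODP_1536/MODP_2048/"
              "KE1_KYBER_L5/KE1_KE_NONE/KE2_KYBER_L3/KE2_MODP_2048/KE3_KYBER_L1/"
              "KE4_KYBER_L5/KE5_KYBER_L1/KE5_KE_NONE/KE6_MODP_3072/KE6_MODP_4096/"
              "KE6_MODP_6144/KE6_MODP_8192")

KE_PREFIXES = ("MODP_", "ECP_", "CURVE_", "KYBER_", "KE_NONE")
# Order in which the one-pass selector fixes the transform types (KE1..KE7 last).
TYPE_ORDER = ["ENCR", "INTEG", "PRF", "KE"] + [f"AKE{i}" for i in range(1, 8)]


def transform_type(alg: str) -> str:
    """Classify an algorithm name into its transform type (assumed rules)."""
    if len(alg) > 3 and alg[:2] == "KE" and alg[2].isdigit() and alg[3] == "_":
        return "AKE" + alg[2]          # additional key exchange round KEn
    if alg.startswith("PRF_"):
        return "PRF"
    if alg.startswith(("HMAC_", "AUTH_")):
        return "INTEG"
    if alg.startswith(KE_PREFIXES):
        return "KE"
    return "ENCR"


def parse(proposal: str) -> Dict[str, List[str]]:
    """Split a logged proposal into ordered algorithm lists per transform type.

    Additional-KE entries lose their "KEn_" prefix so that the same algorithm
    proposed in different rounds compares equal (needed for the uniqueness rule).
    """
    by_type: Dict[str, List[str]] = {}
    for alg in proposal.split("/"):
        ttype = transform_type(alg)
        if ttype.startswith("AKE"):
            alg = alg[4:]
        by_type.setdefault(ttype, []).append(alg)
    return by_type


def is_ke(ttype: str) -> bool:
    return ttype == "KE" or ttype.startswith("AKE")


def candidates(ttype: str, recv: Dict[str, List[str]], conf: Dict[str, List[str]]) -> List[str]:
    """Algorithms of one type the initiator offers, in its order, that we also support."""
    ours = set(conf.get(ttype, []))
    return [a for a in recv.get(ttype, []) if a in ours]


def select_one_pass(recv: Dict[str, List[str]], conf: Dict[str, List[str]]) -> Optional[Dict[str, str]]:
    """Greedy walk: fix each transform type once and never revisit a choice."""
    chosen: Dict[str, str] = {}
    used = set()                     # non-NONE key exchanges already taken by a round
    for ttype in TYPE_ORDER:
        if ttype not in recv and ttype not in conf:
            continue                 # round proposed by neither side
        pick = None
        for alg in candidates(ttype, recv, conf):
            if not is_ke(ttype) or alg == "KE_NONE" or alg not in used:
                pick = alg
                break
        if pick is None:
            return None              # nothing left for this type: NO_PROPOSAL_CHOSEN
        chosen[ttype] = pick
        if is_ke(ttype) and pick != "KE_NONE":
            used.add(pick)
    return chosen


def select_backtracking(recv: Dict[str, List[str]], conf: Dict[str, List[str]]) -> Optional[Dict[str, str]]:
    """Same candidate lists and uniqueness rule, but earlier rounds are revisited
    when a later round runs out of options."""
    types = [t for t in TYPE_ORDER if t in recv or t in conf]

    def solve(i: int, chosen: Dict[str, str], used: set) -> Optional[Dict[str, str]]:
        if i == len(types):
            return dict(chosen)
        ttype = types[i]
        for alg in candidates(ttype, recv, conf):
            takes_slot = is_ke(ttype) and alg != "KE_NONE"
            if takes_slot and alg in used:
                continue
            chosen[ttype] = alg
            if takes_slot:
                used.add(alg)
            result = solve(i + 1, chosen, used)
            if result is not None:
                return result
            if takes_slot:
                used.discard(alg)
            del chosen[ttype]
        return None

    return solve(0, {}, set())


if __name__ == "__main__":
    recv, conf = parse(RECEIVED), parse(CONFIGURED)
    print("one pass    :", select_one_pass(recv, conf))
    print("backtracking:", select_backtracking(recv, conf))
```

The greedy walk takes KYBER_L5 for KE1 (it is the initiator's first KE1 choice that the responder supports), which leaves nothing for KE4, whose only offered algorithm is KYBER_L5 on both sides; the backtracking search steps back to KE1, picks KE_NONE there and arrives at exactly the combination listed above. The second received proposal in the log (MODP_1024 without any additional key exchange) is not modelled.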