I tried already adding the following line to my ipsec.conf: ike = AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
But as expected, this did not work because the syntax for specifying the ciphers is different from the syntax for the actually used proposals. I searched half the day for sort of a translation table or translation aid before I gave up and simply patched the sources. That said, what would be the correct ike directive for getting charon simply to accept the above proposal? Thank you ver much Rolf Jansen > Am 18.03.2018 um 20:01 schrieb Noel Kuntze > <noel.kuntze+strongswan-users-ml@thermi.consulting>: > > Hello, > > I know that everything looks like a nail, if you only got a hammer, but you > only needed to add a corresponding ike and/or esp line in ipsec.conf to > configure the right ciphers for that particular IKE SA configuration. The > ciphers were removed because they were insecure and now there's an RFC for > that. Take a look at the UsableExamples page. > > Kind regards > > Noel > > On 18.03.2018 23:48, Dr. Rolf Jansen wrote: >> I am still using an iPhone 4 with iOS 7.1.2 which cannot be updated to a >> more recent iOS. >> >> When I am on travel, I use the builtin L2TP/IPsec client in order to connect >> to my FreeBSD home server providing the respective VPN service via net/mpd5 >> + security/strongswan (both of which are installed from the ports >> collection). >> >> After a recent update from strongSwan 5.6.0 to v5.6.2, my iPhone 4 cannot >> connect anymore. In the server's log I see: >> >> Mar 18 18:33:05 example charon: 15[CFG] received proposals: >> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, >> IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, >> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, >> IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, >> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, >> IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024 >> Mar 18 18:33:05 example charon: 15[CFG] configured proposals: >> IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_3072, >> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, >> >> IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048 >> Mar 18 18:33:05 example charon: 15[IKE] no proposal found >> >> >> I dug into the strongSwan sources, and I found, that some ciphers were >> disabled. As a hot fix I added on my FreeBSD server a patch file to >> /usr/ports/security/strongswan/files/patch-zz-add-classic-ciphers.local (s. >> attachment), then I executed make deinstall install clean. For the time >> being, this restored the iPhone 4 L2TP/IPsec connectivity. >> >> I know the iPhone 4 is almost 8 years old, however, mine looks like I bought >> it yesterday, and the battery is still in a perfect shape, and I don't want >> to buy a new one in the foreseeable future. Please may I ask to pick the >> best cipher from the above list which iOS 7.1.2 is aware of, and add it to >> the list of proposals which strongSwan wants to accept. >> >> Best regards >> >> Rolf Jansen >> >
