Recent change by Maris in Wiki, 6 June 2017

I regularly look at the changes in the Wiki to see what is changing. I noticed this change by Maris and am puzzled by it:

When connecting Android StrongSwan clients, make sure that on RouterOS proposal settings DH group is disabled, otherwise phase2 will fail.

When I go to Proposal in IPSEC, the only thing I see that it could be is PFS Group (perfect forward secrecy), and using Android StrongSwan I have no connection problem on IKE2 whether I have selected “none” or a value.

Clicking around on this wiki entry I also saw this:

auth-algorithms (md5|sha1|null|sha256|sha512; Default: sha1) Allowed algorithms for authorization. sha1 is stronger, but slower algorithm.

and I assume that SHA1 is stronger than md5 and null, but is it also stronger than sha256 and sha512 (SHA2)? I looked at this other wiki for more information: https://en.wikipedia.org/wiki/SHA-1

After a recent upgrade (strongswan 5.5.1rc) was unable to connect with PFS enabled; one of the older strongswan versions that we used had no problems, just as you mentioned.

Thanks for updating the SHA1 part. On the PFS Group, I understand that it also works with no value and so it will also be working in the next version of StrongSwan. Excellent work!

I diffused by writing about another piece of information about using the same names in the Wiki as in the RouterOS screen. You write “DH group” and “disable”; the interface states “PFS Group” and as value “None” or a number. This does not match up and leads to misunderstandings.

I can deduce what you mean and convert it to what it is in the interface, but only after I went through all the tabs under IPSEC to be sure that there was not another setting in there.