Sorry for the delayed response, I think I have a new cloud spam filter that blocked the email notification from this site, and I only received the email notification at 6:00am this morning.
You seem to have a collection of secrets files from multiple connections that haven't been cleaned up when the corresponding connection is stopped. Issue the following to clean things up:
sudo rm -f /etc/ipsec.d/nm-l2tp-ipsec-*.secrets
The following two lines of ./ike-scan.sh look interesting:
SA=(Enc=AES KeyLength=128 Hash=SHA1 Group=19 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=20 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
ike-scan isn't providing the names for Diffie-Hellman groups 19 and 20, but they are listed on the following page: https://wiki.strongswan.org/projects/strongswan/wiki/IKEv1CipherSuites
19 is ecp256 and 20 is ecp384; I've never encountered them before. So for phase 1 and 2 I would recommend:
Phase 1 : aes256-sha1-ecp384,aes128-sha1-ecp256,3des-sha1-modp1024
Phase 2 : aes256-sha1,aes128-sha1,3des-sha1
You could also try overriding and not just supplementing the default algorithms by putting an exclamation mark at the end, e.g.:
Phase 1 : aes256-sha1-ecp384,aes128-sha1-ecp256,3des-sha1-modp1024!
Phase 2 : aes256-sha1,aes128-sha1,3des-sha1!
Also note there is no guarantee that phase 2 is based on the algorithms used in phase 1, just that it is the most common approach to do so. Unfortunately it isn't possible to use ike-scan to query phase 2.
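As an added illustration (not code from this thread or from NetworkManager-l2tp), the following Python helper does by script what the reply above does by hand: it parses ike-scan SA= lines into strongSwan phase 1 and phase 2 proposal strings, with the optional trailing "!" for overriding the defaults. The DH group table goes beyond the two groups named here to the other IANA group numbers, the sample ike-scan output is constructed (the thread's two lines plus one 3DES transform), and the weak-transform check is an extra review aid, not something the reply suggests.

```python
import re

# Constructed ike-scan output: the two SA= lines quoted in the reply plus a 3DES transform.
IKE_SCAN_OUTPUT = """\
SA=(Enc=AES KeyLength=128 Hash=SHA1 Group=19 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=20 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=3DES Hash=SHA1 Group=2 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
"""

# IANA IKE DH group numbers -> strongSwan keyword names (19 and 20 are the ones from the thread).
DH_GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048", 15: "modp3072",
             16: "modp4096", 19: "ecp256", 20: "ecp384", 21: "ecp521"}
# ike-scan hash labels -> strongSwan integrity keywords.
HASHES = {"MD5": "md5", "SHA1": "sha1", "SHA2-256": "sha256", "SHA2-384": "sha384", "SHA2-512": "sha512"}
# Components worth flagging for review before copying a proposal into a new configuration.
WEAK = {"des", "3des", "md5", "modp768", "modp1024"}

SA_RE = re.compile(r"SA=\((.*)\)")
KV_RE = re.compile(r"(\w+)=([\w-]+)")

def parse_sa_lines(text):
    """Return one dict of key=value fields per SA=(...) line in ike-scan output."""
    return [dict(KV_RE.findall(m.group(1)))
            for m in (SA_RE.search(line) for line in text.splitlines()) if m]

def transform_name(fields):
    """Map one parsed transform to (enc, hash, dh) in strongSwan spelling, e.g. aes256/sha1/ecp384."""
    enc = fields["Enc"].lower() + fields.get("KeyLength", "")   # AES + 256 -> aes256, 3DES -> 3des
    hsh = HASHES.get(fields["Hash"], fields["Hash"].lower())
    dh = DH_GROUPS.get(int(fields["Group"]), "unknowngroup" + fields["Group"])
    return enc, hsh, dh

def proposals(text, strict=False):
    """Build the phase 1 (with DH group) and phase 2 (without) strings; strict=True appends '!'."""
    p1, p2 = [], []
    for fields in parse_sa_lines(text):
        enc, hsh, dh = transform_name(fields)
        if f"{enc}-{hsh}-{dh}" not in p1:
            p1.append(f"{enc}-{hsh}-{dh}")
        if f"{enc}-{hsh}" not in p2:          # phase 2 is the same transform minus the DH group
            p2.append(f"{enc}-{hsh}")
    suffix = "!" if strict else ""          # '!' replaces rather than supplements the defaults
    return ",".join(p1) + suffix, ",".join(p2) + suffix

def weak_transforms(text):
    """List phase 1 transforms containing a component from WEAK, so they can be reviewed before use."""
    return [f"{e}-{h}-{d}" for e, h, d in map(transform_name, parse_sa_lines(text)) if {e, h, d} & WEAK]
```

Running `proposals(IKE_SCAN_OUTPUT, strict=True)` on the constructed output reproduces the two "!"-terminated lines from the reply (in the order the server listed them), and `weak_transforms` singles out the 3DES/modp1024 entry.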