[Pkg-swan-devel] Bug#883072: strongswan-libcharon: Upgrade to 5.6.1-2 changed cypher proposals, can't connect to VPN anymore

Luca Niccoli lultimouomo at gmail.com
Wed Nov 29 09:54:53 UTC 2017


Package: strongswan-libcharon
Version: 5.6.1-2
Severity: normal

Dear Maintainer,

I've recently upgraded from strongswan 5.6.0-2 to 5.6.1-2, and two
of my existing VPN configurations, pointing to pfSense servers, stopped
working with an "Invalid secrets" error.
Digging in the computer and pfSense logs, I found that the needed
aes256-sha256-prfsha256-modp1024 proposal, which was previously offered
by the initiator, was not offered anymore.
I use the network-manager interface, so I added it back as a custom
proposal in the VPN settings window, and the VPN connection started
working again.

The pfSense IPsec VPN is configured following the official tutorial
on the pfSense Wiki, and my understanding is that it's the required
configuration for having the VPN be accessible by Linux, Windows and
macOS, so I think this change could break existing VPN configurations
for several people.
Is there a specific reason the default cipher proposal by
strongswan doesn't offer aes256-sha256-prfsha256-modp1024 anymore?
Would it be possible to add it back? 

Best,

Luca

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages strongswan-libcharon depends on:
ii  libc6          2.25-1
ii  libstrongswan  5.6.1-2

strongswan-libcharon recommends no packages.

Versions of packages strongswan-libcharon suggests:
ii  libcharon-extra-plugins  5.6.1-2

-- no debconf information
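
Added example (not part of the original report, and not strongSwan or pfSense code): a sketch that checks a responder's required IKE proposal against an initiator's offered proposals and names the transform types with no algorithm in common. The offered lists are constructed for illustration and are not the defaults of any strongSwan version; the keyword classifier is a simplified assumption covering only common keywords.

```python
import re

TYPES = [  # checked in order: "prfsha256" must hit PRF before integrity
    ("prf", re.compile(r"^prf")),
    ("dh", re.compile(r"^(modp|ecp|curve)\d+")),
    ("integ", re.compile(r"^(sha\d+|md5|aesxcbc)")),
    ("encr", re.compile(r"^(aes\d+|3des|camellia\d+|chacha20poly1305)")),
]

def parse(proposal):
    """Split 'aes256-sha256-prfsha256-modp1024' into {type: {keywords}}."""
    out = {}
    for kw in proposal.lower().split("-"):
        for name, rx in TYPES:
            if rx.match(kw):
                out.setdefault(name, set()).add(kw)
                break
        else:
            raise ValueError(f"unclassified keyword: {kw}")
    return out

def mismatches(offered, required):
    """Transform types with no algorithm in common between two proposals."""
    a, b = parse(offered), parse(required)
    return sorted(t for t in a.keys() | b.keys()
                  if not a.get(t, set()) & b.get(t, set()))

def diagnose(offered_list, required):
    """Return (first matching offer or None, {offer: [mismatched types]})."""
    report = {o: mismatches(o, required) for o in offered_list}
    match = next((o for o, miss in report.items() if not miss), None)
    return match, report

# Responder requirement, taken from the report above.
REQUIRED = "aes256-sha256-prfsha256-modp1024"
# Constructed initiator offers, NOT the real strongSwan 5.6.0 or 5.6.1 defaults.
OFFER_A = ["aes128-aes256-sha256-sha384-prfsha256-prfsha384-modp2048-modp1024"]
OFFER_B = ["aes128-aes256-sha256-sha384-prfsha256-prfsha384-ecp256-modp2048",
           "aes256gcm16-prfsha256-ecp256"]

if __name__ == "__main__":
    for label, offers in (("A", OFFER_A), ("B", OFFER_B)):
        match, report = diagnose(offers, REQUIRED)
        print(label, "match:", match)
        for offer, miss in report.items():
            print("   ", offer, "-> no common:", miss or "none")
```

To use it on a real failure, replace the constructed offers with the proposals the initiator and responder actually log for the failed negotiation.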
