[strongSwan] Strong swan IKE issue.

Andrii Petrenko aplsms at gmail.com
Tue Mar 20 16:07:12 CET 2018


Hello Tobias,

Thank you for details.
I’ve already tested with

esp=aes256-sha1!
esp=aes128-sha1! 
esp=3des-md5! 

No luck.  Requested logs and configs from ASA by

debug crypto ikev1 127 
debug crypto ipsec 127 

show crypto ipsec sa

Thank you,

Andrii Petrenko
aplsms at gmail.com

> On Mar 20, 2018, at 12:45 AM, Tobias Brunner <tobias at strongswan.org> wrote:
> 
> Hi Andrii,
> 
> ike-scan won't help you here as it only reports on Phase 1 (IKE SA), but
> your problem is during Phase 2 (Quick Mode, IPsec SA).
> 
>> Remote side is not supporting pfs.
>> 
>> IKE Phase One Parameters:	
>> Encryption Algorithm: 	AES 256
>> Hash Algorithm: 	SHA
>> Authentication Method:	Pre-shared key
>> Key Exchange:	Diffie Hellman Group 5
>> IKE SA Lifetime: 	86400 (Cisco default)
>> 	
>> IKE Phase Two Parameters (IPSEC):	
>> Authentication:	ESP with SHA-HMAC
>> Encryption Algorithm: 	ESP-AES 256
>> SA Establishment: 	ipsec-isakmp (IKE negotiated)
>> IPSEC Mode	Tunnel (Cisco default)
>> IPSEC SA Lifetime (time)	3600 seconds
>> IPSEC SA Lifetime (volume) 	4608000 kilobytes
>> PFS (Perfect Forward Secrecy)	No
>> 	
>> Optional encryption if requirements differ from above:	
>> esp-3des esp-md5-hmac	
>> esp-aes 256 esp-sha-hmac	
>> esp-aes 128 esp-sha-hmac	
>> 
>> This information I have from remote side. 
> 
> Looks like esp=aes256-sha1! should be correct then.  You could also try
> esp=aes128-sha1! or esp=3des-md5! (not recommended though).  And if this
> doesn't work, ask the remote admins for the correct settings (they
> should see in the log why the proposal was rejected).
> 
>> Is it possible to see what the remote side offers?
> 
> No (unless you do what ike-scan does i.e. try a number of possible
> combinations).
> 
> Regards,
> Tobias

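For reference, here is how the ASA parameters quoted above map onto a strongSwan ipsec.conf connection. This is an added example written for this thread, not a configuration posted by either participant; the connection name, peer address and subnets are placeholders. Phase 1 becomes the ike= line (DH group 5 is modp1536), Phase 2 becomes the esp= line, and because the remote side does not support PFS the esp= proposal must carry no DH group at all. The "!" makes each proposal strict, which is what Tobias suggested. What the ASA calls esp-sha-hmac is sha1 (HMAC-SHA1-96) in strongSwan terms.

```conf
# ipsec.conf fragment for strongSwan's legacy starter, which is what handles
# keyexchange=ikev1.  Added example for this thread, not the poster's config.
# Connection name, addresses and subnets below are placeholders.

config setup
    # Raise IKE and config logging so a rejected Quick Mode proposal
    # (received vs. configured proposals) is visible in the charon log.
    charondebug="ike 2, cfg 2"

conn asa-peer
    keyexchange=ikev1
    authby=secret

    # Phase 1 (IKE SA): AES-256, SHA-1, DH group 5 (modp1536), 86400 s lifetime
    ike=aes256-sha1-modp1536!
    ikelifetime=24h

    # Phase 2 (IPsec SA): ESP AES-256 with HMAC-SHA1, 3600 s lifetime.
    # PFS is off on the ASA, so no DH group is listed in the ESP proposal.
    esp=aes256-sha1!
    lifetime=1h
    type=tunnel

    # placeholder local side
    left=%defaultroute
    leftsubnet=10.0.1.0/24
    # placeholder ASA address and the subnet behind it
    right=198.51.100.1
    rightsubnet=10.0.2.0/24
    auto=add
```

The pre-shared key for the peer goes into ipsec.secrets as a PSK entry keyed on the ASA address. If the tunnel still fails with this in place, the charon log at this debug level shows the Quick Mode proposal strongSwan sent next to what it accepts, and the ASA side's "debug crypto ipsec" output shows which attribute (transform, lifetime, or proxy identities) the ASA rejected, which is the information Tobias suggested asking the remote admins for.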