<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:arial, helvetica, sans-serif;font-size:12pt"><div><br></div><div>That is quite definitive. :-) And I'm not crazy. We will go back and address our mocana implementation.</div><div><br></div><div>Thank you very much for your help.</div><div><br></div><div>Bill</div><div><br></div><div style="font-family:arial, helvetica, sans-serif;font-size:12pt"><br><div style="font-family:arial, helvetica, sans-serif;font-size:13px"><font size="2" face="Tahoma"><hr size="1"><b><span style="font-weight: bold;">From:</span></b> Andreas Steffen <andreas.steffen@strongswan.org><br><b><span style="font-weight: bold;">To:</span></b> William Greene <wgreene9617@yahoo.com><br><b><span style="font-weight: bold;">Cc:</span></b> users@lists.strongswan.org<br><b><span style="font-weight: bold;">Sent:</span></b> Mon, November 15, 2010 2:56:18
PM<br><b><span style="font-weight: bold;">Subject:</span></b> Re: [strongSwan] No acceptable DIFFIE_HELLMAN_GROUP found<br></font><br>
Hi Bill,<br><br>the error message on the Mocana side is:<br><br> AUTH_ALG missing<br><br>Section 8 "IKEv2 Algorithm Selection" of RFC 5282<br><br><span> <a target="_blank" href="http://tools.ietf.org/html/rfc5282#section-8">http://tools.ietf.org/html/rfc5282#section-8</a></span><br><br>explicitly states:<br><br> This document updates [RFC4306] to<br> require that when an authenticated encryption algorithm is selected<br> as the encryption algorithm for any SA (IKE or ESP), an integrity<br> algorithm MUST NOT be selected for that SA.<br><br>Thus Mocana probably does not implement RFC 5282 correctly by<br>expecting an authentication algorithm.<br><br>Kind regards<br><br>Andreas<br><br>On 11/15/2010 08:09 PM, William Greene wrote:<br>> Andreas,<br>> <br>> My apologies as my last email was incorrect. My test set up got<br>> blinkered some how and the error TS_UNACCEPTABLE was well...
incorrect.<br>> <br>> I have fixed my set up and I'm back to getting "received<br>> NO_PROPOSAL_CHOSEN notify, no CHILD_SA built", but it is now getting<br>> farther. Your previous suggestion of using<br>> "esp=aes256gcm16-modp1024-modp2048,aes128gcm16-modp1024-modp2048!"<br>> solved my "no acceptable DIFFIE_HELLMAN_GROUP found". But still the<br>> ipsec connect eludes me.<br>> <br>> On the mocana side I can see in the logs:<br>> <br>> I --><br>> Notify: USE_TRANSPORT_MODE<br>> TSi: 10.168.65.1 icmp<br>> TSr: 10.168.80.8 icmp<br>> spi={1f4d8f80069c25cf 6cfe69d01046128a} np=E{N}<br>> exchange=CREATE_CHILD_SA msgid=1 len=396<br>> SEND 396 bytes to 10.168.80.8[500] (2229.766)<br>> <br>> RECV 348 bytes from 10.168.80.8[500] at 10.168.65.1 (2229.794)<br>> spi={1f4d8f80069c25cf 6cfe69d01046128a} np=E{N}<br>>
exchange=CREATE_CHILD_SA msgid=1 len=348<br>> I <--<br>> Notify: USE_TRANSPORT_MODE<br>> Proposal #1: ESP[3] spi=ca883928<br>> ENCR_AES_GCM_16 256-BITS<br>> DH_2<br>> ESN_0<br>> *AUTH_ALG missing*<br>> CHILD_SA failed [v2 I], status = -8961<br>> <br>> <br>> The mocana side is configured for gcm and sha256. I've tried inserting<br>> "-sha256" to the esp line in Strongswan's ipsec.conf file and restarting<br>> ipsec. No luck as sha265 never shows up in the proposals. I've tried<br>> setting both sides to use sha1, but have the same negative result. The<br>> log from the StrongSwan side:<br>> <br>> Nov 15 13:48:18 05[CFG] received proposals:<br>>
ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/HMAC_SHA1_96/MODP_1024/MODP_768/MODP_1536/MODP_2048/MODP_NONE/NO_EXT_SEQ<br>> Nov 15 13:48:18 05[CFG] configured proposals:<br>> ESP:AES_GCM_16_256/MODP_1024/MODP_2048/NO_EXT_SEQ<br>> Nov 15 13:48:18 05[CFG] selected proposal:<br>> ESP:AES_GCM_16_256/MODP_1024/NO_EXT_SEQ<br>> <br>> If I set the mocana side for gcm and any, the ipsec connection comes up<br>> fine and dandy. So obviously I must be misconfiguring the StrongSwan<br>> side? How do I specify in the ipsec.conf file for the connection to use<br>> some version of sha, preferably sha256?<br>> <br>> <br>> Thanks again for all your help and patience,<br>> Bill<br>> <br><br>======================================================================<br>Andreas Steffen <a
ymailto="mailto:andreas.steffen@strongswan.org" href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a><br>strongSwan - the Linux VPN Solution! <a target="_blank" href="http://www.strongswan.org">www.strongswan.org</a><br>Institute for Internet Technologies and Applications<br>University of Applied Sciences Rapperswil<br>CH-8640 Rapperswil (Switzerland)<br>===========================================================[ITA-HSR]==<br></div></div><div style="position:fixed"></div>
</div><br>
</body></html>