<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:arial, helvetica, sans-serif;font-size:12pt"><div style="color: black; font-family: arial, helvetica, sans-serif; font-size: 12pt; "><br></div><div style="color: black; font-family: arial, helvetica, sans-serif; font-size: 12pt; ">Thank you Andreas for your quick reply. Your suggestion did do something as I'm getting a different error now: TS_UNACCEPTABLE. I've been unable to glean anything so far from the mailing list concerning this error and a host to host setup such as mine. I'm including some more log information. </div><div style="color: black; font-family: arial, helvetica, sans-serif; font-size: 12pt; "><br></div><div style="color: black; font-family: arial, helvetica, sans-serif; font-size: 12pt; ">Thanks again in advance for comments or suggestions anyone may have.</div><div style="color: black; font-family:
arial, helvetica, sans-serif; font-size: 12pt; "><br></div><div style="color: black; font-family: arial, helvetica, sans-serif; font-size: 12pt; "><br></div><div style="color: black; font-family: arial, helvetica, sans-serif; font-size: 12pt; "><br></div><div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">[root@KAP8 etc]# ipsec up testipsec</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">initiating IKE_SA testipsec[3] to 10.168.65.1</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">sending packet: from 10.168.80.8[500] to 10.168.65.1[500]</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">received packet: from 10.168.65.1[500] to 10.168.80.8[500]</font></div><div><font
class="Apple-style-span" face="arial, helvetica, sans-serif">parsed IKE_SA_INIT response 0 [ N(COOKIE) ]</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">initiating IKE_SA testipsec[3] to 10.168.65.1</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">generating IKE_SA_INIT request 0 [ N(COOKIE) SA KE No N(NATD_S_IP) N(NATD_D_IP) ]</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">sending packet: from 10.168.80.8[500] to 10.168.65.1[500]</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">received packet: from 10.168.65.1[500] to 10.168.80.8[500]</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">received cert request for unknown ca
with keyid 00:00:00:00:00:00:00:02:00:14:00:00:10:04:d9:b8:10:04:d9:b8</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">authentication of '10.168.80.8' (myself) with pre-shared key</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">establishing CHILD_SA testipsec</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">generating IKE_AUTH request 1 [ IDi IDr AUTH N(USE_TRANSP) SA TSi TSr N(EAP_ONLY) ]</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">sending packet: from 10.168.80.8[500] to 10.168.65.1[500]</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">received packet: from 10.168.65.1[500] to 10.168.80.8[500]</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">parsed IKE_AUTH response 1 [ IDr AUTH N(TS_UNACCEPT) ]</font></div><div><font
class="Apple-style-span" face="arial, helvetica, sans-serif">authentication of '10.168.65.1' with pre-shared key successful</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">IKE_SA testipsec[3] established between 10.168.80.8[10.168.80.8]...10.168.65.1[10.168.65.1]</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">scheduling reauthentication in 3315s</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">maximum IKE_SA lifetime 3495s</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">received TS_UNACCEPTABLE notify, no CHILD_SA built</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">[root@KAP8 etc]# </font></div><div><span class="Apple-style-span" style="font-family: arial, helvetica, sans-serif; "><br></span></div><div><span class="Apple-style-span" style="font-family: arial, helvetica,
sans-serif; "><br></span></div><div><span class="Apple-style-span" style="font-family: arial, helvetica, sans-serif; ">From Mocana log:</span></div><div><span class="Apple-style-span" style="font-family: arial, helvetica, sans-serif; "><br></span></div><div><span class="Apple-style-span" style="font-family: arial, helvetica, sans-serif; ">RECV 832 bytes from 10.168.80.8[500] at 10.168.65.1 (7376.217)</span></div><div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> spi={8562d7f0575052dd 0000000000000000} np=SA</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> exchange=IKE_SA_INIT msgid=0 len=832</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> <-- R</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> Notify: COOKIE</font></div><div><font class="Apple-style-span" face="arial, helvetica,
sans-serif">SEND 56 bytes to 10.168.80.8[500] (7376.226)</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"><br></font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">RECV 860 bytes from 10.168.80.8[500] at 10.168.65.1 (7376.257)</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> spi={8562d7f0575052dd 0000000000000000} np=N</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> exchange=IKE_SA_INIT msgid=0 len=860</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> --> R</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> Notify: COOKIE</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> Proposal #1: IKE[4]</font></div><div><font class="Apple-style-span" face="arial, helvetica,
sans-serif"> ENCR_AES 128-BITS</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> AUTH_HMAC_SHA1_96</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> PRF_HMAC_SHA1</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> DH_14</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"><br></font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">==> ../Log/kern.log <==</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">Nov 15 14:40:40 cep kernel: 0:ipsec_ioctl[638]: 0:cmd = 0x3eb, value = 0x040432000:</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"><br></font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">==>
../Log/nanosec-ike.log <==</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> Notify: NAT_DETECTION_SOURCE_IP</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> Notify: NAT_DETECTION_DESTINATION_IP</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> SKEYSEED (20 bytes): 88aa0565daa02dff1febbbc10db446c589d3b0cb</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> SK_d (20 bytes): 26d9261618cce7954e12fc0dce541570b9bbb918</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> SK_ai (20 bytes): b86be01177a21425d8fc201a906af39f4f440ebf</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> SK_ar (20 bytes): 0c439701fa8c24baa96702135e1a440df477066d</font></div><div><font
class="Apple-style-span" face="arial, helvetica, sans-serif"> SK_ei (16 bytes): a776670d396e0c025b53f22600bbd3a1</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> SK_er (16 bytes): ac5e03572862a9b79fae695b5f908186</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> SK_pi (20 bytes): 65f4333cfbf0dbff972b45f08cc67ff2dd0e1f9b</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> SK_pr (20 bytes): 11d33c98f572ee0e700ddf72252dda67cd86913e</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> <-- R</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> NAT_D (us): 6c 9e 3c b8 79 6a a9 3e a5 51 9b 39 f6 96 0f fa </font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">35 01
c5 53 </font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> NAT_D (peer): d5 55 de cb 72 4c d6 42 b3 55 31 b1 af e6 b5 17 </font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">3e ea aa ec </font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">SEND 441 bytes to 10.168.80.8[500] (7379.93)</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"><br></font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">RECV 252 bytes from 10.168.80.8[500] at 10.168.65.1 (7379.128)</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> spi={8562d7f0575052dd 382c78998f61cd73} np=E{IDi}</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> exchange=IKE_AUTH msgid=1 len=252</font></div><div><font class="Apple-style-span"
face="arial, helvetica, sans-serif"> --> R</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> Notify: USE_TRANSPORT_MODE</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> TSi: 10.168.80.8</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> TSr: 10.168.65.1</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> Notify: 16417</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> prf(SK_pi,IDi') (20 bytes): 45ed7f17efa2d727ac3f0416ccd83493977c8676</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> prf(SS,"*") (20 bytes): 6a3dc0ae9834bef9e35ebac3ac23f02f78c5f93b</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> AUTH_i 91
19 66 53 b1 0e 98 5d 00 9b 56 c3 60 43 ba ff </font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">99 79 d1 ff </font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> Proposal #1: ESP[2] spi=c9b5ce4d</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> ENCR_AES_GCM_16 256-BITS</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> ESN_0</font></div><div><span class="Apple-style-span" style="font-family: arial, helvetica, sans-serif; "> <-- R</span></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> prf(SK_pr,IDr') (20 bytes): d1d6c3d9ee6e3273d0d4ab9580a7e2e0935840c6</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> prf(SS,"*") (20 bytes):
6a3dc0ae9834bef9e35ebac3ac23f02f78c5f93b</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> AUTH_r f6 a0 7c e5 dd 18 4b be c9 dc 06 de c7 c7 41 2d </font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">da 22 88 bc </font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> Notify: TS_UNACCEPTABLE (ESP spi=c9b5ce4d)</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">SEND 124 bytes to 10.168.80.8[500] (7379.182)</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> IKE_SA Created [v2 R](id=0xbd946a9e)</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> CHILD_SA failed [v2 R], status = -8855</font></div><div style="font-family: arial, helvetica, sans-serif; "><br></div></div><div style="font-family: arial, helvetica,
sans-serif; "><br></div><div style="font-family: arial, helvetica, sans-serif; "><br></div><div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">[root@KAP8 etc]# cat ipsec.conf</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"># ipsec.conf - strongSwan IPsec configuration file</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"><br></font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"># basic configuration</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"><br></font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">config setup</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="arial, helvetica, sans-serif"> </font></span><font class="Apple-style-span" face="arial, helvetica, sans-serif">#
plutodebug=all</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="arial, helvetica, sans-serif"> </font></span><font class="Apple-style-span" face="arial, helvetica, sans-serif"># crlcheckinterval=600</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="arial, helvetica, sans-serif"> </font></span><font class="Apple-style-span" face="arial, helvetica, sans-serif"># strictcrlpolicy=yes</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="arial, helvetica, sans-serif"> </font></span><font class="Apple-style-span" face="arial, helvetica, sans-serif"># cachecrls=yes</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="arial, helvetica, sans-serif"> </font></span><font class="Apple-style-span" face="arial, helvetica, sans-serif">#
nat_traversal=yes</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="arial, helvetica, sans-serif"> </font></span><font class="Apple-style-span" face="arial, helvetica, sans-serif"># charonstart=no</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="arial, helvetica, sans-serif"> </font></span><font class="Apple-style-span" face="arial, helvetica, sans-serif">plutostart=no</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"><br></font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"># Add connections here.</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"><br></font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">conn %default</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font
class="Apple-style-span" face="arial, helvetica, sans-serif"> </font></span><font class="Apple-style-span" face="arial, helvetica, sans-serif">ikelifetime=60m</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="arial, helvetica, sans-serif"> </font></span><font class="Apple-style-span" face="arial, helvetica, sans-serif">keylife=20m</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="arial, helvetica, sans-serif"> </font></span><font class="Apple-style-span" face="arial, helvetica, sans-serif">rekeymargin=3m</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="arial, helvetica, sans-serif"> </font></span><font class="Apple-style-span" face="arial, helvetica, sans-serif">keyingtries=1</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span"
face="arial, helvetica, sans-serif"> </font></span><font class="Apple-style-span" face="arial, helvetica, sans-serif">mobike=no</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="arial, helvetica, sans-serif"> </font></span><font class="Apple-style-span" face="arial, helvetica, sans-serif">authby=secret</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="arial, helvetica, sans-serif"> </font></span><font class="Apple-style-span" face="arial, helvetica, sans-serif">keyexchange=ikev2</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="arial, helvetica, sans-serif"> </font></span><font class="Apple-style-span" face="arial, helvetica, sans-serif">#ike=aes256-sha256-ecp256,aes128-sha256-ecp256!</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span"
face="arial, helvetica, sans-serif"> </font></span><font class="Apple-style-span" face="arial, helvetica, sans-serif">#esp=aes256gcm16,aes128gcm16!</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="arial, helvetica, sans-serif"> </font></span><font class="Apple-style-span" face="arial, helvetica, sans-serif">esp=aes256gcm16-modp1024-modp2048,aes128gcm16-modp1024-modp2048!</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"><br></font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">conn testipsec</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="arial, helvetica, sans-serif"> </font></span><font class="Apple-style-span" face="arial, helvetica, sans-serif">type=transport </font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span"
face="arial, helvetica, sans-serif"> </font></span><font class="Apple-style-span" face="arial, helvetica, sans-serif">left=10.168.80.8</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="arial, helvetica, sans-serif"> </font></span><font class="Apple-style-span" face="arial, helvetica, sans-serif">#leftprotoport=icmp</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="arial, helvetica, sans-serif"> </font></span><font class="Apple-style-span" face="arial, helvetica, sans-serif">#leftid=kap</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="arial, helvetica, sans-serif"> </font></span><font class="Apple-style-span" face="arial, helvetica, sans-serif">right=10.168.65.1</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="arial, helvetica,
sans-serif"> </font></span><font class="Apple-style-span" face="arial, helvetica, sans-serif">#rightprotoport=icmp</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="arial, helvetica, sans-serif"> </font></span><font class="Apple-style-span" face="arial, helvetica, sans-serif">#rightid=cep</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="arial, helvetica, sans-serif"> </font></span><font class="Apple-style-span" face="arial, helvetica, sans-serif">auto=add</font></div><div style="font-family: arial, helvetica, sans-serif; "><br></div></div><div style="color: black; font-family: arial, helvetica, sans-serif; font-size: 12pt; "><br></div><div style="font-family: arial, helvetica, sans-serif; font-size: 13px; color: black; "><font size="2" face="Tahoma"><hr size="1"><b><span style="font-weight: bold;">From:</span></b> Andreas Steffen
<andreas.steffen@strongswan.org><br><b><span style="font-weight: bold;">To:</span></b> William Greene <wgreene9617@yahoo.com><br><b><span style="font-weight: bold;">Cc:</span></b> users@lists.strongswan.org<br><b><span style="font-weight: bold;">Sent:</span></b> Sat, November 13, 2010 12:44:15 PM<br><b><span style="font-weight: bold;">Subject:</span></b> Re: [strongSwan] No acceptable DIFFIE_HELLMAN_GROUP found<br></font><br>
Hello Bill,<br><br>it seems that the Mocana client wants to do Perfect Forward Secrecy<br>(PFS) in the CHILD_SA but strongSwan hasn't enabled PFS:<br><br>esp=aes256gcm16,aes128gcm16!<br><br>Try<br><br>esp=aes256gcm16-modp1024-modp2048,aes128gcm16-modp1024-modp2048!<br><br>Regards<br><br>Andreas<br><br>On 11/13/2010 04:16 PM, William Greene wrote:<br>><br>> I am perplexed. It looks to me like both sides could agree on a proposal<br>> but do not for some reason. I'm trying to set up an ipsec connection<br>> between strongSwan on CentOS Linux and a Mocana stack implementation on<br>> an embedded Linux device. I'm new to strongSwan and if anyone can<br>> provide some guidance or suggestions, I'd be mucho appreciative. I've<br>> attached some relevant information below.<br>><br>> Thanks in advance,<br>> Bill<br>><br>><br>> Nov 12 16:50:17 13[ENC] found payload of type TRAFFIC_SELECTOR_RESPONDER<br>> Nov 12 16:50:17
13[ENC] parsed CREATE_CHILD_SA request 13 [<br>> N(USE_TRANSP) SA No KE TSi TSr ]<br>> Nov 12 16:50:17 13[LIB] size of DH secret exponent: 1023 bits<br>> Nov 12 16:50:17 13[CFG] looking for a child config for<br>> 10.168.80.8/32[icmp] === 10.168.65.1/32[icmp]<br>> Nov 12 16:50:17 13[CFG] proposing traffic selectors for us:<br>> Nov 12 16:50:17 13[CFG] 10.168.80.8/32 (derived from dynamic)<br>> Nov 12 16:50:17 13[CFG] proposing traffic selectors for other:<br>> Nov 12 16:50:17 13[CFG] 10.168.65.1/32 (derived from dynamic)<br>> Nov 12 16:50:17 13[CFG] candidate "testipsec" with prio 1+1<br>> Nov 12 16:50:17 13[CFG] found matching child config "testipsec" with prio 2<br>> Nov 12 16:50:17 13[CFG] selecting proposal:<br>> Nov 12 16:50:17 13[CFG] no acceptable DIFFIE_HELLMAN_GROUP found<br>> Nov 12 16:50:17 13[CFG] selecting proposal:<br>> Nov 12 16:50:17 13[CFG] no acceptable DIFFIE_HELLMAN_GROUP found<br>> Nov 12
16:50:17 13[CFG] received proposals:<br>> ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/HMAC_SHA2_256_128/MODP_1024/MODP_768/MODP_1536/MODP_2048/MODP_NONE/NO_EXT_SEQ<br>> Nov 12 16:50:17 13[CFG] configured proposals:<br>> ESP:AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_GCM_16_128/NO_EXT_SEQ<br>> Nov 12 16:50:17 13[IKE] no acceptable proposal found<br>> Nov 12 16:50:17 13[ENC] added payload of type NOTIFY to message<br>> Nov 12 16:50:17 13[ENC] added payload of type NOTIFY to message<br>> Nov 12 16:50:17 13[ENC] generating CREATE_CHILD_SA response 13 [<br>> N(NO_PROP) ]<br>> Nov 12 16:50:17 13[ENC] insert payload NOTIFY to encryption payload<br>> Nov 12 16:50:17 13[ENC] generating payload of type HEADER<br>><br>><br>> [root@KAP8 etc]# ipsec statusall<br>> Status of IKEv2 charon daemon (strongSwan 4.5.0):<br>> uptime: 4 minutes, since Nov 12 16:48:36 2010<br>> malloc: sbrk 253952, mmap 0, used 175408, free
78544<br>> worker threads: 9 idle of 16, job queue load: 0, scheduled events: 2<br>> loaded plugins: aes des sha1 sha2 md5 random x509 revocation pubkey<br>> pkcs1 pgp pem openssl gcrypt fips-prf gmp xcbc hmac gcm attr<br>> kernel-netlink resolve socket-raw stroke updown<br>> Listening IP addresses:<br>> 10.168.80.8<br>> 2005:a8::21e:c9ff:feff:124<br>> 2004:a8::21e:c9ff:feff:124<br>> Connections:<br>> testipsec: 10.168.80.8...10.168.65.1<br>> testipsec: local: [10.168.80.8] uses pre-shared key authentication<br>> testipsec: remote: [10.168.65.1] uses any authentication<br>> testipsec: child: dynamic === dynamic<br>> Security Associations:<br>> testipsec[1]: ESTABLISHED 3 minutes ago,<br>> 10.168.80.8[10.168.80.8]...10.168.65.1[10.168.65.1]<br>> testipsec[1]: IKE SPIs: 94ffc82723b04b1b_i* 07df56bf80bfe16f_r,<br>> pre-shared key reauthentication in 52 minutes<br>> testipsec[1]: IKE proposal:
AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048<br>> [root@KAP8 etc]#<br>> [root@KAP8 etc]#<br>> [root@KAP8 etc]#<br>> [root@KAP8 etc]# ipsec listall<br>><br>> List of registered IKEv2 Algorithms:<br>><br>> encryption: AES_CBC 3DES_CBC DES_CBC DES_ECB CAMELLIA_CBC RC5_CBC<br>> IDEA_CBC CAST_CBC BLOWFISH_CBC NULL AES_CTR CAMELLIA_CTR SERPENT_CBC<br>> TWOFISH_CBC<br>> integrity: AES_XCBC_96 CAMELLIA_XCBC_96 HMAC_SHA1_96 HMAC_SHA1_128<br>> HMAC_SHA1_160 HMAC_SHA2_256_128 HMAC_SHA2_256_256 HMAC_MD5_96<br>> HMAC_MD5_128 HMAC_SHA2_384_192 HMAC_SHA2_384_384 HMAC_SHA2_512_256<br>> aead: AES_GCM_8 AES_GCM_12 AES_GCM_16<br>> hasher: HASH_SHA1 HASH_SHA224 HASH_SHA256 HASH_SHA384 HASH_SHA512<br>> HASH_MD5 HASH_MD2 HASH_MD4<br>> prf: PRF_KEYED_SHA1 PRF_FIPS_SHA1_160 PRF_AES128_XCBC<br>> PRF_CAMELLIA128_XCBC PRF_HMAC_SHA2_256 PRF_HMAC_SHA1 PRF_HMAC_MD5<br>> PRF_HMAC_SHA2_384 PRF_HMAC_SHA2_512<br>> dh-group:
MODP_2048 MODP_2048_224 MODP_2048_256 MODP_1536 ECP_256<br>> ECP_384 ECP_521 ECP_224 ECP_192 MODP_3072 MODP_4096 MODP_6144 MODP_8192<br>> MODP_1024 MODP_1024_160 MODP_768 MODP_CUSTOM<br>> [root@KAP8 etc]#<br>><br>><br>> [root@KAP8 etc]# cat ipsec.conf<br>> # ipsec.conf - strongSwan IPsec configuration file<br>><br>> # basic configuration<br>><br>> config setup<br>> # plutodebug=all<br>> # crlcheckinterval=600<br>> # strictcrlpolicy=yes<br>> # cachecrls=yes<br>> # nat_traversal=yes<br>> # charonstart=no<br>> plutostart=no<br>><br>> # Add connections here.<br>><br>> conn %default<br>> ikelifetime=60m<br>> keylife=20m<br>> rekeymargin=3m<br>> keyingtries=1<br>> mobike=no<br>> authby=secret<br>> keyexchange=ikev2<br>> #ike=aes256-sha256-ecp256,aes128-sha256-ecp256!<br>> esp=aes256gcm16,aes128gcm16!<br>><br>> conn testipsec<br>> type=transport<br>>
left=10.168.80.8<br>> #leftprotoport=icmp<br>> #leftid=kap<br>> right=10.168.65.1<br>> #rightprotoport=icmp<br>> #rightid=cep<br>> auto=add<br>> [root@KAP8 etc]#<br>><br>> [root@KAP8 etc]# ipsec version<br>> Linux strongSwan U4.5.0/K2.6.36-1<br>> Institute for Internet Technologies and Applications<br>> University of Applied Sciences Rapperswil, Switzerland<br>> See 'ipsec --copyright' for copyright information.<br>> [root@KAP8 etc]#<br>> [root@KAP8 etc]# openssl version<br>> OpenSSL 0.9.8n 24 Mar 2010<br>> [root@KAP8 etc]#<br><br>======================================================================<br>Andreas Steffen <a ymailto="mailto:andreas.steffen@strongswan.org" href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a><br>strongSwan - the Linux VPN Solution!
<a target="_blank" href="http://www.strongswan.org">www.strongswan.org</a><br>Institute for Internet Technologies and Applications<br>University of Applied Sciences Rapperswil<br>CH-8640 Rapperswil (Switzerland)<br>===========================================================[ITA-HSR]==<br></div></div><div style="position: fixed; color: black; font-family: arial, helvetica, sans-serif; font-size: 12pt; "></div>
</div><br>
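<div style="color: black; font-family: arial, helvetica, sans-serif; font-size: 12pt; ">Added example, not part of the original messages and not strongSwan's own code: a simplified Python model of per-transform-type ESP proposal matching, run on the "received proposals" and "configured proposals" lines from the quoted charon log, showing why the original esp= setting fails on the DH group while the suggested one selects a proposal. The matching rule, the CONFIGURED_AFTER string and all function names are assumptions made for illustration.</div>
<pre>
```python
"""Simplified model of ESP proposal matching (illustration only)."""

# Copied from the charon log quoted in this thread.
RECEIVED = ("ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/HMAC_SHA2_256_128/"
            "MODP_1024/MODP_768/MODP_1536/MODP_2048/MODP_NONE/NO_EXT_SEQ")
CONFIGURED_BEFORE = "ESP:AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_GCM_16_128/NO_EXT_SEQ"
# Constructed: the suggested esp= line written in the same log notation (assumption).
CONFIGURED_AFTER = ("ESP:AES_GCM_16_256/MODP_1024/MODP_2048/NO_EXT_SEQ, "
                    "ESP:AES_GCM_16_128/MODP_1024/MODP_2048/NO_EXT_SEQ")

AEAD_PREFIXES = ("AES_GCM_", "AES_CCM_")
TYPE_ORDER = ("ENCRYPTION_ALGORITHM", "INTEGRITY_ALGORITHM",
              "DIFFIE_HELLMAN_GROUP", "EXTENDED_SEQUENCE_NUMBERS")


def transform_type(token):
    """Classify one transform name as printed in the log."""
    if token.startswith(("MODP_", "ECP_")):
        return "DIFFIE_HELLMAN_GROUP"
    if token.startswith(("HMAC_", "AES_XCBC_")):
        return "INTEGRITY_ALGORITHM"
    if token in ("NO_EXT_SEQ", "EXT_SEQ"):
        return "EXTENDED_SEQUENCE_NUMBERS"
    return "ENCRYPTION_ALGORITHM"


def parse_proposals(text):
    """Parse 'ESP:A/B, ESP:C/D' into a list of {transform type: [names]} dicts."""
    proposals = []
    for item in text.split(","):
        protocol, _, transforms = item.strip().partition(":")
        if protocol != "ESP" or not transforms:
            raise ValueError("unexpected proposal syntax: %r" % item)
        by_type = {ttype: [] for ttype in TYPE_ORDER}
        for token in transforms.split("/"):
            by_type[transform_type(token)].append(token)
        proposals.append(by_type)
    return proposals


def select(configured, received):
    """Return (selection, reasons); selection is None when nothing matches.

    Model assumptions, chosen to reproduce the logged outcome:
    - configured proposals are tried in order, first common value wins;
    - integrity is skipped once an AEAD cipher has been chosen;
    - a transform type omitted on one side does not match an explicit
      list on the other side, even if that list contains MODP_NONE.
    """
    reasons = []
    for conf in parse_proposals(configured):
        for recv in parse_proposals(received):
            chosen, failed = {}, None
            for ttype in TYPE_ORDER:
                encr = chosen.get("ENCRYPTION_ALGORITHM", "")
                if ttype == "INTEGRITY_ALGORITHM" and encr.startswith(AEAD_PREFIXES):
                    continue
                common = [v for v in conf[ttype] if v in recv[ttype]]
                if common:
                    chosen[ttype] = common[0]
                elif conf[ttype] or recv[ttype]:
                    failed = ttype
                    break
            if failed is None:
                return chosen, reasons
            reasons.append("no acceptable %s found" % failed)
    return None, reasons


if __name__ == "__main__":
    for label, conf in (("before", CONFIGURED_BEFORE), ("after", CONFIGURED_AFTER)):
        selection, reasons = select(conf, RECEIVED)
        print(label, "selected:", selection, "rejections:", reasons)
```
</pre>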
</body></html>