<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:arial, helvetica, sans-serif;font-size:12pt"><div style="color: black; font-family: arial, helvetica, sans-serif; font-size: 12pt; ">Andreas,</div><div style="color: black; font-family: arial, helvetica, sans-serif; font-size: 12pt; "><br></div><div style="color: black; font-family: arial, helvetica, sans-serif; font-size: 12pt; ">My apologies as my last email was incorrect. My test set up got blinkered some how and the error TS_UNACCEPTABLE was well... incorrect.</div><div style="color: black; font-family: arial, helvetica, sans-serif; font-size: 12pt; "><br></div><div style="color: black; font-family: arial, helvetica, sans-serif; font-size: 12pt; ">I have fixed my set up and I'm back to getting "received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built", but it is now getting farther. Your previous suggestion of using "<span
class="Apple-style-span" style="font-size: 13px; ">esp=aes256gcm16-modp1024-modp2048,aes128gcm16-modp1024-modp2048!</span>" solved my "<span class="Apple-style-span" style="font-size: 13px; ">no acceptable DIFFIE_HELLMAN_GROUP found</span>". But still the ipsec connect eludes me.</div><meta charset="utf-8"><div style="color: black; font-family: arial, helvetica, sans-serif; font-size: 12pt; "><br></div><div style="color: black; font-family: arial, helvetica, sans-serif; font-size: 12pt; ">On the mocana side I can see in the logs:</div><div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"><br></font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> I --></font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> Notify: USE_TRANSPORT_MODE</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> TSi:
10.168.65.1 icmp</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> TSr: 10.168.80.8 icmp</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> spi={1f4d8f80069c25cf 6cfe69d01046128a} np=E{N}</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> exchange=CREATE_CHILD_SA msgid=1 len=396</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">SEND 396 bytes to 10.168.80.8[500] (2229.766)</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"><br></font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">RECV 348 bytes from 10.168.80.8[500] at 10.168.65.1 (2229.794)</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> spi={1f4d8f80069c25cf 6cfe69d01046128a} np=E{N}</font></div><div><font class="Apple-style-span"
face="arial, helvetica, sans-serif"> exchange=CREATE_CHILD_SA msgid=1 len=348</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> I <--</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> Notify: USE_TRANSPORT_MODE</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> Proposal #1: ESP[3] spi=ca883928</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> ENCR_AES_GCM_16 256-BITS</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> DH_2</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> ESN_0</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif"> <b>AUTH_ALG missing</b></font></div><div><font
class="Apple-style-span" face="arial, helvetica, sans-serif"> CHILD_SA failed [v2 I], status = -8961</font></div></div><div style="color: black; font-family: arial, helvetica, sans-serif; font-size: 12pt; "><br></div><div style="color: black; font-family: arial, helvetica, sans-serif; font-size: 12pt; "><br></div><div style="color: black; font-family: arial, helvetica, sans-serif; font-size: 12pt; ">The mocana side is configured for gcm and sha256. I've tried inserting "-sha256" to the esp line in Strongswan's ipsec.conf file and restarting ipsec. No luck as sha265 never shows up in the proposals. I've tried setting both sides to use sha1, but have the same negative result. The log from the StrongSwan side:</div><meta charset="utf-8"><div style="color: black; font-family: arial, helvetica, sans-serif; font-size: 12pt; "><br></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">Nov 15 13:48:18
05[CFG] received proposals: ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/HMAC_SHA1_96/MODP_1024/MODP_768/MODP_1536/MODP_2048/MODP_NONE/NO_EXT_SEQ</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">Nov 15 13:48:18 05[CFG] configured proposals: ESP:AES_GCM_16_256/MODP_1024/MODP_2048/NO_EXT_SEQ</font></div><div><font class="Apple-style-span" face="arial, helvetica, sans-serif">Nov 15 13:48:18 05[CFG] selected proposal: ESP:AES_GCM_16_256/MODP_1024/NO_EXT_SEQ</font></div><div style="color: black; font-family: arial, helvetica, sans-serif; font-size: 12pt; "> </div><div style="color: black; font-family: arial, helvetica, sans-serif; font-size: 12pt; ">If I set the mocana side for gcm and any, the ipsec connection comes up fine and dandy. So obviously I must be misconfiguring the StrongSwan side? How do I specify in the ipsec.conf file for the connection to use some version of sha, preferably
sha256?</div><div style="color: black; font-family: arial, helvetica, sans-serif; font-size: 12pt; "><br></div><div style="color: black; font-family: arial, helvetica, sans-serif; font-size: 12pt; "><br></div><div style="color: black; font-family: arial, helvetica, sans-serif; font-size: 12pt; ">Thanks again for all your help and patience,</div><div style="color: black; font-family: arial, helvetica, sans-serif; font-size: 12pt; ">Bill</div><div style="color: black; font-family: arial, helvetica, sans-serif; font-size: 12pt; "><br></div><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: black; "><br><div style="font-family:arial, helvetica, sans-serif;font-size:13px"><font size="2" face="Tahoma"><hr size="1"><b><span style="font-weight: bold;">From:</span></b> Andreas Steffen <andreas.steffen@strongswan.org><br><b><span style="font-weight: bold;">To:</span></b> William Greene <wgreene9617@yahoo.com><br><b><span
style="font-weight: bold;">Cc:</span></b> users@lists.strongswan.org<br><b><span style="font-weight: bold;">Sent:</span></b> Mon, November 15, 2010 11:12:58 AM<br><b><span style="font-weight: bold;">Subject:</span></b> Re: [strongSwan] No acceptable DIFFIE_HELLMAN_GROUP found<br></font><br>
Hello Bill,<br><br>it seems that Mocana doesn't like the traffic selectors:<br><br> Notify: USE_TRANSPORT_MODE<br> TSi: 10.168.80.8<br> TSr: 10.168.65.1<br><br>Does Mocana support IPsec Transport Mode at all?<br>Try if type=tunnel works!<br><br>Regards<br><br>Andreas<br><br>On 11/15/2010 04:01 PM, William Greene wrote:<br>><br>> Thank you Andreas for your quick reply. Your suggestion did do something<br>> as I'm getting a different error now: TS_UNACCEPTABLE. I've been unable<br>> to glean anything so far from the mailing list concerning this error and<br>> a host to host setup such as mine. I'm including some more log information.<br>><br>> Thanks again in advance for comments or suggestions anyone may have.<br>><br>><br>><br>> [root@KAP8 etc]# ipsec up testipsec<br>> initiating IKE_SA testipsec[3] to 10.168.65.1<br>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) ]<br>> sending packet: from 10.168.80.8[500] to 10.168.65.1[500]<br>> received packet: from 10.168.65.1[500] to 10.168.80.8[500]<br>> parsed IKE_SA_INIT response 0 [ N(COOKIE) ]<br>> initiating IKE_SA testipsec[3] to 10.168.65.1<br>> generating IKE_SA_INIT request 0 [ N(COOKIE) SA KE No N(NATD_S_IP)<br>> N(NATD_D_IP) ]<br>> sending packet: from 10.168.80.8[500] to 10.168.65.1[500]<br>> received packet: from 10.168.65.1[500] to 10.168.80.8[500]<br>> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]<br>> received cert request for unknown ca with keyid<br>> 00:00:00:00:00:00:00:02:00:14:00:00:10:04:d9:b8:10:04:d9:b8<br>> authentication of '10.168.80.8' (myself) with pre-shared key<br>> establishing CHILD_SA testipsec<br>> generating IKE_AUTH request 1 [ IDi IDr AUTH N(USE_TRANSP) SA TSi TSr<br>> N(EAP_ONLY) ]<br>> sending packet: from 10.168.80.8[500] to
10.168.65.1[500]<br>> received packet: from 10.168.65.1[500] to 10.168.80.8[500]<br>> parsed IKE_AUTH response 1 [ IDr AUTH N(TS_UNACCEPT) ]<br>> authentication of '10.168.65.1' with pre-shared key successful<br>> IKE_SA testipsec[3] established between<br>> 10.168.80.8[10.168.80.8]...10.168.65.1[10.168.65.1]<br>> scheduling reauthentication in 3315s<br>> maximum IKE_SA lifetime 3495s<br>> received TS_UNACCEPTABLE notify, no CHILD_SA built<br>> [root@KAP8 etc]#<br>><br>><br>> From Mocana log:<br>><br>> RECV 832 bytes from 10.168.80.8[500] at 10.168.65.1 (7376.217)<br>> spi={8562d7f0575052dd 0000000000000000} np=SA<br>> exchange=IKE_SA_INIT msgid=0 len=832<br>> <-- R<br>> Notify: COOKIE<br>> SEND 56 bytes to 10.168.80.8[500] (7376.226)<br>><br>> RECV 860 bytes from 10.168.80.8[500] at 10.168.65.1 (7376.257)<br>> spi={8562d7f0575052dd 0000000000000000} np=N<br>>
exchange=IKE_SA_INIT msgid=0 len=860<br>> --> R<br>> Notify: COOKIE<br>> Proposal #1: IKE[4]<br>> ENCR_AES 128-BITS<br>> AUTH_HMAC_SHA1_96<br>> PRF_HMAC_SHA1<br>> DH_14<br>><br>> ==> ../Log/kern.log <==<br>> Nov 15 14:40:40 cep kernel: 0:ipsec_ioctl[638]: 0:cmd = 0x3eb, value =<br>> 0x040432000:<br>><br>> ==> ../Log/nanosec-ike.log <==<br>> Notify: NAT_DETECTION_SOURCE_IP<br>> Notify: NAT_DETECTION_DESTINATION_IP<br>> SKEYSEED (20 bytes): 88aa0565daa02dff1febbbc10db446c589d3b0cb<br>> SK_d (20 bytes): 26d9261618cce7954e12fc0dce541570b9bbb918<br>> SK_ai (20 bytes): b86be01177a21425d8fc201a906af39f4f440ebf<br>> SK_ar (20 bytes): 0c439701fa8c24baa96702135e1a440df477066d<br>> SK_ei (16 bytes): a776670d396e0c025b53f22600bbd3a1<br>> SK_er (16 bytes): ac5e03572862a9b79fae695b5f908186<br>> SK_pi (20 bytes): 65f4333cfbf0dbff972b45f08cc67ff2dd0e1f9b<br>> SK_pr (20 bytes):
11d33c98f572ee0e700ddf72252dda67cd86913e<br>> <-- R<br>> NAT_D (us): 6c 9e 3c b8 79 6a a9 3e a5 51 9b 39 f6 96 0f fa<br>> 35 01 c5 53<br>> NAT_D (peer): d5 55 de cb 72 4c d6 42 b3 55 31 b1 af e6 b5 17<br>> 3e ea aa ec<br>> SEND 441 bytes to 10.168.80.8[500] (7379.93)<br>><br>> RECV 252 bytes from 10.168.80.8[500] at 10.168.65.1 (7379.128)<br>> spi={8562d7f0575052dd 382c78998f61cd73} np=E{IDi}<br>> exchange=IKE_AUTH msgid=1 len=252<br>> --> R<br>> Notify: USE_TRANSPORT_MODE<br>> TSi: 10.168.80.8<br>> TSr: 10.168.65.1<br>> Notify: 16417<br>> prf(SK_pi,IDi') (20 bytes): 45ed7f17efa2d727ac3f0416ccd83493977c8676<br>> prf(SS,"*") (20 bytes): 6a3dc0ae9834bef9e35ebac3ac23f02f78c5f93b<br>> AUTH_i 91 19 66 53 b1 0e 98 5d 00 9b 56 c3 60 43 ba ff<br>> 99 79 d1 ff<br>> Proposal #1: ESP[2] spi=c9b5ce4d<br>> ENCR_AES_GCM_16 256-BITS<br>> ESN_0<br>> <-- R<br>> prf(SK_pr,IDr') (20 bytes):
d1d6c3d9ee6e3273d0d4ab9580a7e2e0935840c6<br>> prf(SS,"*") (20 bytes): 6a3dc0ae9834bef9e35ebac3ac23f02f78c5f93b<br>> AUTH_r f6 a0 7c e5 dd 18 4b be c9 dc 06 de c7 c7 41 2d<br>> da 22 88 bc<br>> Notify: TS_UNACCEPTABLE (ESP spi=c9b5ce4d)<br>> SEND 124 bytes to 10.168.80.8[500] (7379.182)<br>> IKE_SA Created [v2 R](id=0xbd946a9e)<br>> CHILD_SA failed [v2 R], status = -8855<br>><br>><br>><br>> [root@KAP8 etc]# cat ipsec.conf<br>> # ipsec.conf - strongSwan IPsec configuration file<br>><br>> # basic configuration<br>><br>> config setup<br>> # plutodebug=all<br>> # crlcheckinterval=600<br>> # strictcrlpolicy=yes<br>> # cachecrls=yes<br>> # nat_traversal=yes<br>> # charonstart=no<br>> plutostart=no<br>><br>> # Add connections here.<br>><br>> conn %default<br>> ikelifetime=60m<br>> keylife=20m<br>> rekeymargin=3m<br>> keyingtries=1<br>> mobike=no<br>>
authby=secret<br>> keyexchange=ikev2<br>> #ike=aes256-sha256-ecp256,aes128-sha256-ecp256!<br>> #esp=aes256gcm16,aes128gcm16!<br>> esp=aes256gcm16-modp1024-modp2048,aes128gcm16-modp1024-modp2048!<br>><br>> conn testipsec<br>> type=transport<br>> left=10.168.80.8<br>> #leftprotoport=icmp<br>> #leftid=kap<br>> right=10.168.65.1<br>> #rightprotoport=icmp<br>> #rightid=cep<br>> auto=add<br><br>======================================================================<br>Andreas Steffen <a ymailto="mailto:andreas.steffen@strongswan.org" href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a><br>strongSwan - the Linux VPN Solution! <a target="_blank" href="http://www.strongswan.org">www.strongswan.org</a><br>Institute for Internet Technologies and
Applications<br>University of Applied Sciences Rapperswil<br>CH-8640 Rapperswil (Switzerland)<br>===========================================================[ITA-HSR]==<br></div></div><div style="position: fixed; color: black; font-family: arial, helvetica, sans-serif; font-size: 12pt; "></div>
</div><br>
</body></html>