Hi Team,<br>I hope AH mode in strongSwan is supported for IKEv1. I tried to form a tunnel<br>using AH mode with IKEv1, but strongSwan was expecting an ESP proposal even though I configured<br>auth=ah. If AH mode is supported for IKEv1, please correct me if there is any syntax error in<br>
the below configuration file which makes things not work.<br><br><b>ipsec.conf</b><br>
____________<br># basic configuration<br>ca vpnca<br> cacert=ca1Cert.pem<br> #crluri=crl.pem<br> auto=add<br><br>config setup<br> plutostart=yes<br> plutodebug=all<br> charonstart=yes<br>
charondebug=all<br> nat_traversal=yes<br> crlcheckinterval=10m<br> strictcrlpolicy=no<br><br>conn %default<br> ikelifetime=1h<br> keylife=2h<br> keyingtries=1<br><br>
conn fqdn_vr<br> auth=ah<br> type=transport<br> keyexchange=ikev1<br> left=172.31.114.227<br> right=%any<br> rightid=172.31.114.211<br> pfs=no<br> rekey=no<br> auto=add<br><br><b>logs</b><br>_____<br>
May 28 18:48:07 uxcasxxx pluto[32284]: | ******parse ISAKMP IPsec DOI attribute:<br>May 28 18:48:07 uxcasxxx pluto[32284]: | af+type: ENCAPSULATION_MODE<br>May 28 18:48:07 uxcasxxx pluto[32284]: | length/value: 1<br>
May 28 18:48:07 uxcasxxx pluto[32284]: | [1 is ENCAPSULATION_MODE_TUNNEL]<br>May 28 18:48:07 uxcasxxx pluto[32284]: | ******parse ISAKMP IPsec DOI attribute:<br>May 28 18:48:07 uxcasxxx pluto[32284]: | af+type: AUTH_ALGORITHM<br>
May 28 18:48:07 uxcasxxx pluto[32284]: | length/value: 2<br>May 28 18:48:07 uxcasxxx pluto[32284]: | [2 is HMAC_SHA1]<br><b><span style="color:rgb(255,0,0)">May 28 18:48:07 uxcasxxx pluto[32284]: | policy for "fqdn_vr" requires encryption but ESP not in Proposal from 172.31.114.211<br>
May 28 18:48:07 uxcasxxx pluto[32284]: "fqdn_vr"[1] 172.31.114.211 #2: no acceptable Proposal in IPsec SA<br>May 28 18:48:07 uxcasxxx pluto[32284]: "fqdn_vr"[1] 172.31.114.211 #2: sending encrypted notification </span></b>NO_PROPOSAL_CHOSEN to 172.31.114.211:500<br>
May 28 18:48:07 uxcasxxx pluto[32284]: | **emit ISAKMP Message:<br>May 28 18:48:07 uxcasxxx pluto[32284]: | initiator cookie:<br>May 28 18:48:07 uxcasxxx pluto[32284]: | 39 e8 20 f0 36 bb c5 63<br>May 28 18:48:07 uxcasxxx pluto[32284]: | responder cookie:<br>
May 28 18:48:07 uxcasxxx pluto[32284]: | 1b 60 45 9a ac b4 b9 d9<br>May 28 18:48:07 uxcasxxx pluto[32284]: | next payload type: ISAKMP_NEXT_HASH<br>May 28 18:48:07 uxcasxxx pluto[32284]: | ISAKMP version: ISAKMP Version 1.0<br>
May 28 18:48:07 uxcasxxx pluto[32284]: | exchange type: ISAKMP_XCHG_INFO<br>May 28 18:48:07 uxcasxxx pluto[32284]: | flags: ISAKMP_FLAG_ENCRYPTION<br>May 28 18:48:07 uxcasxxx pluto[32284]: | message ID: 4a 6d 47 56<br>
May 28 18:48:07 uxcasxxx pluto[32284]: | ***emit ISAKMP Hash Payload:<br>May 28 18:48:07 uxcasxxx pluto[32284]: | next payload type: ISAKMP_NEXT_N<br>May 28 18:48:07 uxcasxxx pluto[32284]: | emitting 20 zero bytes of HASH into ISAKMP Hash Payload<br>
May 28 18:48:07 uxcasxxx pluto[32284]: | emitting length of ISAKMP Hash Payload: 24<br>May 28 18:48:07 uxcasxxx pluto[32284]: | ***emit ISAKMP Notification Payload:<br>May 28 18:48:07 uxcasxxx pluto[32284]: | next payload type: ISAKMP_NEXT_NONE<br>
May 28 18:48:07 uxcasxxx pluto[32284]: | DOI: ISAKMP_DOI_IPSEC<br>May 28 18:48:07 uxcasxxx pluto[32284]: | protocol ID: 1<br>May 28 18:48:07 uxcasxxx pluto[32284]: | SPI size: 0<br>May 28 18:48:07 uxcasxxx pluto[32284]: | Notify Message Type: NO_PROPOSAL_CHOSEN<br>
May 28 18:48:07 uxcasxxx pluto[32284]: | emitting 0 raw bytes of spi into ISAKMP Notification Payload<br>May 28 18:48:07 uxcasxxx pluto[32284]: | spi<br>May 28 18:48:07 uxcasxxx pluto[32284]: | emitting length of ISAKMP Notification Payload: 12<br>
<br><br>Regards,<br>Saravanan N<br><br>