<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=FR link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal>Hello,<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I am using the plugin load-tester with strongswan-4.6.4,
against a remote host.<o:p></o:p></p>
<p class=MsoNormal>The initiator host has the following configurations
(extracted from its <i>strongswan.conf</i> file) :<o:p></o:p></p>
<p class=MsoNormal>--------<o:p></o:p></p>
<p class=MsoNormal>initiators = 1<o:p></o:p></p>
<p class=MsoNormal>iterations = 1<o:p></o:p></p>
<p class=MsoNormal><b>proposal = aes256-sha1-modp2048,aes128-sha1-modp2048<o:p></o:p></b></p>
<p class=MsoNormal>--------<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>for the responder (extracted from its <i>ipsec.conf</i>
file) :<o:p></o:p></p>
<p class=MsoNormal>--------<o:p></o:p></p>
<p class=MsoNormal>conn %default<o:p></o:p></p>
<p class=MsoNormal> <b>ike=aes256-sha1-modp2048,aes128-sha1-modp2048</b><o:p></o:p></p>
<p class=MsoNormal>--------<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Both strongswan.conf and ipsec.conf files are attached.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>My problem deals with the IKE proposals. I have the
following error in the logs :<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>on the initiator host :<o:p></o:p></p>
<p class=MsoNormal>--------<o:p></o:p></p>
<p class=MsoNormal>Jun 22 15:03:27 vm-test-amd64-linux-squeeze-03.showroom.nss.thales
charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.4)<o:p></o:p></p>
<p class=MsoNormal>Jun 22 15:03:27
vm-test-amd64-linux-squeeze-03.showroom.nss.thales charon: 00[CFG] algorithm
'modp2048,aes128' not recognized<o:p></o:p></p>
<p class=MsoNormal>--------<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>on the responder host :<o:p></o:p></p>
<p class=MsoNormal>--------<o:p></o:p></p>
<p class=MsoNormal>Jun 22 11:42:50
vm-test-amd64-linux-squeeze-05.showroom.nss.thales charon: 13[CFG] received
proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_768<o:p></o:p></p>
<p class=MsoNormal>Jun 22 11:42:50
vm-test-amd64-linux-squeeze-05.showroom.nss.thales charon: 13[CFG] configured
proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192<o:p></o:p></p>
<p class=MsoNormal>Jun 22 11:42:50
vm-test-amd64-linux-squeeze-05.showroom.nss.thales charon: 13[IKE] received
proposals inacceptable<o:p></o:p></p>
<p class=MsoNormal>Jun 22 11:42:50
vm-test-amd64-linux-squeeze-05.showroom.nss.thales charon: 13[ENC] generating
IKE_SA_INIT response 0 [ N(NO_PROP) ]<o:p></o:p></p>
<p class=MsoNormal>--------<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I would want to know why the proposal
"aes256-sha1-modp2048,aes128-sha1-modp2048" are not recognized when
using the load-tester plugin.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>By the way, this proposal is accepted when I mount a simple
IPSec tunnel without the plugin load-tester :<o:p></o:p></p>
<p class=MsoNormal>--------<o:p></o:p></p>
<p class=MsoNormal>Security Associations (1 up, 0 connecting):<o:p></o:p></p>
<p class=MsoNormal> home[2]:
ESTABLISHED 7 seconds ago, 192.168.21.123[C=FR, O=Thales,
CN=vmtest03]...192.168.21.125[C=FR, O=Thales, CN=vmtest05]<o:p></o:p></p>
<p class=MsoNormal> home[2]: IKE
SPIs: a083061ad063edce_i* 74d4a4238fe4f0e9_r, public key reauthentication in 52
minutes<o:p></o:p></p>
<p class=MsoNormal> home[2]: <b>IKE
proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048</b><o:p></o:p></p>
<p class=MsoNormal> home{1}:
INSTALLED, TUNNEL, ESP SPIs: 01000000_i ced44884_o<o:p></o:p></p>
<p class=MsoNormal> home{1}: AES_CBC_128/HMAC_SHA1_96,
0 bytes_i (1830345s ago), 0 bytes_o (1830345s ago), rekeying in 16 minutes<o:p></o:p></p>
<p class=MsoNormal>
home{1}: 192.168.21.123/32 === 192.168.21.125/32<o:p></o:p></p>
<p class=MsoNormal>--------<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Regards,<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Stéphanie<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</body>
</html>