<div dir="ltr">Both peers should use identical cipher algorithms.<div>The former message you got shows that your local peer uses aes128-sha256-modp2048 but the remote peer is configured to use 3des-sha1-modp1024.</div><div>The latter one shows your local peer doesn't support for 3des, maybe caused by lack of some libraries. By the way, 3des is an outdated encryption algorithm.</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Jan 9, 2016 at 8:32 PM, CJ Fearnley <span dir="ltr"><<a href="mailto:cjf@linuxforce.net" target="_blank">cjf@linuxforce.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I added those two lines to the conn %default section. Then I ran "ipsec<br>
restart". There failure messages have changed slightly:<br>
<br>
Jan 9 07:23:18 cw1 ipsec[19452]: 12[IKE] 67.151.55.146 is initiating a Main Mode IKE_SA<br>
Jan 9 07:23:18 cw1 ipsec[19452]: 12[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA<br>
1/MODP_1024<br>
Jan 9 07:23:18 cw1 ipsec[19452]: 12[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PR<br>
F_HMAC_SHA2_256/MODP_2048<br>
Jan 9 07:23:18 cw1 ipsec[19452]: 12[IKE] no proposal found<br>
Jan 9 07:23:18 cw1 ipsec[19452]: 12[ENC] generating INFORMATIONAL_V1 request 1836105202 [ N(NO_PROP<br>
) ]<br>
<br>
So I tried<br>
ike = 3des-sha1-modp1024!<br>
esp = 3des-sha1-modp1024!<br>
<br>
But now I run into this:<br>
<br>
Jan 9 07:29:28 cw1 ipsec[19697]: 13[IKE] 67.151.55.146 is initiating a Main Mode IKE_SA<br>
Jan 9 07:29:29 cw1 charon: 15[NET] received packet: from 67.151.55.146[500] to 216.130.102.66[500] (200 bytes)<br>
Jan 9 07:29:29 cw1 charon: 15[ENC] parsed ID_PROT request 0 [ KE No V ]<br>
Jan 9 07:29:29 cw1 charon: 15[ENC] received unknown vendor ID: 70:03:cb:c1:09:7d:be:9c:26:00:ba:69:83:bc:8b:35<br>
Jan 9 07:29:29 cw1 charon: 15[IKE] sending cert request for "C=US, [redacted ...]"<br>
Jan 9 07:29:29 cw1 charon: 15[IKE] ENCRYPTION_ALGORITHM 3DES_CBC (key size 0) not supported!<br>
Jan 9 07:29:29 cw1 charon: 15[IKE] key derivation for RSA signature failed<br>
Jan 9 07:29:29 cw1 charon: 15[ENC] generating INFORMATIONAL_V1 request 1044526370 [ HASH N(INVAL_KE) ]<br>
<br>
And I'm stuck again.<br>
<div class="HOEnZb"><div class="h5"><br>
On Sat, Jan 09, 2016 at 02:15:51PM +0800, Rayson Zhu wrote:<br>
> Hi, try specifying IKE & ESP cipher suits explicitly for all peers. For<br>
> example<br>
> ike = aes128-sha256-modp2048!<br>
> esp = aes128-sha256-modp2048!<br>
><br>
> On Sat, Jan 9, 2016 at 2:04 PM, CJ Fearnley <<a href="mailto:cjf@linuxforce.net">cjf@linuxforce.net</a>> wrote:<br>
><br>
> > Well, my upgrade from strongswan 4.4.1-5.7 to 5.2.1-6+deb8u1 (Debian<br>
> > Squeeze to Jessie on new hardware) is not going well. No connections<br>
> > have re-established.<br>
> ><br>
> > I'm using the same ipsec.conf that worked on 4.4.1-5.7. See the referenced<br>
> > e-mail from Dec 9th when I asked about the upgrade process.<br>
> ><br>
> > Each client is generating this pattern in the logs over and over:<br>
> ><br>
> > Jan 9 01:01:07 cw1 charon: 06[IKE] 67.151.55.146 is initiating a Main<br>
> > Mode IKE_SA<br>
> > Jan 9 01:01:07 cw1 charon: 06[CFG] received proposals:<br>
> > IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br>
> > Jan 9 01:01:07 cw1 charon: 06[CFG] configured proposals:<br>
> > IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,<br>
> > IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,<br>
> > IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160<br>
> > Jan 9 01:01:07 cw1 charon: 06[IKE] no proposal found<br>
> > Jan 9 01:01:07 cw1 charon: 06[ENC] generating INFORMATIONAL_V1 request<br>
> > 3117715548 [ N(NO_PROP) ]<br>
> ><br>
> > I have double checked that I copied from backups the contents of<br>
> > /etc/ipsec.d/cacerts<br>
> > /etc/ipsec.d/certs<br>
> > /etc/ipsec.d/private<br>
> ><br>
> > Do I need to add some encryption plugins? Or can I simply specify using<br>
> > the ike= configuration option for the actual algorithm used by the<br>
> > Netgears FVG318?<br>
> ><br>
> > I tried adding the sha1 hmac xcbc and x509 modules to the load = line<br>
> > in /etc/strongswan.d/charon.conf. No go.<br>
> ><br>
> > The output of<br>
> > $ sudo ipsec version<br>
> > Linux strongSwan U5.2.1/K3.16.0-4-amd64<br>
> > Institute for Internet Technologies and Applications<br>
> > University of Applied Sciences Rapperswil, Switzerland<br>
> > See 'ipsec --copyright' for copyright information.<br>
> ><br>
> > On Wed, Dec 09, 2015 at 08:12:42PM -0500, CJ Fearnley wrote:<br>
> > > I have a working strongswan system running the Debian package at version<br>
> > > 4.4.1-5.7 (Squeeze oldoldstable). In a week or so, I'll be replacing<br>
> > > the box with a fresh install of Debian running 5.2.1-6+deb8u1 (Jessie).<br>
> > ><br>
> > > I have two questions:<br>
> > ><br>
> > > 1. Have any config options changed in strongswan that I need to study?<br>
> > ><br>
> > > 2. Are there any issues with strongswan in connecting with a Netgear<br>
> > > FVG318 of various vintages. All of our clients connect with this<br>
> > > model of Netgear which is the only thing we've been able to get<br>
> > > working with certificates.<br>
> > ><br>
> > > Here is a cleaned up version of /etc/ipsec.conf:<br>
> > ><br>
> > > config setup<br>
> > > charonstart=yes<br>
> > > plutostart=yes<br>
> > > virtual_private=%v4:<br>
> > <a href="http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.101.0/24" rel="noreferrer" target="_blank">10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.101.0/24</a><br>
> > > uniqueids=no<br>
> > ><br>
> > > conn %default<br>
> > > mobike=no<br>
> > > keyexchange=ikev1<br>
> > > left=xxx.xxx.xxx.xx<br>
> > > leftsubnet=192.168.xxx.0/24<br>
> > > auto=add<br>
> > ><br>
> > > conn someplace<br>
> > > rightsubnet=192.168.yyy.0/24<br>
> > > right=%any<br>
> > > leftid="C=US, ST=ST, L=Some City, O=Some Company, CN=<br>
> > <a href="http://something.example.com" rel="noreferrer" target="_blank">something.example.com</a>, E=<a href="mailto:some@example.com">some@example.com</a>"<br>
> > > leftcert=something.crt<br>
> > > leftsendcert=always<br>
> > ><br>
> > > plus a half-dozen others of similar nature.<br>
> > ><br>
> > > All of the systems that connect to this are various vintages of the<br>
> > > Netgear FVG318.<br>
> > ><br>
> > > Are there any known compatibility issues with strongswan 5.2.1 and the<br>
> > > Netgear FVG318?<br>
> > ><br>
> > > Have there been any relevant changes to the syntax of ipsec.conf since<br>
> > > 4.4.1 and 5.2.1-6+deb8u1?<br>
> > ><br>
> > > Any general strongswan relevant advice for planning such an upgrade?<br>
> ><br>
> > --<br>
> > CJ Fearnley | LinuxForce Inc.<br>
> > cjf@LinuxForce.net | IT Projects & Systems Maintenance<br>
> > <a href="http://www.LinuxForce.net" rel="noreferrer" target="_blank">http://www.LinuxForce.net</a> | <a href="http://blog.remoteresponder.net" rel="noreferrer" target="_blank">http://blog.remoteresponder.net</a><br>
> > _______________________________________________<br>
> > Users mailing list<br>
> > <a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br>
> > <a href="https://lists.strongswan.org/mailman/listinfo/users" rel="noreferrer" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br>
> ><br>
<br>
--<br>
CJ Fearnley | LinuxForce Inc.<br>
cjf@LinuxForce.net | IT Projects & Systems Maintenance<br>
<a href="http://www.LinuxForce.net" rel="noreferrer" target="_blank">http://www.LinuxForce.net</a> | <a href="http://blog.remoteresponder.net" rel="noreferrer" target="_blank">http://blog.remoteresponder.net</a><br>
</div></div></blockquote></div><br></div>