<div dir="ltr">Worked perfectly with<div><div>  ike=aes256-sha1-modp1024!</div><div>  esp=aes256-sha1-modp2048!</div></div><div>I'm sorry I missed that, sorry for wasting your time.</div></div><br><div class="gmail_quote"><div dir="ltr">On Mon, Feb 20, 2017 at 9:01 AM Noel Kuntze <<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="gmail_msg">The remote side probably uses PFS.<br class="gmail_msg">
Either set the correct DH group that corresponds to the configuration of the remote side or disable PFS there.<br class="gmail_msg">
<br class="gmail_msg">
aes256-sha1 != aes256-sha1-modp2048</div><div class="gmail_msg"><br class="gmail_msg"><br class="gmail_msg"><div class="gmail_quote gmail_msg">Am 19. Februar 2017 16:31:08 MEZ schrieb Andrei-Florian Staicu <<a href="mailto:andrei.staicu@gmail.com" class="gmail_msg" target="_blank">andrei.staicu@gmail.com</a>>:<blockquote class="gmail_quote gmail_msg" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr" class="gmail_msg"><div class="gmail_msg">Hi,</div><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg">I have a site-to-site tunnel to a private classic Azure.</div><div class="gmail_msg">It starts and works perfectly but, after approx 43 minutes (I think it's the child rekeying interval), it starts looping like this:</div><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg">08[KNL] creating rekey job for CHILD_SA ESP/0x066cf00c/<remote></div><div class="gmail_msg">06[IKE] establishing CHILD_SA CONNECTION{1}</div><div class="gmail_msg">06[IKE] establishing CHILD_SA CONNECTION{1}</div><div class="gmail_msg">06[ENC] generating CREATE_CHILD_SA request 0 [ N(REKEY_SA) SA No TSi TSr ]</div><div class="gmail_msg">06[NET] sending packet: from <local>[4500] to <remote>[4500] (220 bytes)</div><div class="gmail_msg">14[NET] received packet: from <remote>[4500] to <local>[4500] (76 bytes)</div><div class="gmail_msg">14[ENC] parsed CREATE_CHILD_SA response 0 [ N(NO_PROP) ]</div><div class="gmail_msg">14[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built</div><div class="gmail_msg">14[IKE] failed to establish CHILD_SA, keeping IKE_SA</div><div class="gmail_msg">14[IKE] CHILD_SA rekeying failed, trying again in 30 seconds</div><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg">strongswan statusall:</div><div class="gmail_msg">Status of IKE charon daemon (strongSwan 5.4.0, Linux 3.10.0-514.2.2.el7.x86_64, x86_64):</div><div class="gmail_msg">  uptime: 57 minutes, since Feb 19 16:17:21 2017</div><div class="gmail_msg">  malloc: sbrk 2703360, mmap 0, used 522128, free 2181232</div><div class="gmail_msg">  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5</div><div class="gmail_msg">  loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp 
xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp</div><div class="gmail_msg">Listening IP addresses:</div><div class="gmail_msg">  <local></div><div class="gmail_msg">Connections:</div><div class="gmail_msg">CONNECTION:  <local>...<remote>  IKEv2, dpddelay=30s</div><div class="gmail_msg">CONNECTION:   local:  [<local>] uses pre-shared key authentication</div><div class="gmail_msg">CONNECTION:   remote: [<remote>] uses pre-shared key authentication</div><div class="gmail_msg">CONNECTION:   child:  <a href="http://0.0.0.0/0" class="gmail_msg" target="_blank">0.0.0.0/0</a> === <a href="http://10.254.254.0/29" class="gmail_msg" target="_blank">10.254.254.0/29</a> <a href="http://10.200.0.0/16" class="gmail_msg" target="_blank">10.200.0.0/16</a> TUNNEL, dpdaction=restart</div><div class="gmail_msg">Security Associations (1 up, 0 connecting):</div><div class="gmail_msg">CONNECTION[2]: ESTABLISHED 57 minutes ago, <local>[<local>]...<remote>[<remote>]</div><div class="gmail_msg">CONNECTION[2]: IKEv2 SPIs: 01e5013ada90fe24_i 0fa0482414130fad_r*, rekeying in 6 hours</div><div class="gmail_msg">CONNECTION[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024</div><div class="gmail_msg">CONNECTION{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c62f2d74_i 066cf00c_o</div><div class="gmail_msg">CONNECTION{2}:  AES_CBC_256/HMAC_SHA1_96, 37046 bytes_i (739 pkts, 2s ago), 36233 bytes_o (741 pkts, 420s ago), rekeying active</div><div class="gmail_msg">CONNECTION{2}:   <a href="http://0.0.0.0/0" class="gmail_msg" target="_blank">0.0.0.0/0</a> === <a href="http://10.200.0.0/16" class="gmail_msg" target="_blank">10.200.0.0/16</a> <a href="http://10.254.254.0/29" class="gmail_msg" target="_blank">10.254.254.0/29</a></div><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg"><br 
class="gmail_msg"></div><div class="gmail_msg">Any idea why it would be doing that, even though the initial connection succeeds?</div><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg">Thanks. </div><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg">ipsec.conf:</div><div class="gmail_msg">config setup</div><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg">conn CONNECTION</div><div class="gmail_msg">  closeaction=restart</div><div class="gmail_msg">  dpdaction=restart</div><div class="gmail_msg">  ike=aes256-sha1-modp1024!</div><div class="gmail_msg">  esp=aes256-sha1!</div><div class="gmail_msg">  reauth=no</div><div class="gmail_msg">  keyexchange=ikev2</div><div class="gmail_msg">  ikelifetime=28800s</div><div class="gmail_msg">  keylife=3600s</div><div class="gmail_msg">  keyingtries=%forever</div><div class="gmail_msg">  authby=secret</div><div class="gmail_msg">  type=tunnel</div><div class="gmail_msg">  forceencaps=yes</div><div class="gmail_msg">  left=<local></div><div class="gmail_msg">  leftid=<local></div><div class="gmail_msg">  leftsubnet=<a href="http://0.0.0.0/0" class="gmail_msg" target="_blank">0.0.0.0/0</a></div><div class="gmail_msg">  right=<remote></div><div class="gmail_msg">  rightid=<remote></div><div class="gmail_msg">  rightsubnet=<a href="http://10.254.254.0/29,10.200.0.0/16" class="gmail_msg" target="_blank">10.254.254.0/29,10.200.0.0/16</a></div><div class="gmail_msg">  auto=start</div></div><div dir="ltr" class="gmail_msg">-- <br class="gmail_msg"></div><div data-smartmail="gmail_signature" class="gmail_msg"><div dir="ltr" class="gmail_msg">Beware of programmers who carry screwdrivers.<br class="gmail_msg"></div></div>
</blockquote></div></div></blockquote></div><div dir="ltr">-- <br></div><div data-smartmail="gmail_signature"><div dir="ltr">Beware of programmers who carry screwdrivers.<br></div></div>
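<p>The reason the tunnel comes up and then fails only at the first CHILD_SA rekey, as an added example that is not part of the thread: the first CHILD_SA is negotiated inside IKE_AUTH without a key exchange, so DH groups are not compared, while a rekey runs in CREATE_CHILD_SA, where the peer's PFS group must match. The model below assumes the Azure side requires modp2048, as the working esp= line implies; the parser covers only the subset of strongSwan proposal syntax seen here.</p>

```python
import re

# Subset of strongSwan ike=/esp= keyword classes (assumption: enough for
# the proposal strings used in this thread, not the full syntax).
DH_RE = re.compile(r"^(modp\d+|ecp\d+|curve25519|x25519|x448)$")
PRF_RE = re.compile(r"^prf")


def parse_proposals(spec):
    """Split an ipsec.conf value such as 'aes256-sha1-modp2048!' into
    (strict, [proposal, ...]); each proposal has enc/integ/prf/dh keys."""
    strict = spec.endswith("!")
    props = []
    for prop in spec.rstrip("!").split(","):
        tokens = prop.split("-")
        p = {"enc": tokens[0], "integ": None, "prf": None, "dh": None}
        for tok in tokens[1:]:
            if DH_RE.match(tok):
                p["dh"] = tok          # PFS group for CREATE_CHILD_SA
            elif PRF_RE.match(tok):
                p["prf"] = tok
            else:
                p["integ"] = tok
        props.append(p)
    return strict, props


def child_sa_matches(local_esp, remote_esp, initial):
    """Model IKEv2 CHILD_SA selection: in IKE_AUTH (initial=True) no KE
    payload is sent, so only cipher/integrity must agree; on rekey
    (initial=False) the DH group must also match, modelled as a strict
    equality including 'no group' on both sides."""
    _, local = parse_proposals(local_esp)
    _, remote = parse_proposals(remote_esp)
    for l in local:
        for r in remote:
            if (l["enc"], l["integ"]) != (r["enc"], r["integ"]):
                continue
            if initial or l["dh"] == r["dh"]:
                return True
    return False


def diagnose(local_esp, remote_esp):
    """Classify the symptom a mismatched esp= line would produce."""
    if not child_sa_matches(local_esp, remote_esp, initial=True):
        return "no CHILD_SA at all: cipher/integrity mismatch"
    if not child_sa_matches(local_esp, remote_esp, initial=False):
        return "initial CHILD_SA ok, rekey fails: PFS group mismatch"
    return "ok"
```

Running diagnose("aes256-sha1!", "aes256-sha1-modp2048!") reproduces the thread's symptom, and adding modp2048 to the local esp= line clears it.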