<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hello Tobias,<div class=""><br class=""></div><div class="">Thank you for details.</div><div class="">I’ve already tased with </div><div class=""><br class=""></div><div class="">esp=aes256-sha1!</div><div class="">esp=aes128-sha1! </div><div class="">esp=3des-md5! </div><div class=""><br class=""></div><div class="">No luck. Requested logs and configs from ASA by</div><div class=""><br class=""></div><div class=""><div class="gmail_default" style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 12.8px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(255, 255, 255);"><div class="gmail_default"><b class="">debug crypto ikev1 127 </b></div><div class="gmail_default"><b class="">debug crypto ipsec 127 </b></div></div><div class="gmail_default" style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(255, 255, 255); font-size: small;"><br class=""></div><div class="gmail_default" style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 12.8px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(255, 255, 255);"><b class="">show crypto ipsec sa</b></div></div><div class=""><br class=""></div><div class="">Thank you,</div><div class=""><div class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 16px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;"><br class=""></div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 16px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;">Andrii Petrenko</div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 16px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;"><a href="mailto:aplsms@gmail.com" class="">aplsms@gmail.com</a><span class="Apple-tab-span" style="white-space: pre;"> </span></div></div>
</div>
<div><br class=""><blockquote type="cite" class=""><div class="">On Mar 20, 2018, at 12:45 AM, Tobias Brunner <<a href="mailto:tobias@strongswan.org" class="">tobias@strongswan.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">Hi Andrii,<br class=""><br class="">ike-scan won't help you here as it only reports on Phase 1 (IKE SA), but<br class="">your problem is during Phase 2 (Quick Mode, IPsec SA).<br class=""><br class=""><blockquote type="cite" class="">Remote side is not supporting pfs.<br class=""><br class="">IKE Phase One Parameters:<span class="Apple-tab-span" style="white-space:pre"> </span><br class="">Encryption Algorithm: <span class="Apple-tab-span" style="white-space:pre"> </span>AES 256<br class="">Hash Algorithm: <span class="Apple-tab-span" style="white-space:pre"> </span>SHA<br class="">Authentication Method:<span class="Apple-tab-span" style="white-space:pre"> </span>Pre-shared key<br class="">Key Exchange:<span class="Apple-tab-span" style="white-space:pre"> </span>Diffie Hellman Group 5<br class="">IKE SA Lifetime: <span class="Apple-tab-span" style="white-space:pre"> </span>86400 (Cisco default)<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span><br class="">IKE Phase Two Parameters (IPSEC):<span class="Apple-tab-span" style="white-space:pre"> </span><br class="">Authentication:<span class="Apple-tab-span" style="white-space:pre"> </span>ESP with SHA-HMAC<br class="">Encryption Algorithm: <span class="Apple-tab-span" style="white-space:pre"> </span>ESP-AES 256<br class="">SA Establishment: <span class="Apple-tab-span" style="white-space:pre"> </span>ipsec-isakmp (IKE negotiated)<br class="">IPSEC Mode<span class="Apple-tab-span" style="white-space:pre"> </span>Tunnel (Cisco default)<br class="">IPSEC SA Lifetime (time)<span class="Apple-tab-span" style="white-space:pre"> </span>3600 seconds<br class="">IPSEC SA Lifetime (volume) <span class="Apple-tab-span" style="white-space:pre"> </span>4608000 kilobytes<br class="">PFS (Perfect Forward Secrecy)<span class="Apple-tab-span" style="white-space:pre"> </span>No<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span><br class="">Optional encryption if requirements differ from above:<span class="Apple-tab-span" style="white-space:pre"> </span><br class="">esp-3des esp-md5-hmac<span class="Apple-tab-span" style="white-space:pre"> </span><br class="">esp-aes 256 esp-sha-hmac<span class="Apple-tab-span" style="white-space:pre"> </span><br class="">esp-aes 128 esp-sha-hmac<span class="Apple-tab-span" style="white-space:pre"> </span><br class=""><br class="">This information I have from remote side. <br class=""></blockquote><br class="">Looks like esp=aes256-sha1! should be correct then. You could also try<br class="">esp=aes128-sha1! or esp=3des-md5! (not recommended though). And if this<br class="">doesn't work, ask the remote admins for the correct settings (they<br class="">should see in the log why the proposal was rejected).<br class=""><br class=""><blockquote type="cite" class="">Is it possible to se what offer remote side?<br class=""></blockquote><br class="">No (unless you do what ike-scan does i.e. try a number of possible<br class="">combinations).<br class=""><br class="">Regards,<br class="">Tobias<br class=""></div></div></blockquote></div><br class=""></div></body></html>