[strongSwan] strongswan with mikrotik

Andreas Steffen andreas.steffen at strongswan.org
Tue Jul 27 12:50:38 CEST 2010


Setting

  ike=3des-md5-modp1024

means that strongSwan as an initiator is proposing only the md5
hash to the mikrotik box and therefore fails but as a responder
strongSwan accepts any supported algorithm and therefore succeeds.
In order to avoid such asymmetries I propose to set the strict
flag '!' as in

  ike=3des-sha1-modp1024!

so that strongSwan as initiator proposes SHA-1 and as a responder
accepts SHA-1 only.

Regards

Andreas

On 27.07.2010 12:44, zux wrote:
> yeah, that did it. thanks. but I still don't get what the catch was?
> probably because I don't completely understand how to translate how they
> name options on mikrotik and how they are named in strongswan
> 
> On 07/27/2010 12:49 PM, Andreas Steffen wrote:
>> And if you set
>>
>> ike=3des-sha1-modp1024
>> esp=3des-md5
>>
>> Regards
>>
>> Andreas
>>
>> On 27.07.2010 10:34, zux wrote:
>>   
>>> Hello,
>>> I'm new to strongswan and ipsec and I'm having problems with configuring
>>> strongswan to work with a mikrotik router. The strange thing is that
>>> mikrotik is able to initiate the connection and everything works then,
>>> but strongswan cannot initiate the connection. The problem is that if
>>> the strongswan box is rebooted, the connection is not reestablished
>>> until I reset it from the mikrotik side. The configuration on the
>>> mikrotik is the same as others that work well between other mikrotik
>>> boxes. Besides, I have changed the lifetime on mikrotik from 1 day to
>>> one hour, and then if I reboot strongswan, the connection is established
>>> after that hour (or less, if the connection was up for some time).
>>> I'm sorry if this problem has nothing to do with strongswan, but maybe
>>> someone can give some useful tips.
>>>
>>> The error on Mikrotik, when strongswan tries to connect is this:
>>>
>>> Recieved ISAKMP packet from<strongswan IP>, phase 1, Identity Protection
>>> responding phase 1, starting mode Identity Protection (local<mikrotik
>>> IP>:500)(remote<strongswan IP>)
>>> no acceptable proposal found (remote unknown)
>>> failed to process packet
>>>
>>> This is the mikrotik configuration:
>>>
>>> Ipsec Policy:
>>>       Src. Address: 192.168.1.0/24
>>>       Dst. Address: 192.168.156.0/24
>>>       Action: encrypt
>>>       Level: require
>>>       IPsec Protocols: esp
>>>       Tunnel = yes
>>>       SA Src. Address:<mikrotik IP>
>>>       SA Dst. Address:<strongswan IP>
>>>       Proposal: pleskava
>>>       Manual SA: None
>>>
>>> IPsec Peer:
>>>       Address:<strongswan IP>
>>>       Port: 500
>>>       Secret:<password>
>>>       Exchange Mode: main
>>>       Send initial Contact = yes
>>>       Proposal Check: obey
>>>       Hash Algoritm: sha
>>>       Encrypt Algorithm: 3des
>>>       DH Group: modp1024
>>>       Generate policy = yes
>>>       Lifetime: 1d 00:00:00
>>>
>>> Ipsec Proposal:
>>>       Name: pleskava
>>>       Auth. Algorithms: md5
>>>       Encr. Algorithms: 3des
>>>       Lifetime: 01:00:00
>>>       PFS Goup: none
>>>
>>>
>>> and this is the strongswan configuration:
>>> root at kristaps:~# cat /etc/ipsec.conf
>>> # ipsec.conf - strongSwan IPsec configuration file
>>>
>>> # basic configuration
>>>
>>> config setup
>>>       interfaces="ipsec0=eth0"
>>>       klipsdebug=none
>>>       plutodebug=all
>>>       uniqueids=yes
>>>
>>> conn %default
>>>       keyingtries=0
>>>       authby=rsasig
>>>
>>> conn riga
>>>       left=<strongswan IP>
>>>       leftsubnet=192.168.156.0/24
>>>       right=<mikrotik IP>
>>>       rightsubnet=192.168.1.0/24
>>>       keyexchange=ike
>>>       authby=secret
>>>       auth=esp
>>>       ike=3des-md5-modp1024
>>>       esp=3des-md5-modp1024
>>>       pfs=no
>>>       type=tunnel
>>>       auto=start
>>>
>>>
>>> root at kristaps:~# cat /etc/ipsec.secrets
>>> <strongswan IP>  <mikrotik IP>  : PSK "password"
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.strongswan.org
>>> https://lists.strongswan.org/mailman/listinfo/users

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
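As an added illustration of the initiator/responder asymmetry Andreas describes at the top of this message (example code added to this archive page; it is not strongSwan's negotiation code and not part of the thread): the toy model below parses an ike= value into its enc-integ-dh proposals plus the optional strict flag '!', and compares what happens when strongSwan initiates versus responds against the Mikrotik peer settings quoted above. The set of "supported" algorithms and the Mikrotik-to-strongSwan name mapping (Mikrotik "sha" taken as strongSwan "sha1") are assumptions made for the example.

```python
"""Toy model of the strongSwan ike= proposal behaviour described in the thread.

Added example: this is NOT strongSwan's real negotiation code. It models one
ike= line as comma-separated proposals of the form enc-integ-dh with an
optional trailing '!' (strict flag). Without '!', the responder accepts any
supported algorithm; with '!', initiator and responder are both limited to
the configured list.
"""
from dataclasses import dataclass

# Algorithms the toy model treats as "supported" (constructed set; the real
# list depends on the strongSwan build and loaded plugins).
SUPPORTED = {
    "enc": {"3des", "aes128", "aes256"},
    "integ": {"md5", "sha1", "sha256"},
    "dh": {"modp1024", "modp1536", "modp2048"},
}

# Mikrotik's UI uses different names than strongSwan; this mapping is an
# assumption derived from the thread (Mikrotik "sha" <-> strongSwan "sha1").
MIKROTIK_TO_STRONGSWAN = {
    "3des": "3des", "md5": "md5", "sha": "sha1", "modp1024": "modp1024",
}


@dataclass(frozen=True)
class Proposal:
    enc: str
    integ: str
    dh: str

    def algorithms(self):
        return (("enc", self.enc), ("integ", self.integ), ("dh", self.dh))


def parse_ike(ike):
    """Parse an ike= value into (list of Proposal, strict flag)."""
    ike = ike.strip()
    strict = ike.endswith("!")
    if strict:
        ike = ike[:-1]
    proposals = []
    for item in ike.split(","):
        parts = item.strip().split("-")
        if len(parts) != 3:
            raise ValueError(f"expected enc-integ-dh, got {item!r}")
        proposal = Proposal(*parts)
        for kind, alg in proposal.algorithms():
            if alg not in SUPPORTED[kind]:
                raise ValueError(f"unsupported {kind} algorithm {alg!r}")
        proposals.append(proposal)
    return proposals, strict


def mikrotik_peer(encrypt, hash_alg, dh_group):
    """Translate a Mikrotik IPsec Peer's settings into strongSwan naming."""
    return Proposal(MIKROTIK_TO_STRONGSWAN[encrypt],
                    MIKROTIK_TO_STRONGSWAN[hash_alg],
                    MIKROTIK_TO_STRONGSWAN[dh_group])


def as_initiator(ike, peer):
    """strongSwan initiates: the peer accepts only if one of our proposals
    matches the algorithms it is configured with."""
    proposals, _ = parse_ike(ike)
    return peer in proposals


def as_responder(ike, peer):
    """strongSwan responds: with '!' only configured proposals are accepted,
    otherwise any supported algorithm combination is."""
    proposals, strict = parse_ike(ike)
    if strict:
        return peer in proposals
    return all(alg in SUPPORTED[kind] for kind, alg in peer.algorithms())


def symmetric(ike, peer):
    """True when initiating and responding give the same outcome."""
    return as_initiator(ike, peer) == as_responder(ike, peer)


if __name__ == "__main__":
    # Constructed from the Mikrotik "IPsec Peer" settings quoted in the thread.
    peer = mikrotik_peer("3des", "sha", "modp1024")
    for ike in ("3des-md5-modp1024", "3des-sha1-modp1024", "3des-sha1-modp1024!"):
        print(f"{ike:22} initiator={as_initiator(ike, peer)!s:5} "
              f"responder={as_responder(ike, peer)!s:5} "
              f"symmetric={symmetric(ike, peer)}")
```

Running the block reproduces the thread: with ike=3des-md5-modp1024 the initiator case fails while the responder case succeeds, and with the strict flag both agree. The model also shows the other side of the non-strict responder behaviour: without '!', a responder configured for sha1 still accepts a peer offering md5, so the strict flag is what actually pins the negotiated algorithms to the ones the administrator intended.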