[strongSwan] No acceptable DIFFIE_HELLMAN_GROUP found
William Greene
wgreene9617 at yahoo.com
Sat Nov 13 16:16:57 CET 2010
I am perplexed. It looks to me like both sides could agree on a proposal but do
not for some reason. I'm trying to set up an ipsec connection between
StrongSwan on CentOS linux and a Mocana stack implementation on an embedded
Linux device. I'm new to StrongSwan and if anyone can provide some guidance or
suggestions, I'd be mucho appreciative. I've attached some relevant information
below.
Thanks in advance,
Bill
Nov 12 16:50:17 13[ENC] found payload of type TRAFFIC_SELECTOR_RESPONDER
Nov 12 16:50:17 13[ENC] parsed CREATE_CHILD_SA request 13 [ N(USE_TRANSP) SA No
KE TSi TSr ]
Nov 12 16:50:17 13[LIB] size of DH secret exponent: 1023 bits
Nov 12 16:50:17 13[CFG] looking for a child config for 10.168.80.8/32[icmp] ===
10.168.65.1/32[icmp]
Nov 12 16:50:17 13[CFG] proposing traffic selectors for us:
Nov 12 16:50:17 13[CFG] 10.168.80.8/32 (derived from dynamic)
Nov 12 16:50:17 13[CFG] proposing traffic selectors for other:
Nov 12 16:50:17 13[CFG] 10.168.65.1/32 (derived from dynamic)
Nov 12 16:50:17 13[CFG] candidate "testipsec" with prio 1+1
Nov 12 16:50:17 13[CFG] found matching child config "testipsec" with prio 2
Nov 12 16:50:17 13[CFG] selecting proposal:
Nov 12 16:50:17 13[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
Nov 12 16:50:17 13[CFG] selecting proposal:
Nov 12 16:50:17 13[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
Nov 12 16:50:17 13[CFG] received proposals:
ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/HMAC_SHA2_256_128/MODP_1024/MODP_768/MODP_1536/MODP_2048/MODP_NONE/NO_EXT_SEQ
Nov 12 16:50:17 13[CFG] configured proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ,
ESP:AES_GCM_16_128/NO_EXT_SEQ
Nov 12 16:50:17 13[IKE] no acceptable proposal found
Nov 12 16:50:17 13[ENC] added payload of type NOTIFY to message
Nov 12 16:50:17 13[ENC] added payload of type NOTIFY to message
Nov 12 16:50:17 13[ENC] generating CREATE_CHILD_SA response 13 [ N(NO_PROP) ]
Nov 12 16:50:17 13[ENC] insert payload NOTIFY to encryption payload
Nov 12 16:50:17 13[ENC] generating payload of type HEADER
[root at KAP8 etc]# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.5.0):
uptime: 4 minutes, since Nov 12 16:48:36 2010
malloc: sbrk 253952, mmap 0, used 175408, free 78544
worker threads: 9 idle of 16, job queue load: 0, scheduled events: 2
loaded plugins: aes des sha1 sha2 md5 random x509 revocation pubkey pkcs1 pgp
pem openssl gcrypt fips-prf gmp xcbc hmac gcm attr kernel-netlink resolve
socket-raw stroke updown
Listening IP addresses:
10.168.80.8
2005:a8::21e:c9ff:feff:124
2004:a8::21e:c9ff:feff:124
Connections:
testipsec: 10.168.80.8...10.168.65.1
testipsec: local: [10.168.80.8] uses pre-shared key authentication
testipsec: remote: [10.168.65.1] uses any authentication
testipsec: child: dynamic === dynamic
Security Associations:
testipsec[1]: ESTABLISHED 3 minutes ago,
10.168.80.8[10.168.80.8]...10.168.65.1[10.168.65.1]
testipsec[1]: IKE SPIs: 94ffc82723b04b1b_i* 07df56bf80bfe16f_r, pre-shared
key reauthentication in 52 minutes
testipsec[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
[root at KAP8 etc]#
[root at KAP8 etc]#
[root at KAP8 etc]#
[root at KAP8 etc]# ipsec listall
List of registered IKEv2 Algorithms:
encryption: AES_CBC 3DES_CBC DES_CBC DES_ECB CAMELLIA_CBC RC5_CBC IDEA_CBC
CAST_CBC BLOWFISH_CBC NULL AES_CTR CAMELLIA_CTR SERPENT_CBC TWOFISH_CBC
integrity: AES_XCBC_96 CAMELLIA_XCBC_96 HMAC_SHA1_96 HMAC_SHA1_128
HMAC_SHA1_160 HMAC_SHA2_256_128 HMAC_SHA2_256_256 HMAC_MD5_96 HMAC_MD5_128
HMAC_SHA2_384_192 HMAC_SHA2_384_384 HMAC_SHA2_512_256
aead: AES_GCM_8 AES_GCM_12 AES_GCM_16
hasher: HASH_SHA1 HASH_SHA224 HASH_SHA256 HASH_SHA384 HASH_SHA512 HASH_MD5
HASH_MD2 HASH_MD4
prf: PRF_KEYED_SHA1 PRF_FIPS_SHA1_160 PRF_AES128_XCBC
PRF_CAMELLIA128_XCBC PRF_HMAC_SHA2_256 PRF_HMAC_SHA1 PRF_HMAC_MD5
PRF_HMAC_SHA2_384 PRF_HMAC_SHA2_512
dh-group: MODP_2048 MODP_2048_224 MODP_2048_256 MODP_1536 ECP_256 ECP_384
ECP_521 ECP_224 ECP_192 MODP_3072 MODP_4096 MODP_6144 MODP_8192 MODP_1024
MODP_1024_160 MODP_768 MODP_CUSTOM
[root at KAP8 etc]#
[root at KAP8 etc]# cat ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
# plutodebug=all
# crlcheckinterval=600
# strictcrlpolicy=yes
# cachecrls=yes
# nat_traversal=yes
# charonstart=no
plutostart=no
# Add connections here.
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
mobike=no
authby=secret
keyexchange=ikev2
#ike=aes256-sha256-ecp256,aes128-sha256-ecp256!
esp=aes256gcm16,aes128gcm16!
conn testipsec
type=transport
left=10.168.80.8
#leftprotoport=icmp
#leftid=kap
right=10.168.65.1
#rightprotoport=icmp
#rightid=cep
auto=add
[root at KAP8 etc]#
[root at KAP8 etc]# ipsec version
Linux strongSwan U4.5.0/K2.6.36-1
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
[root at KAP8 etc]#
[root at KAP8 etc]# openssl version
OpenSSL 0.9.8n 24 Mar 2010
[root at KAP8 etc]#
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20101113/41ad31c8/attachment.html>
More information about the Users
mailing list