[strongSwan] No acceptable DIFFIE_HELLMAN_GROUP found

William Greene wgreene9617 at yahoo.com
Sat Nov 13 16:07:24 CET 2010



I am perplexed.  It looks to me like both sides could agree on a proposal but do 
not for some reason.  I'm trying to set up an ipsec connection between 
StrongSwan on CentOS linux and a Mocana stack implementation on an embedded 
Linux device.  I'm new to StrongSwan and if anyone can provide some guidance or 
suggestions, I'd be mucho appreciative.  I've attached some relevant information 
below.

Thanks in advance,
Bill



Nov 12 16:50:17 13[ENC] found payload of type TRAFFIC_SELECTOR_RESPONDER
Nov 12 16:50:17 13[ENC] parsed CREATE_CHILD_SA request 13 [ N(USE_TRANSP) SA No KE TSi TSr ]
Nov 12 16:50:17 13[LIB] size of DH secret exponent: 1023 bits
Nov 12 16:50:17 13[CFG] looking for a child config for 10.168.80.8/32[icmp] === 10.168.65.1/32[icmp]
Nov 12 16:50:17 13[CFG] proposing traffic selectors for us:
Nov 12 16:50:17 13[CFG]  10.168.80.8/32 (derived from dynamic)
Nov 12 16:50:17 13[CFG] proposing traffic selectors for other:
Nov 12 16:50:17 13[CFG]  10.168.65.1/32 (derived from dynamic)
Nov 12 16:50:17 13[CFG]   candidate "testipsec" with prio 1+1
Nov 12 16:50:17 13[CFG] found matching child config "testipsec" with prio 2
Nov 12 16:50:17 13[CFG] selecting proposal:
Nov 12 16:50:17 13[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Nov 12 16:50:17 13[CFG] selecting proposal:
Nov 12 16:50:17 13[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Nov 12 16:50:17 13[CFG] received proposals: ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/HMAC_SHA2_256_128/MODP_1024/MODP_768/MODP_1536/MODP_2048/MODP_NONE/NO_EXT_SEQ
Nov 12 16:50:17 13[CFG] configured proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_GCM_16_128/NO_EXT_SEQ
Nov 12 16:50:17 13[IKE] no acceptable proposal found
Nov 12 16:50:17 13[ENC] added payload of type NOTIFY to message
Nov 12 16:50:17 13[ENC] added payload of type NOTIFY to message
Nov 12 16:50:17 13[ENC] generating CREATE_CHILD_SA response 13 [ N(NO_PROP) ]
Nov 12 16:50:17 13[ENC] insert payload NOTIFY to encryption payload
Nov 12 16:50:17 13[ENC] generating payload of type HEADER


[root@KAP8 etc]# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.5.0):
  uptime: 4 minutes, since Nov 12 16:48:36 2010
  malloc: sbrk 253952, mmap 0, used 175408, free 78544
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 2
  loaded plugins: aes des sha1 sha2 md5 random x509 revocation pubkey pkcs1 pgp pem openssl gcrypt fips-prf gmp xcbc hmac gcm attr kernel-netlink resolve socket-raw stroke updown
Listening IP addresses:
  10.168.80.8
  2005:a8::21e:c9ff:feff:124
  2004:a8::21e:c9ff:feff:124
Connections:
   testipsec:  10.168.80.8...10.168.65.1
   testipsec:   local:  [10.168.80.8] uses pre-shared key authentication
   testipsec:   remote: [10.168.65.1] uses any authentication
   testipsec:   child:  dynamic === dynamic 
Security Associations:
   testipsec[1]: ESTABLISHED 3 minutes ago, 10.168.80.8[10.168.80.8]...10.168.65.1[10.168.65.1]
   testipsec[1]: IKE SPIs: 94ffc82723b04b1b_i* 07df56bf80bfe16f_r, pre-shared key reauthentication in 52 minutes
   testipsec[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
[root@KAP8 etc]#
[root@KAP8 etc]#
[root@KAP8 etc]#
[root@KAP8 etc]# ipsec listall

List of registered IKEv2 Algorithms:

  encryption: AES_CBC 3DES_CBC DES_CBC DES_ECB CAMELLIA_CBC RC5_CBC IDEA_CBC CAST_CBC BLOWFISH_CBC NULL AES_CTR CAMELLIA_CTR SERPENT_CBC TWOFISH_CBC
  integrity:  AES_XCBC_96 CAMELLIA_XCBC_96 HMAC_SHA1_96 HMAC_SHA1_128 HMAC_SHA1_160 HMAC_SHA2_256_128 HMAC_SHA2_256_256 HMAC_MD5_96 HMAC_MD5_128 HMAC_SHA2_384_192 HMAC_SHA2_384_384 HMAC_SHA2_512_256
  aead:       AES_GCM_8 AES_GCM_12 AES_GCM_16
  hasher:     HASH_SHA1 HASH_SHA224 HASH_SHA256 HASH_SHA384 HASH_SHA512 HASH_MD5 HASH_MD2 HASH_MD4
  prf:        PRF_KEYED_SHA1 PRF_FIPS_SHA1_160 PRF_AES128_XCBC PRF_CAMELLIA128_XCBC PRF_HMAC_SHA2_256 PRF_HMAC_SHA1 PRF_HMAC_MD5 PRF_HMAC_SHA2_384 PRF_HMAC_SHA2_512
  dh-group:   MODP_2048 MODP_2048_224 MODP_2048_256 MODP_1536 ECP_256 ECP_384 ECP_521 ECP_224 ECP_192 MODP_3072 MODP_4096 MODP_6144 MODP_8192 MODP_1024 MODP_1024_160 MODP_768 MODP_CUSTOM
[root@KAP8 etc]#


[root@KAP8 etc]# cat ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        # nat_traversal=yes
        # charonstart=no
        plutostart=no

# Add connections here.

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        mobike=no
        authby=secret
        keyexchange=ikev2
        #ike=aes256-sha256-ecp256,aes128-sha256-ecp256!
        esp=aes256gcm16,aes128gcm16!

conn testipsec
        type=transport
        left=10.168.80.8
        #leftprotoport=icmp
        #leftid=kap
        right=10.168.65.1
        #rightprotoport=icmp
        #rightid=cep
        auto=add


[root@KAP8 etc]#



[root@KAP8 etc]# ipsec version
Linux strongSwan U4.5.0/K2.6.36-1
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
[root@KAP8 etc]#
[root@KAP8 etc]# openssl version
OpenSSL 0.9.8n 24 Mar 2010
[root@KAP8 etc]#
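
Added example (not part of the original message and not strongSwan code): a small script that lines up the "received proposals" and "configured proposals" log lines from the post and shows, per transform type, what the two sides have in common. It compares sets only and does not reproduce charon's selection logic; the name-based classification in transform_type() is an assumption of this example.

```python
import re

# Two [CFG] lines copied from the log above, with the mail line wraps undone.
LOG = """\
Nov 12 16:50:17 13[CFG] received proposals: ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/HMAC_SHA2_256_128/MODP_1024/MODP_768/MODP_1536/MODP_2048/MODP_NONE/NO_EXT_SEQ
Nov 12 16:50:17 13[CFG] configured proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_GCM_16_128/NO_EXT_SEQ
"""

TYPES = ("encryption", "integrity", "dh-group", "esn")

def transform_type(name):
    """Classify a transform by its name (an assumption of this example,
    modelled on the groupings printed by `ipsec listall`)."""
    if name.startswith(("MODP_", "ECP_")):
        return "dh-group"
    if name.endswith("EXT_SEQ"):
        return "esn"
    if name.startswith("HMAC_") or "_XCBC_" in name:
        return "integrity"
    return "encryption"  # plain ciphers and AEAD such as AES_GCM_16_128

def parse_proposals(text):
    """'ESP:A/B, ESP:C/D' -> one {type: set(names)} dict per proposal."""
    proposals = []
    for item in text.split(","):
        _proto, _, transforms = item.strip().partition(":")
        by_type = {t: set() for t in TYPES}
        for name in filter(None, transforms.split("/")):
            by_type[transform_type(name)].add(name)
        proposals.append(by_type)
    return proposals

def extract(log):
    """Return (received, configured) proposal lists from charon [CFG] lines."""
    found = {"received": [], "configured": []}
    pattern = r"\[CFG\] (received|configured) proposals:\s*(.+)"
    for side, text in re.findall(pattern, log):
        found[side] = parse_proposals(text)
    return found["received"], found["configured"]

def compare(received, configured):
    """Per received/configured pair and per type:
    (common, only_received, only_configured), each a sorted list."""
    return [{t: (sorted(r[t] & c[t]), sorted(r[t] - c[t]), sorted(c[t] - r[t]))
             for t in TYPES}
            for r in received for c in configured]

if __name__ == "__main__":
    for i, pair in enumerate(compare(*extract(LOG))):
        for t in TYPES:
            print(i, t, *pair[t])
```

On the two lines from the post, each pair shares one AES-GCM transform and NO_EXT_SEQ, while the DH groups and HMAC_SHA2_256_128 appear only in the received proposal.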



      