[strongSwan] No acceptable DIFFIE_HELLMAN_GROUP found
William Greene
wgreene9617 at yahoo.com
Mon Nov 15 22:13:58 CET 2010
That is quite definitive. :-) And I'm not crazy. We will go back and address
our mocana implementation.
Thank you very much for your help.
Bill
________________________________
From: Andreas Steffen <andreas.steffen at strongswan.org>
To: William Greene <wgreene9617 at yahoo.com>
Cc: users at lists.strongswan.org
Sent: Mon, November 15, 2010 2:56:18 PM
Subject: Re: [strongSwan] No acceptable DIFFIE_HELLMAN_GROUP found
Hi Bill,
the error message on the Mocana side is:
AUTH_ALG missing
Section 8 "IKEv2 Algorithm Selection" of RFC 5282
http://tools.ietf.org/html/rfc5282#section-8
explicitly states:
This document updates [RFC4306] to
require that when an authenticated encryption algorithm is selected
as the encryption algorithm for any SA (IKE or ESP), an integrity
algorithm MUST NOT be selected for that SA.
Thus Mocana probably does not implement RFC 5282 correctly by
expecting an authentication algorithm.
Kind regards
Andreas
On 11/15/2010 08:09 PM, William Greene wrote:
> Andreas,
>
> My apologies as my last email was incorrect. My test set up got
> blinkered some how and the error TS_UNACCEPTABLE was well... incorrect.
>
> I have fixed my set up and I'm back to getting "received
> NO_PROPOSAL_CHOSEN notify, no CHILD_SA built", but it is now getting
> farther. Your previous suggestion of using
> "esp=aes256gcm16-modp1024-modp2048,aes128gcm16-modp1024-modp2048!"
> solved my "no acceptable DIFFIE_HELLMAN_GROUP found". But still the
> ipsec connect eludes me.
>
> On the mocana side I can see in the logs:
>
> I -->
> Notify: USE_TRANSPORT_MODE
> TSi: 10.168.65.1 icmp
> TSr: 10.168.80.8 icmp
> spi={1f4d8f80069c25cf 6cfe69d01046128a} np=E{N}
> exchange=CREATE_CHILD_SA msgid=1 len=396
> SEND 396 bytes to 10.168.80.8[500] (2229.766)
>
> RECV 348 bytes from 10.168.80.8[500] at 10.168.65.1 (2229.794)
> spi={1f4d8f80069c25cf 6cfe69d01046128a} np=E{N}
> exchange=CREATE_CHILD_SA msgid=1 len=348
> I <--
> Notify: USE_TRANSPORT_MODE
> Proposal #1: ESP[3] spi=ca883928
> ENCR_AES_GCM_16 256-BITS
> DH_2
> ESN_0
> *AUTH_ALG missing*
> CHILD_SA failed [v2 I], status = -8961
>
>
> The mocana side is configured for gcm and sha256. I've tried inserting
> "-sha256" to the esp line in Strongswan's ipsec.conf file and restarting
> ipsec. No luck as sha265 never shows up in the proposals. I've tried
> setting both sides to use sha1, but have the same negative result. The
> log from the StrongSwan side:
>
> Nov 15 13:48:18 05[CFG] received proposals:
>ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/HMAC_SHA1_96/MODP_1024/MODP_768/MODP_1536/MODP_2048/MODP_NONE/NO_EXT_SEQ
>Q
> Nov 15 13:48:18 05[CFG] configured proposals:
> ESP:AES_GCM_16_256/MODP_1024/MODP_2048/NO_EXT_SEQ
> Nov 15 13:48:18 05[CFG] selected proposal:
> ESP:AES_GCM_16_256/MODP_1024/NO_EXT_SEQ
>
> If I set the mocana side for gcm and any, the ipsec connection comes up
> fine and dandy. So obviously I must be misconfiguring the StrongSwan
> side? How do I specify in the ipsec.conf file for the connection to use
> some version of sha, preferably sha256?
>
>
> Thanks again for all your help and patience,
> Bill
>
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20101115/2bbfec2d/attachment.html>
More information about the Users
mailing list