[strongSwan] Microsoft Azure Virtual Network?

Martin Willi martin at strongswan.org
Fri Aug 3 11:14:01 CEST 2012


Hi John,

> > 10[CFG] <2> looking for pre-shared key peer configs matching 192.168.199.10...168.63.60.212[10.4.1.4]
> > 10[IKE] <2> no peer config found
> 
> Is this an artifact of the charon / pluto merge in strongSwan 5?  Or is
> "keyexchange=ikev2" not sufficient to cause IKEv2 to be used?

The keyexchange parameter is connection specific, so your connection
will use IKEv2.

Your peer, however, seems to initiate with IKEv1. You don't have a
matching connection for IKEv1, hence the negotiation fails with "no peer
config found".

> IKE Phase I Parameters:
>      Mode: Main mode
>      Encryption: AES128 or 3DES
>      Integrity: SHA1
>      Diffie-Hellman group: Group 2 (1024 bit)
>      Authentication Method: Pre-shared key
>      Security Association Lifetime: 28800 seconds

The Phase 1 proposal is what we define with the "ike" keyword:

  ike=aes128-sha1-modp1024!
  leftauth=psk
  rightauth=psk

> IKE Phase II Parameters:
>      Mode: ESP tunnel mode
>      Encryption: AES128 or 3DES
>      Integrity: SHA1
>      Perfect Forward Secrecy: OFF
>      Diffie-Hellman group: Group 2 (1024 bit)

This seems bogus to me: either you have a DH group and use PFS, or not.
The "esp" keyword in your connection is either

  esp=aes128-sha1!

or

  esp=aes128-sha1-modp1024!

Regards
Martin
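
Added example, not part of Martin's message or the strongSwan project's own configuration: one ipsec.conf connection that combines the points above, so that an IKEv1 Main mode initiation from the peer finds a matching config. The connection name and the subnet placeholders are assumptions; the addresses and the peer identity are read from the quoted log line, and the lifetime from the quoted Phase I list.

```conf
# /etc/ipsec.conf (added example; "azure" is a hypothetical connection name)
conn azure
    # The peer initiates with IKEv1 Main mode, so this connection must be
    # IKEv1; a keyexchange=ikev2 connection is not considered for it.
    keyexchange=ikev1
    aggressive=no
    # Local and peer addresses as shown in the quoted log line.
    left=192.168.199.10
    right=168.63.60.212
    # Assumption: the bracketed value in the log is the identity the peer sends.
    rightid=10.4.1.4
    # Placeholders: the protected networks are not given in the message.
    leftsubnet=<local-subnet>
    rightsubnet=<azure-subnet>
    leftauth=psk
    rightauth=psk
    # Phase 1: AES128 / SHA1 / DH group 2, lifetime 28800 seconds.
    # The trailing "!" restricts negotiation to exactly this proposal.
    ike=aes128-sha1-modp1024!
    ikelifetime=28800s
    # Phase 2 with PFS off. If the peer does use PFS with group 2,
    # use esp=aes128-sha1-modp1024! instead.
    esp=aes128-sha1!
    type=tunnel
    # Load the connection and wait for the peer to initiate.
    auto=add
```

The matching pre-shared key goes in ipsec.secrets. Note that DH group 2 (1024 bit) and SHA1 are what the peer's parameter list offers here, not a recommended baseline.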




