[strongSwan] Microsoft Azure Virtual Network?

John Connett jrc at skylon.demon.co.uk
Fri Aug 3 12:17:09 CEST 2012


On Fri, 03 Aug 2012 10:14:01 +0100, Martin Willi <martin at strongswan.org>  
wrote:
>> > 10[CFG] <2> looking for pre-shared key peer configs matching
>> > 192.168.199.10...168.63.60.212[10.4.1.4]
>> > 10[IKE] <2> no peer config found
>>
>> Is this an artifact of the charon / pluto merge in strongSwan 5?  Or is
>> "keyexchange=ikev2" not sufficient to cause IKEv2 to be used?
>
> The keyexchange parameter is connection specific, so your connection
> will use IKEv2.
>
> Your peer, however, seems to initiate with IKEv1. You don't have a
> matching connection for IKEv1, hence the negotiation fails with "no peer
> config found".

I have tried "keyexchange=ike" which the ipsec.conf manual page says will
"use IKEv2 when initiating, but accept any protocol version when
responding".  However, that doesn't seem to make a difference ...

>> IKE Phase I Parameters:
>>      Mode: Main mode
>>      Encryption: AES128 or 3DES
>>      Integrity: SHA1
>>      Diffie-Hellman group: Group 2 (1024 bit)
>>      Authentication Method: Pre-shared key
>>      Security Association Lifetime: 28800 seconds
>
> Phase 1 proposal is what we define with the "ike" keyword:
>
>   ike=aes128-sha1-modp1024!
>   leftauth=psk
>   rightauth=psk
>
>> IKE Phase II Parameters:
>>      Mode: ESP tunnel mode
>>      Encryption: AES128 or 3DES
>>      Integrity: SHA1
>>      Perfect Forward Secrecy: OFF
>>      Diffie-Hellman group: Group 2 (1024 bit)
>
> This seems bogus to me, either you have a DH group and use PFS, or not.
> The "esp" keyword in your connection is either
>
>   esp=aes128-sha1!
>
> or
>
>   esp=aes128-sha1-modp1024!

I have removed the 3des entries from ike and esp.  Either with or without
"-modp1024" I am still seeing "no peer config found".

Am I missing something fundamental such as needing two separate conn
sections depending on which end initiates?  Or is there a way to ensure
that the right (remote) end always initiates and the left end listens?

Could I need "xauthpsk" rather than "psk"?

Apologies if these have obvious answers but I am very new to this!

Many thanks for the help
--
John Connett
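As an added illustration (not part of the thread and not configuration from the strongSwan project or Microsoft), this is one way the parameters quoted above could be written as a responder-only, pre-shared-key ipsec.conf connection that can match a peer initiating with IKEv1 Main Mode, following the diagnosis in the reply. All addresses, subnets and identities below are placeholders, and "ikelifetime" is the only lifetime taken from the thread:

```ini
# Added example, not from the thread or the strongSwan project.
# Addresses, subnets and the peer identity are placeholders.

conn vnet-gateway
        # The CFG log shows the peer initiating with IKEv1, so the
        # connection is declared as IKEv1; a "keyexchange=ikev2" conn
        # cannot match an IKEv1 initiator. Main Mode is the default.
        keyexchange=ikev1
        # Phase 1: AES-128, SHA-1, DH group 2 (modp1024), 28800 s lifetime.
        # The trailing "!" makes the proposal strict (nothing else accepted).
        ike=aes128-sha1-modp1024!
        ikelifetime=28800s
        # Phase 2: ESP tunnel mode with PFS off, so no DH group is listed.
        esp=aes128-sha1!
        type=tunnel
        # Pre-shared key on both ends.
        leftauth=psk
        rightauth=psk
        # Local side (placeholder on-premises subnet).
        left=%defaultroute
        leftsubnet=192.0.2.0/24
        # Remote side (placeholder gateway address and virtual network).
        right=203.0.113.10
        rightsubnet=10.0.0.0/16
        # The identity the peer sends is the value in square brackets in the
        # "looking for pre-shared key peer configs matching ...[ID]" log
        # line; that is what the peer config lookup matches against. When it
        # differs from the address in "right=", set it explicitly.
        rightid=198.51.100.4
        # auto=add loads the connection and only responds; the remote end
        # initiates. auto=start would make this end initiate instead.
        auto=add
```

The matching secret goes in ipsec.secrets, keyed by the same identities, e.g. `203.0.113.10 198.51.100.4 : PSK "placeholder-shared-secret"`. With the strict proposals above, a peer that offers 3DES, or a Quick Mode proposal that carries a DH group, is rejected and charon logs the mismatch, which is the expected place to look when a negotiation still fails after the IKE version matches.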
