[strongSwan] IKE proposals with the load-tester plugin

NGO MAEMBLE Ruth-Stephanie ruth-stephanie.ngomaemble at thalesgroup.com
Fri Jun 22 16:20:52 CEST 2012


Hello,

I am using the load-tester plugin with strongswan-4.6.4 against a remote host.
The initiator host has the following configuration (extracted from its strongswan.conf file):
--------
initiators = 1
iterations = 1
proposal = aes256-sha1-modp2048,aes128-sha1-modp2048
--------

For the responder (extracted from its ipsec.conf file):
--------
conn %default
        ike=aes256-sha1-modp2048,aes128-sha1-modp2048
--------

Both strongswan.conf and ipsec.conf files are attached.

My problem deals with the IKE proposals. I have the following error in the logs:

On the initiator host:
--------
Jun 22 15:03:27 vm-test-amd64-linux-squeeze-03.showroom.nss.thales charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.4)
Jun 22 15:03:27 vm-test-amd64-linux-squeeze-03.showroom.nss.thales charon: 00[CFG] algorithm 'modp2048,aes128' not recognized
--------

On the responder host:
--------
Jun 22 11:42:50 vm-test-amd64-linux-squeeze-05.showroom.nss.thales charon: 13[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_768
Jun 22 11:42:50 vm-test-amd64-linux-squeeze-05.showroom.nss.thales charon: 13[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192
Jun 22 11:42:50 vm-test-amd64-linux-squeeze-05.showroom.nss.thales charon: 13[IKE] received proposals inacceptable
Jun 22 11:42:50 vm-test-amd64-linux-squeeze-05.showroom.nss.thales charon: 13[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
--------

I would like to know why the proposals "aes256-sha1-modp2048,aes128-sha1-modp2048" are not recognized when using the load-tester plugin.

By the way, this proposal is accepted when I mount a simple IPsec tunnel without the load-tester plugin:
--------
Security Associations (1 up, 0 connecting):
        home[2]: ESTABLISHED 7 seconds ago, 192.168.21.123[C=FR, O=Thales, CN=vmtest03]...192.168.21.125[C=FR, O=Thales, CN=vmtest05]
        home[2]: IKE SPIs: a083061ad063edce_i* 74d4a4238fe4f0e9_r, public key reauthentication in 52 minutes
        home[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
        home{1}:  INSTALLED, TUNNEL, ESP SPIs: 01000000_i ced44884_o
        home{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i (1830345s ago), 0 bytes_o (1830345s ago), rekeying in 16 minutes
        home{1}:   192.168.21.123/32 === 192.168.21.125/32
--------

Regards,

Stéphanie


-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: strongswan_conf_initiator.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120622/9f18d3b0/attachment.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ipsec_conf_responder.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120622/9f18d3b0/attachment-0001.txt>
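
Added example, not part of the original post and not strongSwan code: a small parser for the responder's "received proposals" and "configured proposals" log lines that reports, per transform type, where the two sides share no algorithm. The mapping of algorithm names to transform types is a simplification assumed for this example, and the responder's third configured proposal is shortened.

```python
import re

# Responder log lines from the post, syslog prefix stripped. The third
# configured proposal (the long built-in list) is shortened for this example.
RECEIVED = ("13[CFG] received proposals: "
            "IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_768")
CONFIGURED = ("13[CFG] configured proposals: "
              "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, "
              "IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, "
              "IKE:AES_CBC_128/AES_CBC_256/3DES_CBC/AES_XCBC_96/HMAC_SHA1_96/"
              "PRF_AES128_XCBC/PRF_HMAC_SHA1/MODP_2048/MODP_1536/MODP_1024/ECP_256")

def transform_type(name):
    """Map a logged algorithm name to its IKEv2 transform type (assumed rules)."""
    if name.startswith("PRF_"):
        return "PRF"
    if name.startswith(("MODP_", "ECP_")):
        return "DH"
    if name.startswith("HMAC_") or re.fullmatch(r"AES_(XCBC|CMAC)_\d+", name):
        return "INTEG"
    return "ENCR"

def parse_proposals(line):
    """Return one {transform type: set of algorithms} dict per proposal."""
    proposals = []
    for text in line.split("proposals: ", 1)[1].split(", "):
        by_type = {}
        # Drop the "IKE:" protocol prefix, then split the algorithm list.
        for name in text.split(":", 1)[1].split("/"):
            by_type.setdefault(transform_type(name), set()).add(name)
        proposals.append(by_type)
    return proposals

def diagnose(received_line, configured_line):
    """For each received/configured pair, list transform types with no overlap."""
    report = []
    for r_idx, recv in enumerate(parse_proposals(received_line), 1):
        for c_idx, conf in enumerate(parse_proposals(configured_line), 1):
            missing = sorted(t for t in recv
                             if not recv[t] & conf.get(t, set()))
            report.append((r_idx, c_idx, missing))
    return report

if __name__ == "__main__":
    for r_idx, c_idx, missing in diagnose(RECEIVED, CONFIGURED):
        verdict = "match" if not missing else "no common " + ", ".join(missing)
        print(f"received #{r_idx} vs configured #{c_idx}: {verdict}")
```

On these lines the Diffie-Hellman group is the mismatch against every configured proposal: the responder received MODP_768, which none of its configured proposals contain.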

