[strongSwan] Antw: Re: NO_PROPOSAL_CHOSEN error notify

bjoern wahl bjoern.wahl at hospital-borken.de
Mon Nov 11 10:28:27 CET 2013


Hello Noel,

thanks for the fast response.

I did that already:

======================================================================
ike=aes128-sha1-modp1536,aes128-md5-modp1536,3des-md5-modp1024,aes128-sha1-modp1024,aes256-sha-modp1024,3des-md5-modp1024
esp=aes128-sha1,aes128-md5,aes256-md5,aes256-sha1,3des-sha1,3des-md5
======================================================================

Did not help.

björn


Kind regards

__________________________________

Björn Wahl
Head of IT Department
Business administration graduate (Betriebswirt), specialization in business informatics


St.-Marien Hospital Borken GmbH
Am Boltenhof 7 - D-46325 Borken
Phone: +49 (0) 2861 97 - 1125
Fax: +49 (0) 2861 97 - 5 1122
bjoern.wahl at hospital-borken.de
www.hospital-borken.de

Register court: Amtsgericht Coesfeld
Register number: HR B 4914
Authorized managing director: Dipl.-Kfm. Christoph Bröcker
VAT identification number per § 27a Umsatzsteuergesetz: DE 307/5937/0049
_________________________________
>>> Noel Kuntze <noel at familie-kuntze.de> 11.11.13 10:16 >>>

Hello Bjoern,

In this case, you need to set the cipher settings for IKE by hand.
You can do this using the "ike" statement (and maybe the "esp" statement,
too) in ipsec.conf.
See the manpage for further information.

Regards
Noel Kuntze

On 11.11.2013 09:57, bjoern wahl wrote:
> Hello!
> 
> Just after solving the problem with my certs for WIN7 (thanks to Martin
> for the good hint) I hit the next problem.
> 
> I would like to migrate old VPNs to my new VPN-GW.
> 
> From Linux Openswan U2.4.4/K2.6.16.60-0.83.2-smp (netkey) to Linux
> strongSwan U5.1.1/K3.0.93-0.8-default.
> 
> With my first try i got a problem, the logs telling me:
> 
> ========================================================================
> 13[IKE] IKE_SA p123[1] established between 11.11.11.11[11.11.11.11]...22.22.22.22[22.22.22.22]
> 13[ENC] generating QUICK_MODE request 1243619134 [ HASH SA No ID ID ]
> 13[NET] sending packet: from 11.11.11.11[500] to 22.22.22.22[500] (284 bytes)
> 14[NET] received packet: from 22.22.22.22[500] to 11.11.11.11[500] (92 bytes)
> 14[ENC] parsed INFORMATIONAL_V1 request 2876618417 [ HASH N(NO_PROP) ]
> 14[IKE] received NO_PROPOSAL_CHOSEN error notify
> ========================================================================
> 
> On my old GW everything is still working fine:
> 
> ========================================================================
> 003 "p123" #13615: NAT-Traversal: Result using 3: no NAT detected
> 002 "p123" #13615: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> 108 "p123" #13615: STATE_MAIN_I3: sent MI3, expecting MR3
> 002 "p123" #13615: Main mode peer ID is ID_IPV4_ADDR: '22.22.22.22'
> 002 "p123" #13615: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> 004 "p123" #13615: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
> 002 "p123" #13616: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#13615}
> 117 "p123" #13616: STATE_QUICK_I1: initiate
> 003 "p123" #13616: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
> 002 "p123" #13616: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> 004 "p123" #13616: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xeaaec3ed <0x3f7a355f xfrm=AES_256-HMAC_SHA1 NATD=212.159.204.76:500 DPD=none}
> ========================================================================
> 
> I just thought it might be because the cipher is not included in my new
> strongSwan, and so I looked that up. I did not find aes_256 in
> my new strongSwan; is that the problem?
> How do I add that cipher?
> 
> ========================================================================
> List of X.509 End Entity Certificates:
> 
>   altNames:  ....
> 
> List of X.509 CA Certificates:
> 
>   s....
> 
> List of registered IKE algorithms:
> 
>   integrity:  HMAC_MD5_96[hmac] HMAC_SHA1_96[hmac] AES_XCBC_96[xcbc] HMAC_MD5_128[hmac] HMAC_SHA1_160[hmac]
>               AES_CMAC_96[cmac] HMAC_SHA2_256_128[hmac] HMAC_SHA2_384_192[hmac] HMAC_SHA2_512_256[hmac]
>               HMAC_SHA1_128[hmac] HMAC_SHA2_256_256[hmac] HMAC_SHA2_384_384[hmac] HMAC_SHA2_512_512[hmac]
>   aead:      
>   hasher:     HASH_MD4[md4] HASH_MD5[md5] HASH_SHA1[sha1] HASH_SHA224[sha2] HASH_SHA256[sha2] HASH_SHA384[sha2]
>               HASH_SHA512[sha2]
>   prf:        PRF_HMAC_MD5[hmac] PRF_HMAC_SHA1[hmac] PRF_AES128_XCBC[xcbc] PRF_HMAC_SHA2_256[hmac]
>               PRF_HMAC_SHA2_384[hmac] PRF_HMAC_SHA2_512[hmac] PRF_AES128_CMAC[cmac] PRF_FIPS_SHA1_160[fips-prf]
>               PRF_KEYED_SHA1[sha1]
>   dh-group:   MODP_768[gmp] MODP_1024[gmp] MODP_1536[gmp] MODP_2048[gmp] MODP_3072[gmp] MODP_4096[gmp] MODP_6144[gmp]
>               MODP_8192[gmp] MODP_1024_160[gmp] MODP_2048_224[gmp] MODP_2048_256[gmp] MODP_CUSTOM[gmp]
>   random-gen: RNG_STRONG[random] RNG_TRUE[random]
>   nonce-gen:  [nonce]
> 
> List of loaded Plugins:
> 
> charon:
>     CUSTOM:libcharon
>         NONCE_GEN
>         CUSTOM:libcharon-receiver
>         CUSTOM:kernel-ipsec
>         CUSTOM:kernel-net
>     CUSTOM:libcharon-receiver
>         HASHER:HASH_SHA1
>         RNG:RNG_STRONG
>         CUSTOM:socket
> aes:
>     CRYPTER:AES_CBC-16
>     CRYPTER:AES_CBC-24
>     CRYPTER:AES_CBC-32
> des:
>     CRYPTER:3DES_CBC-24
>     CRYPTER:DES_CBC-8
>     CRYPTER:DES_ECB-8
> rc2:
>     CRYPTER:RC2_CBC-0
> sha2:
>     HASHER:HASH_SHA384
>     HASHER:HASH_SHA512
> md4:
>     HASHER:HASH_MD4
> md5:
>     HASHER:HASH_MD5
> random:
>     RNG:RNG_STRONG
>     RNG:RNG_TRUE
> nonce:
>     NONCE_GEN
>         RNG:RNG_WEAK
> x509:
>     CERT_ENCODE:X509
>         HASHER:HASH_SHA1
>     CERT_DECODE:X509
>         HASHER:HASH_SHA1
>         PUBKEY:RSA (soft)
>         PUBKEY:ECDSA (soft)
>         PUBKEY:DSA (soft)
>     CERT_ENCODE:X509_AC
>     CERT_DECODE:X509_AC
>     CERT_ENCODE:X509_CRL
>     CERT_DECODE:X509_CRL
>     CERT_ENCODE:X509_OCSP_REQUEST
>         HASHER:HASH_SHA1
>         RNG:RNG_WEAK
>     CERT_DECODE:X509_OCSP_RESPONSE
>     CERT_ENCODE:PKCS10_REQUEST
>     CERT_DECODE:PKCS10_REQUEST
> revocation:
>     CUSTOM:revocation
>         CERT_ENCODE:X509_OCSP_REQUEST (soft)
>         CERT_DECODE:X509_OCSP_RESPONSE (soft)
>         CERT_DECODE:X509_CRL (soft)
>         CERT_DECODE:X509 (soft)
>         FETCHER:(null) (soft)
> constraints:
>     CUSTOM:constraints
>         CERT_DECODE:X509 (soft)
> pubkey:
>     CERT_ENCODE:TRUSTED_PUBKEY
>     CERT_DECODE:TRUSTED_PUBKEY
>         PUBKEY:RSA (soft)
>         PUBKEY:ECDSA (soft)
>         PUBKEY:DSA (soft)
> pkcs1:
>     PRIVKEY:RSA
>     PUBKEY:ANY
>     PUBKEY:RSA
> pkcs7:
>     CONTAINER_DECODE:PKCS7
>     CONTAINER_ENCODE:PKCS7_DATA
>     CONTAINER_ENCODE:PKCS7_SIGNED_DATA
>     CONTAINER_ENCODE:PKCS7_ENVELOPED_DATA
> pkcs8:
>     PRIVKEY:ANY
>     PRIVKEY:RSA
>     PRIVKEY:ECDSA
> pkcs12:
>     CONTAINER_DECODE:PKCS12
>         CONTAINER_DECODE:PKCS7
>         CERT_DECODE:X509 (soft)
>         PRIVKEY:ANY (soft)
>         HASHER:HASH_SHA1 (soft)
>         CRYPTER:3DES_CBC-24 (soft)
>         CRYPTER:RC2_CBC-0 (soft)
> pgp:
>     PRIVKEY:ANY
>     PRIVKEY:RSA
>     PUBKEY:ANY
>     PUBKEY:RSA
>     CERT_DECODE:PGP
> dnskey:
>     PUBKEY:ANY
>     PUBKEY:RSA
> sshkey:
>     PUBKEY:ANY
> pem:
>     PRIVKEY:ANY
>         PRIVKEY:ANY
>         HASHER:HASH_MD5 (soft)
>     PRIVKEY:RSA
>         PRIVKEY:RSA
>         HASHER:HASH_MD5 (soft)
>     PRIVKEY:ECDSA
>         PRIVKEY:ECDSA
>         HASHER:HASH_MD5 (soft)
>     PRIVKEY:DSA (not loaded)
>         PRIVKEY:DSA
>         HASHER:HASH_MD5 (soft)
>     PUBKEY:ANY
>         PUBKEY:ANY
>     PUBKEY:RSA
>         PUBKEY:RSA
>     PUBKEY:ECDSA (not loaded)
>         PUBKEY:ECDSA
>     PUBKEY:DSA (not loaded)
>         PUBKEY:DSA
>     CERT_DECODE:ANY
>         CERT_DECODE:ANY
>     CERT_DECODE:X509_CRL
>         CERT_DECODE:X509_CRL
>     CERT_DECODE:X509_OCSP_REQUEST (not loaded)
>         CERT_DECODE:X509_OCSP_REQUEST
>     CERT_DECODE:X509_OCSP_RESPONSE
>         CERT_DECODE:X509_OCSP_RESPONSE
>     CERT_DECODE:X509_AC
>         CERT_DECODE:X509_AC
>     CERT_DECODE:PKCS10_REQUEST
>         CERT_DECODE:PKCS10_REQUEST
>     CERT_DECODE:TRUSTED_PUBKEY
>         CERT_DECODE:TRUSTED_PUBKEY
>     CERT_DECODE:PGP
>         CERT_DECODE:PGP
>     CONTAINER_DECODE:PKCS12
>         CONTAINER_DECODE:PKCS12
> fips-prf:
>     PRF:PRF_FIPS_SHA1_160
>         PRF:PRF_KEYED_SHA1
> gmp:
>     DH:MODP_2048
>         RNG:RNG_STRONG
>     DH:MODP_2048_224
>         RNG:RNG_STRONG
>     DH:MODP_2048_256
>         RNG:RNG_STRONG
>     DH:MODP_1536
>         RNG:RNG_STRONG
>     DH:MODP_3072
>         RNG:RNG_STRONG
>     DH:MODP_4096
>         RNG:RNG_STRONG
>     DH:MODP_6144
>         RNG:RNG_STRONG
>     DH:MODP_8192
>         RNG:RNG_STRONG
>     DH:MODP_1024
>         RNG:RNG_STRONG
>     DH:MODP_1024_160
>         RNG:RNG_STRONG
>     DH:MODP_768
>         RNG:RNG_STRONG
>     DH:MODP_CUSTOM
>         RNG:RNG_STRONG
>     PRIVKEY:RSA
>     PRIVKEY_GEN:RSA
>         RNG:RNG_TRUE
>     PUBKEY:RSA
>     PRIVKEY_SIGN:RSA_EMSA_PKCS1_NULL
>     PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA1
>         HASHER:HASH_SHA1
>     PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA224
>         HASHER:HASH_SHA224
>     PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA256
>         HASHER:HASH_SHA256
>     PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA384
>         HASHER:HASH_SHA384
>     PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA512
>         HASHER:HASH_SHA512
>     PRIVKEY_SIGN:RSA_EMSA_PKCS1_MD5
>         HASHER:HASH_MD5
>     PUBKEY_VERIFY:RSA_EMSA_PKCS1_NULL
>     PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA1
>     PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA384
>         HASHER:HASH_SHA384
>     PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA512
>         HASHER:HASH_SHA512
>     PUBKEY_VERIFY:RSA_EMSA_PKCS1_MD5
>         HASHER:HASH_MD5
>     PRIVKEY_DECRYPT:ENCRYPT_RSA_PKCS1
>     PUBKEY_ENCRYPT:ENCRYPT_RSA_PKCS1
>         RNG:RNG_WEAK
> xcbc:
>     PRF:PRF_AES128_XCBC
>         CRYPTER:AES_CBC-16
>     PRF:PRF_CAMELLIA128_XCBC (not loaded)
>         CRYPTER:CAMELLIA_CBC-16
>     SIGNER:CAMELLIA_XCBC_96 (not loaded)
>         CRYPTER:CAMELLIA_CBC-16
>     SIGNER:AES_XCBC_96
>         CRYPTER:AES_CBC-16
> cmac:
>     PRF:PRF_AES128_CMAC
>         CRYPTER:AES_CBC-16
>     SIGNER:AES_CMAC_96
>         CRYPTER:AES_CBC-16
> hmac:
>     PRF:PRF_HMAC_SHA1
>         HASHER:HASH_SHA1
>     PRF:PRF_HMAC_MD5
>         HASHER:HASH_MD5
>     PRF:PRF_HMAC_SHA2_256
>         HASHER:HASH_SHA256
>     PRF:PRF_HMAC_SHA2_384
>         HASHER:HASH_SHA384
>     PRF:PRF_HMAC_SHA2_512
>         HASHER:HASH_SHA512
>     SIGNER:HMAC_SHA1_96
>         HASHER:HASH_SHA1
>     SIGNER:HMAC_SHA1_128
>         HASHER:HASH_SHA1
>     SIGNER:HMAC_SHA1_160
>         HASHER:HASH_SHA1
>     SIGNER:HMAC_MD5_96
>         HASHER:HASH_MD5
>     SIGNER:HMAC_MD5_128
>         HASHER:HASH_MD5
>     SIGNER:HMAC_SHA2_256_128
>         HASHER:HASH_SHA256
>     SIGNER:HMAC_SHA2_256_256
>         HASHER:HASH_SHA256
>     SIGNER:HMAC_SHA2_384_192
>         HASHER:HASH_SHA384
>     SIGNER:HMAC_SHA2_384_384
>         HASHER:HASH_SHA384
>     SIGNER:HMAC_SHA2_512_256
>         HASHER:HASH_SHA512
>     SIGNER:HMAC_SHA2_512_512
>         HASHER:HASH_SHA512
> attr:
>     CUSTOM:attr
> kernel-netlink:
>     CUSTOM:kernel-ipsec
>     CUSTOM:kernel-net
> resolve:
>     CUSTOM:resolve
> socket-default:
>     CUSTOM:socket
>         CUSTOM:kernel-ipsec (soft)
> stroke:
>     CUSTOM:stroke
>         PRIVKEY:RSA (soft)
>         PRIVKEY:ECDSA (soft)
>         PRIVKEY:DSA (soft)
>         CERT_DECODE:ANY (soft)
>         CERT_DECODE:X509 (soft)
>         CERT_DECODE:X509_CRL (soft)
>         CERT_DECODE:X509_AC (soft)
>         CERT_DECODE:TRUSTED_PUBKEY (soft)
> updown:
>     CUSTOM:updown
> eap-identity:
>     EAP_SERVER:ID
>     EAP_CLIENT:ID
> eap-mschapv2:
>     EAP_SERVER:MSCHAPV2
>         CRYPTER:DES_ECB-8
>         HASHER:HASH_MD4
>         HASHER:HASH_SHA1
>         RNG:RNG_WEAK
> eap-radius:
>     EAP_SERVER:RAD
>         CUSTOM:eap-radius
>     XAUTH_SERVER:radius
>         CUSTOM:eap-radius
>     CUSTOM:eap-radius
>         HASHER:HASH_MD5
>         SIGNER:HMAC_MD5_128
>         RNG:RNG_WEAK
> eap-tls:
>     EAP_SERVER:TLS
>         HASHER:HASH_MD5
>         HASHER:HASH_SHA1
>         RNG:RNG_WEAK
>     EAP_CLIENT:TLS
>         HASHER:HASH_MD5
>         HASHER:HASH_SHA1
>         RNG:RNG_WEAK
>         RNG:RNG_STRONG
> xauth-generic:
>     XAUTH_SERVER:generic
>     XAUTH_CLIENT:generic
> 
> ========================================================================
> 
> ----------------------------------------------------------------------------------------------------
> Klinikverbund Westmünsterland gGmbH
>  Registered office: Am Boltenhof 7, 46325 Borken
>  Register court Coesfeld, HRB No. 8983
>  VAT ID No.: DE 222740345
>  Chief Executive Officer: Hermann Nientiedt
>  Managing Directors: Christoph Bröcker, Ludger Hellmann
>  
>  This e-mail contains confidential or legally protected information. If you
>  are not the intended recipient, please notify the sender immediately and
>  delete this e-mail.
>  
>  Unauthorized copying of this e-mail or unauthorized disclosure of the
>  information it contains is not permitted.
>  
>  Klinikverbund Westmünsterland comprises five hospitals with 1,332 planned
>  beds and several elder-care facilities. More than 50 specialist departments
>  follow the latest medical standards and meet the high requirements of
>  qualified, certified care. Around 50,000 patients a year are treated as
>  inpatients in the hospitals. With over 3,800 employees, the group is one of
>  the largest employers in the region.
> 
> 
> 
> 
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
> 
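Editor's note, added to this archived thread and not part of any message in it: the strongSwan log above fails only after "IKE_SA p123[1] established", so the phase 1 proposal was accepted and the peer rejected the Quick Mode (phase 2) proposal. The Openswan log from the old gateway records what that peer did accept: phase 1 with aes_256, oakley_sha (SHA-1) and modp1024 under a pre-shared key, and phase 2 negotiated with PFS and ESP AES_256-HMAC_SHA1. Two details are worth checking against the ike=/esp= lines posted at the top of the thread. First, the esp= list carries no Diffie-Hellman group, and in strongSwan a Quick Mode proposal only offers PFS when a group is written into the esp= proposal itself. Second, aes256 is available on the new gateway: the plugin list reports CRYPTER:AES_CBC-32, which is AES-CBC with a 32-byte (256-bit) key. The ipsec.conf connection below mirrors the old gateway's negotiated parameters. The connection name, subnets and the secret are placeholders, and that the remote peer requires exactly these settings is an assumption only its own log can confirm.

```conf
# Added example for this thread (not from any of the messages): a strongSwan 5.x
# ipsec.conf connection that mirrors the parameters the Openswan log shows the
# peer 22.22.22.22 accepting. Subnets and the secret are placeholders; whether
# the peer accepts exactly this proposal is an assumption.
#
# Old gateway, phase 1:  auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024
# Old gateway, phase 2:  Quick Mode PSK+ENCRYPT+TUNNEL+PFS, xfrm=AES_256-HMAC_SHA1
#
# The matching ipsec.secrets entry (placeholder secret) would be:
#   11.11.11.11 22.22.22.22 : PSK "placeholder-secret"

config setup

conn p123
    keyexchange=ikev1           # the logs show Main Mode / Quick Mode, i.e. IKEv1
    authby=secret               # OAKLEY_PRESHARED_KEY; the PSK itself lives in ipsec.secrets
    type=tunnel
    left=11.11.11.11
    leftsubnet=192.0.2.0/24     # placeholder: local network behind the new gateway
    right=22.22.22.22
    rightsubnet=198.51.100.0/24 # placeholder: network behind the peer
    # Phase 1: AES-256 (CRYPTER:AES_CBC-32 in the plugin list), SHA-1, DH group 2.
    # The trailing "!" keeps charon from appending its default proposals, so the
    # peer sees exactly this list.
    ike=aes256-sha1-modp1024!
    # Phase 2: AES-256/HMAC-SHA1 together with a DH group. Naming the group in
    # esp= is what enables PFS for Quick Mode in strongSwan; an esp= line without
    # a group proposes no PFS, which a peer that insists on PFS can reject.
    esp=aes256-sha1-modp1024!
    auto=start
```

NO_PROPOSAL_CHOSEN is sent by the peer, so the peer's log is the one that states which attribute it refused; on the strongSwan side `ipsec statusall` shows the configured connection and `ipsec listalgs` the algorithms actually loaded. The modp1024 and SHA-1 above only reproduce what the old gateway negotiated; once the migrated tunnel is up, the peer should be moved to at least modp2048 and sha256, and the proposal lists kept to what the peer really needs rather than the broad md5/3des lists posted above.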