[strongSwan] issue with modpnull Diffie-Hellman group

Chinmaya Dwibedy ckdwibedy at yahoo.com
Thu Feb 27 15:05:14 CET 2014



Hi Andreas,

Thank you for your prompt response. I configured the following at both ends.
charon {
  send_vendor_id = yes
}

Still getting the same issue, i.e., unable to establish the IPsec tunnel. Here are the logs from both ends. Am I missing anything?


IKE Responder


13[NET] <1> received packet: from 30.30.30.11[500] to 30.30.30.21[500] (196 bytes)
13[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
13[IKE] <1> received strongSwan vendor ID
13[IKE] <1> DH group MODP_NULL inacceptable, requesting MODP_NULL
13[ENC] <1> generating IKE_SA_INIT response 0 [ N(INVAL_KE) V ]
13[NET] <1> sending packet: from 30.30.30.21[500] to 30.30.30.11[500] (58 bytes)
14[NET] <2> received packet: from 30.30.30.11[500] to 30.30.30.21[500] (176 bytes)
14[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
14[CFG] <2> an algorithm from private space would match, but peer implementation is unknown, skipped
14[CFG] <2> received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_NULL
14[CFG] <2> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_NULL
14[IKE] <2> received proposals inacceptable
14[ENC] <2> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
14[NET] <2> sending packet: from 30.30.30.21[500] to 30.30.30.11[500] (36 bytes)


IKE Initiator 

10[ENC] <load-test|1> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
10[NET] <load-test|1> sending packet: from 30.30.30.11[500] to 30.30.30.21[500] (196 bytes)
13[NET] <load-test|1> received packet: from 30.30.30.21[500] to 30.30.30.11[500] (58 bytes)
13[ENC] <load-test|1> parsed IKE_SA_INIT response 0 [ N(INVAL_KE) V ]
13[IKE] <load-test|1> received strongSwan vendor ID
13[IKE] <load-test|1> peer didn't accept DH group MODP_NULL, it requested MODP_NULL
13[ENC] <load-test|1> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
charon (1045) started after 40 ms
14[CFG] received stroke: add connection 'host-host'
14[CFG] left nor right host is our side, assuming left=local
14[CFG] adding virtual IP address pool 10.0.0.0/8
14[CFG] added configuration 'host-host'
13[NET] <load-test|1> sending packet: from 30.30.30.11[500] to 30.30.30.21[500] (176 bytes)
16[NET] <load-test|1> received packet: from 30.30.30.21[500] to 30.30.30.11[500] (36 bytes)
16[ENC] <load-test|1> parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
16[IKE] <load-test|1> received NO_PROPOSAL_CHOSEN notify error


Regards,
Chinmaya
On Thursday, February 27, 2014 6:51 PM, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
  
Hi,

Since MODP_NULL is not an IANA-registered DH group but is intended
for testing purposes only, you must send the strongSwan Vendor ID
by adding the following statements

charon {
  send_vendor_id = yes
}

in the /etc/strongswan.conf files of both endpoints.

Regards

Andreas


On 02/27/2014 12:25 PM, Chinmaya Dwibedy wrote:
> Hi ,
> 
> I am using the modpnull Diffie-Hellman group to avoid the DH calculation
> overhead (strongswan-5.0.4). But it is unable to establish the security
> association. Here are the logs at the IKE responder end. Can anyone please
> suggest what is wrong?
> 
> 11[CFG] received stroke: add connection 'host-host'
> 11[CFG] adding virtual IP address pool 10.0.0.0/8
> 11[CFG] added configuration 'host-host'
> 13[NET] <1> received packet: from 30.30.30.11[500] to 30.30.30.21[500]
> (176 bytes)
> 13[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) ]
> 13[CFG] <1> an algorithm from private space would match, but peer
> implementation is unknown, skipped
> 13[CFG] <1> received proposals:
> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_NULL
> 13[CFG] <1> configured proposals:
> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_NULL
> 13[IKE] <1> received proposals inacceptable
> 13[ENC] <1> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
> 13[NET] <1> sending packet: from 30.30.30.21[500] to 30.30.30.11[500]
> (36 bytes)
> 
> Regards,
> Chinmaya

======================================================================
Andreas Steffen                        andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
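The responder log above rejects the proposal with "an algorithm from private space would match, but peer implementation is unknown, skipped" and then answers N(NO_PROP). The model below is an added illustration of that selection rule and is not strongSwan code: an IKEv2 responder intersects the received and configured transforms per type, but a transform ID in the private-use range (1024-65535 for every transform type, RFC 7296 section 3.3.2) is only accepted when the peer's implementation is known from a received vendor ID. The transform IDs, the value 1024 for MODP_NULL, the payload list returned for a successful response and the function names are assumptions chosen for the example. Note also that in the initiator log the first IKE_SA_INIT request carries a V payload while the retransmitted request after N(INVAL_KE) does not; the model's `peer_known=False` path corresponds to that second request.

```python
"""Toy model of IKEv2 proposal selection with private-use transform IDs.

Constructed example (not strongSwan source): shows why a responder that has
not learned the peer's implementation skips a private-space algorithm such
as MODP_NULL and answers NO_PROPOSAL_CHOSEN.
"""

# Transform types from RFC 7296 section 3.3.2.
ENCR, PRF, INTEG, DH = 1, 2, 3, 4
# For every transform type, IDs 1024-65535 are reserved for private use.
PRIVATE_USE_START = 1024

# IANA-assigned IDs for the algorithms in the thread's proposal, plus a
# private-use ID for MODP_NULL (1024 is assumed here for illustration).
NAMES = {
    (ENCR, 12): "AES_CBC_128",   # key-length attribute folded into the name
    (PRF, 2): "PRF_HMAC_SHA1",
    (INTEG, 2): "HMAC_SHA1_96",
    (DH, 1024): "MODP_NULL",
    (DH, 14): "MODP_2048",
}

# Constructed proposals: transform type -> list of transform IDs.
PEER_PROPOSAL = {ENCR: [12], PRF: [2], INTEG: [2], DH: [1024]}
LOCAL_PROPOSAL = {ENCR: [12], PRF: [2], INTEG: [2], DH: [1024]}


def fmt(proposal):
    """Render a proposal roughly the way charon logs it."""
    return "IKE:" + "/".join(
        NAMES[(t, i)] for t, ids in sorted(proposal.items()) for i in ids)


def match(received, configured, peer_known, log):
    """Intersect two proposals type by type.

    Returns the chosen proposal, or None if some transform type has no
    acceptable common algorithm. A private-use ID only counts as acceptable
    when peer_known is True (a vendor ID identified the implementation).
    """
    chosen = {}
    for ttype in (ENCR, PRF, INTEG, DH):
        common = [i for i in received.get(ttype, [])
                  if i in configured.get(ttype, [])]
        usable = []
        for tid in common:
            if tid >= PRIVATE_USE_START and not peer_known:
                log.append("an algorithm from private space would match, "
                           "but peer implementation is unknown, skipped")
                continue
            usable.append(tid)
        if not usable:
            return None
        chosen[ttype] = [usable[0]]  # first acceptable algorithm wins
    return chosen


def select_proposal(received_list, configured_list, peer_known, log):
    """Pick the first received proposal that matches a configured one."""
    for received in received_list:
        for configured in configured_list:
            chosen = match(received, configured, peer_known, log)
            if chosen:
                return chosen
    log.append("received proposals: " + ", ".join(map(fmt, received_list)))
    log.append("configured proposals: " + ", ".join(map(fmt, configured_list)))
    log.append("received proposals inacceptable")
    return None


def respond(request_has_vendor_id):
    """Simulate responder handling of one IKE_SA_INIT request.

    Returns (response payload names, log lines). The payload list for the
    success case is a simplification chosen for this example.
    """
    log = []
    if request_has_vendor_id:
        log.append("received strongSwan vendor ID")
    chosen = select_proposal([PEER_PROPOSAL], [LOCAL_PROPOSAL],
                             peer_known=request_has_vendor_id, log=log)
    if chosen is None:
        return ["N(NO_PROP)"], log
    return ["SA", "KE", "Nr"], log


if __name__ == "__main__":
    for has_vid in (True, False):
        payloads, log = respond(has_vid)
        print("request with V payload:" if has_vid else "request without V payload:")
        for line in log:
            print("  [CFG]", line)
        print("  response:", payloads)
```

Running the module prints the two outcomes side by side: with the vendor ID the private-space DH group is accepted and the SA proposal is selected; without it the same proposal is logged as skipped and the responder returns N(NO_PROP), which is the sequence visible in the responder log above.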