[strongSwan] Strongswan config different 'ike' values in end points

Andreas Steffen andreas.steffen at strongswan.org
Thu Nov 19 06:49:15 CET 2015


Yes, this is expected behaviour. With

peer1: ike=aes128-sha1
peer2: ike=3des-md5

The peers just state their preferred algorithms but any other
supported algorithms are also accepted by default. If you don't
want this standard behaviour then you have to append the '!'
*strict* flag:

peer1: ike=aes128-sha1!
peer2: ike=3des-md5!

In this case the IKE negotiation will abort with "NO_COMMON_PROPOSAL".

Best regards

Andreas

On 19.11.2015 05:56, Jayapal Reddy wrote:
> Hi,
>
> I have a site-to-site VPN config where ike in the config has
> different values. The VPN tunnel is coming up with this config. Is it
> expected behavior or is something wrong?
>
>   ike=aes128-sha1                              ike=3des-md5
> Router104 ---------------public--------------Router103
>
> root at r-104-QA:~# cat /etc/ipsec.d/ipsec.vpn-10.147.52.103.conf
> conn vpn-10.147.52.103
>    left=10.147.52.106
>    leftsubnet=10.10.0.0/16
>    leftnexthop=10.147.52.1
>    right=10.147.52.103
>    rightsubnet=192.168.0.0/16
>    type=tunnel
>    authby=secret
>    keyexchange=ikev1
>    ike=aes128-sha1
>    ikelifetime=86400s
>    esp=aes128-sha1
>    lifetime=3600s
>    pfs=no
>    keyingtries=2
>    auto=start
> root at r-104-QA:~#
> root at r-104-QA:~# ipsec statusall
> 000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
> 000 interface lo/lo 127.0.0.1:4500
> 000 interface lo/lo 127.0.0.1:500
> 000 interface eth0/eth0 169.254.2.237:4500
> 000 interface eth0/eth0 169.254.2.237:500
> 000 interface eth1/eth1 10.147.52.106:4500
> 000 interface eth1/eth1 10.147.52.106:500
> 000 %myid = '%any'
> 000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random
> x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
> 000 debug options: none
> 000
> 000 "L2TP-PSK":
> 172.26.0.151[172.26.0.151]:17/1701---10.147.52.1...%any[%any]:17/%any==={10.0.0.0/8}; unrouted; eroute owner: #0
> 000 "L2TP-PSK":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin:
> 540s; rekey_fuzz: 100%; keyingtries: 3
> 000 "L2TP-PSK":   policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,8;
> interface: ;
> 000 "L2TP-PSK":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000 "vpn-10.147.52.103":
> 10.10.0.0/16===10.147.52.106[10.147.52.106]---10.147.52.1...10.147.52.103[10.147.52.103]===192.168.0.0/16; erouted; eroute owner: #11
> 000 "vpn-10.147.52.103":   ike_life: 86400s; ipsec_life: 3600s;
> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 2
> 000 "vpn-10.147.52.103":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 16,16;
> interface: eth1;
> 000 "vpn-10.147.52.103":   newest ISAKMP SA: #8; newest IPsec SA: #11;
> 000 "vpn-10.147.52.103":   IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_1536
> 000 "vpn-10.147.52.103":   ESP proposal: AES_CBC_128/HMAC_SHA1/<N/A>
> 000
> 000 #11: "vpn-10.147.52.103" STATE_QUICK_I2 (sent QI2, IPsec SA
> established); EVENT_SA_REPLACE in 2366s; newest IPSEC; eroute owner
> 000 #11: "vpn-10.147.52.103" esp.ccd56ea8@10.147.52.103 (0 bytes) esp.cd9efa23@10.147.52.106 (0 bytes); tunnel
> 000 #10: "vpn-10.147.52.103" STATE_QUICK_I2 (sent QI2, IPsec SA
> established); EVENT_SA_REPLACE in 2599s
> 000 #10: "vpn-10.147.52.103" esp.c96e6831@10.147.52.103 (0 bytes) esp.c59d350e@10.147.52.106 (0 bytes); tunnel
> 000 #9: "vpn-10.147.52.103" STATE_QUICK_I2 (sent QI2, IPsec SA
> established); EVENT_SA_REPLACE in 2674s
> 000 #9: "vpn-10.147.52.103" esp.c422c096@10.147.52.103 (0 bytes) esp.c1444f5f@10.147.52.106 (0 bytes); tunnel
> 000 #8: "vpn-10.147.52.103" STATE_MAIN_I4 (ISAKMP SA established);
> EVENT_SA_REPLACE in 85088s; newest ISAKMP
> 000
> Status of IKEv2 charon daemon (strongSwan 4.5.2):
>    uptime: 13 minutes, since Nov 18 09:00:50 2015
>    malloc: sbrk 380928, mmap 0, used 245664, free 135264
>    worker threads: 7 idle of 16, job queue load: 0, scheduled events: 0
>    loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random
> x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp
> agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve
> socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc
> eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock
> Listening IP addresses:
>    169.254.2.237
>    10.147.52.106
> Connections:
> Security Associations:
>    none
> root at r-104-QA:~#
>
>
>
> root at r-103-QA:~# cat /etc/ipsec.d/ipsec.vpn-10.147.52.106.conf
> conn vpn-10.147.52.106
>    left=10.147.52.103
>    leftsubnet=192.168.0.0/16
>    leftnexthop=10.147.52.1
>    right=10.147.52.106
>    rightsubnet=10.10.0.0/16
>    type=tunnel
>    authby=secret
>    keyexchange=ikev1
>    ike=3des-md5
>    ikelifetime=86400s
>    esp=3des-md5
>    lifetime=3600s
>    pfs=no
>    keyingtries=2
>    auto=start
> root at r-103-QA:~#
> root at r-103-QA:~#
> root at r-103-QA:~# ipsec statusall
> 000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
> 000 interface lo/lo 127.0.0.1:4500
> 000 interface lo/lo 127.0.0.1:500
> 000 interface eth0/eth0 169.254.1.56:4500
> 000 interface eth0/eth0 169.254.1.56:500
> 000 interface eth1/eth1 10.147.52.103:4500
> 000 interface eth1/eth1 10.147.52.103:500
> 000 %myid = '%any'
> 000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random
> x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
> 000 debug options: none
> 000
> 000 "L2TP-PSK":
> 172.26.0.151[172.26.0.151]:17/1701---10.147.52.1...%any[%any]:17/%any==={10.0.0.0/8}; unrouted; eroute owner: #0
> 000 "L2TP-PSK":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin:
> 540s; rekey_fuzz: 100%; keyingtries: 3
> 000 "L2TP-PSK":   policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,8;
> interface: ;
> 000 "L2TP-PSK":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000 "vpn-10.147.52.106":
> 192.168.0.0/16===10.147.52.103[10.147.52.103]---10.147.52.1...10.147.52.106[10.147.52.106]===10.10.0.0/16; erouted; eroute owner: #15
> 000 "vpn-10.147.52.106":   ike_life: 86400s; ipsec_life: 3600s;
> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 2
> 000 "vpn-10.147.52.106":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 16,16;
> interface: eth1;
> 000 "vpn-10.147.52.106":   newest ISAKMP SA: #12; newest IPsec SA: #15;
> 000 "vpn-10.147.52.106":   IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_1536
> 000 "vpn-10.147.52.106":   ESP proposal: AES_CBC_128/HMAC_SHA1/<N/A>
> 000
> 000 #15: "vpn-10.147.52.106" STATE_QUICK_R2 (IPsec SA established);
> EVENT_SA_REPLACE in 2974s; newest IPSEC; eroute owner
> 000 #15: "vpn-10.147.52.106" esp.cd9efa23@10.147.52.106 (0 bytes) esp.ccd56ea8@10.147.52.103 (0 bytes); tunnel
> 000 #14: "vpn-10.147.52.106" STATE_QUICK_R2 (IPsec SA established);
> EVENT_SA_REPLACE in 2974s
> 000 #14: "vpn-10.147.52.106" esp.c59d350e@10.147.52.106 (0 bytes) esp.c96e6831@10.147.52.103 (0 bytes); tunnel
> 000 #13: "vpn-10.147.52.106" STATE_QUICK_R2 (IPsec SA established);
> EVENT_SA_REPLACE in 2974s
> 000 #13: "vpn-10.147.52.106" esp.c1444f5f@10.147.52.106 (0 bytes) esp.c422c096@10.147.52.103 (0 bytes); tunnel
> 000 #12: "vpn-10.147.52.106" STATE_MAIN_R3 (sent MR3, ISAKMP SA
> established); EVENT_SA_REPLACE in 85774s; newest ISAKMP
> 000
> Status of IKEv2 charon daemon (strongSwan 4.5.2):
>    uptime: 16 minutes, since Nov 18 08:59:07 2015
>    malloc: sbrk 380928, mmap 0, used 245648, free 135280
>    worker threads: 7 idle of 16, job queue load: 0, scheduled events: 0
>    loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random
> x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp
> agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve
> socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc
> eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock
> Listening IP addresses:
>    169.254.1.56
>    10.147.52.103
> Connections:
> Security Associations:
>    none
>
> Thanks,
> Jayapal

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
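The matching rule Andreas describes (a peer sends its configured proposal first but, without the '!' flag, also accepts any other supported algorithm; with '!' on both sides the exchange fails with NO_COMMON_PROPOSAL) can be modelled in a few lines. The code below is an added example for this thread, not strongSwan's own proposal-selection code and not something from the original mails. It is a simplified model with these assumptions: the supported-algorithm set is a constructed subset of what the plugin lists in the status output suggest; an unspecified DH group defaults to MODP_1536, as the negotiated "AES_CBC_128/HMAC_SHA1/MODP_1536" lines show; and a non-strict initiator's extra "default" proposals are modelled as every supported combination. It goes slightly beyond the thread by also showing what happens when only one side is strict, and by adding a small audit helper that flags a non-strict ike= line and the legacy 3DES/MD5 algorithms in it.

```python
"""Toy model of strongSwan ike= proposal matching with and without the '!' strict flag.

Added example; a simplified model, not strongSwan's own negotiation code.
"""
from dataclasses import dataclass
from itertools import product

# Constructed: algorithms the modelled build supports (the page's plugin lists
# show aes, des, sha1, sha2, md5 and gmp loaded, so this is a plausible subset).
SUPPORTED_ENCR = ("aes128", "aes192", "aes256", "3des")
SUPPORTED_INTEG = ("sha1", "sha256", "md5")
SUPPORTED_DH = ("modp1024", "modp1536", "modp2048")

# Assumption: an ike= value without a DH group falls back to MODP_1536, which is
# what the "IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_1536" status lines show.
DEFAULT_DH = "modp1536"

# Names as pluto prints them in "ipsec statusall".
ENCR_NAMES = {"aes128": "AES_CBC_128", "aes192": "AES_CBC_192",
              "aes256": "AES_CBC_256", "3des": "3DES_CBC"}
INTEG_NAMES = {"sha1": "HMAC_SHA1", "sha256": "HMAC_SHA2_256", "md5": "HMAC_MD5"}
DH_NAMES = {"modp1024": "MODP_1024", "modp1536": "MODP_1536", "modp2048": "MODP_2048"}


@dataclass(frozen=True)
class Proposal:
    encr: str
    integ: str
    dh: str

    def __str__(self):
        return f"{ENCR_NAMES[self.encr]}/{INTEG_NAMES[self.integ]}/{DH_NAMES[self.dh]}"


def parse_ike(value):
    """Parse an ipsec.conf ike= value such as 'aes128-sha1!' or
    '3des-md5,aes256-sha256-modp2048'. Returns (proposals in order, strict)."""
    value = value.strip()
    strict = value.endswith("!")
    if strict:
        value = value[:-1]
    proposals = []
    for item in value.split(","):
        parts = item.strip().split("-")
        if len(parts) < 2:
            raise ValueError(f"malformed proposal: {item!r}")
        dh = parts[2] if len(parts) > 2 else DEFAULT_DH
        proposals.append(Proposal(parts[0], parts[1], dh))
    return proposals, strict


def offered_proposals(value):
    """What the initiator puts on the wire. Strict: the configured proposals
    only. Non-strict (model assumption): configured proposals first, then every
    supported combination as the trailing 'default' list."""
    configured, strict = parse_ike(value)
    if strict:
        return list(configured)
    defaults = [Proposal(e, i, d)
                for e, i, d in product(SUPPORTED_ENCR, SUPPORTED_INTEG, SUPPORTED_DH)]
    return configured + [p for p in defaults if p not in configured]


def responder_accepts(value, proposal):
    """Strict responder: exact match with a configured proposal only.
    Non-strict responder: anything built from supported algorithms."""
    configured, strict = parse_ike(value)
    if proposal in configured:
        return True
    if strict:
        return False
    return (proposal.encr in SUPPORTED_ENCR and proposal.integ in SUPPORTED_INTEG
            and proposal.dh in SUPPORTED_DH)


def negotiate(initiator_ike, responder_ike):
    """The responder takes the first offered proposal it accepts. Returns the
    Proposal, or the string 'NO_COMMON_PROPOSAL' when nothing matches."""
    for p in offered_proposals(initiator_ike):
        if responder_accepts(responder_ike, p):
            return p
    return "NO_COMMON_PROPOSAL"


def audit_ike(value):
    """Defensive check for one ike= line: flags a missing strict flag (the peer
    may then settle on any supported algorithm) and legacy 3DES/MD5 choices."""
    configured, strict = parse_ike(value)
    findings = []
    if not strict:
        findings.append("not strict: peer may negotiate any supported algorithm")
    for p in configured:
        if p.encr == "3des":
            findings.append(f"{p}: 3DES is a legacy cipher")
        if p.integ == "md5":
            findings.append(f"{p}: MD5 is a legacy integrity algorithm")
    return findings


if __name__ == "__main__":
    # The thread's two configurations, then both strict, then one side strict.
    for a, b in [("aes128-sha1", "3des-md5"), ("aes128-sha1!", "3des-md5!"),
                 ("aes128-sha1", "3des-md5!")]:
        print(f"{a:13} -> {b:13}: {negotiate(a, b)}")
    for line in audit_ike("3des-md5"):
        print("audit:", line)
```

With the thread's settings the model returns AES_CBC_128/HMAC_SHA1/MODP_1536, the proposal both routers report; with '!' on both ends it returns NO_COMMON_PROPOSAL. The one-side-strict case is the one worth noting when reviewing a configuration: a strict responder pins what it will accept, but a non-strict initiator keeps offering fallbacks until one of them matches, so the algorithm policy is only enforced once both peers carry the flag.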
