[strongSwan] VPN no longer working after update to 5.4

Andreas Steffen andreas.steffen at strongswan.org
Sun Apr 17 13:56:01 CEST 2016


Hi Andreas,

starting with 5.4.0 strongSwan proposes a cipher suite with at least
128 bit security strength in the first place even though the weaker
algorithms are still proposed but with a lower priority. For esp the
default proposal is now

  esp=aes128-sha256,...

followed by some more algorithms including 3des. But we certainly don't
propose md5 any more. So as a workaround please insert an explicit
statement for the esp proposal.

Regards

Andreas

On 04/17/2016 12:49 PM, Andreas Tscharner wrote:
> Hello World,
> 
> After strongswan was updated to 5.4.0 on my Debian system my formerly
> working VPN connection does no longer work. I get the following message:
> 
> initiating Main Mode IKE_SA vpn-metromec[1] to xxx.xxx.xxx.xxx
> generating ID_PROT request 0 [ SA V V V V ]
> sending packet: from 192.168.0.12[500] to xxx.xxx.xxx.xxx[500] (212 bytes)
> received packet: from xxx.xxx.xxx.xxx[500] to 192.168.0.12[500] (248 bytes)
> parsed ID_PROT response 0 [ SA V V V V V V V V V ]
> received unknown vendor ID: f7:58:f2:26:68:75:0f:03:b0:8d:f6:eb:e1:d0:04:03
> received unknown vendor ID: af:ca:d7:13:68:a1:f1:c9:6b:86:96:fc:77:57
> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
> received NAT-T (RFC 3947) vendor ID
> received XAuth vendor ID
> received DPD vendor ID
> received unknown vendor ID: af:ca:d7:13:68:a1:f1:c9:6b:86:96:fc:77:57
> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
> sending packet: from 192.168.0.12[500] to xxx.xxx.xxx.xxx[500] (236 bytes)
> received packet: from xxx.xxx.xxx.xxx[500] to 192.168.0.12[500] (220 bytes)
> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
> local host is behind NAT, sending keep alives
> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
> sending packet: from 192.168.0.12[4500] to xxx.xxx.xxx.xxx[4500] (92 bytes)
> received packet: from xxx.xxx.xxx.xxx[500] to 192.168.0.12[500] (220 bytes)
> received retransmit of response with ID 0, but next request already sent
> received packet: from xxx.xxx.xxx.xxx[4500] to 192.168.0.12[4500] (60 bytes)
> parsed ID_PROT response 0 [ ID HASH ]
> IKE_SA vpn-metromec[1] established between
> 192.168.0.12[192.168.0.12]...xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]
> scheduling reauthentication in 27872s
> maximum IKE_SA lifetime 28412s
> generating QUICK_MODE request 221974855 [ HASH SA No ID ID NAT-OA NAT-OA ]
> sending packet: from 192.168.0.12[4500] to xxx.xxx.xxx.xxx[4500] (220 bytes)
> received packet: from xxx.xxx.xxx.xxx[4500] to 192.168.0.12[4500] (116 bytes)
> parsed INFORMATIONAL_V1 request 503827175 [ HASH N(NO_PROP) ]
> received NO_PROPOSAL_CHOSEN error notify
> establishing connection 'vpn-metromec' failed
> 
> My /etc/ipsec.conf:
> conn vpn-metromec
>      authby=secret
>      rekey=yes
>      keyingtries=3
>      dpdaction=restart
>      ikelifetime=8h
>      keylife=1h
>      keyexchange=ikev1
>      ike=3des-md5-modp1024
>      type=transport
>      left=192.168.0.12
>      leftsubnet=192.168.0.12[udp/1701]
>      right=xxx.xxx.xxx.xxx
>      rightsubnet=xxx.xxx.xxx.xxx[udp/1701]
>      auto=add
> 
> Any ideas? How do I have to update my configuration to make it work again?
> 
> TIA and best regards
> 	Andreas

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
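The Quick Mode failure in the quoted log (NO_PROPOSAL_CHOSEN right after the IKE_SA was established) comes down to proposal-list intersection: the new 5.4.0 ESP default no longer contains what the remote gateway accepts. The following is an added example, not strongSwan code; it models that matching in a simplified way. The exact tail of the 5.4.0 default list and the assumption that the gateway only accepts 3des-md5 for ESP are constructed for illustration, since the thread does not state either.

```python
# Added example, not strongSwan code: a simplified model of how an ESP/IKE
# proposal list is parsed and matched, to show why NO_PROPOSAL_CHOSEN appears
# when a peer only accepts algorithms the 5.4.0 default list no longer offers.
from typing import List, Optional, Tuple

Proposal = Tuple[str, ...]

# Keywords this checker reports as legacy (constructed list for the example).
LEGACY_ALGS = {"des", "3des", "md5", "sha1", "modp768", "modp1024"}

# The reply only states that the 5.4.0 ESP default starts with aes128-sha256
# and ends with weaker suites such as 3des; the exact tail here is an assumption.
DEFAULT_ESP_5_4 = "aes128-sha256,aes128-sha1,3des-sha1"

# What the remote gateway in the thread appears to require for ESP; the thread
# does not state it, so this is an assumption derived from ike=3des-md5-modp1024.
PEER_ESP = "3des-md5"


def parse_proposals(spec: str) -> List[Proposal]:
    """Parse 'aes128-sha256,3des-md5' into [('aes128','sha256'), ('3des','md5')],
    keeping the configured order, which is also the priority order."""
    proposals: List[Proposal] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        algs = tuple(a.strip().lower() for a in item.split("-") if a.strip())
        proposals.append(algs)
    return proposals


def select_proposal(local_spec: str, peer_spec: str) -> Optional[Proposal]:
    """Return the first local proposal the peer also accepts, or None.
    Simplified model: a proposal matches only if every algorithm agrees."""
    accepted = set(parse_proposals(peer_spec))
    for prop in parse_proposals(local_spec):
        if prop in accepted:
            return prop
    return None


def legacy_algorithms(prop: Proposal) -> List[str]:
    """Algorithms in a proposal that the checker considers legacy."""
    return [a for a in prop if a in LEGACY_ALGS]


def negotiate(local_spec: str, peer_spec: str) -> str:
    """One-line verdict in the spirit of the charon log messages."""
    chosen = select_proposal(local_spec, peer_spec)
    if chosen is None:
        return "NO_PROPOSAL_CHOSEN"
    verdict = "selected " + "-".join(chosen)
    weak = legacy_algorithms(chosen)
    if weak:
        verdict += " (legacy: " + ", ".join(weak) + ")"
    return verdict


if __name__ == "__main__":
    # Before: no explicit esp= line in the conn, so the 5.4.0 default applies.
    print("default esp            :", negotiate(DEFAULT_ESP_5_4, PEER_ESP))
    # After: an explicit esp= statement matching what the gateway accepts.
    print("esp=3des-md5           :", negotiate("3des-md5", PEER_ESP))
    # Preferred: keep the legacy suite last so a modern peer picks aes128-sha256.
    print("esp=aes128-sha256,3des-md5 vs modern peer:",
          negotiate("aes128-sha256,3des-md5", "aes128-sha256"))
```

Running the script shows the default list yielding NO_PROPOSAL_CHOSEN against the assumed gateway, an explicit `esp=` line restoring the tunnel, and the legacy flag on whatever 3des/md5 suite is finally selected, which is the trade-off the workaround in the reply implies: the tunnel comes back, but on algorithms the 5.4.0 defaults were deliberately reordered to de-prioritise.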
