[strongSwan] parsed ID_PROT response 0 [ KE No ]

Andreas Steffen andreas.steffen at strongswan.org
Tue Aug 2 11:56:42 CEST 2016


Hi Lakshmi,

there must be a more detailed log somewhere. Just try

  grep charon /var/log/*

and see if you get any hits in a log file (usually either
daemon.log, syslog or messages).

Alternatively just start the daemon in the foreground so that
you get the complete log in the console window:

  ipsec start --nofork

I suspect that the problem is not with the DH group but
with the selection of the PSK which is needed for Main Mode 3.

Regards

Andreas

On 02.08.2016 11:45, Lakshmi Prasanna wrote:
> bash-4.2# ipsec up 9.11.53.11-9.11.120.120-0-1812
> 
> initiating Main Mode IKE_SA 9.11.53.11-9.11.120.120-0-1812[1] to
> 9.11.120.120
> 
> generating ID_PROT request 0 [ SA V V V V ]
> 
> sending packet: from 9.11.53.11[500] to 9.11.120.120[500] (156 bytes)
> 
> received packet: from 9.11.120.120[500] to 9.11.53.11[500] (136 bytes)
> 
> parsed ID_PROT response 0 [ SA V V V ]
> 
> received strongSwan vendor ID
> 
> received XAuth vendor ID
> 
> received DPD vendor ID
> 
> generating ID_PROT request 0 [ KE No ]
> 
> sending packet: from 9.11.53.11[500] to 9.11.120.120[500] (132 bytes)
> 
> received packet: from 9.11.120.120[500] to 9.11.53.11[500] (116 bytes)
> 
> parsed ID_PROT response 0 [ KE No ]
> 
> There are no more logs beyond this and my wireshark capture stops at MM2.
> 
> - Lakshmi
> 
> 
> On Tue, Aug 2, 2016 at 3:12 PM, Andreas Steffen
> <andreas.steffen at strongswan.org> wrote:
> 
>     Well then without a log to diagnose I cannot help you further.
> 
>     Andreas
> 
>     On 02.08.2016 11:38, Lakshmi Prasanna wrote:
>     > Hi Andreas,
>     >
>     > Thanks for the quick reply. I do see that the openssl plugin is loaded.
>     >
>     > *  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509
>     > revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey
>     > pem _openssl_ fips-prf xcbc cmac hmac attr kernel-netlink resolve
>     > socket-default stroke updown xauth-generic*
>     >
>     > Do you think there is something else that I might need to check?
>     >
>     > Thanks,
>     >
>     > Lakshmi
>     >
>     >
>     > On Tue, Aug 2, 2016 at 2:56 PM, Andreas Steffen
>     > <andreas.steffen at strongswan.org> wrote:
>     >
>     >     Hi Lakshmi,
>     >
>     >     ECP256 requires the openssl plugin which is not compiled by
>     >     default. Make sure that the openssl plugin is present and has
>     >     been loaded by the charon daemon. The ipsec statusall command
>     >     returns a list of all loaded plugins.
>     >
>     >     BTW - the pfs parameter has been deprecated. Please use the esp
>     >           parameter as you have correctly done.
>     >
>     >     Regards
>     >
>     >     Andreas
>     >
>     >     On 02.08.2016 08:48, Lakshmi Prasanna wrote:
>     >     > Hello,
>     >     >
>     >     > While trying to test strongswan with IKE DH group-19, the
>     >     > negotiation somehow doesn't go past main mode 2. There is
>     >     > however no log to describe the error that prevents the
>     >     > negotiation.
>     >     >
>     >     > Could someone post some insight? My configs look like this:
>     >     >
>     >     > keyexchange=ikev1
>     >     >
>     >     >         type=transport
>     >     >
>     >     >         ikelifetime=480m
>     >     >
>     >     > ike=aes256-sha256-ecp256!
>     >     >
>     >     > esp=aes256-sha256!
>     >     >
>     >     > left=9.11.120.120
>     >     >
>     >     >         leftprotoport=17/1812
>     >     >
>     >     >         right=9.11.53.11
>     >     >
>     >     >         rightprotoport=17/0-1812
>     >     >
>     >     >         pfs=no
>     >     >
>     >     >         authby=psk
>     >     >
>     >     >         auto=add
>     >     >
>     >     >
>     >     > Thanks,
>     >     >
>     >     > Lakshmi
>     >     >
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
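
An added example, not part of the original thread and not strongSwan code: a small parser that reads initiator-side charon lines like those quoted above and reports which IKEv1 Main Mode exchange was the last one generated and answered. The `[ ID HASH ]` payload form for the third exchange and the hint texts are assumptions; the sample lines are copied from the quoted `ipsec up` output.

```python
import re

# Initiator-side charon lines; the bracketed list names the payloads of each
# IKEv1 Main Mode (ID_PROT) message.
LINE = re.compile(
    r"(generating ID_PROT request|parsed ID_PROT response) \d+ \[ ([^\]]*)\]")

# Payloads identifying the three Main Mode exchanges (RFC 2409). The
# "ID HASH" form for exchange 3 is an assumption; the post never shows it.
EXCHANGES = [{"SA"}, {"KE", "No"}, {"ID", "HASH"}]

# Log lines copied from the quoted "ipsec up" output in the post.
POST_LOG = """\
> generating ID_PROT request 0 [ SA V V V V ]
> parsed ID_PROT response 0 [ SA V V V ]
> generating ID_PROT request 0 [ KE No ]
> parsed ID_PROT response 0 [ KE No ]
"""

def progress(log_text):
    """Return (sent, received): index of the last exchange for which a request
    was generated and a response parsed; -1 means none."""
    sent = recv = -1
    for kind, payloads in LINE.findall(log_text):
        names = set(payloads.split())
        stage = next((i for i, need in enumerate(EXCHANGES) if need <= names), None)
        if stage is None:
            continue
        if kind.startswith("generating"):
            sent = max(sent, stage)
        else:
            recv = max(recv, stage)
    return sent, recv

def hint(sent, recv):
    """Map the stall point to a candidate check (the DH and PSK hints follow
    the replies in the thread; the others are assumptions)."""
    if sent < 0:
        return "no Main Mode request generated"
    if recv < sent:
        return f"exchange {sent + 1} unanswered: look at the peer's log"
    if sent == 0:
        return "exchange 2 not generated: check DH group support (loaded plugins)"
    if sent == 1:
        return "exchange 3 not generated: check PSK lookup for this peer"
    return "Main Mode completed"

if __name__ == "__main__":
    print(progress(POST_LOG), hint(*progress(POST_LOG)))
```
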
