[strongSwan] Planning an upgrade of strongswan from 4.4.1 to 5.2.1

Rayson Zhu vfreex at gmail.com
Sat Jan 9 07:15:51 CET 2016


Hi, try specifying IKE & ESP cipher suites explicitly for all peers. For
example:
ike = aes128-sha256-modp2048!
esp = aes128-sha256-modp2048!

On Sat, Jan 9, 2016 at 2:04 PM, CJ Fearnley <cjf at linuxforce.net> wrote:

> Well, my upgrade from strongswan 4.4.1-5.7 to 5.2.1-6+deb8u1 (Debian
> Squeeze to Jessie on new hardware) is not going well. No connections
> have re-established.
>
> I'm using the same ipsec.conf that worked on 4.4.1-5.7. See the referenced
> e-mail from Dec 9th when I asked about the upgrade process.
>
> Each client is generating this pattern in the logs over and over:
>
> Jan  9 01:01:07 cw1 charon: 06[IKE] 67.151.55.146 is initiating a Main Mode IKE_SA
> Jan  9 01:01:07 cw1 charon: 06[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> Jan  9 01:01:07 cw1 charon: 06[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
> Jan  9 01:01:07 cw1 charon: 06[IKE] no proposal found
> Jan  9 01:01:07 cw1 charon: 06[ENC] generating INFORMATIONAL_V1 request 3117715548 [ N(NO_PROP) ]
>
> I have double checked that I copied from backups the contents of
> /etc/ipsec.d/cacerts
> /etc/ipsec.d/certs
> /etc/ipsec.d/private
>
> Do I need to add some encryption plugins? Or can I simply specify using
> the ike= configuration option for the actual algorithm used by the
> Netgears FVG318?
>
> I tried adding the sha1 hmac xcbc and x509 modules to the load = line
> in /etc/strongswan.d/charon.conf. No go.
>
> The output of
> $ sudo ipsec version
> Linux strongSwan U5.2.1/K3.16.0-4-amd64
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil, Switzerland
> See 'ipsec --copyright' for copyright information.
>
> On Wed, Dec 09, 2015 at 08:12:42PM -0500, CJ Fearnley wrote:
> > I have a working strongswan system running the Debian package at version
> > 4.4.1-5.7 (Squeeze oldoldstable). In a week or so, I'll be replacing
> > the box with a fresh install of Debian running 5.2.1-6+deb8u1 (Jessie).
> >
> > I have two questions:
> >
> > 1. Have any config options changed in strongswan that I need to study?
> >
> > 2. Are there any issues with strongswan in connecting with a Netgear
> >    FVG318 of various vintages? All of our clients connect with this
> >    model of Netgear which is the only thing we've been able to get
> >    working with certificates.
> >
> > Here is a cleaned up version of /etc/ipsec.conf:
> >
> > config setup
> >     charonstart=yes
> >     plutostart=yes
> >     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.101.0/24
> >     uniqueids=no
> >
> > conn %default
> >     mobike=no
> >     keyexchange=ikev1
> >     left=xxx.xxx.xxx.xx
> >     leftsubnet=192.168.xxx.0/24
> >     auto=add
> >
> > conn someplace
> >     rightsubnet=192.168.yyy.0/24
> >     right=%any
> >     leftid="C=US, ST=ST, L=Some City, O=Some Company, CN=something.example.com, E=some at example.com"
> >     leftcert=something.crt
> >     leftsendcert=always
> >
> > plus a half-dozen others of similar nature.
> >
> > All of the systems that connect to this are various vintages of the
> > Netgear FVG318.
> >
> > Are there any known compatibility issues with strongswan 5.2.1 and the
> > Netgear FVG318?
> >
> > Have there been any relevant changes to the syntax of ipsec.conf since
> > 4.4.1 and 5.2.1-6+deb8u1?
> >
> > Any general strongswan relevant advice for planning such an upgrade?
>
> --
> CJ Fearnley                 |   LinuxForce Inc.
> cjf at LinuxForce.net          |   IT Projects & Systems Maintenance
> http://www.LinuxForce.net   |   http://blog.remoteresponder.net
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>
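The log excerpt above already contains everything needed to see why charon answers NO_PROP: the Netgear offers exactly one transform per type (3DES_CBC, HMAC_SHA1_96, PRF_HMAC_SHA1, MODP_1024) and none of the three configured proposals covers all four. The script below is an added example, not strongSwan code or anything from the posters; it parses the "received proposals" / "configured proposals" lines as quoted in the mail (copied here as constructed input), reports which transform type breaks each candidate, and also checks an ipsec.conf `ike=` keyword string the same way. The keyword-to-transform table is a hand-written subset that covers only the keywords used on this page (an assumption, not strongSwan's full keyword list).

```python
"""Explain a charon 'no proposal found' from its own CFG log lines.

Added example (not strongSwan code). Log lines are copied from the mail above.
"""
import re

# Constructed input: the two CFG lines from the quoted log, syslog prefix kept.
LOG = """\
Jan  9 01:01:07 cw1 charon: 06[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jan  9 01:01:07 cw1 charon: 06[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
"""

# Assumption: ipsec.conf keyword -> transform names as charon prints them.
# Only the keywords that appear on this page are covered.
KEYWORDS = {
    "3des": ["3DES_CBC"],
    "aes128": ["AES_CBC_128"],
    "aes256": ["AES_CBC_256"],
    "sha1": ["HMAC_SHA1_96", "PRF_HMAC_SHA1"],          # integrity + PRF
    "sha256": ["HMAC_SHA2_256_128", "PRF_HMAC_SHA2_256"],
    "modp1024": ["MODP_1024"],
    "modp1536": ["MODP_1536"],
    "modp2048": ["MODP_2048"],
}


def transform_type(name):
    """Classify a transform name by the prefix/suffix charon uses."""
    if name.startswith("PRF_"):
        return "prf"
    if name.startswith(("MODP_", "ECP_")):
        return "dh"
    if name.startswith("HMAC_") or name.endswith("_XCBC_96"):
        return "integ"
    return "enc"


def parse_proposal(text):
    """'IKE:A/B/C' -> (protocol, {type: set(names)}, raw text).

    Several names of one type inside a single proposal are alternatives.
    """
    proto, _, algs = text.strip().partition(":")
    by_type = {}
    for alg in algs.split("/"):
        by_type.setdefault(transform_type(alg), set()).add(alg)
    return proto, by_type, text.strip()


def parse_log(log):
    """Return (received, configured) proposal lists from CFG log lines."""
    received, configured = [], []
    for line in log.splitlines():
        m = re.search(r"(received|configured) proposals: (.*)$", line)
        if not m:
            continue
        target = received if m.group(1) == "received" else configured
        target.extend(parse_proposal(p) for p in m.group(2).split(", "))
    return received, configured


def mismatch(recv, conf):
    """Transform types the peer offered that the configured proposal lacks."""
    rproto, ralgs, _ = recv
    cproto, calgs, _ = conf
    if rproto != cproto:
        return ["protocol"]
    return [t for t in ralgs if not (ralgs[t] & calgs.get(t, set()))]


def find_match(received, configured):
    """First (received, configured) pair with no mismatch, else None."""
    for r in received:
        for c in configured:
            if not mismatch(r, c):
                return r[2], c[2]
    return None


def keyword_to_proposal(keyword):
    """Expand an ipsec.conf ike= string such as 'aes128-sha256-modp2048!'."""
    names = []
    for kw in keyword.rstrip("!").split("-"):
        names.extend(KEYWORDS[kw])
    return parse_proposal("IKE:" + "/".join(names))


if __name__ == "__main__":
    received, configured = parse_log(LOG)
    for r in received:
        for c in configured:
            print(f"{c[2][:60]:<62} missing: {mismatch(r, c) or 'none'}")
    print("match in log config:", find_match(received, configured))
    for ike in ("aes128-sha256-modp2048!", "3des-sha1-modp1024"):
        print(f"ike={ike:<26}", find_match(received, [keyword_to_proposal(ike)]))
```

Running it shows the second configured proposal fails on the DH group alone (the peer insists on MODP_1024), the other two fail on encryption, and an `ike=` line that does not list 3des with modp1024 cannot match this particular Netgear proposal at all; the MODP_1024 and 3DES values are the peer's choice, so whether to accept them is a risk decision for the responder, and the `!` strict flag only narrows what the responder accepts.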