[strongSwan] Fwd: Re: FritzBox to Strongswan
post at daniel-pomrehn.de
Fri Nov 25 14:55:17 CET 2016
On 2016-11-25 14:09, Mirko Parthey wrote:
> On Fri, Nov 25, 2016 at 10:34:20AM +0100, post at daniel-pomrehn.de wrote:
>> I did some further Google research and changed some settings. Now I
>> get another error:
>> sending packet: from 127.0.1.1 to 126.96.36.199 (1188 bytes)
>> sending packet: from 127.0.1.1 to 188.8.131.52
>> error writing to socket: Invalid argument
> I cannot answer this, maybe someone else can help.
Using your advice for the configuration, I am back at my first error:
Nov 25 14:53:25 srv charon: 03[NET] received packet: from
184.108.40.206 to 220.127.116.11
Nov 25 14:53:25 srv charon: 03[NET] waiting for data on sockets
Nov 25 14:53:25 srv charon: 08[NET] received packet: from
18.104.22.168 to 22.214.171.124 (264 bytes)
Nov 25 14:53:25 srv charon: 08[ENC] parsed ID_PROT request 0 [ SA V V V
V V V ]
Nov 25 14:53:25 srv charon: 08[CFG] looking for an ike config for
Nov 25 14:53:25 srv charon: 08[CFG] ike config match: 0 (126.96.36.199
Nov 25 14:53:25 srv charon: 08[IKE] no IKE config found for
188.8.131.52...184.108.40.206, sending NO_PROPOSAL_CHOSEN
Nov 25 14:53:25 srv charon: 08[ENC] generating INFORMATIONAL_V1 request
2285023278 [ N(NO_PROP) ]
Nov 25 14:53:25 srv charon: 08[NET] sending packet: from
220.127.116.11 to 18.104.22.168 (40 bytes)
Nov 25 14:53:25 srv charon: 08[IKE] IKE_SA (unnamed) state change:
CREATED => DESTROYING
Nov 25 14:53:25 srv charon: 04[NET] sending packet: from
22.214.171.124 to 126.96.36.199
I tried to use keyexchange=ike, keyexchange=ikev1, keyexchange=ikev2 in
But the message still appears.
>> Nov 25 10:30:59 srv charon: 09[IKE] initiating IKE_SA fritz2swan to
> strongSwan is the initiator here, and your config is set to Main Mode
> (the default).
> With strongSwan as the initiator and FritzBox as the responder, only
> aggressive mode will work reliably. This mode is insecure because it
> exposes the PSK to dictionary attacks. Maybe you could make strongSwan
> the responder and stay with main mode? Remove right=dyn.fritzbox to go
> this route.
> Otherwise, if you want to use aggressive mode despite the risks, at
> least use a long and randomly generated PSK.
I removed the right=dyn.fritzbox.
Now the FritzBox is the initiator.
Thank you very much for your security advice!
>> conn fritz2swan
>> It is a FritzBox 7490 with the latest firmware 6.60.
> modp1024 does not provide enough security, modp2048 or more would be
> The FritzBox 7490 can be configured for modp2048 as follows:
> phase1ss = "dh14/aes/sha";
> The FritzBox uses a lifetime of 1h for IKE and IPsec SAs.
> IKEv1 does not negotiate SA lifetimes, so I would recommend to
> set both to 1h in strongSwan too.
I changed modp1024 to modp2048 and phase1ss, too.
The lifetime is now 1h for both.
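Putting the thread's recommendations together (strongSwan as responder in main mode, modp2048, 1h lifetimes, long random PSK), here is an added illustration of what the strongSwan side can look like next to the weak variant the thread started from. This is example configuration written for this page, not the poster's actual files; the connection name is taken from the thread, while the identities, subnets and the ESP proposal are assumptions that have to be matched against the real FritzBox settings.

```conf
# /etc/ipsec.conf (added example, not the poster's configuration)

# Weak variant, as the thread describes the original setup: strongSwan dials
# the FritzBox (right=dyn.fritzbox), which only works reliably in aggressive
# mode. In aggressive mode the responder hash travels in the clear, so a
# captured exchange lets an attacker test PSK guesses offline. Kept here
# commented out, for contrast only.
#
# conn fritz2swan
#     keyexchange=ikev1
#     aggressive=yes
#     ike=aes256-sha1-modp1024!
#     right=dyn.fritzbox
#     auto=start

# Corrected variant: the FritzBox initiates, strongSwan answers in main mode.
conn fritz2swan
    keyexchange=ikev1
    # main mode; works because the FritzBox is the initiator
    aggressive=no
    # matches phase1ss = "dh14/aes/sha" on the FritzBox
    # (dh14 = modp2048, sha = SHA-1)
    ike=aes256-sha1-modp2048!
    # assumption: adjust to the phase2ss entry of the FritzBox config
    esp=aes256-sha1!
    # the FritzBox uses 1h and IKEv1 does not negotiate lifetimes,
    # so use the same value on both sides
    ikelifetime=1h
    lifetime=1h
    authby=psk
    left=%defaultroute
    # assumed FQDN of the strongSwan host
    leftid=@srv.example.net
    # assumed LAN behind strongSwan
    leftsubnet=10.0.1.0/24
    # no right=dyn.fritzbox: strongSwan does not initiate
    right=%any
    # assumed identity (localid) configured on the FritzBox
    rightid=@fritzbox.example.net
    # assumed FritzBox LAN
    rightsubnet=192.168.178.0/24
    # wait for the FritzBox to initiate instead of auto=start
    auto=add

# /etc/ipsec.secrets (added example): in main mode the peer's ID is only
# received after the PSK is already needed, so with a peer on a dynamic
# address the secret has to be keyed with %any rather than with its ID.
# Use a long, randomly generated secret, e.g. base64 of 32 bytes from
# /dev/urandom.
#
# %any : PSK "replace-with-a-long-random-secret"
```

Two things worth checking after such a change: `ipsec statusall` should show the connection waiting (no IKE_SA until the FritzBox dials in), and the charon log for the incoming ID_PROT request should report a matching ike config instead of the `no IKE config found ... sending NO_PROPOSAL_CHOSEN` line from the thread; if it still appears, the proposal strings are the first thing to compare against the FritzBox's phase1ss/phase2ss values.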