[strongSwan] Problem: strongswan 5.4 with sha2

fatcharly at gmx.de fatcharly at gmx.de
Thu Oct 13 17:40:54 CEST 2016



> Sent: Thursday, 13 October 2016 at 17:32
> From: "Noel Kuntze" <noel at familie-kuntze.de>
> To: fatcharly at gmx.de, "Users strongswan" <users at lists.strongswan.org>
> Subject: Re: [strongSwan] Problem: strongswan 5.4 with sha2
>
> On 13.10.2016 17:28, fatcharly at gmx.de wrote:
> > Hi,
> > 
> > I'm using strongswan-5.4.0-2.el7.x86_64 on CentOS 7. I'm trying to build a VPN connection with the following proposals:
> > ike: RSA, DH20, AES256/SHA-2
> > esp: DH-14, AES256/SHA-2
> > 
> > I've tried it with this:
> > ike=aes256-sha256-ecp384
> > esp=aes256-sha256-modp2048
> > 
> > but it's not working. Which would be the right setting for this?
> > 
> 
> Please provide configs and logs. My crystal balls are getting repaired right now.
> 
conn siteA
        # IKEv1 Main Mode, authenticated with a pre-shared key
        left=my IP
        leftsubnet=my Subnet
        leftid=my IP
        right=site A IP
        rightsubnet=site A subnet
        rightid=site A ip
        authby=secret
        auto=start
        ikelifetime=28800s
        keylife=3600s
        keyexchange=ikev1
        # Phase 1 (ISAKMP SA): AES-256, SHA-256, DH group 20 (ecp384)
        ike=aes256-sha256-ecp384
        # Phase 2 (IPsec SA): AES-256, SHA-256, PFS with DH group 14 (modp2048)
        esp=aes256-sha256-modp2048
This is shown in the log when I try to start up the connection:
Oct 13 17:19:14 tia charon: 13[CFG] received stroke: initiate 'siteA'
Oct 13 17:19:14 tia charon: 14[IKE] queueing ISAKMP_VENDOR task
Oct 13 17:19:14 tia charon: 14[IKE] queueing ISAKMP_CERT_PRE task
Oct 13 17:19:14 tia charon: 14[IKE] queueing MAIN_MODE task
Oct 13 17:19:14 tia charon: 14[IKE] queueing ISAKMP_CERT_POST task
Oct 13 17:19:14 tia charon: 14[IKE] queueing ISAKMP_NATD task
Oct 13 17:19:14 tia charon: 14[IKE] queueing QUICK_MODE task
Oct 13 17:19:14 tia charon: 14[IKE] activating new tasks
Oct 13 17:19:14 tia charon: 14[IKE]   activating ISAKMP_VENDOR task
Oct 13 17:19:14 tia charon: 14[IKE]   activating ISAKMP_CERT_PRE task
Oct 13 17:19:14 tia charon: 14[IKE]   activating MAIN_MODE task
Oct 13 17:19:14 tia charon: 14[IKE]   activating ISAKMP_CERT_POST task
Oct 13 17:19:14 tia charon: 14[IKE]   activating ISAKMP_NATD task
Oct 13 17:19:14 tia charon: 14[IKE] sending XAuth vendor ID
Oct 13 17:19:14 tia charon: 14[IKE] sending DPD vendor ID
Oct 13 17:19:14 tia charon: 14[IKE] sending NAT-T (RFC 3947) vendor ID
Oct 13 17:19:14 tia charon: 14[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 13 17:19:14 tia charon: 14[IKE] initiating Main Mode IKE_SA siteA [6] to IP siteA
Oct 13 17:19:14 tia charon: 14[IKE] IKE_SA siteA [6] state change: CREATED => CONNECTING
Oct 13 17:19:14 tia charon: 14[ENC] generating ID_PROT request 0 [ SA V V V V ]
Oct 13 17:19:14 tia charon: 14[NET] sending packet: from myIP[500] to siteAIP[500] (216 bytes)
Oct 13 17:19:14 tia charon: 16[NET] received packet: from siteAIP[500] to myIP[500] (64 bytes)
Oct 13 17:19:14 tia charon: 16[ENC] parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
Oct 13 17:19:14 tia charon: 16[IKE] received NO_PROPOSAL_CHOSEN error notify
Oct 13 17:19:14 tia charon: 16[IKE] IKE_SA siteA [6] state change: CONNECTING => DESTROYING

I can see that no proposal was chosen, so which part of the configuration do I have to change?

Kind regards

fatcharly
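The log above pins down where the negotiation fails: the peer answers the very first Main Mode message (ID_PROT request 0 [ SA V V V V ]) with NO_PROPOSAL_CHOSEN, before any Quick Mode exchange. The esp= line has not been sent at that point, so only the ISAKMP SA attributes carried in that first SA payload (encryption algorithm and key length, hash algorithm, DH group, authentication method, lifetime) can be what the peer rejects. The script below is an added example, not code from strongSwan or from the post: it expands an ike= string together with authby= into those IKEv1 attribute values and checks each alternative against a peer requirement table. The table PEER_SITE_A is constructed from the post's one-line description "RSA, DH20, AES256/SHA-2" (with "SHA-2" taken as any of SHA-256/384/512); the real peer configuration is not on the page, and lifetimes are not modelled. Under that constructed table the only attribute flagged for the posted config is the authentication method, since authby=secret offers a pre-shared key while "RSA" in IKEv1 terms is RSA signatures; whether that is the actual peer's reason cannot be confirmed from the page.

```python
"""Expand strongSwan ike= proposal strings into the IKEv1 Phase 1 (ISAKMP SA)
attributes sent in the first Main Mode message, and compare them with what a
peer says it accepts.

Added example; not code from strongSwan or from the mailing-list post.
PEER_SITE_A is constructed from the post's prose ("RSA, DH20, AES256/SHA-2");
the real peer config is not on the page.
"""

# strongSwan keyword -> (IKEv1 Encryption Algorithm id, key length in bits)
ENC = {"3des": (5, 192), "aes128": (7, 128), "aes192": (7, 192), "aes256": (7, 256)}
# strongSwan keyword -> IKEv1 Hash Algorithm id (RFC 2409 / IANA registry)
HASH = {"md5": 1, "sha1": 2, "sha256": 4, "sha2_256": 4,
        "sha384": 5, "sha2_384": 5, "sha512": 6, "sha2_512": 6}
# strongSwan keyword -> IKE Group Description number
DH = {"modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14, "modp3072": 15,
      "modp4096": 16, "ecp256": 19, "ecp384": 20, "ecp521": 21}
# ipsec.conf authby= -> IKEv1 Authentication Method id
AUTH = {"secret": 1, "psk": 1, "rsasig": 3, "pubkey": 3}

# Constructed for this example from the post's description; not the peer's real config.
PEER_SITE_A = {
    "enc": {7},          # AES-CBC
    "keylen": {256},
    "hash": {4, 5, 6},   # "SHA-2": SHA-256, SHA-384 or SHA-512
    "group": {20},       # DH20 = ecp384
    "auth": {3},         # "RSA" = RSA signatures
}


def parse_ike(proposal, authby):
    """Return one attribute dict per comma-separated alternative of an ike= value.

    A trailing '!' (strict mode) only forbids fallback proposals, so it is
    stripped. Unknown keywords raise instead of being silently ignored.
    """
    alts = []
    for alt in proposal.rstrip("!").split(","):
        attrs = {"enc": None, "keylen": None, "hash": None, "group": None,
                 "auth": AUTH[authby]}
        for kw in alt.split("-"):
            if kw in ENC:
                attrs["enc"], attrs["keylen"] = ENC[kw]
            elif kw in HASH:
                attrs["hash"] = HASH[kw]
            elif kw in DH:
                attrs["group"] = DH[kw]
            else:
                raise ValueError(f"unsupported proposal keyword: {kw!r}")
        alts.append(attrs)
    return alts


def phase1_mismatches(alts, peer):
    """List, per alternative, the Phase 1 attributes the peer would not accept.

    A peer that finds no acceptable alternative answers the first Main Mode
    message with NO_PROPOSAL_CHOSEN, which is the exchange seen in the log.
    """
    return [[k for k, ok in peer.items() if a[k] not in ok] for a in alts]


if __name__ == "__main__":
    # The posted config (authby=secret) beside the same proposal with RSA signatures.
    for ike, authby in [("aes256-sha256-ecp384", "secret"),
                        ("aes256-sha256-ecp384", "rsasig")]:
        for bad in phase1_mismatches(parse_ike(ike, authby), PEER_SITE_A):
            verdict = "accepted" if not bad else "rejected on " + ", ".join(bad)
            print(f"ike={ike} authby={authby}: {verdict}")
```

Run it as a script to see one line per alternative; the real check is to replace PEER_SITE_A with the attribute values the peer administrator actually configured, since the table here only encodes the post's wording.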