[strongSwan] Problem: strongswan 5.4 with sha2
fatcharly at gmx.de
Thu Oct 13 17:40:54 CEST 2016
> Sent: Thursday, 13 October 2016 at 17:32
> From: "Noel Kuntze" <noel at familie-kuntze.de>
> To: fatcharly at gmx.de, "Users strongswan" <users at lists.strongswan.org>
> Subject: Re: [strongSwan] Problem: strongswan 5.4 with sha2
>
> On 13.10.2016 17:28, fatcharly at gmx.de wrote:
> > Hi,
> >
> > I'm using a strongswan-5.4.0-2.el7.x86_64 on a CentOS 7. I'm trying to build a VPN connection with the following proposals:
> > ike: RSA, DH20, AES256/SHA-2
> > esp: DH-14, AES256/SHA-2
> >
> > I've tried it with this:
> > ike=aes256-sha256-ecp384
> > esp=aes256-sha256-modp2048
> >
> > but it's not working. Which would be the right setting for this?
> >
>
> Please provide configs and logs. My crystal balls are getting repaired right now.
>

conn siteA
    left=my IP
    leftsubnet=my Subnet
    leftid=my IP
    right=site A IP
    rightsubnet=site A subnet
    rightid=site A ip
    authby=secret
    auto=start
    ikelifetime=28800s
    keylife=3600s
    keyexchange=ikev1
    ike=aes256-sha256-ecp384
    esp=aes256-sha256-modp2048

This is shown in the log when I try to start up the connection:
Oct 13 17:19:14 tia charon: 13[CFG] received stroke: initiate 'siteA'
Oct 13 17:19:14 tia charon: 14[IKE] queueing ISAKMP_VENDOR task
Oct 13 17:19:14 tia charon: 14[IKE] queueing ISAKMP_CERT_PRE task
Oct 13 17:19:14 tia charon: 14[IKE] queueing MAIN_MODE task
Oct 13 17:19:14 tia charon: 14[IKE] queueing ISAKMP_CERT_POST task
Oct 13 17:19:14 tia charon: 14[IKE] queueing ISAKMP_NATD task
Oct 13 17:19:14 tia charon: 14[IKE] queueing QUICK_MODE task
Oct 13 17:19:14 tia charon: 14[IKE] activating new tasks
Oct 13 17:19:14 tia charon: 14[IKE] activating ISAKMP_VENDOR task
Oct 13 17:19:14 tia charon: 14[IKE] activating ISAKMP_CERT_PRE task
Oct 13 17:19:14 tia charon: 14[IKE] activating MAIN_MODE task
Oct 13 17:19:14 tia charon: 14[IKE] activating ISAKMP_CERT_POST task
Oct 13 17:19:14 tia charon: 14[IKE] activating ISAKMP_NATD task
Oct 13 17:19:14 tia charon: 14[IKE] sending XAuth vendor ID
Oct 13 17:19:14 tia charon: 14[IKE] sending DPD vendor ID
Oct 13 17:19:14 tia charon: 14[IKE] sending NAT-T (RFC 3947) vendor ID
Oct 13 17:19:14 tia charon: 14[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 13 17:19:14 tia charon: 14[IKE] initiating Main Mode IKE_SA siteA [6] to IP siteA
Oct 13 17:19:14 tia charon: 14[IKE] IKE_SA siteA [6] state change: CREATED => CONNECTING
Oct 13 17:19:14 tia charon: 14[ENC] generating ID_PROT request 0 [ SA V V V V ]
Oct 13 17:19:14 tia charon: 14[NET] sending packet: from myIP[500] to siteAIP[500] (216 bytes)
Oct 13 17:19:14 tia charon: 16[NET] received packet: from siteAIP[500] to myIP[500] (64 bytes)
Oct 13 17:19:14 tia charon: 16[ENC] parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
Oct 13 17:19:14 tia charon: 16[IKE] received NO_PROPOSAL_CHOSEN error notify
Oct 13 17:19:14 tia charon: 16[IKE] IKE_SA siteA [6] state change: CONNECTING => DESTROYING
I can see that no proposal was chosen, so which part of the configuration do I have to change?
Kind regards
fatcharly
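
Added example, not part of the original post and not strongSwan code: a small Python triage of charon log lines like the ones above that reports which IKEv1 exchange carried the SA payload when NO_PROPOSAL_CHOSEN came back, and therefore which ipsec.conf keyword (ike= for phase 1, esp= for phase 2) holds the proposal the peer rejected. The function name and the four-line sample (a subset of the log in the post) are assumptions made for illustration.

```python
import re

# Constructed sample: four of the charon lines quoted in the post above.
SAMPLE_LOG = """\
Oct 13 17:19:14 tia charon: 14[IKE] initiating Main Mode IKE_SA siteA [6] to IP siteA
Oct 13 17:19:14 tia charon: 14[ENC] generating ID_PROT request 0 [ SA V V V V ]
Oct 13 17:19:14 tia charon: 16[ENC] parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
Oct 13 17:19:14 tia charon: 16[IKE] received NO_PROPOSAL_CHOSEN error notify
"""

# IKEv1 exchange that carried the SA payload -> (phase, ipsec.conf keyword).
EXCHANGE_TO_SETTING = {
    "ID_PROT": ("phase 1 (Main Mode)", "ike"),
    "AGGRESSIVE": ("phase 1 (Aggressive Mode)", "ike"),
    "QUICK_MODE": ("phase 2 (Quick Mode)", "esp"),
}

CHARON_RE = re.compile(r"charon: \d+\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
GENERATED_RE = re.compile(
    r"generating (?P<exchange>\w+) request \d+ \[(?P<payloads>[^\]]*)\]")


def triage_no_proposal(log_text):
    """Return one finding per NO_PROPOSAL_CHOSEN notify in a charon log."""
    findings = []
    pending = None  # last locally generated request that carried an SA payload
    for line in log_text.splitlines():
        entry = CHARON_RE.search(line)
        if not entry:
            continue  # not a charon line
        msg = entry.group("msg")
        generated = GENERATED_RE.match(msg)
        if generated and "SA" in generated.group("payloads").split():
            pending = generated.group("exchange")
        elif "received NO_PROPOSAL_CHOSEN" in msg:
            phase, keyword = EXCHANGE_TO_SETTING.get(pending, ("unknown", None))
            findings.append(
                {"exchange": pending, "phase": phase, "keyword": keyword})
            pending = None  # the rejected request is now accounted for
    return findings


if __name__ == "__main__":
    for f in triage_no_proposal(SAMPLE_LOG):
        print(f"peer rejected the proposal sent in {f['exchange']}: "
              f"{f['phase']}, configured by '{f['keyword']}='")
```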