[strongSwan] Problem: strongswan 5.4 with sha2

Noel Kuntze noel at familie-kuntze.de
Thu Oct 13 17:55:43 CEST 2016


On 13.10.2016 17:40, fatcharly at gmx.de wrote:
> conn siteA
>         left=my IP
>         leftsubnet=my Subnet
>         leftid=my IP
>         right=site A IP
>         rightsubnet=site A subnet
>         rightid=site A ip
>         authby=secret
>         auto=start
>         ikelifetime=28800s
>         keylife=3600s
>         keyexchange=ikev1
>         ike=aes256-sha256-ecp384
>         esp=aes256-sha256-modp2048
> 

> Oct 13 17:19:14 tia charon: 16[NET] received packet: from siteAIP[500] to myIP[500] (64 bytes)
> Oct 13 17:19:14 tia charon: 16[ENC] parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
> Oct 13 17:19:14 tia charon: 16[IKE] received NO_PROPOSAL_CHOSEN error notify
> Oct 13 17:19:14 tia charon: 16[IKE] IKE_SA siteA [6] state change: CONNECTING => DESTROYING
> 
> I can see that no proposal was chosen, so which part of the configuration do I have to change?

The remote peer sends that. Pay attention to the exact order of events and what they say.
Try limiting the sent set to only the configured proposal by appending an exclamation mark
at the end of the cipher list. Maybe the software of the remote peer is broken in some way
in the cipher selection.

A remote peer can also send that message when it can't find a matching configuration,
besides the cipher suites.

-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
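
The reply above says to read the order of log events to see which side rejected the proposal. The following is an added example, not part of the original message or of strongSwan: a small triage script that reports whether a NO_PROPOSAL_CHOSEN notify was received from the peer or generated locally. The function name and the second set of log lines are constructed for illustration.

```python
import re

# Syslog form on this page: "<date> <host> charon: <thread>[<SUBSYS>] <message>"
LINE = re.compile(r"charon: (\d+)\[([A-Z]+)\] (.*)$")
# ENC lines record messages charon parsed (inbound) or generated (outbound).
ENC = re.compile(r"(parsed|generating) (\S+) (?:request|response) \d+ \[ (.*) \]")
STATE = re.compile(r"IKE_SA (\S+?) ?\[\d+\] state change: \S+ => DESTROYING")

# The four log lines quoted in the message above.
PAGE_LOG = [
    "Oct 13 17:19:14 tia charon: 16[NET] received packet: from siteAIP[500] to myIP[500] (64 bytes)",
    "Oct 13 17:19:14 tia charon: 16[ENC] parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]",
    "Oct 13 17:19:14 tia charon: 16[IKE] received NO_PROPOSAL_CHOSEN error notify",
    "Oct 13 17:19:14 tia charon: 16[IKE] IKE_SA siteA [6] state change: CONNECTING => DESTROYING",
]
# Constructed lines (assumption): the reverse case, where the local daemon
# rejects the peer's proposal and sends the notify itself.
CONSTRUCTED_LOG = [
    "Oct 13 17:20:01 tia charon: 09[NET] received packet: from siteAIP[500] to myIP[500] (180 bytes)",
    "Oct 13 17:20:01 tia charon: 09[ENC] generating INFORMATIONAL_V1 request 1234567 [ N(NO_PROP) ]",
    "Oct 13 17:20:01 tia charon: 09[IKE] IKE_SA (unnamed)[7] state change: CREATED => DESTROYING",
]

def find_rejections(log_lines):
    """Return one finding per NO_PROP notify: who rejected, and which IKE_SA died."""
    findings, pending = [], {}
    for raw in log_lines:
        m = LINE.search(raw)
        if not m:
            continue
        thread, subsystem, msg = m.groups()
        if subsystem == "ENC":
            e = ENC.match(msg)
            if e and "N(NO_PROP)" in e.group(3).split():
                # "parsed" means the notify arrived from the peer.
                who = "remote" if e.group(1) == "parsed" else "local"
                pending[thread] = {"rejected_by": who, "exchange": e.group(2), "conn": None}
                findings.append(pending[thread])
        elif subsystem == "IKE" and thread in pending:
            s = STATE.match(msg)
            if s:  # same worker thread tears down the SA right after the notify
                pending.pop(thread)["conn"] = s.group(1)
    return findings

if __name__ == "__main__":
    for finding in find_rejections(PAGE_LOG + CONSTRUCTED_LOG):
        print(finding)
```

A "remote" result means the proposal or connection match has to be checked on the peer, as the reply states; a "local" result points at the local ike=/esp= lines instead.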

