[strongSwan] Tunnel established, but 'no acceptable ENCRYPTION_ALGORITHM found'

G. S. gawd0wns at yahoo.com
Sun Apr 29 22:40:43 CEST 2018


I have an ikev2 roadwarrior setup with public key authentication between my android phone with strongswan android client, and my home router(WAN IP: host.dyndns.org,  lan ip: 192.168.1.1) in gateway mode (running openwrt + strongSwan 5.6.2, Linux 4.14.34, armv7l). I can connect and transmit/receive data just fine between the roadwarrior - gateway - lan, and roadwarrior - gateway - internet.  I see an error in the strongswan logs and I'm not sure what is going on here, and what I should do to correct this:


Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG]   candidate "androidphone" with prio 15+3
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] found matching child config "androidphone" with prio 18
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] selecting proposal:
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG]   no acceptable ENCRYPTION_ALGORITHM found
...
...
...
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ




Here is how I generated and signed the keys, my config, and full system log:

ipsec pki --gen --outform pem > caKey.pem
ipsec pki --self --in caKey.pem --dn "C=CA, O=none, CN=My-CA-Auth" --san="My-CA-Auth" --ca --outform pem > caCert.pem
ipsec pki --gen --outform pem > userKey.pem
ipsec pki --pub --in userKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CA, O=none, CN=androidphone" --san "androidphone at host.dyndns.org"  --flag clientAuth --outform pem > userCert.pem
ipsec pki --gen --outform pem > serverKey.pem
ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CA, O=none, CN=host.dyndns.org" --san="host.dyndns.org" --flag serverAuth --outform pem > serverCert.pem



IPSEC.CONF

config setup
        charondebug="ike 2, knl 3, cfg 3"

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear

conn androidphone
        mobike=yes
        leftfirewall=yes
        left=host.dyndns.org
        leftid="C=CA, O=none, CN=host.dyndns.org"
        leftsubnet=0.0.0.0/0,::/0
        leftcert=serverCert.pem
        rightcert=userCert.pem
        right=%any
        rightsourceip=10.10.10.2,fec3::/120
        rightid="C=CA, O=none, CN=androidphone"
        rightauth=pubkey
        leftauth=pubkey
        auto=start
        rightdns=192.168.1.1




SYSTEM LOG:

Sun Apr 29 15:47:19 2018 daemon.info : 14[NET] received packet: from 25.142.133.53[24076] to 213.100.100.31[500] (704 bytes)
Sun Apr 29 15:47:19 2018 daemon.info : 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sun Apr 29 15:47:19 2018 daemon.info : 14[CFG] looking for an ike config for 213.100.100.31...25.142.133.53
Sun Apr 29 15:47:19 2018 daemon.info : 14[CFG] ike config match: 1052 (213.100.100.31 25.142.133.53 IKEv2)
Sun Apr 29 15:47:19 2018 daemon.info : 14[CFG]   candidate: host.dyndns.org...%any, prio 1052
Sun Apr 29 15:47:19 2018 daemon.info : 14[CFG] found matching ike config: host.dyndns.org...%any with prio 1052
Sun Apr 29 15:47:19 2018 daemon.info : 14[IKE] 25.142.133.53 is initiating an IKE_SA
Sun Apr 29 15:47:19 2018 authpriv.info : 14[IKE] 25.142.133.53 is initiating an IKE_SA
Sun Apr 29 15:47:19 2018 daemon.info : 14[IKE] IKE_SA (unnamed)[5] state change: CREATED => CONNECTING
Sun Apr 29 15:47:19 2018 daemon.info : 14[CFG] selecting proposal:
Sun Apr 29 15:47:19 2018 daemon.info : 14[CFG]   proposal matches
Sun Apr 29 15:47:19 2018 daemon.info : 14[CFG] received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048
Sun Apr 29 15:47:19 2018 daemon.info : 14[CFG] configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Sun Apr 29 15:47:19 2018 daemon.info : 14[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Sun Apr 29 15:47:19 2018 daemon.info : 14[CFG] received supported signature hash algorithms: sha256 sha384 sha512 identity

Sun Apr 29 15:47:19 2018 daemon.info : 14[IKE] remote host is behind NAT
Sun Apr 29 15:47:19 2018 daemon.info : 14[IKE] shared Diffie Hellman secret => 32 bytes @ 0x01ed31d0
Sun Apr 29 15:47:19 2018 daemon.info : 14[CFG] sending supported signature hash algorithms: sha256 sha384 sha512 identity
Sun Apr 29 15:47:19 2018 daemon.info : 14[IKE] sending cert request for "C=CA, O=none, CN=My-CA-Auth"
Sun Apr 29 15:47:19 2018 daemon.info : 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Sun Apr 29 15:47:19 2018 daemon.info : 14[NET] sending packet: from 213.100.100.31[500] to 25.142.133.53[24076] (297 bytes)
Sun Apr 29 15:47:19 2018 daemon.info : 04[NET] received packet: from 25.142.133.53[24077] to 213.100.100.31[4500] (1364 bytes)
Sun Apr 29 15:47:19 2018 daemon.info : 04[ENC] parsed IKE_AUTH request 1 [ EF(1/2) ]
Sun Apr 29 15:47:19 2018 daemon.info : 04[ENC] received fragment #1 of 2, waiting for complete IKE message
Sun Apr 29 15:47:19 2018 daemon.info : 06[NET] received packet: from 25.142.133.53[24077] to 213.100.100.31[4500] (404 bytes)
Sun Apr 29 15:47:19 2018 daemon.info : 06[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]
Sun Apr 29 15:47:19 2018 daemon.info : 06[ENC] received fragment #2 of 2, reassembling fragmented IKE message
Sun Apr 29 15:47:19 2018 daemon.info : 06[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] received cert request for "C=CA, O=none, CN=My-CA-Auth"
Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] received end entity cert "C=CA, O=none, CN=androidphone"
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] looking for peer configs matching 213.100.100.31[%any]...25.142.133.53[C=CA, O=none, CN=androidphone]
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] peer config match local: 1 (ID_ANY -> )
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] peer config match remote: 20 (ID_DER_ASN1_DN -> 30:2a:31:0b:30:09:06:03:55:04:06:13:02:43:41:31:0d:30:0b:06:03:55:04:0a:13:04:6e:6f:6e:65:31:0c:30:0a:06:03:55:04:03:13:03:64:36:30)
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] ike config match: 1052 (213.100.100.31 25.142.133.53 IKEv2)
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG]   candidate "androidphone", match: 1/20/1052 (me/other/ike)
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] selected peer config 'androidphone'
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG]   certificate "C=CA, O=none, CN=androidphone" key: 2048 bit RSA
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG]   using trusted ca certificate "C=CA, O=none, CN=My-CA-Auth"
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] checking certificate status of "C=CA, O=none, CN=androidphone"
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] ocsp check skipped, no ocsp found
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] certificate status is not available
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG]   certificate "C=CA, O=none, CN=My-CA-Auth" key: 2048 bit RSA
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG]   reached self-signed root ca with a path length of 0
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG]   using trusted certificate "C=CA, O=none, CN=androidphone"
Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] authentication of 'C=CA, O=none, CN=androidphone' with RSA_EMSA_PKCS1_SHA2_256 successful
Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] processing INTERNAL_IP4_ADDRESS attribute
Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] processing INTERNAL_IP6_ADDRESS attribute
Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] processing INTERNAL_IP4_DNS attribute
Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] processing INTERNAL_IP6_DNS attribute
Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] peer supports MOBIKE
Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] authentication of 'C=CA, O=none, CN=host.dyndns.org' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] IKE_SA androidphone[5] established between 213.100.100.31[C=CA, O=none, CN=host.dyndns.org]...25.142.133.53[C=CA, O=none, CN=androidphone]
Sun Apr 29 15:47:19 2018 authpriv.info : 06[IKE] IKE_SA androidphone[5] established between 213.100.100.31[C=CA, O=none, CN=host.dyndns.org]...25.142.133.53[C=CA, O=none, CN=androidphone]
Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] IKE_SA androidphone[5] state change: CONNECTING => ESTABLISHED
Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] scheduling reauthentication in 3286s
Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] maximum IKE_SA lifetime 3466s
Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] sending end entity cert "C=CA, O=none, CN=host.dyndns.org"
Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] peer requested virtual IP %any
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] reassigning offline lease to 'C=CA, O=none, CN=androidphone'
Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] assigning virtual IP 10.10.10.2 to peer 'C=CA, O=none, CN=androidphone'
Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] peer requested virtual IP %any6
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] reassigning offline lease to 'C=CA, O=none, CN=androidphone'
Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] assigning virtual IP fec3::1 to peer 'C=CA, O=none, CN=androidphone'
Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] building INTERNAL_IP4_DNS attribute
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] proposing traffic selectors for us:
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG]  0.0.0.0/0
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG]  ::/0
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] proposing traffic selectors for other:
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG]  10.10.10.2/32
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG]  fec3::1/128
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG]   candidate "androidphone" with prio 15+3
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] found matching child config "androidphone" with prio 18
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] selecting proposal:
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] selecting proposal:
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG]   proposal matches
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] received proposals: ESP:AES_GCM_16_128/AES_GCM_16_256/CHACHA20_POLY1305_256/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/NO_EXT_SEQ
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] configured proposals: ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] selecting traffic selectors for us:
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG]  config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG]  config: 0.0.0.0/0, received: ::/0 => no match
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG]  config: ::/0, received: 0.0.0.0/0 => no match
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG]  config: ::/0, received: ::/0 => match: ::/0
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] selecting traffic selectors for other:
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG]  config: 10.10.10.2/32, received: 0.0.0.0/0 => match: 10.10.10.2/32
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG]  config: 10.10.10.2/32, received: ::/0 => no match
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG]  config: fec3::1/128, received: 0.0.0.0/0 => no match
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG]  config: fec3::1/128, received: ::/0 => match: fec3::1/128
Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] CHILD_SA androidphone{4} established with SPIs c1c5413e_i efe45f14_o and TS 0.0.0.0/0 ::/0 === 10.10.10.2/32 fec3::1/128
Sun Apr 29 15:47:19 2018 authpriv.info : 06[IKE] CHILD_SA androidphone{4} established with SPIs c1c5413e_i efe45f14_o and TS 0.0.0.0/0 ::/0 === 10.10.10.2/32 fec3::1/128
Sun Apr 29 15:47:19 2018 local0.notice vpn: + C=CA, O=none, CN=androidphone 10.10.10.2/32 == 25.142.133.53 -- 213.100.100.31 == 0.0.0.0/0
Sun Apr 29 15:47:19 2018 local0.notice vpn: + C=CA, O=none, CN=androidphone fec3::1/128 == 25.142.133.53 -- 213.100.100.31 == ::/0
Sun Apr 29 15:47:19 2018 daemon.info : 06[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR ADDR6 DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
Sun Apr 29 15:47:19 2018 daemon.info : 06[ENC] splitting IKE message with length of 1568 bytes into 2 fragments
Sun Apr 29 15:47:19 2018 daemon.info : 06[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Sun Apr 29 15:47:19 2018 daemon.info : 06[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Sun Apr 29 15:47:19 2018 daemon.info : 06[NET] sending packet: from 213.100.100.31[4500] to 25.142.133.53[24077] (1236 bytes)
Sun Apr 29 15:47:19 2018 daemon.info : 06[NET] sending packet: from 213.100.100.31[4500] to 25.142.133.53[24077] (420 bytes)
Sun Apr 29 15:47:19 2018 daemon.info : 05[NET] received packet: from 25.142.133.53[24077] to 213.100.100.31[4500] (80 bytes)
Sun Apr 29 15:47:19 2018 daemon.info : 05[ENC] parsed INFORMATIONAL request 2 [ N(NO_ADD_ADDR) ]
Sun Apr 29 15:47:19 2018 daemon.info : 05[ENC] generating INFORMATIONAL response 2 [ ]
Sun Apr 29 15:47:19 2018 daemon.info : 05[NET] sending packet: from 213.100.100.31[4500] to 25.142.133.53[24077] (80 bytes)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180429/95cf238f/attachment-0001.html>


More information about the Users mailing list