[strongSwan] Tunnel established, but 'no acceptable ENCRYPTION_ALGORITHM found'
Jafar Al-Gharaibeh
jafar at atcorp.com
Mon Apr 30 16:22:05 CEST 2018
It is weird! As you pointed out, right after the ''no acceptable... "
line, you have "proposal matches", and obviously that works. What is
your config config on the phone?
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] selecting proposal:
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] selecting proposal:
Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] proposal matches:
...
--Jafar
On 4/29/2018 3:40 PM, G. S. wrote:
> I have an ikev2 roadwarrior setup with public key authentication
> between my android phone with strongswan android client, and my home
> router(WAN IP: host.dyndns.org, lan ip: 192.168.1.1) in gateway mode
> (running openwrt + strongSwan 5.6.2, Linux 4.14.34, armv7l). I can
> connect and transmit/receive data just fine between the roadwarrior -
> gateway - lan, and roadwarrior - gateway - internet. I see an error
> in the strongswan logs and I'm not sure what is going on here, and
> what I should do to correct this:
>
>
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] candidate
> "androidphone" with prio 15+3
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] found matching child
> config "androidphone" with prio 18
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] selecting proposal:
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> ...
> ...
> ...
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] selected proposal:
> ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
>
>
>
>
> Here is how I generated and signed the keys, my config, and full
> system log:
>
> ipsec pki --gen --outform pem > caKey.pem
> ipsec pki --self --in caKey.pem --dn "C=CA, O=none, CN=My-CA-Auth"
> --san="My-CA-Auth" --ca --outform pem > caCert.pem
> ipsec pki --gen --outform pem > userKey.pem
> ipsec pki --pub --in userKey.pem | ipsec pki --issue --cacert
> caCert.pem --cakey caKey.pem --dn "C=CA, O=none, CN=androidphone"
> --san "androidphone at host.dyndns.org" --flag clientAuth --outform pem
> > userCert.pem
> ipsec pki --gen --outform pem > serverKey.pem
> ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert
> caCert.pem --cakey caKey.pem --dn "C=CA, O=none, CN=host.dyndns.org"
> --san="host.dyndns.org" --flag serverAuth --outform pem > serverCert.pem
>
>
>
>
> IPSEC.CONF
>
> config setup
> charondebug="ike 2, knl 3, cfg 3"
>
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=1
> keyexchange=ikev2
> dpddelay=30
> dpdtimeout=120
> dpdaction=clear
>
> conn androidphone
> mobike=yes
> leftfirewall=yes
> left=host.dyndns.org
> leftid="C=CA, O=none, CN=host.dyndns.org"
> leftsubnet=0.0.0.0/0,::/0
> leftcert=serverCert.pem
> rightcert=userCert.pem
> right=%any
> rightsourceip=10.10.10.2,fec3::/120
> rightid="C=CA, O=none, CN=androidphone"
> rightauth=pubkey
> leftauth=pubkey
> auto=start
> rightdns=192.168.1.1
>
>
>
>
> SYSTEM LOG:
>
> Sun Apr 29 15:47:19 2018 daemon.info : 14[NET] received packet: from
> 25.142.133.53[24076] to 213.100.100.31[500] (704 bytes)
> Sun Apr 29 15:47:19 2018 daemon.info : 14[ENC] parsed IKE_SA_INIT
> request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG)
> N(REDIR_SUP) ]
> Sun Apr 29 15:47:19 2018 daemon.info : 14[CFG] looking for an ike
> config for 213.100.100.31...25.142.133.53
> Sun Apr 29 15:47:19 2018 daemon.info : 14[CFG] ike config match: 1052
> (213.100.100.31 25.142.133.53 IKEv2)
> Sun Apr 29 15:47:19 2018 daemon.info : 14[CFG] candidate:
> host.dyndns.org...%any, prio 1052
> Sun Apr 29 15:47:19 2018 daemon.info : 14[CFG] found matching ike
> config: host.dyndns.org...%any with prio 1052
> Sun Apr 29 15:47:19 2018 daemon.info : 14[IKE] 25.142.133.53 is
> initiating an IKE_SA
> Sun Apr 29 15:47:19 2018 authpriv.info : 14[IKE] 25.142.133.53 is
> initiating an IKE_SA
> Sun Apr 29 15:47:19 2018 daemon.info : 14[IKE] IKE_SA (unnamed)[5]
> state change: CREATED => CONNECTING
> Sun Apr 29 15:47:19 2018 daemon.info : 14[CFG] selecting proposal:
> Sun Apr 29 15:47:19 2018 daemon.info : 14[CFG] proposal matches
> Sun Apr 29 15:47:19 2018 daemon.info : 14[CFG] received proposals:
> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048,
> IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048
> Sun Apr 29 15:47:19 2018 daemon.info : 14[CFG] configured proposals:
> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048,
> IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
> Sun Apr 29 15:47:19 2018 daemon.info : 14[CFG] selected proposal:
> IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
> Sun Apr 29 15:47:19 2018 daemon.info : 14[CFG] received supported
> signature hash algorithms: sha256 sha384 sha512 identity
>
> Sun Apr 29 15:47:19 2018 daemon.info : 14[IKE] remote host is behind NAT
> Sun Apr 29 15:47:19 2018 daemon.info : 14[IKE] shared Diffie Hellman
> secret => 32 bytes @ 0x01ed31d0
> Sun Apr 29 15:47:19 2018 daemon.info : 14[CFG] sending supported
> signature hash algorithms: sha256 sha384 sha512 identity
> Sun Apr 29 15:47:19 2018 daemon.info : 14[IKE] sending cert request
> for "C=CA, O=none, CN=My-CA-Auth"
> Sun Apr 29 15:47:19 2018 daemon.info : 14[ENC] generating IKE_SA_INIT
> response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP)
> N(HASH_ALG) N(MULT_AUTH) ]
> Sun Apr 29 15:47:19 2018 daemon.info : 14[NET] sending packet: from
> 213.100.100.31[500] to 25.142.133.53[24076] (297 bytes)
> Sun Apr 29 15:47:19 2018 daemon.info : 04[NET] received packet: from
> 25.142.133.53[24077] to 213.100.100.31[4500] (1364 bytes)
> Sun Apr 29 15:47:19 2018 daemon.info : 04[ENC] parsed IKE_AUTH request
> 1 [ EF(1/2) ]
> Sun Apr 29 15:47:19 2018 daemon.info : 04[ENC] received fragment #1 of
> 2, waiting for complete IKE message
> Sun Apr 29 15:47:19 2018 daemon.info : 06[NET] received packet: from
> 25.142.133.53[24077] to 213.100.100.31[4500] (404 bytes)
> Sun Apr 29 15:47:19 2018 daemon.info : 06[ENC] parsed IKE_AUTH request
> 1 [ EF(2/2) ]
> Sun Apr 29 15:47:19 2018 daemon.info : 06[ENC] received fragment #2 of
> 2, reassembling fragmented IKE message
> Sun Apr 29 15:47:19 2018 daemon.info : 06[ENC] parsed IKE_AUTH request
> 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6)
> N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH)
> N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] received cert request
> for "C=CA, O=none, CN=My-CA-Auth"
> Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] received end entity
> cert "C=CA, O=none, CN=androidphone"
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] looking for peer
> configs matching 213.100.100.31[%any]...25.142.133.53[C=CA, O=none,
> CN=androidphone]
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] peer config match
> local: 1 (ID_ANY -> )
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] peer config match
> remote: 20 (ID_DER_ASN1_DN ->
> 30:2a:31:0b:30:09:06:03:55:04:06:13:02:43:41:31:0d:30:0b:06:03:55:04:0a:13:04:6e:6f:6e:65:31:0c:30:0a:06:03:55:04:03:13:03:64:36:30)
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] ike config match: 1052
> (213.100.100.31 25.142.133.53 IKEv2)
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] candidate
> "androidphone", match: 1/20/1052 (me/other/ike)
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] selected peer config
> 'androidphone'
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] certificate "C=CA,
> O=none, CN=androidphone" key: 2048 bit RSA
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] using trusted ca
> certificate "C=CA, O=none, CN=My-CA-Auth"
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] checking certificate
> status of "C=CA, O=none, CN=androidphone"
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] ocsp check skipped, no
> ocsp found
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] certificate status is
> not available
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] certificate "C=CA,
> O=none, CN=My-CA-Auth" key: 2048 bit RSA
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] reached self-signed
> root ca with a path length of 0
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] using trusted
> certificate "C=CA, O=none, CN=androidphone"
> Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] authentication of
> 'C=CA, O=none, CN=androidphone' with RSA_EMSA_PKCS1_SHA2_256 successful
> Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] processing
> INTERNAL_IP4_ADDRESS attribute
> Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] processing
> INTERNAL_IP6_ADDRESS attribute
> Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] processing
> INTERNAL_IP4_DNS attribute
> Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] processing
> INTERNAL_IP6_DNS attribute
> Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] received
> ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] peer supports MOBIKE
> Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] authentication of
> 'C=CA, O=none, CN=host.dyndns.org' (myself) with
> RSA_EMSA_PKCS1_SHA2_256 successful
> Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] IKE_SA androidphone[5]
> established between 213.100.100.31[C=CA, O=none,
> CN=host.dyndns.org]...25.142.133.53[C=CA, O=none, CN=androidphone]
> Sun Apr 29 15:47:19 2018 authpriv.info : 06[IKE] IKE_SA
> androidphone[5] established between 213.100.100.31[C=CA, O=none,
> CN=host.dyndns.org]...25.142.133.53[C=CA, O=none, CN=androidphone]
> Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] IKE_SA androidphone[5]
> state change: CONNECTING => ESTABLISHED
> Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] scheduling
> reauthentication in 3286s
> Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] maximum IKE_SA lifetime
> 3466s
> Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] sending end entity cert
> "C=CA, O=none, CN=host.dyndns.org"
> Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] peer requested virtual
> IP %any
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] reassigning offline
> lease to 'C=CA, O=none, CN=androidphone'
> Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] assigning virtual IP
> 10.10.10.2 to peer 'C=CA, O=none, CN=androidphone'
> Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] peer requested virtual
> IP %any6
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] reassigning offline
> lease to 'C=CA, O=none, CN=androidphone'
> Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] assigning virtual IP
> fec3::1 to peer 'C=CA, O=none, CN=androidphone'
> Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] building
> INTERNAL_IP4_DNS attribute
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] looking for a child
> config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] proposing traffic
> selectors for us:
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] 0.0.0.0/0
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] ::/0
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] proposing traffic
> selectors for other:
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] 10.10.10.2/32
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] fec3::1/128
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] candidate
> "androidphone" with prio 15+3
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] found matching child
> config "androidphone" with prio 18
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] selecting proposal:
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] selecting proposal:
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] proposal matches
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] received proposals:
> ESP:AES_GCM_16_128/AES_GCM_16_256/CHACHA20_POLY1305_256/NO_EXT_SEQ,
> ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ,
> ESP:AES_CBC_256/HMAC_SHA2_384_192/NO_EXT_SEQ,
> ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/NO_EXT_SEQ
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] configured proposals:
> ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] selected proposal:
> ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] selecting traffic
> selectors for us:
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] config: 0.0.0.0/0,
> received: 0.0.0.0/0 => match: 0.0.0.0/0
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] config: 0.0.0.0/0,
> received: ::/0 => no match
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] config: ::/0,
> received: 0.0.0.0/0 => no match
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] config: ::/0,
> received: ::/0 => match: ::/0
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] selecting traffic
> selectors for other:
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] config: 10.10.10.2/32,
> received: 0.0.0.0/0 => match: 10.10.10.2/32
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] config: 10.10.10.2/32,
> received: ::/0 => no match
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] config: fec3::1/128,
> received: 0.0.0.0/0 => no match
> Sun Apr 29 15:47:19 2018 daemon.info : 06[CFG] config: fec3::1/128,
> received: ::/0 => match: fec3::1/128
> Sun Apr 29 15:47:19 2018 daemon.info : 06[IKE] CHILD_SA
> androidphone{4} established with SPIs c1c5413e_i efe45f14_o and TS
> 0.0.0.0/0 ::/0 === 10.10.10.2/32 fec3::1/128
> Sun Apr 29 15:47:19 2018 authpriv.info : 06[IKE] CHILD_SA
> androidphone{4} established with SPIs c1c5413e_i efe45f14_o and TS
> 0.0.0.0/0 ::/0 === 10.10.10.2/32 fec3::1/128
> Sun Apr 29 15:47:19 2018 local0.notice vpn: + C=CA, O=none,
> CN=androidphone 10.10.10.2/32 == 25.142.133.53 -- 213.100.100.31 ==
> 0.0.0.0/0
> Sun Apr 29 15:47:19 2018 local0.notice vpn: + C=CA, O=none,
> CN=androidphone fec3::1/128 == 25.142.133.53 -- 213.100.100.31 == ::/0
> Sun Apr 29 15:47:19 2018 daemon.info : 06[ENC] generating IKE_AUTH
> response 1 [ IDr CERT AUTH CPRP(ADDR ADDR6 DNS) SA TSi TSr N(AUTH_LFT)
> N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
> Sun Apr 29 15:47:19 2018 daemon.info : 06[ENC] splitting IKE message
> with length of 1568 bytes into 2 fragments
> Sun Apr 29 15:47:19 2018 daemon.info : 06[ENC] generating IKE_AUTH
> response 1 [ EF(1/2) ]
> Sun Apr 29 15:47:19 2018 daemon.info : 06[ENC] generating IKE_AUTH
> response 1 [ EF(2/2) ]
> Sun Apr 29 15:47:19 2018 daemon.info : 06[NET] sending packet: from
> 213.100.100.31[4500] to 25.142.133.53[24077] (1236 bytes)
> Sun Apr 29 15:47:19 2018 daemon.info : 06[NET] sending packet: from
> 213.100.100.31[4500] to 25.142.133.53[24077] (420 bytes)
> Sun Apr 29 15:47:19 2018 daemon.info : 05[NET] received packet: from
> 25.142.133.53[24077] to 213.100.100.31[4500] (80 bytes)
> Sun Apr 29 15:47:19 2018 daemon.info : 05[ENC] parsed INFORMATIONAL
> request 2 [ N(NO_ADD_ADDR) ]
> Sun Apr 29 15:47:19 2018 daemon.info : 05[ENC] generating
> INFORMATIONAL response 2 [ ]
> Sun Apr 29 15:47:19 2018 daemon.info : 05[NET] sending packet: from
> 213.100.100.31[4500] to 25.142.133.53[24077] (80 bytes)
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180430/87e51444/attachment-0001.html>
More information about the Users
mailing list