[strongSwan] Strange error

Christian Salway christian.salway at naimuri.com
Sat Aug 11 23:52:51 CEST 2018


forgot to add the --enable-openssl to the ./configure


> On 11 Aug 2018, at 22:31, Christian Salway <christian.salway at naimuri.com> wrote:
> 
> I am unable to connect from StrongSwan client with an error that doesnt make sense:
> 
> 
> Aug 11 21:26:17 15[CFG] looking for an ike config for 10.0.1.216...x.x.x.x
> Aug 11 21:26:17 15[CFG]   candidate: %any...%any, prio 28
> Aug 11 21:26:17 15[CFG] found matching ike config: %any...%any with prio 28
> Aug 11 21:26:17 15[IKE] x.x.x.x is initiating an IKE_SA
> Aug 11 21:26:17 15[IKE] IKE_SA (unnamed)[21] state change: CREATED => CONNECTING
> Aug 11 21:26:17 15[CFG] selecting proposal:
> Aug 11 21:26:17 15[CFG]   proposal matches
> Aug 11 21:26:17 15[CFG] received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
> Aug 11 21:26:17 15[CFG] configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
> Aug 11 21:26:17 15[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
> Aug 11 21:26:17 15[CFG] received supported signature hash algorithms: sha256 sha384 sha512 identity
> Aug 11 21:26:17 15[IKE] local host is behind NAT, sending keep alives
> Aug 11 21:26:17 15[IKE] remote host is behind NAT
> Aug 11 21:26:17 15[IKE] DH group ECP_384 inacceptable, requesting ECP_384
> 
> CLIENT
> conn %default
>         ike=aes256gcm16-prfsha384-ecp384!
>         esp=aes256gcm16-ecp384!
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
> 
> conn test
>         leftsourceip=%config4
>         leftauth=eap
>         eap_identity=christian.salway
>         rightid=vpnserver
>         right=x.x.x.x
>         rightauth=pubkey
>         rightsubnet=0.0.0.0/0
>         auto=start
> 
> 
> SERVER
> config setup
>     uniqueids = replace
> 
> conn %default
>     ike=aes256gcm16-prfsha384-ecp384,aes128gcm16-prfsha256-ecp256,aes256-sha384-ecp384,aes128-sha256-ecp256,aes256-sha256-modp2048!
>     esp=aes256gcm16-ecp384,aes128gcm16-ecp256,aes256gmac-ecp384,aes128gmac-ecp256,aes256-sha256,aes256-sha1!
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev2
> 
> conn pod
>     leftid=vpnserver
>     leftauth=pubkey
>     leftcert=vpnserver.crt
>     leftsendcert=always
>     leftsubnet=10.0.0.0/8
>     rightid=%any
>     rightsourceip=10.0.76.0/22
>     rightauth=eap-radius
>     eap_identity=%identity
>     auto=start

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180811/172db83c/attachment-0001.html>


More information about the Users mailing list