[strongSwan] Strange error

Christian Salway christian.salway at naimuri.com
Sun Aug 12 06:23:40 CEST 2018 

That wasn't the problem. still getting DH group ECP_256 inacceptable, requesting ECP_384


Aug 12 04:22:10 06[CFG] looking for an ike config for 10.0.1.216...86.2.58.36
Aug 12 04:22:10 06[CFG]   candidate: %any...%any, prio 28
Aug 12 04:22:10 06[CFG]   candidate: %any...%any, prio 28
Aug 12 04:22:10 06[CFG] found matching ike config: %any...%any with prio 28
Aug 12 04:22:10 06[IKE] 86.2.58.36 is initiating an IKE_SA
Aug 12 04:22:10 06[IKE] IKE_SA (unnamed)[7] state change: CREATED => CONNECTING
Aug 12 04:22:10 06[CFG] selecting proposal:
Aug 12 04:22:10 06[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug 12 04:22:10 06[CFG] selecting proposal:
Aug 12 04:22:10 06[CFG]   proposal matches
Aug 12 04:22:10 06[CFG] received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Aug 12 04:22:10 06[CFG] configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 12 04:22:10 06[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
Aug 12 04:22:10 06[CFG] received supported signature hash algorithms: sha256 sha384 sha512
Aug 12 04:22:10 06[IKE] local host is behind NAT, sending keep alives
Aug 12 04:22:10 06[IKE] remote host is behind NAT
Aug 12 04:22:10 06[IKE] DH group ECP_256 inacceptable, requesting ECP_384



> On 11 Aug 2018, at 22:52, Christian Salway <christian.salway at naimuri.com> wrote:
> 
> forgot to add the --enable-openssl to the ./configure
> 
> 
>> On 11 Aug 2018, at 22:31, Christian Salway <christian.salway at naimuri.com <mailto:christian.salway at naimuri.com>> wrote:
>> 
>> I am unable to connect from StrongSwan client with an error that doesnt make sense:
>> 
>> 
>> Aug 11 21:26:17 15[CFG] looking for an ike config for 10.0.1.216...x.x.x.x
>> Aug 11 21:26:17 15[CFG]   candidate: %any...%any, prio 28
>> Aug 11 21:26:17 15[CFG] found matching ike config: %any...%any with prio 28
>> Aug 11 21:26:17 15[IKE] x.x.x.x is initiating an IKE_SA
>> Aug 11 21:26:17 15[IKE] IKE_SA (unnamed)[21] state change: CREATED => CONNECTING
>> Aug 11 21:26:17 15[CFG] selecting proposal:
>> Aug 11 21:26:17 15[CFG]   proposal matches
>> Aug 11 21:26:17 15[CFG] received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
>> Aug 11 21:26:17 15[CFG] configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
>> Aug 11 21:26:17 15[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
>> Aug 11 21:26:17 15[CFG] received supported signature hash algorithms: sha256 sha384 sha512 identity
>> Aug 11 21:26:17 15[IKE] local host is behind NAT, sending keep alives
>> Aug 11 21:26:17 15[IKE] remote host is behind NAT
>> Aug 11 21:26:17 15[IKE] DH group ECP_384 inacceptable, requesting ECP_384
>> 
>> CLIENT
>> conn %default
>>         ike=aes256gcm16-prfsha384-ecp384!
>>         esp=aes256gcm16-ecp384!
>>         ikelifetime=60m
>>         keylife=20m
>>         rekeymargin=3m
>>         keyingtries=1
>>         keyexchange=ikev2
>> 
>> conn test
>>         leftsourceip=%config4
>>         leftauth=eap
>>         eap_identity=christian.salway
>>         rightid=vpnserver
>>         right=x.x.x.x
>>         rightauth=pubkey
>>         rightsubnet=0.0.0.0/0
>>         auto=start
>> 
>> 
>> SERVER
>> config setup
>>     uniqueids = replace
>> 
>> conn %default
>>     ike=aes256gcm16-prfsha384-ecp384,aes128gcm16-prfsha256-ecp256,aes256-sha384-ecp384,aes128-sha256-ecp256,aes256-sha256-modp2048!
>>     esp=aes256gcm16-ecp384,aes128gcm16-ecp256,aes256gmac-ecp384,aes128gmac-ecp256,aes256-sha256,aes256-sha1!
>>     ikelifetime=60m
>>     keylife=20m
>>     rekeymargin=3m
>>     keyingtries=1
>>     keyexchange=ikev2
>> 
>> conn pod
>>     leftid=vpnserver
>>     leftauth=pubkey
>>     leftcert=vpnserver.crt
>>     leftsendcert=always
>>     leftsubnet=10.0.0.0/8
>>     rightid=%any
>>     rightsourceip=10.0.76.0/22
>>     rightauth=eap-radius
>>     eap_identity=%identity
>>     auto=start
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180812/1fc5501c/attachment-0001.html>

More information about the Users mailing list