[strongSwan] Strong swan IKE issue.
aplsms at gmail.com
Mon Mar 19 23:22:36 CET 2018
I’ve tried ike-scan and what I see:
~/ike-scan$ sudo ike-scan --verbose --trans=7/256,2,1,5 xx.xx.xx.xx
sudo: unable to resolve host stratus01
DEBUG: pkt len=88 bytes, bandwidth=56000 bps, int=16571 us
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
xx.xx.xx.xx Main Mode Handshake returned HDR=(CKY-R=8d51ab78888680ad) SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=5:modp1536 Auth=PSK LifeType=Seconds LifeDuration=28800)
> On Mar 19, 2018, at 11:01, Andrii Petrenko <aplsms at gmail.com> wrote:
> Tobias, thank you for reply.
> Remote side is not supporting pfs.
> IKE Phase One Parameters:
> Encryption Algorithm: AES 256
> Hash Algorithm: SHA
> Authentication Method: Pre-shared key
> Key Exchange: Diffie Hellman Group 5
> IKE SA Lifetime: 86400 (Cisco default)
> IKE Phase Two Parameters (IPSEC):
> Authentication: ESP with SHA-HMAC
> Encryption Algorithm: ESP-AES 256
> SA Establishment: ipsec-isakmp (IKE negotiated)
> IPSEC Mode Tunnel (Cisco default)
> IPSEC SA Lifetime (time) 3600 seconds
> IPSEC SA Lifetime (volume) 4608000 kilobytes
> PFS (Perfect Forward Secrecy) No
> Optional encryption if requirements differ from above:
> esp-3des esp-md5-hmac
> esp-aes 256 esp-sha-hmac
> esp-aes 128 esp-sha-hmac
> This information I have from remote side.
> Is it possible to se what offer remote side?
> Thank you,
>> On Mar 19, 2018, at 10:52, Tobias Brunner <tobias at strongswan.org <mailto:tobias at strongswan.org>> wrote:
>> Hi Andrii,
>>> I see the problem on IKE side, but don’t know how to debug and fix it.
>> The log tells you _exactly_ what the problem is:
>>> 12[ENC] parsed INFORMATIONAL_V1 request 2090615229 [ HASH N(NO_PROP) ]
>>> 12[IKE] received NO_PROPOSAL_CHOSEN error notify
>> The peer doesn't like the crypto proposal sent by the client. So fix
>> the `esp` setting in the config (maybe you have to enabled PFS by adding
>> a DH group, ask the other server admin for the correct algorithms).
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Users