[strongSwan] Strong swan IKE issue.

Andrii Petrenko aplsms at gmail.com
Mon Mar 19 23:22:36 CET 2018


Tobias,

I’ve tried ike-scan and this is what I see:

~/ike-scan$ sudo ike-scan --verbose  --trans=7/256,2,1,5  xx.xx.xx.xx
sudo: unable to resolve host stratus01
DEBUG: pkt len=88 bytes, bandwidth=56000 bps, int=16571 us
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
xx.xx.xx.xx     Main Mode Handshake returned HDR=(CKY-R=8d51ab78888680ad) SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=5:modp1536 Auth=PSK LifeType=Seconds LifeDuration=28800)

> On Mar 19, 2018, at 11:01, Andrii Petrenko <aplsms at gmail.com> wrote:
> 
> Tobias, thank you for reply.
> 
> Remote side is not supporting pfs.
> 
> IKE Phase One Parameters:
>   Encryption Algorithm:        AES 256
>   Hash Algorithm:              SHA
>   Authentication Method:       Pre-shared key
>   Key Exchange:                Diffie Hellman Group 5
>   IKE SA Lifetime:             86400 (Cisco default)
> 
> IKE Phase Two Parameters (IPSEC):
>   Authentication:              ESP with SHA-HMAC
>   Encryption Algorithm:        ESP-AES 256
>   SA Establishment:            ipsec-isakmp (IKE negotiated)
>   IPSEC Mode:                  Tunnel (Cisco default)
>   IPSEC SA Lifetime (time):    3600 seconds
>   IPSEC SA Lifetime (volume):  4608000 kilobytes
>   PFS (Perfect Forward Secrecy): No
> 
> Optional encryption if requirements differ from above:
>   esp-3des esp-md5-hmac
>   esp-aes 256 esp-sha-hmac
>   esp-aes 128 esp-sha-hmac
> 
> This information I have from remote side. 
> 
> Is it possible to see what the remote side offers?
> 
> Thank you,
> AP
> 
> 
>> On Mar 19, 2018, at 10:52, Tobias Brunner <tobias at strongswan.org> wrote:
>> 
>> Hi Andrii,
>> 
>>> I see the problem on IKE side, but don’t know how to debug and fix it.
>> 
>> The log tells you _exactly_ what the problem is:
>> 
>>> 12[ENC] parsed INFORMATIONAL_V1 request 2090615229 [ HASH N(NO_PROP) ]
>>> 12[IKE] received NO_PROPOSAL_CHOSEN error notify
>> 
>> The peer doesn't like the crypto proposal sent by the client. So fix
>> the `esp` setting in the config (maybe you have to enable PFS by adding
>> a DH group, ask the other server admin for the correct algorithms).
>> 
>> Regards,
>> Tobias
> 
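
An ipsec.conf connection that maps the peer's parameter table and the ike-scan reply onto strongSwan's `ike` and `esp` keywords, added here as an example rather than taken from the thread or from the strongSwan project; the subnets and the `lifebytes` conversion (1 kilobyte = 1024 bytes) are assumptions.

```ini
# Added example (not from the original thread): an ipsec.conf conn that
# mirrors the peer's parameter table. Placeholder addresses and subnets.
conn cisco-peer
    keyexchange=ikev1
    authby=secret
    left=%defaultroute
    leftsubnet=10.0.1.0/24          # placeholder local network (assumption)
    right=xx.xx.xx.xx               # peer address as masked in the thread
    rightsubnet=10.0.2.0/24         # placeholder remote network (assumption)
    # Phase 1: AES-256, SHA-1, DH group 5 (modp1536), PSK, exactly what
    # ike-scan saw the peer accept. The trailing "!" makes the proposal
    # strict, so nothing else is offered.
    ike=aes256-sha1-modp1536!
    # Phase 2: ESP AES-256 with HMAC-SHA1. No DH group is listed here
    # because the peer reports PFS=No; a PFS proposal it cannot match is
    # one way to end up with NO_PROPOSAL_CHOSEN.
    esp=aes256-sha1!
    # Lifetimes from the table: IKE SA 86400 s, IPsec SA 3600 s. Note the
    # ike-scan reply showed LifeDuration=28800 for the IKE SA, so the peer
    # may rekey earlier than the table states; strongSwan tolerates that.
    ikelifetime=24h
    lifetime=1h
    # IPsec SA volume lifetime of 4608000 kilobytes; lifebytes is in bytes
    # (assumes 1 kilobyte = 1024 bytes).
    lifebytes=4718592000
    auto=start
```

SHA-1 and a 1536-bit group are legacy-strength choices dictated by the peer; if the remote admin can enable the stronger optional suites, prefer those.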
