[strongSwan] Strong swan IKE issue.
Andrii Petrenko
aplsms at gmail.com
Tue Mar 20 00:06:12 CET 2018
Actually all of them are identified:
12.10.219.4 Main Mode Handshake returned HDR=(CKY-R=8d51ab7841c04271) SA=(Enc=AES KeyLength=128 Hash=SHA1 Group=5:modp1536 Auth=PSK LifeType=Seconds LifeDuration=28800)
12.10.219.4 Main Mode Handshake returned HDR=(CKY-R=8d51ab78aa98b745) SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=5:modp1536 Auth=PSK LifeType=Seconds LifeDuration=28800)
12.10.219.4 Main Mode Handshake returned HDR=(CKY-R=8d51ab78faedcf4f) SA=(Enc=3DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)
But strongSwan set for all:
12[ENC] parsed INFORMATIONAL_V1 request 76122219 [ HASH N(NO_PROP) ]
12[IKE] received NO_PROPOSAL_CHOSEN error notify
Thank you,
AP
> On Mar 19, 2018, at 15:22, Andrii Petrenko <aplsms at gmail.com> wrote:
>
> Tobias,
>
> I’ve tried ike-scan and what I see:
>
> ~/ike-scan$ sudo ike-scan --verbose --trans=7/256,2,1,5 xx.xx.xx.xx
> sudo: unable to resolve host stratus01
> DEBUG: pkt len=88 bytes, bandwidth=56000 bps, int=16571 us
> Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
> xx.xx.xx.xx Main Mode Handshake returned HDR=(CKY-R=8d51ab78888680ad) SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=5:modp1536 Auth=PSK LifeType=Seconds LifeDuration=28800)
>
>
>
>
>> On Mar 19, 2018, at 11:01, Andrii Petrenko <aplsms at gmail.com> wrote:
>>
>> Tobias, thank you for reply.
>>
>> Remote side is not supporting pfs.
>>
>> IKE Phase One Parameters:
>> Encryption Algorithm: AES 256
>> Hash Algorithm: SHA
>> Authentication Method: Pre-shared key
>> Key Exchange: Diffie Hellman Group 5
>> IKE SA Lifetime: 86400 (Cisco default)
>> IKE Phase Two Parameters (IPSEC):
>> Authentication: ESP with SHA-HMAC
>> Encryption Algorithm: ESP-AES 256
>> SA Establishment: ipsec-isakmp (IKE negotiated)
>> IPSEC Mode Tunnel (Cisco default)
>> IPSEC SA Lifetime (time) 3600 seconds
>> IPSEC SA Lifetime (volume) 4608000 kilobytes
>> PFS (Perfect Forward Secrecy) No
>> Optional encryption if requirements differ from above:
>> esp-3des esp-md5-hmac
>> esp-aes 256 esp-sha-hmac
>> esp-aes 128 esp-sha-hmac
>>
>> This information I have from remote side.
>>
>> Is it possible to see what the remote side offers?
>>
>> Thank you,
>> AP
>>
>>
>>> On Mar 19, 2018, at 10:52, Tobias Brunner <tobias at strongswan.org> wrote:
>>>
>>> Hi Andrii,
>>>
>>>> I see the problem on IKE side, but don’t know how to debug and fix it.
>>>
>>> The log tells you _exactly_ what the problem is:
>>>
>>>> 12[ENC] parsed INFORMATIONAL_V1 request 2090615229 [ HASH N(NO_PROP) ]
>>>> 12[IKE] received NO_PROPOSAL_CHOSEN error notify
>>>
>>> The peer doesn't like the crypto proposal sent by the client. So fix
>>> the `esp` setting in the config (maybe you have to enable PFS by adding
>>> a DH group, ask the other server admin for the correct algorithms).
>>>
>>> Regards,
>>> Tobias
>>
>
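As an added example (not code from this thread or from strongSwan), a small Python helper that parses the ike-scan "Handshake returned" lines quoted at the top of the thread, turns each SA the peer accepted into a strongSwan `ike=` proposal string, and picks the strongest one so the local config can be matched to the peer instead of guessing. The algorithm-name tables, the list of what counts as weak, and the `ike_settings` output format are my assumptions.

```python
import re
# ike-scan SA attribute values -> strongSwan proposal keywords (assumption: names as used
# in strongSwan's ike= setting; extend the tables if the peer offers other algorithms)
ENC = {("AES", "128"): "aes128", ("AES", "192"): "aes192", ("AES", "256"): "aes256", ("3DES", None): "3des"}
HASH = {"SHA": "sha1", "SHA1": "sha1", "SHA256": "sha256", "MD5": "md5"}
WEAK = ("3des", "md5", "modp768", "modp1024")   # avoid these unless nothing else is accepted

# Constructed input: the three ike-scan lines quoted in the thread.
SAMPLE = """\
12.10.219.4 Main Mode Handshake returned HDR=(CKY-R=8d51ab7841c04271) SA=(Enc=AES KeyLength=128 Hash=SHA1 Group=5:modp1536 Auth=PSK LifeType=Seconds LifeDuration=28800)
12.10.219.4 Main Mode Handshake returned HDR=(CKY-R=8d51ab78aa98b745) SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=5:modp1536 Auth=PSK LifeType=Seconds LifeDuration=28800)
12.10.219.4 Main Mode Handshake returned HDR=(CKY-R=8d51ab78faedcf4f) SA=(Enc=3DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)
"""

SA_RE = re.compile(r"SA=\((?P<attrs>[^)]*)\)")

def parse_sa(line):
    """Return the SA=(...) attributes of one 'Handshake returned' line as a dict, else None."""
    m = SA_RE.search(line)
    if not m:
        return None
    return dict(kv.split("=", 1) for kv in m.group("attrs").split())

def to_proposal(attrs):
    """Map parsed attributes to a strongSwan IKE proposal such as aes256-sha1-modp1536."""
    enc = ENC[(attrs["Enc"], attrs.get("KeyLength"))]
    group = attrs["Group"].split(":", 1)[1]          # "5:modp1536" -> "modp1536"
    return f"{enc}-{HASH[attrs['Hash']]}-{group}"

def accepted_proposals(text):
    """Every proposal the peer accepted, in the order ike-scan reported them."""
    return [to_proposal(a) for a in map(parse_sa, text.splitlines()) if a]

def key_bits(proposal):
    """AES key length used for ranking; non-AES ciphers rank lowest."""
    m = re.search(r"aes(\d+)", proposal)
    return int(m.group(1)) if m else 0

def strongest(proposals):
    """Drop proposals with a weak primitive (if anything remains), then prefer the longest AES key."""
    candidates = [p for p in proposals if not any(w in p for w in WEAK)] or list(proposals)
    return max(candidates, key=key_bits)

def ike_settings(text):
    """ipsec.conf settings matching the peer: strict ('!') proposal plus the lifetime it announced."""
    sas = [a for a in map(parse_sa, text.splitlines()) if a]
    best = strongest([to_proposal(a) for a in sas])
    life = next(a["LifeDuration"] for a in sas if to_proposal(a) == best)
    return {"ike": best + "!", "ikelifetime": life + "s"}
```

`ike_settings(SAMPLE)` returns `{'ike': 'aes256-sha1-modp1536!', 'ikelifetime': '28800s'}`; the Phase 2 `esp=` line still has to be taken from the peer's IPsec parameters (AES-256 with SHA-HMAC and no PFS in this thread), which ike-scan's Main Mode probe does not reveal.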