[strongSwan] Strong swan IKE issue.

Andrii Petrenko aplsms at gmail.com
Tue Mar 20 16:07:12 CET 2018

Hello Tobias,

Thank you for details.
I’ve already tested with 


No luck.  Requested logs and configs from ASA by

debug crypto ikev1 127 
debug crypto ipsec 127 

show crypto ipsec sa

Thank you,

Andrii Petrenko
aplsms at gmail.com

> On Mar 20, 2018, at 12:45 AM, Tobias Brunner <tobias at strongswan.org> wrote:
> Hi Andrii,
> ike-scan won't help you here as it only reports on Phase 1 (IKE SA), but
> your problem is during Phase 2 (Quick Mode, IPsec SA).
>> Remote side is not supporting pfs.
>> IKE Phase One Parameters:	
>> Encryption Algorithm: 	AES 256
>> Hash Algorithm: 	SHA
>> Authentication Method:	Pre-shared key
>> Key Exchange:	Diffie Hellman Group 5
>> IKE SA Lifetime: 	86400 (Cisco default)
>> IKE Phase Two Parameters (IPSEC):	
>> Authentication:	ESP with SHA-HMAC
>> Encryption Algorithm: 	ESP-AES 256
>> SA Establishment: 	ipsec-isakmp (IKE negotiated)
>> IPSEC Mode	Tunnel (Cisco default)
>> IPSEC SA Lifetime (time)	3600 seconds
>> IPSEC SA Lifetime (volume) 	4608000 kilobytes
>> PFS (Perfect Forward Secrecy)	No
>> Optional encryption if requirements differ from above:	
>> esp-3des esp-md5-hmac	
>> esp-aes 256 esp-sha-hmac	
>> esp-aes 128 esp-sha-hmac	
>> This information I have from remote side. 
> Looks like esp=aes256-sha1! should be correct then.  You could also try
> esp=aes128-sha1! or esp=3des-md5! (not recommended though).  And if this
> doesn't work, ask the remote admins for the correct settings (they
> should see in the log why the proposal was rejected).
>> Is it possible to see what the remote side offers?
> No (unless you do what ike-scan does i.e. try a number of possible
> combinations).
> Regards,
> Tobias
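The proposals Tobias describes, written out as an added ipsec.conf connection that is not part of this thread: it maps the Cisco Phase 1 and Phase 2 parameters quoted above onto strongSwan IKEv1 settings, with no DH group in the esp= line because the remote side does not support PFS. Peer address and subnets are placeholders, not values from the thread.

```ini
# Added example (not from the mailing list thread): strongSwan ipsec.conf
# connection matching the Cisco ASA parameters quoted above.
# Assumed placeholders: ASA at 198.51.100.1, local subnet 10.1.0.0/24,
# remote subnet 10.2.0.0/24. The PSK itself goes in ipsec.secrets.
conn to-asa
    keyexchange=ikev1
    aggressive=no             # IKEv1 main mode
    authby=secret             # pre-shared key authentication
    left=%defaultroute
    leftsubnet=10.1.0.0/24
    right=198.51.100.1
    rightsubnet=10.2.0.0/24
    type=tunnel               # IPsec tunnel mode
    # Phase 1 (IKE SA): AES-256, SHA1 ("SHA" on Cisco), DH group 5 = modp1536.
    # The trailing "!" makes the proposal strict so nothing else is offered.
    ike=aes256-sha1-modp1536!
    ikelifetime=24h           # 86400 seconds
    # Phase 2 (IPsec SA, Quick Mode): ESP AES-256 with HMAC-SHA1.
    # No DH group is listed here on purpose: the remote side has PFS
    # disabled, and offering a group would make the ASA reject the proposal.
    esp=aes256-sha1!
    lifetime=1h               # 3600 seconds
    lifebytes=4718592000      # 4608000 kilobytes (x1024)
    auto=start
```

After `ipsec up to-asa`, `ipsec statusall` shows which proposal was actually selected for each SA, and the charon log shows the rejected proposals if Quick Mode still fails.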
