[strongSwan] Strong swan IKE issue.
aplsms at gmail.com
Tue Mar 20 16:07:12 CET 2018
Thank you for details.
I’ve already tested with
No luck. Requested logs and configs from ASA by
debug crypto ikev1 127
debug crypto ipsec 127
show crypto ipsec sa
aplsms at gmail.com
> On Mar 20, 2018, at 12:45 AM, Tobias Brunner <tobias at strongswan.org> wrote:
> Hi Andrii,
> ike-scan won't help you here as it only reports on Phase 1 (IKE SA), but
> your problem is during Phase 2 (Quick Mode, IPsec SA).
>> Remote side is not supporting pfs.
>> IKE Phase One Parameters:
>> Encryption Algorithm: AES 256
>> Hash Algorithm: SHA
>> Authentication Method: Pre-shared key
>> Key Exchange: Diffie Hellman Group 5
>> IKE SA Lifetime: 86400 (Cisco default)
>> IKE Phase Two Parameters (IPSEC):
>> Authentication: ESP with SHA-HMAC
>> Encryption Algorithm: ESP-AES 256
>> SA Establishment: ipsec-isakmp (IKE negotiated)
>> IPSEC Mode Tunnel (Cisco default)
>> IPSEC SA Lifetime (time) 3600 seconds
>> IPSEC SA Lifetime (volume) 4608000 kilobytes
>> PFS (Perfect Forward Secrecy) No
>> Optional encryption if requirements differ from above:
>> esp-3des esp-md5-hmac
>> esp-aes 256 esp-sha-hmac
>> esp-aes 128 esp-sha-hmac
>> This information I have from remote side.
> Looks like esp=aes256-sha1! should be correct then. You could also try
> esp=aes128-sha1! or esp=3des-md5! (not recommended though). And if this
> doesn't work, ask the remote admins for the correct settings (they
> should see in the log why the proposal was rejected).
>> Is it possible to see what the remote side offers?
> No (unless you do what ike-scan does i.e. try a number of possible
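
Added example (not part of the original thread, and not strongSwan or Cisco code): a small Python helper that turns the Cisco-style transform sets quoted above into the esp= strings suggested in the reply, plus matching lifetime options for ipsec.conf. The function names, the mapping tables, the reading of a bare esp-aes as 128-bit and of Cisco kilobytes as 1024-byte units are assumptions.

```python
# Added example: Cisco-style Phase 2 parameters -> strongSwan ipsec.conf values.
# The mapping tables cover only the algorithms named in this thread.
ENC = {"esp-3des": "3des", "esp-aes": "aes"}
INTEG = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha1"}
DH = {2: "modp1024", 5: "modp1536", 14: "modp2048"}


def esp_proposal(transform_set, pfs_group=None):
    """Translate e.g. 'esp-aes 256 esp-sha-hmac' into 'aes256-sha1!'."""
    enc = integ = None
    tokens = transform_set.lower().split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ENC:
            enc = ENC[tok]
            if tok == "esp-aes":
                # Assumption: a bare 'esp-aes' without a key size means 128 bits.
                has_size = i + 1 < len(tokens) and tokens[i + 1].isdigit()
                enc += tokens[i + 1] if has_size else "128"
                if has_size:
                    i += 1  # skip the key-size token just consumed
        elif tok in INTEG:
            integ = INTEG[tok]
        else:
            raise ValueError(f"unknown transform keyword: {tok}")
        i += 1
    if enc is None or integ is None:
        raise ValueError("need one encryption and one integrity transform")
    parts = [enc, integ]
    if pfs_group is not None:
        # With PFS the Quick Mode proposal carries a DH group; without it, none.
        parts.append(DH[pfs_group])
    # The trailing '!' restricts strongSwan to exactly this proposal.
    return "-".join(parts) + "!"


def phase2_options(transform_set, seconds, kilobytes, pfs_group=None):
    """Return ipsec.conf conn options for one Phase 2 parameter set."""
    return {
        "esp": esp_proposal(transform_set, pfs_group),
        "lifetime": f"{seconds}s",
        "lifebytes": str(kilobytes * 1024),  # assumed 1024-byte kilobytes
    }


if __name__ == "__main__":
    # Constructed input: the three transform sets quoted in the thread, PFS off.
    for ts in ("esp-aes 256 esp-sha-hmac", "esp-aes 128 esp-sha-hmac", "esp-3des esp-md5-hmac"):
        print("  ".join(f"{k}={v}" for k, v in phase2_options(ts, 3600, 4608000).items()))
```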