[strongSwan] ipsec.conf working vs swanctl.conf not working
tobias at strongswan.org
Fri May 4 14:46:42 CEST 2018
> Here are the two outputs:
> (non working)
> [IKE] initiating Main Mode IKE_SA cbt to 18.104.22.168
> [ENC] generating ID_PROT request 0 [ SA V V V V V ]
> [NET] sending packet: from 22.214.171.124 to 126.96.36.199 (180 bytes)
So you're using IKEv1 now? (Was IKEv2 in your original mail, and you
should definitely prefer that if you can.)
> Why only 180 bytes?
> [NET] received packet: from 188.8.131.52 to 184.108.40.206 (40 bytes)
> [ENC] parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
> [IKE] received NO_PROPOSAL_CHOSEN error notify
> initiating Main Mode IKE_SA cbt to 220.127.116.11
> generating ID_PROT request 0 [ SA V V V V V ]
> sending packet: from 18.104.22.168 to 22.214.171.124 (248 bytes)
> This time strongSwan sends a 248-byte IKE packet?
Different IKE proposals. With ipsec.conf the default proposal(s) are
added to whatever you configure in ike/esp unless that ends with a !.
With swanctl.conf the default proposal(s) have to be added explicitly to
the IKE/ESP proposals (e.g. in your example `proposals =
3des-sha1-modp1024, default`). So that indicates your configured
proposal is incorrect. But that's a completely different problem than
the one you had before with IKEv2.
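
Added example, not part of the original message and not strongSwan code: a small Python helper that applies the rule described above when migrating a conn, turning ipsec.conf `ike=`/`esp=` values into swanctl.conf `proposals`/`esp_proposals` values with the same effective proposal list. The sample conn is constructed (only the name `cbt` and the IKE proposal appear in the thread), and the function names are hypothetical.

```python
"""Translate ipsec.conf ike=/esp= values to swanctl.conf proposal lists."""

# Constructed sample: only the conn name and the IKE proposal come from the thread.
SAMPLE_IPSEC_CONF = """\
conn cbt
    keyexchange=ikev1
    ike=3des-sha1-modp1024
    esp=3des-sha1!
"""

# ipsec.conf key -> swanctl.conf key (connection level / child level)
KEYMAP = {"ike": "proposals", "esp": "esp_proposals"}


def to_swanctl_proposals(value):
    """Return the swanctl.conf value with the same effective proposal list."""
    value = value.strip()
    strict = value.endswith("!")          # trailing ! = configured proposals only
    items = [p.strip() for p in value.rstrip("!").split(",") if p.strip()]
    if strict and not items:
        raise ValueError("strict flag without any proposal")
    # ipsec.conf appends the defaults implicitly; swanctl.conf needs them listed.
    if not strict and "default" not in items:
        items.append("default")
    return ", ".join(items)


def convert_conn(text):
    """Map the ike=/esp= lines of one conn section to swanctl.conf settings."""
    # An unset key means the default proposals in both formats.
    out = {"proposals": "default", "esp_proposals": "default"}
    for line in text.splitlines():
        key, sep, val = line.split("#", 1)[0].partition("=")
        if sep and key.strip() in KEYMAP:
            out[KEYMAP[key.strip()]] = to_swanctl_proposals(val)
    return out


if __name__ == "__main__":
    for key, val in convert_conn(SAMPLE_IPSEC_CONF).items():
        print(f"{key} = {val}")
```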