[strongSwan] ipsec.conf working vs swanctl.conf not working
Tobias Brunner
tobias at strongswan.org
Fri May 4 14:46:42 CEST 2018
Hi Marco,
> Here are the two outputs:
>
> (non working)
> [IKE] initiating Main Mode IKE_SA cbt[494] to 31.169.105.210
> [ENC] generating ID_PROT request 0 [ SA V V V V V ]
> [NET] sending packet: from 205.223.229.254[500] to 31.169.105.210[500] (180 bytes)
So you're using IKEv1 now? (Was IKEv2 in your original mail, and you
should definitely prefer that if you can.)
> Why only 180 bytes?
>
> [NET] received packet: from 31.169.105.210[500] to 205.223.229.254[500] (40 bytes)
> [ENC] parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
> [IKE] received NO_PROPOSAL_CHOSEN error notify
>
>
> (working)
> initiating Main Mode IKE_SA cbt[499] to 31.169.105.210
> generating ID_PROT request 0 [ SA V V V V V ]
> sending packet: from 205.223.229.254[500] to 31.169.105.210[500] (248 bytes)
>
> This time strongSwan sends a 248-byte IKE packet?
Different IKE proposals. With ipsec.conf the default proposal(s) are
added to whatever you configure in ike/esp unless that ends with a !.
With swanctl.conf the default proposal(s) have to be added explicitly to
the IKE/ESP proposals (e.g. in your example
`proposals = 3des-sha1-modp1024, default`). So that indicates your configured
proposal is incorrect. But that's a completely different problem than
the one you had before with IKEv2.
Regards,
Tobias
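
The proposal handling described in the reply above, side by side in both configuration formats. This is an added example, not part of the original message or of the poster's actual configuration: the connection name `cbt` and the peer address come from the quoted log, while the child name `net`, the ESP values and the omission of authentication and traffic-selector settings are assumptions.

```conf
# ---------- ipsec.conf (legacy format) ----------
conn cbt
    keyexchange=ikev1
    right=31.169.105.210
    # No trailing "!": the default proposal(s) are appended to this list,
    # which fits the larger 248-byte first packet in the working log.
    ike=3des-sha1-modp1024
    esp=3des-sha1            # assumed ESP value, same rule applies
    # Strict form: with a trailing "!" only the listed proposal is sent.
    # ike=3des-sha1-modp1024!
    auto=add

# ---------- swanctl.conf ----------
connections {
    cbt {
        version = 1
        remote_addrs = 31.169.105.210
        # Nothing is appended implicitly here. "default" must be listed
        # to get the behaviour of the non-strict ipsec.conf line above.
        proposals = 3des-sha1-modp1024, default
        children {
            net {            # hypothetical child name
                esp_proposals = 3des-sha1, default
            }
        }
    }
}
```

Leaving `default` off the swanctl.conf lines is the equivalent of the strict `!` form in ipsec.conf: only the explicitly listed proposal is offered, and the peer answers NO_PROPOSAL_CHOSEN if it does not accept it.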