[strongSwan] Wrong DH group and hash in IKE phase 1 proposal
Makarand Pradhan
MakarandPradhan at is5com.com
Thu Dec 12 20:31:02 CET 2019
Hello Everyone,
I'm trying to set up a tunnel between strongSwan and a Cisco 2811. I'm following instructions per:
https://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/117258-config-l2l.html
Phase 1 parameters are configured in ipsec.conf as:
    keyexchange=ikev1
    ike=aes128-md5-modp1536
When I try starting up the tunnel, the IKE proposal sent out contains:
Per log on Cisco router:
*Dec 12 21:32:39.438: ISAKMP: encryption AES-CBC
*Dec 12 21:32:39.438: ISAKMP: keylength of 128
*Dec 12 21:32:39.438: ISAKMP: hash SHA256
*Dec 12 21:32:39.438: ISAKMP: unknown DH group 31
*Dec 12 21:32:39.438: ISAKMP: auth pre-share
*Dec 12 21:32:39.438: ISAKMP: life type in seconds
*Dec 12 21:32:39.438: ISAKMP: life duration (basic) of 1520
I've captured the packet in Wireshark and the packet indicates the wrong DH group and wrong hash. I've attached the captured pcap file.
My ipsec.conf file is as follows:
config setup
    charondebug=ike 4

#####IS5#####
conn m1
    type=tunnel
    authby=secret
    auto=add
    keyexchange=ikev1
    ike=aes128-md5-modp1536
    esp=aes128-sha1
    ikelifetime=1520
    right=80.0.0.3
    rightid=80.0.0.3
    rightsubnet=10.10.3.0/24
    left=80.0.0.2
    leftid=80.0.0.2
    leftsubnet=192.168.0.0/16
I've tried changing to 3DES and SHA512 and different DH groups in ipsec.conf. All the same, I always see AES-SHA256-DHGRP31 going out.
Any opinions or suggestions to correct my ipsec.conf would be highly appreciated.
With rgds,
Makarand.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec.pcap
Type: application/octet-stream
Size: 566 bytes
Desc: ipsec.pcap
URL: <http://lists.strongswan.org/pipermail/users/attachments/20191212/6b645524/attachment.obj>
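
Added example, not part of the original post and not strongSwan or Cisco code: a Python check that compares the configured ike= proposal with the transform the Cisco debug output reports, run over the log lines quoted in the message. The group-number table and the Cisco hash spellings are an assumed subset, and the function names are hypothetical.

```python
import re

# Assumed subset of the IANA group numbers and of Cisco's debug spellings.
DH_GROUPS = {"modp768": 1, "modp1024": 2, "modp1536": 5,
             "modp2048": 14, "curve25519": 31}
CISCO_HASH = {"MD5": "md5", "SHA": "sha1", "SHA256": "sha256",
              "SHA384": "sha384", "SHA512": "sha512"}

# Log lines copied from the post above.
CISCO_LOG = """\
*Dec 12 21:32:39.438: ISAKMP: encryption AES-CBC
*Dec 12 21:32:39.438: ISAKMP: keylength of 128
*Dec 12 21:32:39.438: ISAKMP: hash SHA256
*Dec 12 21:32:39.438: ISAKMP: unknown DH group 31
*Dec 12 21:32:39.438: ISAKMP: auth pre-share
"""


def parse_ike(proposal):
    """Split a single ike= proposal such as 'aes128-md5-modp1536'."""
    enc, integ, dh = proposal.rstrip("!").lower().split("-")
    return {"encryption": enc, "hash": integ, "dh_group": DH_GROUPS[dh]}


def parse_cisco_debug(text):
    """Extract the offered transform from ISAKMP debug lines."""
    def find(pattern):
        # '.' does not cross newlines, so each match stays on one log line.
        m = re.search(r"ISAKMP:.*?" + pattern, text)
        return m.group(1) if m else None
    cipher = (find(r"encryption (\w+)") or "").lower()  # AES-CBC -> aes
    keylen = find(r"keylength of (\d+)") or ""          # no key length for 3DES
    hash_name = find(r"hash (\w+)")
    group = find(r"group (\d+)")
    return {"encryption": cipher + keylen,
            "hash": CISCO_HASH.get(hash_name, hash_name),
            "dh_group": int(group) if group else None}


def mismatches(configured, offered):
    """Return {field: (configured, offered)} for every differing field."""
    return {k: (v, offered.get(k)) for k, v in configured.items()
            if offered.get(k) != v}


if __name__ == "__main__":
    diff = mismatches(parse_ike("aes128-md5-modp1536"),
                      parse_cisco_debug(CISCO_LOG))
    for field, (want, got) in diff.items():
        print(f"{field}: configured {want}, peer saw {got}")
```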