[strongSwan] Wrong DH group and hash in IKE phase 1 proposal

Makarand Pradhan MakarandPradhan at is5com.com
Fri Dec 13 15:45:16 CET 2019


Hi All,

A quick update to my last query.

A make clean and a reboot seem to have fixed the issue. I haven't modified any strongSwan code, so it should not have mattered. Anyway, now I can see IKE PH1 complete.

*Dec 13 17:14:29.259: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Dec 13 17:14:29.259: ISAKMP:(1008):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Thanks.

Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.
#1-1815 Meyerside Drive
Mississauga, Ontario
L5T 1G3
Main Line: +1-844-520-0588 Ext. 129
Direct Line: +1-289-724-2296
Cell: +1-226-501-5666
Fax:+1-289-401-5206
Email: makarandpradhan at is5com.com
Website: www.iS5Com.com

-----Original Message-----
From: Users <users-bounces at lists.strongswan.org> On Behalf Of Makarand Pradhan
Sent: December 12, 2019 2:31 PM
To: users at lists.strongswan.org
Subject: [strongSwan] Wrong DH group and hash in IKE phase 1 proposal

Hello Everyone,

I'm trying to set up a tunnel between strongSwan and a Cisco 2811. I'm following the instructions at:

https://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/117258-config-l2l.html

Phase 1 parameters are configured in ipsec.conf as:
	keyexchange=ikev1
	ike=aes128-md5-modp1536

When I try starting up the tunnel, the IKE proposal sent out contains:

Per log on Cisco router:
*Dec 12 21:32:39.438: ISAKMP:      encryption AES-CBC
*Dec 12 21:32:39.438: ISAKMP:      keylength of 128
*Dec 12 21:32:39.438: ISAKMP:      hash SHA256
*Dec 12 21:32:39.438: ISAKMP:      unknown DH group 31
*Dec 12 21:32:39.438: ISAKMP:      auth pre-share
*Dec 12 21:32:39.438: ISAKMP:      life type in seconds
*Dec 12 21:32:39.438: ISAKMP:      life duration (basic) of 1520

I've captured the packet in wireshark and the packet indicates the wrong DH group and wrong hash. I've attached the captured pcap file.

My ipsec.conf file is as follows:

config setup
        charondebug=ike 4

#####IS5#####
conn m1
        type=tunnel
        authby=secret
        auto=add
        keyexchange=ikev1
        ike=aes128-md5-modp1536
        esp=aes128-sha1
        ikelifetime=1520
        right=80.0.0.3
        rightid=80.0.0.3
        rightsubnet=10.10.3.0/24
        left=80.0.0.2
        leftid=80.0.0.2
        leftsubnet=192.168.0.0/16

I've tried changing to 3DES and SHA512 and to different DH groups in ipsec.conf. All the same, I always see AES-SHA256-DHGRP31 going out.

Any opinions or suggestions to correct my ipsec.conf would be highly appreciated.

With rgds,
Makarand.


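An added check for the mismatch described in the quoted query (example code written for this page, not from the strongSwan project or from the poster): it parses the ike= value from ipsec.conf and the Cisco "debug crypto isakmp" lines quoted above, and names each phase 1 field where the two differ. Two facts it encodes: IOS only reports "unknown DH group 31", but ISAKMP group 31 is Curve25519 (RFC 8031), which strongSwan spells "curve25519" or "x25519"; and aes128-sha256-x25519 is the stock strongSwan default proposal in current 5.x releases, so seeing exactly that on the wire no matter what ike= says points at the configuration not being applied (stale build or config not reloaded, consistent with the make clean and reboot in the follow-up) rather than at a wrong keyword. The sample log text is the poster's lines copied inline so the script runs offline; the DH and hash tables cover the common IKEv1 values only, and anything else is reported as unknown. md5 and modp1536 are legacy choices that only make sense for interoperating with an old IOS peer.

```python
"""Compare the IKEv1 phase 1 proposal configured in strongSwan's ipsec.conf
(ike=...) with the proposal a Cisco IOS peer reports in 'debug crypto isakmp'
output, and name each field that differs."""
import re

# IANA ISAKMP Diffie-Hellman group numbers -> strongSwan ike= keywords.
# Group 31 is Curve25519 (RFC 8031); strongSwan accepts "curve25519" and "x25519".
DH_GROUPS = {
    1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048", 15: "modp3072",
    16: "modp4096", 17: "modp6144", 18: "modp8192",
    19: "ecp256", 20: "ecp384", 21: "ecp521", 31: "curve25519",
}

# Cisco IOS debug names -> strongSwan keywords (IOS prints "SHA" for SHA-1).
CISCO_HASH = {"MD5": "md5", "SHA": "sha1", "SHA256": "sha256",
              "SHA384": "sha384", "SHA512": "sha512"}
CISCO_ENC = {"DES-CBC": "des", "3DES-CBC": "3des", "AES-CBC": "aes"}

# Constructed sample input: the ISAKMP debug lines quoted in the original post.
CISCO_LOG = """\
*Dec 12 21:32:39.438: ISAKMP:      encryption AES-CBC
*Dec 12 21:32:39.438: ISAKMP:      keylength of 128
*Dec 12 21:32:39.438: ISAKMP:      hash SHA256
*Dec 12 21:32:39.438: ISAKMP:      unknown DH group 31
*Dec 12 21:32:39.438: ISAKMP:      auth pre-share
*Dec 12 21:32:39.438: ISAKMP:      life type in seconds
*Dec 12 21:32:39.438: ISAKMP:      life duration (basic) of 1520
"""

FIELDS = ("enc", "keylen", "hash", "dh")


def dh_keyword(group):
    """Map an ISAKMP DH group number to strongSwan's keyword."""
    return DH_GROUPS.get(group, "unknown-group-%d" % group)


def parse_cisco_log(text):
    """Extract the received phase 1 transform from Cisco 'debug crypto isakmp' lines."""
    observed = {"enc": None, "keylen": None, "hash": None, "dh": None, "lifetime": None}
    for line in text.splitlines():
        m = re.search(r"ISAKMP:\s+(.*)$", line)   # transform lines have a blank run after "ISAKMP:"
        if not m:
            continue
        field = m.group(1).strip()
        words = field.split()
        if field.startswith("encryption "):
            observed["enc"] = CISCO_ENC.get(words[1], words[1].lower())
        elif field.startswith("keylength of "):
            observed["keylen"] = int(words[-1])
        elif field.startswith("hash "):
            observed["hash"] = CISCO_HASH.get(words[1], words[1].lower())
        elif "DH group" in field:                 # "DH group 5" or "unknown DH group 31"
            observed["dh"] = dh_keyword(int(words[-1]))
        elif field.startswith("life duration"):
            observed["lifetime"] = int(words[-1])
    # 3DES has a fixed 192-bit key and IOS prints no keylength line for it.
    if observed["enc"] == "3des" and observed["keylen"] is None:
        observed["keylen"] = 192
    return observed


def parse_ike_line(ike):
    """Parse a strongSwan ike= value (comma separated proposals, optional trailing '!')
    into one dict per proposal with enc/keylen/hash/dh in strongSwan spelling."""
    proposals = []
    for prop in ike.rstrip("!").split(","):
        parsed = {"enc": None, "keylen": None, "hash": None, "dh": None}
        for tok in prop.strip().split("-"):
            m = re.fullmatch(r"(aes|camellia|3des|des|blowfish)(\d+)?", tok)
            if m:
                parsed["enc"] = m.group(1)
                # strongSwan treats bare "aes"/"camellia" as 128-bit; 3DES is always 192.
                parsed["keylen"] = int(m.group(2)) if m.group(2) else \
                    {"aes": 128, "camellia": 128, "3des": 192}.get(m.group(1))
            elif tok in ("md5", "sha", "sha1", "sha256", "sha384", "sha512"):
                parsed["hash"] = "sha1" if tok == "sha" else tok
            elif tok in ("sha2_256", "sha2_384", "sha2_512"):
                parsed["hash"] = tok.replace("sha2_", "sha")
            elif tok.startswith(("modp", "ecp", "curve25519", "x25519")):
                parsed["dh"] = "curve25519" if tok == "x25519" else tok
        proposals.append(parsed)
    return proposals


def compare(configured, observed):
    """Return [] if any configured proposal equals what the peer received; otherwise one
    message per differing field, measured against the first configured proposal."""
    if any(all(p[k] == observed[k] for k in FIELDS) for p in configured):
        return []
    first = configured[0]
    return ["%s: configured %s, peer received %s" % (k, first[k], observed[k])
            for k in FIELDS if first[k] != observed[k]]


if __name__ == "__main__":
    configured = parse_ike_line("aes128-md5-modp1536")   # the ike= line from the post
    observed = parse_cisco_log(CISCO_LOG)
    print("peer received:", observed)
    for msg in compare(configured, observed):
        print("MISMATCH", msg)
```

Run against the quoted values it reports mismatches for hash and dh only, which is the signature of the default proposal going out instead of the configured one; after the config is really in effect (check charon's "configured proposals" line with charondebug="cfg 2", then ipsec reload) the same run returns no mismatch.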