[strongSwan] Unstable strongSwan-ASA tunnel
Tobias Brunner
tobias at strongswan.org
Mon Nov 11 12:34:16 CET 2019
Hi Santiago,
> I'm not an expert, but according to the logs it seems it might have
> something to do with rekeying.
Yep, looks that way. First, I've never seen this message before:
> Nov 9 23:31:17 RouterA charon: 15[IKE] peer didn't accept DH group MODP_1024, it requested MODP_NONE
It seems a bit strange, but I guess the peer doesn't want to use DH
during CHILD_SA rekeying. Technically, it should just ignore the KE
payload and select a proposal without DH group (or with MODP_NONE). If
there isn't one, the response should probably be NO_PROPOSAL_CHOSEN and
not INVALID_KE_PAYLOAD.
What's interesting is that strongSwan actually continues without a KE
payload, while the proposal is obviously not changed and still proposes
modp1024, so it won't actually match later and causes this error:
> Nov 9 23:31:17 RouterA charon: 08[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
> Nov 9 23:31:17 RouterA charon: 08[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
> Nov 9 23:31:17 RouterA charon: 08[IKE] no acceptable proposal found
You should either enable PFS on the Cisco box, or disable it on the other.
Regards,
Tobias
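To make the proposal mismatch in the log lines above concrete, here is a small, self-contained model of IKEv2 CHILD_SA proposal selection during a rekey. It is an added illustration, not strongSwan's own code or the thread author's: the transform tables are a hand-built subset of charon's algorithm names, a missing DH group is treated as MODP_NONE (no PFS), and the matching rule (every transform type must have a common algorithm) is a simplification of what charon does. The sample proposals are the two strings from the charon CFG log lines, plus constructed variants showing the two fixes suggested in the reply.

```python
# Transform tables: a constructed subset of the names charon prints in its
# "[CFG] received/configured proposals" lines (not a complete list).
ENCR = {"AES_CBC_128", "AES_CBC_256", "AES_GCM_16_256", "3DES_CBC"}
INTEG = {"HMAC_SHA1_96", "HMAC_SHA2_256_128", "HMAC_MD5_96"}
DH = {"MODP_1024", "MODP_2048", "ECP_256", "MODP_NONE"}
ESN = {"NO_EXT_SEQ", "EXT_SEQ"}
TYPES = (("ENCR", ENCR), ("INTEG", INTEG), ("DH", DH), ("ESN", ESN))

# Proposals copied from the log lines quoted in the thread.
RECEIVED_NO_PFS = "ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ"
CONFIGURED_PFS = "ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ"
# Constructed variants for the two fixes: PFS enabled on the peer, or
# PFS disabled on the strongSwan side.
RECEIVED_PFS = "ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ"
CONFIGURED_NO_PFS = "ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ"


def parse_proposal(text):
    """Parse 'ESP:ALG/ALG/...' into {'proto': 'ESP', 'ENCR': {...}, ...}.

    A proposal with no DH group is recorded as MODP_NONE, which is how a
    "no PFS" rekey proposal looks when compared against a configured one.
    """
    proto, _, algs = text.partition(":")
    sets = {name: set() for name, _ in TYPES}
    for alg in algs.split("/"):
        for name, table in TYPES:
            if alg in table:
                sets[name].add(alg)
                break
        else:
            raise ValueError(f"unknown transform {alg!r}")
    if not sets["DH"]:
        sets["DH"].add("MODP_NONE")
    if not sets["ESN"]:
        sets["ESN"].add("NO_EXT_SEQ")
    return {"proto": proto, **sets}


def select_proposal(configured, received):
    """Return the first configured proposal the peer also offers, as a dict of
    chosen transforms, or None (the responder would send NO_PROPOSAL_CHOSEN).

    Simplified rule (assumption, not charon's exact logic): the protocol must
    match and every transform type must have at least one common algorithm.
    A configured MODP_1024 therefore never matches a peer offering no DH group.
    """
    for c in configured:
        for r in received:
            if c["proto"] != r["proto"]:
                continue
            chosen = {}
            for name, _ in TYPES:
                common = c[name] & r[name]
                if not common:
                    break
                chosen[name] = sorted(common)[0]
            else:
                return chosen
    return None


def rekey_outcome(configured_text, received_text):
    """Run one CHILD_SA rekey proposal selection on two log-style strings."""
    return select_proposal([parse_proposal(configured_text)],
                           [parse_proposal(received_text)])


if __name__ == "__main__":
    print("as logged:      ", rekey_outcome(CONFIGURED_PFS, RECEIVED_NO_PFS))
    print("PFS on peer:    ", rekey_outcome(CONFIGURED_PFS, RECEIVED_PFS))
    print("PFS off locally:", rekey_outcome(CONFIGURED_NO_PFS, RECEIVED_NO_PFS))
```

Running it reproduces the "no acceptable proposal found" case for the logged pair (the result is None), and shows that adding MODP_1024 on the peer side or dropping it from the strongSwan ESP proposal both yield a selected proposal. In real deployments, prefer adding the DH group on the peer (keeping PFS) over removing it, and treat MODP_1024 itself as a legacy group to migrate away from.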