[strongSwan] Unstable strongSwan-ASA tunnel

Tobias Brunner tobias at strongswan.org
Mon Nov 11 12:34:16 CET 2019


Hi Santiago,

> I'm not an expert, but according to the logs it seems it might have 
> something to do with rekeying.

Yep, looks that way.  First, I've never seen this message before:

> Nov  9 23:31:17 RouterA charon: 15[IKE] peer didn't accept DH group MODP_1024, it requested MODP_NONE

It seems a bit strange, but I guess the peer doesn't want to use DH
during CHILD_SA rekeying.  Technically, it should just ignore the KE
payload and select a proposal without DH group (or with MODP_NONE).  If
there isn't one, the response should probably be NO_PROPOSAL_CHOSEN and
not INVALID_KE_PAYLOAD.

What's interesting is that strongSwan actually continues without a KE
payload, while the proposal is obviously not changed and still proposes
modp1024, so it won't actually match later and causes this error:

> Nov  9 23:31:17 RouterA charon: 08[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
> Nov  9 23:31:17 RouterA charon: 08[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
> Nov  9 23:31:17 RouterA charon: 08[IKE] no acceptable proposal found

You should either enable PFS on the Cisco box, or disable it on the other.

Regards,
Tobias
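As an added illustration (not code from this thread or from strongSwan), the following Python models the responder-side proposal selection Tobias describes for a CHILD_SA rekey, using the proposal notation from the quoted logs. It assumes one transform per type in each proposal string (as the logs show) and keeps the KE payload's DH group as a separate parameter; the WITH_PFS/WITHOUT_PFS constants are taken from the logs, everything else is constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

DH_PREFIXES = ("MODP_", "ECP_", "CURVE_")  # transform names that denote a DH group
NO_DH = "MODP_NONE"


@dataclass(frozen=True)
class Proposal:
    protocol: str  # "ESP" or "AH"
    encr: str      # e.g. "AES_CBC_256"
    integ: str     # e.g. "HMAC_SHA1_96"
    dh: str        # DH group, or MODP_NONE when the proposal carries none
    esn: str       # "NO_EXT_SEQ" or "EXT_SEQ"


def parse_proposal(text: str) -> Proposal:
    """Parse 'ESP:ENCR/INTEG[/DH]/ESN' (one transform per type, as in the logs)."""
    proto, _, transforms = text.partition(":")
    parts = transforms.split("/")
    dh = next((p for p in parts if p.startswith(DH_PREFIXES)), NO_DH)
    encr, integ, esn = [p for p in parts if p != dh]
    return Proposal(proto, encr, integ, dh, esn)


def select_proposal(received: List[str], configured: List[str],
                    ke_group: Optional[str]) -> Tuple[str, Optional[str]]:
    """Responder-side selection for a CREATE_CHILD_SA rekey request.

    ke_group: DH group of the request's KE payload, or None when it has none.
    Returns ("OK", chosen DH group), ("NO_PROPOSAL_CHOSEN", None) or
    ("INVALID_KE_PAYLOAD", group the initiator should retry with).
    """
    conf = {parse_proposal(c) for c in configured}
    matches = [p for p in map(parse_proposal, received) if p in conf]
    if not matches:
        return "NO_PROPOSAL_CHOSEN", None
    # A matching proposal without DH is acceptable whatever the KE payload carries
    # (the KE is simply ignored); so is one whose group equals the KE payload's.
    for p in matches:  # the initiator's order expresses its preference
        if p.dh in (NO_DH, ke_group):
            return "OK", p.dh
    # Only DH proposals match and none fits the KE payload.
    if ke_group is None:
        return "NO_PROPOSAL_CHOSEN", None  # no KE payload, so DH is impossible
    return "INVALID_KE_PAYLOAD", matches[0].dh


# Proposal strings taken from the quoted logs; the scenarios are constructed.
WITH_PFS = "ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ"
WITHOUT_PFS = "ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ"
```

With these constants, a peer configured WITHOUT_PFS answering a request that proposes WITH_PFS and carries a MODP_1024 KE payload gets NO_PROPOSAL_CHOSEN (not INVALID_KE_PAYLOAD with MODP_NONE), and RouterA checking the DH-less proposal against its MODP_1024-only configuration likewise finds nothing acceptable, which is why aligning the PFS setting on both ends is the fix.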
