[strongSwan] Unstable strongSwan-ASA tunnel

Santiago Lorente sll at disroot.org
Tue Nov 12 10:48:55 CET 2019


On 11/11/19 12:34, Tobias Brunner wrote:
> Hi Santiago,
>
>> I'm not an expert, but according to the logs it seems it might have
>> something to do with rekeying.
> Yep, looks that way.  First, I've never seen this message before:
>
>> Nov  9 23:31:17 RouterA charon: 15[IKE] peer didn't accept DH group MODP_1024, it requested MODP_NONE
> It seems a bit strange, but I guess the peer doesn't want to use DH
> during CHILD_SA rekeying.  Technically, it should just ignore the KE
> payload and select a proposal without DH group (or with MODP_NONE).  If
> there isn't one, the response should probably be NO_PROPOSAL_CHOSEN and
> not INVALID_KE_PAYLOAD.
>
> What's interesting is that strongSwan actually continues without a KE
> payload, while the proposal is obviously not changed and still proposes
> modp1024, so it won't actually match later and causes this error:
>
>> Nov  9 23:31:17 RouterA charon: 08[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
>> Nov  9 23:31:17 RouterA charon: 08[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
>> Nov  9 23:31:17 RouterA charon: 08[IKE] no acceptable proposal found
> You should either enable PFS on the Cisco box, or disable it on the other.
>
> Regards,
> Tobias


Hey Tobias, thanks, it works now!

I added PFS to the Cisco ASA.

I think the SA keeps restarting sometimes, but now no connection is 
interrupted.

Thank you!
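As an added example (not part of this thread and not strongSwan's own code), a short Python check that parses the three charon lines quoted above and reports when the only difference between the peer's offer and the local configuration is the DH (PFS) group, which is the mismatch Tobias pointed out. The log text is copied from the thread; the function names are mine, and the parser assumes multiple proposals on one line are separated by ", " as charon prints them.

```python
import re

# Constructed sample input: the three charon lines quoted in the thread.
LOG = """\
Nov  9 23:31:17 RouterA charon: 08[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Nov  9 23:31:17 RouterA charon: 08[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Nov  9 23:31:17 RouterA charon: 08[IKE] no acceptable proposal found
"""

PROPOSAL_RE = re.compile(r"\[CFG\] (received|configured) proposals: (.+)$")


def is_dh_group(alg):
    """True for the DH group tokens charon prints (MODP_*, ECP_*, CURVE_*)."""
    return alg.startswith(("MODP_", "ECP_", "CURVE_"))


def parse_proposals(text):
    """Map 'received'/'configured' to lists of (protocol, [algorithm tokens])."""
    out = {"received": [], "configured": []}
    for line in text.splitlines():
        m = PROPOSAL_RE.search(line)
        if not m:
            continue
        # Assumption: several proposals on one line are joined with ", ".
        for prop in m.group(2).split(", "):
            proto, _, algs = prop.partition(":")
            out[m.group(1)].append((proto, algs.split("/")))
    return out


def diagnose_pfs_mismatch(text):
    """Return details if a received/configured pair differs only in DH group, else None.

    Such a pair means ciphers and integrity already agree and the failure is
    purely a PFS setting mismatch: one side wants a DH exchange on CHILD_SA
    rekey, the other side does not.
    """
    props = parse_proposals(text)
    for proto_r, algs_r in props["received"]:
        for proto_c, algs_c in props["configured"]:
            if proto_r != proto_c:
                continue
            dh_r = sorted(a for a in algs_r if is_dh_group(a))
            dh_c = sorted(a for a in algs_c if is_dh_group(a))
            rest_r = [a for a in algs_r if not is_dh_group(a)]
            rest_c = [a for a in algs_c if not is_dh_group(a)]
            if rest_r == rest_c and dh_r != dh_c:
                return {"protocol": proto_r, "peer_dh": dh_r, "local_dh": dh_c}
    return None
```

On the quoted lines this returns a peer DH list that is empty against a local list of `MODP_1024`, i.e. PFS enabled locally but not on the peer.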
