[strongSwan] Sanity Check for ipsec.conf

Odhiambo Washington odhiambo at gmail.com
Tue Oct 29 14:54:52 CET 2019


Hi everyone,
I have been given the following as the connection parameters to connect to
a Cisco ASA:

Phase1:
Authentication Method          *Pre-shared key*
Cryptography Type              *IKE*
Diffie-Hellman Group           *Group 2*
Cryptography Algorithm         *3DES*
Hash Algorithm                 *SHA-1*
Main or Aggressive Mode        *Main mode*
Lifetime (for renegotiation)   *28800 seconds*

Phase2:
Encapsulation (ESP or AH)      *ESP*
Cryptography Algorithm         *3DES*
Algorithm Method               *SHA-1*
Perfect Forward Secrecy        *NO PFS*
Lifetime (for renegotiation)   *3600 seconds*


Can someone please help me spot the mistake in my ipsec.conf?

Also, what do I need to add to the file to get more debug output in the log
at least so that I can see the proposals offered?

My ipsec.conf looks like this:
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=secret
        keyexchange=ikev1
        mobike=no
conn site1
        authby=secret
        left=178.128.x.x
        leftsubnet=0.0.0.0/0
        right=212.49.x.x
        rightsubnet=192.168.27.0/24
        # we tell StrongSwan which encryption algorithms to use for the VPN
        ike=3des-sha1-modp1024   # <======== I am not sure about this value
        esp=3des-sha1
        pfs=no
        auto=start
        # configure dead-peer detection to clear any "dangling" connections in case the client unexpectedly disconnects
        dpdaction=clear
        dpddelay=300s
        rekey=no


Thanks
-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi, KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)
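For reference, the Cisco ASA parameters in the post mapped onto strongSwan ipsec.conf syntax, together with the logging setting that makes the offered proposals visible. This is an added example, not the poster's file or an official strongSwan sample; the x.x addresses are the masked placeholders from the post and the charondebug levels are one reasonable choice.

```ini
# Added example (not the poster's configuration): Cisco ASA Phase 1/2 parameters
# expressed in strongSwan ipsec.conf terms. Addresses are the post's masked placeholders.
config setup
        # per-subsystem log levels; "ike 2, cfg 2" prints the proposals each side offers
        charondebug="ike 2, cfg 2, knl 1"

conn site1
        keyexchange=ikev1
        # Main mode (aggressive mode is the alternative the ASA did not ask for)
        aggressive=no
        # Pre-shared key; the key itself lives in ipsec.secrets
        authby=secret
        left=178.128.x.x
        leftsubnet=0.0.0.0/0
        right=212.49.x.x
        rightsubnet=192.168.27.0/24
        # Phase 1: 3DES / SHA-1 / DH group 2 = modp1024; the trailing "!" rejects
        # any other proposal instead of also offering strongSwan's defaults
        ike=3des-sha1-modp1024!
        # 28800 seconds
        ikelifetime=8h
        # Phase 2: ESP with 3DES / SHA-1 and no DH group, i.e. no PFS
        # (strongSwan ignores pfs=; PFS is requested by adding a DH group to esp=)
        esp=3des-sha1!
        # 3600 seconds; keylife= is the older alias for lifetime=
        lifetime=1h
        rekeymargin=3m
        keyingtries=1
        dpdaction=clear
        dpddelay=300s
        auto=start
```

After `ipsec reload`, the configured proposals are listed by `ipsec statusall` and the ones actually exchanged appear in the charon log at the levels set above.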