On Wed, Oct 04, 2017 at 10:05:08PM +0200, Bartek Krawczyk wrote:
> In summary:
> 1. racoon configuration with aes128-cbc, sha256 and pfs2048 doesn't work with MikroTik.
> 2. changing only sha256 to sha1 on racoon and MikroTik solves the problem immediately.
> 3. MikroTik to MikroTik and MikroTik to strongSwan work as expected.
> 4. PSK is fine, phase 1 and 2 complete properly, setkey -D and setkey -DP show expected values but packets are dropped.
Once the SA is installed, it's the kernel's responsibility to actually handle the relevant ipsec encap/decap operations. So the two likely possibilities that I see are:

1. Kernel is misbehaving due to kernel bug
2. Kernel is misbehaving due to improperly configured SA

Can you provide the SA db of a working system (e.g. configured by strongswan or racoon with sha1) and that of a non-working system, for comparison? You should be able to use 'setkey' even on a system configured using strongswan, or you can use 'ip xfrm state'.

For what it's worth, I use the following in most of my configurations with no issues:

    encryption_algorithm aes 256;
    hash_algorithm sha512;

Thanks
noah
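The side-by-side comparison noah asks for, as an added example that is not part of this thread: a Python helper that parses two `ip xfrm state` dumps (the samples below are constructed, with dummy keys, mirroring the sha1 and sha256 configurations described above), drops the key material, and lists the SA attributes that differ between the working and the non-working system.

```python
"""Compare two `ip xfrm state` dumps and report the SA attributes that differ."""
from typing import Dict, List, Tuple

# Constructed sample dumps in the layout `ip xfrm state` prints; the keys are dummy values.
WORKING_DUMP = """\
src 192.0.2.1 dst 198.51.100.1
\tproto esp spi 0x0a0b0c0d reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha1) 0x0102030405060708090a0b0c0d0e0f1011121314 96
\tenc cbc(aes) 0x000102030405060708090a0b0c0d0e0f
\tanti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
"""
BROKEN_DUMP = """\
src 192.0.2.1 dst 198.51.100.1
\tproto esp spi 0x0a0b0c0d reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha256) 0x0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20 128
\tenc cbc(aes) 0x000102030405060708090a0b0c0d0e0f
\tanti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
"""

SA = Dict[str, str]

def parse_xfrm_state(dump: str) -> Dict[str, SA]:
    """Return {sa_id: attributes}; key material and runtime counters are dropped."""
    sas: Dict[str, SA] = {}
    cur: SA = {}
    for raw in dump.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "src":                          # "src A dst B" opens a new SA
            cur = {"src": words[1], "dst": words[3]}
        elif words[0] in ("proto", "replay-window"):   # key/value pairs on one line
            cur.update(zip(words[0::2], words[1::2]))
            if words[0] == "proto":
                sas[f"{cur['src']}->{cur['dst']} spi {cur['spi']}"] = cur
        elif words[0] in ("auth", "auth-trunc"):       # "auth-trunc ALG 0xKEY BITS"
            cur["auth_alg"] = words[1]
            if words[0] == "auth-trunc":
                cur["auth_trunc_bits"] = words[3]
        elif words[0] == "enc":                        # "enc ALG 0xKEY"
            cur["enc_alg"] = words[1]
        # anything else (anti-replay context, lifetimes, selectors) is ignored
    return sas

def diff_sas(good: Dict[str, SA], bad: Dict[str, SA]) -> List[Tuple[str, str, str, str]]:
    """List (sa_id, attribute, good_value, bad_value) for every attribute that differs."""
    out = []
    for sa_id in sorted(set(good) | set(bad)):
        a, b = good.get(sa_id, {}), bad.get(sa_id, {})
        for attr in sorted(set(a) | set(b)):
            if a.get(attr) != b.get(attr):
                out.append((sa_id, attr, a.get(attr, "<absent>"), b.get(attr, "<absent>")))
    return out

if __name__ == "__main__":
    for sa_id, attr, good, bad in diff_sas(parse_xfrm_state(WORKING_DUMP), parse_xfrm_state(BROKEN_DUMP)):
        print(f"{sa_id}: {attr}: working={good} broken={bad}")
```

Feed it the real output of `ip xfrm state` from both hosts instead of the constructed samples; because keys are dropped, the report can be pasted to a list without leaking SA key material.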