On Wed, Oct 04, 2017 at 10:05:08PM +0200, Bartek Krawczyk wrote:
> In summary: 1. racoon configuration with aes128-cbc, sha256 and 
> pfs2048 doesn't work with MikroTik. 2. changing only sha256 to sha1 
> on racoon and MikroTik solves the problem immediately. 3. MikroTik to 
> MikroTik and MikroTik to strongSwan works as expected.
> 4. PSK is fine, phase 1 and 2 completes properly, setkey -D and setkey -DP 
> shows expected values but packets are dropped.

Once the SA is installed, it's the kernel's responsibility to actually
handle the relevant ipsec encap/decap operations. So the two likely
possibilities that I see are:
 1. Kernel is misbehaving due to kernel bug
 2. Kernel is misbehaving due to improperly configured SA

Can you provide the SA db of a working system (e.g. configured by
strongswan or racoon with sha1) and that of a non-working system, for
comparison? You should be able to use 'setkey' even on a system
configured using strongswan, or you can use 'ip xfrm state'.

For what it's worth, I use the following in most of my configurations
with no issues:

        encryption_algorithm aes 256;
        hash_algorithm sha512;

Thanks
noah

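The comparison noah asks for above (a working SA database next to a non-working one) is easier to read when the two dumps are diffed field by field rather than by eye. The script below is an added example, not part of this thread or of racoon/strongSwan: it parses the text form of `ip xfrm state` and reports, per direction, which SA attributes differ (mode, auth algorithm, ICV truncation length, cipher, key length, replay window) while ignoring SPIs and keys, which change on every negotiation. The two sample dumps are constructed for illustration and are not the poster's real SA databases; the field names `XfrmSA`, `parse_xfrm_state` and `diff_states` are my own.

```python
"""Diff two `ip xfrm state` dumps by SA attribute (added example, constructed data)."""
import re
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional, Tuple

# Constructed sample output in the layout `ip xfrm state` prints (not real captures).
WORKING_DUMP = """\
src 192.0.2.1 dst 192.0.2.2
	proto esp spi 0x0a1b2c3d reqid 1 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha1) 0x0123456789abcdef0123456789abcdef01234567 96
	enc cbc(aes) 0x00112233445566778899aabbccddeeff
src 192.0.2.2 dst 192.0.2.1
	proto esp spi 0x1e2f3a4b reqid 1 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha1) 0x76543210fedcba9876543210fedcba9876543210 96
	enc cbc(aes) 0xffeeddccbbaa99887766554433221100
"""

BROKEN_DUMP = """\
src 192.0.2.1 dst 192.0.2.2
	proto esp spi 0x5c6d7e8f reqid 1 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha256) 0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef 128
	enc cbc(aes) 0x00112233445566778899aabbccddeeff
src 192.0.2.2 dst 192.0.2.1
	proto esp spi 0x9a8b7c6d reqid 1 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha256) 0xfedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210 128
	enc cbc(aes) 0xffeeddccbbaa99887766554433221100
"""


@dataclass
class XfrmSA:
    src: str
    dst: str
    proto: str = ""
    spi: str = ""
    mode: str = ""
    replay_window: Optional[int] = None
    auth_alg: str = ""
    auth_trunc: Optional[int] = None   # ICV length in bits when the kernel reports it
    enc_alg: str = ""
    enc_key_bits: Optional[int] = None


def parse_xfrm_state(text: str) -> List[XfrmSA]:
    """Parse the text form of `ip xfrm state` into one XfrmSA per 'src ... dst ...' block."""
    sas: List[XfrmSA] = []
    cur: Optional[XfrmSA] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("src "):
            m = re.match(r"src (\S+) dst (\S+)", line)
            if m:
                cur = XfrmSA(src=m.group(1), dst=m.group(2))
                sas.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("proto "):
            m = re.match(r"proto (\S+) spi (\S+) reqid \S+ mode (\S+)", line)
            if m:
                cur.proto, cur.spi, cur.mode = m.group(1), m.group(2), m.group(3)
        elif line.startswith("replay-window "):
            cur.replay_window = int(line.split()[1])
        elif line.startswith("auth-trunc "):
            _, alg, _key, trunc = line.split()
            cur.auth_alg, cur.auth_trunc = alg, int(trunc)
        elif line.startswith("auth "):           # older iproute2 without a trunc field
            cur.auth_alg = line.split()[1]
        elif line.startswith("enc "):
            _, alg, key = line.split()
            cur.enc_alg = alg
            cur.enc_key_bits = (len(key) - 2) // 2 * 8   # drop "0x", hex bytes -> bits
    return sas


# Attributes worth comparing; SPIs and key material differ on every negotiation.
COMPARED = ("proto", "mode", "replay_window", "auth_alg", "auth_trunc", "enc_alg", "enc_key_bits")


def diff_states(working: str, broken: str) -> Dict[Tuple[str, str, str], Dict[str, tuple]]:
    """Return {(src, dst, proto): {field: (working_value, broken_value)}} for SAs that differ."""
    def index(sas: List[XfrmSA]) -> Dict[Tuple[str, str, str], XfrmSA]:
        return {(s.src, s.dst, s.proto): s for s in sas}

    a, b = index(parse_xfrm_state(working)), index(parse_xfrm_state(broken))
    out: Dict[Tuple[str, str, str], Dict[str, tuple]] = {}
    for key in sorted(set(a) | set(b)):
        if key not in a or key not in b:
            out[key] = {"present": (key in a, key in b)}   # SA missing on one side
            continue
        da, db = asdict(a[key]), asdict(b[key])
        changed = {f: (da[f], db[f]) for f in COMPARED if da[f] != db[f]}
        if changed:
            out[key] = changed
    return out


if __name__ == "__main__":
    for sa_key, fields in diff_states(WORKING_DUMP, BROKEN_DUMP).items():
        print(sa_key, fields)
```

On a real system feed it the captured output of `ip xfrm state` from each host (redirected to a file) in place of the constructed strings; with the sample data the only differences reported are the auth algorithm and its truncation length, which is exactly the kind of field-level discrepancy a comparison like noah's is meant to surface.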