Yes, this is expected behaviour. With

peer1: ike=aes128-sha1
peer2: ike=3des-md5

the peers just state their preferred algorithms but any other supported algorithms are also accepted by default. If you don't want this standard behaviour then you have to append the '!' *strict* flag:

peer1: ike=aes128-sha1!
peer2: ike=3des-md5!

In this case the IKE negotiation will abort with "NO_COMMON_PROPOSAL".

Best regards

Andreas

On 19.11.2015 05:56, Jayapal Reddy wrote:
Hi,

I have the site to site vpn config where ike in the config has different values. The vpn tunnel is coming up with this config. Is it expected behavior or something wrong?

ike=aes128-sha1
ike=3des-md5

Router104 ---------------public--------------Router103

root@r-104-QA:~# cat /etc/ipsec.d/ipsec.vpn-10.147.52.103.conf
conn vpn-10.147.52.103
        left=10.147.52.106
        leftsubnet=10.10.0.0/16
        leftnexthop=10.147.52.1
        right=10.147.52.103
        rightsubnet=192.168.0.0/16
        type=tunnel
        authby=secret
        keyexchange=ikev1
        ike=aes128-sha1
        ikelifetime=86400s
        esp=aes128-sha1
        lifetime=3600s
        pfs=no
        keyingtries=2
        auto=start
root@r-104-QA:~#
root@r-104-QA:~# ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 169.254.2.237:4500
000 interface eth0/eth0 169.254.2.237:500
000 interface eth1/eth1 10.147.52.106:4500
000 interface eth1/eth1 10.147.52.106:500
000 %myid = '%any'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
000 debug options: none
000
000 "L2TP-PSK": 172.26.0.151[172.26.0.151]:17/1701---10.147.52.1...%any[%any]:17/%any==={10.0.0.0/8}; unrouted; eroute owner: #0
000 "L2TP-PSK": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "L2TP-PSK": policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,8; interface: ;
000 "L2TP-PSK": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "vpn-10.147.52.103": 10.10.0.0/16===10.147.52.106[10.147.52.106]---10.147.52.1...10.147.52.103[10.147.52.103]===192.168.0.0/16; erouted; eroute owner: #11
000 "vpn-10.147.52.103": ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 2
000 "vpn-10.147.52.103": policy: PSK+ENCRYPT+TUNNEL+UP; prio: 16,16; interface: eth1;
000 "vpn-10.147.52.103": newest ISAKMP SA: #8; newest IPsec SA: #11;
000 "vpn-10.147.52.103": IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_1536
000 "vpn-10.147.52.103": ESP proposal: AES_CBC_128/HMAC_SHA1/<N/A>
000
000 #11: "vpn-10.147.52.103" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2366s; newest IPSEC; eroute owner
000 #11: "vpn-10.147.52.103" [email protected] (0 bytes) [email protected] (0 bytes); tunnel
000 #10: "vpn-10.147.52.103" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2599s
000 #10: "vpn-10.147.52.103" [email protected] (0 bytes) [email protected] (0 bytes); tunnel
000 #9: "vpn-10.147.52.103" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2674s
000 #9: "vpn-10.147.52.103" [email protected] (0 bytes) [email protected] (0 bytes); tunnel
000 #8: "vpn-10.147.52.103" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 85088s; newest ISAKMP
000 Status of IKEv2 charon daemon (strongSwan 4.5.2):
  uptime: 13 minutes, since Nov 18 09:00:50 2015
  malloc: sbrk 380928, mmap 0, used 245664, free 135264
  worker threads: 7 idle of 16, job queue load: 0, scheduled events: 0
  loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock
Listening IP addresses:
  169.254.2.237
  10.147.52.106
Connections:
Security Associations:
  none
root@r-104-QA:~#

root@r-103-QA:~# cat /etc/ipsec.d/ipsec.vpn-10.147.52.106.conf
conn vpn-10.147.52.106
        left=10.147.52.103
        leftsubnet=192.168.0.0/16
        leftnexthop=10.147.52.1
        right=10.147.52.106
        rightsubnet=10.10.0.0/16
        type=tunnel
        authby=secret
        keyexchange=ikev1
        ike=3des-md5
        ikelifetime=86400s
        esp=3des-md5
        lifetime=3600s
        pfs=no
        keyingtries=2
        auto=start
root@r-103-QA:~#
root@r-103-QA:~#
root@r-103-QA:~# ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 169.254.1.56:4500
000 interface eth0/eth0 169.254.1.56:500
000 interface eth1/eth1 10.147.52.103:4500
000 interface eth1/eth1 10.147.52.103:500
000 %myid = '%any'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
000 debug options: none
000
000 "L2TP-PSK": 172.26.0.151[172.26.0.151]:17/1701---10.147.52.1...%any[%any]:17/%any==={10.0.0.0/8}; unrouted; eroute owner: #0
000 "L2TP-PSK": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "L2TP-PSK": policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,8; interface: ;
000 "L2TP-PSK": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "vpn-10.147.52.106": 192.168.0.0/16===10.147.52.103[10.147.52.103]---10.147.52.1...10.147.52.106[10.147.52.106]===10.10.0.0/16; erouted; eroute owner: #15
000 "vpn-10.147.52.106": ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 2
000 "vpn-10.147.52.106": policy: PSK+ENCRYPT+TUNNEL+UP; prio: 16,16; interface: eth1;
000 "vpn-10.147.52.106": newest ISAKMP SA: #12; newest IPsec SA: #15;
000 "vpn-10.147.52.106": IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_1536
000 "vpn-10.147.52.106": ESP proposal: AES_CBC_128/HMAC_SHA1/<N/A>
000
000 #15: "vpn-10.147.52.106" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2974s; newest IPSEC; eroute owner
000 #15: "vpn-10.147.52.106" [email protected] (0 bytes) [email protected] (0 bytes); tunnel
000 #14: "vpn-10.147.52.106" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2974s
000 #14: "vpn-10.147.52.106" [email protected] (0 bytes) [email protected] (0 bytes); tunnel
000 #13: "vpn-10.147.52.106" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2974s
000 #13: "vpn-10.147.52.106" [email protected] (0 bytes) [email protected] (0 bytes); tunnel
000 #12: "vpn-10.147.52.106" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 85774s; newest ISAKMP
000 Status of IKEv2 charon daemon (strongSwan 4.5.2):
  uptime: 16 minutes, since Nov 18 08:59:07 2015
  malloc: sbrk 380928, mmap 0, used 245648, free 135280
  worker threads: 7 idle of 16, job queue load: 0, scheduled events: 0
  loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock
Listening IP addresses:
  169.254.1.56
  10.147.52.103
Connections:
Security Associations:
  none

Thanks,
Jayapal

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
-- 
======================================================================
Andreas Steffen                                   [email protected]
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
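An added Python model (not strongSwan code) of the responder-side rule Andreas describes, plus a small ipsec.conf audit for ike=/esp= lines missing the strict flag. The SUPPORTED set, the assumption that the initiator offers only its configured proposals, and the sample conn section are constructed for this example:

```python
import re

# Constructed: algorithm names both peers in the thread have plugins loaded for
# (aes, des, sha1, sha2, md5). Anything outside this set counts as unsupported.
SUPPORTED = {"aes128", "aes256", "3des", "sha1", "sha256", "md5"}


def parse_proposals(value):
    """Split an ike=/esp= value into (proposals, strict).
    'aes128-sha1,3des-md5!' -> (['aes128-sha1', '3des-md5'], True)"""
    value = value.strip()
    strict = value.endswith("!")
    props = [p.strip() for p in value.rstrip("!").split(",") if p.strip()]
    return props, strict


def supported(proposal):
    """A proposal is usable only if every algorithm in it is loaded."""
    return all(alg in SUPPORTED for alg in proposal.split("-"))


def negotiate(initiator_ike, responder_ike):
    """Return the proposal the responder picks, or 'NO_COMMON_PROPOSAL'.
    Assumption: the initiator offers exactly its configured list; the responder
    takes an explicit match, or (without '!') any proposal it supports."""
    offered, _ = parse_proposals(initiator_ike)
    accepted, strict = parse_proposals(responder_ike)
    for proposal in offered:
        if proposal in accepted:
            return proposal                      # explicit match always wins
        if not strict and supported(proposal):
            return proposal                      # default: any supported algorithm
    return "NO_COMMON_PROPOSAL"


def audit_conf(text):
    """List conn sections whose ike=/esp= lines lack the strict flag."""
    findings, conn = [], None
    for line in text.splitlines():
        m = re.match(r"\s*conn\s+(\S+)", line)
        if m:
            conn = m.group(1)
            continue
        m = re.match(r"\s*(ike|esp)\s*=\s*(\S+)", line)
        if m and conn:
            props, strict = parse_proposals(m.group(2))
            if not strict:
                findings.append(f"{conn}: {m.group(1)}={','.join(props)} "
                                "accepts any supported algorithm (append '!')")
    return findings


# Constructed sample: ike= is non-strict, esp= is strict.
CONSTRUCTED_CONF = "conn vpn-example\n\tkeyexchange=ikev1\n\tike=aes128-sha1\n\tesp=aes128-sha1!\n"
```

Run as a script it has no output of its own; call negotiate("aes128-sha1", "3des-md5") to reproduce the thread's result and negotiate("aes128-sha1!", "3des-md5!") to see the strict-mode abort.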
_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
