On Tue, Jan 24, 2017 at 9:56 PM, Jim Thompson <[email protected]> wrote:
> On Tue, Jan 24, 2017 at 12:16 PM, Eero Volotinen <[email protected]> > wrote: > > What hardware is other side running? Why you are trying to use 3des? > > > > Eero > > > > 2017-01-17 16:36 GMT+02:00 Roland Giesler <[email protected]>: > > > >> We've battled all afternoon to establish an IPSec site-to-site > connection. > >> Here's what happens: > >> > >> TimeProcessPIDMessage > >> Jan 17 15:58:53 charon 05[NET] <197> sending packet: from > >> 129.232.232.130[500] to 105.27.116.62[500] (56 bytes) > >> Jan 17 15:58:53 charon 05[ENC] <197> generating INFORMATIONAL_V1 request > >> 2809641300 [ N(NO_PROP) ] > >> Jan 17 15:58:53 charon 05[IKE] <197> no proposal found > >> Jan 17 15:58:53 charon 05[CFG] <197> configured proposals: > >> IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072, > >> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/ > >> CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_ > >> 128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_ > >> SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_ > >> SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_ > >> CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ > >> ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_ > >> 8192/MODP_2048/MODP_2048_256/MODP_1024, > >> IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_ > >> 128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_ > >> 192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/ > >> PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_ > >> MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_ > >> 384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/ > >> MODP_2048_256/MODP_1024 > >> Jan 17 15:58:53 charon 05[CFG] <197> received proposals: > >> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536 > >> Jan 17 15:58:53 charon 05[IKE] <197> 105.27.116.62 is initiating a > >> Aggressive Mode IKE_SA > >> > >> The strange thing is that I have set 3DES and SHA1 to in my setup, yet > it > >> is not being offered. I have also test quite a few other like AES 265 > and > >> SHA2, but they are also not offered. The other side (SonicWall) is > >> offering what we set mutually. > > The other side proposed 3DES-CBC/HMAC-SHA1/MODP_1536. > Your side didn't propose same (search for MODP_1536) > > Search for "Phase 1 DH Group Mismatch" in > https://doc.pfsense.org/index.php/IPsec_Troubleshooting > > not a bug. > If I select 3DES, SHA1 MODP1536 in the pfSense interface and I try to connect and pfSense doesn't offer what I selected, then surely something's wrong? How is setting something to offer ABC and then ABC not being offered not a bug? Roland > > Jim > > >> > >> Is this a bug? If now, how to I force pfSense to behave and start using > >> the settings I set. > >> > >> IPSec IKE V2 with pre-shared key. > >> > >> I'm running 2.3.2_1 > >> > >> Anyone that has seen this? > >> > >> regards > >> > >> > >> Roland Giesler > >> _______________________________________________ > >> pfSense mailing list > >> https://lists.pfsense.org/mailman/listinfo/list > >> Support the project with Gold! https://pfsense.org/gold > >> > > _______________________________________________ > > pfSense mailing list > > https://lists.pfsense.org/mailman/listinfo/list > > Support the project with Gold! https://pfsense.org/gold > _______________________________________________ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
