Hi,
if you observe AH packets this means that ESP is used for encryption
only (without optional ESP MAC) and authentication is done on top of ESP
via AH. You can achieve the same with strongSwan as an initiator if
you set
    auth=ah
Best regards
Andreas
On 05/17/2011 05:31 PM, Zoltan wrote:
Hi Andreas,
Thank you for your answer. I switched on
    auth=ah
and I see the AUTHENTICATE difference in the output:
    initiating Quick Mode PSK+ENCRYPT+AUTHENTICATE+TUNNEL+UP,
but alas, it didn't help. Actually, I don't see any
change in the result (auth.log)
NO_PROPOSAL_CHOSEN
Hmmm,
000 vtest: ESP/AH proposal: 3DES_CBC/HMAC_MD5/N/A
I see that this is a configuration problem with the
rarely used AH option, dating back to Free/SWAN times.
As far as I remember strongSwan always proposes SHA-1
irrespective of the HMAC algorithm you define. In
your case, although you
Forgot to add: the target of this is to have the strongSwan system be
the only initiator of the IKE_SA.
Thanks and Regards
Eduardo M. Torres
On 5/18/2011 8:44 PM, Eduardo Torres wrote:
Hi strongSwan team,
I have the following configuration: StrongSwan in one peer and
Fortinet Security