Re: [strongSwan] Problem: strongswan 5.4 with sha2

2016-10-13 Thread Noel Kuntze
On 13.10.2016 17:40, fatcha...@gmx.de wrote:
> conn siteA
> left=my IP
> leftsubnet=my Subnet
> leftid=my IP
> right=site A IP
> rightsubnet=site A subnet
> rightid=site A ip
> authby=secret
> auto=start
> ikelifetime=28800s
> keylife=3600s
> keyexchange=ikev1
> ike=aes256-sha256-ecp384
> esp=aes256-sha256-modp2048
> 

> Oct 13 17:19:14 tia charon: 16[NET] received packet: from siteAIP[500] to myIP[500] (64 bytes)
> Oct 13 17:19:14 tia charon: 16[ENC] parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
> Oct 13 17:19:14 tia charon: 16[IKE] received NO_PROPOSAL_CHOSEN error notify
> Oct 13 17:19:14 tia charon: 16[IKE] IKE_SA siteA [6] state change: CONNECTING => DESTROYING
> 
> I can see that no proposal was chosen, so which part of the configuration do I have to change?

The remote peer sends that. Pay attention to the exact order of events and what they say.

Try limiting the sent set to only the configured proposal by appending an exclamation mark
at the end of the cipher list. Maybe the software of the remote peer is broken in some way
in the cipher selection.

A remote peer can also send that message when it can't find a matching configuration,
besides the cipher suites.

-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
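The advice above (append "!" so only the configured proposals are sent) and the NO_PROPOSAL_CHOSEN notify in the log, as an added example that is not part of the thread or of strongSwan: a small Python model of which proposals an ike=/esp= value actually offers and which one a responder picks, so the mismatch can be named. The peer configurations and the FALLBACK_DEFAULTS list are constructed assumptions; the daemon's real default list depends on the version.

```python
# Added example (not code from this thread or from strongSwan): model how an
# ipsec.conf ike=/esp= value becomes the proposals offered and how a responder
# picks one, so NO_PROPOSAL_CHOSEN can be traced to the field that did not match.
# FALLBACK_DEFAULTS is a constructed stand-in for the daemon's real default list.

# strongSwan DH keywords -> IANA group numbers (ecp384 = group 20, modp2048 = 14)
DH_GROUPS = {"modp1024": 2, "modp1536": 5, "modp2048": 14, "modp3072": 15,
             "modp4096": 16, "ecp256": 19, "ecp384": 20, "ecp521": 21}
FALLBACK_DEFAULTS = ["aes128-sha256-modp2048", "aes128-sha1-modp1024"]

def parse_proposal(item):
    """'aes256-sha256-ecp384' -> ('aes256', 'sha256', 'ecp384').
    The DH group is optional in esp= (there it only requests PFS)."""
    parts = item.split("-")
    if len(parts) not in (2, 3):
        raise ValueError("unexpected proposal syntax: " + item)
    dh = parts[2] if len(parts) == 3 else None
    if dh is not None and dh not in DH_GROUPS:
        raise ValueError("unknown DH group keyword: " + dh)
    return (parts[0], parts[1], dh)

def proposals_sent(spec, defaults=FALLBACK_DEFAULTS):
    """Ordered list actually offered for an ike=/esp= value. A trailing '!'
    restricts the offer to the configured proposals, else defaults follow."""
    strict = spec.endswith("!")
    items = spec.rstrip("!").split(",")
    if not strict:
        items += [d for d in defaults if d not in items]
    return [parse_proposal(i) for i in items]

def choose(initiator_spec, responder_spec):
    """Responder accepts the first offered proposal it is configured with.
    None models the NO_PROPOSAL_CHOSEN notify seen in the log."""
    accepted = set(proposals_sent(responder_spec))
    for p in proposals_sent(initiator_spec):
        if p in accepted:
            return p
    return None

def first_difference(initiator_spec, responder_spec):
    """Compare each side's first proposal field by field and name the first
    mismatch, e.g. 'DH group ecp384 (group 20) vs modp2048 (group 14)'."""
    fmt = lambda g: "%s (group %d)" % (g, DH_GROUPS[g]) if g else "no PFS"
    a, b = proposals_sent(initiator_spec)[0], proposals_sent(responder_spec)[0]
    for label, x, y in zip(("encryption", "integrity", "DH group"), a, b):
        if x != y:
            x, y = (fmt(x), fmt(y)) if label == "DH group" else (x, y)
            return "%s %s vs %s" % (label, x, y)
    return None
```

Without "!" the model shows a peer may quietly pick one of the appended defaults rather than the suite you meant, which is why the strict form makes the log easier to read.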

Re: [strongSwan] Problem: strongswan 5.4 with sha2

2016-10-13 Thread fatcharly


> Sent: Thursday, 13 October 2016 at 17:32
> From: "Noel Kuntze" <n...@familie-kuntze.de>
> To: fatcha...@gmx.de, "Users strongswan" <users@lists.strongswan.org>
> Subject: Re: [strongSwan] Problem: strongswan 5.4 with sha2
>
> On 13.10.2016 17:28, fatcha...@gmx.de wrote:
> > Hi,
> > 
> > I'm using a strongswan-5.4.0-2.el7.x86_64 on a CentOS 7. I'm trying to 
> > build a VPN connection with the following proposals: 
> > ike: RSA, DH20, AES256/SHA-2
> > esp: DH-14, AES256/SHA-2
> > 
> > I've tried it with this:
> > ike=aes256-sha256-ecp384
> > esp=aes256-sha256-modp2048
> > 
> > but it's not working. Which would be the right setting for this?
> > 
> 
> Please provide configs and logs. My crystal balls are getting repaired right 
> now.
> 
conn siteA
left=my IP
leftsubnet=my Subnet
leftid=my IP
right=site A IP
rightsubnet=site A subnet
rightid=site A ip
authby=secret
auto=start
ikelifetime=28800s
keylife=3600s
keyexchange=ikev1
ike=aes256-sha256-ecp384
esp=aes256-sha256-modp2048

This is shown in the log when I try to start up the connection:
Oct 13 17:19:14 tia charon: 13[CFG] received stroke: initiate 'siteA'
Oct 13 17:19:14 tia charon: 14[IKE] queueing ISAKMP_VENDOR task
Oct 13 17:19:14 tia charon: 14[IKE] queueing ISAKMP_CERT_PRE task
Oct 13 17:19:14 tia charon: 14[IKE] queueing MAIN_MODE task
Oct 13 17:19:14 tia charon: 14[IKE] queueing ISAKMP_CERT_POST task
Oct 13 17:19:14 tia charon: 14[IKE] queueing ISAKMP_NATD task
Oct 13 17:19:14 tia charon: 14[IKE] queueing QUICK_MODE task
Oct 13 17:19:14 tia charon: 14[IKE] activating new tasks
Oct 13 17:19:14 tia charon: 14[IKE]   activating ISAKMP_VENDOR task
Oct 13 17:19:14 tia charon: 14[IKE]   activating ISAKMP_CERT_PRE task
Oct 13 17:19:14 tia charon: 14[IKE]   activating MAIN_MODE task
Oct 13 17:19:14 tia charon: 14[IKE]   activating ISAKMP_CERT_POST task
Oct 13 17:19:14 tia charon: 14[IKE]   activating ISAKMP_NATD task
Oct 13 17:19:14 tia charon: 14[IKE] sending XAuth vendor ID
Oct 13 17:19:14 tia charon: 14[IKE] sending DPD vendor ID
Oct 13 17:19:14 tia charon: 14[IKE] sending NAT-T (RFC 3947) vendor ID
Oct 13 17:19:14 tia charon: 14[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 13 17:19:14 tia charon: 14[IKE] initiating Main Mode IKE_SA siteA [6] to IP siteA
Oct 13 17:19:14 tia charon: 14[IKE] IKE_SA siteA [6] state change: CREATED => CONNECTING
Oct 13 17:19:14 tia charon: 14[ENC] generating ID_PROT request 0 [ SA V V V V ]
Oct 13 17:19:14 tia charon: 14[NET] sending packet: from myIP[500] to siteAIP[500] (216 bytes)
Oct 13 17:19:14 tia charon: 16[NET] received packet: from siteAIP[500] to myIP[500] (64 bytes)
Oct 13 17:19:14 tia charon: 16[ENC] parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
Oct 13 17:19:14 tia charon: 16[IKE] received NO_PROPOSAL_CHOSEN error notify
Oct 13 17:19:14 tia charon: 16[IKE] IKE_SA siteA [6] state change: CONNECTING => DESTROYING

I can see that no proposal was chosen, so which part of the configuration do I have to change?

Kind regards

fatcharly

Re: [strongSwan] Problem: strongswan 5.4 with sha2

2016-10-13 Thread Noel Kuntze
On 13.10.2016 17:28, fatcha...@gmx.de wrote:
> Hi,
> 
> I'm using a strongswan-5.4.0-2.el7.x86_64 on a CentOS 7. I'm trying to build 
> a VPN connection with the following proposals: 
> ike: RSA, DH20, AES256/SHA-2
> esp: DH-14, AES256/SHA-2
> 
> I've tried it with this:
> ike=aes256-sha256-ecp384
> esp=aes256-sha256-modp2048
> 
> but it's not working. Which would be the right setting for this?
> 

Please provide configs and logs. My crystal balls are getting repaired right 
now.

-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
