Dear All,
we recently added a new VPN for a customer using IKEv2.
Here is the config:

conn myName
        authby=secret
        disablearrivalcheck=no
        # Local
        left=%defaultroute
        leftid=x.x.x.x
        leftsubnet=
        # Remote
        right=a.a.a.a
        rightid=a.a.a.a
        rightsubnet=
        # PHASE 1
        # negotiation mode
        aggrmode=no
        ikev2=insist
        narrowing=no
        ike=aes256-sha2_512;modp2048
        ikelifetime=24h
        # PHASE 2
        type=tunnel
        phase2=esp
        phase2alg=aes256-sha2_512;modp2048
        salifetime=1h
        pfs=yes
        auto=start

If we start the tunnel everything works and the tunnel is correctly established:

Oct 18 10:46:16 lofw pluto[1411]:  #579: initiating v2 parent SA
Oct 18 10:46:16 lofw pluto[1411]: #579: myName IKE proposals: 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2-512;INTEG=HMAC_SHA2_512_256;DH=MODP2048
Oct 18 10:46:16 lofw pluto[1411]: #579: STATE_PARENT_I1: sent v2I1, expected v2R1
Oct 18 10:46:16 lofw pluto[1411]: #579: myName ESP/AH proposals: 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;ESN=DISABLED
Oct 18 10:46:16 lofw pluto[1411]: #580: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_256 integ=sha512_256 prf=OAKLEY_SHA2_512 group=MODP2048}
Oct 18 10:46:16 lofw pluto[1411]: #580: IKEv2 mode peer ID is ID_IPV4_ADDR: 'a.a.a.a'
Oct 18 10:46:16 lofw pluto[1411]: #580: negotiated connection [......] -> [....]
Oct 18 10:46:16 lofw pluto[1411]: #580: STATE_PARENT_I3: PARENT SA established tunnel mode {ESP.....


Instead, if the process is started from the other side, they send us different proposals:

Oct 18 10:45:24 lofw pluto[1411]: packet from a.a.a.a:500: proposal 2:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2-256;INTEG=HMAC_SHA2_256_128;DH=MODP2048
   chosen from:
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2-512;INTEG=HMAC_SHA2_512_256;DH=MODP2048
2:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2-256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match]
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP2048

and we end up choosing option 2 instead of option 1, and the tunnel is not working.

Any idea why that is happening?
I think option 1 is the only one matching the configuration, or am I wrong?


Thanks
Renzo



_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
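As an added example (not part of the post or of libreswan), the following script compares the proposal a peer picked, as pluto logs it, against the ike= line in ipsec.conf and reports every attribute that differs, which is the check the poster is doing by eye above. The keyword-to-log-name table is an assumption limited to the algorithm names that appear in this thread; the log line is constructed to match the shape of the one quoted.

```python
import re

# Assumed mapping from ipsec.conf ike= keywords to the names pluto prints in
# proposal lines; it covers only the algorithms seen in this thread.
ENCR = {"aes256": "AES_CBC_256"}
# integrity keyword -> (INTEG name, PRF name); libreswan derives both from one keyword
INTEG = {
    "sha2_512": ("HMAC_SHA2_512_256", "HMAC_SHA2-512"),
    "sha2_256": ("HMAC_SHA2_256_128", "HMAC_SHA2-256"),
    "sha1": ("HMAC_SHA1_96", "HMAC_SHA1"),
}
DH = {"modp2048": "MODP2048"}

def expected_from_ike_line(ike: str) -> dict:
    """Expand an ike= value such as 'aes256-sha2_512;modp2048' into the
    ENCR/PRF/INTEG/DH names that pluto logs for the same proposal."""
    algs, dh = ike.split(";")
    encr, integ = algs.split("-")
    integ_name, prf_name = INTEG[integ]
    return {"ENCR": ENCR[encr], "PRF": prf_name, "INTEG": integ_name, "DH": DH[dh]}

PROPOSAL_RE = re.compile(r"proposal \d+:IKE:(\S+)")

def parse_logged_proposal(line: str) -> dict:
    """Pull the 'ENCR=...;PRF=...;INTEG=...;DH=...' attributes out of a
    'packet from ...: proposal N:IKE:...' log line."""
    m = PROPOSAL_RE.search(line)
    if not m:
        raise ValueError("no IKE proposal found in line")
    return dict(kv.split("=", 1) for kv in m.group(1).split(";"))

def policy_mismatches(ike: str, line: str) -> dict:
    """Return {attribute: (configured, negotiated)} for each attribute where
    the proposal the peer chose differs from the configured ike= policy."""
    want = expected_from_ike_line(ike)
    got = parse_logged_proposal(line)
    return {k: (want[k], got.get(k)) for k in want if want[k] != got.get(k)}

# Constructed log line shaped like the responder-side line quoted in the post.
LOG_LINE = ("Oct 18 10:45:24 lofw pluto[1411]: packet from a.a.a.a:500: proposal "
            "2:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2-256;INTEG=HMAC_SHA2_256_128;DH=MODP2048")

if __name__ == "__main__":
    for attr, (want, got) in policy_mismatches("aes256-sha2_512;modp2048", LOG_LINE).items():
        print(f"{attr}: configured {want}, peer negotiated {got}")
```

Run against the poster's line it reports PRF and INTEG as the two attributes that drifted from the configured sha2_512, while ENCR and DH still match.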