Don't ask why.
A couple of differences with the machine certificate installation and how the 
system actually picks them up, [email protected] makes extra double sure the 
machine can find the right client cert.
Set the registry DWORD for 2048 DH sets and now I get a policy error and 
NO_PROPOSAL_CHOSEN on re-key.
Jan 31 22:32:59 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[35] 22.22.22.22 #389: proposal 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP2048[first-match] 2:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP2048 3:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP2048
Jan 31 22:32:59 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[35] 22.22.22.22 #389: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP2048}
Jan 31 22:32:59 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[35] 22.22.22.22 #389: certificate verified OK: O=w7test,[email protected]
Jan 31 22:32:59 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[35] 22.22.22.22 #389: IKEv2 mode peer ID is ID_DER_ASN1_DN: '[email protected], O=w7test'
Jan 31 22:32:59 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[35] 22.22.22.22 #389: Authenticated using RSA
Jan 31 22:32:59 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[35] 22.22.22.22 #389: no local proposal matches remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED 2:ESP:ENCR=3DES;INTEG=HMAC_SHA1_96;ESN=DISABLED
Jan 31 22:32:59 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[35] 22.22.22.22 #389: IKE_AUTH responder matching remote ESP/AH proposals failed, responder SA processing returned STF_FAIL+v2N_NO_PROPOSAL_CHOSEN
Jan 31 22:32:59 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[35] 22.22.22.22 #390: responding to IKE_AUTH message (ID 1) from 22.22.22.22:64153 with encrypted notification NO_PROPOSAL_CHOSEN
The relevant line in the ipsec.conf file is:
ike=aes256-sha2_512;modp2048,aes128-sha2_512;modp2048,aes256-sha1;modp2048,aes128-sha1;modp2048,aes-sha2;modp2048,aes256-sha1;modp1024,aes128-sha1;modp1024,aes-sha2;modp1024
For some reason Windows 7 still didn't want to play with the 1024 DH in spite 
of them being on the list above too, but that's not the problem I think.
Thoughts? What obvious step did I miss here?
Jan
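For anyone reading this thread later: the log above shows the IKE SA proposal being chosen (AES_CBC_256/HMAC_SHA1/MODP2048), the peer's certificate verifying and RSA authentication succeeding, and only the child ESP proposal matching failing, so it is the ESP proposals (the libreswan `esp=` line), not the quoted `ike=` line, that the NO_PROPOSAL_CHOSEN refers to. The script below is an added example written for this post; it is not libreswan code and not the poster's. It splits pluto syslog output that has been run together on copy/paste, parses the `N:PROTO:K=V;...` proposal strings, and checks a hypothetical local `esp=` string against the ESP proposals the peer offered. The algorithm-name mapping is a small subset assumed for the example, and "first remote proposal any local entry accepts" is a simplification of the responder's real selection logic.

```python
"""Parse libreswan pluto proposal log lines and test a local esp= string
against the peer's ESP proposals. Example helper, not part of libreswan."""
import re
from typing import Dict, List, Optional

Proposal = Dict[str, str]

# Constructed sample: two of the lines from the post, deliberately run
# together the way pasted syslog output often arrives.
SAMPLE_LOG = (
    'Jan 31 22:32:59 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[35] 22.22.22.22 #389: '
    'proposal 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP2048 '
    'chosen from remote proposals '
    '1:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP2048[first-match] '
    '2:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP2048'
    'Jan 31 22:32:59 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[35] 22.22.22.22 #389: '
    'no local proposal matches remote proposals '
    '1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED '
    '2:ESP:ENCR=3DES;INTEG=HMAC_SHA1_96;ESN=DISABLED'
)

# Zero-width split wherever a new "Mon DD HH:MM:SS " syslog timestamp begins.
_LINE_START = re.compile(
    r'(?=(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) {1,2}\d{1,2} \d{2}:\d{2}:\d{2} )'
)
# One proposal as pluto prints it, e.g. 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED
_PROPOSAL = re.compile(r'(\d+):(IKE|ESP|AH):([A-Z0-9_=;]+)')

# libreswan esp= keyword -> attribute value pluto logs (assumed subset for this example).
_ENCR = {'aes256': 'AES_CBC_256', 'aes128': 'AES_CBC_128', '3des': '3DES'}
_INTEG = {'sha1': 'HMAC_SHA1_96', 'sha2_256': 'HMAC_SHA2_256_128',
          'sha2_384': 'HMAC_SHA2_384_192', 'sha2_512': 'HMAC_SHA2_512_256'}


def split_log(text: str) -> List[str]:
    """Recover individual syslog lines from pasted, run-together output."""
    return [ln.strip() for ln in _LINE_START.split(text) if ln.strip()]


def parse_proposals(fragment: str) -> List[Proposal]:
    """Turn every 'N:PROTO:K=V;K=V' in the fragment into a dict."""
    out: List[Proposal] = []
    for num, proto, attrs in _PROPOSAL.findall(fragment):
        p: Proposal = {'num': num, 'proto': proto}
        for kv in attrs.split(';'):
            k, _, v = kv.partition('=')
            if k:
                p[k] = v
        out.append(p)
    return out


def extract_events(text: str) -> Dict[str, object]:
    """Pull the chosen IKE proposal and any rejected child proposals out of the log."""
    ev: Dict[str, object] = {'ike_chosen': None, 'ike_remote': [], 'esp_rejected': []}
    for line in split_log(text):
        if 'chosen from remote proposals' in line:
            left, _, right = line.partition('chosen from remote proposals')
            chosen = parse_proposals(left)
            ev['ike_chosen'] = chosen[0] if chosen else None
            ev['ike_remote'] = parse_proposals(right)
        elif 'no local proposal matches remote proposals' in line:
            rest = line.partition('no local proposal matches remote proposals')[2]
            ev['esp_rejected'] = parse_proposals(rest)
    return ev


def parse_local_esp(esp: str) -> List[Proposal]:
    """Parse a libreswan-style esp= value such as 'aes256-sha2_512;modp2048,aes128-sha1'."""
    out: List[Proposal] = []
    for item in esp.split(','):
        algs = item.strip().split(';')[0]  # drop the ';modpNNNN' PFS group; not compared here
        enc, _, integ = algs.partition('-')
        if enc not in _ENCR or integ not in _INTEG:
            raise ValueError(f'unsupported esp= entry for this example: {item!r}')
        out.append({'ENCR': _ENCR[enc], 'INTEG': _INTEG[integ]})
    return out


def first_match(local: List[Proposal], remote: List[Proposal]) -> Optional[str]:
    """Number of the first remote proposal that some local entry accepts, else None."""
    for r in remote:
        for loc in local:
            if r.get('ENCR') == loc['ENCR'] and r.get('INTEG') == loc['INTEG']:
                return r['num']
    return None


def diagnose(log_text: str, local_esp: str) -> Dict[str, object]:
    """Combine log parsing with a what-if check of a candidate esp= line."""
    ev = extract_events(log_text)
    ev['esp_would_match'] = first_match(parse_local_esp(local_esp), ev['esp_rejected'])  # type: ignore[arg-type]
    return ev


if __name__ == '__main__':
    for candidate in ('aes256-sha2_512;modp2048,aes128-sha2_512;modp2048', 'aes256-sha2_512,aes256-sha1'):
        print(candidate, '->', diagnose(SAMPLE_LOG, candidate)['esp_would_match'])
```

The `esp_rejected` list is what the peer actually offered, so comparing a candidate `esp=` against it tells you before a restart whether the child SA would negotiate; a `None` from `diagnose` means the candidate still shares no ENCR/INTEG pair with the peer.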
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
