Just in case it helps someone:

Came across another Win10 laptop yesterday that would not connect, even though all the other Win10 laptops do. I ended up setting both esp= and ike= to make it work, like so:

   esp=aes256-sha1-modp1024
   ike=aes256-sha1-modp1024


On 2019-10-04 11:29 a.m., Computerisms Corporation wrote:
Hi Again,

Turns out that brand-new laptop still does connect so long as I do not specify an ike/esp line. In the debug logs, it seems to choose this proposal:

IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP2048[first-match]

Not sure how that helps me get the other ones connected, but it is interesting, at least...

In the debug logs, I think this is the line that indicates what windows is proposing that libreswan is rejecting:

pluto[30250]: "rw-ikev2"[1] 50.117.137.129 #5: no local proposal matches remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED 2:ESP:ENCR=3DES;INTEG=HMAC_SHA1_96;ESN=DISABLED

so I put this in my conn:

esp=aes256-sha1-modp1024

and the connection worked.

so I go back to the wiki, which tells me to use this:

esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024

and I believe from reading the man page on the topic that this should also match the aes256-sha1-modp1024 proposal; however, evidence clearly indicates it does not.

I tried messing with the syntax of the wiki line a bit, but nothing I did worked; I am really not clear what I am missing. Did I find a problem that isn't supposed to be there? Or am I just stuck with only accepting the single esp proposal?



How do I interpret this and translate it to

On 2019-10-04 9:30 a.m., Computerisms Corporation wrote:
Hi Nels and Paul,

Apologies for the delayed reply; I was overly busy at the moment and duct-taped the immediate issue with some iptables rules and port forwarding. But I need something better, and I am back to trying to solve this now.

I tried setting ikev2 from yes to no, sadly did not change the situation.

Oddly enough, I put a brand-new setup together about a week ago, with a brand-new laptop, and it connected fine. Yesterday I configured a bunch of other laptops to connect to that same firewall, and now nothing connects to it. That causes me to wonder if a Windows update that wasn't installed to begin with is there now on the brand-new laptop.

Regardless, I faced this problem with Windows 7 way back, and I managed to solve it that time with a post I found on the strongSwan list. So my instinct is telling me I need to find the correct ike=/esp= lines to fix this problem. I did find a post from strongSwan from Oct/Nov 2018:

https://wiki.strongswan.org/issues/2808

But none of those cipher lines worked.

Similarly there are a set of ciphers listed on the libreswan wiki under the no_proposal_chosen section, and those are not working either.

I am thinking the next task is to go through the debug log and find out what proposals Windows is expecting, and try to construct appropriate ike=/esp= lines. I found the parts of the man page that explain how to write the ciphers, but I am having a hard time translating the log entries into valid cipher descriptions for the conf file.

Posting the debug log here in case any one is interested in having a look...

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan

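The thread's open question is how to read pluto's "remote proposals" debug output and turn it into ike=/esp= values. The following is an added example, not code from the thread or from libreswan: a small Python helper that parses the two kinds of log line quoted above (the chosen IKE proposal with its "[first-match]" suffix, and the "no local proposal matches remote proposals ..." line) into ipsec.conf proposal strings. The sample log lines are constructed from the thread; the transform-name-to-keyword tables are an assumption based on the keyword spellings the thread itself uses (aes256, 3des, sha1, sha2_256, modp1024, modp2048), so verify them against ipsec.conf(5) for your libreswan version before relying on them.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the two pluto debug lines quoted in the thread.
SAMPLE_IKE = "IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP2048[first-match]"
SAMPLE_ESP = (
    'pluto[30250]: "rw-ikev2"[1] 50.117.137.129 #5: no local proposal matches '
    "remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED "
    "2:ESP:ENCR=3DES;INTEG=HMAC_SHA1_96;ESN=DISABLED"
)

# IKEv2 transform names as pluto logs them -> ipsec.conf(5) keywords.
# ASSUMPTION: keyword spellings follow the examples in the thread; names not
# listed here raise an error instead of being guessed, so extend as needed.
ENCR = {"AES_CBC_128": "aes128", "AES_CBC_192": "aes192", "AES_CBC_256": "aes256", "3DES": "3des"}
INTEG = {"HMAC_SHA1_96": "sha1", "HMAC_SHA2_256_128": "sha2_256", "HMAC_SHA2_512_256": "sha2_512", "NONE": "null"}
DH = {"MODP1024": "modp1024", "MODP1536": "modp1536", "MODP2048": "modp2048"}

# "1:ESP:ENCR=...;INTEG=...;ESN=DISABLED" or "IKE:ENCR=...;DH=MODP2048[first-match]".
# The body stops at the first character that is not part of a transform list,
# which is what drops trailing noise such as "[first-match]".
PROPOSAL_RE = re.compile(r"(?:\d+:)?(?P<proto>IKE|ESP|AH):(?P<body>[A-Z0-9_=;]+)")


def parse_proposals(line: str) -> List[Tuple[str, Dict[str, str]]]:
    """Return [(proto, {transform_type: name, ...}), ...] for every proposal on the line."""
    found = []
    for m in PROPOSAL_RE.finditer(line):
        attrs = dict(item.split("=", 1) for item in m.group("body").split(";") if "=" in item)
        found.append((m.group("proto"), attrs))
    return found


def _lookup(table: Dict[str, str], name: str, kind: str) -> str:
    try:
        return table[name]
    except KeyError:
        raise ValueError(f"no ipsec.conf keyword known for {kind}={name}; extend the table") from None


def to_conf(attrs: Dict[str, str]) -> str:
    """Render one proposal as encr-integ[;dhgroup]. PRF is left implicit and ESN is ignored
    (assumption: libreswan derives the PRF from the integrity algorithm when none is given)."""
    encr = _lookup(ENCR, attrs["ENCR"], "ENCR")
    integ = _lookup(INTEG, attrs.get("INTEG", "NONE"), "INTEG")
    prop = f"{encr}-{integ}"
    if "DH" in attrs:
        prop += ";" + _lookup(DH, attrs["DH"], "DH")
    return prop


def conf_lines(*log_lines: str) -> Dict[str, str]:
    """Collect proposals from one or more log lines into {"ike": "...", "esp": "..."} values,
    preserving the peer's order and dropping duplicates."""
    by_proto: Dict[str, List[str]] = {}
    for line in log_lines:
        for proto, attrs in parse_proposals(line):
            rendered = to_conf(attrs)
            bucket = by_proto.setdefault(proto, [])
            if rendered not in bucket:
                bucket.append(rendered)
    keyword = {"IKE": "ike", "ESP": "esp", "AH": "ah"}
    return {keyword[p]: ",".join(v) for p, v in by_proto.items()}


if __name__ == "__main__":
    for key, value in conf_lines(SAMPLE_IKE, SAMPLE_ESP).items():
        print(f"{key}={value}")
```

For the two lines from the thread this prints `ike=aes256-sha2_256;modp2048` and `esp=aes256-sha1,3des-sha1`. The helper emits the `;modpN` form for the DH group; the thread shows that the dash-joined `aes256-sha1-modp1024` spelling is also accepted. The point of the ESP output is that the peer offered two proposals, and a local esp= line only has to contain one of them in a compatible form for negotiation to succeed.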