On Mon, 8 Mar 2021, Miguel Ponce Antolin wrote:
> I think we are facing issues with the IKE algorithms.
> The Cisco peer has the following configuration:
> - pfs group14
> - ikev2 ipsec-proposal AES256-SHA256
> - security-association lifetime seconds 28800
> So the libreswan side is configured in ipsec.d/vpn.conf with similar
> parameters, using the latest version from the yum repository, 3.25:
>
> conn vpn
>     type=tunnel
>     authby=secret
>     auto=start
>     left=%defaultroute
>     leftid=xxx.xxx.xxx.120
>     leftsubnets=10.xxx.xxx.xxx/28
>     right=xxx.xxx.xxx.45
>     rightsubnets=xxx.xxx.xxx.17/32
>     leftsourceip=xxx.xxx.xxx.92
>     leftnexthop=%defaultroute
>     ikev2=insist
>     ike=aes256-sha2;dh14
>     keyexchange=ike
>     ikelifetime=28800s
>     salifetime=28800s
>     dpddelay=30
>     dpdtimeout=120
>     dpdaction=restart
>     remote_peer_type=cisco
>     aggrmode=yes
>     initial-contact=yes
>     encapsulation=no
Delete the lines with remote_peer_type, aggrmode, and encapsulation.

Try using ike=aes256-sha2_256;dh14
> Mar 8 12:33:25.540325: | selected state microcode Initiator: process AUTHENTICATION_FAILED AUTH notification
It could also be that they are expecting a different leftid= than you think?

Despite them claiming pfs, you can try pfs=no as well to see if that
makes a difference.
Paul
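The two concrete suggestions in the reply above (drop the three keywords, spell the integrity algorithm out as sha2_256) written up as a small checker. This is added example code, not from the thread or from libreswan; the conn text is constructed from Miguel's post with the addresses left out, and the leftid= and pfs= questions are not something a local check can settle.

```python
# Added example (not code from the thread or from libreswan): apply the reply's two
# concrete suggestions to a conn section. POSTED_CONF is constructed from the post.
POSTED_CONF = """\
conn vpn
    ikev2=insist
    ike=aes256-sha2;dh14
    remote_peer_type=cisco
    aggrmode=yes
    encapsulation=no
"""
DROP_KEYS = {"remote_peer_type", "aggrmode", "encapsulation"}  # reply: delete these

def parse_conn(text):
    """Return {conn_name: {keyword: value}} for an ipsec.conf-style fragment."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            conns[current][key.strip().lower()] = value.strip()
    return conns

def parse_ike(spec):
    """Split 'aes256-sha2;dh14,aes_gcm;dh19' into (encr, integ, dh) tuples."""
    result = []
    for proposal in spec.split(","):
        algs, _, dh = proposal.partition(";")
        encr, _, integ = algs.partition("-")
        result.append((encr, integ, dh))
    return result

def render_ike(proposals):
    """Inverse of parse_ike(); tolerates a missing integ or dh part."""
    return ",".join((f"{e}-{i}" if i else e) + (f";{d}" if d else "")
                    for e, i, d in proposals)

def fix_conn(params):
    """Apply the reply's suggestions; return (fixed_params, list_of_changes)."""
    changes = [f"removed {k}={params[k]}" for k in sorted(DROP_KEYS & set(params))]
    fixed = {k: v for k, v in params.items() if k not in DROP_KEYS}
    if "ike" in fixed:  # spell the integrity algorithm out as sha2_256
        new = render_ike([(e, "sha2_256" if i == "sha2" else i, d)
                          for e, i, d in parse_ike(fixed["ike"])])
        if new != fixed["ike"]:
            changes.append(f"ike: {fixed['ike']} -> {new}")
            fixed["ike"] = new
    return fixed, changes
```

Running fix_conn(parse_conn(POSTED_CONF)["vpn"]) lists the three removed keywords and the rewritten ike= line, and returns the conn parameters to put back into vpn.conf.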
_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan