On 10/03/2021 11:17, Miguel Ponce Antolin wrote:
Thanks for your answer Paul,
I have tried the options you said with similar results, the connection
is not stablished in any case.
The other side configuration is mandatory, so the AES256 must be effective.
We have seen that the aes256 configuration selects AES_CBC and the 256
bit option have to be selected.
Does libreswan accepts this 256 bits option on AES_CBC?
Looking on the libreswan wiki the Implemented Standards
<https://libreswan.org/wiki/Implemented_Standards> I can see that the
option is possible but I cannot assure that when cipherkey is selected
as AES_CBC the 256 bits are selected.
The other peer is sure that the problem is about this and I don't know
if the 256 bits option is effective when the Payload is negotiated.
Maybe you can bring me some clarity,
Thanks in advance!
El mié, 10 mar 2021 a las 4:16, Paul Wouters (<[email protected]
<mailto:[email protected]>>) escribió:
On Mon, 8 Mar 2021, Miguel Ponce Antolin wrote:
> I think we are facing issues with the IKE algorithms.
>
> The Cisco peer has the next configuration:
> - pfs group14
> - ikev2 ipsec-proposal AES256-SHA256
> - security-association lifetime seconds 28800
>
> So the libreswan side is configured in the ipsec.d/vpn.conf with
similar parameters using the yum repository last version 3.25:
>
> conn vpn
> type=tunnel
> authby=secret
> auto=start
> left=%defaultroute
> leftid=xxx.xxx.xxx.120
> leftsubnets=10.xxx.xxx.xxx/28
> right=xxx.xxx.xxx.45
> rightsubnets=xxx.xxx.xxx.17/32
> leftsourceip=xxx.xxx.xxx.92
> leftnexthop=%defaultroute
> ikev2=insist
> ike=aes256-sha2;dh14
> keyexchange=ike
> ikelifetime=28800s
> salifetime=28800s
> dpddelay=30
> dpdtimeout=120
> dpdaction=restart
> remote_peer_type=cisco
> aggrmode=yes
> initial-contact=yes
> encapsulation=no
Delete the lines with remote_peer_type, aggrmode, and encapsulation
Try using ike=aes256-sha2_256;dh14
> Mar 8 12:33:25.540325: | selected state microcode Initiator:
process AUTHENTICATION_FAILED AUTH notification
It could also be that they are expected a different leftid= then you
think?
Despite them claiming pfs, you can try pfs=no as well to see if that
makes a difference.
Paul
--
Logo Especialidad
*Miguel Ponce Antolín.*
Sistemas · +34 670 360 655
Linea
Logo Paradigma · paradig.ma <https://www.paradigmadigital.com/> ·
contáctanos <https://www.paradigmadigital.com/contacto> · Twitter
<https://twitter.com/paradigmate> Youtube
<https://www.youtube.com/user/ParadigmaTe?feature=watch> Linkedin
<https://www.linkedin.com/company/paradigma-digital/> Instagram
<https://www.instagram.com/paradigma_digital/?hl=es>
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
Is "sha2-truncbug = yes" relevant?
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
