Setting

  ike=3des-md5-modp1024

means that strongSwan as an initiator is proposing only the md5 hash
to the mikrotik box and therefore fails but as a responder strongSwan
accepts any supported algorithm and therefore succeeds.

In order to avoid such asymmetries I propose to set the strict flag '!'
as in

  ike=3des-sha1-modp1024!

so that strongSwan as initiator proposes SHA-1 and as a responder
accepts SHA-1 only.

Regards

Andreas

On 27.07.2010 12:44, zux wrote:
> yeah, that did it. thanks. but I still don't get what was the catch?
> probably because I don't completely understand how to translate how they
> name options on mikrotik and how they are named in strongswan
>
> On 07/27/2010 12:49 PM, Andreas Steffen wrote:
>> And if you set
>>
>>   ike=3des-sha1-modp1024
>>   esp=3des-md5
>>
>> Regards
>>
>> Andreas
>>
>> On 27.07.2010 10:34, zux wrote:
>>
>>> Hello,
>>> I'm new to strongswan and ipsec and I'm having problems with configuring
>>> strongswan to work with mikrotik router, the strange thing is that
>>> mikrotik is able to initiate the connection and everything works then,
>>> but strongswan can not initiate the connection. The problem is, that if
>>> the strongswan box is rebooted, the connection is not reestablished
>>> until I reset it from the mikrotik side. The configuration on the
>>> mikrotik is the same as others that work well between other mikrotik
>>> boxes. Besides, I have changed the lifetime on mikrotik from 1 day to
>>> one hour, and then if I reboot strongswan, the connection is established
>>> after that hour. (or less, if the connection was up for some time)
>>> I'm sorry if this problem has nothing to do with strongswan, but maybe
>>> someone can give some useful tips.
>>>
>>> The error on Mikrotik, when strongswan tries to connect is this:
>>>
>>> Recieved ISAKMP packet from<strongswan IP>, phase 1, Identity Protection
>>> responding phase 1, starting mode Identity Protection (local<mikrotik
>>> IP>:500)(remote<strongswan IP>)
>>> no acceptable proposal found (remote unknown)
>>> failed to process packet
>>>
>>> This is the mikrotik configuration:
>>>
>>> Ipsec Policy:
>>> Src. Address: 192.168.1.0/24
>>> Dst. Address: 192.168.156.0/24
>>> Action: encrypt
>>> Level: require
>>> IPsec Protocols: esp
>>> Tunnel = yes
>>> SA Src. Address:<mikrotik IP>
>>> SA Dst. Address:<strongswan IP>
>>> Proposal: pleskava
>>> Manual SA: None
>>>
>>> IPsec Peer:
>>> Address:<strongswan IP>
>>> Port: 500
>>> Secret:<password>
>>> Exchange Mode: main
>>> Send initial Contact = yes
>>> Proposal Check: obey
>>> Hash Algoritm: sha
>>> Encrypt Algorithm: 3des
>>> DH Group: modp1024
>>> Generate policy = yes
>>> Lifetime: 1d 00:00:00
>>>
>>> Ipsec Proposal:
>>> Name: pleskava
>>> Auth. Algorithms: md5
>>> Encr. Algorithms: 3des
>>> Lifetime: 01:00:00
>>> PFS Goup: none
>>>
>>>
>>> and this is strongswan configuration:
>>> r...@kristaps:~# cat /etc/ipsec.conf
>>> # ipsec.conf - strongSwan IPsec configuration file
>>>
>>> # basic configuration
>>>
>>> config setup
>>>     interfaces="ipsec0=eth0"
>>>     klipsdebug=none
>>>     plutodebug=all
>>>     uniqueids=yes
>>>
>>> conn %default
>>>     keyingtries=0
>>>     authby=rsasig
>>>
>>> conn riga
>>>     left=<stronswan IP>
>>>     leftsubnet=192.168.156.0/24
>>>     right=<mikrotik IP>
>>>     rightsubnet=192.168.1.0/24
>>>     keyexchange=ike
>>>     authby=secret
>>>     auth=esp
>>>     ike=3des-md5-modp1024
>>>     esp=3des-md5-modp1024
>>>     pfs=no
>>>     type=tunnel
>>>     auto=start
>>>
>>>
>>> r...@kristaps:~# cat /etc/ipsec.secrets
>>> <strongswan IP> <mikrotik IP> : PSK "password"
>>>
>>> _______________________________________________
>>> Users mailing list
>>> [email protected]
>>> https://lists.strongswan.org/mailman/listinfo/users

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
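
The initiator/responder asymmetry explained in the reply above, as an added example that is not part of the original thread and not strongSwan code. It is a simplified model: the SUPPORTED set is a constructed sample, the peer is assumed to accept only its own configured values, and MikroTik's "sha" is taken to mean SHA-1 as in the reply.

```python
# Simplified model of the phase 1 proposal matching described in the thread.
# Assumptions: SUPPORTED is a constructed sample (not strongSwan's real list)
# and the MikroTik peer accepts only the exact values it is configured with.

SUPPORTED = {
    "enc": {"3des", "aes128", "aes256"},
    "hash": {"md5", "sha1"},
    "dh": {"modp1024", "modp1536", "modp2048"},
}

# Peer settings from the thread: hash sha (SHA-1), encryption 3des, DH modp1024.
MIKROTIK = {"enc": "3des", "hash": "sha1", "dh": "modp1024"}


def parse_ike(value):
    """Parse an ipsec.conf ike= value such as '3des-sha1-modp1024!'."""
    strict = value.endswith("!")
    enc, hash_, dh = value.rstrip("!").split("-")
    return {"enc": enc, "hash": hash_, "dh": dh}, strict


def initiator_offer(ike_value):
    """As initiator, only the configured proposal is sent."""
    proposal, _ = parse_ike(ike_value)
    return proposal


def responder_accepts(ike_value, offer):
    """As responder: with '!' only the configured proposal, else anything supported."""
    proposal, strict = parse_ike(ike_value)
    if strict:
        return offer == proposal
    return all(offer[k] in SUPPORTED[k] for k in offer)


def negotiate(ike_value, peer):
    """Return (works when strongSwan initiates, works when the peer initiates)."""
    strongswan_initiates = initiator_offer(ike_value) == peer
    peer_initiates = responder_accepts(ike_value, peer)
    return strongswan_initiates, peer_initiates


if __name__ == "__main__":
    for ike in ("3des-md5-modp1024", "3des-md5-modp1024!",
                "3des-sha1-modp1024", "3des-sha1-modp1024!"):
        print(f"ike={ike:22} -> {negotiate(ike, MIKROTIK)}")
```

With the strict flag a mismatched hash fails in both directions, so the misconfiguration shows up immediately instead of only after a reboot of the strongSwan side.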
