Hi Andreas,

Thanks for your prompt reply. I have one more clarification from your side.
Is there any command or tool in Strongswan to see encryption statistics for Netkey stack?
I meant, statistics like
  No of packets encrypted using ESP
  No of packets dropped by tunnel
and so on.

Regards,
Saravanan N

On Mon, May 28, 2012 at 8:24 PM, Andreas Steffen <[email protected]> wrote:

> Hello,
>
> AH without ESP is not supported by strongSwan IKEv1 (which goes all
> the way back to FreeS/WAN).
>
> With auth=esp which is the default you opt for ESP encryption and ESP's
> optional authentication mode.
>
> With auth=ah you get ESP encryption without ESP's optional
> authentication mode but you get AH on top of ESP instead.
>
> If you don't want to encrypt your packets please use either
> ESP NULL encryption
>
> http://www.strongswan.org/uml/testresults/ikev1/esp-alg-null
>
> or AES-GMAC
>
> http://www.strongswan.org/uml/testresults/ikev1/esp-alg-aes-gmac
>
> Regards
>
> Andreas
>
> On 28.05.2012 15:40, SaRaVanAn wrote:
> > Hi Team,
> > I hope, ah mode in strongswan is supported for Ikev1. But I tried
> > to form a tunnel
> > using AH mode with ikev1, but strongswan was expecting ESP proposal even
> > i configured
> > auth=ah. If ah mode is supported for Ikev1, please correct me if there
> > any syntax error in
> > the below configuration file which makes thing not working.
> >
> > *ipsec.conf*
> > ____________
> > # basic configuration
> > ca vpnca
> >         cacert=ca1Cert.pem
> >         #crluri=crl.pem
> >         auto=add
> >
> > config setup
> >         plutostart=yes
> >         plutodebug=all
> >         charonstart=yes
> >         charondebug=all
> >         nat_traversal=yes
> >         crlcheckinterval=10m
> >         strictcrlpolicy=no
> >
> > conn %default
> >         ikelifetime=1h
> >         keylife=2h
> >         keyingtries=1
> >
> > conn fqdn_vr
> >         auth=ah
> >         type=transport
> >         keyexchange=ikev1
> >         left=172.31.114.227
> >         right=%any
> >         rightid=172.31.114.211
> >         pfs=no
> >         rekey=no
> >         auto=add
> >
> > *logs*
> > _____
> > May 28 18:48:07 uxcasxxx pluto[32284]: | ******parse ISAKMP IPsec DOI attribute:
> > May 28 18:48:07 uxcasxxx pluto[32284]: | af+type: ENCAPSULATION_MODE
> > May 28 18:48:07 uxcasxxx pluto[32284]: | length/value: 1
> > May 28 18:48:07 uxcasxxx pluto[32284]: | [1 is ENCAPSULATION_MODE_TUNNEL]
> > May 28 18:48:07 uxcasxxx pluto[32284]: | ******parse ISAKMP IPsec DOI attribute:
> > May 28 18:48:07 uxcasxxx pluto[32284]: | af+type: AUTH_ALGORITHM
> > May 28 18:48:07 uxcasxxx pluto[32284]: | length/value: 2
> > May 28 18:48:07 uxcasxxx pluto[32284]: | [2 is HMAC_SHA1]
> > *May 28 18:48:07 uxcasxxx pluto[32284]: | policy for "fqdn_vr" requires encryption but ESP not in Proposal from 172.31.114.211
> > May 28 18:48:07 uxcasxxx pluto[32284]: "fqdn_vr"[1] 172.31.114.211 #2: no acceptable Proposal in IPsec SA
> > May 28 18:48:07 uxcasxxx pluto[32284]: "fqdn_vr"[1] 172.31.114.211 #2: sending encrypted notification *NO_PROPOSAL_CHOSEN to 172.31.114.211:500
> > May 28 18:48:07 uxcasxxx pluto[32284]: | **emit ISAKMP Message:
> > May 28 18:48:07 uxcasxxx pluto[32284]: | initiator cookie:
> > May 28 18:48:07 uxcasxxx pluto[32284]: | 39 e8 20 f0 36 bb c5 63
> > May 28 18:48:07 uxcasxxx pluto[32284]: | responder cookie:
> > May 28 18:48:07 uxcasxxx pluto[32284]: | 1b 60 45 9a ac b4 b9 d9
> > May 28 18:48:07 uxcasxxx pluto[32284]: | next payload type: ISAKMP_NEXT_HASH
> > May 28 18:48:07 uxcasxxx pluto[32284]: | ISAKMP version: ISAKMP Version 1.0
> > May 28 18:48:07 uxcasxxx pluto[32284]: | exchange type: ISAKMP_XCHG_INFO
> > May 28 18:48:07 uxcasxxx pluto[32284]: | flags: ISAKMP_FLAG_ENCRYPTION
> > May 28 18:48:07 uxcasxxx pluto[32284]: | message ID: 4a 6d 47 56
> > May 28 18:48:07 uxcasxxx pluto[32284]: | ***emit ISAKMP Hash Payload:
> > May 28 18:48:07 uxcasxxx pluto[32284]: | next payload type: ISAKMP_NEXT_N
> > May 28 18:48:07 uxcasxxx pluto[32284]: | emitting 20 zero bytes of HASH into ISAKMP Hash Payload
> > May 28 18:48:07 uxcasxxx pluto[32284]: | emitting length of ISAKMP Hash Payload: 24
> > May 28 18:48:07 uxcasxxx pluto[32284]: | ***emit ISAKMP Notification Payload:
> > May 28 18:48:07 uxcasxxx pluto[32284]: | next payload type: ISAKMP_NEXT_NONE
> > May 28 18:48:07 uxcasxxx pluto[32284]: | DOI: ISAKMP_DOI_IPSEC
> > May 28 18:48:07 uxcasxxx pluto[32284]: | protocol ID: 1
> > May 28 18:48:07 uxcasxxx pluto[32284]: | SPI size: 0
> > May 28 18:48:07 uxcasxxx pluto[32284]: | Notify Message Type: NO_PROPOSAL_CHOSEN
> > May 28 18:48:07 uxcasxxx pluto[32284]: | emitting 0 raw bytes of spi into ISAKMP Notification Payload
> > May 28 18:48:07 uxcasxxx pluto[32284]: | spi
> > May 28 18:48:07 uxcasxxx pluto[32284]: | emitting length of ISAKMP Notification Payload: 12
> >
> >
> > Regards,
> > Saravanan N
>
> ================================================================
> Andreas Steffen                         [email protected]
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
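
Added example, not part of the original thread and not strongSwan code: a small Python triage of pluto debug output like the log quoted above, which collects the IPsec DOI attributes the peer offered and reports the "ESP not in Proposal" rejection with the notification sent back. The sample lines are re-joined and shortened from the quoted log, and the regular expressions assume that line layout.

```python
import re

# Sample input: lines re-joined and shortened from the pluto log quoted in the thread.
SAMPLE_LOG = """\
May 28 18:48:07 uxcasxxx pluto[32284]: | af+type: ENCAPSULATION_MODE
May 28 18:48:07 uxcasxxx pluto[32284]: | [1 is ENCAPSULATION_MODE_TUNNEL]
May 28 18:48:07 uxcasxxx pluto[32284]: | af+type: AUTH_ALGORITHM
May 28 18:48:07 uxcasxxx pluto[32284]: | [2 is HMAC_SHA1]
May 28 18:48:07 uxcasxxx pluto[32284]: | policy for "fqdn_vr" requires encryption but ESP not in Proposal from 172.31.114.211
May 28 18:48:07 uxcasxxx pluto[32284]: "fqdn_vr"[1] 172.31.114.211 #2: no acceptable Proposal in IPsec SA
May 28 18:48:07 uxcasxxx pluto[32284]: "fqdn_vr"[1] 172.31.114.211 #2: sending encrypted notification NO_PROPOSAL_CHOSEN to 172.31.114.211:500
"""

# Assumed layout: "<syslog prefix> pluto[pid]: <message>", as in the excerpt.
PREFIX = re.compile(r"^\w{3}\s+\d+\s[\d:]+\s\S+\spluto\[\d+\]:\s(.*)$")
ATTR = re.compile(r"^\|\s+af\+type: (\w+)$")
VALUE = re.compile(r"^\|\s+\[\d+ is (\w+)\]$")
NO_ESP = re.compile(r'^\|\s+policy for "([^"]+)" requires encryption '
                    r"but ESP not in Proposal from (\S+)$")
NOTIFY = re.compile(r'^"([^"]+)"\[\d+\] \S+ #\d+: '
                    r"sending encrypted notification (\w+) to ")


def triage(log_text):
    """Return one finding per rejected IPsec SA proposal that lacked ESP."""
    offered, pending, findings = {}, None, []
    for line in log_text.splitlines():
        m = PREFIX.match(line.strip())
        if not m:
            continue  # not a pluto line in the assumed layout
        msg = m.group(1)
        if a := ATTR.match(msg):
            pending = a.group(1)  # attribute name; decoded value follows
        elif (v := VALUE.match(msg)) and pending:
            offered[pending], pending = v.group(1), None
        elif n := NO_ESP.match(msg):
            findings.append({"conn": n.group(1), "peer": n.group(2),
                             "offered": offered, "notify": None})
            offered = {}  # start fresh for the next proposal
        elif (t := NOTIFY.match(msg)) and findings \
                and findings[-1]["conn"] == t.group(1):
            findings[-1]["notify"] = t.group(2)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```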
