On Fri, 03 Aug 2012 10:14:01 +0100, Martin Willi <[email protected]> wrote:
>> > 10[CFG] <2> looking for pre-shared key peer configs matching
>> > 192.168.199.10...168.63.60.212[10.4.1.4]
>> > 10[IKE] <2> no peer config found
>>
>> Is this an artifact of the charon / pluto merge in strongSwan 5? Or is
>> "keyexchange=ikev2" not sufficient to cause IKEv2 to be used?
>
> The keyexchange parameter is connection specific, so your connection
> will use IKEv2.
>
> Your peer, however, seems to initiate with IKEv1. You don't have a
> matching connection for IKEv1, hence the negotiation fails with "no peer
> config found".

I have tried "keyexchange=ike" which the ipsec.conf manual page says will
"use IKEv2 when initiating, but accept any protocol version when
responding". However, that doesn't seem to make a difference ...

>> IKE Phase I Parameters:
>> Mode: Main mode
>> Encryption: AES128 or 3DES
>> Integrity: SHA1
>> Diffie-Hellman group: Group 2 (1024 bit)
>> Authentication Method: Pre-shared key
>> Security Association Lifetime: 28800 seconds
>
> Phase 1 proposal is what we define with the "ike" keyword:
>
>   ike=aes128-sha1-modp1024!
>   leftauth=psk
>   rightauth=psk
>
>> IKE Phase II Parameters:
>> Mode: ESP tunnel mode
>> Encryption: AES128 or 3DES
>> Integrity: SHA1
>> Perfect Forward Secrecy: OFF
>> Diffie-Hellman group: Group 2 (1024 bit)
>
> This seems bogus to me, either you have a DH group and use PFS, or not.
> The "esp" keyword in your connection is either
>
>   esp=aes128-sha1!
>
> or
>
>   esp=aes128-sha1-modp1024!

I have removed the 3des entries from ike and esp. Either with or without
"-modp1024" I am still seeing "no peer config found".

Am I missing something fundamental such as needing two separate conn
sections depending on which end initiates? Or is there a way to ensure that
the right (remote) end always initiates and the left end listens?

Could I need "xauthpsk" rather than "psk"?

Apologies if these have obvious answers but I am very new to this!

Many thanks for the help
--
John Connett
