Hello Noel, thanks for the fast response.
I did that already:

======================================================================
ike=aes128-sha1-modp1536,aes128-md5-modp1536,3des-md5-modp1024,aes128-sha1-modp1024,aes256-sha-modp1024,3des-md5-modp1024
esp=aes128-sha1,aes128-md5,aes256-md5,aes256-sha1,3des-sha1,3des-md5
======================================================================

Did not help.

björn

Kind regards
__________________________________
Björn Wahl
Head of IT Department
Business Administration graduate, specialising in Business Informatics

St.-Marien Hospital Borken GmbH
Am Boltenhof 7 - D-46325 Borken
Phone: +49 (0) 2861 97 - 1125
Fax: +49 (0) 2861 97 - 5 1122
[email protected]
www.hospital-borken.de

Register court: Amtsgericht Coesfeld
Registration number: HR B 4914
Authorised managing director: Dipl.-Kfm. Christoph Bröcker
VAT identification number pursuant to Section 27 a Umsatzsteuergesetz: DE 307/5937/0049
_________________________________

>>> Noel Kuntze <[email protected]> 11.11.13 10.16 >>>

Hello Bjoern,

In this case, you need to set the cipher settings for IKE by hand.
You can do this using the "ike" statement (and maybe the "esp" statement, too) in ipsec.conf.
See the manpage for further information.

Regards
Noel Kuntze

On 11.11.2013 09:57, bjoern wahl wrote:
> Hello!
>
> Just after solving the problem with my certs for WIN7 (thanks to Martin
> for the good hint) I hit the next problem.
>
> I would like to migrate old VPNs to my new VPN-GW.
>
> From Linux Openswan U2.4.4/K2.6.16.60-0.83.2-smp (netkey) to Linux
> strongSwan U5.1.1/K3.0.93-0.8-default.
>
> With my first try I got a problem, the logs telling me:
>
> ========================================================================
> 13[IKE] IKE_SA p123[1] established between 11.11.11.11[11.11.11.11]...22.22.22.22[22.22.22.22]
> 13[ENC] generating QUICK_MODE request 1243619134 [ HASH SA No ID ID ]
> 13[NET] sending packet: from 11.11.11.11[500] to 22.22.22.22[500] (284 bytes)
> 14[NET] received packet: from 22.22.22.22[500] to 11.11.11.11[500] (92 bytes)
> 14[ENC] parsed INFORMATIONAL_V1 request 2876618417 [ HASH N(NO_PROP) ]
> 14[IKE] received NO_PROPOSAL_CHOSEN error notify
> ========================================================================
>
> On my old GW everything is still working fine:
>
> ========================================================================
> 003 "p123" #13615: NAT-Traversal: Result using 3: no NAT detected
> 002 "p123" #13615: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> 108 "p123" #13615: STATE_MAIN_I3: sent MI3, expecting MR3
> 002 "p123" #13615: Main mode peer ID is ID_IPV4_ADDR: '22.22.22.22'
> 002 "p123" #13615: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> 004 "p123" #13615: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
> 002 "p123" #13616: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#13615}
> 117 "p123" #13616: STATE_QUICK_I1: initiate
> 003 "p123" #13616: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
> 002 "p123" #13616: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> 004 "p123" #13616: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xeaaec3ed <0x3f7a355f xfrm=AES_256-HMAC_SHA1 NATD=212.159.204.76:500 DPD=none}
> ========================================================================
>
> I just thought it might be because the cipher is not included in my new
> Strongswan, and so I did look that up. I did not find aes_256 in
> my new Strongswan; is that the problem?
> How to add that cipher?
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
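
Added example (not part of the original thread and not strongSwan project code): a short Python check that reads the old Openswan status lines quoted above and tests whether the posted ike=/esp= values cover what that gateway negotiated, including the PFS flag. The function names are hypothetical; the log lines and proposal strings are copied from the messages above with wrapped lines rejoined.

```python
import re

# Status lines and ike=/esp= values copied from the messages above (wrapped lines rejoined).
OLD_LOG = '''\
004 "p123" #13615: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
002 "p123" #13616: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#13615}
004 "p123" #13616: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xeaaec3ed <0x3f7a355f xfrm=AES_256-HMAC_SHA1 NATD=212.159.204.76:500 DPD=none}
'''
IKE = ("aes128-sha1-modp1536,aes128-md5-modp1536,3des-md5-modp1024,"
       "aes128-sha1-modp1024,aes256-sha-modp1024,3des-md5-modp1024")
ESP = "aes128-sha1,aes128-md5,aes256-md5,aes256-sha1,3des-sha1,3des-md5"

def norm(token):
    """Fold Openswan and strongSwan spellings together: aes_256 -> aes256, oakley_sha -> sha1."""
    t = token.lower().replace("oakley_", "").replace("hmac_", "").replace("_", "")
    return "sha1" if t == "sha" else t

def negotiated(log):
    """What the old gateway negotiated: phase 1 suite, phase 2 transform, PFS flag."""
    p1 = re.search(r"cipher=(\S+) prf=(\S+) group=(\w+)", log)
    p2 = re.search(r"xfrm=([A-Z0-9_]+)-([A-Z0-9_]+)", log)
    policy = re.search(r"initiating Quick Mode (\S+)", log).group(1).split("+")
    return {"ike": tuple(map(norm, p1.groups())),
            "esp": tuple(map(norm, p2.groups())),
            "pfs": "PFS" in policy}

def proposals(value):
    """Split an ike=/esp= value into (encryption, integrity, dh-group or None) tuples."""
    return [tuple([norm(p) for p in prop.strip().split("-")] + [None])[:3]
            for prop in value.split(",")]

def compare(log, ike, esp):
    """Check the old gateway's negotiated parameters against the new proposals."""
    old, esp_props = negotiated(log), proposals(esp)
    return {"ike_suite_offered": old["ike"] in proposals(ike),
            "esp_transform_offered": any(p[:2] == old["esp"] for p in esp_props),
            "old_tunnel_used_pfs": old["pfs"],
            "esp_offers_dh_group": any(p[2] is not None for p in esp_props)}

if __name__ == "__main__":
    for check, result in compare(OLD_LOG, IKE, ESP).items():
        print(f"{check:24} {result}")
```

For the values in this thread the phase 1 suite and the ESP transform are both offered, but the old tunnel ran with PFS while no esp= proposal names a DH group. In strongSwan's ipsec.conf a DH group appended to an esp= proposal (encryption-integrity-dhgroup) is what adds the separate Diffie-Hellman exchange in Quick Mode; the thread does not say whether that was the cause of the NO_PROPOSAL_CHOSEN notify.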
