The Fritzbox seems to expect Perfect Forward Secrecy (PFS):

  phase2ss = "esp-all-all/ah-none/comp-all/pfs";

therefore you should enable PFS on the strongSwan side, too:

  esp=3des-sha1-modp1024

Regards

Andreas

On 12.02.2014 20:01, Wagenknecht Michael wrote:
> Hello,
> I am trying to make a LAN-to-LAN connection between a Fritzbox 7390 and a
> CentOS 6.5 gateway with strongSwan 5.1.1.
> When I open the connection I get the following messages:
>
> [root@miwatest strongswan]# strongswan up miwa
> initiating Main Mode IKE_SA miwa[1] to 185.19.32.227
> generating ID_PROT request 0 [ SA V V V V ]
> sending packet: from 213.133.108.164[500] to 185.19.32.227[500] (184 bytes)
> received packet: from 185.19.32.227[500] to 213.133.108.164[500] (148 bytes)
> parsed ID_PROT response 0 [ SA N((24576)) V V ]
> received XAuth vendor ID
> received DPD vendor ID
> generating ID_PROT request 0 [ KE No ]
> sending packet: from 213.133.108.164[500] to 185.19.32.227[500] (196 bytes)
> received packet: from 185.19.32.227[500] to 213.133.108.164[500] (180 bytes)
> parsed ID_PROT response 0 [ KE No ]
> generating ID_PROT request 0 [ ID HASH ]
> sending packet: from 213.133.108.164[500] to 185.19.32.227[500] (68 bytes)
> received packet: from 185.19.32.227[500] to 213.133.108.164[500] (108 bytes)
> parsed ID_PROT response 0 [ ID HASH N(INITIAL_CONTACT) ]
> IKE_SA miwa[1] established between
> 213.133.108.164[213.133.108.164]...185.19.32.227[miwaidv.dyndns.ws]
> scheduling reauthentication in 28128s
> maximum IKE_SA lifetime 28668s
> generating QUICK_MODE request 1324784499 [ HASH SA No ID ID ]
> sending packet: from 213.133.108.164[500] to 185.19.32.227[500] (204 bytes)
> received packet: from 185.19.32.227[500] to 213.133.108.164[500] (76 bytes)
> parsed INFORMATIONAL_V1 request 2845966155 [ HASH N(NO_PROP) ]
> received NO_PROPOSAL_CHOSEN error notify
> establishing connection 'miwa' failed
>
>
> When I scan the FritzBox I get the following information:
> [root@miwatest strongswan]# ike-scan miwaidv.dyndns.ws
> Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
> 185.19.32.227 Main Mode Handshake returned
> HDR=(CKY-R=539bd1bb72dabf1d) SA=(Enc=3DES Hash=SHA1 Auth=PSK
> Group=2:modp1024 LifeType=Seconds LifeDuration=28800)
> Notification=(Type=RESPONDER-LIFETIME,
> SPI=7471c7db8f597359539bd1bb72dabf1d, Data=800b0001800c0e10)
> VID=09002689dfd6b712 (XAUTH)
> VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
> Ending ike-scan 1.9: 1 hosts scanned in 0.204 seconds (4.90 hosts/sec).
> 1 returned handshake; 0 returned notify
>
>
> Here is my ipsec.conf:
>
> conn miwa
>         aggressive=no
>         left=213.133.108.164
>         leftsubnet=192.168.1.0/24
>         ike=3des-sha1-modp1024
>         esp=3des-sha1
>         leftallowany=yes
>         leftfirewall=yes
>         lefthostaccess=yes
>         #
>         right=miwaidv.dyndns.ws
>         rightid="@miwaidv.dyndns.ws"
>         rightsubnet=192.168.0.0/24
>         keyexchange=ikev1
>         ikelifetime=8h
>         keylife=8h
>         authby=psk
>         type=tunnel
>         auto=route
>         # dpddelay=30
>         # dpdtimeout=120
>         # dpdaction=none
>
> Here is the configuration of the Fritzbox:
>
> vpncfg {
>         connections {
>                 enabled = yes;
>                 conn_type = conntype_lan;
>                 name = "miwatest";
>                 always_renew = no;
>                 reject_not_encrypted = no;
>                 dont_filter_netbios = yes;
>                 localip = 0.0.0.0;
>                 local_virtualip = 0.0.0.0;
>                 remoteip = 213.133.108.164;
>                 remote_virtualip = 0.0.0.0;
>                 localid {
>                         fqdn = "miwaidv.dyndns.ws";
>                 }
>                 remoteid {
>                         ipaddr = 213.133.108.164;
>                 }
>                 mode = phase1_mode_idp;
>                 phase1ss = "all/all/all";
>                 keytype = connkeytype_pre_shared;
>                 key = "xxxxxx";
>                 cert_do_server_auth = no;
>                 use_nat_t = no;
>                 use_xauth = no;
>                 use_cfgmode = no;
>                 phase2localid {
>                         ipnet {
>                                 ipaddr = 192.168.0.0;
>                                 mask = 255.255.255.0;
>                         }
>                 }
>                 phase2remoteid {
>                         ipnet {
>                                 ipaddr = 192.168.1.0;
>                                 mask = 255.255.255.0;
>                         }
>                 }
>                 phase2ss = "esp-all-all/ah-none/comp-all/pfs";
>                 accesslist = "permit ip any 192.168.1.0 255.255.255.0";
>         }
>         ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
>                             "udp 0.0.0.0:4500 0.0.0.0:4500";
> }
>
>
> Does someone have an idea where the problem is?
>
> Best Regards,
> Michael
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users

--
======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
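The mismatch Andreas points at can be read straight off the two configs and the charon log: the FRITZ!Box phase2ss ends in "pfs", the strongSwan esp= line carries no DH group, and the QUICK_MODE request has no KE payload, which is why the box answers NO_PROPOSAL_CHOSEN. The script below is an added example (not strongSwan or AVM code) that checks exactly that. It assumes three things about the formats it parses: that a FRITZ!Box phase2ss selector is "/"-separated with an optional "pfs" token, that strongSwan ike=/esp= values are ","-separated proposals of "-"-joined algorithms whose trailing modpNNNN/ecpNNN token is the DH group, and that a charon "generating QUICK_MODE request" line lists its payloads in square brackets. The sample values are taken from the posted configs and log.

```python
"""Diagnose the IKEv1 Quick Mode PFS mismatch from the thread.

Added example, not strongSwan or AVM code. Assumed formats: FRITZ!Box phase2ss
('/'-separated, optional 'pfs' token), strongSwan ike=/esp= (','-separated
proposals, '-'-joined algorithms, trailing DH group name) and charon's
'generating QUICK_MODE request ... [ payloads ]' log line.
"""
import re

# DH group names strongSwan accepts in ike=/esp= proposals (IANA group numbers).
DH_GROUPS = {
    "modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14,
    "modp3072": 15, "modp4096": 16, "ecp256": 19, "ecp384": 20, "ecp521": 21,
}


def parse_fritzbox_phase2ss(selector):
    """Split a FRITZ!Box vpncfg phase2ss string into ESP/AH/IPComp/PFS parts."""
    result = {"esp": None, "ah": None, "comp": None, "pfs": False}
    for part in selector.split("/"):
        if part == "pfs":
            result["pfs"] = True
        elif part.startswith("esp-"):
            _, enc, integ = part.split("-", 2)  # esp-all-all -> ('all', 'all')
            result["esp"] = (enc, integ)
        elif part.startswith("ah-"):
            result["ah"] = part[len("ah-"):]
        elif part.startswith("comp-"):
            result["comp"] = part[len("comp-"):]
        else:
            raise ValueError("unknown phase2ss token: %r" % part)
    return result


def parse_strongswan_proposals(value):
    """Parse a strongSwan ike=/esp= value into (algorithms, dh_group_or_None)."""
    proposals = []
    for prop in value.split(","):
        tokens = prop.strip().rstrip("!").split("-")  # '!' = strict, irrelevant here
        dh = tokens[-1] if tokens[-1] in DH_GROUPS else None
        algs = tokens[:-1] if dh else tokens
        proposals.append((algs, dh))
    return proposals


def check_pfs(phase2ss, esp, ike):
    """Compare what the FRITZ!Box demands with what the strongSwan conn offers.

    Returns (verdict, suggested_esp). In strongSwan a DH group in an ESP
    proposal is what turns PFS on for IKEv1 Quick Mode, so PFS is offered
    iff at least one esp= proposal carries a group.
    """
    peer_wants_pfs = parse_fritzbox_phase2ss(phase2ss)["pfs"]
    esp_props = parse_strongswan_proposals(esp)
    we_offer_pfs = any(dh for _, dh in esp_props)
    if peer_wants_pfs == we_offer_pfs:
        return "ok", esp
    if peer_wants_pfs:
        # Reuse the Phase 1 group: ike-scan showed Group=2:modp1024 for Phase 1
        # and 'pfs' in phase2ss names no separate group (assumption: modp1024
        # fallback if ike= carries none).
        ike_groups = [dh for _, dh in parse_strongswan_proposals(ike) if dh]
        group = ike_groups[0] if ike_groups else "modp1024"
        fixed = ",".join("-".join(algs + [group]) for algs, _ in esp_props)
        return "peer requires PFS, esp= has no DH group", fixed
    fixed = ",".join("-".join(algs) for algs, _ in esp_props)
    return "esp= offers PFS the peer did not ask for", fixed


QUICK_MODE_RE = re.compile(r"QUICK_MODE request \d+ \[ ([A-Za-z ]+?) \]")


def quick_mode_offers_pfs(log_line):
    """True iff a charon 'generating QUICK_MODE request' line carries a KE payload.

    No KE payload means no fresh DH exchange in Quick Mode, i.e. no PFS
    offered; a peer that insists on PFS then answers NO_PROPOSAL_CHOSEN.
    """
    m = QUICK_MODE_RE.search(log_line)
    if not m:
        raise ValueError("not a QUICK_MODE request line: %r" % log_line)
    return "KE" in m.group(1).split()


if __name__ == "__main__":
    # Values from the posted configs and the posted charon log.
    phase2ss = "esp-all-all/ah-none/comp-all/pfs"
    verdict, fixed_esp = check_pfs(phase2ss, "3des-sha1", "3des-sha1-modp1024")
    print(verdict, "->", "esp=" + fixed_esp)
    line = "generating QUICK_MODE request 1324784499 [ HASH SA No ID ID ]"
    print("PFS offered in Quick Mode:", quick_mode_offers_pfs(line))
```

For the posted values the check reports that the peer requires PFS and proposes esp=3des-sha1-modp1024, the same line Andreas gives. One caveat worth keeping in mind: 3DES, SHA-1 and a 1024-bit MODP group are legacy choices well below current recommendations, and the FRITZ!Box "all" selectors leave the algorithm choice to the peer, so once PFS agreement is sorted out it is worth testing a stronger ike=/esp= proposal that the box supports.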
