The IKE_SA is established and the failure only occurs in Quick Mode (NO_PROPOSAL_CHOSEN on the phase 2 proposal), so your phase 1 settings are fine. The Fritzbox's phase 2 settings require Perfect Forward Secrecy (PFS):

   phase2ss = "esp-all-all/ah-none/comp-all/pfs";

therefore you should enable PFS on the strongSwan side, too. With IKEv1, strongSwan enables PFS by appending a DH group to the ESP proposal, so change the esp line to:

   esp=3des-sha1-modp1024

Note that 3DES, SHA-1 and modp1024 (DH group 2) are weak by today's standards; since the Fritzbox is configured with phase1ss = "all/all/all" and "esp-all-all", it is worth checking whether it also accepts a stronger proposal (e.g. ike=aes128-sha256-modp2048 and esp=aes128-sha256-modp2048) and using that if it does.

Regards

Andreas

On 12.02.2014 20:01, Wagenknecht Michael wrote:
> Hello,
> I am trying to set up a LAN-to-LAN connection between a Fritzbox 7390 and a
> CentOS 6.5 gateway running strongSwan 5.1.1.
> When I open the connection I get the following messages:
> 
> [root@miwatest strongswan]# strongswan up miwa
> initiating Main Mode IKE_SA miwa[1] to 185.19.32.227
> generating ID_PROT request 0 [ SA V V V V ]
> sending packet: from 213.133.108.164[500] to 185.19.32.227[500] (184 bytes)
> received packet: from 185.19.32.227[500] to 213.133.108.164[500] (148 bytes)
> parsed ID_PROT response 0 [ SA N((24576)) V V ]
> received XAuth vendor ID
> received DPD vendor ID
> generating ID_PROT request 0 [ KE No ]
> sending packet: from 213.133.108.164[500] to 185.19.32.227[500] (196 bytes)
> received packet: from 185.19.32.227[500] to 213.133.108.164[500] (180 bytes)
> parsed ID_PROT response 0 [ KE No ]
> generating ID_PROT request 0 [ ID HASH ]
> sending packet: from 213.133.108.164[500] to 185.19.32.227[500] (68 bytes)
> received packet: from 185.19.32.227[500] to 213.133.108.164[500] (108 bytes)
> parsed ID_PROT response 0 [ ID HASH N(INITIAL_CONTACT) ]
> IKE_SA miwa[1] established between
> 213.133.108.164[213.133.108.164]...185.19.32.227[miwaidv.dyndns.ws]
> scheduling reauthentication in 28128s
> maximum IKE_SA lifetime 28668s
> generating QUICK_MODE request 1324784499 [ HASH SA No ID ID ]
> sending packet: from 213.133.108.164[500] to 185.19.32.227[500] (204 bytes)
> received packet: from 185.19.32.227[500] to 213.133.108.164[500] (76 bytes)
> parsed INFORMATIONAL_V1 request 2845966155 [ HASH N(NO_PROP) ]
> received NO_PROPOSAL_CHOSEN error notify
> establishing connection 'miwa' failed
> 
> 
> When I scan the FritzBox I get the following information:
> [root@miwatest strongswan]# ike-scan miwaidv.dyndns.ws
> Starting ike-scan 1.9 with 1 hosts
> (http://www.nta-monitor.com/tools/ike-scan/)
> 185.19.32.227    Main Mode Handshake returned
> HDR=(CKY-R=539bd1bb72dabf1d) SA=(Enc=3DES Hash=SHA1 Auth=PSK
> Group=2:modp1024 LifeType=Seconds LifeDuration=28800)
> Notification=(Type=RESPONDER-LIFETIME,
> SPI=7471c7db8f597359539bd1bb72dabf1d, Data=800b0001800c0e10)
> VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead
> Peer Detection v1.0)
> Ending ike-scan 1.9: 1 hosts scanned in 0.204 seconds (4.90 hosts/sec). 
> 1 returned handshake; 0 returned notify
> 
> 
> Here my ipsec.conf:
> conn miwa
>         aggressive=no
>         left=213.133.108.164
>         leftsubnet=192.168.1.0/24
>         ike=3des-sha1-modp1024
>         esp=3des-sha1
>         leftallowany=yes
>         leftfirewall=yes
>         lefthostaccess=yes
>         #
>         right=miwaidv.dyndns.ws
>         rightid="@miwaidv.dyndns.ws"
>         rightsubnet=192.168.0.0/24
>         keyexchange=ikev1
>         ikelifetime=8h
>         keylife=8h
>         authby=psk
>         type=tunnel
>         auto=route
> #       dpddelay=30
> #       dpdtimeout=120
> #       dpdaction=none
> 
> Here is the configuration of the Fritzbox:
> vpncfg {
>         connections {
>                 enabled = yes;
>                 conn_type = conntype_lan;
>                 name = "miwatest";
>                 always_renew = no;
>                 reject_not_encrypted = no;
>                 dont_filter_netbios = yes;
>                 localip = 0.0.0.0;
>                 local_virtualip = 0.0.0.0;
>                 remoteip = 213.133.108.164;
>                 remote_virtualip = 0.0.0.0;
>                 localid {
>                         fqdn = "miwaidv.dyndns.ws";
>                 }
>                 remoteid {
>                         ipaddr = 213.133.108.164;
>                 }
>                 mode = phase1_mode_idp;
>                 phase1ss = "all/all/all";
>                 keytype = connkeytype_pre_shared;
>                 key = "xxxxxx";
>                 cert_do_server_auth = no;
>                 use_nat_t = no;
>                 use_xauth = no;
>                 use_cfgmode = no;
>                 phase2localid {
>                         ipnet {
>                                 ipaddr = 192.168.0.0;
>                                 mask = 255.255.255.0;
>                         }
>                 }
>                 phase2remoteid {
>                         ipnet {
>                                 ipaddr = 192.168.1.0;
>                                 mask = 255.255.255.0;
>                         }
>                 }
>                 phase2ss = "esp-all-all/ah-none/comp-all/pfs";
>                 accesslist = "permit ip any 192.168.1.0 255.255.255.0";
>         }
>         ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
>                             "udp 0.0.0.0:4500 0.0.0.0:4500";
> }
> 
> 
> Does anyone have an idea where the problem is?
> 
> Best Regards,
> Michael
> 

-- 
======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

