I was configuring IPsec transport mode between a strongswan client and Windows 2008, but ran into problems:
> On to the quick mode neg., which fails:
> generating QUICK_MODE request 2717344713 [ HASH SA No KE ID ID ]
> sending packet: from 192.168.0.3[500] to 192.168.0.2[500] (300 bytes)
> received packet: from 192.168.0.2[500] to 192.168.0.3[500] (76 bytes)
> parsed INFORMATIONAL_V1 request 2390185800 [ HASH N(NO_PROP) ]
> received NO_PROPOSAL_CHOSEN error notify
> establishing connection 'host-host' failed
> The event log:
> EventID 4654:
> An IPsec quick mode negotiation failed.
> Failure Information:
> State: No state
> Message ID: 3573913272
> Failure Point: Local computer
> Failure Reason: Policy match error
Solution: I enabled PFS for the Filter Action on the server. Turns out the client enables PFS, even though my ipsec.conf looks like this (proposing ESP without a DH group):
conn %default
    ikelifetime=480m
    keylife=60m
    rekeymargin=3m
    keyingtries=3
    keyexchange=ikev1
    # IKE (main mode) proposals: two entries, the second with modp1024
    ike=3des-sha1,3des-sha1-modp1024
    # ESP (quick mode) proposals: the first has no DH group,
    # the second carries modp1024
    esp=3des-sha1,3des-sha1-modp1024
    aggressive=no
Does it look reasonable?
It was a bit tricky to get this right, as it is not obvious whether PFS is enabled or not.
Regards,
Lars
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
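For comparison, an added ipsec.conf fragment showing the two ESP proposal styles side by side. This is example configuration written for this page, not Lars's configuration and not code from the strongSwan project. It assumes, as the result reported above suggests, that with keyexchange=ikev1 strongSwan includes a KE payload in Quick Mode (i.e. proposes PFS) as soon as any esp= proposal lists a DH group, so a connection that must not propose PFS lists no DH group in any of its ESP proposals. The connection names, the authby/left/right settings and the addresses are made up for the example.

```ini
# Added example (not from the original post or the strongSwan project).
# Assumption: with keyexchange=ikev1, a DH group in any esp= proposal makes
# strongSwan send a KE payload in Quick Mode, i.e. it proposes PFS.
# Connection names, authby, left/right and addresses are made up.

conn %default
    keyexchange=ikev1
    aggressive=no
    ikelifetime=480m
    keylife=60m
    rekeymargin=3m
    keyingtries=3
    type=transport
    authby=secret
    left=192.168.0.3
    right=192.168.0.2
    ike=3des-sha1,3des-sha1-modp1024

# Proposes PFS: the second proposal carries modp1024, so Quick Mode is sent
# with a KE payload ([ HASH SA No KE ID ID ] in the log above). The Windows
# Filter Action then needs PFS enabled, otherwise it replies NO_PROPOSAL_CHOSEN
# (event 4654, "Policy match error").
conn host-host-pfs
    esp=3des-sha1,3des-sha1-modp1024
    auto=add

# Does not propose PFS: no DH group in any ESP proposal, so no KE payload.
# Use this with a Windows Filter Action that has PFS disabled.
conn host-host-nopfs
    esp=3des-sha1
    auto=add
```

The practical check is the strongSwan log line for the QUICK_MODE request: if it lists a KE payload, the client is proposing PFS and the Windows side must be configured to match; if it does not, PFS is off on the client and the Filter Action should have PFS disabled.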