Hi Noel,

Thanks for your reply.

I did already try esp=aes128-sha1! which didn't help. I will try
esp=aes128-sha! when I'm back at the office.

Cheers,

Bas

On 13 February 2015 at 19:17, Noel Kuntze <[email protected]> wrote:
>
> Hello Bas,
>
> That usually means that the two peers could not decide on a common cipher
> proposal.
> It is likely that the CISCO peer has PFS disabled. The normal cipher proposal
> for phase two on strongSwan is all PFS by default. Try this: esp=aes128-sha1! or
> esp=aes128-sha!
> That will set the proposal for phase two to only propose AES-cbc-128 and SHA1
> in combination without PFS.
>
> Kind regards/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 13.02.2015 at 16:48, Bas van Dijk wrote:
>> I solved the "no netkey IPsec stack detected" errors. It turned out
>> that the NixOS strongSwan configuration used a modprobe which couldn't
>> find the right kernel modules. I fixed that and now it starts up
>> without that error. See the log at: http://pastebin.com/ufutkmdC
>>
>> However, my original problem remains.
>> With the following ipsec.conf:
>>
>> conn data-display
>>     aggressive=no
>>     auto=add
>>     fragmentation=yes
>>     ike=des-sha1-modp1024
>>     ikelifetime=24h
>>     keyexchange=ikev1
>>     left=%any
>>     leftauth=psk
>>     leftfirewall=yes
>>     leftid=83.161.66.130
>>     lifetime=1h
>>     right=213.163.70.4
>>     rightauth=psk
>>     rightsubnet=10.180.0.0/16
>>
>> I get the following error:
>>
>> $ sudo ipsec up data-display
>> initiating Main Mode IKE_SA data-display[1] to 213.163.70.4
>> generating ID_PROT request 0 [ SA V V V V V ]
>> sending packet: from 192.168.42.178[500] to 213.163.70.4[500] (220 bytes)
>> received packet: from 213.163.70.4[500] to 192.168.42.178[500] (128 bytes)
>> parsed ID_PROT response 0 [ SA V V ]
>> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
>> received FRAGMENTATION vendor ID
>> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
>> sending packet: from 192.168.42.178[500] to 213.163.70.4[500] (244 bytes)
>> received packet: from 213.163.70.4[500] to 192.168.42.178[500] (304 bytes)
>> parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
>> received Cisco Unity vendor ID
>> received XAuth vendor ID
>> received unknown vendor ID: 4a:1c:a1:c6:1d:26:60:b5:3f:0b:02:29:da:eb:0e:5a
>> received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
>> local host is behind NAT, sending keep alives
>> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
>> sending packet: from 192.168.42.178[4500] to 213.163.70.4[4500] (84 bytes)
>> received packet: from 213.163.70.4[4500] to 192.168.42.178[4500] (84 bytes)
>> parsed ID_PROT response 0 [ ID HASH V ]
>> received DPD vendor ID
>> IKE_SA data-display[1] established between
>> 192.168.42.178[83.161.66.130]...213.163.70.4[213.163.70.4]
>> scheduling reauthentication in 85668s
>> maximum IKE_SA lifetime 86208s
>> generating QUICK_MODE request 384749459 [ HASH SA No ID ID ]
>> sending packet: from 192.168.42.178[4500] to 213.163.70.4[4500] (228 bytes)
>> received packet: from 213.163.70.4[4500] to 192.168.42.178[4500] (84 bytes)
>> parsed INFORMATIONAL_V1 request 1953095225 [ HASH N(NO_PROP) ]
>> received NO_PROPOSAL_CHOSEN error notify
>> establishing connection 'data-display' failed
>>
>> What does NO_PROPOSAL_CHOSEN mean?
>>
>> Thanks,
>>
>> Bas
>>
>> On 10 February 2015 at 16:48, Bas van Dijk <[email protected]> wrote:
>>> Hello,
>>>
>>> Apologies in advance for the rather long message but I'm new to
>>> strongSwan and want to include as much information as I think is
>>> relevant to my problem.
>>>
>>> I'm having some problems using strongSwan-5.2.2 to establish a
>>> connection to a host on the subnet 10.180.0.0/16 which is behind the
>>> gateway 213.163.70.4. The IP address of my machine is 192.168.42.162
>>> and I'm using NAT to access the internet. My public IP address is:
>>> 83.161.66.130. I don't control the 213.163.70.4 gateway and I have
>>> been told it uses the following settings:
>>>
>>> Target address: 213.163.70.4
>>> Source address: 83.161.66.130
>>> IKE SA: Phase 1
>>>     Encryption: AES-128 with SHA-1
>>>     Diffie-Hellman: Group 2
>>>     SA lifetime: 86400 seconds
>>>     IKE negotiation mode: Main (non aggressive)
>>>     Pre-shared key: XXXX (censored)
>>> IPsec proposal: Phase 2
>>>     Encryption: AES-128 with SHA-1
>>>     IPsec type: ESP
>>>     IPsec tunnel lifetime: 3600 seconds
>>>
>>> I set my ipsec.secrets (censored) to:
>>> 213.163.70.4 %any : PSK 0xXXXX
>>>
>>> ipsec.conf:
>>> conn data-display
>>>     aggressive=no
>>>     authby=secret
>>>     auto=add
>>>     esp=aes128-sha1
>>>     fragmentation=yes
>>>     ike=des-sha1-modp1024
>>>     ikelifetime=24h
>>>     keyexchange=ikev1
>>>     left=%any
>>>     leftfirewall=yes
>>>     leftid=83.161.66.130
>>>     lifetime=1h
>>>     right=213.163.70.4
>>>     rightsubnet=10.180.0.0/16
>>>
>>> I noticed from the strongSwan logs that the gateway is a Cisco Unity
>>> device so I configured strongSwan with --enable-unity. I'm not sure
>>> that is required.
>>>
>>> When I start strongSwan using "sudo systemctl start strongswan" I get
>>> the following log (I'm using logging level 2):
>>>
>>> http://pastebin.com/pC1WYegL
>>>
>>> I'm a bit confused why I get the "no netkey IPsec stack detected"
>>> warning since all required[1] kernel options are enabled (either built
>>> in or as modules). In particular:
>>>
>>> cat /proc/config.gz | gunzip | grep CONFIG_NET_KEY=
>>> CONFIG_NET_KEY=m
>>>
>>> Since it's a warning I ignore it for a moment and try to start up the
>>> "data-display" connection using "sudo ipsec up data-display". I get
>>> the following output:
>>>
>>> initiating Main Mode IKE_SA data-display[1] to 213.163.70.4
>>> generating ID_PROT request 0 [ SA V V V V V ]
>>> sending packet: from 192.168.42.162[500] to 213.163.70.4[500] (220 bytes)
>>> received packet: from 213.163.70.4[500] to 192.168.42.162[500] (128 bytes)
>>> parsed ID_PROT response 0 [ SA V V ]
>>> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
>>> received FRAGMENTATION vendor ID
>>> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
>>> sending packet: from 192.168.42.162[500] to 213.163.70.4[500] (244 bytes)
>>> received packet: from 213.163.70.4[500] to 192.168.42.162[500] (304 bytes)
>>> parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
>>> received Cisco Unity vendor ID
>>> received XAuth vendor ID
>>> received unknown vendor ID: c5:dd:ab:2d:d0:7e:27:16:a3:59:1d:ba:91:49:75:8d
>>> received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
>>> local host is behind NAT, sending keep alives
>>> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
>>> sending packet: from 192.168.42.162[4500] to 213.163.70.4[4500] (84 bytes)
>>> received packet: from 213.163.70.4[4500] to 192.168.42.162[4500] (84 bytes)
>>> parsed ID_PROT response 0 [ ID HASH V ]
>>> received DPD vendor ID
>>> IKE_SA data-display[1] established between
>>> 192.168.42.162[83.161.66.130]...213.163.70.4[213.163.70.4]
>>> scheduling reauthentication in 85593s
>>> maximum IKE_SA lifetime 86133s
>>> generating QUICK_MODE request 3299461263 [ HASH SA No ID ID ]
>>> sending packet: from 192.168.42.162[4500] to 213.163.70.4[4500] (204 bytes)
>>> received packet: from 213.163.70.4[4500] to 192.168.42.162[4500] (84 bytes)
>>> parsed INFORMATIONAL_V1 request 1571124148 [ HASH N(NO_PROP) ]
>>> received NO_PROPOSAL_CHOSEN error notify
>>> received packet: from 213.163.70.4[4500] to 192.168.42.162[4500] (84 bytes)
>>> parsed INFORMATIONAL_V1 request 3331205321 [ HASH D ]
>>> received DELETE for IKE_SA data-display[1]
>>> deleting IKE_SA data-display[1] between
>>> 192.168.42.162[83.161.66.130]...213.163.70.4[213.163.70.4]
>>> establishing connection 'data-display' failed
>>>
>>> The following is posted to syslog:
>>>
>>> http://pastebin.com/1Vj1rXaq
>>>
>>> So I can see that an IKE_SA is established between me and the gateway.
>>> However, after that something goes wrong.
>>>
>>> Can somebody explain what is going wrong and point me in the right
>>> direction?
>>>
>>> Also note that I'm using NixOS running in VirtualBox. My virtual NIC
>>> is bridged to my physical NIC.
>>>
>>> Let me know if any more information is desired.
>>>
>>> Cheers,
>>>
>>> Bas
>>>
>>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
>> _______________________________________________
>> Users mailing list
>> [email protected]
>> https://lists.strongswan.org/mailman/listinfo/users
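As an added triage example, not code from the thread or from strongSwan, the following Python classifies where a NO_PROPOSAL_CHOSEN notify arrived in Bas's `ipsec up` output (after a successful IKE_SA, i.e. in Quick Mode, so only the esp= proposal is at fault) and parses an esp= proposal to show whether it requests PFS, which is the mismatch Noel suspects. The sample log lines are constructed from the thread, and `sha` is assumed to be an alias of `sha1`.

```python
import re

# Constructed sample: the decisive lines of Bas's second `ipsec up` output,
# a subset of the log quoted in the thread.
SAMPLE_LOG = """\
initiating Main Mode IKE_SA data-display[1] to 213.163.70.4
IKE_SA data-display[1] established between 192.168.42.178[83.161.66.130]...213.163.70.4[213.163.70.4]
generating QUICK_MODE request 384749459 [ HASH SA No ID ID ]
parsed INFORMATIONAL_V1 request 1953095225 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'data-display' failed
"""

def locate_proposal_failure(log: str) -> str:
    """'phase2' if the IKE_SA came up and NO_PROPOSAL_CHOSEN answered a
    QUICK_MODE request (only esp= is wrong, as in the thread); 'phase1' if
    the notify arrived before the IKE_SA was established; else 'none'."""
    ike_sa_up = quick_mode_sent = False
    for line in log.splitlines():
        if re.search(r"IKE_SA \S+ established", line):
            ike_sa_up = True
        elif "generating QUICK_MODE request" in line:
            quick_mode_sent = True
        elif "NO_PROPOSAL_CHOSEN" in line:
            return "phase2" if ike_sa_up and quick_mode_sent else "phase1"
    return "none"

# One esp= proposal as written in ipsec.conf: enc-integ[-dhgroup][!]
ESP_RE = re.compile(r"^(?P<enc>[a-z0-9]+)-(?P<integ>sha1|sha|sha256|sha384|sha512|md5)"
                    r"(?:-(?P<dh>modp\d+|ecp\d+))?(?P<strict>!?)$")

def parse_esp_proposal(proposal: str) -> dict:
    """Split an esp= proposal. A DH group in phase 2 requests PFS, which a
    peer with PFS disabled rejects with NO_PROPOSAL_CHOSEN; a trailing '!'
    restricts strongSwan to the listed proposal. 'sha' is assumed to alias 'sha1'."""
    m = ESP_RE.match(proposal.strip())
    if not m:
        raise ValueError(f"unrecognised esp proposal: {proposal!r}")
    return {"enc": m["enc"],
            "integ": "sha1" if m["integ"] == "sha" else m["integ"],
            "pfs_group": m["dh"],            # None: no PFS requested
            "strict": m["strict"] == "!"}

def matches_peer_without_pfs(proposal, peer_enc="aes128", peer_integ="sha1"):
    """True if a peer that offers only enc/integ and has PFS disabled accepts it."""
    p = parse_esp_proposal(proposal)
    return p["pfs_group"] is None and p["enc"] == peer_enc and p["integ"] == peer_integ
```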
