Hello! After the change from IKEv1 to IKEv2 I have errors as shown below. In the TP-Link settings I don't see the possibility to change IKEv1/v2. I don't even know what is set in the TP-Link. A sample panel is visible at http://www.tp-link.com.pl/resources/simulator/TL-ER6120(UN)/userRpm/Index.htm. What is best to change 3DES to?

root@SomeWRT:~# ipsec up somename
no files found matching '/etc/strongswan.d/*.conf'
initiating Main Mode IKE_SA somename[1] to A.A.A.A
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from B.B.B.B[500] to A.A.A.A[500] (152 bytes)
received packet: from A.A.A.A[500] to B.B.B.B[500] (56 bytes)
parsed INFORMATIONAL_V1 request 1324794912 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'somename' failed

2015-07-19 22:32 GMT+02:00 Noel Kuntze <[email protected]>:
>
> Hello Tomek,
>
> Try using IKEv1, not IKEv2. And use a different cipher than 3DES. It is very
> slow.
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 19.07.2015 at 13:34, tomek_byd wrote:
>> I don't know how to write the correct config file for the connection. My
>> config is a conglomeration of many examples from the Internet. So far I
>> haven't had contact with IPsec. I'm under the control of TL-ER6120 and
>> OpenWRT so I can make changes on both devices. I see the error "IDr payload
>> missing" but parameter "leftid" is set in the config file.
>>
>> LAN A (192.168.1.0/24) <-> TL-ER6120 (IP: A.A.A.A) <-> INTERNET <-> OpenWRT
>> with strongSwan (IP: B.B.B.B) <-> LAN B (192.168.2.0/24)
>>
>> TL-ER6120 configuration:
>> IKE Proposal: MD5, 3DES, DH2
>> IKE Policy:
>>     Exchange Mode: main,
>>     Local ID Type: FQDN,
>>     Local ID: A.A.A.A
>>     Remote ID Type: FQDN
>>     Remote ID: B.B.B.B
>>     Pre-shared Key: XXXXXX
>>     SA Lifetime: 28800
>>     DPD: Disable
>> IPsec Proposal: ESP, MD5, 3DES
>> IPsec Policy:
>>     Mode: LAN-to-LAN
>>     Local Subnet: 192.168.1.0/24
>>     Remote Subnet: 192.168.2.0/24
>>     WAN: WAN1
>>     Remote Gateway: B.B.B.B
>>     Policy Mode: IKE
>>     PFS: DH2
>>     SA Lifetime: 28800
>>
>> OpenWRT configuration:
>> /etc/ipsec.conf:
>> config setup
>>     # strictcrlpolicy = no
>>     # uniqueids = no
>> conn somename
>>     ikelifetime=60m
>>     keylife=20m
>>     rekeymargin=3m
>>     keyingtries=1
>>     keyexchange=ikev2
>>     type=tunnel
>>     authby=secret
>>     ike=3des-md5-modp1024!
>>     esp=3des-md5!
>>     rekey=no
>>     left=B.B.B.B
>>     leftid=B.B.B.B
>>     leftsubnet=192.168.2.0/24
>>     leftauth=psk
>>     right=A.A.A.A
>>     rightid=A.A.A.A
>>     rightsubnet=192.168.1.0/24
>>     rightauth=psk
>>     dpdaction=none
>>     auto=add
>>     mobike=no
>> /etc/ipsec.secrets
>> A.A.A.A : PSK "XXXXXX"
>> B.B.B.B : PSK "XXXXXX"
>>
>> Output:
>> root@SomeWRT:~# ipsec up somename
>> no files found matching '/etc/strongswan.d/*.conf'
>> initiating IKE_SA somename[1] to A.A.A.A
>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
>> N(HASH_ALG) ]
>> sending packet: from B.B.B.B[500] to A.A.A.A[500] (316 bytes)
>> received packet: from A.A.A.A[500] to B.B.B.B[500] (332 bytes)
>> parsed IKE_SA_INIT response 0 [ N(NATD_S_IP) N(NATD_D_IP) SA KE No ]
>> local host is behind NAT, sending keep alives
>> remote host is behind NAT
>> authentication of 'B.B.B.B' (myself) with pre-shared key
>> establishing CHILD_SA somename
>> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr
>> N(EAP_ONLY) ]
>> sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (212 bytes)
>> received packet: from A.A.A.A[4500] to B.B.B.B[4500] (68 bytes)
>> parsed IKE_AUTH response 1 [ N(TS_UNACCEPT) ]
>> IDr payload missing
>> generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
>> sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (68 bytes)
>> establishing connection 'somename' failed
>>
>> _______________________________________________
>> Users mailing list
>> [email protected]
>> https://lists.strongswan.org/mailman/listinfo/users
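
A small triage helper for `ipsec up` output like the two logs in this thread, added here as an example and not part of the original messages. It reports which IKE version was actually used and separates error notifies received from the peer from those strongSwan generated itself; the names `triage`, `ERROR_NOTIFIES` and the exchange tables are hypothetical, and only exchange and notify names that appear in the thread are recognized.

```python
import re

# Exchange names as they appear in the two logs in this thread.
IKEV1_EXCHANGES = {"ID_PROT", "INFORMATIONAL_V1"}
IKEV2_EXCHANGES = {"IKE_SA_INIT", "IKE_AUTH", "INFORMATIONAL"}

# Error notifies seen in those logs: abbreviation in the log -> full notify name.
ERROR_NOTIFIES = {
    "NO_PROP": "NO_PROPOSAL_CHOSEN",
    "TS_UNACCEPT": "TS_UNACCEPTABLE",
    "AUTH_FAILED": "AUTHENTICATION_FAILED",
}

MESSAGE = re.compile(r"(parsed|generating) (\w+) (?:request|response) \d+ \[([^\]]*)\]")
NOTIFY = re.compile(r"N\((\w+)\)")

# Sample input: message lines copied from the thread (addresses are its placeholders).
IKEV1_LOG = """\
generating ID_PROT request 0 [ SA V V V V ]
parsed INFORMATIONAL_V1 request 1324794912 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
"""
IKEV2_LOG = """\
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(HASH_ALG) ]
parsed IKE_SA_INIT response 0 [ N(NATD_S_IP) N(NATD_D_IP) SA KE No ]
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr
N(EAP_ONLY) ]
parsed IKE_AUTH response 1 [ N(TS_UNACCEPT) ]
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
"""

def triage(log):
    """Return the IKE version used and the error notifies, split by sender."""
    text = " ".join(log.split())  # undo line wrapping inside [ ... ]
    result = {"ike_version": None, "from_peer": [], "from_local": []}
    for direction, exchange, payloads in MESSAGE.findall(text):
        if result["ike_version"] is None:
            if exchange in IKEV1_EXCHANGES:
                result["ike_version"] = 1
            elif exchange in IKEV2_EXCHANGES:
                result["ike_version"] = 2
        # "parsed" lines are messages from the peer, "generating" lines are our own.
        side = "from_peer" if direction == "parsed" else "from_local"
        for code in NOTIFY.findall(payloads):
            if code in ERROR_NOTIFIES:
                result[side].append((exchange, ERROR_NOTIFIES[code]))
    return result
```

Run over the IKEv2 log, this separates the peer's TS_UNACCEPTABLE in the IKE_AUTH response from the AUTHENTICATION_FAILED that the local side sent afterwards.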
