Hello Tomek,

I can tell from "Exchange Mode: Main" that it uses IKEv1. Append an @ to the IDs on the strongSwan side to force charon to send the ID as type FQDN, which the other side expects (you set ID type to FQDN). Use AES-128 instead of 3DES. You should also use SHA1, not MD5. Furthermore, you enabled PFS in the configuration on the TP-Link, but not in strongSwan. Append the correct DH group to your ESP cipher settings. Look at the logs in the web interface to find out what the TP-Link side doesn't like.

Regards,
Noel Kuntze

Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 20.07.2015 at 13:58, [email protected] wrote:
> Hello!
>
> After the change from IKEv1 to IKEv2 I have errors as shown below. In
> the TP-Link settings I don't see the possibility to change IKEv1/v2. I
> don't know what is even set in TP-Link. A sample panel is visible on
> http://www.tp-link.com.pl/resources/simulator/TL-ER6120(UN)/userRpm/Index.htm.
> What is best to change 3DES to?
>
> root@SomeWRT:~# ipsec up somename
> no files found matching '/etc/strongswan.d/*.conf'
> initiating Main Mode IKE_SA somename[1] to A.A.A.A
> generating ID_PROT request 0 [ SA V V V V ]
> sending packet: from B.B.B.B[500] to A.A.A.A[500] (152 bytes)
> received packet: from A.A.A.A[500] to B.B.B.B[500] (56 bytes)
> parsed INFORMATIONAL_V1 request 1324794912 [ N(NO_PROP) ]
> received NO_PROPOSAL_CHOSEN error notify
> establishing connection 'somename' failed
>
> 2015-07-19 22:32 GMT+02:00 Noel Kuntze <[email protected]>:
>> Hello Tomek,
>>
>> Try using IKEv1, not IKEv2. And use a different cipher than 3DES. It is very
>> slow.
>>
>> Kind Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> On 19.07.2015 at 13:34, tomek_byd wrote:
>>> I don't know how to write the correct config file for the connection. My
>>> config is a conglomeration of many examples from the Internet. So far I
>>> haven't had contact with IPsec. I'm in control of the TL-ER6120 and
>>> OpenWRT, so I can make changes on both devices. I see the error "IDr
>>> payload missing" but the parameter "leftid" is set in the config file.
>>>
>>> LAN A (192.168.1.0/24) <-> TL-ER6120 (IP: A.A.A.A) <-> INTERNET <->
>>> OpenWRT with strongSwan (IP: B.B.B.B) <-> LAN B (192.168.2.0/24)
>>>
>>> TL-ER6120 configuration:
>>> IKE Proposal: MD5, 3DES, DH2
>>> IKE Policy:
>>>   Exchange Mode: main
>>>   Local ID Type: FQDN
>>>   Local ID: A.A.A.A
>>>   Remote ID Type: FQDN
>>>   Remote ID: B.B.B.B
>>>   Pre-shared Key: XXXXXX
>>>   SA Lifetime: 28800
>>>   DPD: Disable
>>> IPsec Proposal: ESP, MD5, 3DES
>>> IPsec Policy:
>>>   Mode: LAN-to-LAN
>>>   Local Subnet: 192.168.1.0/24
>>>   Remote Subnet: 192.168.2.0/24
>>>   WAN: WAN1
>>>   Remote Gateway: B.B.B.B
>>>   Policy Mode: IKE
>>>   PFS: DH2
>>>   SA Lifetime: 28800
>>>
>>> OpenWRT configuration:
>>>
>>> /etc/ipsec.conf:
>>> config setup
>>>         # strictcrlpolicy = no
>>>         # uniqueids = no
>>>
>>> conn somename
>>>         ikelifetime=60m
>>>         keylife=20m
>>>         rekeymargin=3m
>>>         keyingtries=1
>>>         keyexchange=ikev2
>>>         type=tunnel
>>>         authby=secret
>>>         ike=3des-md5-modp1024!
>>>         esp=3des-md5!
>>>         rekey=no
>>>         left=B.B.B.B
>>>         leftid=B.B.B.B
>>>         leftsubnet=192.168.2.0/24
>>>         leftauth=psk
>>>         right=A.A.A.A
>>>         rightid=A.A.A.A
>>>         rightsubnet=192.168.1.0/24
>>>         rightauth=psk
>>>         dpdaction=none
>>>         auto=add
>>>         mobike=no
>>>
>>> /etc/ipsec.secrets:
>>> A.A.A.A : PSK "XXXXXX"
>>> B.B.B.B : PSK "XXXXXX"
>>>
>>> Output:
>>> root@SomeWRT:~# ipsec up somename
>>> no files found matching '/etc/strongswan.d/*.conf'
>>> initiating IKE_SA somename[1] to A.A.A.A
>>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
>>> sending packet: from B.B.B.B[500] to A.A.A.A[500] (316 bytes)
>>> received packet: from A.A.A.A[500] to B.B.B.B[500] (332 bytes)
>>> parsed IKE_SA_INIT response 0 [ N(NATD_S_IP) N(NATD_D_IP) SA KE No ]
>>> local host is behind NAT, sending keep alives
>>> remote host is behind NAT
>>> authentication of 'B.B.B.B' (myself) with pre-shared key
>>> establishing CHILD_SA somename
>>> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
>>> sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (212 bytes)
>>> received packet: from A.A.A.A[4500] to B.B.B.B[4500] (68 bytes)
>>> parsed IKE_AUTH response 1 [ N(TS_UNACCEPT) ]
>>> IDr payload missing
>>> generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
>>> sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (68 bytes)
>>> establishing connection 'somename' failed
>>>
>>> _______________________________________________
>>> Users mailing list
>>> [email protected]
>>> https://lists.strongswan.org/mailman/listinfo/users
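The four changes recommended above (IKEv1 instead of IKEv2, FQDN-typed IDs via a leading @, AES-128/SHA1 instead of 3DES/MD5, and the PFS group carried in the ESP proposal) applied to the poster's conn section. This is an added example, not a configuration from the thread or from the strongSwan project; it assumes the TL-ER6120 proposals are changed to match (IKE AES-128, SHA1, DH2; IPsec ESP AES-128, SHA1; PFS DH2), and it relies on DH group 2 being the 1024-bit MODP group, which strongSwan names modp1024. The lifetimes, subnets and placeholder addresses are the poster's own values; the extra selectors in ipsec.secrets are an assumption so that the PSK is found whether charon looks it up by IP address (as it must during IKEv1 Main Mode, before the peer's ID is known) or by the FQDN identity.

```conf
# /etc/ipsec.conf on the OpenWRT/strongSwan side (added example, not from the thread)
config setup
        # strictcrlpolicy=no
        # uniqueids=no

conn somename
        # "Exchange Mode: main" on the TP-Link is IKEv1 Main Mode, not IKEv2
        keyexchange=ikev1
        type=tunnel
        authby=secret
        # IKE proposal: AES-128, SHA1, DH group 2 (modp1024), matching the TP-Link IKE Proposal
        ike=aes128-sha1-modp1024!
        # ESP proposal: AES-128, SHA1, plus the DH group so PFS matches "PFS: DH2"
        # on the TP-Link; without the group here strongSwan proposes no PFS
        esp=aes128-sha1-modp1024!
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        rekey=no
        left=B.B.B.B
        # leading @ makes charon send the ID as type FQDN, which the TP-Link
        # expects for both its Local ID Type and Remote ID Type
        leftid=@B.B.B.B
        leftsubnet=192.168.2.0/24
        right=A.A.A.A
        rightid=@A.A.A.A
        rightsubnet=192.168.1.0/24
        # DPD is disabled on the TP-Link side
        dpdaction=none
        auto=add

# /etc/ipsec.secrets (added example; XXXXXX is the poster's placeholder)
# Selectors are listed both as IP addresses and as @FQDN identities so the
# lookup succeeds whichever form charon uses for the peer (assumption).
A.A.A.A B.B.B.B @A.A.A.A @B.B.B.B : PSK "XXXXXX"
```

After loading the changed files (`ipsec reload` and `ipsec rereadsecrets`, or a restart), a successful Main Mode exchange shows `ID_PROT` requests and responses followed by `QUICK_MODE` rather than the `N(NO_PROP)` notify seen in the log above; `NO_PROPOSAL_CHOSEN` means the cipher, hash, DH group or PFS setting still differs between the two sides, which the TP-Link web interface log should name.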
