CJ,
neither of your connections has a reasonable 'right' parameter [1], so
charon has to guess which connection to select. Based on what the log
says, it chooses CertBased over the one you want (testzyxel).

Try adding 'right=207.8.183.25' to conn testzyxel. This should let
charon select the proper IKE/Peer config.

Cheers,
Thomas

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection

On 01/22/2016 06:04 AM, CJ Fearnley wrote:
> Unfortunately, the Zyxels cannot use a CA signed cert, so I'm forced to
> try to connect them with PSK despite our other ipsec clients using certs
> (Netgears).
>
> I have this configuration (Debian Jessie, Linux strongSwan
> U5.2.1/K3.16.0-4-amd64):
>
> config setup
>     uniqueids=no
>
> conn %default
>     mobike=no
>     keyexchange=ikev1
>     left=216.130.102.66
>     leftsubnet=192.168.101.0/24
>     auto=add
>
> conn CertBased
>     leftid="C=US, ST=IL, L=Glenwood, O=[Private redacted], CN=[Private redacted], E=[Private redacted]"
>     leftcert=[Private redacted].crt
>     leftsendcert=always
>     ike=3des-sha1-modp1024!
>     esp=3des-sha1-modp1024!
>
> conn Netgear
>     rightsubnet=192.168.190.0/24
>     right=%any
>     also=CertBased
>
> conn testzyxel
>     rightsubnet=192.168.221.0/24
>     leftsendcert=no
>     authby=psk
>     compress=no
>     ikelifetime=8h
>     lifetime=8h
>     ike=aes256-sha256-modp1024!
>     esp=aes256-sha256-modp1024!
>
> The Netgear connections work. The testzyxel connections fail.
>
> I've tried it with the ike= and esp= lines commented out too.
>
> When I set ike logging to level 2: ipsec stroke loglevel ike 2, I see this in
> the logs:
>
> Jan 21 23:04:25 cw1 charon: 10[IKE] 207.8.183.25 is initiating a Main Mode IKE_SA
> Jan 21 23:04:25 cw1 charon: 10[IKE] IKE_SA (unnamed)[19] state change: CREATED => CONNECTING
> Jan 21 23:04:25 cw1 charon: 10[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
> Jan 21 23:04:25 cw1 charon: 10[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> Jan 21 23:04:25 cw1 charon: 10[IKE] no proposal found
>
> I have tried every combination of encryption & integrity algorithms
> that I could think of. It always claims to be configured for
> 3DES_CBC/HMAC_SHA1_96 instead of AES_CBC_256/HMAC_SHA2_256_128. Can this
> be fixed?
>
> I consulted https://wiki.strongswan.org/projects/1/wiki/IKEv1CipherSuites
> and so I would think specifying aes256-sha256-modp1024 should work. Why isn't
> strongswan accepting it?
>
> In /etc/strongswan.d/charon.conf, I added the line
> # Plugins to load in the IKE daemon charon.
> load = openssl aes sha1 sha2 hmac x509
>
> I included the part of the configuration that uses certs to authenticate
> our Netgear clients. Could the ike= and esp= lines needed for the Netgears
> be blocking the testzyxel stanza from using aes256-sha256?
>
> Here is the output of "ipsec listalgs":
>
> sudo ipsec listalgs
>
> List of registered IKE algorithms:
>
>   encryption: AES_CBC[af-alg] DES_CBC[af-alg] DES_ECB[af-alg]
>               3DES_CBC[af-alg] AES_CTR[af-alg] CAMELLIA_CBC[af-alg]
>               CAMELLIA_CTR[af-alg] CAST_CBC[af-alg] BLOWFISH_CBC[af-alg]
>               SERPENT_CBC[af-alg] TWOFISH_CBC[af-alg]
>               NULL[openssl] RC2_CBC[rc2]
>   integrity:  HMAC_SHA1_96[af-alg] HMAC_SHA1_128[af-alg]
>               HMAC_SHA1_160[af-alg] HMAC_SHA2_256_96[af-alg]
>               HMAC_SHA2_256_128[af-alg] HMAC_MD5_96[af-alg]
>               HMAC_MD5_128[af-alg] HMAC_SHA2_256_256[af-alg]
>               HMAC_SHA2_384_192[af-alg] HMAC_SHA2_384_384[af-alg]
>               HMAC_SHA2_512_256[af-alg] HMAC_SHA2_512_512[af-alg]
>               AES_XCBC_96[af-alg] CAMELLIA_XCBC_96[af-alg] AES_CMAC_96[cmac]
>   aead:       AES_CCM_8[ccm] AES_CCM_12[ccm] AES_CCM_16[ccm]
>               CAMELLIA_CCM_8[ccm] CAMELLIA_CCM_12[ccm]
>               CAMELLIA_CCM_16[ccm] AES_GCM_8[gcm] AES_GCM_12[gcm]
>               AES_GCM_16[gcm]
>   hasher:     HASH_SHA1[af-alg] HASH_MD4[af-alg] HASH_MD5[af-alg]
>               HASH_SHA224[af-alg] HASH_SHA256[af-alg]
>               HASH_SHA384[af-alg] HASH_SHA512[af-alg]
>   prf:        PRF_HMAC_SHA1[af-alg] PRF_HMAC_SHA2_256[af-alg]
>               PRF_HMAC_MD5[af-alg] PRF_HMAC_SHA2_384[af-alg]
>               PRF_HMAC_SHA2_512[af-alg] PRF_AES128_XCBC[af-alg]
>               PRF_CAMELLIA128_XCBC[af-alg] PRF_AES128_CMAC[cmac]
>               PRF_KEYED_SHA1[openssl] PRF_FIPS_SHA1_160[fips-prf]
>   dh-group:   MODP_2048[gcrypt] MODP_2048_224[gcrypt] MODP_2048_256[gcrypt]
>               MODP_1536[gcrypt] MODP_3072[gcrypt]
>               MODP_4096[gcrypt] MODP_6144[gcrypt] MODP_8192[gcrypt]
>               MODP_1024[gcrypt] MODP_1024_160[gcrypt]
>               MODP_768[gcrypt] MODP_CUSTOM[gcrypt] ECP_256[openssl]
>               ECP_384[openssl] ECP_521[openssl] ECP_224[openssl]
>               ECP_192[openssl] ECP_224_BP[openssl] ECP_256_BP[openssl]
>               ECP_384_BP[openssl] ECP_512_BP[openssl]
>   random-gen: RNG_WEAK[gcrypt] RNG_STRONG[gcrypt] RNG_TRUE[gcrypt]
>   nonce-gen:  [nonce]
>
> Do I need to specify another plugin? Am I missing a Debian package that
> provides the aes256 encryption algorithm?
>
> As a last try I wondered if maybe I need to configure strongswan with 3des by
> adding the des plugin and trying with these lines in and commented out:
> ike=3des-sha1-modp1024!
> esp=3des-sha1-modp1024!
>
> Of course, I wasn't thinking backward and it didn't work. Any suggestions?

_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
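The selection problem Thomas describes, worked through as an added example that is not code from this thread or from strongSwan. It models only the piece of charon's peer-config lookup that matters here: an incoming IKE_SA from 207.8.183.25 is matched against each conn's `right`, an exact address match outranks `%any`, and an unset `right` is treated as `%any`. The ipsec.conf text is a trimmed, constructed copy of CJ's (redacted values are placeholders), the log line is copied from the post, and the tie-break on equal scores (first conn in the file), the `also=`/`%default` merge order and the keyword-to-log-name table are assumptions of this model, not documented charon behaviour.

```python
"""Model of charon's peer-config choice for the thread's two conns.

Added example, not strongSwan code. Real charon also weighs identities,
proposals and more when matching; here only the 'right' address is scored,
which is the point made in the reply.
"""
import re
from collections import OrderedDict

# Constructed ipsec.conf mirroring the post (redacted values are placeholders).
IPSEC_CONF = """\
config setup
    uniqueids=no

conn %default
    mobike=no
    keyexchange=ikev1
    left=216.130.102.66
    leftsubnet=192.168.101.0/24
    auto=add

conn CertBased
    leftcert=redacted.crt
    leftsendcert=always
    ike=3des-sha1-modp1024!
    esp=3des-sha1-modp1024!

conn Netgear
    rightsubnet=192.168.190.0/24
    right=%any
    also=CertBased

conn testzyxel
    rightsubnet=192.168.221.0/24
    leftsendcert=no
    authby=psk
    ike=aes256-sha256-modp1024!
    esp=aes256-sha256-modp1024!
"""
# The suggested fix: 'right=' appended to conn testzyxel (the last section).
FIXED_CONF = IPSEC_CONF + "    right=207.8.183.25\n"
PEER = "207.8.183.25"
# Proposal part of the charon log line from the post.
RECEIVED_LOG = "10[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024"

# ipsec.conf keyword -> name charon prints in the log (subset; assumed mapping).
ALG_NAMES = {
    "aes256": "AES_CBC_256", "aes128": "AES_CBC_128", "3des": "3DES_CBC",
    "sha256": "HMAC_SHA2_256_128", "sha1": "HMAC_SHA1_96",
    "modp1024": "MODP_1024", "modp2048": "MODP_2048",
}


def parse_ipsec_conf(text):
    """Parse ipsec.conf into {(kind, name): {key: value}} in file order.
    Unindented lines open a section ('config setup', 'conn NAME'); indented
    lines are key=value; 'also' is collected as a list."""
    sections, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.partition(" ")
            current = sections.setdefault((kind, name.strip()), OrderedDict())
            continue
        key, _, value = line.strip().partition("=")
        key, value = key.strip(), value.strip()
        if key == "also":
            current.setdefault("also", []).append(value)
        else:
            current[key] = value
    return sections


def resolve_conn(sections, name):
    """Flatten a conn. Assumed precedence: %default < also= sections < own keys."""
    merged = OrderedDict()
    if name != "%default" and ("conn", "%default") in sections:
        merged.update(resolve_conn(sections, "%default"))
    own = sections[("conn", name)]
    for other in own.get("also", []):
        merged.update(resolve_conn(sections, other))
    merged.update((k, v) for k, v in own.items() if k != "also")
    return merged


def address_score(cfg, peer_ip):
    """Exact 'right' match beats a wildcard; an unset 'right' is %any."""
    right = cfg.get("right", "%any")
    return 2 if right == peer_ip else (1 if right == "%any" else 0)


def select_peer_cfg(sections, peer_ip):
    """Return (conn name, flattened cfg) for an IKE_SA initiated by peer_ip.
    Highest address score wins; ties go to the first conn in the file
    (tie-break is an assumption of this model)."""
    best = (None, None, 0)
    for kind, name in sections:
        if kind != "conn" or name == "%default":
            continue
        cfg = resolve_conn(sections, name)
        if cfg.get("auto", "ignore") == "ignore":   # not loaded into charon
            continue
        score = address_score(cfg, peer_ip)
        if score > best[2]:
            best = (name, cfg, score)
    return best[0], best[1]


def parse_received_proposal(log_line):
    """(encryption, integrity, dh group) from a 'received proposals' line; PRF skipped."""
    m = re.search(r"IKE:([A-Z0-9_]+)/([A-Z0-9_]+)/PRF_[A-Z0-9_]+/([A-Z0-9_]+)", log_line)
    if not m:
        raise ValueError("no IKE proposal in: " + log_line)
    return m.groups()


def configured_ike_proposals(cfg):
    """Translate the conn's ike= list (strict '!' stripped) into charon's log names."""
    out = []
    for spec in cfg["ike"].rstrip("!").split(","):
        enc, integ, dh = spec.split("-")
        out.append(tuple(ALG_NAMES[a] for a in (enc, integ, dh)))
    return out


def ike_proposal_matches(cfg, log_line):
    return parse_received_proposal(log_line) in configured_ike_proposals(cfg)


if __name__ == "__main__":
    for label, text in (("as posted", IPSEC_CONF), ("with right= added", FIXED_CONF)):
        name, cfg = select_peer_cfg(parse_ipsec_conf(text), PEER)
        print(f"{label}: charon selects {name}, ike={cfg['ike']}, "
              f"peer proposal accepted: {ike_proposal_matches(cfg, RECEIVED_LOG)}")
```

Run as posted, all three loaded conns score the same and the model falls back to the first one, CertBased, whose 3des-sha1 proposal cannot match the Zyxel's AES-256/SHA-256 offer, which is the "configured proposals: IKE:3DES_CBC/HMAC_SHA1_96" line in CJ's log. With `right=207.8.183.25` on testzyxel that conn outranks the wildcards and its aes256-sha256-modp1024 proposal matches.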
