Hi Andreas,

starting with 5.4.0 strongSwan proposes a cipher suite with at least 128 bit security strength in the first place even though the weaker algorithms are still proposed but with a lower priority. For esp the default proposal is now

esp=aes128-sha256,...

followed by some more algorithms including 3des. But we certainly don't propose md5 any more. So as a workaround please insert an explicit statement for the esp proposal.

Regards

Andreas

On 04/17/2016 12:49 PM, Andreas Tscharner wrote:
> Hello World,
>
> After strongswan was updated to 5.4.0 on my Debian system my formerly
> working VPN connection no longer works. I get the following message:
>
> initiating Main Mode IKE_SA vpn-metromec[1] to xxx.xxx.xxx.xxx
> generating ID_PROT request 0 [ SA V V V V ]
> sending packet: from 192.168.0.12[500] to xxx.xxx.xxx.xxx[500] (212 bytes)
> received packet: from xxx.xxx.xxx.xxx[500] to 192.168.0.12[500] (248 bytes)
> parsed ID_PROT response 0 [ SA V V V V V V V V V ]
> received unknown vendor ID: f7:58:f2:26:68:75:0f:03:b0:8d:f6:eb:e1:d0:04:03
> received unknown vendor ID: af:ca:d7:13:68:a1:f1:c9:6b:86:96:fc:77:57
> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
> received NAT-T (RFC 3947) vendor ID
> received XAuth vendor ID
> received DPD vendor ID
> received unknown vendor ID: af:ca:d7:13:68:a1:f1:c9:6b:86:96:fc:77:57
> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
> sending packet: from 192.168.0.12[500] to xxx.xxx.xxx.xxx[500] (236 bytes)
> received packet: from xxx.xxx.xxx.xxx[500] to 192.168.0.12[500] (220 bytes)
> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
> local host is behind NAT, sending keep alives
> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
> sending packet: from 192.168.0.12[4500] to xxx.xxx.xxx.xxx[4500] (92 bytes)
> received packet: from xxx.xxx.xxx.xxx[500] to 192.168.0.12[500] (220 bytes)
> received retransmit of response with ID 0, but next request already sent
> received packet: from xxx.xxx.xxx.xxx[4500] to 192.168.0.12[4500] (60 bytes)
> parsed ID_PROT response 0 [ ID HASH ]
> IKE_SA vpn-metromec[1] established between
> 192.168.0.12[192.168.0.12]...xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]
> scheduling reauthentication in 27872s
> maximum IKE_SA lifetime 28412s
> generating QUICK_MODE request 221974855 [ HASH SA No ID ID NAT-OA NAT-OA ]
> sending packet: from 192.168.0.12[4500] to xxx.xxx.xxx.xxx[4500] (220 bytes)
> received packet: from xxx.xxx.xxx.xxx[4500] to 192.168.0.12[4500] (116 bytes)
> parsed INFORMATIONAL_V1 request 503827175 [ HASH N(NO_PROP) ]
> received NO_PROPOSAL_CHOSEN error notify
> establishing connection 'vpn-metromec' failed
>
> My /etc/ipsec.conf:
> conn vpn-metromec
>     authby=secret
>     rekey=yes
>     keyingtries=3
>     dpdaction=restart
>     ikelifetime=8h
>     keylife=1h
>     keyexchange=ikev1
>     ike=3des-md5-modp1024
>     type=transport
>     left=192.168.0.12
>     leftsubnet=192.168.0.12[udp/1701]
>     right=xxx.xxx.xxx.xxx
>     rightsubnet=xxx.xxx.xxx.xxx[udp/1701]
>     auto=add
>
> Any ideas? How do I have to update my configuration to make it work again?
>
> TIA and best regards
> Andreas

======================================================================
Andreas Steffen                                 [email protected]
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
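The failure in the thread comes from a conn that pins the IKE proposal with ike= but leaves the ESP proposal to the daemon default, which changed in 5.4.0. The following script is an added example (not strongSwan code, and not from either poster) that scans ipsec.conf conn sections for exactly that pattern and reports legacy algorithms in either proposal. The embedded ipsec.conf text is constructed for the example: it contains the conn from the thread (with placeholder peer addresses) and a second conn, vpn-fixed, that carries an explicit esp= line; the value esp=3des-md5 there is an assumption about what the legacy peer accepts, since the thread does not state it, and the legacy-algorithm set is chosen to match the algorithms named in the thread rather than any official strongSwan list.

```python
"""Audit ipsec.conf 'conn' sections whose ESP proposal depends on daemon defaults.

Added example, not strongSwan's own code. It parses the subset of ipsec.conf
syntax seen in the thread (a 'conn NAME' header followed by key=value lines),
reports conns that set ike= but no explicit esp= (so the ESP proposal follows
the daemon default, which changed in 5.4.0), and lists legacy algorithms found
in either proposal.
"""
import re

# Algorithm names treated as legacy by this audit. Assumption: chosen to match
# the algorithms mentioned in the thread, not an official strongSwan list.
LEGACY_ALGS = {"3des", "md5", "modp1024"}

# Constructed sample input: the conn from the thread (peer address replaced by a
# documentation-range placeholder) plus a variant with an explicit esp= line.
# The value esp=3des-md5 is an assumption about what the legacy peer accepts.
SAMPLE_IPSEC_CONF = """\
config setup

conn vpn-metromec
    authby=secret
    keyexchange=ikev1
    ike=3des-md5-modp1024
    type=transport
    left=192.168.0.12
    leftsubnet=192.168.0.12[udp/1701]
    right=203.0.113.10
    rightsubnet=203.0.113.10[udp/1701]
    auto=add

conn vpn-fixed
    authby=secret
    keyexchange=ikev1
    ike=3des-md5-modp1024
    esp=3des-md5
    type=transport
    left=192.168.0.12
    right=203.0.113.10
    auto=add
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in text.

    Only the syntax used in the thread is handled: 'conn NAME' headers and
    indented key=value lines. 'config' and 'ca' sections are skipped.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^conn\s+(\S+)$", line)
        if header:
            current = header.group(1)
            conns[current] = {}
            continue
        if re.match(r"^(config|ca)\s", line):
            current = None  # leave non-conn sections alone
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            conns[current][key.strip()] = value.strip()
    return conns


def split_algs(proposal):
    """'3des-md5-modp1024,aes128-sha256' -> {'3des','md5','modp1024','aes128','sha256'}."""
    algs = set()
    for suite in proposal.split(","):
        algs.update(part for part in suite.split("-") if part)
    return algs


def audit(conns):
    """Return {conn_name: [finding, ...]}; an empty list means nothing was flagged."""
    report = {}
    for name, params in conns.items():
        findings = []
        if "ike" in params and "esp" not in params:
            findings.append("no explicit esp=; ESP proposal depends on the daemon default")
        for key in ("ike", "esp"):
            if key in params:
                legacy = sorted(LEGACY_ALGS & split_algs(params[key]))
                if legacy:
                    findings.append(f"{key}= uses legacy algorithms: {', '.join(legacy)}")
        report[name] = findings
    return report


if __name__ == "__main__":
    for conn, findings in audit(parse_conns(SAMPLE_IPSEC_CONF)).items():
        print(f"{'OK' if not findings else 'CHECK':5} {conn}")
        for finding in findings:
            print(f"      - {finding}")
```

Run against the sample, vpn-metromec is flagged for the missing esp= line and for the legacy algorithms in ike=, while vpn-fixed is flagged only for the legacy algorithms it pins explicitly; that second finding is the reminder that an explicit esp= keeps a legacy peer working but does not raise the security strength of the tunnel.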
