Worked perfectly with ike=aes256-sha1-modp1024! esp=aes256-sha1-modp2048! I'm sorry I missed that, sorry for wasting your time.
On Mon, Feb 20, 2017 at 9:01 AM Noel Kuntze <[email protected]> wrote: > The remote side probably uses PFS. > Either set the correct DH group that corresponds to the configuration of > the remote side or disable PFS there. > > aes256-sha1 != aes256-sha1-modp2048 > > > Am 19. Februar 2017 16:31:08 MEZ schrieb Andrei-Florian Staicu < > [email protected]>: > > Hi, > > I have a site-to-site tunnel to a private classic Azure. > It starts and works perfectly but, after after approx 43 minutes (i think > it's the child rekeying interval), it starts looping like this: > > 08[KNL] creating rekey job for CHILD_SA ESP/0x066cf00c/<remote> > 06[IKE] establishing CHILD_SA CONNECTION{1} > 06[IKE] establishing CHILD_SA CONNECTION{1} > 06[ENC] generating CREATE_CHILD_SA request 0 [ N(REKEY_SA) SA No TSi TSr ] > 06[NET] sending packet: from <local>[4500] to <remote>[4500] (220 bytes) > 14[NET] received packet: from <remote>[4500] to <local>[4500] (76 bytes) > 14[ENC] parsed CREATE_CHILD_SA response 0 [ N(NO_PROP) ] > 14[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built > 14[IKE] failed to establish CHILD_SA, keeping IKE_SA > 14[IKE] CHILD_SA rekeying failed, trying again in 30 seconds > > strongswan statusall: > Status of IKE charon daemon (strongSwan 5.4.0, Linux > 3.10.0-514.2.2.el7.x86_64, x86_64): > uptime: 57 minutes, since Feb 19 16:17:21 2017 > malloc: sbrk 2703360, mmap 0, used 522128, free 2181232 > worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, > scheduled: 5 > loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 > revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey > pem openssl gcrypt fips-prf gmp xcbc cmac hmac ctr ccm gcm curl attr > kernel-netlink resolve socket-default farp stroke vici updown eap-identity > eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic > xauth-eap xauth-pam xauth-noauth dhcp > Listening IP addresses: > <local> > Connections: > CONNECTION: <local>...<remote> IKEv2, dpddelay=30s > CONNECTION: local: [<local>] uses pre-shared key authentication > CONNECTION: remote: [<remote>] uses pre-shared key authentication > CONNECTION: child: 0.0.0.0/0 === 10.254.254.0/29 10.200.0.0/16 TUNNEL, > dpdaction=restart > Security Associations (1 up, 0 connecting): > CONNECTION[2]: ESTABLISHED 57 minutes ago, > <local>[<local>]...<remote>[<remote>] > CONNECTION[2]: IKEv2 SPIs: 01e5013ada90fe24_i 0fa0482414130fad_r*, > rekeying in 6 hours > CONNECTION[2]: IKE proposal: > AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 > CONNECTION{2}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c62f2d74_i > 066cf00c_o > CONNECTION{2}: AES_CBC_256/HMAC_SHA1_96, 37046 bytes_i (739 pkts, 2s > ago), 36233 bytes_o (741 pkts, 420s ago), rekeying active > CONNECTION{2}: 0.0.0.0/0 === 10.200.0.0/16 10.254.254.0/29 > > > Any idea why it would be doing that, even though the initial connection > succeeds? > > Thanks. > > > ipsec.conf: > config setup > > conn CONNECTION > closeaction=restart > dpdaction=restart > ike=aes256-sha1-modp1024! > esp=aes256-sha1! > reauth=no > keyexchange=ikev2 > ikelifetime=28800s > keylife=3600s > keyingtries=%forever > authby=secret > type=tunnel > forceencaps=yes > left=<local> > leftid=<local> > leftsubnet=0.0.0.0/0 > right=<remote> > rightid=<remote> > rightsubnet=10.254.254.0/29,10.200.0.0/16 > auto=start > -- > Beware of programmers who carry screwdrivers. > > -- Beware of programmers who carry screwdrivers.
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
