[strongSwan] strongswan 4.3.6 IKEv1 not working for 3des-sha1

2010-11-17 Thread anand rao
Hi, I am trying to establish a tunnel in transport mode between two hosts. I am using strongswan 4.3.6 on both sides. When I use the default configuration or the AES algorithm, the tunnel establishes successfully. But if I use the 3des algorithm (ike=3des-sha1-modp1536) I am getting the following errors. Nov

Re: [strongSwan] strongswan 4.3.6 IKEv1 not working for 3des-sha1

2010-11-17 Thread anand rao
I am using the openssl plugin for crypto. The result of ipsec statusall is 000 Status of IKEv1 pluto daemon (strongSwan 4.3.6): 000 interface eth2/eth2 fec0::ef01:500 000 interface eth0/eth0 fec0::ee01:500 000 interface lo/lo ::1:500 000 interface lo/lo 127.0.0.1:500 000 interface eth0/eth0 1.1.1.1:500

Re: [strongSwan] strongswan 4.3.6 IKEv1 not working for 3des-sha1

2010-11-17 Thread Andreas Steffen
Hi Anand, I doubt that you are running strongSwan 4.3.6 on both sides because the peer sends some Vendor IDs which pluto does not recognize ;-) Pluto cannot decrypt the first encrypted IKE message. This usually means that either the Pre-Shared Secrets configured by each side are not equal (you

Re: [strongSwan] Authentication Problem using certificates

2010-11-17 Thread Andreas Steffen
Hello Laurence, the normal thing to do is to put the end entity certificate MyBTS1.pem with subject DN C=DE, O=Alcatel-Lucent, OU=Wireless, CN=SWAN into /etc/ipsec.d/certs/ and the root CA certificate with subject DN C=DE, ST=Germany, L=Stuttgart, O=Alcatel-Lucent, OU=Wireless, CN=SwanRoot

Re: [strongSwan] StrongSwan to accept IKE initiated from other end?

2010-11-17 Thread Andreas Steffen
Hello Bill, which socket plugin are you using for charon? (The command ipsec statusall shows a list of all loaded plugins.) If both charon and pluto are running you *must* load the socket-raw plugin and if charon only is running then you *can* use either the socket-default plugin which binds to

Re: [strongSwan] charon too long to start...

2010-11-17 Thread Andreas Steffen
Probably XFRM is not enabled in the kernel. Have a look at the list of kernel modules which have to be activated: http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules Regards Andreas On 11/17/2010 08:51 PM, Zorgh wrote: Hi, I got error charon too long to start... - kill kill. Can

Re: [strongSwan] StrongSwan to accept IKE initiated from other end?

2010-11-17 Thread William Greene
Charon and socket-raw. The SA listed was started from Strongswan to the far end. Thanks, Bill [r...@kap8 etc]# ipsec statusall Status of IKEv2 charon daemon (strongSwan 4.5.0): uptime: 112 minutes, since Nov 17 14:01:20 2010 malloc: sbrk 253952, mmap 0, used 158000, free 95952 worker

Re: [strongSwan] charon too long to start...

2010-11-17 Thread Andreas Steffen
Assuming from your /# prompt you are starting charon as root. So this cannot be the reason that charon can't bind to the XFRM socket. Andreas On 11/17/2010 10:11 PM, Zorgh wrote: On 17/11/2010 21:56, Andreas Steffen wrote: Probably XFRM is not enabled in the kernel. Have a look at the list