Hello! It looks like there are some problems with strongSwan connectivity. (I've tried both on Android and Linux.) Or I'm doing something wrong. I've set up everything as per instructions, I am able to connect from the Windows 10 native client, but connecting from strongSwan fails with logs like:
packet from 188.233.186.70:58230: roadwarriors IKE proposals for initial responder: 1:IKE:ENCR=AES_GCM_C_256,AES_GCM_C_128;PRF=HMAC_SHA2_256;INTEG=NONE;DH=ECP_256 2:IKE:ENCR=AES_CBC_256,AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256 3:IKE:ENCR=SERPENT_CBC_256,SERPENT_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256 4:IKE:ENCR=AES_CBC_256,AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1024
packet from 188.233.186.70:58230: proposal 2:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_256;DH=ECP_256 chosen from: 1:IKE:ENCR=AES_CBC_128;ENCR=AES_CBC_192;ENCR=AES_CBC_256;ENCR=3DES;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA1_96;INTEG=AES_XCBC_96;PRF=HMAC_SHA2_256;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_512;PRF=AES128_XCBC;PRF=HMAC_SHA1;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=BRAINPOOL_P256R1;DH=BRAINPOOL_P384R1;DH=BRAINPOOL_P512R1;DH=CURVE25519;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=MODP2048[first-match] 2:IKE:ENCR=AES_GCM_C_128;ENCR=AES_GCM_C_192;ENCR=AES_GCM_C_256;ENCR=CHACHA20_POLY1305_256;ENCR=AES_GCM_B_128;ENCR=AES_GCM_B_192;ENCR=AES_GCM_B_256;ENCR=AES_GCM_A_128;ENCR=AES_GCM_A_192;ENCR=AES_GCM_A_256;PRF=HMAC_SHA2_256;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_512;PRF=AES128_XCBC;PRF=HMAC_SHA1;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=BRAINPOOL_P256R1;DH=BRAINPOOL_P384R1;DH=BRAINPOOL_P512R1;DH=CURVE25519;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=MODP2048[better-match]
"roadwarriors"[1] 188.233.186.70 #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_gcm_16_256 integ=n/a prf=sha2_256 group=DH19}
"roadwarriors"[1] 188.233.186.70 #1: certificate verified OK: C=RU,ST=Volgograd oblast,L=Volgograd,O=eQueo IPSec,OU=IT Dept.,CN=j.doe
"roadwarriors"[1] 188.233.186.70 #1: No matching subjectAltName found
"roadwarriors"[1] 188.233.186.70 #1: certificate does not contain ID_IP subjectAltName=188.233.186.70
"roadwarriors"[1] 188.233.186.70 #1: Peer public key SubjectAltName does not match peer ID for this connection
"roadwarriors"[1] 188.233.186.70 #1: switched from "roadwarriors"[1] 188.233.186.70 to "roadwarriors"
"roadwarriors"[2] 188.233.186.70 #1: deleting connection "roadwarriors"[1] 188.233.186.70 instance with peer 188.233.186.70 {isakmp=#0/ipsec=#0}
"roadwarriors"[2] 188.233.186.70 #1: certificate verified OK: C=RU,ST=Volgograd oblast,L=Volgograd,O=eQueo IPSec,OU=IT Dept.,CN=j.doe
"roadwarriors"[2] 188.233.186.70 #1: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'CN=j.doe, OU=IT Dept., O=eQueo IPSec, L=Volgograd, ST=Volgograd oblast, C=RU'
"roadwarriors"[2] 188.233.186.70 #1: DigSig: no compatible DigSig hash algo
| ikev2_parent_inI2outR2_tail returned STF_FAIL with v2N_NO_PROPOSAL_CHOSEN
"roadwarriors"[2] 188.233.186.70 #1: sending unencrypted notification v2N_NO_PROPOSAL_CHOSEN to 188.233.186.70:59155
packet from 188.233.186.70:59155: sending unencrypted notification v2N_INVALID_IKE_SPI to 188.233.186.70:59155
packet from 188.233.186.70:59155: sending unencrypted notification v2N_INVALID_IKE_SPI to 188.233.186.70:59155
packet from 188.233.186.70:59155: sending unencrypted notification v2N_INVALID_IKE_SPI to 188.233.186.70:59155
packet from 188.233.186.70:59155: sending unencrypted notification v2N_INVALID_IKE_SPI to 188.233.186.70:59155
packet from 188.233.186.70:59155: sending unencrypted notification v2N_INVALID_IKE_SPI to 188.233.186.70:59155
packet from 188.233.186.70:59155: sending unencrypted notification v2N_INVALID_IKE_SPI to 188.233.186.70:59155
packet from 188.233.186.70:59155: sending unencrypted notification v2N_INVALID_IKE_SPI to 188.233.186.70:59155
packet from 188.233.186.70:59155: sending unencrypted notification v2N_INVALID_IKE_SPI to 188.233.186.70:59155
packet from 188.233.186.70:59155: sending unencrypted notification v2N_INVALID_IKE_SPI to 188.233.186.70:59155
packet from 188.233.186.70:59155: sending unencrypted notification v2N_INVALID_IKE_SPI to 188.233.186.70:59155

The config is:

config setup
    protostack = netkey
    uniqueids = no

conn roadwarriors
    ikev2=insist
    mobike=yes
    fragmentation=yes
    narrowing=yes
    left=1.2.3.4
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftcert="Main IPSec Gateway"
    leftid=%fromcert
    leftrsasigkey=%cert
    leftxauthserver=yes
    leftmodecfgserver=yes
    right=%any
    rightca=%same
    rightrsasigkey=%cert
    rightaddresspool=100.64.0.0-100.64.0.254
    rightxauthclient=yes
    rightmodecfgclient=yes
    modecfgdns="1.1.1.1,8.8.8.8"
    modecfgpull=yes
    ike=aes_gcm_c-sha2;dh19,aes-sha2;dh19,serpent-sha2;dh19,aes-sha2;modp1024
    phase2=esp
    authby=rsasig
    xauthby=alwaysok
    auto=add
    rekey=no
    dpddelay=30

I am running CentOS 7 with libreswan 3.23 on the "left" side. Any ideas? Thanks!
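Added example, not part of the post and not libreswan code: a small Python script that parses the two pluto proposal lines quoted above and replays the IKE_SA_INIT proposal selection. It reproduces the logged choice (client proposal 2, AES_GCM_C_256 / HMAC_SHA2_256 / ECP_256, matched against gateway proposal 1) and also lists the legacy algorithms each side still offers, such as the modp1024 group in the gateway's ike= line. The two log lines are copied from the post; the selection rule in select_proposal() is a simplified reading of RFC 7296 section 3.3 and is an assumption, not pluto's implementation; the LEGACY set is this example's own list. It does not model the later IKE_AUTH step, which is where the log actually fails ("DigSig: no compatible DigSig hash algo" precedes the v2N_NO_PROPOSAL_CHOSEN), so the cipher proposal negotiation itself is not what broke here.

```python
"""Replay pluto's IKEv2 proposal selection from the two log lines in the post.

Added example for this thread, not libreswan code.  The log lines are copied
from the post; select_proposal() is a simplified reading of RFC 7296 section
3.3, not pluto's code; LEGACY is this example's own list of algorithms that
should no longer be offered.
"""
import re

# Constructed input: the gateway's proposals (built from its ike= line) and the
# client's proposals, exactly as pluto logged them in the post.
RESPONDER_LINE = (
    "packet from 188.233.186.70:58230: roadwarriors IKE proposals for initial responder: "
    "1:IKE:ENCR=AES_GCM_C_256,AES_GCM_C_128;PRF=HMAC_SHA2_256;INTEG=NONE;DH=ECP_256 "
    "2:IKE:ENCR=AES_CBC_256,AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256 "
    "3:IKE:ENCR=SERPENT_CBC_256,SERPENT_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256 "
    "4:IKE:ENCR=AES_CBC_256,AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1024"
)
INITIATOR_LINE = (
    "packet from 188.233.186.70:58230: proposal 2:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_256;DH=ECP_256 "
    "chosen from: 1:IKE:ENCR=AES_CBC_128;ENCR=AES_CBC_192;ENCR=AES_CBC_256;ENCR=3DES;"
    "INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA1_96;"
    "INTEG=AES_XCBC_96;PRF=HMAC_SHA2_256;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_512;PRF=AES128_XCBC;"
    "PRF=HMAC_SHA1;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=BRAINPOOL_P256R1;DH=BRAINPOOL_P384R1;"
    "DH=BRAINPOOL_P512R1;DH=CURVE25519;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=MODP2048[first-match] "
    "2:IKE:ENCR=AES_GCM_C_128;ENCR=AES_GCM_C_192;ENCR=AES_GCM_C_256;ENCR=CHACHA20_POLY1305_256;"
    "ENCR=AES_GCM_B_128;ENCR=AES_GCM_B_192;ENCR=AES_GCM_B_256;ENCR=AES_GCM_A_128;ENCR=AES_GCM_A_192;"
    "ENCR=AES_GCM_A_256;PRF=HMAC_SHA2_256;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_512;PRF=AES128_XCBC;"
    "PRF=HMAC_SHA1;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=BRAINPOOL_P256R1;DH=BRAINPOOL_P384R1;"
    "DH=BRAINPOOL_P512R1;DH=CURVE25519;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=MODP2048[better-match]"
)
# 1024-bit-and-smaller MODP groups, 3DES and MD5/SHA-1 HMACs: deprecated, flag them.
LEGACY = {"MODP768", "MODP1024", "MODP1536", "3DES",
          "HMAC_MD5", "HMAC_MD5_96", "HMAC_SHA1", "HMAC_SHA1_96"}


def parse_proposals(text):
    """{number: {type: [algs in listed order]}}; accepts ENCR=a,b and ENCR=a;ENCR=b.
    INTEG=NONE (an AEAD proposal) becomes "no INTEG key", so AEAD and non-AEAD
    proposals never look compatible by accident."""
    proposals = {}
    for num, body in re.findall(r"(\d+):IKE:([A-Z0-9_=,;]+)", text):
        algs = {}
        for item in body.split(";"):
            ttype, names = item.split("=", 1)
            for name in names.split(","):
                if not (ttype == "INTEG" and name == "NONE"):
                    algs.setdefault(ttype, []).append(name)
        proposals[int(num)] = algs
    return proposals

def parse_log(responder_line, initiator_line):
    """Split the two pluto lines into (local, remote, logged_choice)."""
    local = parse_proposals(responder_line.split("for initial responder:", 1)[1])
    head, tail = initiator_line.split(" chosen from:", 1)
    return local, parse_proposals(tail), parse_proposals(head.split("proposal ", 1)[1])

def _compatible(local, remote):
    """Same transform types on both sides and a shared algorithm for each."""
    return set(local) == set(remote) and all(set(local[t]) & set(remote[t]) for t in local)

def select_proposal(local, remote):
    """Simplified responder rule (an assumption, not pluto's code): pair each
    initiator proposal with its best-ranked compatible local proposal, keep the
    pairing that ranks best locally, then per transform type take the local
    side's first algorithm the initiator also listed.
    Returns (initiator_no, local_no, {type: alg}) or None."""
    best = None
    for rnum in sorted(remote):
        for lnum in sorted(local):
            if _compatible(local[lnum], remote[rnum]):
                if best is None or lnum < best[1]:
                    best = (rnum, lnum)
                break
    if best is None:
        return None
    rnum, lnum = best
    return rnum, lnum, {t: next(a for a in local[lnum][t] if a in remote[rnum][t])
                        for t in local[lnum]}

def legacy_algorithms(proposals):
    """{proposal number: sorted legacy algorithms it offers}, omitting clean ones."""
    found = {}
    for num, algs in proposals.items():
        hits = sorted(a for names in algs.values() for a in names if a in LEGACY)
        if hits:
            found[num] = hits
    return found

def replay_matches_log(responder_line=RESPONDER_LINE, initiator_line=INITIATOR_LINE):
    """True when the replayed selection equals the proposal pluto logged as chosen."""
    local, remote, chosen = parse_log(responder_line, initiator_line)
    picked = select_proposal(local, remote)
    return picked is not None and chosen == {picked[0]: {t: [a] for t, a in picked[2].items()}}

if __name__ == "__main__":
    local, remote, _ = parse_log(RESPONDER_LINE, INITIATOR_LINE)
    print("selected:", select_proposal(local, remote), "agrees with pluto:", replay_matches_log())
    print("legacy in gateway ike= line:", legacy_algorithms(local))
    print("legacy offered by client:", legacy_algorithms(remote))
```

Run it as-is to see the replay agree with the "[better-match]" line: the client's CBC proposal 1 is matched first by gateway proposal 2, then the client's AEAD proposal 2 matches gateway proposal 1, which ranks higher locally and wins. The legacy report shows why the last ike= entry (aes-sha2;modp1024) could never be selected by this client anyway: the client offers no MODP1024 group.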
_______________________________________________ Swan mailing list Swan@lists.libreswan.org https://lists.libreswan.org/mailman/listinfo/swan