Hi all,
I have succeeded in connecting by adding the following line
esp=aes_gcm256,aes_gcm128,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1
to the config. The
esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024
line I've found in options doesn't work well with libreswan 4.5 I'm
using. Perhaps someone should update the cookbooks on the libreswan.org
site?
Thanks for the thought and all the help.
Kind regards,
Mirsad Todorovac
On 1/4/2022 10:38 PM, Mirsad Goran Todorovac wrote:
Hi all,
I have recreated the pub and priv certs according to the instructions
again. This time I was lucky and the connection made it through the
initial message exchange and SA negotiation.
However, when libreswan tries to negotiate CHILD SA, something goes
wrong, and it can't choose right ESP proposal. I tried to set it
manually (the recommended commented esp), but then even the first
phase doesn't come through:
Jan 4 22:19:06.408740: "MYCONN-ikev2-cp"[1] 94.253.211.242 #3: no local proposal matches remote proposals
1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED
2:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED
3:ESP:ENCR=3DES;INTEG=HMAC_SHA1_96;ESN=DISABLED
4:ESP:ENCR=DES(UNUSED);INTEG=HMAC_SHA1_96;ESN=DISABLED
5:ESP:ENCR=NULL;INTEG=HMAC_SHA1_96;ESN=DISABLED
Jan 4 22:19:06.408749: "MYCONN-ikev2-cp"[1] 94.253.211.242 #3: IKE_AUTH responder matching remote ESP/AH proposals failed, responder SA processing returned STF_FAIL+v2N_NO_PROPOSAL_CHOSEN
Jan 4 22:19:06.408756: | process_v2_childs_sa_payload returned STF_FAIL+v2N_NO_PROPOSAL_CHOSEN
Jan 4 22:19:06.408762: | should_send_delete: #3? no, IKEv2 SA in state STATE_V2_IKE_AUTH_CHILD_R0 is not established
Jan 4 22:19:06.408769: | deleting state (STATE_V2_IKE_AUTH_CHILD_R0) aged 0.001362s and NOT sending notification
Here is the session log:
https://domac.alu.hr/mtodorov/ikev2-20220104-06.log
/etc/ipsec.d/ikev2.conf:
conn MYCONN-ikev2-cp
    # The server's actual IP goes here - not elastic IPs
    left=161.53.235.3
    leftcert=vpn.alu.hr
    [email protected]
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftrsasigkey=%cert
    # Clients
    right=%any
    # your addresspool to use - you might need NAT rules if providing full internet to clients
    rightaddresspool=192.168.100.10-192.168.100.253
    # optional rightid with restrictions
    rightid="O=ALU-UNIZG,CN=win7client.alu.hr"
    rightca=%same
    rightrsasigkey=%cert
    #
    # connection configuration
    # DNS servers for clients to use
    modecfgdns=8.8.8.8,192.168.100.1
    # Versions up to 3.22 used modecfgdns1 and modecfgdns2
    #modecfgdns1=8.8.8.8
    #modecfgdns2=193.110.157.123
    narrowing=yes
    # recommended dpd/liveness to cleanup vanished clients
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    rekey=no
    #
    esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024
    # ikev2 fragmentation support requires libreswan 3.14 or newer
    fragmentation=yes
    # optional PAM username verification (eg to implement bandwidth quota)
    # pam-authorize=yes
--
Mirsad Goran Todorovac
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb
--
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
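Added example, not code from the thread or from libreswan: a small Python triage script for the situation above. It parses an esp= value written in libreswan's proposal syntax and the peer's proposal lines from the quoted pluto log, reports which ENCR/INTEG pairs the two sides share, and flags things an operator should look at before editing the algorithm list: an explicit "-null" integrity on an AEAD cipher, a pinned PFS group, and the DES, 3DES and NULL ciphers the client advertised. Run on the two esp= lines from this thread it shows that both share aes256-sha1 and aes128-sha1 with the client's first two proposals, so on algorithm names alone the quoted line should have matched; the script separates a genuine "no common algorithm" case from some other proposal problem, it does not diagnose what libreswan 4.5 objected to. It goes beyond the thread in accepting any esp= list and any such log excerpt. Assumptions: the IKEv2 names used for the GCM and SHA2 transforms (only the AES_CBC and HMAC_SHA1 names appear in the log), that a ";dh" suffix binds only to the proposal it follows, and that DH and ESN are ignored when matching.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# libreswan esp= algorithm names mapped to the IKEv2 transform names pluto
# prints. AES_CBC_* and HMAC_SHA1_96 appear in the quoted log; the GCM and
# SHA2 names are assumed from libreswan's usual naming.
ENCR_NAMES = {
    "aes": "AES_CBC_128", "aes128": "AES_CBC_128", "aes256": "AES_CBC_256",
    "aes_gcm": "AES_GCM_16_128", "aes_gcm128": "AES_GCM_16_128",
    "aes_gcm256": "AES_GCM_16_256", "3des": "3DES", "null": "NULL",
}
INTEG_NAMES = {
    "sha1": "HMAC_SHA1_96", "sha2_256": "HMAC_SHA2_256_128",
    "sha2_512": "HMAC_SHA2_512_256", "null": "NONE",
}
AEAD_ENCR = {"AES_GCM_16_128", "AES_GCM_16_256"}
WEAK_ENCR = {"DES", "3DES", "NULL"}   # obsolete or no confidentiality at all

@dataclass(frozen=True)
class Proposal:
    encr: str
    integ: str                 # "NONE" for AEAD, "ANY" if esp= named no integrity
    dh: Optional[str] = None   # PFS group from a ';modpNNNN' suffix
    raw: str = ""              # original text, kept for the review notes

def parse_esp(value: str) -> List[Proposal]:
    """Parse a libreswan esp= value ('enc-integ[;dh],...') into proposals.
    Assumption: a ';dh' suffix is attached only to the proposal it follows."""
    proposals = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        algs, _, dh = item.partition(";")
        parts = algs.split("-")
        encr_key = parts[0].lower()
        if encr_key not in ENCR_NAMES:
            raise ValueError(f"unknown ESP encryption algorithm: {parts[0]}")
        encr = ENCR_NAMES[encr_key]
        if len(parts) > 1:
            if parts[1].lower() not in INTEG_NAMES:
                raise ValueError(f"unknown ESP integrity algorithm: {parts[1]}")
            integ = INTEG_NAMES[parts[1].lower()]
        else:
            integ = "NONE" if encr in AEAD_ENCR else "ANY"
        proposals.append(Proposal(encr, integ, dh.strip() or None, item))
    return proposals

# The proposal lines pluto logs after "no local proposal matches remote proposals"
REMOTE_RE = re.compile(r"^\s*(\d+):ESP:ENCR=([^;]+);INTEG=([^;]+);ESN=(\w+)")

def parse_remote(log_text: str) -> List[Proposal]:
    """Extract the peer's ESP proposals from a pluto log excerpt, in log order."""
    found = []
    for line in log_text.splitlines():
        m = REMOTE_RE.match(line)
        if m:
            found.append(Proposal(m.group(2), m.group(3), None, line.strip()))
    return found

def find_matches(local: List[Proposal], remote: List[Proposal]) -> List[Tuple[int, int]]:
    """(local index, remote proposal number) pairs whose ENCR and INTEG agree.
    DH and ESN are ignored: this only answers whether any algorithm pair is shared."""
    pairs = []
    for i, l in enumerate(local):
        for n, r in enumerate(remote, start=1):
            if l.encr == r.encr and l.integ in ("ANY", r.integ):
                pairs.append((i, n))
    return pairs

def review(local: List[Proposal], remote: List[Proposal]) -> List[str]:
    """Points worth checking before blaming the algorithm list itself."""
    notes = []
    for i, l in enumerate(local):
        if l.encr in AEAD_ENCR and "-null" in l.raw.lower():
            notes.append(f"local #{i}: explicit '-null' integrity on AEAD cipher ({l.raw})")
        if l.dh:
            notes.append(f"local #{i}: pins PFS group {l.dh} ({l.raw})")
    for n, r in enumerate(remote, start=1):
        if r.encr.split("(")[0] in WEAK_ENCR:   # 'DES(UNUSED)' -> 'DES'
            notes.append(f"remote #{n}: peer offers weak/obsolete encryption {r.encr}")
    return notes

# The two esp= lines from the thread and the peer's proposals copied from the quoted log.
WORKING_ESP = "aes_gcm256,aes_gcm128,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1"
QUOTED_ESP = ("aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,"
              "aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024")
LOG_EXCERPT = """\
1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED
2:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED
3:ESP:ENCR=3DES;INTEG=HMAC_SHA1_96;ESN=DISABLED
4:ESP:ENCR=DES(UNUSED);INTEG=HMAC_SHA1_96;ESN=DISABLED
5:ESP:ENCR=NULL;INTEG=HMAC_SHA1_96;ESN=DISABLED
"""

if __name__ == "__main__":
    remote = parse_remote(LOG_EXCERPT)
    for label, esp in (("quoted", QUOTED_ESP), ("working", WORKING_ESP)):
        local = parse_esp(esp)
        print(label, "algorithm matches (local index, remote number):", find_matches(local, remote))
        for note in review(local, remote):
            print("  ", note)
```

Feed it the esp= value under test and the block of numbered proposal lines copied from the pluto log; an empty match list means the client and server truly share no cipher/integrity pair, while a non-empty list with NO_PROPOSAL_CHOSEN in the log points at something other than the algorithm names.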
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan