Hello Marc,

it would be helpful if you would tell us which IKE proposal
was chosen by the Juniper box with strongswan 2.8.0.

Have you tried

   ike=aes128,3des ?

Regards

Andreas

Marc Giger wrote:
> Hi,
> 
> I've had a working setup with strongswan 2.8.0 for connecting
> to a juniper ipsec gateway. The same setup fails with newer
> strongswan versions. I've tried 4.2.17 and 4.3.5. Both are
> failing with the following log entry:
> 
> Dec 20 22:13:03 mgi ipsec_starter[5437]: Starting strongSwan 4.3.5 IPsec [starter]...
> Dec 20 22:13:03 mgi pluto[5448]: Starting IKEv1 pluto daemon (strongSwan 4.3.5) THREADS VENDORID
> Dec 20 22:13:03 mgi pluto[5448]: loaded plugins: aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem hmac gmp
> Dec 20 22:13:03 mgi pluto[5448]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
> Dec 20 22:13:03 mgi pluto[5448]:   including NAT-Traversal patch (Version 0.6c)
> Dec 20 22:13:03 mgi pluto[5448]: | xauth module: using default get_secret() function
> Dec 20 22:13:03 mgi pluto[5448]: | xauth module: using default verify_secret() function
> Dec 20 22:13:03 mgi pluto[5448]: Using Linux 2.6 IPsec interface code
> Dec 20 22:13:03 mgi ipsec_starter[5445]: pluto (5448) started after 20 ms
> Dec 20 22:13:03 mgi pluto[5448]: loading ca certificates from '/etc/ipsec.d/cacerts'
> Dec 20 22:13:03 mgi pluto[5448]: loading aa certificates from '/etc/ipsec.d/aacerts'
> Dec 20 22:13:03 mgi pluto[5448]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
> Dec 20 22:13:03 mgi pluto[5448]: Changing to directory '/etc/ipsec.d/crls'
> Dec 20 22:13:03 mgi pluto[5448]: loading attribute certificates from '/etc/ipsec.d/acerts'
> Dec 20 22:13:03 mgi pluto[5448]: | inserting event EVENT_LOG_DAILY, timeout in 6417 seconds
> Dec 20 22:13:03 mgi pluto[5448]: | next event EVENT_REINIT_SECRET in 3600 seconds
> Dec 20 22:13:03 mgi pluto[5448]: |
> Dec 20 22:13:03 mgi pluto[5448]: | *received whack message
> Dec 20 22:13:03 mgi pluto[5448]: listening for IKE messages
> Dec 20 22:13:03 mgi pluto[5448]: | found lo with address 127.0.0.1
> Dec 20 22:13:03 mgi pluto[5448]: | found br0 with address 10.0.0.1
> Dec 20 22:13:03 mgi pluto[5448]: | found wlan0 with address 192.168.0.5
> Dec 20 22:13:03 mgi pluto[5448]: adding interface wlan0/wlan0 192.168.0.5:500
> Dec 20 22:13:03 mgi pluto[5448]: adding interface wlan0/wlan0 192.168.0.5:4500
> Dec 20 22:13:03 mgi pluto[5448]: adding interface br0/br0 10.0.0.1:500
> Dec 20 22:13:03 mgi pluto[5448]: adding interface br0/br0 10.0.0.1:4500
> Dec 20 22:13:03 mgi pluto[5448]: adding interface lo/lo 127.0.0.1:500
> Dec 20 22:13:03 mgi pluto[5448]: adding interface lo/lo 127.0.0.1:4500
> Dec 20 22:13:03 mgi pluto[5448]: | found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
> Dec 20 22:13:03 mgi pluto[5448]: | found wlan0 with address fd01:ab11:c742:0000:0000:0000:0000:0005
> Dec 20 22:13:03 mgi pluto[5448]: adding interface wlan0/wlan0 fd01:ab11:c742::5:500
> Dec 20 22:13:03 mgi pluto[5448]: adding interface lo/lo ::1:500
> Dec 20 22:13:03 mgi pluto[5448]: loading secrets from "/etc/ipsec.secrets"
> Dec 20 22:13:03 mgi pluto[5448]:   loaded private key from 'mgi-Key.pem'
> Dec 20 22:13:03 mgi pluto[5448]: | next event EVENT_REINIT_SECRET in 3600 seconds
> Dec 20 22:13:03 mgi pluto[5448]: |
> Dec 20 22:13:03 mgi pluto[5448]: | *received whack message
> Dec 20 22:13:03 mgi pluto[5448]: | from whack: got --esp=aes128-sha1,3des-sha1
> Dec 20 22:13:03 mgi pluto[5448]: | esp proposal: AES_CBC_128/HMAC_SHA1, 3DES_CBC/HMAC_SHA1,
> Dec 20 22:13:03 mgi pluto[5448]: | from whack: got --ike=aes128-sha1-modp2048,3des-sha1-modp1536
> Dec 20 22:13:03 mgi pluto[5448]: | ike proposal: AES_CBC_128/HMAC_SHA1/MODP_2048, 3DES_CBC/HMAC_SHA1/MODP_1536,
> Dec 20 22:13:03 mgi pluto[5448]:   loaded host certificate from '/etc/ipsec.d/certs/mgi.pem'
> Dec 20 22:13:03 mgi pluto[5448]: | certificate is valid
> Dec 20 22:13:03 mgi pluto[5448]: |   x509 cert inserted
> Dec 20 22:13:03 mgi pluto[5448]: added connection description "roadwarrior"
> Dec 20 22:13:03 mgi pluto[5448]: | 192.168.0.5/32===192.168.0....@y.z]---192.168.0.100...xxx.xxx.xxx.xxx[x.y.z]===192.168.26.0/24
> Dec 20 22:13:03 mgi pluto[5448]: | ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1; policy: PUBKEY+ENCRYPT+TUNNEL+PFS
> Dec 20 22:13:03 mgi pluto[5448]: | next event EVENT_REINIT_SECRET in 3600 seconds
> Dec 20 22:13:03 mgi pluto[5448]: |
> Dec 20 22:13:03 mgi pluto[5448]: | *received whack message
> Dec 20 22:13:03 mgi pluto[5448]: | creating state object #1 at 0x18e6760
> Dec 20 22:13:03 mgi pluto[5448]: | ICOOKIE:  3f 0a c4 e8  8a 9f 89 fe
> Dec 20 22:13:03 mgi pluto[5448]: | RCOOKIE:  00 00 00 00  00 00 00 00
> Dec 20 22:13:03 mgi pluto[5448]: | peer:  c1 f7 79 a5
> Dec 20 22:13:03 mgi pluto[5448]: | state hash entry 23
> Dec 20 22:13:03 mgi pluto[5448]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
> Dec 20 22:13:03 mgi pluto[5448]: | Queuing pending Quick Mode with xxx.xxx.xxx.xxx "roadwarrior"
> Dec 20 22:13:03 mgi pluto[5448]: "roadwarrior" #1: initiating Main Mode
> Dec 20 22:13:03 mgi pluto[5448]: | ike proposal: AES_CBC_128/HMAC_SHA1/MODP_2048, 3DES_CBC/HMAC_SHA1/MODP_1536,
> Dec 20 22:13:03 mgi pluto[5448]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
> Dec 20 22:13:03 mgi pluto[5448]: | next event EVENT_RETRANSMIT in 10 seconds for #1
> Dec 20 22:13:03 mgi pluto[5448]: |
> Dec 20 22:13:03 mgi pluto[5448]: | *received 64 bytes from xxx.xxx.xxx.xxx:500 on wlan0
> Dec 20 22:13:03 mgi pluto[5448]: | ICOOKIE:  3f 0a c4 e8  8a 9f 89 fe
> Dec 20 22:13:03 mgi pluto[5448]: | RCOOKIE:  c8 79 38 ab  0b 51 25 79
> Dec 20 22:13:03 mgi pluto[5448]: | peer:  c1 f7 79 a5
> Dec 20 22:13:03 mgi pluto[5448]: | state hash entry 5
> Dec 20 22:13:03 mgi pluto[5448]: | state object not found
> Dec 20 22:13:03 mgi pluto[5448]: packet from xxx.xxx.xxx.xxx:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
> 
> I've tried different combinations of esp= and ike= configuration settings 
> without luck.
> The old working config:
> 
> version 2.0
> 
> config setup
>         interfaces=%defaultroute
>         nat_traversal=yes
>         #strictcrlpolicy=no
>         #klipsdebug=all
>         plutodebug=control
>         #plutodebug=all
>         #overridemtu=500
>         #plutowait=yes
>         #nhelpers=0
>         charonstart=no
> 
> conn %default
>         keyingtries=1
>         compress=no
>         authby=rsasig
>         leftrsasigkey=%cert
>         rightrsasigkey=%cert
>         #esp=aes128-sha1
>         #ike=aes128-sha1-modp1024
>         #ike=aes128-sha-modp1024
>         #esp=aes128-sha1
>         #ike=3des-md5-modp1536
>         #esp=3des-md5
>         #ike=3des-md5-modp1536
>         #esp=3des-md5
> 
> conn roadwarrior
>         #left=%defaultroute
>         left=xxx.xxx.xxx.xxx
>         leftsubnet=192.168.26.0/24
>         leftsendcert=always
>         leftid="@xy.z"
>         right=%defaultroute
>         rightsendcert=always
>         rightid="x...@y.z"
>         rightsubnet=192.168.0.5/32
>         rightcert=mgi.pem
>         auto=start
>         pfs=yes
> 
> What needs to be done to get this running again?
> Thank you!
> 
> Kind Regards
> 
> Marc

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org

Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
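The negotiation failure discussed above, as an added example that is not part of this thread and not strongSwan code: the pluto log shows the initiator offering AES_CBC_128/HMAC_SHA1/MODP_2048 and 3DES_CBC/HMAC_SHA1/MODP_1536 (every ike= line in the quoted ipsec.conf is commented out, so these are the values starter passed to pluto by default) and the peer answering with NO_PROPOSAL_CHOSEN, i.e. none of the offered IKE transforms matched the responder's policy. The Python below pulls the offered proposals and that notification out of a constructed log excerpt (the relevant lines from the post, rejoined), parses an ike= value the way one would try it in ipsec.conf, and checks the offer against a responder policy to show which value would produce a match. The policy in HYPOTHETICAL_PEER is invented for the example, since nothing in the thread says what the Juniper gateway accepts, and treating an omitted hash or DH group as a wildcard is a simplification of how pluto fills in defaults.

```python
import re

# Constructed log excerpt: the proposal and notification lines from the post,
# with the wrapped entries rejoined onto single lines.
SAMPLE_LOG = """\
Dec 20 22:13:03 mgi pluto[5448]: | from whack: got --esp=aes128-sha1,3des-sha1
Dec 20 22:13:03 mgi pluto[5448]: | esp proposal: AES_CBC_128/HMAC_SHA1, 3DES_CBC/HMAC_SHA1,
Dec 20 22:13:03 mgi pluto[5448]: | from whack: got --ike=aes128-sha1-modp2048,3des-sha1-modp1536
Dec 20 22:13:03 mgi pluto[5448]: | ike proposal: AES_CBC_128/HMAC_SHA1/MODP_2048, 3DES_CBC/HMAC_SHA1/MODP_1536,
Dec 20 22:13:03 mgi pluto[5448]: "roadwarrior" #1: initiating Main Mode
Dec 20 22:13:03 mgi pluto[5448]: | ike proposal: AES_CBC_128/HMAC_SHA1/MODP_2048, 3DES_CBC/HMAC_SHA1/MODP_1536,
Dec 20 22:13:03 mgi pluto[5448]: packet from xxx.xxx.xxx.xxx:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
"""

PROPOSAL_RE = re.compile(r"\| (ike|esp) proposal: (.*)$")
NPC_RE = re.compile(r"informational payload, type NO_PROPOSAL_CHOSEN")

# ipsec.conf keyword -> name pluto prints in its "proposal:" debug lines
ENC = {"aes128": "AES_CBC_128", "aes192": "AES_CBC_192",
       "aes256": "AES_CBC_256", "3des": "3DES_CBC"}
INTEG = {"sha1": "HMAC_SHA1", "md5": "HMAC_MD5"}

# Hypothetical responder policy, invented for this example: the thread does
# not say which transforms the Juniper gateway actually accepts.
HYPOTHETICAL_PEER = [
    ("3DES_CBC", "HMAC_MD5", "MODP_1024"),
    ("AES_CBC_128", "HMAC_SHA1", "MODP_1024"),
]


def parse_log(log):
    """Collect the transforms pluto logged as offered, plus whether the peer
    answered with NO_PROPOSAL_CHOSEN. A transform is the tuple of the
    slash-separated names pluto prints, e.g. ("AES_CBC_128", "HMAC_SHA1", "MODP_2048").
    pluto prints the IKE proposal at config load and again at initiation,
    so duplicates are dropped while the offer order is kept."""
    out = {"ike": [], "esp": [], "no_proposal_chosen": False}
    for line in log.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            kind, body = m.groups()
            for item in body.split(","):
                item = item.strip()
                if item:
                    t = tuple(item.split("/"))
                    if t not in out[kind]:
                        out[kind].append(t)
        elif NPC_RE.search(line):
            out["no_proposal_chosen"] = True
    return out


def parse_conf(spec):
    """Parse an ipsec.conf ike= value of the form enc[-hash[-dhgroup]],...
    (e.g. "aes128-sha1-modp2048,3des-sha1-modp1536" or just "aes128,3des").
    A missing hash or DH group is returned as None: in ipsec.conf that means
    pluto fills in its defaults; negotiate() below treats it as a wildcard,
    which is a simplification made for this example."""
    props = []
    for item in spec.split(","):
        parts = item.strip().split("-")
        enc = ENC[parts[0]]
        integ = INTEG[parts[1]] if len(parts) > 1 else None
        dh = None
        if len(parts) > 2:
            m = re.fullmatch(r"modp(\d+)", parts[2])
            if not m:
                raise ValueError("unsupported DH group: " + parts[2])
            dh = "MODP_" + m.group(1)
        props.append((enc, integ, dh))
    return props


def negotiate(offered, peer_accepts):
    """Model of the responder's choice: the first transform in the
    initiator's order that the peer's policy accepts, or None, which
    corresponds to the NO_PROPOSAL_CHOSEN notification seen in the log."""
    for enc, integ, dh in offered:
        for p_enc, p_integ, p_dh in peer_accepts:
            if enc == p_enc and integ in (None, p_integ) and dh in (None, p_dh):
                return (p_enc, p_integ, p_dh)
    return None


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("offered IKE:", parsed["ike"])
    print("peer sent NO_PROPOSAL_CHOSEN:", parsed["no_proposal_chosen"])
    print("model result for logged offer:", negotiate(parsed["ike"], HYPOTHETICAL_PEER))
    for spec in ("aes128,3des", "aes128-sha1-modp1024", "3des-md5-modp1536"):
        print("ike=%s ->" % spec, negotiate(parse_conf(spec), HYPOTHETICAL_PEER))
```

Against the invented policy the logged offer yields None (no overlap on the DH group), while ike=aes128,3des or an explicit modp1024 entry matches. In practice the right move is the one asked for in the reply above: establish which proposal the gateway actually chose with the 2.8.0 setup and offer exactly that overlap, rather than widening the ike= list until something sticks, since the candidates that tend to make an old gateway happy (3DES, MD5, modp1024) are also the weakest ones.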