Hello Bill, it seems that the Mocana client wants to do Perfect Forward Secrecy (PFS) in the CHILD_SA but strongSwan hasn't enabled PFS:
esp=aes256gcm16,aes128gcm16! Try esp=aes256gcm16-modp1024-modp2048,aes128gcm16-modp1024-modp2048! Regards Andreas On 11/13/2010 04:16 PM, William Greene wrote: > > I am perplexed. It looks to me like both sides could agree on a proposal > but do not for some reason. I'm trying to set up an ipsec connection > between StrongSwan on CentOS linux and a Mocana stack implementation on > an embedded Linux device. I'm new to StrongSwan and if anyone can > provide some guidance or suggestions, I'd be mucho appreciative. I've > attached some relevant information below. > > Thanks in advance, > Bill > > > Nov 12 16:50:17 13[ENC] found payload of type TRAFFIC_SELECTOR_RESPONDER > Nov 12 16:50:17 13[ENC] parsed CREATE_CHILD_SA request 13 [ > N(USE_TRANSP) SA No KE TSi TSr ] > Nov 12 16:50:17 13[LIB] size of DH secret exponent: 1023 bits > Nov 12 16:50:17 13[CFG] looking for a child config for > 10.168.80.8/32[icmp] === 10.168.65.1/32[icmp] > Nov 12 16:50:17 13[CFG] proposing traffic selectors for us: > Nov 12 16:50:17 13[CFG] 10.168.80.8/32 (derived from dynamic) > Nov 12 16:50:17 13[CFG] proposing traffic selectors for other: > Nov 12 16:50:17 13[CFG] 10.168.65.1/32 (derived from dynamic) > Nov 12 16:50:17 13[CFG] candidate "testipsec" with prio 1+1 > Nov 12 16:50:17 13[CFG] found matching child config "testipsec" with prio 2 > Nov 12 16:50:17 13[CFG] selecting proposal: > Nov 12 16:50:17 13[CFG] no acceptable DIFFIE_HELLMAN_GROUP found > Nov 12 16:50:17 13[CFG] selecting proposal: > Nov 12 16:50:17 13[CFG] no acceptable DIFFIE_HELLMAN_GROUP found > Nov 12 16:50:17 13[CFG] received proposals: > ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/HMAC_SHA2_256_128/MODP_1024/MODP_768/MODP_1536/MODP_2048/MODP_NONE/NO_EXT_SEQ > Nov 12 16:50:17 13[CFG] configured proposals: > ESP:AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_GCM_16_128/NO_EXT_SEQ > Nov 12 16:50:17 13[IKE] no acceptable proposal found > Nov 12 16:50:17 13[ENC] added payload of type NOTIFY to message > Nov 12 16:50:17 13[ENC] added payload of type NOTIFY to message > Nov 12 16:50:17 13[ENC] generating CREATE_CHILD_SA response 13 [ > N(NO_PROP) ] > Nov 12 16:50:17 13[ENC] insert payload NOTIFY to encryption payload > Nov 12 16:50:17 13[ENC] generating payload of type HEADER > > > [r...@kap8 etc]# ipsec statusall > Status of IKEv2 charon daemon (strongSwan 4.5.0): > uptime: 4 minutes, since Nov 12 16:48:36 2010 > malloc: sbrk 253952, mmap 0, used 175408, free 78544 > worker threads: 9 idle of 16, job queue load: 0, scheduled events: 2 > loaded plugins: aes des sha1 sha2 md5 random x509 revocation pubkey > pkcs1 pgp pem openssl gcrypt fips-prf gmp xcbc hmac gcm attr > kernel-netlink resolve socket-raw stroke updown > Listening IP addresses: > 10.168.80.8 > 2005:a8::21e:c9ff:feff:124 > 2004:a8::21e:c9ff:feff:124 > Connections: > testipsec: 10.168.80.8...10.168.65.1 > testipsec: local: [10.168.80.8] uses pre-shared key authentication > testipsec: remote: [10.168.65.1] uses any authentication > testipsec: child: dynamic === dynamic > Security Associations: > testipsec[1]: ESTABLISHED 3 minutes ago, > 10.168.80.8[10.168.80.8]...10.168.65.1[10.168.65.1] > testipsec[1]: IKE SPIs: 94ffc82723b04b1b_i* 07df56bf80bfe16f_r, > pre-shared key reauthentication in 52 minutes > testipsec[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 > [r...@kap8 etc]# > [r...@kap8 etc]# > [r...@kap8 etc]# > [r...@kap8 etc]# ipsec listall > > List of registered IKEv2 Algorithms: > > encryption: AES_CBC 3DES_CBC DES_CBC DES_ECB CAMELLIA_CBC RC5_CBC > IDEA_CBC CAST_CBC BLOWFISH_CBC NULL AES_CTR CAMELLIA_CTR SERPENT_CBC > TWOFISH_CBC > integrity: AES_XCBC_96 CAMELLIA_XCBC_96 HMAC_SHA1_96 HMAC_SHA1_128 > HMAC_SHA1_160 HMAC_SHA2_256_128 HMAC_SHA2_256_256 HMAC_MD5_96 > HMAC_MD5_128 HMAC_SHA2_384_192 HMAC_SHA2_384_384 HMAC_SHA2_512_256 > aead: AES_GCM_8 AES_GCM_12 AES_GCM_16 > hasher: HASH_SHA1 HASH_SHA224 HASH_SHA256 HASH_SHA384 HASH_SHA512 > HASH_MD5 HASH_MD2 HASH_MD4 > prf: PRF_KEYED_SHA1 PRF_FIPS_SHA1_160 PRF_AES128_XCBC > PRF_CAMELLIA128_XCBC PRF_HMAC_SHA2_256 PRF_HMAC_SHA1 PRF_HMAC_MD5 > PRF_HMAC_SHA2_384 PRF_HMAC_SHA2_512 > dh-group: MODP_2048 MODP_2048_224 MODP_2048_256 MODP_1536 ECP_256 > ECP_384 ECP_521 ECP_224 ECP_192 MODP_3072 MODP_4096 MODP_6144 MODP_8192 > MODP_1024 MODP_1024_160 MODP_768 MODP_CUSTOM > [r...@kap8 etc]# > > > [r...@kap8 etc]# cat ipsec.conf > # ipsec.conf - strongSwan IPsec configuration file > > # basic configuration > > config setup > # plutodebug=all > # crlcheckinterval=600 > # strictcrlpolicy=yes > # cachecrls=yes > # nat_traversal=yes > # charonstart=no > plutostart=no > > # Add connections here. > > conn %default > ikelifetime=60m > keylife=20m > rekeymargin=3m > keyingtries=1 > mobike=no > authby=secret > keyexchange=ikev2 > #ike=aes256-sha256-ecp256,aes128-sha256-ecp256! > esp=aes256gcm16,aes128gcm16! > > conn testipsec > type=transport > left=10.168.80.8 > #leftprotoport=icmp > #leftid=kap > right=10.168.65.1 > #rightprotoport=icmp > #rightid=cep > auto=add > [r...@kap8 etc]# > > [r...@kap8 etc]# ipsec version > Linux strongSwan U4.5.0/K2.6.36-1 > Institute for Internet Technologies and Applications > University of Applied Sciences Rapperswil, Switzerland > See 'ipsec --copyright' for copyright information. > [r...@kap8 etc]# > [r...@kap8 etc]# openssl version > OpenSSL 0.9.8n 24 Mar 2010 > [r...@kap8 etc]# ====================================================================== Andreas Steffen [email protected] strongSwan - the Linux VPN Solution! www.strongswan.org Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil CH-8640 Rapperswil (Switzerland) ===========================================================[ITA-HSR]== _______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
