Actually, all of them are identified:

12.10.219.4     Main Mode Handshake returned HDR=(CKY-R=8d51ab7841c04271) 
SA=(Enc=AES KeyLength=128 Hash=SHA1 Group=5:modp1536 Auth=PSK LifeType=Seconds 
LifeDuration=28800)
12.10.219.4     Main Mode Handshake returned HDR=(CKY-R=8d51ab78aa98b745) 
SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=5:modp1536 Auth=PSK LifeType=Seconds 
LifeDuration=28800)
12.10.219.4     Main Mode Handshake returned HDR=(CKY-R=8d51ab78faedcf4f) 
SA=(Enc=3DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds 
LifeDuration=28800)

But strongSwan says for all of them:

12[ENC] parsed INFORMATIONAL_V1 request 76122219 [ HASH N(NO_PROP) ]
12[IKE] received NO_PROPOSAL_CHOSEN error notify


Thank you,
AP



> On Mar 19, 2018, at 15:22, Andrii Petrenko <apl...@gmail.com> wrote:
> 
> Tobias,
> 
> I’ve tried ike-scan, and here is what I see:
> 
> ~/ike-scan$ sudo ike-scan --verbose  --trans=7/256,2,1,5  xx.xx.xx.xx
> sudo: unable to resolve host stratus01
> DEBUG: pkt len=88 bytes, bandwidth=56000 bps, int=16571 us
> Starting ike-scan 1.9.4 with 1 hosts 
> (http://www.nta-monitor.com/tools/ike-scan/)
> xx.xx.xx.xx     Main Mode Handshake returned HDR=(CKY-R=8d51ab78888680ad) 
> SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=5:modp1536 Auth=PSK 
> LifeType=Seconds LifeDuration=28800)
> 
> 
> 
> 
>> On Mar 19, 2018, at 11:01, Andrii Petrenko <apl...@gmail.com> wrote:
>> 
>> Tobias, thank you for the reply.
>> 
>> The remote side does not support PFS.
>> 
>> IKE Phase One Parameters:
>> Encryption Algorithm:            AES 256
>> Hash Algorithm:                  SHA
>> Authentication Method:           Pre-shared key
>> Key Exchange:                    Diffie Hellman Group 5
>> IKE SA Lifetime:                 86400 (Cisco default)
>> IKE Phase Two Parameters (IPSEC):
>> Authentication:                  ESP with SHA-HMAC
>> Encryption Algorithm:            ESP-AES 256
>> SA Establishment:                ipsec-isakmp (IKE negotiated)
>> IPSEC Mode                       Tunnel (Cisco default)
>> IPSEC SA Lifetime (time)         3600 seconds
>> IPSEC SA Lifetime (volume)       4608000 kilobytes
>> PFS (Perfect Forward Secrecy)    No
>> Optional encryption if requirements differ from above:
>> esp-3des esp-md5-hmac
>> esp-aes 256 esp-sha-hmac
>> esp-aes 128 esp-sha-hmac
>> 
>> I have this information from the remote side.
>> 
>> Is it possible to see what the remote side offers?
>> 
>> Thank you,
>> AP
>> 
>> 
>>> On Mar 19, 2018, at 10:52, Tobias Brunner <tob...@strongswan.org> wrote:
>>> 
>>> Hi Andrii,
>>> 
>>>> I see the problem on IKE side, but don’t know how to debug and fix it.
>>> 
>>> The log tells you _exactly_ what the problem is:
>>> 
>>>> 12[ENC] parsed INFORMATIONAL_V1 request 2090615229 [ HASH N(NO_PROP) ]
>>>> 12[IKE] received NO_PROPOSAL_CHOSEN error notify
>>> 
>>> The peer doesn't like the crypto proposal sent by the client.  So fix
>>> the `esp` setting in the config (maybe you have to enable PFS by adding
>>> a DH group, ask the other server admin for the correct algorithms).
>>> 
>>> Regards,
>>> Tobias
>> 
> 
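
A small parser for the ike-scan Main Mode lines pasted in this thread, added here as an example (not code from the posters or from strongSwan): it strips mail quoting, re-joins the wrapped records and renders each accepted transform as a strongSwan-style `ike` proposal string. The keyword mapping, the function names and the sample host `192.0.2.10` with its cookies are assumptions constructed for illustration; the output describes the IKE (phase 1) transform only, not the `esp` setting the quoted reply points at.

```python
import re

# Assumed mapping from ike-scan attribute values to strongSwan proposal keywords.
ENC = {"AES": "aes", "3DES": "3des", "DES": "des"}
HASH = {"SHA1": "sha1", "MD5": "md5"}

# One record, after the text has been flattened onto single spaces.
RECORD = re.compile(
    r"(\S+) Main Mode Handshake returned HDR=\([^)]*\) SA=\(([^)]*)\)")

# Constructed sample modelled on the lines in this thread: one record wrapped
# by the mail client, one wrapped and ">"-quoted, plus an unrelated DEBUG line.
SAMPLE = """\
DEBUG: pkt len=88 bytes, bandwidth=56000 bps, int=16571 us
192.0.2.10     Main Mode Handshake returned HDR=(CKY-R=0000000000000001)
SA=(Enc=AES KeyLength=128 Hash=SHA1 Group=5:modp1536 Auth=PSK LifeType=Seconds
LifeDuration=28800)
> 192.0.2.10     Main Mode Handshake returned HDR=(CKY-R=0000000000000002)
> SA=(Enc=3DES Hash=MD5 Group=1:modp768 Auth=PSK
> LifeType=Seconds LifeDuration=28800)
"""

def parse_ike_scan(text):
    """Return [(host, {attribute: value})] for every Main Mode record."""
    unquoted = re.sub(r"(?m)^\s*(?:>\s?)+", "", text)   # drop "> " prefixes
    flat = " ".join(unquoted.split())                    # undo line wrapping
    return [(host, dict(kv.split("=", 1) for kv in sa.split() if "=" in kv))
            for host, sa in RECORD.findall(flat)]

def to_proposal(attrs):
    """Render one SA attribute set as enc[keylen]-hash-dhgroup."""
    try:
        enc = ENC[attrs["Enc"]] + attrs.get("KeyLength", "")
        integ = HASH[attrs["Hash"]]
    except KeyError as exc:
        raise ValueError(f"no keyword mapping for {exc}") from None
    group = attrs["Group"].split(":", 1)[1]   # "5:modp1536" -> "modp1536"
    return f"{enc}-{integ}-{group}"

def proposals(text):
    return [(host, to_proposal(attrs)) for host, attrs in parse_ike_scan(text)]

if __name__ == "__main__":
    for host, prop in proposals(SAMPLE):
        print(f"{host}: ike={prop}")
```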
