[Swan] No PARENT proposal selected

Paul Wouters paul at nohats.ca
Sun Nov 22 04:56:12 UTC 2015


Thanks! I'll add it to the FAQ

Sent from my iPhone

> On Nov 21, 2015, at 22:50, Bob Miller <bob at computerisms.ca> wrote:
> 
> For the benefit of anyone having trouble with getting this incantation just right, adding to my conn:
> 
> ike=aes256-sha384-modp1024
> 
> made my Windows 7 client work. Seems Windows 7 only supports modp1024, which is disabled by default in libreswan 3.14+.
> 
>> On 15-10-10 05:12 PM, Bob Miller wrote:
>> Matt,
>> 
>> Thank you sooo much for giving me a proper interpretation, probably
>> saved me a pile of time chasing that to no conclusion.
>> 
>>> You should check further down in the logs to see what is happening
>>> when the proposal
>>> is rejected.
>> 
>> It looks like this is the part you are referring to.  There are a couple
>> dozen stanzas like the following:
>> 
>> |proposal 1 failed encr= (policy:AES_CBC(-2) vs offered:3DES(-1))
>> |considering Transform Type TRANS_TYPE_INTEG, TransID 5
>> |failed integ=(policy:AUTH_AES_XCBC_96(-2) vs offered:AUTH_HMAC_SHA1_96(-1))
>> |considering Transform Type TRANS_TYPE_PRF, TransID 4
>> |failed prf=  (policy:PRF_AES128-XCBC(-2) vs offered:PRF_HMAC_SHA1(-1))
>> |considering Transform Type TRANS_TYPE_DH, TransID 14
>> |failed dh=   (policy:OAKLEY_GROUP_MODP2048 vs offered:OAKLEY_GROUP_MODP1024)
>> |proposal 1 failed encr= (policy:AES_CBC(-2) vs offered:3DES(-1))
>> |failed integ=(policy:AUTH_AES_XCBC_96 vs offered:AUTH_HMAC_SHA1_96)
>> |failed prf=  (policy:PRF_AES128-XCBC vs offered:PRF_HMAC_SHA1)
>> |failed dh=   (policy:OAKLEY_GROUP_MODP2048 vs offered:OAKLEY_GROUP_MODP1024)
>> 
>> This one is the closest I see to a success:
>> 
>> |considering Transform Type TRANS_TYPE_ENCR, TransID 12
>> |IKEv2_KEY_LENGTH attribute 128
>> |encrid(12), keylen(128), encr_keylen(-1)
>> |proposal 1 failed encr= (policy:AES_CBC(-2) vs offered:3DES(-1))
>> |considering Transform Type TRANS_TYPE_INTEG, TransID 2
>> |succeeded integ=(policy:AUTH_HMAC_SHA1_96(-1) vs offered:AUTH_HMAC_SHA1_96(-1))
>> |considering Transform Type TRANS_TYPE_PRF, TransID 2
>> |succeeded prf=  (policy:PRF_HMAC_SHA1(-1) vs offered:PRF_HMAC_SHA1(-1))
>> |considering Transform Type TRANS_TYPE_DH, TransID 14
>> |failed dh=   (policy:OAKLEY_GROUP_MODP2048 vs offered:OAKLEY_GROUP_MODP1024)
>> |proposal 1 failed encr= (policy:AES_CBC(-2) vs offered:3DES(-1))
>> |succeeded integ=(policy:AUTH_HMAC_SHA1_96 vs offered:AUTH_HMAC_SHA1_96)
>> |succeeded prf=  (policy:PRF_HMAC_SHA1 vs offered:PRF_HMAC_SHA1)
>> |failed dh=   (policy:OAKLEY_GROUP_MODP2048 vs offered:OAKLEY_GROUP_MODP1024)
>> 
>> So I looked through all the lines that say failed dh=, and the lowest
>> policy is OAKLEY_GROUP_MODP1536, but I am guessing from this that
>> Windows is requiring modp1024.  I found in the man page that ike should
>> allow modp1024, modp1536, and modp2048, and that modp1024 will be
>> removed in the near future.  I also find in my logs attempts with
>> modp4096 and modp8192, which are not mentioned in the man page.  And the
>> man page says I should use a value of ipsec_spi(8)'s --ike option, but
>> man 8 ipsec_spi has no reference to ike in it.  So I am not sure if I am
>> referencing the correct bit of documentation to match the problem.
>> 
>> For that matter, I am not sure that my assessment that Windows is
>> providing too low a level of OAKLEY_GROUP_MODP is correct.  I tried
>> adding a few lines like ike=3des-sha1;modp1024 to my conn, but all the
>> things I tried seemed to get stuck at STATE_PARENT_R1.
>> 
>> I have been using openswan/libreswan for almost a decade and I have never
>> had to dig into this side of the docs before.  Pointers would be
>> appreciated; I will keep seeing what I can figure out in the meantime...
>> 
>> 
>> 
>>> 
>>> Matt
>> _______________________________________________
>> Swan mailing list
>> Swan at lists.libreswan.org
>> https://lists.libreswan.org/mailman/listinfo/swan
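As an added diagnostic example (not code from the thread or from the libreswan project), the script below parses the "|failed ...=" / "|succeeded ...=" comparison lines quoted above and reports, per transform type, what the local ike= policy had and what the peer offered, so the transform the peer can never satisfy (here the DH group) stands out without reading a couple dozen stanzas. The sample log is constructed from the lines in the thread, with the mail-wrapped continuation lines joined back together.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the libreswan debug lines quoted in the
# thread (the mail-wrapped continuation lines are joined back together).
SAMPLE_LOG = """\
|proposal 1 failed encr= (policy:AES_CBC(-2) vs offered:3DES(-1))
|considering Transform Type TRANS_TYPE_INTEG, TransID 2
|succeeded integ=(policy:AUTH_HMAC_SHA1_96(-1) vs offered:AUTH_HMAC_SHA1_96(-1))
|considering Transform Type TRANS_TYPE_PRF, TransID 2
|succeeded prf=  (policy:PRF_HMAC_SHA1(-1) vs offered:PRF_HMAC_SHA1(-1))
|considering Transform Type TRANS_TYPE_DH, TransID 14
|failed dh=   (policy:OAKLEY_GROUP_MODP2048 vs offered:OAKLEY_GROUP_MODP1024)
|failed dh=   (policy:OAKLEY_GROUP_MODP1536 vs offered:OAKLEY_GROUP_MODP1024)
"""

# Matches both "failed" and "succeeded" comparison lines.  The optional
# "proposal N " prefix and the "(-1)"/"(-2)" key-length annotations are
# tolerated but not captured.
LINE_RE = re.compile(
    r"^\|(?:proposal \d+ )?(?P<result>failed|succeeded) (?P<kind>\w+)=\s*"
    r"\(policy:(?P<policy>[^\s(]+)(?:\(-?\d+\))?"
    r" vs offered:(?P<offered>[^\s)]+?)(?:\(-?\d+\))?\)$"
)


def summarize(log_text):
    """Per transform kind (encr, integ, prf, dh): the local policy values seen,
    the values the peer offered, and whether any comparison ever succeeded."""
    summary = defaultdict(lambda: {"policy": set(), "offered": set(), "matched": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # "considering ..." and other lines carry no comparison
        entry = summary[m["kind"]]
        entry["policy"].add(m["policy"])
        entry["offered"].add(m["offered"])
        if m["result"] == "succeeded":
            entry["matched"] = True
    return dict(summary)


def never_matched(log_text):
    """Transform kinds for which no comparison succeeded: these are the ones
    the peer cannot satisfy with the current ike= policy."""
    return sorted(kind for kind, e in summarize(log_text).items() if not e["matched"])


if __name__ == "__main__":
    for kind, e in summarize(SAMPLE_LOG).items():
        status = "ok" if e["matched"] else "NO MATCH"
        print(f"{kind:5} {status:8} policy={sorted(e['policy'])} offered={sorted(e['offered'])}")
    print("unsatisfiable:", never_matched(SAMPLE_LOG))
```

Run it against the output of a real negotiation with plutodebug enabled; a kind that shows up as NO MATCH with a single offered value (like modp1024 here) is the algorithm the peer insists on, which you can then decide whether to enable in ike= or to require the client side to upgrade.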
