[Swan] Ike v2 negotiation

Renzo Dani arons7 at gmail.com
Tue Oct 18 09:18:20 UTC 2016


Dear All,
we recently added a new VPN for a customer using IKEv2.
Here is the config:

conn myName
         authby=secret
         disablearrivalcheck=no
         # Local
         left=%defaultroute
         leftid=x.x.x.x
         leftsubnet=
         # Remote
         right=a.a.a.a
         rightid=a.a.a.a
         rightsubnet=
         # PHASE 1
         # negotiation mode
         aggrmode=no
         ikev2=insist
         narrowing=no
         ike=aes256-sha2_512;modp2048
         ikelifetime=24h
         # PHASE 2
         type=tunnel
         phase2=esp
         phase2alg=aes256-sha2_512;modp2048
         salifetime=1h
         pfs=yes
         auto=start

If we start the tunnel everything works and the tunnel is correctly established:

Oct 18 10:46:16 lofw pluto[1411]:  #579: initiating v2 parent SA
Oct 18 10:46:16 lofw pluto[1411]:  #579: myName IKE proposals: 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2-512;INTEG=HMAC_SHA2_512_256;DH=MODP2048
Oct 18 10:46:16 lofw pluto[1411]:  #579: STATE_PARENT_I1: sent v2I1, expected v2R1
Oct 18 10:46:16 lofw pluto[1411]:  #579: myName ESP/AH proposals: 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;ESN=DISABLED
Oct 18 10:46:16 lofw pluto[1411]:  #580: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_256 integ=sha512_256 prf=OAKLEY_SHA2_512 group=MODP2048}
Oct 18 10:46:16 lofw pluto[1411]:  #580: IKEv2 mode peer ID is ID_IPV4_ADDR: 'a.a.a.a'
Oct 18 10:46:16 lofw pluto[1411]:  #580: negotiated connection [......] -> [....]
Oct 18 10:46:16 lofw pluto[1411]:  #580: STATE_PARENT_I3: PARENT SA established tunnel mode {ESP.....


Instead, if the process is started from the other side, they send us different proposals:

Oct 18 10:45:24 lofw pluto[1411]: packet from a.a.a.a:500: proposal 2:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2-256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 chosen from:
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2-512;INTEG=HMAC_SHA2_512_256;DH=MODP2048
2:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2-256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match]
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP2048

and we end up choosing option 2 instead of option 1, and the tunnel does not work.

Any idea why that is happening?
I think option 1 is the only one matching the configuration, or am I wrong?


Thanks
Renzo
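Added example, not from the post above and not libreswan's own code: a small Python check that expands a libreswan ike= line into the transform tuples it allows and applies the RFC 7296 responder rule (pick the first initiator proposal whose transforms are all acceptable to local policy) to proposals written the way pluto logs them. The keyword-to-name table and the sample inputs are constructed from the values in the post and are an assumption, not libreswan's real parser, so it is a way to sanity-check which proposal a policy ought to select, not a reproduction of pluto's logic.

```python
# Constructed sample: the responder's configured ike= line and the
# initiator's three proposals, copied in the shape pluto logs them.
LOCAL_IKE = "aes256-sha2_512;modp2048"
PEER_PROPOSALS = [
    "1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2-512;INTEG=HMAC_SHA2_512_256;DH=MODP2048",
    "2:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2-256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match]",
    "3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP2048",
]

# Assumed mapping from ike= keywords to the names pluto prints; it only
# covers the algorithms that appear in the post plus a couple of common ones.
ENCR = {"aes256": "AES_CBC_256", "aes128": "AES_CBC_128"}
PRF = {"sha2_512": "HMAC_SHA2-512", "sha2_256": "HMAC_SHA2-256", "sha1": "HMAC_SHA1"}
INTEG = {"sha2_512": "HMAC_SHA2_512_256", "sha2_256": "HMAC_SHA2_256_128", "sha1": "HMAC_SHA1_96"}
DH = {"modp2048": "MODP2048", "modp1024": "MODP1024"}


def parse_local(ike):
    """Expand 'enc-hash;dh,enc-hash;dh,...' into the (ENCR, PRF, INTEG, DH) tuples it allows."""
    allowed = []
    for alt in ike.split(","):
        algs, _, dh = alt.strip().partition(";")
        enc, _, hash_ = algs.partition("-")
        # libreswan uses one hash keyword for both PRF and integrity.
        allowed.append((ENCR[enc], PRF[hash_], INTEG[hash_], DH[dh]))
    return allowed


def parse_proposal(line):
    """Turn 'N:IKE:ENCR=..;PRF=..;INTEG=..;DH=..[tag]' into (N, transform tuple)."""
    num, _, rest = line.split(":", 2)
    rest = rest.split("[", 1)[0]          # drop a trailing "[first-match]" style tag
    xf = dict(kv.split("=", 1) for kv in rest.split(";"))
    return int(num), (xf["ENCR"], xf["PRF"], xf["INTEG"], xf["DH"])


def responder_choice(ike, proposals):
    """RFC 7296 responder rule: first initiator proposal fully acceptable to local policy.

    Returns the proposal number, or None when nothing in the offer matches
    (in which case a real responder sends NO_PROPOSAL_CHOSEN).
    """
    allowed = set(parse_local(ike))
    for line in proposals:
        num, combo = parse_proposal(line)
        if combo in allowed:
            return num
    return None
```

With the policy from the post the function returns proposal 1; it only returns proposal 2 when the local ike= line actually permits sha2_256, which is the check to make on the responder's loaded configuration.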




