[Swan] No proposal chosen in version 3.21

Dynastic Space dynasticspace at gmail.com
Fri Sep 15 07:23:12 UTC 2017


Hi,

In version 3.19 we used the following configuration:

# libreswan /etc/ipsec.conf configuration file
config setup
  protostack=netkey
  # exclude networks used on server side by adding %v4:!a.b.c.0/24
  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.231.247.0/24,%v4:!10.231.246.0/24
  # PSK clients can have the same ID if they send it based on IP address.
  uniqueids=no
  plutostderrlog=/var/log/libreswan



conn xauth-psk
    authby=secret
    pfs=no
    auto=add
    rekey=no
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    rightaddresspool=10.231.247.10-10.231.247.254
    right=%any
    # make cisco clients happy
    cisco-unity=yes
    # address of your internal DNS server
    modecfgdns1=172.31.14.50
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    xauthby=file
    # xauthby=alwaysok MUST NOT be used with PSK
    # Can be played with below
    #dpddelay=30
    #dpdtimeout=120
    #dpdaction=clear
    # xauthfail=soft
    ike-frag=yes
    ikev2=never

I just upgraded to version 3.21, using this same configuration. The client
is sending the following proposal:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=15
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=aes)(type=keylen value=0100)(type=auth
value=fde9)(type=hash value=sha2-256)(type=group desc value=modp2048))
            (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=aes)(type=keylen value=0100)(type=auth
value=fde9)(type=hash value=sha1)(type=group desc value=modp2048))
            (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=aes)(type=keylen value=0100)(type=auth
value=fde9)(type=hash value=md5)(type=group desc value=modp2048))
            (t: #4 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=aes)(type=keylen value=0100)(type=auth
value=fde9)(type=hash value=sha2-512)(type=group desc value=modp2048))
            (t: #5 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=aes)(type=keylen value=0100)(type=auth
value=fde9)(type=hash value=sha2-256)(type=group desc value=modp1536))
            (t: #6 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=aes)(type=keylen value=0100)(type=auth
value=fde9)(type=hash value=sha1)(type=group desc value=modp1536))
            (t: #7 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=aes)(type=keylen value=0100)(type=auth
value=fde9)(type=hash value=md5)(type=group desc value=modp1536))
            (t: #8 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=aes)(type=keylen value=0100)(type=auth
value=fde9)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #9 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=aes)(type=keylen value=0100)(type=auth
value=fde9)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #10 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=aes)(type=keylen value=0080)(type=auth
value=fde9)(type=hash value=sha1)(type=group desc value=modp1024))
            (t: #11 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=aes)(type=keylen value=0080)(type=auth
value=fde9)(type=hash value=md5)(type=group desc value=modp1024))
            (t: #12 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=auth value=fde9)(type=hash
value=sha1)(type=group desc value=modp1024))
            (t: #13 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=auth value=fde9)(type=hash
value=md5)(type=group desc value=modp1024))
            (t: #14 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=1des)(type=auth value=fde9)(type=hash
value=sha1)(type=group desc value=modp1024))
            (t: #15 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=1des)(type=auth value=fde9)(type=hash
value=md5)(type=group desc value=modp1024))))
    (vid: len=16 4a131c81070358455c5728f20e95452f)
    (vid: len=16 4df37928e9fc4fd1b3262170d515c662)
    (vid: len=16 8f8d83826d246b6fc7a8a6a428c11de8)
    (vid: len=16 439b59f8ba676c4c7737ae22eab8f582)
    (vid: len=16 4d1e0e136deafa34c4f3ea9f02ec7285)
    (vid: len=16 80d0bb3def54565ee84645d4c85ce3ee)
    (vid: len=16 9909b64eed937c6573de52ace952fa6b)
    (vid: len=16 7d9419a65310ca6f2c179d9215529d56)
    (vid: len=16 cd60464335df21f87cfdb2fc68b6a448)
    (vid: len=16 90cb80913ebb696e086381b5ec427b1f)
    (vid: len=8 09002689dfd6b712)
    (vid: len=16 12f5f28c457168a9702d9fe274cc0100)
    (vid: len=20 4048b7d56ebce88525e7de7f00d6c2d380000000)
    (vid: len=16 afcad71368a1f1c96b8696fc77570100)

but the server is responding with
    (n: doi=ipsec proto=isakmp type=NO-PROPOSAL-CHOSEN)

What am I doing wrong?

Thanks,

Dynastic
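The NO-PROPOSAL-CHOSEN notify above means the responder found none of the 15 initiator transforms in its own IKE policy, so the useful check is to decode what the client actually offered and compare it, transform by transform, with what the server accepts. The script below is an added example, not libreswan code and not from the original post: it parses pluto's "(t: #N id=ike ...)" dump format (including its line wrapping), decodes the hex values (auth fde9 is 65001, XAUTHInitPreShared; keylen 0100 is 256 bits; lifeduration 0e10 is 3600 s), flags transforms built on 1DES, 3DES, MD5 or modp1024, and runs a simplified responder selection (first initiator transform that the responder policy contains) against two constructed policies. SAMPLE_DUMP, STRICT_POLICY and LEGACY_POLICY are constructed assumptions for illustration, not the poster's server settings.

```python
"""Decode a pluto IKEv1 SA proposal dump and test it against a responder policy.

Added example; not libreswan code. The transform text is pluto's packet-debug
format as quoted in the post; the policies are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: four of the fifteen transforms quoted in the post, with
# pluto's line wrapping preserved so the parser is shown coping with it.
SAMPLE_DUMP = """\
(t: #1 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=aes)(type=keylen value=0100)(type=auth
value=fde9)(type=hash value=sha2-256)(type=group desc value=modp2048))
(t: #8 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=aes)(type=keylen value=0100)(type=auth
value=fde9)(type=hash value=sha1)(type=group desc value=modp1024))
(t: #12 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=auth value=fde9)(type=hash
value=sha1)(type=group desc value=modp1024))
(t: #15 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=1des)(type=auth value=fde9)(type=hash
value=md5)(type=group desc value=modp1024))
"""

# IKEv1 authentication-method codes; 65001-65008 come from the ISAKMP XAUTH draft.
AUTH_METHODS = {
    1: "PreShared", 3: "RSASig",
    65001: "XAUTHInitPreShared", 65002: "XAUTHRespPreShared",
    65005: "XAUTHInitRSA", 65006: "XAUTHRespRSA",
}

# One "(type=X value=Y)" attribute; "\s+" absorbs the newline pluto wraps in.
ATTR_RE = re.compile(r"\(type=([a-z]+(?: desc)?)\s+value=([^)\s]+)\)")
# One "(t: #N id=ike (...)(...))" transform block.
T_RE = re.compile(r"\(t: #(\d+) id=ike\s*((?:\(type=[^)]*\)\s*)+)\)")


@dataclass
class Transform:
    number: int
    enc: str
    keylen: Optional[int]   # None when the cipher has a fixed key size (3des, 1des)
    auth: int
    hash: str
    group: str
    lifetime_s: int


def parse_transforms(dump: str) -> List[Transform]:
    """Parse every transform in a pluto SA dump, decoding pluto's hex values."""
    out = []
    for m in T_RE.finditer(dump):
        attrs = dict(ATTR_RE.findall(m.group(2)))
        out.append(Transform(
            number=int(m.group(1)),
            enc=attrs["enc"],
            keylen=int(attrs["keylen"], 16) if "keylen" in attrs else None,
            auth=int(attrs["auth"], 16),
            hash=attrs["hash"],
            group=attrs["group desc"],
            lifetime_s=int(attrs["lifeduration"], 16),
        ))
    return out


def auth_name(code: int) -> str:
    return AUTH_METHODS.get(code, "unknown(%d)" % code)


def legacy_flags(t: Transform) -> List[str]:
    """Name the legacy components of a transform (weak cipher, hash or DH group)."""
    flags = []
    if t.enc in ("1des", "3des"):
        flags.append(t.enc)
    if t.hash == "md5":
        flags.append("md5")
    if t.group in ("modp768", "modp1024"):
        flags.append(t.group)
    return flags


# Constructed responder policies as (enc, keylen, hash, group); hypothetical.
Policy = List[Tuple[str, Optional[int], str, str]]
STRICT_POLICY: Policy = [("aes", 256, "sha2-256", "modp2048"), ("aes", 256, "sha1", "modp2048")]
LEGACY_POLICY: Policy = [("3des", None, "sha1", "modp1024")]


def select(transforms: List[Transform], policy: Policy) -> Optional[Transform]:
    """Simplified responder: first initiator transform present in the policy;
    None models the NO-PROPOSAL-CHOSEN reply."""
    allowed = set(policy)
    for t in transforms:
        if (t.enc, t.keylen, t.hash, t.group) in allowed:
            return t
    return None


if __name__ == "__main__":
    ts = parse_transforms(SAMPLE_DUMP)
    for t in ts:
        print("#%-2d %s/%s %s %s auth=%s life=%ds legacy=%s" % (
            t.number, t.enc, t.keylen, t.hash, t.group,
            auth_name(t.auth), t.lifetime_s, legacy_flags(t) or "-"))
    for name, pol in (("strict", STRICT_POLICY), ("legacy", LEGACY_POLICY)):
        chosen = select(ts, pol)
        print(name, "->", "#%d" % chosen.number if chosen else "NO-PROPOSAL-CHOSEN")
```

To apply this to a real case, paste the full dump from the server log into SAMPLE_DUMP and replace the constructed policy with the transforms the server's effective ike= line actually permits; if the intersection is empty, the responder is correct to reject, and the fix is either a client profile with stronger transforms or an explicit ike= line on the server, not re-enabling the 1DES/MD5/modp1024 entries the parser flags.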