[Swan] No proposal chosen in version 3.21
Dynastic Space
dynasticspace at gmail.com
Fri Sep 15 07:23:12 UTC 2017
Hi,
In version 3.19 we used the following configuration:
# libreswan /etc/ipsec.conf configuration file
config setup
	protostack=netkey
	# exclude networks used on server side by adding %v4:!a.b.c.0/24
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.231.247.0/24,%v4:!10.231.246.0/24
	# PSK clients can have the same ID if they send it based on IP address.
	uniqueids=no
	plutostderrlog=/var/log/libreswan

conn xauth-psk
	authby=secret
	pfs=no
	auto=add
	rekey=no
	left=%defaultroute
	leftsubnet=0.0.0.0/0
	rightaddresspool=10.231.247.10-10.231.247.254
	right=%any
	# make cisco clients happy
	cisco-unity=yes
	# address of your internal DNS server
	modecfgdns1=172.31.14.50
	leftxauthserver=yes
	rightxauthclient=yes
	leftmodecfgserver=yes
	rightmodecfgclient=yes
	modecfgpull=yes
	xauthby=file
	# xauthby=alwaysok MUST NOT be used with PSK
	# Can be played with below
	#dpddelay=30
	#dpdtimeout=120
	#dpdaction=clear
	# xauthfail=soft
	ike-frag=yes
	ikev2=never
I just upgraded to version 3.21, using this same configuration. The client
is sending the following proposal:
(sa: doi=ipsec situation=identity
(p: #1 protoid=isakmp transform=15
(t: #1 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=aes)(type=keylen value=0100)(type=auth
value=fde9)(type=hash value=sha2-256)(type=group desc value=modp2048))
(t: #2 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=aes)(type=keylen value=0100)(type=auth
value=fde9)(type=hash value=sha1)(type=group desc value=modp2048))
(t: #3 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=aes)(type=keylen value=0100)(type=auth
value=fde9)(type=hash value=md5)(type=group desc value=modp2048))
(t: #4 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=aes)(type=keylen value=0100)(type=auth
value=fde9)(type=hash value=sha2-512)(type=group desc value=modp2048))
(t: #5 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=aes)(type=keylen value=0100)(type=auth
value=fde9)(type=hash value=sha2-256)(type=group desc value=modp1536))
(t: #6 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=aes)(type=keylen value=0100)(type=auth
value=fde9)(type=hash value=sha1)(type=group desc value=modp1536))
(t: #7 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=aes)(type=keylen value=0100)(type=auth
value=fde9)(type=hash value=md5)(type=group desc value=modp1536))
(t: #8 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=aes)(type=keylen value=0100)(type=auth
value=fde9)(type=hash value=sha1)(type=group desc value=modp1024))
(t: #9 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=aes)(type=keylen value=0100)(type=auth
value=fde9)(type=hash value=md5)(type=group desc value=modp1024))
(t: #10 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=aes)(type=keylen value=0080)(type=auth
value=fde9)(type=hash value=sha1)(type=group desc value=modp1024))
(t: #11 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=aes)(type=keylen value=0080)(type=auth
value=fde9)(type=hash value=md5)(type=group desc value=modp1024))
(t: #12 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=auth value=fde9)(type=hash
value=sha1)(type=group desc value=modp1024))
(t: #13 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=auth value=fde9)(type=hash
value=md5)(type=group desc value=modp1024))
(t: #14 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=1des)(type=auth value=fde9)(type=hash
value=sha1)(type=group desc value=modp1024))
(t: #15 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=1des)(type=auth value=fde9)(type=hash
value=md5)(type=group desc value=modp1024))))
(vid: len=16 4a131c81070358455c5728f20e95452f)
(vid: len=16 4df37928e9fc4fd1b3262170d515c662)
(vid: len=16 8f8d83826d246b6fc7a8a6a428c11de8)
(vid: len=16 439b59f8ba676c4c7737ae22eab8f582)
(vid: len=16 4d1e0e136deafa34c4f3ea9f02ec7285)
(vid: len=16 80d0bb3def54565ee84645d4c85ce3ee)
(vid: len=16 9909b64eed937c6573de52ace952fa6b)
(vid: len=16 7d9419a65310ca6f2c179d9215529d56)
(vid: len=16 cd60464335df21f87cfdb2fc68b6a448)
(vid: len=16 90cb80913ebb696e086381b5ec427b1f)
(vid: len=8 09002689dfd6b712)
(vid: len=16 12f5f28c457168a9702d9fe274cc0100)
(vid: len=20 4048b7d56ebce88525e7de7f00d6c2d380000000)
(vid: len=16 afcad71368a1f1c96b8696fc77570100)
but the server is responding with
(n: doi=ipsec proto=isakmp type=NO-PROPOSAL-CHOSEN)
What am I doing wrong?
Thanks,
Dynastic
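Added example (not libreswan code and not part of the original post): a small Python parser for the SA payload dump format shown in the post. It decodes each IKEv1 transform (the attribute values pluto prints are hex, so keylen 0100 is 256 bits, lifeduration 0e10 is 3600 seconds and auth fde9 is 65001, the XAUTHInitPreShared method), renders it in the ipsec.conf ike= spelling, and checks it against a server-side ike= policy. When no transform matches, the function returns None, which is the situation that produces the NO-PROPOSAL-CHOSEN notification seen above. The sample dump (three transforms taken from the post's format, kept with the mail-client line wrapping), the policy string and the weak-algorithm list are constructed for the example, and the matching logic is a simplified model of proposal selection, not pluto's actual algorithm.

```python
"""Decode a libreswan/pluto IKEv1 SA proposal dump and evaluate it against an
ike= policy.  Added example; the policy and the sample dump are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One transform is "(t: #N id=ike" followed by a run of "(type=... value=...)"
# attribute groups.  Attribute values may be split across lines by the mail
# client, so whitespace between "type=X" and "value=Y" is matched with \s+.
TRANSFORM_RE = re.compile(r"\(t: #(\d+) id=ike\s+((?:\(type=[^)]*\))+)")
ATTR_RE = re.compile(r"\(type=(.+?)\s+value=([^)]+)\)", re.DOTALL)

# Constructed sample in the format of the post (transforms #1, #8 and #14).
SAMPLE_DUMP = """\
(sa: doi=ipsec situation=identity
(p: #1 protoid=isakmp transform=3
(t: #1 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=aes)(type=keylen value=0100)(type=auth
value=fde9)(type=hash value=sha2-256)(type=group desc value=modp2048))
(t: #8 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=aes)(type=keylen value=0100)(type=auth
value=fde9)(type=hash value=sha1)(type=group desc value=modp1024))
(t: #14 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=1des)(type=auth value=fde9)(type=hash
value=sha1)(type=group desc value=modp1024))))
"""

# Constructed "do not accept" list for the report; adjust to local policy.
WEAK = {"1des", "md5", "modp1024"}


@dataclass
class Transform:
    number: int
    enc: str        # ike= spelling, e.g. "aes256", "3des", "1des"
    hash_alg: str   # ike= spelling, e.g. "sha2_256", "sha1", "md5"
    group: str      # e.g. "modp2048"
    auth: int       # IKEv1 authentication method id (65001 = XAUTHInitPreShared)
    lifetime: int   # SA lifetime in seconds


def parse_transforms(dump: str) -> List[Transform]:
    """Extract every IKE transform from a pluto SA payload dump."""
    out = []
    for num, body in TRANSFORM_RE.findall(dump):
        attrs = {k.strip(): v.strip() for k, v in ATTR_RE.findall(body)}
        enc = attrs["enc"]
        if "keylen" in attrs:                    # aes + keylen 0100 -> aes256
            enc = f"{enc}{int(attrs['keylen'], 16)}"
        out.append(Transform(
            number=int(num),
            enc=enc,
            hash_alg=attrs["hash"].replace("-", "_"),   # sha2-256 -> sha2_256
            group=attrs["group desc"],
            auth=int(attrs["auth"], 16),
            lifetime=int(attrs["lifeduration"], 16),
        ))
    return out


def parse_ike_line(ike: str) -> List[Dict[str, str]]:
    """Parse an ipsec.conf style ike= value, e.g.
    'aes256-sha2_256;modp2048,aes128-sha1;modp1536'."""
    proposals = []
    for item in ike.split(","):
        algs, _, group = item.strip().partition(";")
        enc, _, hsh = algs.partition("-")
        proposals.append({"enc": enc, "hash": hsh, "group": group})
    return proposals


def evaluate(transforms: List[Transform], ike_line: str) -> Dict[int, Tuple[str, List[str]]]:
    """Map transform number -> ("accept"|"reject", [weak algorithms offered])."""
    allowed = parse_ike_line(ike_line)
    report = {}
    for t in transforms:
        weak = sorted({t.enc, t.hash_alg, t.group} & WEAK)
        ok = any(p["enc"] == t.enc and p["hash"] == t.hash_alg and p["group"] == t.group
                 for p in allowed)
        report[t.number] = ("accept" if ok else "reject", weak)
    return report


def chosen_transform(report: Dict[int, Tuple[str, List[str]]]) -> Optional[int]:
    """First acceptable transform, or None (the NO-PROPOSAL-CHOSEN case)."""
    for num in sorted(report):
        if report[num][0] == "accept":
            return num
    return None


if __name__ == "__main__":
    server_ike = "aes256-sha2_256;modp2048,aes128-sha1;modp1536"   # constructed
    ts = parse_transforms(SAMPLE_DUMP)
    rep = evaluate(ts, server_ike)
    for t in ts:
        verdict, weak = rep[t.number]
        tail = f"  weak: {','.join(weak)}" if weak else ""
        print(f"#{t.number:<3}{t.enc}-{t.hash_alg};{t.group}  {verdict}{tail}")
    print("chosen transform:", chosen_transform(rep))
```

Running the script against the full dump from the post (paste it in place of SAMPLE_DUMP) with the server's real ike= line is a quick way to see whether any of the fifteen offered transforms is acceptable under the current policy before digging into pluto's debug output.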