[Swan] StrongSwan connectivity problems IKEv2 (Android/Linux)
bessonov.victor at e-queo.com
Wed Apr 25 14:24:04 UTC 2018
Hello! It looks like there are some problems with StrongSwan connectivity (I've tried both on Android and Linux), or I'm doing something wrong. I've set up everything as per the instructions; I am able to connect from the Windows 10 native client, but connecting from StrongSwan fails with logs like:
packet from 188.233.186.70:58230: roadwarriors IKE proposals for initial responder:
1:IKE:ENCR=AES_GCM_C_256,AES_GCM_C_128;PRF=HMAC_SHA2_256;INTEG=NONE;DH=ECP_256
2:IKE:ENCR=AES_CBC_256,AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256
3:IKE:ENCR=SERPENT_CBC_256,SERPENT_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256
4:IKE:ENCR=AES_CBC_256,AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1024
packet from 188.233.186.70:58230: proposal 2:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_256;DH=ECP_256 chosen from:
1:IKE:ENCR=AES_CBC_128;ENCR=AES_CBC_192;ENCR=AES_CBC_256;ENCR=3DES;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA1_96;INTEG=AES_XCBC_96;PRF=HMAC_SHA2_256;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_512;PRF=AES128_XCBC;PRF=HMAC_SHA1;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=BRAINPOOL_P256R1;DH=BRAINPOOL_P384R1;DH=BRAINPOOL_P512R1;DH=CURVE25519;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=MODP2048[first-match]
2:IKE:ENCR=AES_GCM_C_128;ENCR=AES_GCM_C_192;ENCR=AES_GCM_C_256;ENCR=CHACHA20_POLY1305_256;ENCR=AES_GCM_B_128;ENCR=AES_GCM_B_192;ENCR=AES_GCM_B_256;ENCR=AES_GCM_A_128;ENCR=AES_GCM_A_192;ENCR=AES_GCM_A_256;PRF=HMAC_SHA2_256;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_512;PRF=AES128_XCBC;PRF=HMAC_SHA1;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=BRAINPOOL_P256R1;DH=BRAINPOOL_P384R1;DH=BRAINPOOL_P512R1;DH=CURVE25519;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=MODP2048[better-match]
"roadwarriors"[1] 188.233.186.70 #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_gcm_16_256 integ=n/a prf=sha2_256 group=DH19}
"roadwarriors"[1] 188.233.186.70 #1: certificate verified OK: C=RU,ST=Volgograd oblast,L=Volgograd,O=eQueo IPSec,OU=IT Dept.,CN=j.doe
"roadwarriors"[1] 188.233.186.70 #1: No matching subjectAltName found
"roadwarriors"[1] 188.233.186.70 #1: certificate does not contain ID_IP subjectAltName=188.233.186.70
"roadwarriors"[1] 188.233.186.70 #1: Peer public key SubjectAltName does not match peer ID for this connection
"roadwarriors"[1] 188.233.186.70 #1: switched from "roadwarriors"[1] 188.233.186.70 to "roadwarriors"
"roadwarriors"[2] 188.233.186.70 #1: deleting connection "roadwarriors"[1] 188.233.186.70 instance with peer 188.233.186.70 {isakmp=#0/ipsec=#0}
"roadwarriors"[2] 188.233.186.70 #1: certificate verified OK: C=RU,ST=Volgograd oblast,L=Volgograd,O=eQueo IPSec,OU=IT Dept.,CN=j.doe
"roadwarriors"[2] 188.233.186.70 #1: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'CN=j.doe, OU=IT Dept., O=eQueo IPSec, L=Volgograd, ST=Volgograd oblast, C=RU'
"roadwarriors"[2] 188.233.186.70 #1: DigSig: no compatible DigSig hash algo
| ikev2_parent_inI2outR2_tail returned STF_FAIL with v2N_NO_PROPOSAL_CHOSEN
"roadwarriors"[2] 188.233.186.70 #1: sending unencrypted notification v2N_NO_PROPOSAL_CHOSEN to 188.233.186.70:59155
packet from 188.233.186.70:59155: sending unencrypted notification v2N_INVALID_IKE_SPI to 188.233.186.70:59155
packet from 188.233.186.70:59155: sending unencrypted notification v2N_INVALID_IKE_SPI to 188.233.186.70:59155
packet from 188.233.186.70:59155: sending unencrypted notification v2N_INVALID_IKE_SPI to 188.233.186.70:59155
packet from 188.233.186.70:59155: sending unencrypted notification v2N_INVALID_IKE_SPI to 188.233.186.70:59155
packet from 188.233.186.70:59155: sending unencrypted notification v2N_INVALID_IKE_SPI to 188.233.186.70:59155
packet from 188.233.186.70:59155: sending unencrypted notification v2N_INVALID_IKE_SPI to 188.233.186.70:59155
packet from 188.233.186.70:59155: sending unencrypted notification v2N_INVALID_IKE_SPI to 188.233.186.70:59155
packet from 188.233.186.70:59155: sending unencrypted notification v2N_INVALID_IKE_SPI to 188.233.186.70:59155
packet from 188.233.186.70:59155: sending unencrypted notification v2N_INVALID_IKE_SPI to 188.233.186.70:59155
packet from 188.233.186.70:59155: sending unencrypted notification v2N_INVALID_IKE_SPI to 188.233.186.70:59155
The config is:

config setup
    protostack=netkey
    uniqueids=no

conn roadwarriors
    ikev2=insist
    mobike=yes
    fragmentation=yes
    narrowing=yes
    left=1.2.3.4
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftcert="Main IPSec Gateway"
    leftid=%fromcert
    leftrsasigkey=%cert
    leftxauthserver=yes
    leftmodecfgserver=yes
    right=%any
    rightca=%same
    rightrsasigkey=%cert
    rightaddresspool=100.64.0.0-100.64.0.254
    rightxauthclient=yes
    rightmodecfgclient=yes
    modecfgdns="1.1.1.1,8.8.8.8"
    modecfgpull=yes
    ike=aes_gcm_c-sha2;dh19,aes-sha2;dh19,serpent-sha2;dh19,aes-sha2;modp1024
    phase2=esp
    authby=rsasig
    xauthby=alwaysok
    auto=add
    rekey=no
    dpddelay=30
I am running CentOS 7 with libreswan 3.23 on the "left" side.
Any ideas? Thanks!
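Added example, not code from the poster or from libreswan: a small Python triage helper for the log format above. It separates the gateway's own IKE proposals from the peer's, records the suite libreswan chose, flags transforms a reviewer would consider weak (the WEAK table is this example's own choice), and collects the failure causes. Run on a shortened, unwrapped excerpt of the posted log (constructed here, not the verbatim log), it shows that IKE_SA_INIT completed (a proposal was chosen and v2R1 sent) and that the failure comes later, at the DigSig hash-algorithm check, so the cipher list is not what to look at first.

```python
import re
# Constructed excerpt modelled on the post's libreswan log (unwrapped, peer list shortened), not verbatim.
SAMPLE_LOG = """\
packet from 188.233.186.70:58230: roadwarriors IKE proposals for initial responder:
1:IKE:ENCR=AES_GCM_C_256,AES_GCM_C_128;PRF=HMAC_SHA2_256;INTEG=NONE;DH=ECP_256
4:IKE:ENCR=AES_CBC_256,AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1024
packet from 188.233.186.70:58230: proposal 2:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_256;DH=ECP_256 chosen from:
1:IKE:ENCR=AES_CBC_128;ENCR=AES_CBC_256;ENCR=3DES;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_256;DH=ECP_256;DH=MODP2048[first-match]
2:IKE:ENCR=AES_GCM_C_128;ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_256;DH=ECP_256;DH=MODP2048[better-match]
"roadwarriors"[1] 188.233.186.70 #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_gcm_16_256 integ=n/a prf=sha2_256 group=DH19}
"roadwarriors"[2] 188.233.186.70 #1: DigSig: no compatible DigSig hash algo
"roadwarriors"[2] 188.233.186.70 #1: sending unencrypted notification v2N_NO_PROPOSAL_CHOSEN to 188.233.186.70:59155
packet from 188.233.186.70:59155: sending unencrypted notification v2N_INVALID_IKE_SPI to 188.233.186.70:59155
"""
# Transforms this review flags as weak (our policy choice, not a libreswan list).
WEAK = {"DH": {"MODP1024", "MODP1536"}, "ENCR": {"3DES"}, "INTEG": {"HMAC_SHA1_96"}, "PRF": {"HMAC_SHA1"}}
PROPOSAL_RE = re.compile(r"(\d+):IKE:([A-Z0-9_=,;]+?)(?:\[[a-z-]+\])?$")  # numbered list entry
CHOSEN_RE = re.compile(r"proposal (\d+):IKE:(\S+) chosen from:")
NOTIFY_RE = re.compile(r"sending unencrypted notification (v2N_\w+)")

def parse_proposal(text):
    # Local form 'ENCR=A,B;PRF=C' and peer form 'ENCR=A;ENCR=B;PRF=C' both become {type: [values]}
    prop = {}
    for part in text.split(";"):
        ttype, _, values = part.partition("=")
        prop.setdefault(ttype, []).extend(v for v in values.split(",") if v)
    return prop

def weak_transforms(prop):
    return sorted(f"{t}={v}" for t, vals in prop.items() for v in vals if v in WEAK.get(t, ()))

def triage(log):
    rep = {"local": {}, "peer": {}, "chosen": None, "weak": [], "init_answered": False, "failures": []}
    side = None  # which proposal list the following numbered lines belong to
    for line in log.splitlines():
        chosen, entry = CHOSEN_RE.search(line), PROPOSAL_RE.match(line)
        if line.endswith("IKE proposals for initial responder:"):
            side = "local"
        elif chosen:  # suite picked from the peer's list; the peer's own proposals follow
            rep["chosen"], side = (int(chosen.group(1)), parse_proposal(chosen.group(2))), "peer"
        elif entry and side:
            rep[side][int(entry.group(1))] = prop = parse_proposal(entry.group(2))
            rep["weak"] += [f"{side} proposal {entry.group(1)}: {w}" for w in weak_transforms(prop)]
        else:
            side = None  # any other line ends the current list
            rep["init_answered"] |= "sent v2R1" in line  # IKE_SA_INIT answered: ciphers agreed
            if "no compatible DigSig hash algo" in line:  # IKE_AUTH-stage signature hash mismatch
                rep["failures"].append("DIGSIG_HASH_MISMATCH")
            rep["failures"] += NOTIFY_RE.findall(line)
    return rep
```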