[Swan] OSX Connectivity debugging

Paul Wouters paul at nohats.ca
Wed Jan 23 18:38:35 UTC 2019


On Tue, 22 Jan 2019, Mr. Jan Walter wrote:

> Generated cert with now-changed public IP address for client. Does the --extSAN ip:xx.xx.xx.xx need to be the public IP address of the client's
> NAT gateway or the internal IPv4 address on the LAN of the client?

The SAN should be the IP that others connect to. So the public/elastic
one.

> How does this connection use case address roaming clients?

Client certificates should not use IP based SANs. They can use a @fqdn
SAN or just stick with sending the Distinguished Name (DN) using leftid=%fromcert

> matching remote ESP/AH proposals):
>   1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED
>   2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED
>   3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;DH=NONE;ESN=DISABLED
>   4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=NONE;ESN=DISABLED
> Jan 22 17:20:06 ip-10-0-0-194 pluto[19256]: "ikev2-cp"[2] xx.xx.xx.xx #2: no local proposal matches remote proposals
>   1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED
>   2:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED
>   3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED
>   4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED
>   5:ESP:ENCR=3DES;INTEG=HMAC_SHA1_96;ESN=DISABLED
> Jan 22 17:20:06 ip-10-0-0-194 pluto[19256]: "ikev2-cp"[2] xx.xx.xx.xx #2: IKE_AUTH responder matching remote ESP/AH proposals failed, responder SA processing returned STF_FAIL+v2N_NO_PROPOSAL_CHOSEN

This is a phase2/esp mismatch. Looks like DH groups might not match. Try
changing the pfs= setting?

Paul
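An added check, not part of this thread and not libreswan code: the quoted pluto lines carry both proposal lists, so a short script can compare every local proposal against every remote one attribute by attribute and report which pairs are a single attribute away from matching. The sample text is constructed from the quoted log (the local line's prefix is truncated exactly as on the page, and the mail-client line wrapping is undone). Treating a remote proposal that lists no DH transform as DH=NONE is an assumption made here for the comparison.

```python
import re

# Sample text constructed from the log quoted in the thread.  The local
# list is reproduced from where the quote starts (its prefix is cut off on
# the page); the mail-client line wrapping has been undone.
LOCAL_LOG = (
    "matching remote ESP/AH proposals): "
    "1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED "
    "2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED "
    "3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;DH=NONE;ESN=DISABLED "
    "4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=NONE;ESN=DISABLED"
)
REMOTE_LOG = (
    'Jan 22 17:20:06 ip-10-0-0-194 pluto[19256]: "ikev2-cp"[2] xx.xx.xx.xx #2: '
    "no local proposal matches remote proposals "
    "1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED "
    "2:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED "
    "3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED "
    "4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED "
    "5:ESP:ENCR=3DES;INTEG=HMAC_SHA1_96;ESN=DISABLED"
)

# One proposal as pluto prints it: "<n>:ESP:KEY=VAL;KEY=VAL;..."
PROPOSAL_RE = re.compile(r"(\d+):ESP:([A-Z0-9_=;]+)")
# Attributes both sides must agree on for a Child SA proposal to be chosen.
KEYS = ("ENCR", "INTEG", "DH", "ESN")


def parse_proposals(text):
    """Return [(number, {attr: value}), ...] for every ESP proposal in text."""
    proposals = []
    for num, body in PROPOSAL_RE.findall(text):
        attrs = dict(kv.split("=", 1) for kv in body.split(";") if "=" in kv)
        # Assumption made here: a proposal that names no DH transform is
        # equivalent to DH=NONE (no PFS), which is how the local side spells it.
        attrs.setdefault("DH", "NONE")
        proposals.append((int(num), attrs))
    return proposals


def mismatches(local, remote):
    """Map (local_no, remote_no) -> list of attributes that differ.
    An empty list means that pair would have been accepted."""
    return {
        (ln, rn): [k for k in KEYS if la.get(k) != ra.get(k)]
        for ln, la in local
        for rn, ra in remote
    }


def closest_pairs(local, remote):
    """Pairs that differ in exactly one attribute: the smallest config change
    that would make the two sides agree."""
    return {pair: diff for pair, diff in mismatches(local, remote).items()
            if len(diff) == 1}


def diagnose(local_text, remote_text):
    """Human-readable lines: exact matches if any, else the nearest misses."""
    local, remote = parse_proposals(local_text), parse_proposals(remote_text)
    exact = [p for p, d in mismatches(local, remote).items() if not d]
    if exact:
        return ["match: local %d / remote %d" % p for p in exact]
    lines = []
    for (ln, rn), diff in sorted(closest_pairs(local, remote).items()):
        la, ra = dict(local)[ln], dict(remote)[rn]
        k = diff[0]
        lines.append("local %d vs remote %d: only %s differs (%s vs %s)"
                     % (ln, rn, k, la[k], ra[k]))
    return lines or ["no pair is within one attribute of matching"]


if __name__ == "__main__":
    print("\n".join(diagnose(LOCAL_LOG, REMOTE_LOG)))
```

Run it against a fresh pair of pluto lines and the output names the attribute to look at first; the same comparison applies to the IKE SA proposal lines pluto logs on an IKE_SA_INIT mismatch if the regex is widened from `ESP` to `IKE`.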

