[Swan] OSX Good, Win10 Good, now Win7

Mr. Jan Walter hopping_hol at yahoo.com
Thu Jan 31 22:38:08 UTC 2019


Don't ask why.
A couple of differences with the machine certificate installation and how the system actually picks them up; userid at zzz.net makes extra double sure the machine can find the right client cert.
Set the registry DWORD for 2048 DH sets and now I get a policy error and NO_PROPOSAL_CHOSEN on re-key.
Jan 31 22:32:59 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[35] 22.22.22.22 #389: proposal 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP2048[first-match] 2:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP2048 3:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP2048
Jan 31 22:32:59 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[35] 22.22.22.22 #389: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP2048}
Jan 31 22:32:59 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[35] 22.22.22.22 #389: certificate verified OK: O=w7test,CN=w7test at zzz.net
Jan 31 22:32:59 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[35] 22.22.22.22 #389: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'CN=w7test at zzz.net, O=w7test'
Jan 31 22:32:59 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[35] 22.22.22.22 #389: Authenticated using RSA
Jan 31 22:32:59 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[35] 22.22.22.22 #389: no local proposal matches remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED 2:ESP:ENCR=3DES;INTEG=HMAC_SHA1_96;ESN=DISABLED
Jan 31 22:32:59 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[35] 22.22.22.22 #389: IKE_AUTH responder matching remote ESP/AH proposals failed, responder SA processing returned STF_FAIL+v2N_NO_PROPOSAL_CHOSEN
Jan 31 22:32:59 ip-10-0-0-194 pluto[18497]: "ikev2-cp"[35] 22.22.22.22 #390: responding to IKE_AUTH message (ID 1) from 22.22.22.22:64153 with encrypted notification NO_PROPOSAL_CHOSEN
The relevant line in the ipsec.conf file is:
ike=aes256-sha2_512;modp2048,aes128-sha2_512;modp2048,aes256-sha1;modp2048,aes128-sha1;modp2048,aes-sha2;modp2048,aes256-sha1;modp1024,aes128-sha1;modp1024,aes-sha2;modp1024
For some reason Windows 7 still didn't want to play with the 1024 DH in spite of them being on the list above too, but that's not the problem I think.
Thoughts? What obvious step did I miss here?
Jan
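An added example (not from this post or from libreswan): a small Python checker that parses the proposal lists pluto logs and an ike=/esp= value in ipsec.conf notation, then reports which pair, if any, is compatible. The token table is an assumption covering only the algorithms seen in this thread; fed the two messages above it shows the IKE list matching while an ESP (child SA) list can fail to match, which is the step where the log reports NO_PROPOSAL_CHOSEN.

```python
import re
# ipsec.conf tokens -> names pluto logs (assumption: only tokens seen in this thread are mapped)
ENCR = {"aes128": "AES_CBC_128", "aes256": "AES_CBC_256", "3des": "3DES"}
INTEG = {"sha1": ("HMAC_SHA1", "HMAC_SHA1_96"),            # (PRF, INTEG)
         "sha2_256": ("HMAC_SHA2_256", "HMAC_SHA2_256_128"),
         "sha2_512": ("HMAC_SHA2_512", "HMAC_SHA2_512_256")}
DH = {"modp1024": "MODP1024", "modp2048": "MODP2048"}
PROPOSAL_RE = re.compile(r"(\d+):(IKE|ESP|AH):([A-Z0-9_=;]+)")

# Constructed sample lines, modelled on the two decisive pluto messages in the post.
REMOTE_IKE = ('#389: proposal 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP2048 chosen '
              'from remote proposals 1:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP2048'
              '[first-match] 2:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP2048')
REMOTE_ESP = ('#389: no local proposal matches remote proposals 1:ESP:ENCR=AES_CBC_256;'
              'INTEG=HMAC_SHA1_96;ESN=DISABLED 2:ESP:ENCR=3DES;INTEG=HMAC_SHA1_96;ESN=DISABLED')

def parse_log_proposals(line):
    """Return the remote proposals in a pluto line as dicts of transform -> value."""
    tail = line.rpartition("remote proposals")[2]   # skip the 'chosen' local proposal
    out = []
    for _, proto, body in PROPOSAL_RE.findall(tail):
        p = dict(kv.split("=", 1) for kv in body.split(";"))
        p["PROTO"] = proto
        out.append(p)
    return out

def parse_conf_list(proto, alg_list):
    """Turn an ike=/esp= value like 'aes256-sha1;modp2048,aes128-sha1' into dicts."""
    out = []
    for entry in alg_list.split(","):
        algs, _, group = entry.strip().partition(";")
        encr, _, integ = algs.partition("-")
        prf, integ_name = INTEG[integ]
        p = {"PROTO": proto, "ENCR": ENCR[encr], "INTEG": integ_name}
        if proto == "IKE":        # IKE proposals also negotiate a PRF
            p["PRF"] = prf
        if group:                 # the ESP proposals in the post carry no DH group
            p["DH"] = DH[group]
        out.append(p)
    return out

def first_match(local, remote):
    """1-based (local_no, remote_no) of the first compatible pair, or None. Every
    local transform must match; extra remote ones such as ESN=DISABLED are ignored."""
    for li, lp in enumerate(local, 1):
        for ri, rp in enumerate(remote, 1):
            if all(rp.get(k) == v for k, v in lp.items()):
                return (li, ri)
    return None
```

Calling first_match(parse_conf_list("ESP", "aes256-sha2_512"), parse_log_proposals(REMOTE_ESP)) returns None, while the same call with "aes256-sha1" returns (1, 1); the IKE list from the post matches the peer's first IKE proposal.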