[Swan] windows 10 Policy Match Error

Computerisms Corporation bob at computerisms.ca
Wed Oct 30 16:53:07 UTC 2019


just in case it helps someone:

came across another win10 laptop that would not connect yesterday, even 
though all the other win10 laptops do.  ended up setting both esp= and 
ike= to make it work, like so:

    esp=aes256-sha1-modp1024
    ike=aes256-sha1-modp1024


On 2019-10-04 11:29 a.m., Computerisms Corporation wrote:
> Hi Again,
> 
> Turns out that brand new laptop still does connect so long as I do not 
> specify an ike/esp line.  in the debug logs, it seems to choose this 
> proposal:
> 
> IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP2048[first-match] 
> 
> 
> Not sure how that helps me get the other ones connected, but it is 
> interesting, at least...
> 
> In the debug logs, I think this is the line that indicates what windows 
> is proposing that libreswan is rejecting:
> 
> pluto[30250]: "rw-ikev2"[1] 50.117.137.129 #5: no local proposal matches 
> remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED 
> 2:ESP:ENCR=3DES;INTEG=HMAC_SHA1_96;ESN=DISABLED
> 
> so I put this in my conn:
> 
> esp=aes256-sha1-modp1024
> 
> and the connection worked.
> 
> so I go back to the wiki, which tells me to use this:
> 
> esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024 
> 
> 
> and I believe from reading the man page on the topic that this should 
> also match the aes256-sha1-modp1024 proposal, however evidence clearly 
> indicates it does not.
> 
> I tried messing with the syntax of the wiki line a bit, but nothing I 
> did worked, really not clear what I am missing.  Did I find a problem 
> that isn't supposed to be there?  Or am I just stuck with only accepting 
> the single esp proposal?
> 
> 
> 
> How do I interpret this and translate it to
> 
> On 2019-10-04 9:30 a.m., Computerisms Corporation wrote:
>> Hi Nels and Paul,
>>
>> Apologies for the delayed reply, I was overly busy at the moment and 
>> duct taped the immediate issue with some iptables rules and port 
>> forwarding.  But need something better and I am back to trying to 
>> solve this now.
>>
>> I tried setting ikev2 from yes to no, sadly did not change the situation.
>>
>> Oddly enough I put a brand new setup together about a week ago, with a 
>> brand new laptop, and it connected fine.  Yesterday I configured a 
>> bunch of other laptops to connect to that same firewall, and now 
>> nothing connects to it.  That causes me to wonder if a windows update 
>> that wasn't installed to begin with is there now on the brand new laptop.
>>
>> Regardless, I faced this problem with windows7 way back, and I managed 
>> to solve it that time with a post I found on the strong swan list.  So 
>> my instinct is telling me I need to find the correct ike=/esp= lines 
>> to fix this problem.  I did find a post from strong swan from Oct/Nov 
>> 2018:
>>
>> https://wiki.strongswan.org/issues/2808
>>
>> But none of those cipher lines worked.
>>
>> Similarly there are a set of ciphers listed on the libreswan wiki 
>> under the no_proposal_chosen section, and those are not working either.
>>
>> I am thinking the next task is to go through the debug log and find 
>> out what proposals windows is expecting, and try to construct 
>> appropriate ike=/esp= lines.  I found the parts of the man page that 
>> explain how to write the ciphers, but having a hard time translating 
>> the log entries into valid cipher descriptions for the conf file.
>>
>> Posting the debug log here in case any one is interested in having a 
>> look...
> 
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan


More information about the Swan mailing list