<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">Thanks for your answer, Paul,</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">I have tried the options you suggested, with similar results: the connection is not established in any case.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">The other side's configuration is mandatory, so AES256 must be in effect.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">We have seen that the aes256 configuration selects AES_CBC, and the 256-bit option has to be selected.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">Does libreswan accept this 256-bit option on AES_CBC?</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">Looking at the <a href="https://libreswan.org/wiki/Implemented_Standards">Implemented Standards</a> page on the libreswan wiki, I can see that the option is possible, but I cannot be sure that, when cipherkey is selected as AES_CBC, the 256 bits are selected.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">The other peer is sure that the problem is about this, and I don't know if the 256-bit option is effective when the payload is negotiated.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><br></div><div 
class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">Maybe you can bring me some clarity.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">Thanks in advance!</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, 10 Mar 2021 at 4:16, Paul Wouters (<<a href="mailto:paul@nohats.ca">paul@nohats.ca</a>>) wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Mon, 8 Mar 2021, Miguel Ponce Antolin wrote:<br>
<br>
> I think we are facing issues with the IKE algorithms.<br>
> <br>
> The Cisco peer has the next configuration:<br>
> - pfs group14<br>
> - ikev2 ipsec-proposal AES256-SHA256<br>
> - security-association lifetime seconds 28800<br>
> <br>
> So the libreswan side is configured in the ipsec.d/vpn.conf with similar parameters using the yum repository last version 3.25:<br>
> <br>
> conn vpn<br>
>     type=tunnel<br>
>     authby=secret<br>
>     auto=start<br>
>     left=%defaultroute<br>
>     leftid=xxx.xxx.xxx.120<br>
>     leftsubnets=10.xxx.xxx.xxx/28<br>
>     right=xxx.xxx.xxx.45<br>
>     rightsubnets=xxx.xxx.xxx.17/32<br>
>     leftsourceip=xxx.xxx.xxx.92<br>
>     leftnexthop=%defaultroute<br>
>     ikev2=insist<br>
>     ike=aes256-sha2;dh14<br>
>     keyexchange=ike<br>
>     ikelifetime=28800s<br>
>     salifetime=28800s<br>
>     dpddelay=30<br>
>     dpdtimeout=120<br>
>     dpdaction=restart<br>
>     remote_peer_type=cisco<br>
>     aggrmode=yes<br>
>     initial-contact=yes<br>
>     encapsulation=no <br>
<br>
Delete the lines with remote_peer_type, aggrmode, and encapsulation<br>
<br>
Try using ike=aes256-sha2_256;dh14<br>
<br>
> Mar  8 12:33:25.540325: | selected state microcode Initiator: process AUTHENTICATION_FAILED AUTH notification<br>
<br>
It could also be that they are expecting a different leftid= than you think?<br>
<br>
Despite them claiming pfs, you can try pfs=no as well to see if that<br>
makes a difference.<br>
<br>
Paul<br>
</blockquote></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature"><p><strong>Miguel Ponce Antolín</strong><br>Sistemas · <a href="https://www.paradigmadigital.com/" target="_blank">paradig.ma</a></p></div>
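<p>The following conn block is an added example written for this page; it is not configuration from the thread or from the libreswan project. It combines Paul's suggested ike= line with an explicit Child SA proposal: on a Cisco ASA, <code>crypto ipsec ikev2 ipsec-proposal AES256-SHA256</code> describes the ESP (Child SA) transforms, not the IKE SA, so libreswan needs a matching <code>esp=</code> line as well as <code>ike=</code>, and the <code>pfs group14</code> setting maps to <code>pfs=yes</code>. In libreswan's algorithm syntax <code>aes256</code> denotes AES-CBC with a 256-bit key. All addresses and subnets are placeholders, and the block assumes libreswan 3.25 as used in the thread.</p>

```ini
# Added example (not from the thread): one conn aligning both the IKE SA
# and the Child SA (ESP) proposals with the peer's stated requirements.
# Addresses and subnets below are placeholders.
conn vpn
    type=tunnel
    authby=secret
    auto=start
    ikev2=insist
    left=%defaultroute
    leftid=LEFT_PUBLIC_IP_PLACEHOLDER
    leftsubnets=10.0.0.0/28
    leftsourceip=LEFT_SOURCE_IP_PLACEHOLDER
    right=RIGHT_PEER_IP_PLACEHOLDER
    rightsubnets=RIGHT_HOST_PLACEHOLDER/32
    # IKE SA proposal (Paul's suggestion in the thread):
    # aes256 = AES-CBC, 256-bit key; sha2_256 = HMAC-SHA2-256 integrity and
    # PRF; dh14 = MODP-2048.
    ike=aes256-sha2_256;dh14
    # Child SA / ESP proposal. The Cisco "ikev2 ipsec-proposal AES256-SHA256"
    # is an ESP proposal, so it is matched here rather than by ike=. Setting
    # it explicitly avoids depending on libreswan's default ESP list.
    esp=aes256-sha2_256
    # "pfs group14" on the Cisco side. With pfs=yes and no DH group named in
    # esp=, libreswan reuses the IKE SA's group (dh14) for the Child SA
    # (assumption based on libreswan's documented behaviour; add ";dh14" to
    # esp= if the peer still rejects the proposal).
    pfs=yes
    ikelifetime=28800s
    salifetime=28800s
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
```

<p>To confirm what was actually negotiated rather than what was configured, load the connection and check <code>ipsec status</code> for the conn's policy and algorithm lines, then look at the pluto log line that reports the established IKE SA and IPsec SA: it names the cipher together with its key length, which is the place to verify that a 256-bit AES key, not a 128-bit one, was agreed with the peer.</p>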