<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">Hi,</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">Finally it is working with this config:</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">conn vpn<br> type=tunnel<br> authby=secret<br> auto=start<br> left=%defaultroute<br> leftid=xxx.xxx.xxx.120</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"> leftsubnets=10.xxx.xxx.80/28<br> right=xxx.xxx.xxx.45<br> rightid=xxx.xxx.xxx.45<br> rightsubnets={10.xxx.xxx.0/22 ... 10.xxx.xxx.xxx/32}<br> leftsourceip=xxx.xxx.xxx.92<br> #leftnexthop=%defaultroute<br> ikev2=insist<br> ike=aes256-sha2;dh14 (It is not specified this way in the documentation; a colleague pointed out to me that this is a really problematic point, I think it was failing to connect in phase 1 because of this)<br> esp=aes256-sha256<br> keyexchange=ike<br> ikelifetime=28800s<br> salifetime=28800s<br> dpddelay=30<br> dpdtimeout=120<br> dpdaction=restart_by_peer<br> encapsulation=no (Needed to avoid connecting using NAT-T; it is not configured on either side but it keeps going through port 4500)<br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">Also I have captured with tcpdump and analyzed with Wireshark the packets sent by both peers, and I see that AES_CBC is sent with key length 256 bits.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><pre>Payload: Transform (3)
    Next payload: Transform (3)
    Reserved: 00
    Payload length: 12
    Transform Type: Encryption Algorithm (ENCR) (1)
    Reserved: 00
    Transform ID (ENCR): <b>ENCR_AES_CBC</b> (12)
    Transform Attribute (t=14,l=2): Key Length: <b>256</b>
        1... .... .... .... = Format: Type/Value (TV)
        Type: Key Length (14)
        Value: 0100
        Key Length: <b>256</b>
Payload: Transform (3)
    Next payload: Transform (3)
    Reserved: 00
    Payload length: 8
    Transform Type: Pseudo-random Function (PRF) (2)
    Reserved: 00
    Transform ID (PRF): PRF_HMAC_SHA2_256 (5)
Payload: Transform (3)
    Next payload: Transform (3)
    Reserved: 00
    Payload length: 8
    Transform Type: Integrity Algorithm (INTEG) (3)
    Reserved: 00
    Transform ID (INTEG): AUTH_HMAC_SHA2_256_128 (12)
Payload: Transform (3)
    Next payload: NONE / No Next Payload (0)
    Reserved: 00
    Payload length: 8
    Transform Type: Diffie-Hellman Group (D-H) (4)
    Reserved: 00
</pre></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">Thanks for your help and for being there as support.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">Best regards!</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, 10 Mar 2021 at 12:30, Nick Howitt (<<a href="mailto:nick@howitts.co.uk" target="_blank">nick@howitts.co.uk</a>>) wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
<br>
On 10/03/2021 11:17, Miguel Ponce Antolin wrote:<br>
> Thanks for your answer Paul,<br>
> <br>
> I have tried the options you said with similar results, the connection <br>
> is not established in any case.<br>
> <br>
> The other side's configuration is mandatory, so the AES256 must be effective.<br>
> <br>
> We have seen that the aes256 configuration selects AES_CBC and the 256 <br>
> bit option has to be selected.<br>
> <br>
> Does libreswan accept this 256-bit option on AES_CBC?<br>
> <br>
> Looking on the libreswan wiki the Implemented Standards <br>
> <<a href="https://libreswan.org/wiki/Implemented_Standards" rel="noreferrer" target="_blank">https://libreswan.org/wiki/Implemented_Standards</a>> I can see that the <br>
> option is possible but I cannot be sure that when cipherkey is selected <br>
> as AES_CBC the 256 bits are selected.<br>
> <br>
> The other peer is sure that the problem is about this and I don't know <br>
> if the 256 bits option is effective when the Payload is negotiated.<br>
> <br>
> Maybe you can bring me some clarity,<br>
> <br>
> Thanks in advance!<br>
> <br>
> On Wed, 10 Mar 2021 at 4:16, Paul Wouters (<<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a> <br>
> <mailto:<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>>>) wrote:<br>
> <br>
> On Mon, 8 Mar 2021, Miguel Ponce Antolin wrote:<br>
> <br>
> > I think we are facing issues with the IKE algorithms.<br>
> ><br>
> > The Cisco peer has the next configuration:<br>
> > - pfs group14<br>
> > - ikev2 ipsec-proposal AES256-SHA256<br>
> > - security-association lifetime seconds 28800<br>
> ><br>
> > So the libreswan side is configured in ipsec.d/vpn.conf with<br>
> > similar parameters, using the latest version from the yum repository, 3.25:<br>
> ><br>
> > conn vpn<br>
> > type=tunnel<br>
> > authby=secret<br>
> > auto=start<br>
> > left=%defaultroute<br>
> > leftid=xxx.xxx.xxx.120<br>
> > leftsubnets=10.xxx.xxx.xxx/28<br>
> > right=xxx.xxx.xxx.45<br>
> > rightsubnets=xxx.xxx.xxx.17/32<br>
> > leftsourceip=xxx.xxx.xxx.92<br>
> > leftnexthop=%defaultroute<br>
> > ikev2=insist<br>
> > ike=aes256-sha2;dh14<br>
> > keyexchange=ike<br>
> > ikelifetime=28800s<br>
> > salifetime=28800s<br>
> > dpddelay=30<br>
> > dpdtimeout=120<br>
> > dpdaction=restart<br>
> > remote_peer_type=cisco<br>
> > aggrmode=yes<br>
> > initial-contact=yes<br>
> > encapsulation=no<br>
> <br>
> Delete the lines with remote_peer_type, aggrmode, and encapsulation<br>
> <br>
> Try using ike=aes256-sha2_256;dh14<br>
> <br>
> > Mar 8 12:33:25.540325: | selected state microcode Initiator:<br>
> process AUTHENTICATION_FAILED AUTH notification<br>
> <br>
> It could also be that they are expecting a different leftid= than you<br>
> think?<br>
> <br>
> Despite them claiming pfs, you can try pfs=no as well to see if that<br>
> makes a difference.<br>
> <br>
> Paul<br>
> <br>
> <br>
> <br>
> -- <br>
> <br>
> Logo Especialidad<br>
> <br>
> *Miguel Ponce Antolín.*<br>
> Sistemas · +34 670 360 655<br>
> Linea<br>
> Logo Paradigma · <a href="http://paradig.ma" rel="noreferrer" target="_blank">paradig.ma</a> <<a href="https://www.paradigmadigital.com/" rel="noreferrer" target="_blank">https://www.paradigmadigital.com/</a>> · <br>
> contact us <<a href="https://www.paradigmadigital.com/contacto" rel="noreferrer" target="_blank">https://www.paradigmadigital.com/contacto</a>> · Twitter <br>
> <<a href="https://twitter.com/paradigmate" rel="noreferrer" target="_blank">https://twitter.com/paradigmate</a>> Youtube <br>
> <<a href="https://www.youtube.com/user/ParadigmaTe?feature=watch" rel="noreferrer" target="_blank">https://www.youtube.com/user/ParadigmaTe?feature=watch</a>> Linkedin <br>
> <<a href="https://www.linkedin.com/company/paradigma-digital/" rel="noreferrer" target="_blank">https://www.linkedin.com/company/paradigma-digital/</a>> Instagram <br>
> <<a href="https://www.instagram.com/paradigma_digital/?hl=es" rel="noreferrer" target="_blank">https://www.instagram.com/paradigma_digital/?hl=es</a>><br>
> <br>
> <br>
> _______________________________________________<br>
> Swan mailing list<br>
> <a href="mailto:Swan@lists.libreswan.org" target="_blank">Swan@lists.libreswan.org</a><br>
> <a href="https://lists.libreswan.org/mailman/listinfo/swan" rel="noreferrer" target="_blank">https://lists.libreswan.org/mailman/listinfo/swan</a><br>
> <br>
Is "sha2-truncbug = yes" relevant?<br>
</blockquote></div><br clear="all"><br>-- <br><div dir="ltr"><b>Miguel Ponce Antolín.</b><br>Sistemas · +34 670 360 655<br><a href="https://www.paradigmadigital.com/" target="_blank">paradig.ma</a> · <a href="https://www.paradigmadigital.com/contacto" target="_blank">contact us</a></div>
</div>
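<p>The dissection quoted in the message above is the check that matters in this thread: for AES-CBC the IKE_SA_INIT proposal must carry an explicit Key Length transform attribute, and <code>aes256</code> on the libreswan side is only effective if that attribute says 256. As an added example (not code from the thread or from libreswan), the Python below encodes and parses IKEv2 Proposal and Transform substructures in the RFC 7296 section 3.3 wire format and then checks a proposal for ENCR_AES_CBC with Key Length 256. The sample bytes are constructed here to mirror the four transforms in the dissection; the D-H Transform ID 14 is assumed from the <code>dh14</code> in the config, since the dissection is cut off before that field. A second constructed proposal with a 128-bit key shows the check failing.</p>

```python
import struct

# Transform types and the IDs that appear in the thread (RFC 7296 s3.3.2, IANA IKEv2 registry)
TRANSFORM_TYPES = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "D-H", 5: "ESN"}
TRANSFORM_IDS = {
    1: {12: "ENCR_AES_CBC"},
    2: {5: "PRF_HMAC_SHA2_256"},
    3: {12: "AUTH_HMAC_SHA2_256_128"},
    4: {14: "MODP_2048"},  # assumed: dh14 in ipsec.conf is D-H group 14
}
ATTR_KEY_LENGTH = 14   # Transform Attribute type "Key Length", always TV format
PROTO_IKE = 1


def build_transform(ttype, tid, key_length=None, last=False):
    """Encode one Transform substructure. Last Substruc is 3 while more follow, 0 on the last."""
    attrs = b""
    if key_length is not None:
        # TV attribute: AF bit (0x8000) set, type 14, value carried in the 16-bit length/value field
        attrs = struct.pack("!HH", 0x8000 | ATTR_KEY_LENGTH, key_length)
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(attrs), ttype, 0, tid) + attrs


def build_proposal(transforms, number=1, protocol=PROTO_IKE, last=True):
    """Encode one Proposal substructure with SPI Size 0 (the initial IKE SA proposal)."""
    body = b"".join(transforms)
    return struct.pack("!BBHBBBB", 0 if last else 2, 0, 8 + len(body),
                       number, protocol, 0, len(transforms)) + body


def parse_attributes(data):
    """Parse Transform Attributes; TV values come back as ints, TLV values as bytes."""
    attrs, off = {}, 0
    while off + 4 <= len(data):
        af_type, lv = struct.unpack_from("!HH", data, off)
        atype = af_type & 0x7FFF
        if af_type & 0x8000:
            attrs[atype] = lv
            off += 4
        else:
            attrs[atype] = data[off + 4:off + 4 + lv]
            off += 4 + lv
    return attrs


def parse_sa_payload(data):
    """Parse the body of an SA payload (after its 4-byte generic payload header)
    into a list of proposals, each a dict with its list of transforms."""
    proposals, off = [], 0
    while off + 8 <= len(data):
        last, _, plen, num, proto, spi_size, ntrans = struct.unpack_from("!BBHBBBB", data, off)
        end = off + plen
        if plen < 8 + spi_size or end > len(data):
            raise ValueError("bad proposal length")
        spi = data[off + 8:off + 8 + spi_size]
        transforms, toff = [], off + 8 + spi_size
        while toff + 8 <= end:
            tlast, _, tlen, ttype, _, tid = struct.unpack_from("!BBHBBH", data, toff)
            if tlen < 8 or toff + tlen > end:
                raise ValueError("bad transform length")
            attrs = parse_attributes(data[toff + 8:toff + tlen])
            transforms.append({
                "type": TRANSFORM_TYPES.get(ttype, ttype),
                "id": TRANSFORM_IDS.get(ttype, {}).get(tid, tid),
                "key_length": attrs.get(ATTR_KEY_LENGTH),
            })
            toff += tlen
            if tlast == 0:
                break
        if len(transforms) != ntrans:
            raise ValueError("Num Transforms does not match the transforms present")
        proposals.append({"num": num, "protocol": proto, "spi": spi, "transforms": transforms})
        off = end
        if last == 0:
            break
    return proposals


def offers_aes256_cbc(proposals):
    """True if some proposal carries ENCR_AES_CBC with an explicit Key Length of 256,
    which is what the Wireshark dissection in the thread confirms for the working config."""
    return any(t["id"] == "ENCR_AES_CBC" and t["key_length"] == 256
               for p in proposals for t in p["transforms"])


# Constructed sample mirroring the dissection in the thread:
# AES_CBC/256, PRF_HMAC_SHA2_256, AUTH_HMAC_SHA2_256_128, D-H group 14.
GOOD_PROPOSAL = build_proposal([
    build_transform(1, 12, key_length=256),
    build_transform(2, 5),
    build_transform(3, 12),
    build_transform(4, 14, last=True),
])

# Constructed contrast: the same proposal but AES_CBC with a 128-bit key,
# which a peer that requires AES256 will not accept.
WEAK_PROPOSAL = build_proposal([
    build_transform(1, 12, key_length=128),
    build_transform(2, 5),
    build_transform(3, 12),
    build_transform(4, 14, last=True),
])

if __name__ == "__main__":
    for name, blob in (("good", GOOD_PROPOSAL), ("weak", WEAK_PROPOSAL)):
        parsed = parse_sa_payload(blob)
        print(name, blob.hex(), "AES256-CBC offered:", offers_aes256_cbc(parsed))
        for t in parsed[0]["transforms"]:
            print("   ", t)
```

<p>To run this against real traffic, feed <code>parse_sa_payload</code> the bytes of the SA payload body from a tcpdump capture of the IKE_SA_INIT exchange on UDP 500 (skipping the 4-byte generic payload header). The Transform Length of 12 for the ENCR transform, against 8 for the others, is the quickest way to confirm that the key-length attribute is actually on the wire.</p>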