Discussion:
[strongSwan] Strange error
Christian Salway
2018-08-11 21:31:47 UTC
Permalink
I am unable to connect from StrongSwan client with an error that doesnt make sense:


Aug 11 21:26:17 15[CFG] looking for an ike config for 10.0.1.216...x.x.x.x
Aug 11 21:26:17 15[CFG] candidate: %any...%any, prio 28
Aug 11 21:26:17 15[CFG] found matching ike config: %any...%any with prio 28
Aug 11 21:26:17 15[IKE] x.x.x.x is initiating an IKE_SA
Aug 11 21:26:17 15[IKE] IKE_SA (unnamed)[21] state change: CREATED => CONNECTING
Aug 11 21:26:17 15[CFG] selecting proposal:
Aug 11 21:26:17 15[CFG] proposal matches
Aug 11 21:26:17 15[CFG] received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
Aug 11 21:26:17 15[CFG] configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 11 21:26:17 15[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
Aug 11 21:26:17 15[CFG] received supported signature hash algorithms: sha256 sha384 sha512 identity
Aug 11 21:26:17 15[IKE] local host is behind NAT, sending keep alives
Aug 11 21:26:17 15[IKE] remote host is behind NAT
Aug 11 21:26:17 15[IKE] DH group ECP_384 inacceptable, requesting ECP_384

CLIENT
conn %default
ike=aes256gcm16-prfsha384-ecp384!
esp=aes256gcm16-ecp384!
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2

conn test
leftsourceip=%config4
leftauth=eap
eap_identity=christian.salway
rightid=vpnserver
right=x.x.x.x
rightauth=pubkey
rightsubnet=0.0.0.0/0
auto=start


SERVER
config setup
uniqueids = replace

conn %default
ike=aes256gcm16-prfsha384-ecp384,aes128gcm16-prfsha256-ecp256,aes256-sha384-ecp384,aes128-sha256-ecp256,aes256-sha256-modp2048!
esp=aes256gcm16-ecp384,aes128gcm16-ecp256,aes256gmac-ecp384,aes128gmac-ecp256,aes256-sha256,aes256-sha1!
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2

conn pod
leftid=vpnserver
leftauth=pubkey
leftcert=vpnserver.crt
leftsendcert=always
leftsubnet=10.0.0.0/8
rightid=%any
rightsourceip=10.0.76.0/22
rightauth=eap-radius
eap_identity=%identity
auto=start
Christian Salway
2018-08-11 21:52:51 UTC
Permalink
forgot to add the --enable-openssl to the ./configure
Post by Christian Salway
Aug 11 21:26:17 15[CFG] looking for an ike config for 10.0.1.216...x.x.x.x
Aug 11 21:26:17 15[CFG] candidate: %any...%any, prio 28
Aug 11 21:26:17 15[CFG] found matching ike config: %any...%any with prio 28
Aug 11 21:26:17 15[IKE] x.x.x.x is initiating an IKE_SA
Aug 11 21:26:17 15[IKE] IKE_SA (unnamed)[21] state change: CREATED => CONNECTING
Aug 11 21:26:17 15[CFG] proposal matches
Aug 11 21:26:17 15[CFG] received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
Aug 11 21:26:17 15[CFG] configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 11 21:26:17 15[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
Aug 11 21:26:17 15[CFG] received supported signature hash algorithms: sha256 sha384 sha512 identity
Aug 11 21:26:17 15[IKE] local host is behind NAT, sending keep alives
Aug 11 21:26:17 15[IKE] remote host is behind NAT
Aug 11 21:26:17 15[IKE] DH group ECP_384 inacceptable, requesting ECP_384
CLIENT
conn %default
ike=aes256gcm16-prfsha384-ecp384!
esp=aes256gcm16-ecp384!
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn test
leftsourceip=%config4
leftauth=eap
eap_identity=christian.salway
rightid=vpnserver
right=x.x.x.x
rightauth=pubkey
rightsubnet=0.0.0.0/0
auto=start
SERVER
config setup
uniqueids = replace
conn %default
ike=aes256gcm16-prfsha384-ecp384,aes128gcm16-prfsha256-ecp256,aes256-sha384-ecp384,aes128-sha256-ecp256,aes256-sha256-modp2048!
esp=aes256gcm16-ecp384,aes128gcm16-ecp256,aes256gmac-ecp384,aes128gmac-ecp256,aes256-sha256,aes256-sha1!
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn pod
leftid=vpnserver
leftauth=pubkey
leftcert=vpnserver.crt
leftsendcert=always
leftsubnet=10.0.0.0/8
rightid=%any
rightsourceip=10.0.76.0/22
rightauth=eap-radius
eap_identity=%identity
auto=start
Christian Salway
2018-08-12 04:23:40 UTC
Permalink
That wasn't the problem. still getting DH group ECP_256 inacceptable, requesting ECP_384


Aug 12 04:22:10 06[CFG] looking for an ike config for 10.0.1.216...86.2.58.36
Aug 12 04:22:10 06[CFG] candidate: %any...%any, prio 28
Aug 12 04:22:10 06[CFG] candidate: %any...%any, prio 28
Aug 12 04:22:10 06[CFG] found matching ike config: %any...%any with prio 28
Aug 12 04:22:10 06[IKE] 86.2.58.36 is initiating an IKE_SA
Aug 12 04:22:10 06[IKE] IKE_SA (unnamed)[7] state change: CREATED => CONNECTING
Aug 12 04:22:10 06[CFG] selecting proposal:
Aug 12 04:22:10 06[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 12 04:22:10 06[CFG] selecting proposal:
Aug 12 04:22:10 06[CFG] proposal matches
Aug 12 04:22:10 06[CFG] received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Aug 12 04:22:10 06[CFG] configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 12 04:22:10 06[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
Aug 12 04:22:10 06[CFG] received supported signature hash algorithms: sha256 sha384 sha512
Aug 12 04:22:10 06[IKE] local host is behind NAT, sending keep alives
Aug 12 04:22:10 06[IKE] remote host is behind NAT
Aug 12 04:22:10 06[IKE] DH group ECP_256 inacceptable, requesting ECP_384
Post by Christian Salway
forgot to add the --enable-openssl to the ./configure
Post by Christian Salway
Aug 11 21:26:17 15[CFG] looking for an ike config for 10.0.1.216...x.x.x.x
Aug 11 21:26:17 15[CFG] candidate: %any...%any, prio 28
Aug 11 21:26:17 15[CFG] found matching ike config: %any...%any with prio 28
Aug 11 21:26:17 15[IKE] x.x.x.x is initiating an IKE_SA
Aug 11 21:26:17 15[IKE] IKE_SA (unnamed)[21] state change: CREATED => CONNECTING
Aug 11 21:26:17 15[CFG] proposal matches
Aug 11 21:26:17 15[CFG] received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
Aug 11 21:26:17 15[CFG] configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 11 21:26:17 15[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
Aug 11 21:26:17 15[CFG] received supported signature hash algorithms: sha256 sha384 sha512 identity
Aug 11 21:26:17 15[IKE] local host is behind NAT, sending keep alives
Aug 11 21:26:17 15[IKE] remote host is behind NAT
Aug 11 21:26:17 15[IKE] DH group ECP_384 inacceptable, requesting ECP_384
CLIENT
conn %default
ike=aes256gcm16-prfsha384-ecp384!
esp=aes256gcm16-ecp384!
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn test
leftsourceip=%config4
leftauth=eap
eap_identity=christian.salway
rightid=vpnserver
right=x.x.x.x
rightauth=pubkey
rightsubnet=0.0.0.0/0
auto=start
SERVER
config setup
uniqueids = replace
conn %default
ike=aes256gcm16-prfsha384-ecp384,aes128gcm16-prfsha256-ecp256,aes256-sha384-ecp384,aes128-sha256-ecp256,aes256-sha256-modp2048!
esp=aes256gcm16-ecp384,aes128gcm16-ecp256,aes256gmac-ecp384,aes128gmac-ecp256,aes256-sha256,aes256-sha1!
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn pod
leftid=vpnserver
leftauth=pubkey
leftcert=vpnserver.crt
leftsendcert=always
leftsubnet=10.0.0.0/8
rightid=%any
rightsourceip=10.0.76.0/22
rightauth=eap-radius
eap_identity=%identity
auto=start
Christian Salway
2018-08-12 05:08:49 UTC
Permalink
Sorry, you can ignore this one. It goes on to try the next signature hash algorithm (ECP_384) and succeeds.
Post by Christian Salway
That wasn't the problem. still getting DH group ECP_256 inacceptable, requesting ECP_384
Aug 12 04:22:10 06[CFG] looking for an ike config for 10.0.1.216...86.2.58.36
Aug 12 04:22:10 06[CFG] candidate: %any...%any, prio 28
Aug 12 04:22:10 06[CFG] candidate: %any...%any, prio 28
Aug 12 04:22:10 06[CFG] found matching ike config: %any...%any with prio 28
Aug 12 04:22:10 06[IKE] 86.2.58.36 is initiating an IKE_SA
Aug 12 04:22:10 06[IKE] IKE_SA (unnamed)[7] state change: CREATED => CONNECTING
Aug 12 04:22:10 06[CFG] no acceptable ENCRYPTION_ALGORITHM found
Aug 12 04:22:10 06[CFG] proposal matches
Aug 12 04:22:10 06[CFG] received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Aug 12 04:22:10 06[CFG] configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 12 04:22:10 06[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
Aug 12 04:22:10 06[CFG] received supported signature hash algorithms: sha256 sha384 sha512
Aug 12 04:22:10 06[IKE] local host is behind NAT, sending keep alives
Aug 12 04:22:10 06[IKE] remote host is behind NAT
Aug 12 04:22:10 06[IKE] DH group ECP_256 inacceptable, requesting ECP_384
Post by Christian Salway
forgot to add the --enable-openssl to the ./configure
Post by Christian Salway
Aug 11 21:26:17 15[CFG] looking for an ike config for 10.0.1.216...x.x.x.x
Aug 11 21:26:17 15[CFG] candidate: %any...%any, prio 28
Aug 11 21:26:17 15[CFG] found matching ike config: %any...%any with prio 28
Aug 11 21:26:17 15[IKE] x.x.x.x is initiating an IKE_SA
Aug 11 21:26:17 15[IKE] IKE_SA (unnamed)[21] state change: CREATED => CONNECTING
Aug 11 21:26:17 15[CFG] proposal matches
Aug 11 21:26:17 15[CFG] received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
Aug 11 21:26:17 15[CFG] configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 11 21:26:17 15[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
Aug 11 21:26:17 15[CFG] received supported signature hash algorithms: sha256 sha384 sha512 identity
Aug 11 21:26:17 15[IKE] local host is behind NAT, sending keep alives
Aug 11 21:26:17 15[IKE] remote host is behind NAT
Aug 11 21:26:17 15[IKE] DH group ECP_384 inacceptable, requesting ECP_384
CLIENT
conn %default
ike=aes256gcm16-prfsha384-ecp384!
esp=aes256gcm16-ecp384!
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn test
leftsourceip=%config4
leftauth=eap
eap_identity=christian.salway
rightid=vpnserver
right=x.x.x.x
rightauth=pubkey
rightsubnet=0.0.0.0/0
auto=start
SERVER
config setup
uniqueids = replace
conn %default
ike=aes256gcm16-prfsha384-ecp384,aes128gcm16-prfsha256-ecp256,aes256-sha384-ecp384,aes128-sha256-ecp256,aes256-sha256-modp2048!
esp=aes256gcm16-ecp384,aes128gcm16-ecp256,aes256gmac-ecp384,aes128gmac-ecp256,aes256-sha256,aes256-sha1!
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn pod
leftid=vpnserver
leftauth=pubkey
leftcert=vpnserver.crt
leftsendcert=always
leftsubnet=10.0.0.0/8
rightid=%any
rightsourceip=10.0.76.0/22
rightauth=eap-radius
eap_identity=%identity
auto=start
Continue reading on narkive:
Loading...