    Upgrading to 2.4.2 broke my IPSEC VPN!

    4 Posts 2 Posters 3.2k Views
      XakEp
      last edited by

      When I try to connect, now I get this in my logs… No change to the config, was working a day before the upgrade. Help? Client is StrongSwan on Android.

      Time Process PID Message
      Dec 5 15:16:09 charon 01[NET] <3> sending packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[9313] (36 bytes)
      Dec 5 15:16:09 charon 01[ENC] <3> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
      Dec 5 15:16:09 charon 01[IKE] <3> received proposals inacceptable
      Dec 5 15:16:09 charon 01[IKE] <3> remote host is behind NAT
      Dec 5 15:16:09 charon 01[CFG] <3> received supported signature hash algorithms: sha256 sha384 sha512 identity
      Dec 5 15:16:09 charon 01[CFG] <3> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Dec 5 15:16:09 charon 01[CFG] <3> received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048
      Dec 5 15:16:09 charon 01[CFG] <3> no acceptable ENCRYPTION_ALGORITHM found
      Dec 5 15:16:09 charon 01[CFG] <3> selecting proposal:
      Dec 5 15:16:09 charon 01[CFG] <3> no acceptable DIFFIE_HELLMAN_GROUP found
      Dec 5 15:16:09 charon 01[CFG] <3> selecting proposal:

      Dec 5 15:16:09 charon 01[IKE] <3> xxx.xxx.xxx.xxx is initiating an IKE_SA
      Dec 5 15:16:09 charon 01[CFG] <3> found matching ike config: xxx.xxx.xxx.xxx…%any with prio 1052
      Dec 5 15:16:09 charon 01[CFG] <3> candidate: xxx.xxx.xxx.xxx…%any, prio 1052
      Dec 5 15:16:09 charon 01[CFG] <3> candidate: %any…%any, prio 24
      Dec 5 15:16:09 charon 01[CFG] <3> looking for an ike config for xxx.xxx.xxx.xxx…xxx.xxx.xxx.xxx
      Dec 5 15:16:09 charon 01[ENC] <3> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      Dec 5 15:16:09 charon 01[NET] <3> received packet: from xxx.xxx.xxx.xxx[9313] to xxx.xxx.xxx.xxx[500] (704 bytes)

      Client error is -

      Dec  5 15:46:50 00[DMN] Starting IKE charon daemon (strongSwan 5.6.1dr3, Android 7.0 - NRD90M.G955USQU1AQK3/2017-10-01, SM-G955U - samsung/dream2qltesq/samsung, Linux 4.4.16-11982677, aarch64)
      Dec  5 15:46:50 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
      Dec  5 15:46:50 00[JOB] spawning 16 worker threads
      Dec  5 15:46:50 08[IKE] initiating IKE_SA android[32] to xxx.xxx.xxx.xxx
      Dec  5 15:46:50 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      Dec  5 15:46:50 08[NET] sending packet: from xxx.xxx.xxx.xxx[55518] to xxx.xxx.xxx.xxx[500] (704 bytes)
      Dec  5 15:46:50 09[NET] received packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[55518] (36 bytes)
      Dec  5 15:46:50 09[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
      Dec  5 15:46:50 09[IKE] received NO_PROPOSAL_CHOSEN notify error

        Derelict LAYER 8 Netgate
        last edited by

        Your side is configured to use this:

        IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

        The other side is configured to use these:

        IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048 <-- No MODP_1024
        IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048

        None of them match. PFS Group 2 (MODP_1024) is not acceptable to the other side in the Phase 1. Try Group 14 (MODP_2048) there.

        Might be a good time to switch to AES_CBC_128 and HMAC_SHA2_256_128 while you're messing with it.

        You might need to do the same kind of thing for the Phase 2. Those will look similar in the logs but be prefixed by ESP: instead of IKE:

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)
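        As an added example (not part of this thread, pfSense or strongSwan), the Python below replays charon's proposal matching over the IKE: lines quoted above, with the received list shortened to representative transforms from each family. It reports, per received proposal, the first transform type with no common algorithm, which is what the "no acceptable ENCRYPTION_ALGORITHM / DIFFIE_HELLMAN_GROUP found" lines say, and shows the match that appears once the pfSense side offers Group 14.

```python
# Constructed from the "configured proposals" / "received proposals" lines above;
# the received list is shortened to representative transforms from each family.
CONFIGURED = "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024"
RECEIVED = ("IKE:AES_CBC_128/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA1_96/"
            "AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/"
            "CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/"
            "AES_GCM_16_256/CHACHA20_POLY1305_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/ECP_256/CURVE_25519/MODP_2048")

# charon checks transform types in this order and stops at the first empty intersection.
ORDER = ["ENCRYPTION_ALGORITHM", "INTEGRITY_ALGORITHM", "PSEUDO_RANDOM_FUNCTION", "DIFFIE_HELLMAN_GROUP"]

def transform_type(name):
    """Classify a strongSwan transform name by its IKEv2 transform type."""
    if name.startswith("PRF_"):
        return "PSEUDO_RANDOM_FUNCTION"
    if name.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "INTEGRITY_ALGORITHM"
    if name.startswith(("MODP_", "ECP_", "CURVE_")):
        return "DIFFIE_HELLMAN_GROUP"
    return "ENCRYPTION_ALGORITHM"

def parse_proposals(line):
    """'IKE:a/b, IKE:c/d' -> [("IKE", {transform type: {names}}), ...]."""
    out = []
    for chunk in line.split(","):
        proto, _, transforms = chunk.strip().partition(":")
        by_type = {}
        for t in transforms.split("/"):
            by_type.setdefault(transform_type(t), set()).add(t)
        out.append((proto, by_type))
    return out

def select_proposal(configured, received):
    """Return (chosen transforms, []) on a match, else (None, [(received proposal
    index, first transform type with no common algorithm), ...])."""
    reasons = []
    for cproto, cfg in parse_proposals(configured):
        for i, (rproto, rcv) in enumerate(parse_proposals(received)):
            if rproto != cproto:
                continue
            chosen = {}
            for ttype in ORDER:
                want, have = cfg.get(ttype, set()), rcv.get(ttype, set())
                if not want and not have:   # AEAD proposals carry no integrity algorithm
                    continue
                common = want & have
                if not common:
                    reasons.append((i, ttype))
                    break
                chosen[ttype] = min(common)  # any member; charon honours preference order
            else:
                return chosen, []
    return None, reasons
```

        Run against the quoted lines it yields no match with reasons [(0, "DIFFIE_HELLMAN_GROUP"), (1, "ENCRYPTION_ALGORITHM")], the same two complaints charon logged; changing MODP_1024 to MODP_2048 in CONFIGURED produces a match on the first received proposal.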

          XakEp
          last edited by

          Well honk my hooter you're right! When I'm back in the building later tonight I'll fiddle with it and update.

          Thank you very much, it's a pain for my old eyes to spot that stuff these days, it's much appreciated.

            XakEp
            last edited by

            Update - you were absolutely right! Switching DH groups fixed it. Wish I had spotted that, thank you!

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.