StrongSwan configuration

ogost
Posts: 2
Joined: 2020/05/07 08:57:23

StrongSwan configuration

Post by ogost » 2020/05/07 09:39:13

Hello

I'm trying to connect to a host via IPSec, and the other party gave me these instructions:

Code:

Phase 1

Authentication Method PSK: Pre-Shared Key
Encryption Scheme: IKE
Diffie-Hellman Group: Group 2
Encryption Algorithm: Aes 256
Hashing Algorithm: Sha 1
Main or Aggressive: Mode Main mode
Lifetime (for renegotiation): 86400s

Phase 2

Encapsulation (ESP or AH): ESP
Encryption Algorithm: Aes 256
Authentication Algorithm: Sha 1
Perfect Forward Secrecy: no PFS 
Lifetime (for renegotiation): 86400s

This looks like the configuration of some kind of network device, such as a router or a firewall.
I tried to translate it into a strongSwan configuration, which doesn't work. Here's what I did:

Code:

conn %default
        authby=secret
        keyexchange=ikev1
        keyingtries=1
        aggressive=no
        pfs=no
        ah=sha1-aes256-modp1024
        lifetime=24h

conn site2site
        left=<my server's public ip>
        leftsubnet=<my server's internal ip>/32
        right=<other party's public ip>
        rightsubnet=<other party's internal ip>
        esp=sha1-aes256
        lifetime=24h
        auto=start

This fails. In the strongSwan logs I see that the other party is not responding to my requests. Please help me create a correct configuration.

aks
Posts: 2992
Joined: 2014/09/20 11:22:14

Re: StrongSwan configuration

Post by aks » 2020/05/08 09:09:19

At a guess, change:
leftsubnet=<my server's internal ip>/32
and put in the "real" subnet mask; it's a subnet, not a host.

ogost
Posts: 2
Joined: 2020/05/07 08:57:23

Re: StrongSwan configuration

Post by ogost » 2020/05/09 05:45:05

Thank you for your reply.
I just tried that and nothing changed.
The other party says they have this in their logs:

Code:

Received No proposal chosen message.

I checked the loaded plugins for strongSwan and there's no modp1024 (which, if I understand correctly, stands for Diffie-Hellman group 2), which makes sense as it is deprecated. I'm fairly certain that this is causing the problem; now I need to figure out how to load this module. Any ideas?

aks
Posts: 2992
Joined: 2014/09/20 11:22:14

Re: StrongSwan configuration

Post by aks » 2020/05/09 10:25:38

Correct, that is DH group 2, 1024 bits.

"strongSwan's default proposal does not include the modp1024 group anymore since 5.6.1"
See Logjam entry at https://wiki.strongswan.org/projects/st ... mendations
"Received No proposal chosen message." usually means we can't agree on ciphers.

From https://wiki.strongswan.org/projects/st ... onnSection:

"Only either the ah or the esp keyword may be used, AH+ESP bundles are not supported."

According to https://wiki.strongswan.org/projects/st ... pherSuites

modp1024 is provided by the gmp/openssl/gcrypt plugins.
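A worked translation of the peer's phase 1 / phase 2 spec sheet (quoted in the first post) into strongSwan ipsec.conf proposal keywords, tying together the points made in this thread: one of esp= or ah= only, the DH group named explicitly in the ike= proposal, and a warning that modp1024 has to come from the gmp, openssl or gcrypt plugin. This is an added example, not code from the original posts or from the strongSwan project. It assumes the spec arrives as the "Key: Value" lines shown above; the function names, the DH_GROUPS table layout and the sample PEER_SPEC text are constructed for this example. The phase 1 lifetime maps to ikelifetime= and the phase 2 lifetime to lifetime=, and phase 2 PFS is expressed by appending a DH group to the child proposal (charon ignores the old pfs= keyword), so "no PFS" simply means no group is listed.

```python
"""Translate a peer's IPsec phase 1 / phase 2 spec sheet into strongSwan
ipsec.conf proposal keywords.  Added example, not code from the thread or
from strongSwan; the 'Key: Value' spec format and all function names are
assumptions of this example."""
import re

# IKE Diffie-Hellman group numbers and their strongSwan keywords.
DH_GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048",
             15: "modp3072", 16: "modp4096", 19: "ecp256", 20: "ecp384",
             21: "ecp521"}

# Constructed sample input: the peer's spec sheet as quoted in the first post.
PEER_SPEC = """\
Phase 1
Authentication Method PSK: Pre-Shared Key
Encryption Scheme: IKE
Diffie-Hellman Group: Group 2
Encryption Algorithm: Aes 256
Hashing Algorithm: Sha 1
Main or Aggressive: Mode Main mode
Lifetime (for renegotiation): 86400s

Phase 2
Encapsulation (ESP or AH): ESP
Encryption Algorithm: Aes 256
Authentication Algorithm: Sha 1
Perfect Forward Secrecy: no PFS
Lifetime (for renegotiation): 86400s
"""


def parse_spec(text):
    """Split the sheet into {'phase1': {key: value}, 'phase2': {...}}."""
    phases, current = {"phase1": {}, "phase2": {}}, None
    for line in text.splitlines():
        line = line.strip()
        heading = re.match(r"phase\s*([12])\s*$", line, re.I)
        if heading:
            current = "phase" + heading.group(1)
        elif current and ":" in line:
            key, value = line.split(":", 1)
            phases[current][key.strip().lower()] = value.strip()
    return phases


def algo(value):
    """'Aes 256' -> 'aes256', 'Sha 1' -> 'sha1' (strongSwan keyword form)."""
    return re.sub(r"[\s_-]+", "", value).lower()


def dh_group(value):
    """'Group 2' -> 'modp1024'; rejects group numbers with no known keyword."""
    num = re.search(r"\d+", value)
    if not num or int(num.group()) not in DH_GROUPS:
        raise ValueError("unknown Diffie-Hellman group: %r" % value)
    return DH_GROUPS[int(num.group())]


def build_proposals(phases):
    """Return (ipsec.conf keyword dict, list of warnings) for the parsed sheet."""
    p1, p2, warnings = phases["phase1"], phases["phase2"], []
    p1_group = dh_group(p1["diffie-hellman group"])
    conf = {
        "keyexchange": "ikev1",
        "aggressive": "no" if "main" in p1["main or aggressive"].lower() else "yes",
        # IKEv1 proposal: encryption-integrity-dhgroup; the PRF follows the hash.
        "ike": "%s-%s-%s" % (algo(p1["encryption algorithm"]),
                             algo(p1["hashing algorithm"]), p1_group),
        "ikelifetime": p1["lifetime (for renegotiation)"],  # phase 1 lifetime
        "lifetime": p2["lifetime (for renegotiation)"],     # phase 2 lifetime
    }
    auth = " ".join(k + " " + v for k, v in p1.items() if "authentication" in k)
    if re.search(r"psk|pre-?shared", auth, re.I):
        conf["authby"] = "secret"
    else:
        warnings.append("authentication is not PSK: configure certificates yourself")

    # Phase 2 proposal.  Charon expresses PFS by appending a DH group to the
    # child proposal; 'no PFS' means no group is listed at all.
    child = "%s-%s" % (algo(p2["encryption algorithm"]),
                       algo(p2["authentication algorithm"]))
    pfs = p2["perfect forward secrecy"].lower()
    if not pfs.startswith("no"):
        child += "-" + (dh_group(pfs) if re.search(r"\d", pfs) else p1_group)
    # A conn may carry either ah= or esp=, never both (AH+ESP bundles unsupported).
    encap = "ah" if p2["encapsulation (esp or ah)"].lower().startswith("ah") else "esp"
    conf[encap] = child
    if encap == "ah":
        warnings.append("AH authenticates but does not encrypt the payload")
    if "modp1024" in conf["ike"] + child:
        warnings.append("modp1024 (DH group 2) is not in strongSwan's default "
                        "proposal since 5.6.1: name it explicitly and load the "
                        "gmp, openssl or gcrypt plugin; it is also weak (Logjam), "
                        "so ask the peer for group 14 or better")
    if "sha1" in conf["ike"] + child:
        warnings.append("SHA-1 integrity is weak; prefer sha256 if the peer allows")
    return conf, warnings


def render_conn(name, conf):
    """Emit an ipsec.conf conn section (addresses/subnets left to the caller)."""
    order = ("keyexchange", "authby", "aggressive", "ike", "ikelifetime",
             "esp", "ah", "lifetime")
    lines = ["conn %s" % name]
    lines += ["        %s=%s" % (k, conf[k]) for k in order if k in conf]
    return "\n".join(lines)


if __name__ == "__main__":
    conf, warnings = build_proposals(parse_spec(PEER_SPEC))
    print(render_conn("site2site", conf))
    for w in warnings:
        print("WARNING:", w)
```

Run as-is it prints a conn section with ike=aes256-sha1-modp1024 and esp=aes256-sha1 (no ah= line, no DH group on the child proposal) plus the modp1024 and SHA-1 warnings; left/right addresses and subnets still have to be added by hand, and a mismatch between what this emits and what the peer actually proposes shows up on the peer side as exactly the "No proposal chosen" message quoted above.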
