OPNsense Forum
Archive => 18.7 Legacy Series => Topic started by: karaman on December 03, 2018, 03:54:52 pm
-
Hi,
OPNsense 18.7.8-amd64
FreeBSD 11.1-RELEASE-p15
OpenSSL 1.0.2q 20 Nov 2018
strongswan 5.7.1
When connecting a VPN, the following message appears:
Dec 3 13:48:08 charon: 09[CFG] <con1|52> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_1024/NO_EXT_SEQ
Dec 3 13:48:08 charon: 09[CFG] <con1|52> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ
Config:
conn con1
  aggressive = no
  fragmentation = yes
  keyexchange = ikev1
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = no
  installpolicy = yes
  type = tunnel
  dpdaction = clear
  dpddelay = 10s
  dpdtimeout = 60s
  left = 37.xx.xx.xx
  right = 78.xx.xx.xx
  leftid = 37.xx.xx.xx
  ikelifetime = 108000s
  lifetime = 28800s
  ike = aes256-sha256-modp2048,aes256-sha1-modp2048!
  leftauth = psk
  rightauth = psk
  rightid = 78.xx.xx.xx
  rightsubnet = 10.xx.xx.0/24
  leftsubnet = 192.xx.xx.0/24
  esp = aes256-sha1-modp1024,aes256-sha256-modp1024!
  auto = add
However, in phase 2 of the VPN connection, the PFS group was set to "Group 14" via the OPNsense web interface. But the configuration file always still contains "esp = aes256-sha1-modp1024, aes256-sha256-modp1024!".
Any solution?
-
Is this a mobile setup? Check VPN: IPsec: Mobile Clients as it has a separate PFS setting.
Cheers,
Franco
-
Hi,
No, it's not a mobile configuration.
See screenshot.
-
I can't reproduce on 18.7.8... have you switched browsers?
-
Yes... We tried 3 browsers... ::)
-
I'm not sure why "Is this a mobile setup? Check VPN: IPsec: Mobile Clients as it has a separate PFS setting." was ignored. :P
https://forum.opnsense.org/index.php?topic=10498.msg48068#msg48068
But okay ;)
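-
The proposal mismatch in the two charon log lines of the first post, as an added example that is not part of the original thread: this Python sketch parses the "configured proposals" and "received proposals" lines and reports, per connection, which transform type has nothing in common in the closest proposal pair. The function names and the prefix-based classify heuristic are assumptions of this example, not strongSwan or OPNsense code.

```python
import re
from itertools import product

# The two charon lines from the first post, timestamp and message joined.
LOG = """\
Dec 3 13:48:08 charon: 09[CFG] <con1|52> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_1024/NO_EXT_SEQ
Dec 3 13:48:08 charon: 09[CFG] <con1|52> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ
"""
LINE_RE = re.compile(r"<(?P<conn>[^|>]+)\|\d+> (?P<side>configured|received) proposals: (?P<props>.+)")

def classify(token):
    """Heuristic (assumption): sort an ESP transform name into its type by prefix/suffix."""
    if token.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh_group"
    if token.startswith("HMAC_"):
        return "integrity"
    return "esn" if token.endswith("EXT_SEQ") else "encryption"

def parse_proposals(text):
    """'ESP:A/B/C, ESP:D/E/F' -> one {transform type: set of names} per proposal."""
    proposals = []
    for prop in text.split(","):
        transforms = prop.strip().partition(":")[2]
        kinds = {}
        for token in transforms.split("/"):
            kinds.setdefault(classify(token), set()).add(token)
        proposals.append(kinds)
    return proposals

def mismatch(cfg, rcv):
    """Transform types for which one configured/received pair shares no name."""
    return {k: (sorted(cfg.get(k, ())), sorted(rcv.get(k, ())))
            for k in sorted(set(cfg) | set(rcv))
            if not (cfg.get(k, set()) & rcv.get(k, set()))}

def diagnose(log_text):
    """Per connection: the mismatch of the closest configured/received pair.
    An empty dict means at least one pair of proposals agrees."""
    seen = {}
    for line in log_text.splitlines():
        if m := LINE_RE.search(line):
            seen.setdefault(m["conn"], {})[m["side"]] = parse_proposals(m["props"])
    return {conn: min((mismatch(c, r) for c, r in
                       product(s["configured"], s["received"])), key=len)
            for conn, s in seen.items() if len(s) == 2}

if __name__ == "__main__":
    print(diagnose(LOG))
```

For the thread's log this reports only the DH group: MODP_1024 (group 2) configured locally versus MODP_2048 (group 14) received from the peer.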