OPNsense Forum
Archive => 18.7 Legacy Series => Topic started by: logreg on December 13, 2018, 12:19:32 pm
-
Hi everybody,
Android clients support DH2 (modp1024) and do not support DH14 (2048).
In OPNsense web settings: VPN: IPsec: Tunnel Settings for VPN: DH key group = 2 (1024 bits)
but in the IPsec log:
Dec 13 15:10:05 charon: 16[IKE] <146> negotiated DH group not supported
How do I enable DH2 support?
OPNsense 18.7.4-amd64
-
Do you have a different setting in mobile vpn page?
-
settings
-
For Android always use AES256, a mix of SHA1 and 256 and DH2.
I tested this successfully.
-
I tried that, but still "Dec 14 09:37:26 charon: 05[IKE] <160> negotiated DH group not supported"
-
contents of /usr/local/etc/ipsec.conf please ...
-
root@OPNsense:~ # cat /usr/local/etc/ipsec.conf
# This file is automatically generated. Do not edit
config setup
    uniqueids = yes
    charondebug=""
conn con1
    aggressive = no
    fragmentation = yes
    keyexchange = ikev1
    mobike = yes
    reauth = yes
    rekey = yes
    forceencaps = yes
    installpolicy = yes
    type = tunnel
    dpdaction = clear
    dpddelay = 10s
    dpdtimeout = 60s
    left = xx.xx.xx.xx
    right = %any
    leftid = xx.xx.xx.xx
    ikelifetime = 86400s
    lifetime = 28800s
    rightsourceip = 192.168.254.0/24
    ike = aes256-sha1-modp1024!
    leftauth = psk
    rightauth = psk
    rightauth2 = xauth-generic
    leftsubnet = 0.0.0.0/0
    esp = aes256-sha1!
    auto = add
root@OPNsense:~ #
-
I found that DH2 is disabled in new versions of strongSwan (because it is insecure). So is it now impossible to connect Android devices with DH2? Or is it possible to enable DH2?
-
No, it looks good, DH2 = MODP1024.
Can you show some more logs and not just this line?
-
root@OPNsense:~ # cat /var/log/ipsec.log
...
Dec 14 10:27:19 OPNsense charon: 14[CFG] added configuration 'con1'
Dec 14 11:51:30 OPNsense charon: 14[NET] <205> received packet: from Android_IP[406] to opnsense_IP[500] (476 bytes)
Dec 14 11:51:30 OPNsense charon: 14[ENC] <205> parsed ID_PROT request 0 [ SA V V V V V V V V ]
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> received NAT-T (RFC 3947) vendor ID
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> received XAuth vendor ID
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> received Cisco Unity vendor ID
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> received FRAGMENTATION vendor ID
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> received DPD vendor ID
Dec 14 11:51:30 OPNsense charon: 14[IKE] <205> Android_IP is initiating a Main Mode IKE_SA
Dec 14 11:51:30 OPNsense charon: 14[ENC] <205> generating ID_PROT response 0 [ SA V V V V ]
Dec 14 11:51:30 OPNsense charon: 14[NET] <205> sending packet: from opnsense_IP[500] to Android_IP[406] (160 bytes)
Dec 14 11:51:31 OPNsense charon: 14[NET] <205> received packet: from Android_IP[406] to opnsense_IP[500] (228 bytes)
Dec 14 11:51:31 OPNsense charon: 14[ENC] <205> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Dec 14 11:51:31 OPNsense charon: 14[IKE] <205> negotiated DH group not supported
Dec 14 11:51:31 OPNsense charon: 14[ENC] <205> generating INFORMATIONAL_V1 request 2040954333 [ N(INVAL_KE) ]
Dec 14 11:51:31 OPNsense charon: 14[NET] <205> sending packet: from opnsense_IP[500] to Android_IP[406] (56 bytes)
root@OPNsense:~ #
-
In Phase1, can you set SHA1+SHA256 and DH2+DH14?
-
How?
In the web interface I can choose only one of them.
-
Then you're not on the latest version ...
-
Really, after upgrading 18.7.4 -> 18.7.9, Android with DH2 was able to connect (charon: 11[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024)
Thanks a lot.
Topic can be deleted.
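As an added illustration of the mismatch discussed in this thread (not code from OPNsense or strongSwan): the script below parses an ipsec.conf `ike=` proposal list such as the one above, checks whether a client's proposal in charon's `selected proposal:` notation is covered by it (a single-group list versus the DH2+DH14 / SHA1+SHA256 list suggested later in the thread), and picks the `negotiated DH group not supported` / `N(INVAL_KE)` pair out of the IPsec log so a defender can spot clients being rejected for this reason. Function names, the algorithm map and the sample log lines are my own constructions based on the thread.

```python
import re

# Constructed proposal strings: the single-group line from the thread's ipsec.conf,
# and a two-proposal line covering DH2+DH14 with SHA1+SHA256 as suggested in the thread.
IKE_SINGLE = "aes256-sha1-modp1024!"
IKE_MULTI = "aes256-sha1-modp1024,aes256-sha256-modp2048!"

# charon's "selected proposal" algorithm names -> ipsec.conf keywords (subset, assumed).
LOG_TO_CONF = {
    "AES_CBC_256": "aes256", "AES_CBC_128": "aes128",
    "HMAC_SHA1_96": "sha1", "HMAC_SHA2_256_128": "sha256",
    "MODP_1024": "modp1024", "MODP_2048": "modp2048",
}

def parse_ike_line(value):
    """Split an ipsec.conf 'ike=' value into (encryption, integrity, dh) tuples."""
    value = value.strip().rstrip("!")  # trailing '!' only means 'strict', drop it
    return [tuple(p.split("-")) for p in value.split(",") if p]

def parse_log_proposal(text):
    """Turn 'IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024' into (enc, integ, dh)."""
    algs = text.split(":", 1)[1].split("/")
    enc, integ, dh = algs[0], algs[1], algs[-1]  # the PRF follows the integrity alg in ipsec.conf
    return (LOG_TO_CONF[enc], LOG_TO_CONF[integ], LOG_TO_CONF[dh])

def client_matches(ike_value, client_proposal):
    """True if the client's proposal is one of the configured IKE proposals."""
    return parse_log_proposal(client_proposal) in parse_ike_line(ike_value)

FAIL_RE = re.compile(r"charon: \d+\[IKE\] <(\d+)> negotiated DH group not supported")
INVAL_RE = re.compile(r"charon: \d+\[ENC\] <(\d+)> generating INFORMATIONAL_V1 request \d+ \[ N\(INVAL_KE\) \]")

def dh_mismatches(log_lines):
    """Return the IKE_SA ids for which charon rejected the DH group and answered INVAL_KE."""
    rejected = {m.group(1) for m in map(FAIL_RE.search, log_lines) if m}
    notified = {m.group(1) for m in map(INVAL_RE.search, log_lines) if m}
    return sorted(rejected & notified)

# Constructed log excerpt following the format quoted in the thread.
SAMPLE_LOG = [
    "Dec 14 11:51:31 OPNsense charon: 14[ENC] <205> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]",
    "Dec 14 11:51:31 OPNsense charon: 14[IKE] <205> negotiated DH group not supported",
    "Dec 14 11:51:31 OPNsense charon: 14[ENC] <205> generating INFORMATIONAL_V1 request 2040954333 [ N(INVAL_KE) ]",
    "Dec 14 11:52:02 OPNsense charon: 11[CFG] <206> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024",
]

if __name__ == "__main__":
    print(dh_mismatches(SAMPLE_LOG))  # ['205']
    print(client_matches(IKE_MULTI, "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048"))  # True
```

Note that in the thread the rejection happened even though modp1024 was configured, which the proposal check alone cannot explain; the fix there was the 18.7.9 upgrade, after which the multi-group Phase 1 setting became selectable.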
-
You can add *SOLVED* in the topic :)