Feature #167

esp configuration in ipsec.conf

Added by Jianfeng Wang 5 months ago. Updated 5 months ago.

Status: Closed Start date: 05.01.2012
Priority: Low Due date:
Assignee: Martin Willi % Done: 0%

Category:-
Target version:-
Resolution:

Description

Hi,
I use strongSwan 4.5.1 on both the server and the client side.
On the client side, I set "esp=3des-aesxcbc!".
On the server side, I set "esp=aes128-sha1!".
I thought the IKEv2 handshake procedure would fail, but it succeeded. The IKE_SA state changed to ESTABLISHED on the server side.
Although subsequent data transmission failed in the IPsec tunnel, the state didn't change (always ESTABLISHED).
PS. Parameter "ike" worked well in my test.

I'm not familiar with the IKEv2 protocol; I think the ESP encryption/authentication algorithms are negotiated in the IKE_AUTH message. Am I right?
But IKE_AUTH is encrypted, so I can't see the detailed information in it. Are there any methods to check the encrypted message?

Thank you
Jianfeng Wang

History

Updated by Martin Willi 5 months ago

  • Status changed from New to Closed
  • Assignee set to Martin Willi
  • Priority changed from Normal to Low

"esp" defines the algorithms for the IPsec tunnel, used to protect your traffic. "ike" defines the algorithms for the IKE_SA, the management connection.

In IKEv2, a first CHILD_SA (ESP tunnel) can be negotiated in IKE_AUTH. But even if it fails (and it probably has with your setup), the IKE_SA gets established. But of course you can't send traffic, unless you establish another CHILD_SA successfully on that IKE_SA.

You can by the way force the IKE_SA to get closed if setting up the CHILD_SA failed. Set

charon {
  close_ike_on_child_failure = yes
}

in strongswan.conf.
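The mismatch in this ticket can be caught before either peer is touched by comparing the two esp= strings offline. The checker below is an added example (not strongSwan code): it parses ipsec.conf proposal syntax (hyphen-separated transforms, comma-separated proposals, trailing "!" for strict) and emulates the responder's selection; the keyword tables are a subset and the selection order is an assumption, and the built-in default proposals that strongSwan appends when "!" is absent are not modelled.

```python
"""Preflight check: do two ipsec.conf esp= strings share a proposal that IKEv2
CHILD_SA negotiation could select?  Added example, not part of strongSwan."""

# Subset of strongSwan proposal keywords, enough for the strings in this ticket
# (assumption: extend these tables with the keywords a real deployment uses).
ENCR = {"3des", "aes128", "aes192", "aes256", "aes128gcm16", "aes256gcm16", "chacha20poly1305"}
INTEG = {"md5", "sha1", "sha256", "sha384", "sha512", "aesxcbc"}
DH = {"modp1024", "modp2048", "modp3072", "modp4096", "ecp256", "ecp384", "curve25519"}
TRANSFORMS = ("encr", "integ", "dh")


def parse_proposals(spec):
    """Parse "3des-aesxcbc!" or "aes128-sha1,aes256-sha256-modp2048" into a list of
    proposals, each mapping transform type -> ordered list of alternatives.  The
    trailing '!' (strict) is returned separately: without it strongSwan appends its
    built-in default proposals, which this checker does not model."""
    spec = spec.strip()
    strict = spec.endswith("!")
    proposals = []
    for prop in spec.rstrip("!").split(","):
        parts = {t: [] for t in TRANSFORMS}
        for alg in prop.split("-"):
            ttype = "encr" if alg in ENCR else "integ" if alg in INTEG else "dh" if alg in DH else None
            if ttype is None:
                raise ValueError(f"unknown proposal keyword {alg!r} in {spec!r}")
            if alg not in parts[ttype]:
                parts[ttype].append(alg)
        proposals.append(parts)
    return proposals, strict


def match(initiator, responder):
    """Pick one algorithm per transform type that both proposals offer.  A type offered
    by only one side (integrity vs. AEAD, or a PFS group vs. none) is incompatible."""
    chosen = {}
    for t in TRANSFORMS:
        if bool(initiator[t]) != bool(responder[t]):
            return None
        common = [a for a in responder[t] if a in initiator[t]]  # responder preference
        if initiator[t] and not common:
            return None
        if common:
            chosen[t] = common[0]
    return chosen if "encr" in chosen else None


def negotiate(initiator_spec, responder_spec):
    """Emulate the responder: its first proposal compatible with any initiator proposal
    wins.  Returns the selected algorithms, or None when the CHILD_SA would fail."""
    init, _ = parse_proposals(initiator_spec)
    resp, _ = parse_proposals(responder_spec)
    for r in resp:
        for i in init:
            selected = match(i, r)
            if selected is not None:
                return selected
    return None
```

With the ticket's values, negotiate("3des-aesxcbc!", "aes128-sha1!") returns None, which is exactly the CHILD_SA failure that leaves the IKE_SA ESTABLISHED but the tunnel unusable.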
