I am using racoon on my Linux PC to enable IPsec. When I configure PC1 with "aes256" phase 1 encryption and PC2 with "aes128", and I ping from PC2 to PC1, the tunnel establishment fails with the error:
2021-08-18 07:18:02: ERROR: no suitable proposal found.
2021-08-18 07:18:02: [192.168.95.236] ERROR: failed to get valid proposal.
2021-08-18 07:18:02: [192.168.95.236] ERROR: failed to process ph1 packet (side: 1, status: 1).
When I ping from PC1 to PC2, the tunnel is established. Why does that happen?
From the detailed log I saw that when I start a ping from PC1 (aes256) to PC2 (aes128), both devices receive packets with an encryption length of 256.
Why does PC2 send a packet with encryption length 256 instead of 128?
How do I avoid establishing the tunnel when both devices use different AES encryption sizes?
What additional configuration is needed for that?
Is this the racoon daemon's default behavior?
My configuration and log file are shown below.
```
log notify;
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/root/my_target/disk2/my-pki";

timer {
    natt_keepalive 10sec;
}

listen {
    adminsock "/var/racoon/racoon.sock";
}

# start of crypto map block
# phase 1 (IKE SA) settings for the peer
remote 192.168.95.236 {
    # proposal_check obey;
    verify_identifier on;
    exchange_mode main;
    lifetime time 86400 seconds;
    nat_traversal on;
    proposal {
        encryption_algorithm aes256;
        hash_algorithm sha1;
        dh_group modp2048;
        authentication_method pre_shared_key;
    }
}

# phase 2 (IPsec SA) settings for the protected subnets
sainfo address 192.168.51.0/24 any address 192.168.95.0/24 any {
    encryption_algorithm aes256;
    authentication_algorithm hmac_sha1;
    pfs_group modp2048;
    compression_algorithm deflate;
    lifetime time 3600 seconds;
}
# end of crypto map block
```
PC1 log
ping PC2 to PC1: phase 1 negotiation failed
---------------------------------------------
1970-01-01 03:00:29: DEBUG: begin.
1970-01-01 03:00:29: DEBUG: seen nptype=2(prop)
1970-01-01 03:00:29: DEBUG: succeed.
1970-01-01 03:00:29: DEBUG: proposal #1 len=48
1970-01-01 03:00:29: DEBUG: begin.
1970-01-01 03:00:29: DEBUG: seen nptype=3(trns)
1970-01-01 03:00:29: DEBUG: succeed.
1970-01-01 03:00:29: DEBUG: transform #1 len=40
1970-01-01 03:00:29: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
1970-01-01 03:00:29: DEBUG: type=Life Duration, flag=0x0000, lorv=4
1970-01-01 03:00:29: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
1970-01-01 03:00:29: DEBUG: encryption(aes)
1970-01-01 03:00:29: DEBUG: type=Key Length, flag=0x8000, lorv=128
1970-01-01 03:00:29: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
1970-01-01 03:00:29: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
1970-01-01 03:00:29: DEBUG: hash(sha1)
1970-01-01 03:00:29: DEBUG: type=Group Description, flag=0x8000, lorv=2048-bit MODP group
1970-01-01 03:00:29: DEBUG: hmac(modp2048)
1970-01-01 03:00:29: DEBUG: pair 1:
1970-01-01 03:00:29: DEBUG: 0xb77138: next=(nil) tnext=(nil)
1970-01-01 03:00:29: DEBUG: proposal #1: 1 transform
1970-01-01 03:00:29: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
1970-01-01 03:00:29: DEBUG: type=Life Duration, flag=0x0000, lorv=4
1970-01-01 03:00:29: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
1970-01-01 03:00:29: DEBUG: type=Key Length, flag=0x8000, lorv=128
1970-01-01 03:00:29: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
1970-01-01 03:00:29: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
1970-01-01 03:00:29: DEBUG: type=Group Description, flag=0x8000, lorv=2048-bit MODP group
1970-01-01 03:00:29: DEBUG: prop#=1, prot-id=ISAKMP, spi-size=0, #trns=1
1970-01-01 03:00:29: DEBUG: trns#=1, trns-id=IKE
1970-01-01 03:00:29: DEBUG: lifetime = 86400
1970-01-01 03:00:29: DEBUG: lifebyte = 0
1970-01-01 03:00:29: DEBUG: enctype = AES-CBC
1970-01-01 03:00:29: DEBUG: **encklen = 128**
1970-01-01 03:00:29: DEBUG: hashtype = SHA
1970-01-01 03:00:29: DEBUG: authmethod = pre-shared key
1970-01-01 03:00:29: DEBUG: dh_group = 2048-bit MODP group
1970-01-01 03:00:29: ERROR: no suitable proposal found.
1970-01-01 03:00:29: [192.168.95.236] ERROR: failed to get valid proposal.
1970-01-01 03:00:29: [192.168.95.236] ERROR: failed to process ph1 packet (side: 1, status: 1).
1970-01-01 03:00:39: DEBUG: ===
---------------------------------------------
ping PC1 to PC2: tunnel established
---------------------------------------------
1970-01-01 03:04:51: DEBUG: hmac(hmac_sha1)
1970-01-01 03:04:51: DEBUG: encryption(aes)
1970-01-01 03:04:51: DEBUG: hmac(sha1)
1970-01-01 03:04:51: DEBUG: **encklen=256** authklen=160
1970-01-01 03:04:51: DEBUG: generating 640 bits of key (dupkeymat=4)
1970-01-01 03:04:51: DEBUG: generating K1...K4 for KEYMAT.
1970-01-01 03:04:51: DEBUG: hmac(hmac_sha1)
1970-01-01 03:04:51: DEBUG: hmac(hmac_sha1)
1970-01-01 03:04:51: DEBUG: hmac(hmac_sha1)
1970-01-01 03:04:51: DEBUG:
2abfd8d1 ee097b9f 00218a52 7319d021 987fe829 895a5bd4 fa13723c c63061b1
975e5184 bd8bd297 75b3ab45 31a9d440 a2ced002 5f216fd6 34618b39 b23d259b
e80d14b1 a72244d9 f7983742 2b82d222
1970-01-01 03:04:51: DEBUG: KEYMAT computed.
1970-01-01 03:04:51: DEBUG: call pk_sendupdate
1970-01-01 03:04:51: DEBUG: encryption(aes)
1970-01-01 03:04:51: DEBUG: hmac(sha1)
1970-01-01 03:04:51: DEBUG: call pfkey_send_update2
1970-01-01 03:04:51: DEBUG: pfkey update sent.
1970-01-01 03:04:51: DEBUG: encryption(aes)
1970-01-01 03:04:51: DEBUG: hmac(sha1)
1970-01-01 03:04:51: DEBUG: call pfkey_send_add2 (NAT flavor)
1970-01-01 03:04:51: DEBUG: call pfkey_send_add2
1970-01-01 03:04:51: DEBUG: pfkey add sent.
1970-01-01 03:04:51: DEBUG: pk_recv: retry[0] recv()
1970-01-01 03:04:51: DEBUG: got pfkey UPDATE message
1970-01-01 03:04:51: DEBUG: pfkey UPDATE succeeded: ESP/Tunnel 192.168.51.185[500]->192.168.95.236[500] spi=6990731(0x6aab8b)
1970-01-01 03:04:51: INFO: IPsec-SA established: ESP/Tunnel 192.168.51.185[500]->192.168.95.236[500] spi=6990731(0x6aab8b)
1970-01-01 03:04:51: DEBUG: ===
1970-01-01 03:04:51: DEBUG: pk_recv: retry[0] recv()
1970-01-01 03:04:51: DEBUG: got pfkey ADD message
1970-01-01 03:04:51: INFO: IPsec-SA established: ESP/Tunnel 192.168.51.185[500]->192.168.95.236[500] spi=220361463(0xd2272f7)
1970-01-01 03:04:51: DEBUG: ===
PC2 log
ENCRYPTION: PC1 (aes256) & PC2 (aes128)
ping PC2 to PC1 output: phase 1 negotiation failed
---------------------------------------------
2021-08-17 13:25:31: DEBUG: pk_recv: retry[0] recv()
2021-08-17 13:25:31: DEBUG: got pfkey ACQUIRE message
2021-08-17 13:25:31: DEBUG: suitable outbound SP found: 192.168.95.0/24[0] 192.168.51.0/24[0] proto=any dir=out.
2021-08-17 13:25:31: DEBUG: sub:0x7ffffdefdbe0: 192.168.51.0/24[0] 192.168.95.0/24[0] proto=any dir=in
2021-08-17 13:25:31: DEBUG: db :0x18ce680: 192.168.51.0/24[0] 192.168.95.0/24[0] proto=any dir=fwd
2021-08-17 13:25:31: DEBUG: sub:0x7ffffdefdbe0: 192.168.51.0/24[0] 192.168.95.0/24[0] proto=any dir=in
2021-08-17 13:25:31: DEBUG: db :0x18ce900: 192.168.51.0/24[0] 192.168.95.0/24[0] proto=any dir=in
2021-08-17 13:25:31: DEBUG: suitable inbound SP found: 192.168.51.0/24[0] 192.168.95.0/24[0] proto=any dir=in.
2021-08-17 13:25:31: DEBUG: new acquire 192.168.95.0/24[0] 192.168.51.0/24[0] proto=any dir=out
2021-08-17 13:25:31: [192.168.51.185] DEBUG: configuration "192.168.51.185[500]" selected.
2021-08-17 13:25:31: DEBUG: getsainfo params: loc='192.168.95.0/24' rmt='192.168.51.0/24' peer='NULL' client='NULL' id=0
2021-08-17 13:25:31: DEBUG: evaluating sainfo: loc='192.168.95.0/24', rmt='192.168.51.0/24', peer='ANY', id=0
2021-08-17 13:25:31: DEBUG: check and compare ids : values matched (IPv4_subnet)
2021-08-17 13:25:31: DEBUG: cmpid target: '192.168.95.0/24'
2021-08-17 13:25:31: DEBUG: cmpid source: '192.168.95.0/24'
2021-08-17 13:25:31: DEBUG: check and compare ids : values matched (IPv4_subnet)
2021-08-17 13:25:31: DEBUG: cmpid target: '192.168.51.0/24'
2021-08-17 13:25:31: DEBUG: cmpid source: '192.168.51.0/24'
2021-08-17 13:25:31: DEBUG: selected sainfo: loc='192.168.95.0/24', rmt='192.168.51.0/24', peer='ANY', id=0
2021-08-17 13:25:31: DEBUG: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
2021-08-17 13:25:31: DEBUG: (trns_id=AES encklen=256 authtype=hmac-sha)
2021-08-17 13:25:31: DEBUG: in post_acquire
2021-08-17 13:25:31: [192.168.51.185] DEBUG: configuration "192.168.51.185[500]" selected.
2021-08-17 13:25:31: INFO: IPsec-SA request for 192.168.51.185 queued due to no phase1 found.
2021-08-17 13:25:31: DEBUG: ===
2021-08-17 13:25:31: INFO: initiate new phase 1 negotiation: 192.168.95.236[500]<=>192.168.51.185[500]
---------------------------------------------
ping PC1 to PC2 output: tunnel established
---------------------------------------------
2021-08-17 13:20:22: DEBUG: hmac(hmac_sha1)
2021-08-17 13:20:22: DEBUG: encryption(aes)
2021-08-17 13:20:22: DEBUG: hmac(sha1)
2021-08-17 13:20:22: DEBUG: **encklen=256** authklen=160
2021-08-17 13:20:22: DEBUG: generating 640 bits of key (dupkeymat=4)
2021-08-17 13:20:22: DEBUG: generating K1...K4 for KEYMAT.
2021-08-17 13:20:22: DEBUG: hmac(hmac_sha1)
2021-08-17 13:20:22: DEBUG: hmac(hmac_sha1)
2021-08-17 13:20:22: DEBUG: hmac(hmac_sha1)
2021-08-17 13:20:22: DEBUG:
6694f3e3 caaf74af 16233ea5 e788fc89 d1e5c074 5b881f77 5a90bf3e 90a94d46
bbb404d5 91f9ef97 77c805e4 2c741f9d c5438870 dc3d983c af70180c 35a2c3b2
ab212480 69c0ae71 23b7a340 1b1455d0
2021-08-17 13:20:22: DEBUG: KEYMAT computed.
2021-08-17 13:20:22: DEBUG: call pk_sendupdate
2021-08-17 13:20:22: DEBUG: encryption(aes)
2021-08-17 13:20:22: DEBUG: hmac(sha1)
2021-08-17 13:20:22: DEBUG: call pfkey_send_update2
2021-08-17 13:20:22: DEBUG: pfkey update sent.
2021-08-17 13:20:22: DEBUG: encryption(aes)
2021-08-17 13:20:22: DEBUG: hmac(sha1)
2021-08-17 13:20:22: DEBUG: call pfkey_send_add2 (NAT flavor)
2021-08-17 13:20:22: DEBUG: call pfkey_send_add2
2021-08-17 13:20:22: DEBUG: pfkey add sent.
2021-08-17 13:20:22: DEBUG: pk_recv: retry[0] recv()
2021-08-17 13:20:22: DEBUG: got pfkey UPDATE message
2021-08-17 13:20:22: DEBUG: pfkey UPDATE succeeded: ESP/Tunnel 192.168.95.236[500]->192.168.51.185[500] spi=220361463(0xd2272f7)
2021-08-17 13:20:22: INFO: IPsec-SA established: ESP/Tunnel 192.168.95.236[500]->192.168.51.185[500] spi=220361463(0xd2272f7)
2021-08-17 13:20:22: DEBUG: ===
2021-08-17 13:20:22: DEBUG: pk_recv: retry[0] recv()
2021-08-17 13:20:22: DEBUG: got pfkey ADD message
2021-08-17 13:20:22: INFO: IPsec-SA established: ESP/Tunnel 192.168.95.236[500]->192.168.51.185[500] spi=6990731(0x6aab8b)
2021-08-17 13:20:22: DEBUG: ===
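Added example, not part of the question or of racoon itself: a small Python checker that reads the AES key length from the phase 1 `proposal {}` block of a racoon.conf and the key length the peer offered, as logged in the `type=Key Length` transform attribute, and reports whether a "no suitable proposal found" error is explained by that mismatch. The config and log excerpts are constructed to mirror the question, and the function names are my own.

```python
import re

# Constructed excerpt of a racoon phase 1 debug log, modelled on the log in
# the question (local side configured aes256, peer offering key length 128).
SAMPLE_LOG = """\
1970-01-01 03:00:29: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
1970-01-01 03:00:29: DEBUG: type=Key Length, flag=0x8000, lorv=128
1970-01-01 03:00:29: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
1970-01-01 03:00:29: DEBUG: type=Group Description, flag=0x8000, lorv=2048-bit MODP group
1970-01-01 03:00:29: ERROR: no suitable proposal found.
1970-01-01 03:00:29: [192.168.95.236] ERROR: failed to get valid proposal.
"""

# Constructed racoon.conf fragment holding the local phase 1 proposal.
SAMPLE_CONF = """\
remote 192.168.95.236 {
    exchange_mode main;
    proposal {
        encryption_algorithm aes256;
        hash_algorithm sha1;
        dh_group modp2048;
        authentication_method pre_shared_key;
    }
}
"""

def local_phase1_keylens(conf):
    """AES key lengths (bits) from every proposal {} block; sainfo blocks are ignored."""
    blocks = re.findall(r"proposal\s*\{([^}]*)\}", conf)
    return [int(k) for b in blocks
            for k in re.findall(r"encryption_algorithm\s+aes(\d+)\s*;", b)]

def peer_offered_keylens(log):
    """Key lengths the peer offered, taken from the 'Key Length' transform attribute."""
    return [int(k) for k in
            re.findall(r"type=Key Length, flag=0x[0-9a-fA-F]+, lorv=(\d+)", log)]

def diagnose(conf, log):
    """Relate a 'no suitable proposal found' error to the AES key lengths on both sides."""
    local = local_phase1_keylens(conf)
    offered = peer_offered_keylens(log)
    rejected = "no suitable proposal found" in log
    # Only claim a mismatch when both sides' key lengths are known and none overlap.
    mismatch = bool(local and offered and not set(local) & set(offered))
    return {"local": sorted(set(local)), "offered": sorted(set(offered)),
            "rejected": rejected, "mismatch": mismatch}
```

Run it against the responder's debug log (the side that prints the ERROR lines) to see which key length the peer actually proposed before touching the config.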