Integrity is not support in ipsec configuration

Keyvan · September 29, 2020, 9:11am

Hey

I am trying to establish an IPSec with IKEv2 between VyOS and other vendors but the issue is that Vyos is not supported integrity in ESP mode.

I want to have the below parameters and this is my configuration:

IKEv2

phase-1 parameters:
DH group: 14
authentication: aes256
integrity: hmac-sha2-256
hash: SHA2-256
lifetime: 86400

phase-2 parameters:
Encryption protocol mode: ESP tunnel
authentication: aes256
hash: sha256
PFS: none
lifetime: 3600

set esp-group VR02_esp lifetime ‘3600’
set esp-group VR02_esp mode ‘tunnel’
set esp-group VR02_esp pfs ‘disable’
set esp-group VR02_esp proposal 1 encryption ‘aes256’
set esp-group VR02_esp proposal 1 hash ‘sha256’
set ike-group VR02_ike key-exchange ‘ikev2’
set ike-group VR02_ike lifetime ‘86400’
set ike-group VR02_ike proposal 1 dh-group ‘14’
set ike-group VR02_ike proposal 1 encryption ‘aes256’
set ike-group VR02_ike proposal 1 hash ‘sha256’

but there is nowhere to configure integrity: hmac-sha2-256

regards
Keyvan

rob · September 29, 2020, 3:32pm

this should be the hash in the esp group.

vagrant@vyos# set ike-group VR02_ike proposal 1 hash
Possible completions:
   md5          MD5 HMAC
   md5_128      MD5_128 HMAC
   sha1         SHA1 HMAC (default)
   sha1_160     SHA1_160 HMAC
   sha256       SHA2_256_128 HMAC
   ...

does the tunnel goes up?

Keyvan · September 30, 2020, 6:35am

Thanks rob for the quick answer.

As you can see in my configuration, I already did this one but the tunnel is still down.

I will check with the other side of the tunnel to check all parameters.

rob · September 30, 2020, 2:33pm

is something in the logs?

you can increase the log level here:

set vpn ipsec logging ...

this overview with strongswan error helps me always a lot.
https://www.xinux.net/index.php/Strongswan_errors