I'm trying to set up an IPsec IKEv1 VPN using sha256 instead of sha1, but neither my Android 7 phone nor my Windows 10 computer establishes the connection with sha256. I can see from the logs that both devices do send that they support sha256. I also think that the Android phone doesn't use PFS at all, because I can't find anything related to DH groups in the logs, but when I'm connecting with the Windows machine there's info about DH groups in the logs. Anyone know what to try?
Feb/28/2017 16:49:50 ipsec,debug peers single bundle:
Feb/28/2017 16:49:50 ipsec,debug (proto_id=ESP spisize=4 spi=09282815 spi_p=00000000 encmode=Transport reqid=0:0)
Feb/28/2017 16:49:50 ipsec,debug (trns_id=AES-CBC encklen=256 authtype=hmac-sha256)
Feb/28/2017 16:49:50 ipsec,debug (trns_id=AES-CBC encklen=256 authtype=hmac-sha1)
Feb/28/2017 16:49:50 ipsec,debug (trns_id=AES-CBC encklen=256 authtype=hmac-md5)
Feb/28/2017 16:49:50 ipsec,debug (trns_id=AES-CBC encklen=128 authtype=hmac-sha256)
Feb/28/2017 16:49:50 ipsec,debug (trns_id=AES-CBC encklen=128 authtype=hmac-sha1)
Feb/28/2017 16:49:50 ipsec,debug (trns_id=AES-CBC encklen=128 authtype=hmac-md5)
Feb/28/2017 16:49:50 ipsec,debug (trns_id=3DES encklen=0 authtype=hmac-sha256)
Feb/28/2017 16:49:50 ipsec,debug (trns_id=3DES encklen=0 authtype=hmac-sha1)
Feb/28/2017 16:49:50 ipsec,debug (trns_id=3DES encklen=0 authtype=hmac-md5)
Feb/28/2017 16:49:50 ipsec,debug (trns_id=DES encklen=0 authtype=hmac-sha256)
Feb/28/2017 16:49:50 ipsec,debug (trns_id=DES encklen=0 authtype=hmac-sha1)
Feb/28/2017 16:49:50 ipsec,debug (trns_id=DES encklen=0 authtype=hmac-md5)
# feb/28/2017 23:30:40 by RouterOS 6.39rc38
# software id = YA84-5K8U
#
/ip ipsec proposal
add auth-algorithms=sha1 enc-algorithms=aes-256-cbc name=proposal1 pfs-group=modp8192
/ip ipsec peer
add address=0.0.0.0/0 dh-group=modp8192,modp6144,modp4096,modp3072,modp2048,modp1536,modp1024 dpd-interval=15s enc-algorithm=aes-256 exchange-mode=main-l2tp \
generate-policy=port-strict lifetime=1h32m secret=redacted send-initial-contact=no
/ip ipsec policy
set 0 disabled=yes
add dst-address=0.0.0.0/0 proposal=proposal1 src-address=0.0.0.0/0 template=yes
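Added example, not part of the original post: a small Python check that parses the peer's ESP offers from the debug log and lists which of them the posted `/ip ipsec proposal` line would accept, first as posted (sha1) and then with sha256 only. The mapping between RouterOS algorithm names and the names printed in the log (`ENC_MAP`, the `hmac-` prefix) is an assumption made for this example.

```python
import re

# Excerpt of the peer's ESP offers, copied from the debug log in the post.
LOG = """\
Feb/28/2017 16:49:50 ipsec,debug (trns_id=AES-CBC encklen=256 authtype=hmac-sha256)
Feb/28/2017 16:49:50 ipsec,debug (trns_id=AES-CBC encklen=256 authtype=hmac-sha1)
Feb/28/2017 16:49:50 ipsec,debug (trns_id=AES-CBC encklen=128 authtype=hmac-sha256)
Feb/28/2017 16:49:50 ipsec,debug (trns_id=3DES encklen=0 authtype=hmac-sha1)
Feb/28/2017 16:49:50 ipsec,debug (trns_id=DES encklen=0 authtype=hmac-md5)
"""

TRNS = re.compile(r"\(trns_id=(\S+) encklen=(\d+) authtype=(\S+)\)")

# Assumed mapping from RouterOS enc-algorithms names to the (trns_id, encklen)
# pairs printed in the log; chosen for this example, not taken from the post.
ENC_MAP = {
    "aes-256-cbc": ("AES-CBC", 256),
    "aes-128-cbc": ("AES-CBC", 128),
    "3des": ("3DES", 0),
    "des": ("DES", 0),
}

def parse_offers(log):
    """Return the offered (trns_id, encklen, authtype) tuples in log order."""
    return [(m[1], int(m[2]), m[3]) for m in TRNS.finditer(log)]

def parse_proposal(line):
    """Parse an 'add key=value ...' export line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split()[1:] if "=" in kv)

def acceptable(offers, proposal):
    """Offers whose enc/auth pair appears in the proposal's algorithm lists."""
    encs = {ENC_MAP[e] for e in proposal["enc-algorithms"].split(",")}
    # Assumption: the log prints auth algorithms as "hmac-" + RouterOS name.
    auths = {"hmac-" + a for a in proposal["auth-algorithms"].split(",")}
    return [o for o in offers if (o[0], o[1]) in encs and o[2] in auths]

if __name__ == "__main__":
    offers = parse_offers(LOG)
    posted = parse_proposal("add auth-algorithms=sha1 enc-algorithms=aes-256-cbc "
                            "name=proposal1 pfs-group=modp8192")
    print("posted proposal accepts:", acceptable(offers, posted))
    wanted = dict(posted, **{"auth-algorithms": "sha256"})
    print("sha256-only proposal accepts:", acceptable(offers, wanted))
```

A match by algorithm name is necessary but not sufficient for phase 2 to come up: the PFS group and the other SA attributes also have to agree between the two sides.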