Encryption

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
howlingcat
Posts: 10
Joined: Thu Oct 20, 2016 9:17 pm

Encryption

Post by howlingcat » Thu Oct 20, 2016 9:24 pm

I've created a VPN adapter on my Windows machine, not using SoftEther's client.
I specified the correct PSK in an L2TP/IPsec connection. This is my vpnserver setting:
declare IPsec
{
bool EtherIP_IPsec true
string IPsec_Secret <some secret>
string L2TP_DefaultHub DEFAULT
bool L2TP_IPsec true
bool L2TP_Raw true

declare EtherIP_IDSettingsList
{
}
}

Entered the correct username and password.

This is the log on the server side:
<date and time> IPsec Client 35 (xxx.xxx.xxx.xxx:500 -> yyy.yyy.yyy.yyy:500): A new IPsec client is created.
<date and time> IPsec Client 35 (xxx.xxx.xxx.xxx:500 -> yyy.yyy.yyy.yyy:500): There are no acceptable transform proposals from the client for establishing an IKE SA.

Capturing the conversation, I see that for each encryption proposal my Windows client offers, the server responds with "no proposal chosen".

Where do I configure the types of encryption the server can support? It seems that my server is not configured to support the types that Windows offers by default.

This is what is offered by the client:
User Datagram Protocol, Src Port: 500 (500), Dst Port: 500 (500)
Source Port: 500
Destination Port: 500
Length: 392
Checksum: 0xd38d [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
[Stream index: 10]
Internet Security Association and Key Management Protocol
Initiator SPI: 54984f09dcf0371f
Responder SPI: 0000000000000000
Next payload: Security Association (1)
Version: 1.0
0001 .... = MjVer: 0x01
.... 0000 = MnVer: 0x00
Exchange type: Identity Protection (Main Mode) (2)
Flags: 0x00
.... ...0 = Encryption: Not encrypted
.... ..0. = Commit: No commit
.... .0.. = Authentication: No authentication
Message ID: 0x00000000
Length: 384
Type Payload: Security Association (1)
Next payload: Vendor ID (13)
Payload length: 212
Domain of interpretation: IPSEC (1)
Situation: 00000001
.... .... .... .... .... .... .... ...1 = Identity Only: True
.... .... .... .... .... .... .... ..0. = Secrecy: False
.... .... .... .... .... .... .... .0.. = Integrity: False
Type Payload: Proposal (2) # 1
Next payload: NONE / No Next Payload (0)
Payload length: 200
Proposal number: 1
Protocol ID: ISAKMP (1)
SPI Size: 0
Proposal transforms: 5
Type Payload: Transform (3) # 1
Next payload: Transform (3)
Payload length: 40
Transform number: 1
Transform ID: KEY_IKE (1)
Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : AES-CBC
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Encryption-Algorithm (1)
Value: 0007
Encryption Algorithm: AES-CBC (7)
Transform IKE Attribute Type (t=14,l=2) Key-Length : 256
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Key-Length (14)
Value: 0100
Key Length: 256
Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Hash-Algorithm (2)
Value: 0002
HASH Algorithm: SHA (2)
Transform IKE Attribute Type (t=4,l=2) Group-Description : 384-bit random ECP group
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Group-Description (4)
Value: 0014
Group Description: 384-bit random ECP group (20)
Transform IKE Attribute Type (t=3,l=2) Authentication-Method : RSA-SIG
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Authentication-Method (3)
Value: 0003
Authentication Method: RSA-SIG (3)
Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Life-Type (11)
Value: 0001
Life Type: Seconds (1)
Transform IKE Attribute Type (t=12,l=4) Life-Duration : 28800
0... .... .... .... = Transform IKE Format: Type/Length/Value (TLV)
Transform IKE Attribute Type: Life-Duration (12)
Length: 4
Value: 00007080
Life Duration: 28800
Type Payload: Transform (3) # 2
Next payload: Transform (3)
Payload length: 40
Transform number: 2
Transform ID: KEY_IKE (1)
Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : AES-CBC
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Encryption-Algorithm (1)
Value: 0007
Encryption Algorithm: AES-CBC (7)
Transform IKE Attribute Type (t=14,l=2) Key-Length : 128
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Key-Length (14)
Value: 0080
Key Length: 128
Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Hash-Algorithm (2)
Value: 0002
HASH Algorithm: SHA (2)
Transform IKE Attribute Type (t=4,l=2) Group-Description : 256-bit random ECP group
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Group-Description (4)
Value: 0013
Group Description: 256-bit random ECP group (19)
Transform IKE Attribute Type (t=3,l=2) Authentication-Method : RSA-SIG
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Authentication-Method (3)
Value: 0003
Authentication Method: RSA-SIG (3)
Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Life-Type (11)
Value: 0001
Life Type: Seconds (1)
Transform IKE Attribute Type (t=12,l=4) Life-Duration : 28800
0... .... .... .... = Transform IKE Format: Type/Length/Value (TLV)
Transform IKE Attribute Type: Life-Duration (12)
Length: 4
Value: 00007080
Life Duration: 28800
Type Payload: Transform (3) # 3
Next payload: Transform (3)
Payload length: 40
Transform number: 3
Transform ID: KEY_IKE (1)
Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : AES-CBC
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Encryption-Algorithm (1)
Value: 0007
Encryption Algorithm: AES-CBC (7)
Transform IKE Attribute Type (t=14,l=2) Key-Length : 256
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Key-Length (14)
Value: 0100
Key Length: 256
Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Hash-Algorithm (2)
Value: 0002
HASH Algorithm: SHA (2)
Transform IKE Attribute Type (t=4,l=2) Group-Description : 2048 bit MODP group
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Group-Description (4)
Value: 000e
Group Description: 2048 bit MODP group (14)
Transform IKE Attribute Type (t=3,l=2) Authentication-Method : RSA-SIG
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Authentication-Method (3)
Value: 0003
Authentication Method: RSA-SIG (3)
Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Life-Type (11)
Value: 0001
Life Type: Seconds (1)
Transform IKE Attribute Type (t=12,l=4) Life-Duration : 28800
0... .... .... .... = Transform IKE Format: Type/Length/Value (TLV)
Transform IKE Attribute Type: Life-Duration (12)
Length: 4
Value: 00007080
Life Duration: 28800
Type Payload: Transform (3) # 4
Next payload: Transform (3)
Payload length: 36
Transform number: 4
Transform ID: KEY_IKE (1)
Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : 3DES-CBC
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Encryption-Algorithm (1)
Value: 0005
Encryption Algorithm: 3DES-CBC (5)
Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Hash-Algorithm (2)
Value: 0002
HASH Algorithm: SHA (2)
Transform IKE Attribute Type (t=4,l=2) Group-Description : 2048 bit MODP group
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Group-Description (4)
Value: 000e
Group Description: 2048 bit MODP group (14)
Transform IKE Attribute Type (t=3,l=2) Authentication-Method : RSA-SIG
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Authentication-Method (3)
Value: 0003
Authentication Method: RSA-SIG (3)
Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Life-Type (11)
Value: 0001
Life Type: Seconds (1)
Transform IKE Attribute Type (t=12,l=4) Life-Duration : 28800
0... .... .... .... = Transform IKE Format: Type/Length/Value (TLV)
Transform IKE Attribute Type: Life-Duration (12)
Length: 4
Value: 00007080
Life Duration: 28800
Type Payload: Transform (3) # 5
Next payload: NONE / No Next Payload (0)
Payload length: 36
Transform number: 5
Transform ID: KEY_IKE (1)
Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : 3DES-CBC
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Encryption-Algorithm (1)
Value: 0005
Encryption Algorithm: 3DES-CBC (5)
Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Hash-Algorithm (2)
Value: 0002
HASH Algorithm: SHA (2)
Transform IKE Attribute Type (t=4,l=2) Group-Description : Alternate 1024-bit MODP group
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Group-Description (4)
Value: 0002
Group Description: Alternate 1024-bit MODP group (2)
Transform IKE Attribute Type (t=3,l=2) Authentication-Method : RSA-SIG
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Authentication-Method (3)
Value: 0003
Authentication Method: RSA-SIG (3)
Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Life-Type (11)
Value: 0001
Life Type: Seconds (1)
Transform IKE Attribute Type (t=12,l=4) Life-Duration : 28800
0... .... .... .... = Transform IKE Format: Type/Length/Value (TLV)
Transform IKE Attribute Type: Life-Duration (12)
Length: 4
Value: 00007080
Life Duration: 28800
Type Payload: Vendor ID (13) : MS NT5 ISAKMPOAKLEY
Next payload: Vendor ID (13)
Payload length: 24
Vendor ID: 1e2b516905991c7d7c96fcbfb587e46100000008
Vendor ID: MS NT5 ISAKMPOAKLEY
MS NT5 ISAKMPOAKLEY: Unknown (8)
Type Payload: Vendor ID (13) : RFC 3947 Negotiation of NAT-Traversal in the IKE
Next payload: Vendor ID (13)
Payload length: 20
Vendor ID: 4a131c81070358455c5728f20e95452f
Vendor ID: RFC 3947 Negotiation of NAT-Traversal in the IKE
Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02\n
Next payload: Vendor ID (13)
Payload length: 20
Vendor ID: 90cb80913ebb696e086381b5ec427b1f
Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n
Type Payload: Vendor ID (13) : Cisco Fragmentation
Next payload: Vendor ID (13)
Payload length: 20
Vendor ID: 4048b7d56ebce88525e7de7f00d6c2d3
Vendor ID: Cisco Fragmentation
Type Payload: Vendor ID (13) : MS-Negotiation Discovery Capable
Next payload: Vendor ID (13)
Payload length: 20
Vendor ID: fb1de3cdf341b7ea16b7e5be0855f120
Vendor ID: MS-Negotiation Discovery Capable
Type Payload: Vendor ID (13) : Microsoft Vid-Initial-Contact
Next payload: Vendor ID (13)
Payload length: 20
Vendor ID: 26244d38eddb61b3172a36e3d0cfb819
Vendor ID: Microsoft Vid-Initial-Contact
Type Payload: Vendor ID (13) : IKE CGA Version 1
Next payload: NONE / No Next Payload (0)
Payload length: 20
Vendor ID: e3a5966a76379fe707228231e5ce8652
Vendor ID: IKE CGA Version 1

And this is the response:

User Datagram Protocol, Src Port: 500 (500), Dst Port: 500 (500)
Source Port: 500
Destination Port: 500
Length: 64
Checksum: 0x8fe4 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
[Stream index: 10]
Internet Security Association and Key Management Protocol
Initiator SPI: bd1c59a97c9797fa
Responder SPI: 0000000000000000
Next payload: Notification (11)
Version: 1.0
0001 .... = MjVer: 0x01
.... 0000 = MnVer: 0x00
Exchange type: Informational (5)
Flags: 0x00
.... ...0 = Encryption: Not encrypted
.... ..0. = Commit: No commit
.... .0.. = Authentication: No authentication
Message ID: 0x27c13c77
Length: 56
Type Payload: Notification (11)
Next payload: NONE / No Next Payload (0)
Payload length: 28
Domain of interpretation: ISAKMP (0)
Protocol ID: ISAKMP (1)
SPI Size: 16
Notify Message Type: NO-PROPOSAL-CHOSEN (14)
SPI: 54984f09dcf0371f0000000000000000
Notification DATA: <MISSING>

Thank you for your assistance.

howlingcat

Re: Encryption

Post by howlingcat » Fri Oct 21, 2016 10:24 pm

Never mind. Somehow I missed entering the PSK. Sorry for the trouble.
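A detail worth reading off the capture in the first post: all five transforms in the client's Proposal carry Authentication-Method RSA-SIG (3), never pre-shared key (1). That is what a Windows L2TP/IPsec connection sends when it is left at its default certificate authentication, i.e. when no PSK has been entered, and a responder that only does PSK authentication for that tunnel then has nothing it can select, regardless of which ciphers and DH groups it supports; the answer is NO-PROPOSAL-CHOSEN, exactly as the thread concludes. The following Python is an added example, not code from the original posts or from SoftEther: it rebuilds the captured Proposal payload from the RFC 2408 payload and attribute layouts (the result has the same 200-byte length as in the capture), parses it back, and emulates a responder's transform selection against a constructed PSK-only policy. The policy sets, the `windows_proposal` builder and the weak-transform check are assumptions for illustration and do not describe SoftEther's actual transform list.

```python
"""Encode, decode and evaluate IKEv1 (ISAKMP) Phase 1 SA proposals (RFC 2408 / RFC 2409)."""
import struct

# IKE attribute types, RFC 2409 Appendix A
ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP = 1, 2, 3, 4
ATTR_LIFE_TYPE, ATTR_LIFE_DURATION, ATTR_KEY_LENGTH = 11, 12, 14
TLV_TYPES = {ATTR_LIFE_DURATION}  # the capture sends Life-Duration as a 4-byte TLV attribute

ENC_NAMES = {5: "3DES-CBC", 7: "AES-CBC"}
HASH_NAMES = {1: "MD5", 2: "SHA1", 4: "SHA2-256"}
AUTH_NAMES = {1: "PSK", 3: "RSA-SIG"}
GROUP_NAMES = {2: "MODP-1024", 14: "MODP-2048", 19: "ECP-256", 20: "ECP-384"}

# Constructed responder policies for this example (not SoftEther's real configuration).
PSK_RESPONDER_POLICY = {"auth": {1}, "enc": {5, 7}, "hash": {2, 4}, "group": {2, 14, 19, 20}}
HARDENED_RESPONDER_POLICY = {"auth": {1}, "enc": {7}, "hash": {2, 4}, "group": {14, 19, 20}}


def encode_attrs(attrs):
    """Serialise (type, value) pairs as ISAKMP SA attributes (RFC 2408 section 3.3)."""
    out = b""
    for typ, val in attrs:
        if typ in TLV_TYPES:
            out += struct.pack("!HHI", typ, 4, val)        # AF bit clear: Type/Length/Value
        else:
            out += struct.pack("!HH", 0x8000 | typ, val)   # AF bit set: Type/Value
    return out


def build_transform(number, attrs, last):
    """Transform payload: next payload, reserved, length, transform #, Transform-Id KEY_IKE (1), reserved."""
    body = encode_attrs(attrs)
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(body), number, 1, 0) + body


def build_proposal(transform_attrs):
    """Proposal payload #1 for protocol ISAKMP (1), SPI size 0, followed by its transforms."""
    body = b"".join(build_transform(i + 1, a, i == len(transform_attrs) - 1)
                    for i, a in enumerate(transform_attrs))
    return struct.pack("!BBHBBBB", 0, 0, 8 + len(body), 1, 1, 0, len(transform_attrs)) + body


def windows_proposal(auth_method):
    """The five transforms seen in the capture, with the authentication method as a parameter."""
    lifetime = [(ATTR_LIFE_TYPE, 1), (ATTR_LIFE_DURATION, 28800)]

    def transform(enc, key_len, group):
        attrs = [(ATTR_ENC, enc)] + ([(ATTR_KEY_LENGTH, key_len)] if key_len else [])
        return attrs + [(ATTR_HASH, 2), (ATTR_GROUP, group), (ATTR_AUTH, auth_method)] + lifetime

    return build_proposal([transform(7, 256, 20), transform(7, 128, 19), transform(7, 256, 14),
                           transform(5, 0, 14), transform(5, 0, 2)])


def parse_attrs(data):
    """Decode SA attributes into {type: value}, handling both TV and TLV forms."""
    attrs, off = {}, 0
    while off < len(data):
        word, = struct.unpack_from("!H", data, off)
        typ = word & 0x7FFF
        if word & 0x8000:
            val, = struct.unpack_from("!H", data, off + 2)
            off += 4
        else:
            length, = struct.unpack_from("!H", data, off + 2)
            val = int.from_bytes(data[off + 4:off + 4 + length], "big")
            off += 4 + length
        attrs[typ] = val
    return attrs


def parse_proposal(data):
    """Return [(transform number, attribute dict), ...] from a Proposal payload."""
    _, _, length, _, proto, spi_size, count = struct.unpack_from("!BBHBBBB", data, 0)
    if proto != 1 or length > len(data):
        raise ValueError("not an ISAKMP proposal or truncated payload")
    transforms, off = [], 8 + spi_size
    for _ in range(count):
        _, _, tlen, tnum, tid, _ = struct.unpack_from("!BBHBBH", data, off)
        if tid != 1:
            raise ValueError("unexpected Transform-Id %d" % tid)
        transforms.append((tnum, parse_attrs(data[off + 8:off + tlen])))
        off += tlen
    return transforms


def describe(a):
    enc = ENC_NAMES.get(a.get(ATTR_ENC), "?") + ("-%d" % a[ATTR_KEY_LENGTH] if ATTR_KEY_LENGTH in a else "")
    return "%s/%s/%s/%s" % (enc, HASH_NAMES.get(a.get(ATTR_HASH), "?"),
                            GROUP_NAMES.get(a.get(ATTR_GROUP), "?"), AUTH_NAMES.get(a.get(ATTR_AUTH), "?"))


def select_transform(transforms, policy):
    """Responder view: number of the first fully acceptable transform, or None (NO-PROPOSAL-CHOSEN)."""
    for num, a in transforms:
        if (a.get(ATTR_AUTH) in policy["auth"] and a.get(ATTR_ENC) in policy["enc"]
                and a.get(ATTR_HASH) in policy["hash"] and a.get(ATTR_GROUP) in policy["group"]):
            return num
    return None


def weak_transforms(transforms):
    """Transform numbers still offering 3DES or the 1024-bit MODP group."""
    return [num for num, a in transforms if a.get(ATTR_ENC) == 5 or a.get(ATTR_GROUP) == 2]


if __name__ == "__main__":
    for auth in (3, 1):
        parsed = parse_proposal(windows_proposal(auth))
        print("client offers:", ", ".join(describe(a) for _, a in parsed))
        print("  PSK-only responder picks:", select_transform(parsed, PSK_RESPONDER_POLICY))
        print("  hardened responder picks:", select_transform(parsed, HARDENED_RESPONDER_POLICY))
        print("  weak transforms offered:", weak_transforms(parsed))
```

With RSA-SIG proposals every policy returns None, which is the NO-PROPOSAL-CHOSEN in the capture; once the initiator authenticates with a PSK, the first transform (AES-CBC-256 / SHA1 / ECP-384) is chosen. The last two transforms, 3DES with MODP-2048 and MODP-1024, are still on offer in the 2016-era Windows default list, so a responder should refuse them rather than let an active attacker steer the negotiation onto them; only the constructed hardened policy above does so.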
