Thanks for your responses.
Try adding some non-modp2048 options. Maybe look at the SA installed
from the initial negotiation (ipsecctl -vvsa) for ideas.
I think this is the right answer. The log tells you what the other side sent:
spi=0x0a131729beeb819a: ikev2_log_proposal: ESP #1 ENCR=AES_CBC-256
spi=0x0a131729beeb819a: ikev2_log_proposal: ESP #1 INTEGR=HMAC_SHA2_256_128
spi=0x0a131729beeb819a: ikev2_log_proposal: ESP #1 INTEGR=HMAC_SHA1_96
spi=0x0a131729beeb819a: ikev2_log_proposal: ESP #1 ESN=NONE
There isn't any DH group for PFS here, so drop the modp2048 or add it on the
other side.
I tried countless different childsa lines, without success. Modp2048
didn't show up because I deactivated PFS. I didn't know this was
correlated. Now it shows up:
ikev2_log_proposal: ESP #1 DH=MODP_2048
I then removed SHA1 and AES-CBC-256 from the IKE-/Child-SA hash/cipher
list on the VPN router. Having now only:
DH group: DH14 (MODP-2048)
PFS: Yes
IKE-/Child-SA: Cipher: AES-GCM-256, Hash: SHA-256
(Available settings are described here
https://www.lancom-systems.com/docs/LCOS/Refmanual/EN/#topics/lanconfig_vpn_ikev2-ipsec_encryption.html
)
And this line in iked.conf:
childsa enc aes-256-gcm group modp2048 \
At first it looks ok. iked reports:
spi=0xf3e9aaf0b7009e4e: recv CREATE_CHILD_SA req 0 peer
88.14.XXX.YYY:4500 local 192.168.1.210:4500, 461 bytes, policy 'rathaus'
spi=0xf3e9aaf0b7009e4e: send CREATE_CHILD_SA res 0 peer
88.14.XXX.YYY:4500 local 192.168.1.210:4500, 497 bytes, NAT-T
spi=0xf3e9aaf0b7009e4e: ikev2_childsa_enable: loaded SPIs: 0x2f843f59,
0x18f271c6 (enc aes-256-gcm group modp2048)
But the VPN router has an IKE-I-General-failure 0x21ff. All of a sudden
it's a problem that I only want to route specific networks?! IPSec is so
exhausting.
For those who are interested, this is what the VPN-router reports:
...
[VPN-Status] 2023/02/25 02:01:49,268 Devicetime: 2023/02/25 02:01:49,040
Peer O2 [responder]: Received an CREATE_CHILD_SA-RESPONSE of 497 bytes
(encrypted)
Gateways: 88.14.XXX.YYY:4500<--84.17.XXX.ZZZ:4500
SPIs: 0xF3E9AAF0B7009E4E6A017F990A97DF8F, Message-ID 0
Determining best intersection for TSi
Expected TS :( 0, 0-65535, 0.0.0.0-255.255.255.255)
Received TS :( 0, 0-65535, 0.0.0.0-255.255.255.255)
Intersection:( 0, 0-65535, 0.0.0.0-255.255.255.255)
Determining best intersection for TSi
Expected TS :( 0, 0-65535, 0.0.0.0-255.255.255.255)
Received TS :( 0, 0-65535, 192.168.0.0-192.168.0.255 )
Intersection:( 0, 0-65535, 192.168.0.0-192.168.0.255 )
Determining best intersection for TSi
Expected TS :( 0, 0-65535, 0.0.0.0-255.255.255.255)
Received TS :( 0, 0-65535, 192.168.11.55-192.168.11.55 )
Intersection:( 0, 0-65535, 192.168.11.55-192.168.11.55 )
Best :( 0, 0-65535, 0.0.0.0-255.255.255.255)
Determining best intersection for TSr
Expected TS :( 0, 0-65535, 192.168.0.206-192.168.0.206 )
Received TS :( 0, 0-65535, 192.168.0.0-192.168.0.255 )
Intersection:( 0, 0-65535, 192.168.0.206-192.168.0.206 )
Determining best intersection for TSr
Expected TS :( 0, 0-65535, 192.168.0.206-192.168.0.206 )
Received TS :( 0, 0-65535, 0.0.0.0-0.0.0.0 )
-No intersection
Best :( 0, 0-65535, 192.168.0.206-192.168.0.206 )
-Received Traffic selectors are super set of proposed traffic selectors
-> abort
Proposed TSi: ( 0, 0-65535, 0.0.0.0-255.255.255.255)
Proposed TSr: ( 0, 0-65535, 192.168.0.206-192.168.0.206 )
[VPN-Status] 2023/02/25 02:01:49,268 Devicetime: 2023/02/25 02:01:49,041
Hard lifetime event occurred for '' (initiator flags 0x0000400800000000)
CHILD_SA ESP
No IKE_SA found for
[VPN-Status] 2023/02/25 02:01:49,268 Devicetime: 2023/02/25 02:01:49,041
VPN: policy manager error indication: O2 (84.17.XXX.ZZZ), cause: 8703
[VPN-Status] 2023/02/25 02:01:49,268 Devicetime: 2023/02/25 02:01:49,048
VPN: Error: IKE-I-General-failure (0x21ff) for O2 (84.17.XXX.ZZZ) IKEv2
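The router's "super set of proposed traffic selectors -> abort" is the check RFC 7296 section 2.9 asks an initiator to make: the responder may narrow the proposed traffic selectors but never widen them. The script below is an added illustration, not code from iked or from the LANCOM router; it parses the selector lines from the log above into (protocol, port range, address range) triples, intersects them, and flags every received selector that is not contained in one the initiator proposed. The `widened` rule (each received selector must fit inside some proposed one) is my reading of the RFC, not the router's exact algorithm.

```python
import ipaddress
import re
from dataclasses import dataclass

# Matches the router's selector text "( proto, lo-hi, a.b.c.d-e.f.g.h )".
TS_RE = re.compile(r"\(\s*(\d+),\s*(\d+)-(\d+),\s*([\d.]+)-([\d.]+)\s*\)")

@dataclass(frozen=True)
class TS:
    proto: int      # 0 means "any protocol"
    port_lo: int
    port_hi: int
    addr_lo: int    # IPv4 addresses held as integers
    addr_hi: int

def parse_ts(text):
    m = TS_RE.search(text)
    if not m:
        raise ValueError("no traffic selector in: %r" % text)
    return TS(int(m[1]), int(m[2]), int(m[3]),
              int(ipaddress.IPv4Address(m[4])), int(ipaddress.IPv4Address(m[5])))

def intersect(a, b):
    """Common part of two selectors, or None when they do not overlap."""
    if a.proto and b.proto and a.proto != b.proto:
        return None
    plo, phi = max(a.port_lo, b.port_lo), min(a.port_hi, b.port_hi)
    alo, ahi = max(a.addr_lo, b.addr_lo), min(a.addr_hi, b.addr_hi)
    if plo > phi or alo > ahi:
        return None
    return TS(a.proto or b.proto, plo, phi, alo, ahi)

def widened(proposed, received):
    """Received selectors not contained in any proposed selector
    (RFC 7296 2.9: a responder may only narrow, never widen)."""
    return [r for r in received
            if not any(intersect(r, p) == r for p in proposed)]

# Selector lines copied from the VPN router log in the message above.
PROPOSED_TSI = [parse_ts("Proposed TSi: ( 0, 0-65535, 0.0.0.0-255.255.255.255)")]
PROPOSED_TSR = [parse_ts("Proposed TSr: ( 0, 0-65535, 192.168.0.206-192.168.0.206 )")]
RECEIVED_TSI = [parse_ts(s) for s in (
    "Received TS :( 0, 0-65535, 0.0.0.0-255.255.255.255)",
    "Received TS :( 0, 0-65535, 192.168.0.0-192.168.0.255 )",
    "Received TS :( 0, 0-65535, 192.168.11.55-192.168.11.55 )")]
RECEIVED_TSR = [parse_ts(s) for s in (
    "Received TS :( 0, 0-65535, 192.168.0.0-192.168.0.255 )",
    "Received TS :( 0, 0-65535, 0.0.0.0-0.0.0.0 )")]

if __name__ == "__main__":
    for name, prop, recv in (("TSi", PROPOSED_TSI, RECEIVED_TSI),
                             ("TSr", PROPOSED_TSR, RECEIVED_TSR)):
        bad = widened(prop, recv)
        print(name, "ok" if not bad else "abort: widened %r" % bad)
```

Run as-is it reports TSi as fine and TSr as widened, matching the router's abort: the 192.168.0.0/24 reply covers more than the single host the router proposed.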