[strongSwan] Having a problem creating a basic Site-to-Site config !!
Shashi Yash
shashi007 at gmail.com
Thu Aug 25 22:02:41 CEST 2011
Thanks Nguyen / Andreas / Martin for your responses !!!
I took your suggestions and changed the ipsec.conf as follows and it worked !!!
Also I had an error with the ipsec.secrets file; for some reason strongSwan
expects the key to be in DER format. So I had to convert my keys
to DER format with the below command.
openssl rsa -in rh1_Key.pem -outform DER -out rh1_Key.der
RH1:
--------
conn net-net
left=10.19.61.35
leftsubnet=192.168.100.0/24
leftcert=rh1_Cert.pem
right=10.19.61.67
rightsubnet=192.168.200.0/24
rightid="C=us, ST=il, O=ics, OU=mp, CN=RH6-2"
auto=start
keyexchange=ikev2
#authby=secret
auth=esp
ike=3des-sha1-modp2048
esp=3des-sha1-modp2048
RH2:
----------
conn net-net
left=10.19.61.67
leftsubnet=192.168.200.0/24
leftcert=rh2_Cert.pem
right=10.19.61.35
rightsubnet=192.168.100.0/24
rightid="C=us, ST=il, O=ics, OU=mp, CN=RH6-1"
auto=start
keyexchange=ikev2
#authby=secret
auth=esp
ike=3des-sha1-modp2048
esp=3des-sha1-modp2048
Thanks Again
-shashi..
On Wed, Aug 24, 2011 at 5:58 PM, Shashi Yash <shashi007 at gmail.com> wrote:
> Trying to setup ipsec site to site scenario on two red hat machines. I
> get the following error: "no acceptable proposal found" on both
> machines. Can you guys please tell me why I'm getting the following
> error.
>
> I have pasted the configs and logs from both machines.
>
> RH1: ipsec.conf
> conn net-net
> left=10.19.61.35
> leftsubnet=192.168.100.0/24
> leftcert=rh1_Cert.pem
> right=10.19.61.67
> rightsubnet=192.168.200.0/24
> leftid="C=us, ST=il, O=ics, OU=mp, CN=RH6-1"
> auto=start
> ike=3des
> esp=aes256gcm16-modp1024-modp2048,aes128gcm16-modp1024-modp2048
>
>
>
> RH2:ipsec.conf
> conn net-net
> left=10.19.61.67
> leftsubnet=192.168.200.0/24
> leftcert=rh2_Cert.pem
> right=10.19.61.35
> rightsubnet=192.168.100.0/24
> rightid="C=us, ST=il, O=ics, OU=mp, CN=RH6-2"
> auto=start
> ike=3des
> esp=aes256gcm16-modp1024-modp2048,aes128gcm16-modp1024-modp2048
>
>
> RH1 Log:
> -------------------
> 13[NET] received packet: from 10.19.61.67[500] to 10.19.61.35[500]
> 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 13[IKE] 10.19.61.67 is initiating an IKE_SA
> 13[IKE] no acceptable proposal found
> 13[ENC] generating IKE_SA_INIT response 0 [ ]
> 13[NET] sending packet: from 10.19.61.35[500] to 10.19.61.67[500]
> 14[NET] received packet: from 10.19.61.67[500] to 10.19.61.35[500]
> 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 14[IKE] 10.19.61.67 is initiating an IKE_SA
> 14[IKE] no acceptable proposal found
>
>
> RH2 Log:
> ---------------------
>
> 10[IKE] initiating IKE_SA net-net[1] to 10.19.61.35
> 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 10[NET] sending packet: from 10.19.61.67[500] to 10.19.61.35[500]
> 11[NET] received packet: from 10.19.61.35[500] to 10.19.61.67[500]
> 11[ENC] payload of type SECURITY_ASSOCIATION not occurred 1 times (0)
> 11[IKE] IKE_SA_INIT response with message ID 0 processing failed
> 12[IKE] retransmit 1 of request with message ID 0
> 12[NET] sending packet: from 10.19.61.67[500] to 10.19.61.35[500]
> 13[NET] received packet: from 10.19.61.35[500] to 10.19.61.67[500]
> 13[ENC] payload of type SECURITY_ASSOCIATION not occurred 1 times (0)
> 13[IKE] IKE_SA_INIT response with message ID 0 processing failed
> 14[NET] received packet: from 10.19.61.35[500] to 10.19.61.67[500]
> 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 14[IKE] 10.19.61.35 is initiating an IKE_SA
> 14[IKE] no acceptable proposal found
>
> Thanks in Advance
> -shashi..
>
--
-shashi..
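As an added example, not code from this thread or from strongSwan: a small checker for the mistakes corrected in the reply above (IKE/ESP proposal lists with nothing in common, an incomplete IKE proposal such as the original ike=3des, and left/right settings that do not mirror between the two peers), run on constructed samples built from the working RH1/RH2 settings. It compares proposal strings literally, which is stricter than strongSwan's per-transform negotiation, and it does not check certificate subjects against rightid.

```python
import re

def parse_conn(text):
    """Parse one 'conn' section into a dict; '#' comments and the quotes
    around values such as rightid="..." are dropped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(\w+)\s*=\s*(.+)", line)
        if m:
            conf[m.group(1)] = m.group(2).strip().strip('"')
    return conf

def proposals(value):
    """'3des-sha1-modp2048,aes128-sha1-modp2048' -> set of proposal strings."""
    return {p.strip() for p in value.split(",") if p.strip()}

def check_peers(a, b):
    """Return the problems found between two peers' conn sections ([] if none)."""
    problems = []
    for key in ("ike", "esp"):
        if not proposals(a.get(key, "")) & proposals(b.get(key, "")):
            problems.append(f"{key}: no proposal common to both peers")
    # An IKE proposal should name encryption, integrity and a DH group;
    # a bare 'ike=3des' as in the original post leaves the last two unset.
    for conf in (a, b):
        for p in proposals(conf.get("ike", "")):
            if len(p.split("-")) < 3:
                problems.append(f"ike: incomplete proposal '{p}'")
    # Each side's left* must equal the other side's right*, and vice versa.
    for l, r in (("left", "right"), ("leftsubnet", "rightsubnet")):
        if a.get(l) != b.get(r) or a.get(r) != b.get(l):
            problems.append(f"{l}/{r}: settings do not mirror between peers")
    return problems

# Constructed samples: the working settings posted above, and RH2's original
# 'ike=3des' line, which produced "no acceptable proposal found".
def sample(left, lsub, right, rsub, ike):
    """Build a constructed conn section; esp follows the working config."""
    return (f"conn net-net\n    left={left}\n    leftsubnet={lsub}\n"
            f"    right={right}\n    rightsubnet={rsub}\n    #authby=secret\n"
            f"    ike={ike}\n    esp=3des-sha1-modp2048\n")

RH1_OK = sample("10.19.61.35", "192.168.100.0/24",
                "10.19.61.67", "192.168.200.0/24", "3des-sha1-modp2048")
RH2_OK = sample("10.19.61.67", "192.168.200.0/24",
                "10.19.61.35", "192.168.100.0/24", "3des-sha1-modp2048")
RH2_BAD = RH2_OK.replace("ike=3des-sha1-modp2048", "ike=3des")
```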