<div dir="ltr">Success! Looks like the "kernel-netlink" plugin was required. Now that I understand what better to look for, I'm going to trim it down to the minimal number of packages required. Thanks for the pointers in the right direction.<br>
<br><div class="gmail_quote">On Fri, Jan 28, 2011 at 2:10 PM, Robert Wicks <span dir="ltr"><<a href="mailto:robwicks@gmail.com">robwicks@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div dir="ltr">I think I'm making progress. I turned debug logging back on, and I see this on the server:<div><br></div><div><div>Jan 28 14:05:41 gateway.linux.bogus syslog: 02[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ </div>
<div>Jan 28 14:05:41 gateway.linux.bogus syslog: 02[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ </div>
<div>Jan 28 14:05:41 gateway.linux.bogus syslog: 02[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ </div><div>Jan 28 14:05:41 gateway.linux.bogus syslog: 02[IKE] allocating SPI failed </div><div><br></div>
<div><br></div><div>I think this means I failed to add a particular plugin to strongswan when I installed it. I'm putting this on a router with space limitations, so I cannot install every plugin. Any idea which plugin will enable this proposal?</div>
<div><div></div><div class="h5">
<div><br></div><br><div class="gmail_quote">On Fri, Jan 28, 2011 at 1:58 PM, Robert Wicks <span dir="ltr"><<a href="mailto:robwicks@gmail.com" target="_blank">robwicks@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">I then changed the server side and removed "rightsubnetwithin," instead using<div>rightsourceip=<a href="http://10.3.0.0/16" target="_blank">10.3.0.0/16</a></div><div><br></div><div>Now, I get this on the client:</div>
<div><br></div><div><div>scheduling reauthentication in 9740s</div><div>maximum IKE_SA lifetime 10280s</div><div>installing new virtual IP 10.3.0.1</div><div>received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built</div><div>
<br></div><div><br></div><div>And I see this in my server logs:</div><div><br></div><div><div>Jan 28 13:56:10 gateway.linux.bogus syslog: 01[IKE] assigning virtual IP 10.3.0.1 to peer </div><div>Jan 28 13:56:10 gateway.linux.bogus syslog: 01[CFG] looking for a child config for <a href="http://192.168.2.0/24" target="_blank">192.168.2.0/24</a> === <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> </div>
<div>Jan 28 13:56:10 gateway.linux.bogus syslog: 01[CFG] proposing traffic selectors for us: </div><div>Jan 28 13:56:10 gateway.linux.bogus syslog: 01[CFG] <a href="http://192.168.2.0/24" target="_blank">192.168.2.0/24</a> (derived from <a href="http://192.168.2.0/24" target="_blank">192.168.2.0/24</a>) </div>
<div>Jan 28 13:56:10 gateway.linux.bogus syslog: 01[NET] sending packet: from <Server Public IP>[4500] to <Client Gateway IP>[22226] </div></div><div><div></div><div><div><br></div><br><div class="gmail_quote">
On Fri, Jan 28, 2011 at 8:57 AM, Robert Wicks <span dir="ltr"><<a href="mailto:robwicks@gmail.com" target="_blank">robwicks@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I then changed the leftsourceip setting on the client side to "%config" and got this on my server side logs:<div>
<br></div><div><div>Jan 28 08:53:56 gateway.linux.bogus syslog: 05[NET] received packet: from <Client Public Gateway>[5990] to <Server Public IP>[4500] </div>
<div>Jan 28 08:53:56 gateway.linux.bogus syslog: 05[ENC] parsed INFORMATIONAL request 2 [ D ] </div><div>Jan 28 08:53:56 gateway.linux.bogus syslog: 05[IKE] received DELETE for IKE_SA nat-t[1] </div><div>Jan 28 08:53:56 gateway.linux.bogus syslog: 05[IKE] deleting IKE_SA nat-t[1] between <Server Public IP>[C=US, ST=GA, L=Atlanta, O=WQCS, CN=server, E=<a href="mailto:wicksquick@gmail.com" target="_blank">wicksquick@gmail.com</a>]...<Client Public Gateway>[C=US, ST=GA, L=Atlanta, O=WQCS, </div>
<div>Jan 28 08:53:56 gateway.linux.bogus syslog: 05[IKE] IKE_SA deleted </div><div>Jan 28 08:53:56 gateway.linux.bogus syslog: 05[ENC] generating INFORMATIONAL response 2 [ ] </div><div>Jan 28 08:54:19 gateway.linux.bogus syslog: 07[NET] received packet: from <Client Public Gateway>[8057] to <Server Public IP>[500] </div>
<div>Jan 28 08:54:19 gateway.linux.bogus syslog: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] </div><div>Jan 28 08:54:19 gateway.linux.bogus syslog: 07[IKE] <Client Public Gateway> is initiating an IKE_SA </div>
<div>Jan 28 08:54:20 gateway.linux.bogus syslog: 07[IKE] remote host is behind NAT </div><div>Jan 28 08:54:20 gateway.linux.bogus syslog: 07[IKE] sending cert request for "C=US, ST=GA, L=Atlanta, O=WQCS, OU=HQ, CN=WQCS CA, E=<a href="mailto:wicksquick@gmail.com" target="_blank">wicksquick@gmail.com</a>" </div>
<div>Jan 28 08:54:20 gateway.linux.bogus syslog: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ] </div><div>Jan 28 08:54:20 gateway.linux.bogus syslog: 07[NET] sending packet: from <Server Public IP>[500] to <Client Public Gateway>[8057] </div>
<div>Jan 28 08:54:20 gateway.linux.bogus syslog: 08[NET] received packet: from <Client Public Gateway>[5990] to <Server Public IP>[4500] </div><div>Jan 28 08:54:21 gateway.linux.bogus syslog: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH CP SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ] </div>
<div>Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] received cert request for "C=US, ST=GA, L=Atlanta, O=WQCS, OU=HQ, CN=WQCS CA, E=<a href="mailto:wicksquick@gmail.com" target="_blank">wicksquick@gmail.com</a>" </div>
<div>
Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] received end entity cert "C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=<a href="mailto:wicksquick@gmail.com" target="_blank">wicksquick@gmail.com</a>" </div>
<div>Jan 28 08:54:21 gateway.linux.bogus syslog: 08[CFG] looking for peer configs matching <Server Public IP>[C=US, ST=GA, L=Atlanta, O=WQCS, CN=server, E=<a href="mailto:wicksquick@gmail.com" target="_blank">wicksquick@gmail.com</a>]...<Client Public Gateway>[C=US, ST=GA, L=Atlanta, O=WQCS, </div>
<div>Jan 28 08:54:21 gateway.linux.bogus syslog: 08[CFG] selected peer config 'nat-t' </div><div>Jan 28 08:54:21 gateway.linux.bogus syslog: 08[CFG] using certificate "C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=<a href="mailto:wicksquick@gmail.com" target="_blank">wicksquick@gmail.com</a>" </div>
<div>Jan 28 08:54:21 gateway.linux.bogus syslog: 08[CFG] using trusted ca certificate "C=US, ST=GA, L=Atlanta, O=WQCS, OU=HQ, CN=WQCS CA, E=<a href="mailto:wicksquick@gmail.com" target="_blank">wicksquick@gmail.com</a>" </div>
<div>Jan 28 08:54:21 gateway.linux.bogus syslog: 08[CFG] checking certificate status of "C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=<a href="mailto:wicksquick@gmail.com" target="_blank">wicksquick@gmail.com</a>" </div>
<div>
Jan 28 08:54:21 gateway.linux.bogus syslog: 08[CFG] certificate status is not available </div><div>Jan 28 08:54:21 gateway.linux.bogus syslog: 08[CFG] reached self-signed root ca with a path length of 0 </div><div>Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] authentication of 'C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=<a href="mailto:wicksquick@gmail.com" target="_blank">wicksquick@gmail.com</a>' with RSA signature successful </div>
<div>Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] peer supports MOBIKE </div><div>Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] authentication of 'C=US, ST=GA, L=Atlanta, O=WQCS, CN=server, E=<a href="mailto:wicksquick@gmail.com" target="_blank">wicksquick@gmail.com</a>' (myself) with RSA signature successful </div>
<div>Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] IKE_SA nat-t[2] established between <Server Public IP>[C=US, ST=GA, L=Atlanta, O=WQCS, CN=server, E=<a href="mailto:wicksquick@gmail.com" target="_blank">wicksquick@gmail.com</a>]...<Client Public Gateway>[C=US, ST=GA, L=Atlanta, O=Wicks Quick Computer Solution </div>
<div>Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] scheduling reauthentication in 10001s </div><div>Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] maximum IKE_SA lifetime 10541s </div><div>Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] sending end entity cert "C=US, ST=GA, L=Atlanta, O=WQCS, CN=server, E=<a href="mailto:wicksquick@gmail.com" target="_blank">wicksquick@gmail.com</a>" </div>
<div>Jan 28 08:54:22 gateway.linux.bogus syslog: 08[IKE] peer requested virtual IP %any </div><div>Jan 28 08:54:22 gateway.linux.bogus syslog: 08[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE </div><div>Jan 28 08:54:22 gateway.linux.bogus syslog: 08[IKE] configuration payload negotation failed, no CHILD_SA built </div>
<div>Jan 28 08:54:22 gateway.linux.bogus syslog: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) N(INT_ADDR_FAIL) ] </div><div>Jan 28 08:54:22 gateway.linux.bogus syslog: 08[NET] sending packet: from <Server Public IP>[4500] to <Client Public Gateway>[5990] </div>
<div><div></div><div>
<div><br><div class="gmail_quote">On Fri, Jan 28, 2011 at 8:33 AM, Robert Wicks <span dir="ltr"><<a href="mailto:robwicks@gmail.com" target="_blank">robwicks@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Different results from outside the network. This is the response I got on the Ubuntu 10.10 client when I attempted to start the connection:<div><br></div><div><div>root@rwicks-m11:~# ipsec up roadwarrior</div>
<div>initiating IKE_SA roadwarrior[1] to <Server Public IP></div><div><div>generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]</div></div><div>sending packet: from 10.0.34.103[500] to <Server Public IP>[500]</div>
<div>received packet: from <Server Public IP>[500] to 10.0.34.103[500]</div><div>parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]</div><div>local host is behind NAT, sending keep alives</div>
<div>received cert request for "C=US, ST=GA, L=Snellville, O=WQCS, OU=HQ, CN=WQCS CA, E=<a href="mailto:wicksquick@gmail.com" target="_blank">wicksquick@gmail.com</a>"</div><div>sending cert request for "C=US, ST=GA, L=Snellville, O=WQCS, OU=HQ, CN=WQCS CA, E=<a href="mailto:wicksquick@gmail.com" target="_blank">wicksquick@gmail.com</a>"</div>
<div>authentication of 'C=US, ST=GA, L=Snellville, O=WQCS, CN=toshibakey, E=<a href="mailto:wicksquick@gmail.com" target="_blank">wicksquick@gmail.com</a>' (myself) with RSA signature successful</div><div>sending end entity cert "C=US, ST=GA, L=Snellville, O=WQCS, CN=toshibakey, E=<a href="mailto:wicksquick@gmail.com" target="_blank">wicksquick@gmail.com</a>"</div>
<div>establishing CHILD_SA roadwarrior</div><div>generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH CP SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]</div><div>sending packet: from 10.0.34.103[4500] to <Server Public IP>[4500]</div>
<div>received packet: from <Server Public IP>[4500] to 10.0.34.103[4500]</div><div>parsed IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) N(INT_ADDR_FAIL) ]</div><div>received end entity cert "C=US, ST=GA, L=Snellville, O=WQCS, CN=server, E=<a href="mailto:wicksquick@gmail.com" target="_blank">wicksquick@gmail.com</a>"</div>
<div> using trusted ca certificate "C=US, ST=GA, L=Snellville, O=WQCS, OU=HQ, CN=WQCS CA, E=<a href="mailto:wicksquick@gmail.com" target="_blank">wicksquick@gmail.com</a>"</div><div>checking certificate status of "C=US, ST=GA, L=Snellville, O=WQCS, CN=server, E=<a href="mailto:wicksquick@gmail.com" target="_blank">wicksquick@gmail.com</a>"</div>
<div>certificate status is not available</div><div> reached self-signed root ca with a path length of 0</div><div> using trusted certificate "C=US, ST=GA, L=Snellville, O=WQCS, CN=server, E=<a href="mailto:wicksquick@gmail.com" target="_blank">wicksquick@gmail.com</a>"</div>
<div>authentication of 'C=US, ST=GA, L=Snellville, O=WQCS, CN=server, E=<a href="mailto:wicksquick@gmail.com" target="_blank">wicksquick@gmail.com</a>' with RSA signature successful</div><div>IKE_SA roadwarrior[1] established between 10.0.34.103[C=US, ST=GA, L=Snellville, O=WQCS, CN=toshibakey, E=<a href="mailto:wicksquick@gmail.com" target="_blank">wicksquick@gmail.com</a>]...<Server Public IP>[C=US, ST=GA, L=Snellville, O=WQCS, CN=server, E=<a href="mailto:wicksquick@gmail.com" target="_blank">wicksquick@gmail.com</a>]</div>
<div>scheduling reauthentication in 10033s</div><div>maximum IKE_SA lifetime 10573s</div><div>received INTERNAL_ADDRESS_FAILURE notify, no CHILD_SA built</div></div><div><br></div><div><br></div><div>Here are the server side logs:<div>
<br></div><div><div>Jan 28 08:22:20 gateway.linux.bogus syslog: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.7) </div><div>Jan 28 08:22:20 gateway.linux.bogus syslog: 00[NET] unable to create raw socket: Address family not supported by protocol </div>
<div>Jan 28 08:22:20 gateway.linux.bogus syslog: 00[NET] could not open IPv6 receive socket, IPv6 disabled </div><div>Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'curl': failed to load '/usr/lib/ipsec/plugins/libstrongswan-curl.so' - File not found </div>
<div>Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'ldap': failed to load '/usr/lib/ipsec/plugins/libstrongswan-ldap.so' - File not found </div><div>Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'blowfish': failed to load '/usr/lib/ipsec/plugins/libstrongswan-blowfish.so' - File not found </div>
<div>Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'mysql': failed to load '/usr/lib/ipsec/plugins/libstrongswan-mysql.so' - File not found </div><div>Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'sqlite': failed to load '/usr/lib/ipsec/plugins/libstrongswan-sqlite.so' - File not found </div>
<div>Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'attr-sql': failed to load '/usr/lib/ipsec/plugins/libstrongswan-attr-sql.so' - File not found </div><div>Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'gcrypt': failed to load '/usr/lib/ipsec/plugins/libstrongswan-gcrypt.so' - File not found </div>
<div>Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'agent': failed to load '/usr/lib/ipsec/plugins/libstrongswan-agent.so' - File not found </div><div>Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'load-tester': failed to load '/usr/lib/ipsec/plugins/libstrongswan-load-tester.so' - File not found </div>
<div>Jan 28 08:22:20 gateway.linux.bogus syslog: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts' </div><div>Jan 28 08:22:20 gateway.linux.bogus syslog: 00[CFG] loaded ca certificate "C=US, ST=GA, L=Atlanta, O=WQCS, OU=HQ, CN=WQCS CA, E=<a href="mailto:wicksquick@gmail.com" target="_blank">wicksquick@gmail.com</a>" from '/etc/ipsec.d/cacerts/ca.crt' </div>
<div>Jan 28 08:22:20 gateway.linux.bogus syslog: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts' </div><div>Jan 28 08:22:20 gateway.linux.bogus syslog: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts' </div>
<div>Jan 28 08:22:20 gateway.linux.bogus syslog: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts' </div><div>Jan 28 08:22:21 gateway.linux.bogus syslog: 00[CFG] loading crls from '/etc/ipsec.d/crls' </div>
<div>Jan 28 08:22:21 gateway.linux.bogus syslog: 00[CFG] loading secrets from '/etc/ipsec.secrets' </div><div>Jan 28 08:22:21 gateway.linux.bogus syslog: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/server.key' </div>
<div>Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'smp': failed to load '/usr/lib/ipsec/plugins/libstrongswan-smp.so' - File not found </div><div>Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'sql': failed to load '/usr/lib/ipsec/plugins/libstrongswan-sql.so' - File not found </div>
<div>Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'eap-md5': failed to load '/usr/lib/ipsec/plugins/libstrongswan-eap-md5.so' - File not found </div><div>Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'eap-mschapv2': failed to load '/usr/lib/ipsec/plugins/libstrongswan-eap-mschapv2.so' - File not found </div>
<div>Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'eap-radius': failed to load '/usr/lib/ipsec/plugins/libstrongswan-eap-radius.so' - File not found </div><div>Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'medsrv': failed to load '/usr/lib/ipsec/plugins/libstrongswan-medsrv.so' - File not found </div>
<div>Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'medcli': failed to load '/usr/lib/ipsec/plugins/libstrongswan-medcli.so' - File not found </div><div>Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'uci': failed to load '/usr/lib/ipsec/plugins/libstrongswan-uci.so' - File not found </div>
<div>Jan 28 08:22:21 gateway.linux.bogus syslog: 00[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf random x509 pubkey pkcs1 pgp dnskey pem xcbc hmac gmp stroke updown attr resolve </div><div>Jan 28 08:22:22 gateway.linux.bogus syslog: 05[CFG] left nor right host is our side, assuming left=local </div>
<div>Jan 28 08:22:22 gateway.linux.bogus syslog: 05[CFG] loaded certificate "C=US, ST=GA, L=Atlanta, O=WQCS, CN=server, E=<a href="mailto:wicksquick@gmail.com" target="_blank">wicksquick@gmail.com</a>" from 'server.crt' </div>
<div>Jan 28 08:25:23 gateway.linux.bogus syslog: 07[NET] received packet: from <Client Public Gateway>[2678] to <Server Public IP>[500] </div><div>Jan 28 08:25:24 gateway.linux.bogus syslog: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] </div>
<div>Jan 28 08:25:24 gateway.linux.bogus syslog: 07[IKE] <Client Public Gateway> is initiating an IKE_SA </div><div>Jan 28 08:25:25 gateway.linux.bogus syslog: 07[IKE] remote host is behind NAT </div><div>Jan 28 08:25:25 gateway.linux.bogus syslog: 07[IKE] sending cert request for "C=US, ST=GA, L=Atlanta, O=WQCS, OU=HQ, CN=WQCS CA, E=<a href="mailto:wicksquick@gmail.com" target="_blank">wicksquick@gmail.com</a>" </div>
<div>Jan 28 08:25:25 gateway.linux.bogus syslog: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ] </div><div>Jan 28 08:25:25 gateway.linux.bogus syslog: 07[NET] sending packet: from <Server Public IP>[500] to <Client Public Gateway>[2678] </div>
<div>Jan 28 08:25:25 gateway.linux.bogus syslog: 08[NET] received packet: from <Client Public Gateway>[5990] to <Server Public IP>[4500] </div><div>Jan 28 08:25:25 gateway.linux.bogus syslog: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH CP SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ] </div>
<div>Jan 28 08:25:25 gateway.linux.bogus syslog: 08[IKE] received cert request for "C=US, ST=GA, L=Atlanta, O=WQCS, OU=HQ, CN=WQCS CA, E=<a href="mailto:wicksquick@gmail.com" target="_blank">wicksquick@gmail.com</a>" </div>
<div>
Jan 28 08:25:25 gateway.linux.bogus syslog: 08[IKE] received end entity cert "C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=<a href="mailto:wicksquick@gmail.com" target="_blank">wicksquick@gmail.com</a>" </div>
<div>Jan 28 08:25:25 gateway.linux.bogus syslog: 08[CFG] looking for peer configs matching <Server Public IP>[C=US, ST=GA, L=Atlanta, O=WQCS, CN=server, E=<a href="mailto:wicksquick@gmail.com" target="_blank">wicksquick@gmail.com</a>]...<Client Public Gateway>[C=US, ST=GA, L=Atlanta, O=WQCS, </div>
<div>Jan 28 08:25:25 gateway.linux.bogus syslog: 08[CFG] selected peer config 'nat-t' </div><div>Jan 28 08:25:26 gateway.linux.bogus syslog: 08[CFG] using certificate "C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=<a href="mailto:wicksquick@gmail.com" target="_blank">wicksquick@gmail.com</a>" </div>
<div>Jan 28 08:25:26 gateway.linux.bogus syslog: 08[CFG] using trusted ca certificate "C=US, ST=GA, L=Atlanta, O=WQCS, OU=HQ, CN=WQCS CA, E=<a href="mailto:wicksquick@gmail.com" target="_blank">wicksquick@gmail.com</a>" </div>
<div>Jan 28 08:25:26 gateway.linux.bogus syslog: 08[CFG] checking certificate status of "C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=<a href="mailto:wicksquick@gmail.com" target="_blank">wicksquick@gmail.com</a>" </div>
<div>
Jan 28 08:25:26 gateway.linux.bogus syslog: 08[CFG] certificate status is not available </div><div>Jan 28 08:25:26 gateway.linux.bogus syslog: 08[CFG] reached self-signed root ca with a path length of 0 </div><div>Jan 28 08:25:26 gateway.linux.bogus syslog: 08[IKE] authentication of 'C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=<a href="mailto:wicksquick@gmail.com" target="_blank">wicksquick@gmail.com</a>' with RSA signature successful </div>
<div>Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] peer supports MOBIKE </div><div>Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] authentication of 'C=US, ST=GA, L=Atlanta, O=WQCS, CN=server, E=<a href="mailto:wicksquick@gmail.com" target="_blank">wicksquick@gmail.com</a>' (myself) with RSA signature successful </div>
<div>Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] IKE_SA nat-t[1] established between <Server Public IP>[C=US, ST=GA, L=Atlanta, O=WQCS, CN=server, E=<a href="mailto:wicksquick@gmail.com" target="_blank">wicksquick@gmail.com</a>]...<Client Public Gateway>[C=US, ST=GA, L=Atlanta, O=Wicks Quick Computer Solution </div>
<div>Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] scheduling reauthentication in 10044s </div><div>Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] maximum IKE_SA lifetime 10584s </div><div>Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] sending end entity cert "C=US, ST=GA, L=Atlanta, O=WQCS, CN=server, E=<a href="mailto:wicksquick@gmail.com" target="_blank">wicksquick@gmail.com</a>" </div>
<div>Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] peer requested virtual IP 10.3.0.5 </div><div>Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE </div><div>
Jan 28 08:25:28 gateway.linux.bogus syslog: 08[IKE] configuration payload negotation failed, no CHILD_SA built </div>
<div>Jan 28 08:25:28 gateway.linux.bogus syslog: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) N(INT_ADDR_FAIL) ] </div><div>Jan 28 08:25:28 gateway.linux.bogus syslog: 08[NET] sending packet: from <Server Public IP>[4500] to <Client Public Gateway>[5990] </div>
<div><br></div><div><br></div><div>Here is the ipsec.conf from the server:</div><div><br></div><pre>
config setup
	nat_traversal=yes
	strictcrlpolicy=no
	plutostart=no

conn nat-t
	authby=rsasig
	keyexchange=ikev2
	leftfirewall=yes
	left=%defaultroute
	ike=3des-sha1
	leftcert=server.crt
	rightsubnetwithin=10.3.0.0/16
	leftsubnet=192.168.2.0/24
	right=%any
	auto=add
</pre><div><br></div><div>Here is the ipsec.conf from the client:</div><div><br></div><pre>
config setup
	charondebug=all
	nat_traversal=yes

conn roadwarrior
	left=%defaultroute
	leftcert=toshiba.crt
	leftsourceip=10.3.0.5
	leftauth=rsasig
	leftfirewall=yes
	right=<Server Public IP>
	rightsubnet=192.168.2.0/24
	keyexchange=ikev2
	rightcert=server.crt
	auto=add
</pre><div><div></div><div><div><br></div><br><div class="gmail_quote">On Fri, Jan 28, 2011 at 2:22 AM, Martin Willi <span dir="ltr"><<a href="mailto:martin@strongswan.org" target="_blank">martin@strongswan.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi,<br>
<div><br>
> parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]<br>
> received NO_PROPOSAL_CHOSEN notify error<br>
<br>
</div>The responder either didn't like the proposal, or couldn't find a<br>
matching connection at all for the used IPs.<br>
<div><br>
> I see the following debug output from the gateway:<br>
<br>
</div>Your gateway log does not help much, as it does not show the relevant<br>
parts. Please set the loglevels [1] to "default = 1" and "cfg = 2" and<br>
post what you get during the connection attempt.<br>
<br>
Regards<br>
Martin<br>
<br>
[1]<a href="http://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration" target="_blank">http://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration</a><br>
<br>
<br>
</blockquote></div><br><br clear="all"><br></div></div><div>-- <br>Rob Wicks<br><a href="mailto:robwicks@gmail.com" target="_blank">robwicks@gmail.com</a><br><a href="http://robwicks.wordpress.com" target="_blank">http://robwicks.wordpress.com</a><br>
</div></div></div></div>
</blockquote></div><br>
</div></div></div></div></div>
</blockquote></div><br>
</div></div></div></div>
</blockquote></div><br>
</div></div></div></div>
</blockquote></div><br><br clear="all"><br>-- <br>Rob Wicks<br><a href="mailto:robwicks@gmail.com">robwicks@gmail.com</a><br><a href="http://robwicks.wordpress.com">http://robwicks.wordpress.com</a><br>
</div>
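The three dead ends in this thread (INTERNAL_ADDRESS_FAILURE because the gateway had no virtual IP pool, plugins that charon was told to load but could not find, and "allocating SPI failed" because no kernel interface plugin was loaded) all announce themselves in charon's log. The following is an added example, not part of the thread and not strongSwan's own tooling: a small Python triage script that parses the syslog-prefixed charon lines (and the bare lines that `ipsec up` prints on the client) and maps the signatures quoted above to the causes the thread arrived at. The sample lines are copied from the messages above; the rule table, its wording and the helper names (`parse_line`, `triage`) are the example's own.

```python
"""Triage strongSwan charon log lines for the failure signatures seen in the thread.

Constructed example: SAMPLE_LOG is copied from the thread; the rule table and
its advice text are this example's own, not strongSwan's.
"""
import re
from typing import Dict, List, Optional

# Optional syslog prefix ("Jan 28 08:22:20 host syslog: "), then charon's
# "NN[GROUP] message". `ipsec up` console output carries neither prefix, so
# both groups are optional and a bare line is returned as message only.
CHARON_RE = re.compile(
    r"^(?:\w{3} +\d+ \d\d:\d\d:\d\d \S+ \S+: )?"
    r"(?:(?P<thread>\d+)\[(?P<group>[A-Z]+)\] )?(?P<msg>.*?)\s*$"
)
PLUGIN_FAIL_RE = re.compile(r"plugin '(?P<name>[^']+)': failed to load")
LOADED_RE = re.compile(r"loaded plugins: (?P<names>.+)")

# (substring to look for, finding id, what it means for the operator)
RULES = [
    ("no virtual IP found, sending INTERNAL_ADDRESS_FAILURE", "no-virtual-ip-pool",
     "the peer requested a virtual IP (leftsourceip) but the gateway has no "
     "address pool; define rightsourceip=<pool> on the gateway"),
    ("allocating SPI failed", "spi-allocation-failed",
     "charon could not reserve an SPI from the kernel; the kernel interface "
     "plugin (kernel-netlink on Linux) is not loaded"),
    ("NO_PROPOSAL_CHOSEN", "no-proposal-chosen",
     "the responder rejected the proposal or matched no connection; compare "
     "'received proposals' with 'configured proposals' at cfg=2 log level"),
]

# Constructed sample: lines taken from the gateway and client output in the thread.
SAMPLE_LOG = [
    "Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'curl': failed to load "
    "'/usr/lib/ipsec/plugins/libstrongswan-curl.so' - File not found",
    "Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'blowfish': failed to load "
    "'/usr/lib/ipsec/plugins/libstrongswan-blowfish.so' - File not found",
    "Jan 28 08:22:21 gateway.linux.bogus syslog: 00[DMN] loaded plugins: aes des sha1 sha2 "
    "md5 fips-prf random x509 pubkey pkcs1 pgp dnskey pem xcbc hmac gmp stroke updown attr resolve",
    "Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] peer requested virtual IP 10.3.0.5",
    "Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE",
    "Jan 28 14:05:41 gateway.linux.bogus syslog: 02[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ",
    "Jan 28 14:05:41 gateway.linux.bogus syslog: 02[IKE] allocating SPI failed",
    "received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built",
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into charon thread id, log group and message."""
    m = CHARON_RE.match(line)
    if not m or not m.group("msg"):
        return None
    return {"thread": m.group("thread") or "",
            "group": m.group("group") or "",
            "msg": m.group("msg")}


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per distinct problem, in order of first sighting."""
    findings: Dict[str, Dict[str, str]] = {}
    missing_plugins: List[str] = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        pm = PLUGIN_FAIL_RE.search(msg)
        if pm:                       # collect, report once at the end
            missing_plugins.append(pm.group("name"))
            continue
        lm = LOADED_RE.search(msg)
        if lm and not any(n.startswith("kernel-") for n in lm.group("names").split()):
            findings.setdefault("no-kernel-interface", {
                "id": "no-kernel-interface", "evidence": msg,
                "advice": "no kernel-* plugin is loaded, so charon cannot install "
                          "IPsec SAs; build and load kernel-netlink"})
        for needle, fid, advice in RULES:
            if needle in msg:
                findings.setdefault(fid, {"id": fid, "evidence": msg, "advice": advice})
    if missing_plugins:
        findings["plugins-not-found"] = {
            "id": "plugins-not-found", "evidence": ", ".join(missing_plugins),
            "advice": "plugins charon was told to load are not installed; either "
                      "install them or drop them from the plugin load list"}
    return list(findings.values())


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['id']}] {f['evidence']}\n    -> {f['advice']}")
```

Run against the sample it reports the missing kernel interface first, because the "loaded plugins" line appears at daemon start, before any negotiation fails; on a real box feed it `grep charon /var/log/syslog` or the `ipsec up` output. The rule for NO_PROPOSAL_CHOSEN deliberately stays a pointer rather than a verdict, since, as Martin's reply says, the notify covers both a proposal mismatch and a connection that matched no configuration.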