<div dir="ltr">Hi users<br><br>As a simple test on virtual ethernet with ipsec, I use this scenario:<div><br></div><div>system 1:</div><div style>ip address of ETH3 === <a href="http://192.168.20.110/24">192.168.20.110/24</a></div>
<div style>ip address of ETH3:0 === <a href="http://192.168.20.34/24">192.168.20.34/24</a></div><div>subnet="<a href="http://192.168.18.0/24">192.168.18.0/24</a>"<br></div><div><br></div><div>system2:</div><div>
ip address of ETH3 === 192.168.20.176</div><div>subnet="<a href="http://192.168.58.0/24">192.168.58.0/24</a>"<br></div><div style><br></div><div style>I ran ipsec in both systems, but NO_PROP error occurred. when I executed "ipsec up test8" on 192.168.20.176, tunnels were established.</div>
<div style>with a simple look in logs, this is clear that "system 2" received request from 192.168.20.110 instead of 192.168.20.34. this results in NO_PROP error.</div><div style><br></div><div style>If I change IP of virtual ethernet so that range of it differs from ip of ethernet, it resolves the problem. I don't know what causes the problem. I looked at the ARP table but it seemed right.</div>
<div style><br></div><div style>does anybody have any idea about it?</div><div style><br></div><div style>Best regards</div><div style>Ali</div><div><br></div><div>strongswan 5.0.1, kernel version == 2.6.34.1<br><br>############### ipsec.conf on <a href="http://192.168.20.110">192.168.20.110</a>:<div>
<div><br></div><div>config setup<br></div><div> uniqueids="no"</div><div> strictcrlpolicy="no"</div><div><br></div><div>conn %default</div><div> keyingtries="%forever"</div>
<div> leftsendcert="always"</div></div><div><br></div><div>conn test9<br></div><div><div> authby="psk"</div><div> auto="start"</div><div> type="tunnel"</div>
<div> compress="no"</div><div> rekeymargin="540s"</div><div> left="192.168.20.34"</div><div> leftid="999"</div><div> leftsubnet="<a href="http://192.168.18.0/24">192.168.18.0/24</a>"</div>
<div> right="192.168.20.176"</div><div> rightid="9999"</div><div> rightsubnet="<a href="http://192.168.58.0/24">192.168.58.0/24</a>"</div><div> ike="aes256-md5-modp4096!"</div>
<div> esp="aes256-md5-modp1024!"</div><div> ikelifetime="3600"</div><div> keylife="3600"</div><div> keyexchange="ikev2"</div><div> dpdaction = "restart"</div>
<div> dpddelay = "30s"</div><div> dpdtimeout = "165s"</div><div><br></div><div style>############# ipsec.secrets on <a href="http://192.168.20.110">192.168.20.110</a>:</div><div style><br>
</div><div style>999 9999 : PSK "my_secret"<br></div><div><br></div><div style>############# ipsec.conf on <a href="http://192.168.20.176">192.168.20.176</a>:</div><div style><br></div><div style><div><div>config setup<br>
</div><div> uniqueids="no"</div><div> strictcrlpolicy="no"</div><div><br></div><div>conn %default</div><div> keyingtries="%forever"</div><div> leftsendcert="always"</div>
</div><div><br></div></div><div style><div>conn test8</div><div> authby="psk"</div><div> auto="add"</div><div> type="tunnel"</div><div> compress="no"</div>
<div> rekeymargin="540s"</div><div> left="192.168.20.176"</div><div> leftid="9999"</div><div> leftsubnet="<a href="http://192.168.58.0/24">192.168.58.0/24</a>"</div>
<div> right="192.168.20.34"</div><div> rightid="999"</div><div> rightsubnet="<a href="http://192.168.18.0/24">192.168.18.0/24</a>"</div><div> ike="aes256-md5-modp4096!"</div>
<div> esp="aes256-md5-modp1024!"</div><div> ikelifetime="3600"</div><div> keylife="3600"</div><div> keyexchange="ikev2"</div><div> dpdaction = "restart"</div>
<div> dpddelay = "30s"</div><div> dpdtimeout = "900s"</div><div><br></div><div style>############# ipsec.secrets on <a href="http://192.168.20.176">192.168.20.176</a>:</div><div style><br>
</div><div style>9999 999 : PSK "my_secret"<br></div></div><br>log on <a href="http://192.168.20.110">192.168.20.110</a>:<br><br>Jun 22 12:18:12 04[NET] <test9|14> received packet: from 192.168.20.176[500] to 192.168.20.34[500]<br>
Jun 22 12:18:12 04[ENC] <test9|14> parsing body of message, first payload is NOTIFY<br>Jun 22 12:18:12 04[ENC] <test9|14> starting parsing a NOTIFY payload<br>Jun 22 12:18:12 04[ENC] <test9|14> parsing NOTIFY payload, 8 bytes left<br>
.</div><div>.</div><div>.</div><div>Jun 22 12:18:12 04[ENC] <test9|14> parsing NOTIFY payload finished<br>Jun 22 12:18:12 04[ENC] <test9|14> verifying payload of type NOTIFY<br>Jun 22 12:18:12 04[ENC] <test9|14> NOTIFY payload verified. Adding to payload list<br>
Jun 22 12:18:12 04[ENC] <test9|14> process payload of type NOTIFY<br>Jun 22 12:18:12 04[ENC] <test9|14> verifying message structure<br>Jun 22 12:18:12 04[ENC] <test9|14> found payload of type NOTIFY<br>Jun 22 12:18:12 04[ENC] <test9|14> parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]<br>
Jun 22 12:18:12 04[IKE] <test9|14> received NO_PROPOSAL_CHOSEN notify error<br>Jun 22 12:18:12 04[MGR] <test9|14> checkin and destroy IKE_SA test9[14]<br>Jun 22 12:18:12 04[IKE] <test9|14> IKE_SA test9[14] state change: CONNECTING => DESTROYING<br>
Jun 22 12:18:12 04[MGR] check-in and destroy of IKE_SA successful<br><br><br>log on <a href="http://192.168.20.176">192.168.20.176</a>:<br><br>Jun 23 09:01:07 10[ENC] <13> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>
Jun 23 09:01:07 10[CFG] <13> looking for an ike config for 192.168.20.176...192.168.20.110<br>Jun 23 09:01:07 10[CFG] <13> ike config match: 0 (192.168.20.176 192.168.20.110)<br>Jun 23 09:01:07 10[CFG] <13> ike config match: 0 (192.168.20.176 192.168.20.110)<br>
Jun 23 09:01:07 10[CFG] <13> ike config match: 0 (192.168.20.176 192.168.20.110)<br>Jun 23 09:01:07 10[CFG] <13> ike config match: 0 (192.168.20.176 192.168.20.110)<br>Jun 23 09:01:07 10[IKE] <13> no IKE config found for 192.168.20.176...<font color="#000000">192.168.20.110</font>, sending NO_PROPOSAL_CHOSEN<br>
Jun 23 09:01:07 10[ENC] <13> added payload of type NOTIFY to message<br>Jun 23 09:01:07 10[ENC] <13> added payload of type NOTIFY to message<br>Jun 23 09:01:07 10[ENC] <13> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]</div>
</div></div>