<div dir="ltr"><div>Where do I increase the logging for cfg?<br><br></div>I added the options you mentioned. I also added a leftauth and rightauth<br><br>config setup<br> strictcrlpolicy=no<br> # uniqueids = no<br> charondebug="ike 4"<br><br># Add connections here.<br>conn %default<br> ikelifetime=60m<br> keylife=20m<br> rekeymargin=3m<br> keyingtries=1<br> keyexchange=ikev2<br><br>conn rw<br> ike=aes128-sha1-modp1024<br> esp=aes128-sha1<br> authby=secret<br> leftauth=psk<br> rightauth=psk<br> left=10.100.1.20<br> leftid=10.100.1.20<br> leftfirewall=no<br> right=10.100.1.131<br> rightid=10.100.1.131<br> auto=add<br><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jul 16, 2015 at 4:48 PM, Randy Wyatt <span dir="ltr"><<a href="mailto:rwwyatt01@gmail.com" target="_blank">rwwyatt01@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">It appears that we will need increased logging for cfg as well. Have you thought about my suggestion and just hardcoding the proposal for now?<div><div class="h5"><br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jul 16, 2015 at 4:44 PM, Aaron <span dir="ltr"><<a href="mailto:hawaiiaaron@gmail.com" target="_blank">hawaiiaaron@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div>Thanks. I've added the two lines to the ipsec.conf file and increased debugging. It appears to be the same error.<br><br></div>Here is the log from the left side and right side as well as the strongswan.conf file.<br></div><div>You'll see in the logs that some certs are loaded but I am not using them in my ipsec.conf. 
I just want to use PSKs at this time.<br></div><div><br></div>#left side log<br><div>Jul 16 23:27:17 vpn02 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.0, Linux 2.6.32-431.29.2.el6.x86_64, x86_64)<br>Jul 16 23:27:17 vpn02 charon: 00[LIB] openssl FIPS mode(2) - enabled <br>Jul 16 23:27:17 vpn02 charon: 00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'<br>Jul 16 23:27:17 vpn02 charon: 00[CFG] loaded ca certificate "C=US, ST=WA, L=xxxx, O=xxxx, OU=xxxx, CN=StrongSwan Intermediate CA" from '/etc/strongswan/ipsec.d/cacerts/int.pem'<br>Jul 16 23:27:17 vpn02 charon: 00[CFG] loaded ca certificate "C=US, ST=WA, L=xxxx, O=xxxx, OU=xxxx, CN=StrongSwan Root CA" from '/etc/strongswan/ipsec.d/cacerts/rootCa.crt.pem'<br>Jul 16 23:27:17 vpn02 charon: 00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'<br>Jul 16 23:27:17 vpn02 charon: 00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'<br>Jul 16 23:27:17 vpn02 charon: 00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'<br>Jul 16 23:27:17 vpn02 charon: 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'<br>Jul 16 23:27:17 vpn02 charon: 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'<br>Jul 16 23:27:17 vpn02 charon: 00[CFG] loaded IKE secret for %any<br>Jul 16 23:27:17 vpn02 charon: 00[LIB] loaded plugins: charon curl aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp<br>Jul 16 23:27:17 vpn02 charon: 00[LIB] unable to load 3 plugin features (3 due to unmet dependencies)<br>Jul 16 23:27:17 vpn02 charon: 00[JOB] spawning 16 worker threads<br>Jul 16 23:27:17 vpn02 charon: 08[CFG] received stroke: add connection 
'rw'<br>Jul 16 23:27:17 vpn02 charon: 08[CFG] added configuration 'rw'<br>Jul 16 23:27:23 vpn02 charon: 10[CFG] received stroke: initiate 'rw'<br>Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing IKE_VENDOR task<br>Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing IKE_INIT task<br>Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing IKE_NATD task<br>Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing IKE_CERT_PRE task<br>Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing IKE_AUTH task<br>Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing IKE_CERT_POST task<br>Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing IKE_CONFIG task<br>Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing IKE_AUTH_LIFETIME task<br>Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing IKE_MOBIKE task<br>Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing CHILD_CREATE task<br>Jul 16 23:27:23 vpn02 charon: 12[IKE] activating new tasks<br>Jul 16 23:27:23 vpn02 charon: 12[IKE] activating IKE_VENDOR task<br>Jul 16 23:27:23 vpn02 charon: 12[IKE] activating IKE_INIT task<br>Jul 16 23:27:23 vpn02 charon: 12[IKE] activating IKE_NATD task<br>Jul 16 23:27:23 vpn02 charon: 12[IKE] activating IKE_CERT_PRE task<br>Jul 16 23:27:23 vpn02 charon: 12[IKE] activating IKE_AUTH task<br>Jul 16 23:27:23 vpn02 charon: 12[IKE] activating IKE_CERT_POST task<br>Jul 16 23:27:23 vpn02 charon: 12[IKE] activating IKE_CONFIG task<br>Jul 16 23:27:23 vpn02 charon: 12[IKE] activating CHILD_CREATE task<br>Jul 16 23:27:23 vpn02 charon: 12[IKE] activating IKE_AUTH_LIFETIME task<br>Jul 16 23:27:23 vpn02 charon: 12[IKE] activating IKE_MOBIKE task<br>Jul 16 23:27:23 vpn02 charon: 12[IKE] initiating IKE_SA rw[1] to 10.100.1.31<br>Jul 16 23:27:23 vpn02 charon: 12[IKE] IKE_SA rw[1] state change: CREATED => CONNECTING<br>Jul 16 23:27:23 vpn02 charon: 12[IKE] natd_chunk => 22 bytes @ 0x7fe30c0028c0<br>Jul 16 23:27:23 vpn02 charon: 12[IKE] 0: 6A 4A DE E8 FC 8C FF D9 00 00 00 00 00 00 00 00 jJ..............<br>Jul 16 23:27:23 vpn02 charon: 12[IKE] 16: 0A 64 01 1F 01 F4 .d....<br>Jul 
16 23:27:23 vpn02 charon: 12[IKE] natd_hash => 20 bytes @ 0x7fe30c0028e0<br>Jul 16 23:27:23 vpn02 charon: 12[IKE] 0: BE 1C 33 77 01 44 51 EF 11 0C 28 5E 55 66 F1 65 ..3w.DQ...(^Uf.e<br>Jul 16 23:27:23 vpn02 charon: 12[IKE] 16: 7C 85 04 6A |..j<br>Jul 16 23:27:23 vpn02 charon: 12[IKE] natd_chunk => 22 bytes @ 0x7fe30c0025c0<br>Jul 16 23:27:23 vpn02 charon: 12[IKE] 0: 6A 4A DE E8 FC 8C FF D9 00 00 00 00 00 00 00 00 jJ..............<br>Jul 16 23:27:23 vpn02 charon: 12[IKE] 16: 0A 64 01 14 01 F4 .d....<br>Jul 16 23:27:23 vpn02 charon: 12[IKE] natd_hash => 20 bytes @ 0x7fe30c0025e0<br>Jul 16 23:27:23 vpn02 charon: 12[IKE] 0: 2C 77 72 D7 74 8D 69 C1 D7 5C 90 3E B7 66 79 D9 ,wr.t.i..\.>.fy.<br>Jul 16 23:27:23 vpn02 charon: 12[IKE] 16: DB 4B 9B 3D .K.=<br>Jul 16 23:27:23 vpn02 charon: 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>Jul 16 23:27:23 vpn02 charon: 12[NET] sending packet: from 10.100.1.20[500] to 10.100.1.31[500] (964 bytes)<br>Jul 16 23:27:27 vpn02 charon: 13[IKE] retransmit 1 of request with message ID 0<br>Jul 16 23:27:27 vpn02 charon: 13[NET] sending packet: from 10.100.1.20[500] to 10.100.1.31[500] (964 bytes)<br>Jul 16 23:27:29 vpn02 charon: 14[NET] received packet: from 10.100.1.131[500] to 10.100.1.20[500] (964 bytes)<br>Jul 16 23:27:29 vpn02 charon: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>Jul 16 23:27:29 vpn02 charon: 14[IKE] no IKE config found for 10.100.1.20...10.100.1.131, sending NO_PROPOSAL_CHOSEN<br>Jul 16 23:27:29 vpn02 charon: 14[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]<br>Jul 16 23:27:29 vpn02 charon: 14[NET] sending packet: from 10.100.1.20[500] to 10.100.1.131[500] (36 bytes)<br>Jul 16 23:27:29 vpn02 charon: 14[IKE] IKE_SA (unnamed)[2] state change: CREATED => DESTROYING<br><br></div><div>#right side<br>Jul 16 23:27:12 vpn03 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.0, Linux 2.6.32-431.29.2.el6.x86_64, x86_64)<br>Jul 16 23:27:12 vpn03 
charon: 00[LIB] openssl FIPS mode(2) - enabled <br>Jul 16 23:27:12 vpn03 charon: 00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'<br>Jul 16 23:27:12 vpn03 charon: 00[CFG] loaded ca certificate "C=US, ST=WA, L=xxxxx, O=xxxxx, OU=xxxxx, CN=StrongSwan Intermediate CA" from '/etc/strongswan/ipsec.d/cacerts/int.crt.pem'<br>Jul 16 23:27:12 vpn03 charon: 00[CFG] loaded ca certificate "C=US, ST=WA, L=xxxxx, O=xxxxx, OU=xxxxx, CN=StrongSwan Root CA" from '/etc/strongswan/ipsec.d/cacerts/rootCa.crt.pem'<br>Jul 16 23:27:12 vpn03 charon: 00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'<br>Jul 16 23:27:12 vpn03 charon: 00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'<br>Jul 16 23:27:12 vpn03 charon: 00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'<br>Jul 16 23:27:12 vpn03 charon: 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'<br>Jul 16 23:27:12 vpn03 charon: 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'<br>Jul 16 23:27:12 vpn03 charon: 00[CFG] loaded IKE secret for %any<br>Jul 16 23:27:12 vpn03 charon: 00[LIB] loaded plugins: charon curl aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp<br>Jul 16 23:27:12 vpn03 charon: 00[LIB] unable to load 3 plugin features (3 due to unmet dependencies)<br>Jul 16 23:27:12 vpn03 charon: 00[JOB] spawning 16 worker threads<br>Jul 16 23:27:12 vpn03 charon: 08[CFG] received stroke: add connection 'rw'<br>Jul 16 23:27:12 vpn03 charon: 08[CFG] added configuration 'rw'<br>Jul 16 23:27:29 vpn03 charon: 10[CFG] received stroke: initiate 'rw'<br>Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing IKE_VENDOR task<br>Jul 16 23:27:29 vpn03 
charon: 12[IKE] queueing IKE_INIT task<br>Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing IKE_NATD task<br>Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing IKE_CERT_PRE task<br>Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing IKE_AUTH task<br>Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing IKE_CERT_POST task<br>Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing IKE_CONFIG task<br>Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing IKE_AUTH_LIFETIME task<br>Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing IKE_MOBIKE task<br>Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing CHILD_CREATE task<br>Jul 16 23:27:29 vpn03 charon: 12[IKE] activating new tasks<br>Jul 16 23:27:29 vpn03 charon: 12[IKE] activating IKE_VENDOR task<br>Jul 16 23:27:29 vpn03 charon: 12[IKE] activating IKE_INIT task<br>Jul 16 23:27:29 vpn03 charon: 12[IKE] activating IKE_NATD task<br>Jul 16 23:27:29 vpn03 charon: 12[IKE] activating IKE_CERT_PRE task<br>Jul 16 23:27:29 vpn03 charon: 12[IKE] activating IKE_AUTH task<br>Jul 16 23:27:29 vpn03 charon: 12[IKE] activating IKE_CERT_POST task<br>Jul 16 23:27:29 vpn03 charon: 12[IKE] activating IKE_CONFIG task<br>Jul 16 23:27:29 vpn03 charon: 12[IKE] activating CHILD_CREATE task<br>Jul 16 23:27:29 vpn03 charon: 12[IKE] activating IKE_AUTH_LIFETIME task<br>Jul 16 23:27:29 vpn03 charon: 12[IKE] activating IKE_MOBIKE task<br>Jul 16 23:27:29 vpn03 charon: 12[IKE] initiating IKE_SA rw[1] to 10.100.1.20<br>Jul 16 23:27:29 vpn03 charon: 12[IKE] IKE_SA rw[1] state change: CREATED => CONNECTING<br>Jul 16 23:27:29 vpn03 charon: 12[IKE] natd_chunk => 22 bytes @ 0x7f586c0028c0<br>Jul 16 23:27:29 vpn03 charon: 12[IKE] 0: 8E E1 E7 6D 58 37 7C 61 00 00 00 00 00 00 00 00 ...mX7|a........<br>Jul 16 23:27:29 vpn03 charon: 12[IKE] 16: 0A 64 01 14 01 F4 .d....<br>Jul 16 23:27:29 vpn03 charon: 12[IKE] natd_hash => 20 bytes @ 0x7f586c0028e0<br>Jul 16 23:27:29 vpn03 charon: 12[IKE] 0: D5 57 BE 5C 11 13 5D A8 60 7D 72 BF FC 4E A3 CF .W.\..].`}r..N..<br>Jul 16 23:27:29 vpn03 charon: 12[IKE] 16: 9C 06 49 
FD ..I.<br>Jul 16 23:27:29 vpn03 charon: 12[IKE] natd_chunk => 22 bytes @ 0x7f586c0025c0<br>Jul 16 23:27:29 vpn03 charon: 12[IKE] 0: 8E E1 E7 6D 58 37 7C 61 00 00 00 00 00 00 00 00 ...mX7|a........<br>Jul 16 23:27:29 vpn03 charon: 12[IKE] 16: 0A 64 01 83 01 F4 .d....<br>Jul 16 23:27:29 vpn03 charon: 12[IKE] natd_hash => 20 bytes @ 0x7f586c0025e0<br>Jul 16 23:27:29 vpn03 charon: 12[IKE] 0: 29 E2 9B CE 30 89 84 08 B6 13 EF D5 75 EA 11 74 )...0.......u..t<br>Jul 16 23:27:29 vpn03 charon: 12[IKE] 16: C7 9F E7 7B ...{<br>Jul 16 23:27:29 vpn03 charon: 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>Jul 16 23:27:29 vpn03 charon: 12[NET] sending packet: from 10.100.1.131[500] to 10.100.1.20[500] (964 bytes)<br>Jul 16 23:27:29 vpn03 charon: 13[NET] received packet: from 10.100.1.20[500] to 10.100.1.131[500] (36 bytes)<br>Jul 16 23:27:29 vpn03 charon: 13[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]<br>Jul 16 23:27:29 vpn03 charon: 13[IKE] received NO_PROPOSAL_CHOSEN notify error<br>Jul 16 23:27:29 vpn03 charon: 13[IKE] IKE_SA rw[1] state change: CONNECTING => DESTROYING<br><br></div><div>#strongswan.conf<br>charon {<br> load_modular = yes<br> plugins {<br> include strongswan.d/charon/*.conf<br> }<br>}<br><br>include strongswan.d/*.conf<br><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jul 16, 2015 at 3:10 PM, Randy Wyatt <span dir="ltr"><<a href="mailto:rwwyatt01@gmail.com" target="_blank">rwwyatt01@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Have you tried limiting the proposals supported?<div>ike=aes128-sha1-modp1024</div><div>esp=aes128-sha1</div><div><br></div><div>If you don't specify the proposal, everything is sent. 
Can you increase the debugging on ike so we can look a little more at the proposal and configured?</div><div><br></div><div>Regards,</div><div>Randy</div><div><br></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div>On Thu, Jul 16, 2015 at 2:08 PM, Aaron <span dir="ltr"><<a href="mailto:hawaiiaaron@gmail.com" target="_blank">hawaiiaaron@gmail.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><div dir="ltr"><div>Hi, I have strongSwan set up in a host-to-host configuration using a shared secret for testing, but am not able to get it to establish a tunnel. The left side attempts to retransmit packets till it gives up and on the right side I receive this error. Any help appreciated. Thanks!<br><br>Jul 16 21:01:19 vpn02 charon: 12[NET] received packet: from 10.100.1.20[500] to 10.100.1.131[500] (36 bytes)<br>Jul 16 21:01:19 vpn02 charon: 12[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]<br>Jul 16 21:01:19 vpn02 charon: 12[IKE] received NO_PROPOSAL_CHOSEN notify error<br><br></div><div>#ipsec.conf file<br></div>#right side and leftside are identical<br><div>config setup<br> charondebug=all<br><br>conn %default<br> ikelifetime=60m<br> keylife=20m<br> rekeymargin=3m<br> keyingtries=1<br> keyexchange=ikev2<br> authby=psk<br><br>conn rw<br> left=10.100.1.20<br> leftid=10.100.1.20<br> leftfirewall=no<br> right=10.100.1.131<br> rightid=10.100.1.131<br> auto=start<br> authby=psk<br><br></div><div># ipsec.secrets file<br>: PSK "mypsksecret"<br><br></div></div>
<br></div></div>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.strongswan.org" target="_blank">Users@lists.strongswan.org</a><br>
<a href="https://lists.strongswan.org/mailman/listinfo/users" rel="noreferrer" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br></blockquote></div><br><br clear="all"><div><br></div><br><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><table style="background-color:rgb(242,245,247)" border="0" cellpadding="4" cellspacing="0" width="93%" align="center"><tbody><tr><td style="width:169px;line-height:155%" valign="top"><font style="font-size:11px;margin-top:4px" valign="top" face="Verdana, Arial" color="#000000"><b></b></font></td><td valign="top"><span style="color:rgb(0,51,102);font-size:18px;font-weight:bold"><font color="#1155cc"><br></font></span></td></tr></tbody></table></div></div></div></div></div></div></div>
</div></div>
</blockquote></div><br></div>
</blockquote></div><br><br clear="all"><div><br></div><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><table style="background-color:rgb(242,245,247)" border="0" cellpadding="4" cellspacing="0" width="93%" align="center"><tbody></tbody></table></div></div></div></div></div></div></div>
</div></div></div></div>
</blockquote></div><br></div>
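An added cross-check for the failure in this thread (example code written for this page, not part of the thread and not strongSwan's own tooling). The vpn02 log quoted above records `initiating IKE_SA rw[1] to 10.100.1.31` while the conn posted for vpn02 has `right=10.100.1.131`, and its later line `no IKE config found for 10.100.1.20...10.100.1.131, sending NO_PROPOSAL_CHOSEN` is charon reporting that no loaded conn matches that address pair, which is a different failure from a cipher-suite mismatch. The script parses an ipsec.conf and a few charon log lines and reports endpoint mismatches of that kind. The config (abridged) and the log lines embedded in it are constructed samples copied from the messages above; the finding text and the suggestion to compare against `ipsec statusall` are my own.

```python
import re

# Constructed sample: abridged copy of the vpn02 (left side) ipsec.conf posted above.
IPSEC_CONF = """\
config setup
    strictcrlpolicy=no
    charondebug="ike 4"

conn %default
    keyingtries=1
    keyexchange=ikev2

conn rw
    ike=aes128-sha1-modp1024
    esp=aes128-sha1
    authby=secret
    left=10.100.1.20
    leftid=10.100.1.20
    right=10.100.1.131
    rightid=10.100.1.131
    auto=add
"""

# Constructed sample: three lines copied from the vpn02 charon log posted above.
CHARON_LOG = """\
Jul 16 23:27:23 vpn02 charon: 12[IKE] initiating IKE_SA rw[1] to 10.100.1.31
Jul 16 23:27:29 vpn02 charon: 14[NET] received packet: from 10.100.1.131[500] to 10.100.1.20[500] (964 bytes)
Jul 16 23:27:29 vpn02 charon: 14[IKE] no IKE config found for 10.100.1.20...10.100.1.131, sending NO_PROPOSAL_CHOSEN
"""

_INITIATE = re.compile(r"initiating IKE_SA (\S+?)\[\d+\] to (\S+)")
_NO_CONFIG = re.compile(r"no IKE config found for (\S+?)\.\.\.(\S+?),")


def parse_ipsec_conf(text):
    """Return {conn_name: options}, with 'conn %default' folded into each conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue  # blank or comment-only line
        if not raw[:1].isspace():
            kind, _, name = line.partition(" ")  # 'config setup' / 'conn rw'
            current = (kind, name.strip())
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip().strip('"')
    default = sections.get(("conn", "%default"), {})
    conns = {}
    for (kind, name), opts in sections.items():
        if kind == "conn" and name != "%default":
            conns[name] = {**default, **opts}
    return conns


def parse_log(text):
    """Pull the endpoint-related events out of charon log lines."""
    events = []
    for line in text.splitlines():
        m = _INITIATE.search(line)
        if m:
            events.append(("initiate", m.group(1), m.group(2)))
            continue
        m = _NO_CONFIG.search(line)
        if m:
            events.append(("no_config", m.group(1), m.group(2)))
    return events


def check_endpoints(conns, events):
    """Compare what charon did with the left/right pairs of the parsed conns.

    Pairs are compared as sets: strongSwan decides on its own which of
    left/right is the local host, so one file may be used on both peers.
    """
    findings = []
    for event in events:
        if event[0] == "initiate":
            _, name, peer = event
            conn = conns.get(name)
            if conn is None:
                findings.append(f"log initiates conn '{name}', which is not in the parsed config")
            elif peer not in (conn.get("left"), conn.get("right")):
                findings.append(
                    f"conn '{name}' initiates to {peer} but the parsed config has "
                    f"left={conn.get('left')} right={conn.get('right')}: the running daemon "
                    f"is not using the config shown (typo, or not reloaded)")
        else:
            _, local, remote = event
            matches = [n for n, c in conns.items()
                       if {c.get("left"), c.get("right")} == {local, remote}]
            if matches:
                findings.append(
                    f"charon found no conn for {local}...{remote}, yet {matches} in the parsed "
                    f"config cover exactly that pair: the loaded config differs from the one shown "
                    f"(compare 'ipsec statusall', then 'ipsec reload')")
            else:
                findings.append(
                    f"no conn has left/right matching {local}...{remote}: this NO_PROPOSAL_CHOSEN "
                    f"is a config-lookup failure, not a cipher proposal mismatch")
    return findings


if __name__ == "__main__":
    for finding in check_endpoints(parse_ipsec_conf(IPSEC_CONF), parse_log(CHARON_LOG)):
        print("-", finding)
```

Run it against your own `/etc/strongswan/ipsec.conf` and the charon lines from syslog; the useful habit it encodes is to read the `[IKE]` line immediately before a `NO_PROPOSAL_CHOSEN` response, since charon says there whether it rejected the proposals or never found a matching conn at all.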