[strongSwan] Having a problem creating a basic Site-to-Site config !!

Andreas Steffen andreas.steffen at strongswan.org
Thu Aug 25 06:25:55 CEST 2011


Hello Shashi,

ike=3des looks like a very simple proposal. Could it be that some
cryptographic plugins were not correctly loaded during the daemon
startup? Look for any strange entries in the logs.

In order to diagnose the situation could you ramp up the debugging
level on both sides by defining

  charondebug="cfg 2"

which will show the proposed and selected crypto suites.

Regards

Andreas

On 08/25/2011 12:58 AM, Shashi Yash wrote:
> Trying to setup ipsec site to site scenario on two red hat machines. I
> get the following error: "no acceptable proposal found" on both
> machines. Can you guys please tell me why I'm getting the following
> error.
> 
> I have pasted the configs and logs from both machines.
> 
> RH1: ipsec.conf
> conn net-net
>        left=10.19.61.35
>        leftsubnet=192.168.100.0/24
>        leftcert=rh1_Cert.pem
>        right=10.19.61.67
>        rightsubnet=192.168.200.0/24
>        leftid="C=us, ST=il, O=ics, OU=mp, CN=RH6-1"
>        auto=start
>        ike=3des
>        esp=aes256gcm16-modp1024-modp2048,aes128gcm16-modp1024-modp2048
> 
> 
> 
> RH2:ipsec.conf
> conn net-net
>   left=10.19.61.67
>   leftsubnet=192.168.200.0/24
>   leftcert=rh2_Cert.pem
>   right=10.19.61.35
>   rightsubnet=192.168.100.0/24
>   rightid="C=us, ST=il, O=ics, OU=mp, CN=RH6-2"
>   auto=start
>   ike=3des
>   esp=aes256gcm16-modp1024-modp2048,aes128gcm16-modp1024-modp2048
> 
> 
> RH1 Log:
> -------------------
> 13[NET] received packet: from 10.19.61.67[500] to 10.19.61.35[500]
> 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 13[IKE] 10.19.61.67 is initiating an IKE_SA
> 13[IKE] no acceptable proposal found
> 13[ENC] generating IKE_SA_INIT response 0 [ ]
> 13[NET] sending packet: from 10.19.61.35[500] to 10.19.61.67[500]
> 14[NET] received packet: from 10.19.61.67[500] to 10.19.61.35[500]
> 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 14[IKE] 10.19.61.67 is initiating an IKE_SA
> 14[IKE] no acceptable proposal found
> 
> 
> RH2 Log:
> ---------------------
> 
> 10[IKE] initiating IKE_SA net-net[1] to 10.19.61.35
> 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 10[NET] sending packet: from 10.19.61.67[500] to 10.19.61.35[500]
> 11[NET] received packet: from 10.19.61.35[500] to 10.19.61.67[500]
> 11[ENC] payload of type SECURITY_ASSOCIATION not occurred 1 times (0)
> 11[IKE] IKE_SA_INIT response with message ID 0 processing failed
> 12[IKE] retransmit 1 of request with message ID 0
> 12[NET] sending packet: from 10.19.61.67[500] to 10.19.61.35[500]
> 13[NET] received packet: from 10.19.61.35[500] to 10.19.61.67[500]
> 13[ENC] payload of type SECURITY_ASSOCIATION not occurred 1 times (0)
> 13[IKE] IKE_SA_INIT response with message ID 0 processing failed
> 14[NET] received packet: from 10.19.61.35[500] to 10.19.61.67[500]
> 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 14[IKE] 10.19.61.35 is initiating an IKE_SA
> 14[IKE] no acceptable proposal found
> 
> Thanks in Advance
> -shashi..

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
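
Added example, not part of the original thread and not strongSwan code: once `charondebug="cfg 2"` is set as suggested above, a short script like this can compare the proposals a peer sent with the ones configured locally and name the transform types that have no algorithm in common. The `received proposals:` / `configured proposals:` line format, the sample log lines, and the function names are assumptions made for illustration.

```python
import re
# Constructed sample; assumed line format: PROTO:ALG/ALG/..., proposals split by ", ".
SAMPLE_LOG = """\
13[IKE] 10.19.61.67 is initiating an IKE_SA
13[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
13[CFG] configured proposals: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
13[IKE] no acceptable proposal found
"""

LINE = re.compile(r"\[CFG\] (received|configured) proposals: (.+)$")

def transform_type(alg):
    """Heuristic (an assumption): map an algorithm name to its transform type."""
    if alg.startswith("PRF_"):
        return "prf"
    if alg.startswith(("MODP_", "ECP_")):
        return "dh"
    integ = alg.startswith("HMAC_") or "XCBC" in alg or "CMAC" in alg
    return "integ" if integ else "encr"

def parse_proposals(text):
    """Return [{type: set(algs)}, ...] for one comma-separated proposal list."""
    proposals = []
    for item in text.split(", "):
        by_type = {}
        for alg in item.split(":", 1)[1].split("/"):
            by_type.setdefault(transform_type(alg), set()).add(alg)
        proposals.append(by_type)
    return proposals

def explain_mismatch(log):
    """For each received/configured pair, list transform types with no overlap."""
    seen = {"received": [], "configured": []}
    for line in log.splitlines():
        m = LINE.search(line)
        if m:
            seen[m.group(1)] = parse_proposals(m.group(2).strip())
    report = []
    for i, rcv in enumerate(seen["received"]):
        for j, cfg in enumerate(seen["configured"]):
            missing = sorted(t for t in set(rcv) | set(cfg)
                             if not rcv.get(t, set()) & cfg.get(t, set()))
            report.append((i, j, missing))
    return report

if __name__ == "__main__":
    for i, j, missing in explain_mismatch(SAMPLE_LOG):
        print(f"received #{i} vs configured #{j}: no common {missing or 'nothing (match)'}")
```

A pair with an empty list shares at least one algorithm of every transform type; any other pair shows which part of the `ike=` or `esp=` line to align on both gateways.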



