[strongSwan] NO_PROPOSAL_CHOSEN with ikev2

Robert Wicks robwicks at gmail.com
Fri Jan 28 14:57:09 CET 2011


I then changed the leftsourceip setting on the client side to "%config" and
got this in my server-side logs:

Jan 28 08:53:56 gateway.linux.bogus syslog: 05[NET] received packet: from
<Client Public Gateway>[5990] to <Server Public IP>[4500]
Jan 28 08:53:56 gateway.linux.bogus syslog: 05[ENC] parsed INFORMATIONAL
request 2 [ D ]
Jan 28 08:53:56 gateway.linux.bogus syslog: 05[IKE] received DELETE for
IKE_SA nat-t[1]
Jan 28 08:53:56 gateway.linux.bogus syslog: 05[IKE] deleting IKE_SA nat-t[1]
between <Server Public IP>[C=US, ST=GA, L=Atlanta, O=WQCS, CN=server, E=
wicksquick at gmail.com]...<Client Public Gateway>[C=US, ST=GA, L=Atlanta,
O=WQCS,
Jan 28 08:53:56 gateway.linux.bogus syslog: 05[IKE] IKE_SA deleted
Jan 28 08:53:56 gateway.linux.bogus syslog: 05[ENC] generating INFORMATIONAL
response 2 [ ]
Jan 28 08:54:19 gateway.linux.bogus syslog: 07[NET] received packet: from
<Client Public Gateway>[8057] to <Server Public IP>[500]
Jan 28 08:54:19 gateway.linux.bogus syslog: 07[ENC] parsed IKE_SA_INIT
request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jan 28 08:54:19 gateway.linux.bogus syslog: 07[IKE] <Client Public Gateway>
is initiating an IKE_SA
Jan 28 08:54:20 gateway.linux.bogus syslog: 07[IKE] remote host is behind
NAT
Jan 28 08:54:20 gateway.linux.bogus syslog: 07[IKE] sending cert request for
"C=US, ST=GA, L=Atlanta, O=WQCS, OU=HQ, CN=WQCS CA, E=wicksquick at gmail.com"
Jan 28 08:54:20 gateway.linux.bogus syslog: 07[ENC] generating IKE_SA_INIT
response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jan 28 08:54:20 gateway.linux.bogus syslog: 07[NET] sending packet: from
<Server Public IP>[500] to <Client Public Gateway>[8057]
Jan 28 08:54:20 gateway.linux.bogus syslog: 08[NET] received packet: from
<Client Public Gateway>[5990] to <Server Public IP>[4500]
Jan 28 08:54:21 gateway.linux.bogus syslog: 08[ENC] parsed IKE_AUTH request
1 [ IDi CERT CERTREQ IDr AUTH CP SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR)
N(MULT_AUTH) N(EAP_ONLY) ]
Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] received cert request
for "C=US, ST=GA, L=Atlanta, O=WQCS, OU=HQ, CN=WQCS CA, E=
wicksquick at gmail.com"
 Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] received end entity
cert "C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=wicksquick at gmail.com
"
Jan 28 08:54:21 gateway.linux.bogus syslog: 08[CFG] looking for peer configs
matching <Server Public IP>[C=US, ST=GA, L=Atlanta, O=WQCS, CN=server, E=
wicksquick at gmail.com]...<Client Public Gateway>[C=US, ST=GA, L=Atlanta,
O=WQCS,
Jan 28 08:54:21 gateway.linux.bogus syslog: 08[CFG] selected peer config
'nat-t'
Jan 28 08:54:21 gateway.linux.bogus syslog: 08[CFG]   using certificate
"C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=wicksquick at gmail.com"
Jan 28 08:54:21 gateway.linux.bogus syslog: 08[CFG]   using trusted ca
certificate "C=US, ST=GA, L=Atlanta, O=WQCS, OU=HQ, CN=WQCS CA, E=
wicksquick at gmail.com"
Jan 28 08:54:21 gateway.linux.bogus syslog: 08[CFG] checking certificate
status of "C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=
wicksquick at gmail.com"
 Jan 28 08:54:21 gateway.linux.bogus syslog: 08[CFG] certificate status is
not available
Jan 28 08:54:21 gateway.linux.bogus syslog: 08[CFG]   reached self-signed
root ca with a path length of 0
Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] authentication of 'C=US,
ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=wicksquick at gmail.com' with RSA
signature successful
Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] peer supports MOBIKE
Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] authentication of 'C=US,
ST=GA, L=Atlanta, O=WQCS, CN=server, E=wicksquick at gmail.com' (myself) with
RSA signature successful
Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] IKE_SA nat-t[2]
established between <Server Public IP>[C=US, ST=GA, L=Atlanta, O=WQCS,
CN=server, E=wicksquick at gmail.com]...<Client Public Gateway>[C=US, ST=GA,
L=Atlanta, O=Wicks Quick Computer Solution
Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] scheduling
reauthentication in 10001s
Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] maximum IKE_SA lifetime
10541s
Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] sending end entity cert
"C=US, ST=GA, L=Atlanta, O=WQCS, CN=server, E=wicksquick at gmail.com"
Jan 28 08:54:22 gateway.linux.bogus syslog: 08[IKE] peer requested virtual
IP %any
Jan 28 08:54:22 gateway.linux.bogus syslog: 08[IKE] no virtual IP found,
sending INTERNAL_ADDRESS_FAILURE
Jan 28 08:54:22 gateway.linux.bogus syslog: 08[IKE] configuration payload
negotation failed, no CHILD_SA built
Jan 28 08:54:22 gateway.linux.bogus syslog: 08[ENC] generating IKE_AUTH
response 1 [ IDr CERT AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR)
N(INT_ADDR_FAIL) ]
Jan 28 08:54:22 gateway.linux.bogus syslog: 08[NET] sending packet: from
<Server Public IP>[4500] to <Client Public Gateway>[5990]

On Fri, Jan 28, 2011 at 8:33 AM, Robert Wicks <robwicks at gmail.com> wrote:

> Different results from outside the network. This is the response I got on
> the Ubuntu 10.10 client when I attempted to start the connection:
>
> root at rwicks-m11:~# ipsec up roadwarrior
> initiating IKE_SA roadwarrior[1] to <Server Public IP>
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 10.0.34.103[500] to <Server Public IP>[500]
> received packet: from <Server Public IP>[500] to 10.0.34.103[500]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ
> N(MULT_AUTH) ]
> local host is behind NAT, sending keep alives
> received cert request for "C=US, ST=GA, L=Snellville, O=WQCS, OU=HQ,
> CN=WQCS CA, E=wicksquick at gmail.com"
> sending cert request for "C=US, ST=GA, L=Snellville, O=WQCS, OU=HQ, CN=WQCS
> CA, E=wicksquick at gmail.com"
> authentication of 'C=US, ST=GA, L=Snellville, O=WQCS, CN=toshibakey, E=
> wicksquick at gmail.com' (myself) with RSA signature successful
> sending end entity cert "C=US, ST=GA, L=Snellville, O=WQCS, CN=toshibakey,
> E=wicksquick at gmail.com"
> establishing CHILD_SA roadwarrior
> generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH CP SA TSi TSr
> N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> sending packet: from 10.0.34.103[4500] to <Server Public IP>[4500]
> received packet: from <Server Public IP>[4500] to 10.0.34.103[4500]
> parsed IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(MOBIKE_SUP)
> N(NO_ADD_ADDR) N(INT_ADDR_FAIL) ]
> received end entity cert "C=US, ST=GA, L=Snellville, O=WQCS, CN=server, E=
> wicksquick at gmail.com"
>   using trusted ca certificate "C=US, ST=GA, L=Snellville, O=WQCS, OU=HQ,
> CN=WQCS CA, E=wicksquick at gmail.com"
> checking certificate status of "C=US, ST=GA, L=Snellville, O=WQCS,
> CN=server, E=wicksquick at gmail.com"
> certificate status is not available
>   reached self-signed root ca with a path length of 0
>   using trusted certificate "C=US, ST=GA, L=Snellville, O=WQCS, CN=server,
> E=wicksquick at gmail.com"
> authentication of 'C=US, ST=GA, L=Snellville, O=WQCS, CN=server, E=
> wicksquick at gmail.com' with RSA signature successful
> IKE_SA roadwarrior[1] established between 10.0.34.103[C=US, ST=GA,
> L=Snellville, O=WQCS, CN=toshibakey, E=wicksquick at gmail.com]...<Server
> Public IP>[C=US, ST=GA, L=Snellville, O=WQCS, CN=server, E=
> wicksquick at gmail.com]
> scheduling reauthentication in 10033s
> maximum IKE_SA lifetime 10573s
> received INTERNAL_ADDRESS_FAILURE notify, no CHILD_SA built
>
>
> Here are the server side logs:
>
> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[DMN] Starting IKEv2 charon
> daemon (strongSwan 4.3.7)
> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[NET] unable to create raw
> socket: Address family not supported by protocol
> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[NET] could not open IPv6
> receive socket, IPv6 disabled
> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'curl': failed
> to load '/usr/lib/ipsec/plugins/libstrongswan-curl.so' - File not found
> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'ldap': failed
> to load '/usr/lib/ipsec/plugins/libstrongswan-ldap.so' - File not found
> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'blowfish':
> failed to load '/usr/lib/ipsec/plugins/libstrongswan-blowfish.so' - File not
> found
> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'mysql': failed
> to load '/usr/lib/ipsec/plugins/libstrongswan-mysql.so' - File not found
> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'sqlite': failed
> to load '/usr/lib/ipsec/plugins/libstrongswan-sqlite.so' - File not found
> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'attr-sql':
> failed to load '/usr/lib/ipsec/plugins/libstrongswan-attr-sql.so' - File not
> found
> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'gcrypt': failed
> to load '/usr/lib/ipsec/plugins/libstrongswan-gcrypt.so' - File not found
> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'agent': failed
> to load '/usr/lib/ipsec/plugins/libstrongswan-agent.so' - File not found
> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'load-tester':
> failed to load '/usr/lib/ipsec/plugins/libstrongswan-load-tester.so' - File
> not found
> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[CFG] loading ca certificates
> from '/etc/ipsec.d/cacerts'
> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[CFG]   loaded ca certificate
> "C=US, ST=GA, L=Atlanta, O=WQCS, OU=HQ, CN=WQCS CA, E=wicksquick at gmail.com"
> from '/etc/ipsec.d/cacerts/ca.crt'
> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[CFG] loading aa certificates
> from '/etc/ipsec.d/aacerts'
> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[CFG] loading ocsp signer
> certificates from '/etc/ipsec.d/ocspcerts'
> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[CFG] loading attribute
> certificates from '/etc/ipsec.d/acerts'
> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[CFG] loading crls from
> '/etc/ipsec.d/crls'
> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[CFG] loading secrets from
> '/etc/ipsec.secrets'
> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[CFG]   loaded RSA private
> key from '/etc/ipsec.d/private/server.key'
> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'smp': failed to
> load '/usr/lib/ipsec/plugins/libstrongswan-smp.so' - File not found
> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'sql': failed to
> load '/usr/lib/ipsec/plugins/libstrongswan-sql.so' - File not found
> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'eap-md5':
> failed to load '/usr/lib/ipsec/plugins/libstrongswan-eap-md5.so' - File not
> found
> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'eap-mschapv2':
> failed to load '/usr/lib/ipsec/plugins/libstrongswan-eap-mschapv2.so' - File
> not found
> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'eap-radius':
> failed to load '/usr/lib/ipsec/plugins/libstrongswan-eap-radius.so' - File
> not found
> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'medsrv': failed
> to load '/usr/lib/ipsec/plugins/libstrongswan-medsrv.so' - File not found
> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'medcli': failed
> to load '/usr/lib/ipsec/plugins/libstrongswan-medcli.so' - File not found
> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'uci': failed to
> load '/usr/lib/ipsec/plugins/libstrongswan-uci.so' - File not found
> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[DMN] loaded plugins: aes des
> sha1 sha2 md5 fips-prf random x509 pubkey pkcs1 pgp dnskey pem xcbc hmac gmp
> stroke updown attr resolve
> Jan 28 08:22:22 gateway.linux.bogus syslog: 05[CFG] left nor right host is
> our side, assuming left=local
> Jan 28 08:22:22 gateway.linux.bogus syslog: 05[CFG]   loaded certificate
> "C=US, ST=GA, L=Atlanta, O=WQCS, CN=server, E=wicksquick at gmail.com" from
> 'server.crt'
> Jan 28 08:25:23 gateway.linux.bogus syslog: 07[NET] received packet: from
> <Client Public Gateway>[2678] to <Server Public IP>[500]
> Jan 28 08:25:24 gateway.linux.bogus syslog: 07[ENC] parsed IKE_SA_INIT
> request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Jan 28 08:25:24 gateway.linux.bogus syslog: 07[IKE] <Client Public Gateway>
> is initiating an IKE_SA
> Jan 28 08:25:25 gateway.linux.bogus syslog: 07[IKE] remote host is behind
> NAT
> Jan 28 08:25:25 gateway.linux.bogus syslog: 07[IKE] sending cert request
> for "C=US, ST=GA, L=Atlanta, O=WQCS, OU=HQ, CN=WQCS CA, E=
> wicksquick at gmail.com"
> Jan 28 08:25:25 gateway.linux.bogus syslog: 07[ENC] generating IKE_SA_INIT
> response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Jan 28 08:25:25 gateway.linux.bogus syslog: 07[NET] sending packet: from
> <Server Public IP>[500] to <Client Public Gateway>[2678]
> Jan 28 08:25:25 gateway.linux.bogus syslog: 08[NET] received packet: from
> <Client Public Gateway>[5990] to <Server Public IP>[4500]
> Jan 28 08:25:25 gateway.linux.bogus syslog: 08[ENC] parsed IKE_AUTH request
> 1 [ IDi CERT CERTREQ IDr AUTH CP SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR)
> N(MULT_AUTH) N(EAP_ONLY) ]
> Jan 28 08:25:25 gateway.linux.bogus syslog: 08[IKE] received cert request
> for "C=US, ST=GA, L=Atlanta, O=WQCS, OU=HQ, CN=WQCS CA, E=
> wicksquick at gmail.com"
>  Jan 28 08:25:25 gateway.linux.bogus syslog: 08[IKE] received end entity
> cert "C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=
> wicksquick at gmail.com"
> Jan 28 08:25:25 gateway.linux.bogus syslog: 08[CFG] looking for peer
> configs matching <Server Public IP>[C=US, ST=GA, L=Atlanta, O=WQCS,
> CN=server, E=wicksquick at gmail.com]...<Client Public Gateway>[C=US, ST=GA,
> L=Atlanta, O=WQCS,
> Jan 28 08:25:25 gateway.linux.bogus syslog: 08[CFG] selected peer config
> 'nat-t'
> Jan 28 08:25:26 gateway.linux.bogus syslog: 08[CFG]   using certificate
> "C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=wicksquick at gmail.com"
> Jan 28 08:25:26 gateway.linux.bogus syslog: 08[CFG]   using trusted ca
> certificate "C=US, ST=GA, L=Atlanta, O=WQCS, OU=HQ, CN=WQCS CA, E=
> wicksquick at gmail.com"
> Jan 28 08:25:26 gateway.linux.bogus syslog: 08[CFG] checking certificate
> status of "C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=
> wicksquick at gmail.com"
>  Jan 28 08:25:26 gateway.linux.bogus syslog: 08[CFG] certificate status is
> not available
> Jan 28 08:25:26 gateway.linux.bogus syslog: 08[CFG]   reached self-signed
> root ca with a path length of 0
> Jan 28 08:25:26 gateway.linux.bogus syslog: 08[IKE] authentication of
> 'C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=wicksquick at gmail.com'
> with RSA signature successful
> Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] peer supports MOBIKE
> Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] authentication of
> 'C=US, ST=GA, L=Atlanta, O=WQCS, CN=server, E=wicksquick at gmail.com'
> (myself) with RSA signature successful
> Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] IKE_SA nat-t[1]
> established between <Server Public IP>[C=US, ST=GA, L=Atlanta, O=WQCS,
> CN=server, E=wicksquick at gmail.com]...<Client Public Gateway>[C=US, ST=GA,
> L=Atlanta, O=Wicks Quick Computer Solution
> Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] scheduling
> reauthentication in 10044s
> Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] maximum IKE_SA lifetime
> 10584s
> Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] sending end entity cert
> "C=US, ST=GA, L=Atlanta, O=WQCS, CN=server, E=wicksquick at gmail.com"
> Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] peer requested virtual
> IP 10.3.0.5
> Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] no virtual IP found,
> sending INTERNAL_ADDRESS_FAILURE
> Jan 28 08:25:28 gateway.linux.bogus syslog: 08[IKE] configuration payload
> negotation failed, no CHILD_SA built
> Jan 28 08:25:28 gateway.linux.bogus syslog: 08[ENC] generating IKE_AUTH
> response 1 [ IDr CERT AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR)
> N(INT_ADDR_FAIL) ]
> Jan 28 08:25:28 gateway.linux.bogus syslog: 08[NET] sending packet: from
> <Server Public IP>[4500] to <Client Public Gateway>[5990]
>
>
> Here is the ipsec.conf from the server:
>
> config setup
>     nat_traversal=yes
>     strictcrlpolicy=no
>     plutostart=no
>
> conn nat-t
>     authby=rsasig
>     keyexchange=ikev2
>     leftfirewall=yes
>     left=%defaultroute
>     ike=3des-sha1
>     leftcert=server.crt
>     rightsubnetwithin=10.3.0.0/16
>     leftsubnet=192.168.2.0/24
>     right=%any
>     auto=add
>
> Here is the ipsec.conf from the client:
>
> config setup
>     charondebug=all
>     nat_traversal=yes
>
> conn roadwarrior
>     left=%defaultroute
>     leftcert=toshiba.crt
>     leftsourceip=10.3.0.5
>     leftauth=rsasig
>     leftfirewall=yes
>     right=<Server Public IP>
>     rightsubnet=192.168.2.0/24
>     keyexchange=ikev2
>     rightcert=server.crt
>     auto=add
>
>
> On Fri, Jan 28, 2011 at 2:22 AM, Martin Willi <martin at strongswan.org>wrote:
>
>> Hi,
>>
>> > parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
>> > received NO_PROPOSAL_CHOSEN notify error
>>
>> The responder either didn't like the proposal, or couldn't find a
>> matching connection at all for the used IPs.
>>
>> > I see the following debug output from the gateway:
>>
>> Your gateway log does not help much, as it does not show the relevant
>> parts. Please set the loglevels [1] to "default = 1" and "cfg = 2" and
>> post what you get during the connection attempt.
>>
>> Regards
>> Martin
>>
>> [1]
>> http://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>>
>>
>>
>
>
> --
> Rob Wicks
> robwicks at gmail.com
> http://robwicks.wordpress.com
>



-- 
Rob Wicks
robwicks at gmail.com
http://robwicks.wordpress.com
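The charon log excerpts above follow one fixed record layout, and the two failure messages in this thread (NO_PROPOSAL_CHOSEN in the first attempt, INTERNAL_ADDRESS_FAILURE after the leftsourceip change) each point to a specific responder-side check. The following triage script is an added example, not code from the thread or from the strongSwan project: it parses lines of that layout, reports whether the IKE_SA came up, which virtual IP the peer requested, whether a CHILD_SA was built, and which known failure hint applies. The sample log is constructed with placeholder addresses and shortened DNs; the host name and hint wording are the example's own.

```python
import re
from collections import Counter

# Constructed sample (placeholder addresses, DNs shortened): responder-side
# charon lines of the kind quoted in the thread, one record per line.
SAMPLE_LOG = """\
Jan 28 08:54:19 gateway syslog: 07[IKE] 203.0.113.10 is initiating an IKE_SA
Jan 28 08:54:20 gateway syslog: 07[IKE] remote host is behind NAT
Jan 28 08:54:21 gateway syslog: 08[CFG] selected peer config 'nat-t'
Jan 28 08:54:21 gateway syslog: 08[IKE] IKE_SA nat-t[2] established between 198.51.100.1[CN=server]...203.0.113.10[CN=toshibakey]
Jan 28 08:54:22 gateway syslog: 08[IKE] peer requested virtual IP %any
Jan 28 08:54:22 gateway syslog: 08[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
Jan 28 08:54:22 gateway syslog: 08[IKE] configuration payload negotation failed, no CHILD_SA built
Jan 28 08:54:22 gateway syslog: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(INT_ADDR_FAIL) ]
"""

# "<Mon> <day> <time> <host> syslog: <thread>[<subsystem>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+: "
    r"(?P<thread>\d+)\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$"
)

# Failure messages seen in the thread and the responder-side check each points to.
FAILURE_HINTS = {
    "no virtual IP found, sending INTERNAL_ADDRESS_FAILURE":
        "no address pool serves this conn: add rightsourceip=<pool> on the responder",
    "received NO_PROPOSAL_CHOSEN notify error":
        "proposal rejected or no conn matched the peer addresses: compare ike= and left/right",
}

def parse_lines(text):
    """Parse charon syslog lines into dicts; lines in another format are skipped."""
    return [m.groupdict() for raw in text.splitlines()
            if (m := LINE_RE.match(raw.strip()))]

def triage(text):
    """Summarise one connection attempt from its responder-side log lines."""
    events = parse_lines(text)
    summary = {"subsystems": Counter(e["sub"] for e in events),
               "ike_sa_established": False, "requested_vip": None,
               "child_sa_built": True, "hints": []}
    for e in events:
        msg = e["msg"]
        if " established between " in msg:
            summary["ike_sa_established"] = True
        vip = re.match(r"peer requested virtual IP (\S+)$", msg)
        if vip:
            summary["requested_vip"] = vip.group(1)
        if msg.endswith("no CHILD_SA built"):
            summary["child_sa_built"] = False
        for needle, hint in FAILURE_HINTS.items():
            if needle in msg and hint not in summary["hints"]:
                summary["hints"].append(hint)
    return summary
```

Run `triage(open("/var/log/syslog").read())` on a real log slice covering one attempt; the IKE_SA authenticating successfully while no CHILD_SA is built is exactly the pattern in the thread's second attempt.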