[strongSwan] NO_PROPOSAL_CHOSEN with ikev2

Robert Wicks robwicks at gmail.com
Fri Jan 28 19:58:50 CET 2011


I then changed the server side and removed "rightsubnetwithin," instead
using
rightsourceip=10.3.0.0/16

Now, I get this on the client:

scheduling reauthentication in 9740s
maximum IKE_SA lifetime 10280s
installing new virtual IP 10.3.0.1
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built


And I see this in my server logs:

Jan 28 13:56:10 gateway.linux.bogus syslog: 01[IKE] assigning virtual IP
10.3.0.1 to peer
Jan 28 13:56:10 gateway.linux.bogus syslog: 01[CFG] looking for a child
config for 192.168.2.0/24 === 0.0.0.0/0
Jan 28 13:56:10 gateway.linux.bogus syslog: 01[CFG] proposing traffic
selectors for us:
Jan 28 13:56:10 gateway.linux.bogus syslog: 01[CFG]  192.168.2.0/24 (derived
from 192.168.2.0/24)
Jan 28 13:56:10 gateway.linux.bogus syslog: 01[NET] sending packet: from
<Server Public IP>[4500] to <Client Gateway IP>[22226]


On Fri, Jan 28, 2011 at 8:57 AM, Robert Wicks <robwicks at gmail.com> wrote:

> I then changed the leftsourceip setting on the client side to "%config" and
> got this on my server side logs:
>
> Jan 28 08:53:56 gateway.linux.bogus syslog: 05[NET] received packet: from
> <Client Public Gateway>[5990] to <Server Public IP>[4500]
> Jan 28 08:53:56 gateway.linux.bogus syslog: 05[ENC] parsed INFORMATIONAL
> request 2 [ D ]
> Jan 28 08:53:56 gateway.linux.bogus syslog: 05[IKE] received DELETE for
> IKE_SA nat-t[1]
> Jan 28 08:53:56 gateway.linux.bogus syslog: 05[IKE] deleting IKE_SA
> nat-t[1] between <Server Public IP>[C=US, ST=GA, L=Atlanta, O=WQCS,
> CN=server, E=wicksquick at gmail.com]...<Client Public Gateway>[C=US, ST=GA,
> L=Atlanta, O=WQCS,
> Jan 28 08:53:56 gateway.linux.bogus syslog: 05[IKE] IKE_SA deleted
> Jan 28 08:53:56 gateway.linux.bogus syslog: 05[ENC] generating
> INFORMATIONAL response 2 [ ]
> Jan 28 08:54:19 gateway.linux.bogus syslog: 07[NET] received packet: from
> <Client Public Gateway>[8057] to <Server Public IP>[500]
> Jan 28 08:54:19 gateway.linux.bogus syslog: 07[ENC] parsed IKE_SA_INIT
> request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Jan 28 08:54:19 gateway.linux.bogus syslog: 07[IKE] <Client Public Gateway>
> is initiating an IKE_SA
> Jan 28 08:54:20 gateway.linux.bogus syslog: 07[IKE] remote host is behind
> NAT
> Jan 28 08:54:20 gateway.linux.bogus syslog: 07[IKE] sending cert request
> for "C=US, ST=GA, L=Atlanta, O=WQCS, OU=HQ, CN=WQCS CA, E=
> wicksquick at gmail.com"
> Jan 28 08:54:20 gateway.linux.bogus syslog: 07[ENC] generating IKE_SA_INIT
> response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Jan 28 08:54:20 gateway.linux.bogus syslog: 07[NET] sending packet: from
> <Server Public IP>[500] to <Client Public Gateway>[8057]
> Jan 28 08:54:20 gateway.linux.bogus syslog: 08[NET] received packet: from
> <Client Public Gateway>[5990] to <Server Public IP>[4500]
> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[ENC] parsed IKE_AUTH request
> 1 [ IDi CERT CERTREQ IDr AUTH CP SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR)
> N(MULT_AUTH) N(EAP_ONLY) ]
> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] received cert request
> for "C=US, ST=GA, L=Atlanta, O=WQCS, OU=HQ, CN=WQCS CA, E=
> wicksquick at gmail.com"
> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] received end entity
> cert "C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=
> wicksquick at gmail.com"
> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[CFG] looking for peer
> configs matching <Server Public IP>[C=US, ST=GA, L=Atlanta, O=WQCS,
> CN=server, E=wicksquick at gmail.com]...<Client Public Gateway>[C=US, ST=GA,
> L=Atlanta, O=WQCS,
> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[CFG] selected peer config
> 'nat-t'
> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[CFG]   using certificate
> "C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=wicksquick at gmail.com"
> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[CFG]   using trusted ca
> certificate "C=US, ST=GA, L=Atlanta, O=WQCS, OU=HQ, CN=WQCS CA, E=
> wicksquick at gmail.com"
> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[CFG] checking certificate
> status of "C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=
> wicksquick at gmail.com"
> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[CFG] certificate status is
> not available
> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[CFG]   reached self-signed
> root ca with a path length of 0
> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] authentication of
> 'C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=wicksquick at gmail.com'
> with RSA signature successful
> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] peer supports MOBIKE
> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] authentication of
> 'C=US, ST=GA, L=Atlanta, O=WQCS, CN=server, E=wicksquick at gmail.com'
> (myself) with RSA signature successful
> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] IKE_SA nat-t[2]
> established between <Server Public IP>[C=US, ST=GA, L=Atlanta, O=WQCS,
> CN=server, E=wicksquick at gmail.com]...<Client Public Gateway>[C=US, ST=GA,
> L=Atlanta, O=Wicks Quick Computer Solution
> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] scheduling
> reauthentication in 10001s
> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] maximum IKE_SA lifetime
> 10541s
> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] sending end entity cert
> "C=US, ST=GA, L=Atlanta, O=WQCS, CN=server, E=wicksquick at gmail.com"
> Jan 28 08:54:22 gateway.linux.bogus syslog: 08[IKE] peer requested virtual
> IP %any
> Jan 28 08:54:22 gateway.linux.bogus syslog: 08[IKE] no virtual IP found,
> sending INTERNAL_ADDRESS_FAILURE
> Jan 28 08:54:22 gateway.linux.bogus syslog: 08[IKE] configuration payload
> negotation failed, no CHILD_SA built
> Jan 28 08:54:22 gateway.linux.bogus syslog: 08[ENC] generating IKE_AUTH
> response 1 [ IDr CERT AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR)
> N(INT_ADDR_FAIL) ]
> Jan 28 08:54:22 gateway.linux.bogus syslog: 08[NET] sending packet: from
> <Server Public IP>[4500] to <Client Public Gateway>[5990]
>
> On Fri, Jan 28, 2011 at 8:33 AM, Robert Wicks <robwicks at gmail.com> wrote:
>
>> Different results from outside the network. This is the response I got on
>> the Ubuntu 10.10 client when I attempted to start the connection:
>>
>> root@rwicks-m11:~# ipsec up roadwarrior
>> initiating IKE_SA roadwarrior[1] to <Server Public IP>
>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> sending packet: from 10.0.34.103[500] to <Server Public IP>[500]
>> received packet: from <Server Public IP>[500] to 10.0.34.103[500]
>> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ
>> N(MULT_AUTH) ]
>> local host is behind NAT, sending keep alives
>> received cert request for "C=US, ST=GA, L=Snellville, O=WQCS, OU=HQ,
>> CN=WQCS CA, E=wicksquick at gmail.com"
>> sending cert request for "C=US, ST=GA, L=Snellville, O=WQCS, OU=HQ,
>> CN=WQCS CA, E=wicksquick at gmail.com"
>> authentication of 'C=US, ST=GA, L=Snellville, O=WQCS, CN=toshibakey, E=
>> wicksquick at gmail.com' (myself) with RSA signature successful
>> sending end entity cert "C=US, ST=GA, L=Snellville, O=WQCS, CN=toshibakey,
>> E=wicksquick at gmail.com"
>> establishing CHILD_SA roadwarrior
>> generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH CP SA TSi TSr
>> N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>> sending packet: from 10.0.34.103[4500] to <Server Public IP>[4500]
>> received packet: from <Server Public IP>[4500] to 10.0.34.103[4500]
>> parsed IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(MOBIKE_SUP)
>> N(NO_ADD_ADDR) N(INT_ADDR_FAIL) ]
>> received end entity cert "C=US, ST=GA, L=Snellville, O=WQCS, CN=server, E=
>> wicksquick at gmail.com"
>>   using trusted ca certificate "C=US, ST=GA, L=Snellville, O=WQCS, OU=HQ,
>> CN=WQCS CA, E=wicksquick at gmail.com"
>> checking certificate status of "C=US, ST=GA, L=Snellville, O=WQCS,
>> CN=server, E=wicksquick at gmail.com"
>> certificate status is not available
>>   reached self-signed root ca with a path length of 0
>>   using trusted certificate "C=US, ST=GA, L=Snellville, O=WQCS, CN=server,
>> E=wicksquick at gmail.com"
>> authentication of 'C=US, ST=GA, L=Snellville, O=WQCS, CN=server, E=
>> wicksquick at gmail.com' with RSA signature successful
>> IKE_SA roadwarrior[1] established between 10.0.34.103[C=US, ST=GA,
>> L=Snellville, O=WQCS, CN=toshibakey, E=wicksquick at gmail.com]...<Server
>> Public IP>[C=US, ST=GA, L=Snellville, O=WQCS, CN=server, E=
>> wicksquick at gmail.com]
>> scheduling reauthentication in 10033s
>> maximum IKE_SA lifetime 10573s
>> received INTERNAL_ADDRESS_FAILURE notify, no CHILD_SA built
>>
>>
>> Here are the server side logs:
>>
>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[DMN] Starting IKEv2 charon
>> daemon (strongSwan 4.3.7)
>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[NET] unable to create raw
>> socket: Address family not supported by protocol
>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[NET] could not open IPv6
>> receive socket, IPv6 disabled
>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'curl': failed
>> to load '/usr/lib/ipsec/plugins/libstrongswan-curl.so' - File not found
>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'ldap': failed
>> to load '/usr/lib/ipsec/plugins/libstrongswan-ldap.so' - File not found
>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'blowfish':
>> failed to load '/usr/lib/ipsec/plugins/libstrongswan-blowfish.so' - File not
>> found
>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'mysql': failed
>> to load '/usr/lib/ipsec/plugins/libstrongswan-mysql.so' - File not found
>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'sqlite':
>> failed to load '/usr/lib/ipsec/plugins/libstrongswan-sqlite.so' - File not
>> found
>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'attr-sql':
>> failed to load '/usr/lib/ipsec/plugins/libstrongswan-attr-sql.so' - File not
>> found
>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'gcrypt':
>> failed to load '/usr/lib/ipsec/plugins/libstrongswan-gcrypt.so' - File not
>> found
>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'agent': failed
>> to load '/usr/lib/ipsec/plugins/libstrongswan-agent.so' - File not found
>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'load-tester':
>> failed to load '/usr/lib/ipsec/plugins/libstrongswan-load-tester.so' - File
>> not found
>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[CFG] loading ca
>> certificates from '/etc/ipsec.d/cacerts'
>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[CFG]   loaded ca
>> certificate "C=US, ST=GA, L=Atlanta, O=WQCS, OU=HQ, CN=WQCS CA, E=
>> wicksquick at gmail.com" from '/etc/ipsec.d/cacerts/ca.crt'
>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[CFG] loading aa
>> certificates from '/etc/ipsec.d/aacerts'
>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[CFG] loading ocsp signer
>> certificates from '/etc/ipsec.d/ocspcerts'
>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[CFG] loading attribute
>> certificates from '/etc/ipsec.d/acerts'
>> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[CFG] loading crls from
>> '/etc/ipsec.d/crls'
>> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[CFG] loading secrets from
>> '/etc/ipsec.secrets'
>> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[CFG]   loaded RSA private
>> key from '/etc/ipsec.d/private/server.key'
>> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'smp': failed
>> to load '/usr/lib/ipsec/plugins/libstrongswan-smp.so' - File not found
>> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'sql': failed
>> to load '/usr/lib/ipsec/plugins/libstrongswan-sql.so' - File not found
>> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'eap-md5':
>> failed to load '/usr/lib/ipsec/plugins/libstrongswan-eap-md5.so' - File not
>> found
>> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'eap-mschapv2':
>> failed to load '/usr/lib/ipsec/plugins/libstrongswan-eap-mschapv2.so' - File
>> not found
>> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'eap-radius':
>> failed to load '/usr/lib/ipsec/plugins/libstrongswan-eap-radius.so' - File
>> not found
>> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'medsrv':
>> failed to load '/usr/lib/ipsec/plugins/libstrongswan-medsrv.so' - File not
>> found
>> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'medcli':
>> failed to load '/usr/lib/ipsec/plugins/libstrongswan-medcli.so' - File not
>> found
>> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'uci': failed
>> to load '/usr/lib/ipsec/plugins/libstrongswan-uci.so' - File not found
>> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[DMN] loaded plugins: aes
>> des sha1 sha2 md5 fips-prf random x509 pubkey pkcs1 pgp dnskey pem xcbc hmac
>> gmp stroke updown attr resolve
>> Jan 28 08:22:22 gateway.linux.bogus syslog: 05[CFG] left nor right host is
>> our side, assuming left=local
>> Jan 28 08:22:22 gateway.linux.bogus syslog: 05[CFG]   loaded certificate
>> "C=US, ST=GA, L=Atlanta, O=WQCS, CN=server, E=wicksquick at gmail.com" from
>> 'server.crt'
>> Jan 28 08:25:23 gateway.linux.bogus syslog: 07[NET] received packet: from
>> <Client Public Gateway>[2678] to <Server Public IP>[500]
>> Jan 28 08:25:24 gateway.linux.bogus syslog: 07[ENC] parsed IKE_SA_INIT
>> request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> Jan 28 08:25:24 gateway.linux.bogus syslog: 07[IKE] <Client Public
>> Gateway> is initiating an IKE_SA
>> Jan 28 08:25:25 gateway.linux.bogus syslog: 07[IKE] remote host is behind
>> NAT
>> Jan 28 08:25:25 gateway.linux.bogus syslog: 07[IKE] sending cert request
>> for "C=US, ST=GA, L=Atlanta, O=WQCS, OU=HQ, CN=WQCS CA, E=
>> wicksquick at gmail.com"
>> Jan 28 08:25:25 gateway.linux.bogus syslog: 07[ENC] generating IKE_SA_INIT
>> response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
>> Jan 28 08:25:25 gateway.linux.bogus syslog: 07[NET] sending packet: from
>> <Server Public IP>[500] to <Client Public Gateway>[2678]
>> Jan 28 08:25:25 gateway.linux.bogus syslog: 08[NET] received packet: from
>> <Client Public Gateway>[5990] to <Server Public IP>[4500]
>> Jan 28 08:25:25 gateway.linux.bogus syslog: 08[ENC] parsed IKE_AUTH
>> request 1 [ IDi CERT CERTREQ IDr AUTH CP SA TSi TSr N(MOBIKE_SUP)
>> N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>> Jan 28 08:25:25 gateway.linux.bogus syslog: 08[IKE] received cert request
>> for "C=US, ST=GA, L=Atlanta, O=WQCS, OU=HQ, CN=WQCS CA, E=
>> wicksquick at gmail.com"
>> Jan 28 08:25:25 gateway.linux.bogus syslog: 08[IKE] received end entity
>> cert "C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=
>> wicksquick at gmail.com"
>> Jan 28 08:25:25 gateway.linux.bogus syslog: 08[CFG] looking for peer
>> configs matching <Server Public IP>[C=US, ST=GA, L=Atlanta, O=WQCS,
>> CN=server, E=wicksquick at gmail.com]...<Client Public Gateway>[C=US, ST=GA,
>> L=Atlanta, O=WQCS,
>> Jan 28 08:25:25 gateway.linux.bogus syslog: 08[CFG] selected peer config
>> 'nat-t'
>> Jan 28 08:25:26 gateway.linux.bogus syslog: 08[CFG]   using certificate
>> "C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=wicksquick at gmail.com"
>> Jan 28 08:25:26 gateway.linux.bogus syslog: 08[CFG]   using trusted ca
>> certificate "C=US, ST=GA, L=Atlanta, O=WQCS, OU=HQ, CN=WQCS CA, E=
>> wicksquick at gmail.com"
>> Jan 28 08:25:26 gateway.linux.bogus syslog: 08[CFG] checking certificate
>> status of "C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=
>> wicksquick at gmail.com"
>> Jan 28 08:25:26 gateway.linux.bogus syslog: 08[CFG] certificate status is
>> not available
>> Jan 28 08:25:26 gateway.linux.bogus syslog: 08[CFG]   reached self-signed
>> root ca with a path length of 0
>> Jan 28 08:25:26 gateway.linux.bogus syslog: 08[IKE] authentication of
>> 'C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=wicksquick at gmail.com'
>> with RSA signature successful
>> Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] peer supports MOBIKE
>> Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] authentication of
>> 'C=US, ST=GA, L=Atlanta, O=WQCS, CN=server, E=wicksquick at gmail.com'
>> (myself) with RSA signature successful
>> Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] IKE_SA nat-t[1]
>> established between <Server Public IP>[C=US, ST=GA, L=Atlanta, O=WQCS,
>> CN=server, E=wicksquick at gmail.com]...<Client Public Gateway>[C=US, ST=GA,
>> L=Atlanta, O=Wicks Quick Computer Solution
>> Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] scheduling
>> reauthentication in 10044s
>> Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] maximum IKE_SA
>> lifetime 10584s
>> Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] sending end entity
>> cert "C=US, ST=GA, L=Atlanta, O=WQCS, CN=server, E=wicksquick at gmail.com"
>> Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] peer requested virtual
>> IP 10.3.0.5
>> Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] no virtual IP found,
>> sending INTERNAL_ADDRESS_FAILURE
>> Jan 28 08:25:28 gateway.linux.bogus syslog: 08[IKE] configuration payload
>> negotation failed, no CHILD_SA built
>> Jan 28 08:25:28 gateway.linux.bogus syslog: 08[ENC] generating IKE_AUTH
>> response 1 [ IDr CERT AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR)
>> N(INT_ADDR_FAIL) ]
>> Jan 28 08:25:28 gateway.linux.bogus syslog: 08[NET] sending packet: from
>> <Server Public IP>[4500] to <Client Public Gateway>[5990]
>>
>>
>> Here is the ipsec.conf from the server:
>>
>> config setup
>>     nat_traversal=yes
>>     strictcrlpolicy=no
>>     plutostart=no
>>
>> conn nat-t
>>     authby=rsasig
>>     keyexchange=ikev2
>>     leftfirewall=yes
>>     left=%defaultroute
>>     ike=3des-sha1
>>     leftcert=server.crt
>>     rightsubnetwithin=10.3.0.0/16
>>     leftsubnet=192.168.2.0/24
>>     right=%any
>>     auto=add
>>
>> Here is the ipsec.conf from the client:
>>
>> config setup
>>     charondebug=all
>>     nat_traversal=yes
>>
>> conn roadwarrior
>>     left=%defaultroute
>>     leftcert=toshiba.crt
>>     leftsourceip=10.3.0.5
>>     leftauth=rsasig
>>     leftfirewall=yes
>>     right=<Server Public IP>
>>     rightsubnet=192.168.2.0/24
>>     keyexchange=ikev2
>>     rightcert=server.crt
>>     auto=add
>>
>>
>> On Fri, Jan 28, 2011 at 2:22 AM, Martin Willi <martin at strongswan.org>wrote:
>>
>>> Hi,
>>>
>>> > parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
>>> > received NO_PROPOSAL_CHOSEN notify error
>>>
>>> The responder either didn't like the proposal, or couldn't find a
>>> matching connection at all for the used IPs.
>>>
>>> > I see the following debug output from the gateway:
>>>
>>> Your gateway log does not help much, as it does not show the relevant
>>> parts. Please set the loglevels [1] to "default = 1" and "cfg = 2" and
>>> post what you get during the connection attempt.
>>>
>>> Regards
>>> Martin
>>>
>>> [1]
>>> http://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>>>
>>>
>>>
>>
>>
>> --
>> Rob Wicks
>> robwicks at gmail.com
>> http://robwicks.wordpress.com
>>
>
>
>
> --
> Rob Wicks
> robwicks at gmail.com
> http://robwicks.wordpress.com
>



-- 
Rob Wicks
robwicks at gmail.com
http://robwicks.wordpress.com
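
The three attempts in this thread, replayed through a toy IKEv2 responder as an added example. This code was written for this page; it is not strongSwan's charon code and it does not establish what failed on Rob's gateway. It models what RFC 7296 sections 2.9 and 3.15 ask of a responder for one CHILD_SA request: hand out a virtual IP from a rightsourceip pool when a CP payload asks for one, narrow the initiator's TSi to that address and its TSr to leftsubnet, then pick an ESP proposal, returning INTERNAL_ADDRESS_FAILURE, TS_UNACCEPTABLE or NO_PROPOSAL_CHOSEN when a step fails. Inputs come from the logs and ipsec.conf files quoted above; the TSi of the first attempt (10.3.0.5/32), the ESP lists (neither side sets esp=) and the pool and lease rules are assumptions, and the reading of the server's "192.168.2.0/24 === 0.0.0.0/0" line as TSr === TSi from the client is mine.

```python
"""Toy IKEv2 responder for one CHILD_SA request: CP handling, traffic selector narrowing
and ESP proposal selection. Illustration only, not strongSwan's charon; rules simplified."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

INT_ADDR_FAIL = "INTERNAL_ADDRESS_FAILURE"  # no virtual IP could be assigned
NO_PROP_CHOSEN = "NO_PROPOSAL_CHOSEN"       # no ESP proposal in common
TS_UNACCEPTABLE = "TS_UNACCEPTABLE"         # narrowing left no traffic selector

IPv4Net = ipaddress.IPv4Network


@dataclass
class ResponderConn:
    """Responder side of a conn: leftsubnet, acceptable ESP list, optional pool."""
    left_subnet: IPv4Net
    esp: list                       # proposals the responder accepts, own preference first
    pool: Optional[IPv4Net] = None  # rightsourceip=<cidr>; None means no virtual IPs offered
    leases: dict = field(default_factory=dict)  # peer id -> virtual IP handed out


@dataclass
class ChildRequest:
    """What the initiator sent in IKE_AUTH: CP request (if any), TSi, TSr, SA proposals."""
    peer_id: str
    cp: Optional[str]  # None = no CP payload, "%any" = any address, or a concrete address
    tsi: IPv4Net
    tsr: IPv4Net
    esp: list


def assign_virtual_ip(conn, req):
    """CP handling: hand out a pool address, or None when there is nothing to give."""
    if conn.pool is None:
        return None  # no rightsourceip pool -> INTERNAL_ADDRESS_FAILURE
    taken = set(conn.leases.values())
    wanted = None if req.cp == "%any" else ipaddress.IPv4Address(req.cp)
    # Assumption: a concrete request is honoured only if it is in the pool and free.
    if wanted is not None and wanted in conn.pool and wanted not in taken:
        conn.leases[req.peer_id] = wanted
        return wanted
    # Otherwise the first free host address; charon handed out 10.3.0.1 first above.
    for addr in conn.pool.hosts():
        if addr not in taken:
            conn.leases[req.peer_id] = addr
            return addr
    return None  # pool exhausted


def intersect(a, b):
    """Narrow two selectors to their overlap (RFC 7296 2.9); None when disjoint."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def handle_child_request(conn, req):
    """Return ("ok", tsi, tsr, esp) or ("error", <notify name>)."""
    vip = None
    if req.cp is not None:
        vip = assign_virtual_ip(conn, req)
        if vip is None:
            return ("error", INT_ADDR_FAIL)
    # A peer that got a virtual IP may only talk as that address.
    tsi = intersect(req.tsi, IPv4Net(f"{vip}/32")) if vip is not None else req.tsi
    tsr = intersect(req.tsr, conn.left_subnet)
    if tsi is None or tsr is None:
        return ("error", TS_UNACCEPTABLE)
    for prop in conn.esp:  # responder takes the first of its own that the peer offered
        if prop in req.esp:
            return ("ok", tsi, tsr, prop)
    return ("error", NO_PROP_CHOSEN)


def thread_scenarios():
    """Replay the three attempts quoted above plus two variants; results keyed by name."""
    lan = IPv4Net("192.168.2.0/24")
    any_v4 = IPv4Net("0.0.0.0/0")
    esp = ["aes128-sha1", "3des-sha1"]  # assumed: neither ipsec.conf sets esp=
    pool = IPv4Net("10.3.0.0/16")
    out = {}
    # Attempt 1: rightsubnetwithin but no rightsourceip; client requests 10.3.0.5 (TSi assumed).
    srv = ResponderConn(lan, esp, None)
    out["attempt1"] = handle_child_request(
        srv, ChildRequest("toshibakey", "10.3.0.5", IPv4Net("10.3.0.5/32"), lan, esp))
    # Attempt 2: client switched to leftsourceip=%config; server still has no pool.
    srv = ResponderConn(lan, esp, None)
    out["attempt2"] = handle_child_request(
        srv, ChildRequest("toshibakey", "%any", any_v4, lan, esp))
    # Attempt 3: rightsourceip=10.3.0.0/16; server log "192.168.2.0/24 === 0.0.0.0/0"
    # read as TSr 192.168.2.0/24, TSi 0.0.0.0/0 from the client.
    srv = ResponderConn(lan, esp, pool)
    out["attempt3"] = handle_child_request(
        srv, ChildRequest("toshibakey", "%any", any_v4, lan, esp))
    # Variant: as attempt 3, but the peer offers no ESP proposal the server accepts.
    srv = ResponderConn(lan, ["aes128-sha1"], pool)
    out["esp_mismatch"] = handle_child_request(
        srv, ChildRequest("toshibakey", "%any", any_v4, lan, ["3des-md5"]))
    # Variant: peer asks for any address but pins TSi to 10.3.0.5, which the lease won't cover.
    srv = ResponderConn(lan, esp, pool)
    out["vip_mismatch"] = handle_child_request(
        srv, ChildRequest("toshibakey", "%any", IPv4Net("10.3.0.5/32"), lan, esp))
    return out


if __name__ == "__main__":
    for name, result in thread_scenarios().items():
        print(name, result)
```

In the model, the first two attempts fail at the CP step exactly as the quoted logs do ("no virtual IP found, sending INTERNAL_ADDRESS_FAILURE"), and the third one succeeds with TSi narrowed to 10.3.0.1/32 once a pool exists. A NO_PROPOSAL_CHOSEN after a successful virtual IP assignment comes, in the model, only from the ESP proposal check; whether that is what happened on the gateway cannot be read from the server log quoted at the top, which stops after the "proposing traffic selectors for us" line, so the lines that follow it at the log level Martin asked for are the ones to look at.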