[strongSwan] NO_PROPOSAL_CHOSEN with ikev2

Robert Wicks robwicks at gmail.com
Fri Jan 28 20:10:08 CET 2011


I think I'm making progress. I turned debug logging back on, and I see this
on the server:

Jan 28 14:05:41 gateway.linux.bogus syslog: 02[CFG] received proposals:
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Jan 28 14:05:41 gateway.linux.bogus syslog: 02[CFG] configured proposals:
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Jan 28 14:05:41 gateway.linux.bogus syslog: 02[CFG] selected proposal:
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Jan 28 14:05:41 gateway.linux.bogus syslog: 02[IKE] allocating SPI failed


I think this means I failed to add a particular plugin to strongswan when I
installed it. I'm putting this on a router with space limitations, so I
cannot install every plugin. Any idea which plugin will enable this
proposal?


On Fri, Jan 28, 2011 at 1:58 PM, Robert Wicks <robwicks at gmail.com> wrote:

> I then changed the server side and removed "rightsubnetwithin," instead
> using
> rightsourceip=10.3.0.0/16
>
> Now, I get this on the client:
>
> scheduling reauthentication in 9740s
> maximum IKE_SA lifetime 10280s
> installing new virtual IP 10.3.0.1
> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
>
>
> And I see this in my server logs:
>
> Jan 28 13:56:10 gateway.linux.bogus syslog: 01[IKE] assigning virtual IP
> 10.3.0.1 to peer
> Jan 28 13:56:10 gateway.linux.bogus syslog: 01[CFG] looking for a child
> config for 192.168.2.0/24 === 0.0.0.0/0
> Jan 28 13:56:10 gateway.linux.bogus syslog: 01[CFG] proposing traffic
> selectors for us:
> Jan 28 13:56:10 gateway.linux.bogus syslog: 01[CFG]  192.168.2.0/24(derived from
> 192.168.2.0/24)
> Jan 28 13:56:10 gateway.linux.bogus syslog: 01[NET] sending packet: from
> <Server Public IP>[4500] to <Client Gateway IP>[22226]
>
>
> On Fri, Jan 28, 2011 at 8:57 AM, Robert Wicks <robwicks at gmail.com> wrote:
>
>> I then changed the leftsourceip setting on the client side to "%config"
>> and got this on my server side logs:
>>
>> Jan 28 08:53:56 gateway.linux.bogus syslog: 05[NET] received packet: from
>> <Client Public Gateway>[5990] to <Server Public IP>[4500]
>> Jan 28 08:53:56 gateway.linux.bogus syslog: 05[ENC] parsed INFORMATIONAL
>> request 2 [ D ]
>> Jan 28 08:53:56 gateway.linux.bogus syslog: 05[IKE] received DELETE for
>> IKE_SA nat-t[1]
>> Jan 28 08:53:56 gateway.linux.bogus syslog: 05[IKE] deleting IKE_SA
>> nat-t[1] between <Server Public IP>[C=US, ST=GA, L=Atlanta, O=WQCS,
>> CN=server, E=wicksquick at gmail.com]...<Client Public Gateway>[C=US, ST=GA,
>> L=Atlanta, O=WQCS,
>> Jan 28 08:53:56 gateway.linux.bogus syslog: 05[IKE] IKE_SA deleted
>> Jan 28 08:53:56 gateway.linux.bogus syslog: 05[ENC] generating
>> INFORMATIONAL response 2 [ ]
>> Jan 28 08:54:19 gateway.linux.bogus syslog: 07[NET] received packet: from
>> <Client Public Gateway>[8057] to <Server Public IP>[500]
>> Jan 28 08:54:19 gateway.linux.bogus syslog: 07[ENC] parsed IKE_SA_INIT
>> request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> Jan 28 08:54:19 gateway.linux.bogus syslog: 07[IKE] <Client Public
>> Gateway> is initiating an IKE_SA
>> Jan 28 08:54:20 gateway.linux.bogus syslog: 07[IKE] remote host is behind
>> NAT
>> Jan 28 08:54:20 gateway.linux.bogus syslog: 07[IKE] sending cert request
>> for "C=US, ST=GA, L=Atlanta, O=WQCS, OU=HQ, CN=WQCS CA, E=
>> wicksquick at gmail.com"
>> Jan 28 08:54:20 gateway.linux.bogus syslog: 07[ENC] generating IKE_SA_INIT
>> response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
>> Jan 28 08:54:20 gateway.linux.bogus syslog: 07[NET] sending packet: from
>> <Server Public IP>[500] to <Client Public Gateway>[8057]
>> Jan 28 08:54:20 gateway.linux.bogus syslog: 08[NET] received packet: from
>> <Client Public Gateway>[5990] to <Server Public IP>[4500]
>> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[ENC] parsed IKE_AUTH
>> request 1 [ IDi CERT CERTREQ IDr AUTH CP SA TSi TSr N(MOBIKE_SUP)
>> N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] received cert request
>> for "C=US, ST=GA, L=Atlanta, O=WQCS, OU=HQ, CN=WQCS CA, E=
>> wicksquick at gmail.com"
>> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] received end entity
>> cert "C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=
>> wicksquick at gmail.com"
>> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[CFG] looking for peer
>> configs matching <Server Public IP>[C=US, ST=GA, L=Atlanta, O=WQCS,
>> CN=server, E=wicksquick at gmail.com]...<Client Public Gateway>[C=US, ST=GA,
>> L=Atlanta, O=WQCS,
>> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[CFG] selected peer config
>> 'nat-t'
>> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[CFG]   using certificate
>> "C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=wicksquick at gmail.com"
>> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[CFG]   using trusted ca
>> certificate "C=US, ST=GA, L=Atlanta, O=WQCS, OU=HQ, CN=WQCS CA, E=
>> wicksquick at gmail.com"
>> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[CFG] checking certificate
>> status of "C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=
>> wicksquick at gmail.com"
>> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[CFG] certificate status is
>> not available
>> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[CFG]   reached self-signed
>> root ca with a path length of 0
>> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] authentication of
>> 'C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=wicksquick at gmail.com'
>> with RSA signature successful
>> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] peer supports MOBIKE
>> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] authentication of
>> 'C=US, ST=GA, L=Atlanta, O=WQCS, CN=server, E=wicksquick at gmail.com'
>> (myself) with RSA signature successful
>> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] IKE_SA nat-t[2]
>> established between <Server Public IP>[C=US, ST=GA, L=Atlanta, O=WQCS,
>> CN=server, E=wicksquick at gmail.com]...<Client Public Gateway>[C=US, ST=GA,
>> L=Atlanta, O=Wicks Quick Computer Solution
>> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] scheduling
>> reauthentication in 10001s
>> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] maximum IKE_SA
>> lifetime 10541s
>> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] sending end entity
>> cert "C=US, ST=GA, L=Atlanta, O=WQCS, CN=server, E=wicksquick at gmail.com"
>> Jan 28 08:54:22 gateway.linux.bogus syslog: 08[IKE] peer requested virtual
>> IP %any
>> Jan 28 08:54:22 gateway.linux.bogus syslog: 08[IKE] no virtual IP found,
>> sending INTERNAL_ADDRESS_FAILURE
>> Jan 28 08:54:22 gateway.linux.bogus syslog: 08[IKE] configuration payload
>> negotation failed, no CHILD_SA built
>> Jan 28 08:54:22 gateway.linux.bogus syslog: 08[ENC] generating IKE_AUTH
>> response 1 [ IDr CERT AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR)
>> N(INT_ADDR_FAIL) ]
>> Jan 28 08:54:22 gateway.linux.bogus syslog: 08[NET] sending packet: from
>> <Server Public IP>[4500] to <Client Public Gateway>[5990]
>>
>> On Fri, Jan 28, 2011 at 8:33 AM, Robert Wicks <robwicks at gmail.com> wrote:
>>
>>> Different results from outside the network. This is the response I got on
>>> the Ubuntu 10.10 client when I attempted to start the connection:
>>>
>>> root at rwicks-m11:~# ipsec up roadwarrior
>>> initiating IKE_SA roadwarrior[1] to <Server Public IP>
>>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>>> sending packet: from 10.0.34.103[500] to <Server Public IP>[500]
>>> received packet: from <Server Public IP>[500] to 10.0.34.103[500]
>>> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
>>> CERTREQ N(MULT_AUTH) ]
>>> local host is behind NAT, sending keep alives
>>> received cert request for "C=US, ST=GA, L=Snellville, O=WQCS, OU=HQ,
>>> CN=WQCS CA, E=wicksquick at gmail.com"
>>> sending cert request for "C=US, ST=GA, L=Snellville, O=WQCS, OU=HQ,
>>> CN=WQCS CA, E=wicksquick at gmail.com"
>>> authentication of 'C=US, ST=GA, L=Snellville, O=WQCS, CN=toshibakey, E=
>>> wicksquick at gmail.com' (myself) with RSA signature successful
>>> sending end entity cert "C=US, ST=GA, L=Snellville, O=WQCS,
>>> CN=toshibakey, E=wicksquick at gmail.com"
>>> establishing CHILD_SA roadwarrior
>>> generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH CP SA TSi TSr
>>> N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>>> sending packet: from 10.0.34.103[4500] to <Server Public IP>[4500]
>>> received packet: from <Server Public IP>[4500] to 10.0.34.103[4500]
>>> parsed IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(MOBIKE_SUP)
>>> N(NO_ADD_ADDR) N(INT_ADDR_FAIL) ]
>>> received end entity cert "C=US, ST=GA, L=Snellville, O=WQCS, CN=server,
>>> E=wicksquick at gmail.com"
>>>   using trusted ca certificate "C=US, ST=GA, L=Snellville, O=WQCS, OU=HQ,
>>> CN=WQCS CA, E=wicksquick at gmail.com"
>>> checking certificate status of "C=US, ST=GA, L=Snellville, O=WQCS,
>>> CN=server, E=wicksquick at gmail.com"
>>> certificate status is not available
>>>   reached self-signed root ca with a path length of 0
>>>   using trusted certificate "C=US, ST=GA, L=Snellville, O=WQCS,
>>> CN=server, E=wicksquick at gmail.com"
>>> authentication of 'C=US, ST=GA, L=Snellville, O=WQCS, CN=server, E=
>>> wicksquick at gmail.com' with RSA signature successful
>>> IKE_SA roadwarrior[1] established between 10.0.34.103[C=US, ST=GA,
>>> L=Snellville, O=WQCS, CN=toshibakey, E=wicksquick at gmail.com]...<Server
>>> Public IP>[C=US, ST=GA, L=Snellville, O=WQCS, CN=server, E=
>>> wicksquick at gmail.com]
>>> scheduling reauthentication in 10033s
>>> maximum IKE_SA lifetime 10573s
>>> received INTERNAL_ADDRESS_FAILURE notify, no CHILD_SA built
>>>
>>>
>>> Here are the server side logs:
>>>
>>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[DMN] Starting IKEv2 charon
>>> daemon (strongSwan 4.3.7)
>>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[NET] unable to create raw
>>> socket: Address family not supported by protocol
>>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[NET] could not open IPv6
>>> receive socket, IPv6 disabled
>>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'curl': failed
>>> to load '/usr/lib/ipsec/plugins/libstrongswan-curl.so' - File not found
>>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'ldap': failed
>>> to load '/usr/lib/ipsec/plugins/libstrongswan-ldap.so' - File not found
>>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'blowfish':
>>> failed to load '/usr/lib/ipsec/plugins/libstrongswan-blowfish.so' - File not
>>> found
>>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'mysql':
>>> failed to load '/usr/lib/ipsec/plugins/libstrongswan-mysql.so' - File not
>>> found
>>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'sqlite':
>>> failed to load '/usr/lib/ipsec/plugins/libstrongswan-sqlite.so' - File not
>>> found
>>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'attr-sql':
>>> failed to load '/usr/lib/ipsec/plugins/libstrongswan-attr-sql.so' - File not
>>> found
>>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'gcrypt':
>>> failed to load '/usr/lib/ipsec/plugins/libstrongswan-gcrypt.so' - File not
>>> found
>>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'agent':
>>> failed to load '/usr/lib/ipsec/plugins/libstrongswan-agent.so' - File not
>>> found
>>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'load-tester':
>>> failed to load '/usr/lib/ipsec/plugins/libstrongswan-load-tester.so' - File
>>> not found
>>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[CFG] loading ca
>>> certificates from '/etc/ipsec.d/cacerts'
>>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[CFG]   loaded ca
>>> certificate "C=US, ST=GA, L=Atlanta, O=WQCS, OU=HQ, CN=WQCS CA, E=
>>> wicksquick at gmail.com" from '/etc/ipsec.d/cacerts/ca.crt'
>>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[CFG] loading aa
>>> certificates from '/etc/ipsec.d/aacerts'
>>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[CFG] loading ocsp signer
>>> certificates from '/etc/ipsec.d/ocspcerts'
>>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[CFG] loading attribute
>>> certificates from '/etc/ipsec.d/acerts'
>>> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[CFG] loading crls from
>>> '/etc/ipsec.d/crls'
>>> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[CFG] loading secrets from
>>> '/etc/ipsec.secrets'
>>> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[CFG]   loaded RSA private
>>> key from '/etc/ipsec.d/private/server.key'
>>> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'smp': failed
>>> to load '/usr/lib/ipsec/plugins/libstrongswan-smp.so' - File not found
>>> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'sql': failed
>>> to load '/usr/lib/ipsec/plugins/libstrongswan-sql.so' - File not found
>>> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'eap-md5':
>>> failed to load '/usr/lib/ipsec/plugins/libstrongswan-eap-md5.so' - File not
>>> found
>>> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin
>>> 'eap-mschapv2': failed to load
>>> '/usr/lib/ipsec/plugins/libstrongswan-eap-mschapv2.so' - File not found
>>> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'eap-radius':
>>> failed to load '/usr/lib/ipsec/plugins/libstrongswan-eap-radius.so' - File
>>> not found
>>> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'medsrv':
>>> failed to load '/usr/lib/ipsec/plugins/libstrongswan-medsrv.so' - File not
>>> found
>>> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'medcli':
>>> failed to load '/usr/lib/ipsec/plugins/libstrongswan-medcli.so' - File not
>>> found
>>> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'uci': failed
>>> to load '/usr/lib/ipsec/plugins/libstrongswan-uci.so' - File not found
>>> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[DMN] loaded plugins: aes
>>> des sha1 sha2 md5 fips-prf random x509 pubkey pkcs1 pgp dnskey pem xcbc hmac
>>> gmp stroke updown attr resolve
>>> Jan 28 08:22:22 gateway.linux.bogus syslog: 05[CFG] left nor right host
>>> is our side, assuming left=local
>>> Jan 28 08:22:22 gateway.linux.bogus syslog: 05[CFG]   loaded certificate
>>> "C=US, ST=GA, L=Atlanta, O=WQCS, CN=server, E=wicksquick at gmail.com" from
>>> 'server.crt'
>>> Jan 28 08:25:23 gateway.linux.bogus syslog: 07[NET] received packet: from
>>> <Client Public Gateway>[2678] to <Server Public IP>[500]
>>> Jan 28 08:25:24 gateway.linux.bogus syslog: 07[ENC] parsed IKE_SA_INIT
>>> request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>>> Jan 28 08:25:24 gateway.linux.bogus syslog: 07[IKE] <Client Public
>>> Gateway> is initiating an IKE_SA
>>> Jan 28 08:25:25 gateway.linux.bogus syslog: 07[IKE] remote host is behind
>>> NAT
>>> Jan 28 08:25:25 gateway.linux.bogus syslog: 07[IKE] sending cert request
>>> for "C=US, ST=GA, L=Atlanta, O=WQCS, OU=HQ, CN=WQCS CA, E=
>>> wicksquick at gmail.com"
>>> Jan 28 08:25:25 gateway.linux.bogus syslog: 07[ENC] generating
>>> IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ
>>> N(MULT_AUTH) ]
>>> Jan 28 08:25:25 gateway.linux.bogus syslog: 07[NET] sending packet: from
>>> <Server Public IP>[500] to <Client Public Gateway>[2678]
>>> Jan 28 08:25:25 gateway.linux.bogus syslog: 08[NET] received packet: from
>>> <Client Public Gateway>[5990] to <Server Public IP>[4500]
>>> Jan 28 08:25:25 gateway.linux.bogus syslog: 08[ENC] parsed IKE_AUTH
>>> request 1 [ IDi CERT CERTREQ IDr AUTH CP SA TSi TSr N(MOBIKE_SUP)
>>> N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>>> Jan 28 08:25:25 gateway.linux.bogus syslog: 08[IKE] received cert request
>>> for "C=US, ST=GA, L=Atlanta, O=WQCS, OU=HQ, CN=WQCS CA, E=
>>> wicksquick at gmail.com"
>>> Jan 28 08:25:25 gateway.linux.bogus syslog: 08[IKE] received end entity
>>> cert "C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=
>>> wicksquick at gmail.com"
>>> Jan 28 08:25:25 gateway.linux.bogus syslog: 08[CFG] looking for peer
>>> configs matching <Server Public IP>[C=US, ST=GA, L=Atlanta, O=WQCS,
>>> CN=server, E=wicksquick at gmail.com]...<Client Public Gateway>[C=US,
>>> ST=GA, L=Atlanta, O=WQCS,
>>> Jan 28 08:25:25 gateway.linux.bogus syslog: 08[CFG] selected peer config
>>> 'nat-t'
>>> Jan 28 08:25:26 gateway.linux.bogus syslog: 08[CFG]   using certificate
>>> "C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=wicksquick at gmail.com"
>>> Jan 28 08:25:26 gateway.linux.bogus syslog: 08[CFG]   using trusted ca
>>> certificate "C=US, ST=GA, L=Atlanta, O=WQCS, OU=HQ, CN=WQCS CA, E=
>>> wicksquick at gmail.com"
>>> Jan 28 08:25:26 gateway.linux.bogus syslog: 08[CFG] checking certificate
>>> status of "C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=
>>> wicksquick at gmail.com"
>>> Jan 28 08:25:26 gateway.linux.bogus syslog: 08[CFG] certificate status
>>> is not available
>>> Jan 28 08:25:26 gateway.linux.bogus syslog: 08[CFG]   reached self-signed
>>> root ca with a path length of 0
>>> Jan 28 08:25:26 gateway.linux.bogus syslog: 08[IKE] authentication of
>>> 'C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=wicksquick at gmail.com'
>>> with RSA signature successful
>>> Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] peer supports MOBIKE
>>> Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] authentication of
>>> 'C=US, ST=GA, L=Atlanta, O=WQCS, CN=server, E=wicksquick at gmail.com'
>>> (myself) with RSA signature successful
>>> Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] IKE_SA nat-t[1]
>>> established between <Server Public IP>[C=US, ST=GA, L=Atlanta, O=WQCS,
>>> CN=server, E=wicksquick at gmail.com]...<Client Public Gateway>[C=US,
>>> ST=GA, L=Atlanta, O=Wicks Quick Computer Solution
>>> Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] scheduling
>>> reauthentication in 10044s
>>> Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] maximum IKE_SA
>>> lifetime 10584s
>>> Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] sending end entity
>>> cert "C=US, ST=GA, L=Atlanta, O=WQCS, CN=server, E=wicksquick at gmail.com
>>> "
>>> Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] peer requested
>>> virtual IP 10.3.0.5
>>> Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] no virtual IP found,
>>> sending INTERNAL_ADDRESS_FAILURE
>>> Jan 28 08:25:28 gateway.linux.bogus syslog: 08[IKE] configuration payload
>>> negotation failed, no CHILD_SA built
>>> Jan 28 08:25:28 gateway.linux.bogus syslog: 08[ENC] generating IKE_AUTH
>>> response 1 [ IDr CERT AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR)
>>> N(INT_ADDR_FAIL) ]
>>> Jan 28 08:25:28 gateway.linux.bogus syslog: 08[NET] sending packet: from
>>> <Server Public IP>[4500] to <Client Public Gateway>[5990]
>>>
>>>
>>> Here is the ipsec.conf from the server:
>>>
>>> config setup
>>>         nat_traversal=yes
>>>         strictcrlpolicy=no
>>>         plutostart=no
>>>
>>> conn nat-t
>>>         authby=rsasig
>>>         keyexchange=ikev2
>>>         leftfirewall=yes
>>>         left=%defaultroute
>>>         ike=3des-sha1
>>>         leftcert=server.crt
>>>         rightsubnetwithin=10.3.0.0/16
>>>         leftsubnet=192.168.2.0/24
>>>         right=%any
>>>         auto=add
>>>
>>> Here is the ipsec.conf from the client:
>>>
>>> config setup
>>>         charondebug=all
>>>         nat_traversal=yes
>>>
>>> conn roadwarrior
>>>         left=%defaultroute
>>>         leftcert=toshiba.crt
>>>         leftsourceip=10.3.0.5
>>>         leftauth=rsasig
>>>         leftfirewall=yes
>>>         right=<Server Public IP>
>>>         rightsubnet=192.168.2.0/24
>>>         keyexchange=ikev2
>>>         rightcert=server.crt
>>>         auto=add
>>>
>>>
>>> On Fri, Jan 28, 2011 at 2:22 AM, Martin Willi <martin at strongswan.org> wrote:
>>>
>>>> Hi,
>>>>
>>>> > parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
>>>> > received NO_PROPOSAL_CHOSEN notify error
>>>>
>>>> The responder either didn't like the proposal, or couldn't find a
>>>> matching connection at all for the used IPs.
>>>>
>>>> > I see the following debug output from the gateway:
>>>>
>>>> Your gateway log does not help much, as it does not show the relevant
>>>> parts. Please set the loglevels [1] to "default = 1" and "cfg = 2" and
>>>> post what you get during the connection attempt.
>>>>
>>>> Regards
>>>> Martin
>>>>
>>>> [1]
>>>> http://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Rob Wicks
>>> robwicks at gmail.com
>>> http://robwicks.wordpress.com
>>>
>>
>>
>>
>> --
>> Rob Wicks
>> robwicks at gmail.com
>> http://robwicks.wordpress.com
>>
>
>
>
> --
> Rob Wicks
> robwicks at gmail.com
> http://robwicks.wordpress.com
>



-- 
Rob Wicks
robwicks at gmail.com
http://robwicks.wordpress.com
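An added triage helper, written for this page and not part of strongSwan or of the thread, that runs over constructed charon log lines modelled on the ones quoted above (hostname shortened, wrapped lines rejoined). It re-implements the responder's ESP proposal selection as a configured-order intersection, so a crypto mismatch can be told apart from the two other failures the thread shows: INTERNAL_ADDRESS_FAILURE (no virtual IP pool) and "allocating SPI failed" after a proposal was already selected. The kernel-plugin check is this example's assumption, not something the thread states: it treats SPI allocation as needing a kernel-* interface plugin (kernel-netlink or kernel-pfkey in strongSwan 4.3) in the "loaded plugins" line.

```python
import re

# Constructed sample of charon log lines, modelled on those quoted in the thread
# (hostname shortened, wrapped lines rejoined); not copied from a real system.
SAMPLE_LOG = """\
Jan 28 08:22:21 gw syslog: 00[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf random x509 pubkey pkcs1 pgp dnskey pem xcbc hmac gmp stroke updown attr resolve
Jan 28 08:25:27 gw syslog: 08[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
Jan 28 14:05:41 gw syslog: 02[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_256/3DES_CBC/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Jan 28 14:05:41 gw syslog: 02[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_256/3DES_CBC/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Jan 28 14:05:41 gw syslog: 02[IKE] allocating SPI failed
"""

FIELD = re.compile(r"\[\w+\] (received proposals|configured proposals|loaded plugins): (.*)")

def transform_type(name):
    """Bucket a transform name by IKEv2 transform type: encr, integ or esn."""
    if name in ("NO_EXT_SEQ", "EXT_SEQ"):
        return "esn"
    if name.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "integ"
    return "encr"

def parse_proposals(field):
    """'ESP:A/B/C, ESP:D/E' -> [(proto, {type: [names in listed order]}), ...]."""
    proposals = []
    for prop in filter(None, (p.strip() for p in field.split(","))):
        proto, _, transforms = prop.partition(":")
        by_type = {}
        for name in transforms.split("/"):
            by_type.setdefault(transform_type(name), []).append(name)
        proposals.append((proto, by_type))
    return proposals

def select_proposal(received, configured):
    """Responder-side selection: walk configured proposals in preference order and
    take the first received proposal that shares one transform of every type."""
    for proto, cfg in configured:
        for rproto, rcv in received:
            if rproto != proto or cfg.keys() != rcv.keys():
                continue
            chosen = []
            for ttype, names in cfg.items():
                common = [n for n in names if n in rcv[ttype]]
                if not common:
                    break
                chosen.append(common[0])
            else:
                return proto + ":" + "/".join(chosen)
    return None  # no overlap at all: the genuine crypto-mismatch NO_PROPOSAL_CHOSEN

def triage(log):
    """Return (proposal the responder would pick, findings) for one charon log."""
    facts = {m.group(1): m.group(2) for m in map(FIELD.search, log.splitlines()) if m}
    received = parse_proposals(facts.get("received proposals", ""))
    configured = parse_proposals(facts.get("configured proposals", ""))
    selected = select_proposal(received, configured) if received and configured else None
    findings = []
    if "INTERNAL_ADDRESS_FAILURE" in log:
        findings.append("virtual IP: responder has no pool to assign from (rightsourceip)")
    if received and configured and selected is None:
        findings.append("proposal mismatch: no common ESP transform set")
    # Assumption of this example: SPI allocation needs a kernel interface plugin
    # (kernel-netlink or kernel-pfkey in strongSwan 4.3) to be loaded.
    plugins = facts.get("loaded plugins", "").split()
    if "allocating SPI failed" in log and not any(p.startswith("kernel-") for p in plugins):
        findings.append("kernel interface: no kernel-* plugin loaded, SPI allocation cannot succeed")
    return selected, findings
```

Run `triage(SAMPLE_LOG)` to see the selected proposal together with the findings; a proposal being selected while the CHILD_SA still fails is the signature of a post-negotiation problem rather than a cipher mismatch.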