[strongSwan] SOLVED: Re: NO_PROPOSAL_CHOSEN with ikev2

Robert Wicks robwicks at gmail.com
Fri Jan 28 21:10:52 CET 2011


Success! Looks like the "kernel-netlink" plugin was required. Now that I
understand what better to look for, I'm going to trim it down to the minimal
number of packages required. Thanks for the pointers in the right direction.

On Fri, Jan 28, 2011 at 2:10 PM, Robert Wicks <robwicks at gmail.com> wrote:

> I think I'm making progress. I turned debug logging back on, and I see this
> on the server:
>
> Jan 28 14:05:41 gateway.linux.bogus syslog: 02[CFG] received proposals:
> ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
> ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
> ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
> Jan 28 14:05:41 gateway.linux.bogus syslog: 02[CFG] configured proposals:
> ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
> ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
> ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
> Jan 28 14:05:41 gateway.linux.bogus syslog: 02[CFG] selected proposal:
> ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
> Jan 28 14:05:41 gateway.linux.bogus syslog: 02[IKE] allocating SPI failed
>
>
> I think this means I failed to add a particular plugin to strongswan when I
> installed it. I'm putting this on a router with space limitations, so I
> cannot install every plugin. Any idea which plugin will enable this
> proposal?
>
>
> On Fri, Jan 28, 2011 at 1:58 PM, Robert Wicks <robwicks at gmail.com> wrote:
>
>> I then changed the server side and removed "rightsubnetwithin," instead
>> using
>> rightsourceip=10.3.0.0/16
>>
>> Now, I get this on the client:
>>
>> scheduling reauthentication in 9740s
>> maximum IKE_SA lifetime 10280s
>> installing new virtual IP 10.3.0.1
>> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
>>
>>
>> And I see this in my server logs:
>>
>> Jan 28 13:56:10 gateway.linux.bogus syslog: 01[IKE] assigning virtual IP
>> 10.3.0.1 to peer
>> Jan 28 13:56:10 gateway.linux.bogus syslog: 01[CFG] looking for a child
>> config for 192.168.2.0/24 === 0.0.0.0/0
>> Jan 28 13:56:10 gateway.linux.bogus syslog: 01[CFG] proposing traffic
>> selectors for us:
>> Jan 28 13:56:10 gateway.linux.bogus syslog: 01[CFG]  192.168.2.0/24(derived from
>> 192.168.2.0/24)
>> Jan 28 13:56:10 gateway.linux.bogus syslog: 01[NET] sending packet: from
>> <Server Public IP>[4500] to <Client Gateway IP>[22226]
>>
>>
>> On Fri, Jan 28, 2011 at 8:57 AM, Robert Wicks <robwicks at gmail.com> wrote:
>>
>>> I then changed the leftsourceip setting on the client side to "%config"
>>> and got this on my server side logs:
>>>
>>> Jan 28 08:53:56 gateway.linux.bogus syslog: 05[NET] received packet: from
>>> <Client Public Gateway>[5990] to <Server Public IP>[4500]
>>> Jan 28 08:53:56 gateway.linux.bogus syslog: 05[ENC] parsed INFORMATIONAL
>>> request 2 [ D ]
>>> Jan 28 08:53:56 gateway.linux.bogus syslog: 05[IKE] received DELETE for
>>> IKE_SA nat-t[1]
>>> Jan 28 08:53:56 gateway.linux.bogus syslog: 05[IKE] deleting IKE_SA
>>> nat-t[1] between <Server Public IP>[C=US, ST=GA, L=Atlanta, O=WQCS,
>>> CN=server, E=wicksquick at gmail.com]...<Client Public Gateway>[C=US,
>>> ST=GA, L=Atlanta, O=WQCS,
>>> Jan 28 08:53:56 gateway.linux.bogus syslog: 05[IKE] IKE_SA deleted
>>> Jan 28 08:53:56 gateway.linux.bogus syslog: 05[ENC] generating
>>> INFORMATIONAL response 2 [ ]
>>> Jan 28 08:54:19 gateway.linux.bogus syslog: 07[NET] received packet: from
>>> <Client Public Gateway>[8057] to <Server Public IP>[500]
>>> Jan 28 08:54:19 gateway.linux.bogus syslog: 07[ENC] parsed IKE_SA_INIT
>>> request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>>> Jan 28 08:54:19 gateway.linux.bogus syslog: 07[IKE] <Client Public
>>> Gateway> is initiating an IKE_SA
>>> Jan 28 08:54:20 gateway.linux.bogus syslog: 07[IKE] remote host is behind
>>> NAT
>>> Jan 28 08:54:20 gateway.linux.bogus syslog: 07[IKE] sending cert request
>>> for "C=US, ST=GA, L=Atlanta, O=WQCS, OU=HQ, CN=WQCS CA, E=
>>> wicksquick at gmail.com"
>>> Jan 28 08:54:20 gateway.linux.bogus syslog: 07[ENC] generating
>>> IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ
>>> N(MULT_AUTH) ]
>>> Jan 28 08:54:20 gateway.linux.bogus syslog: 07[NET] sending packet: from
>>> <Server Public IP>[500] to <Client Public Gateway>[8057]
>>> Jan 28 08:54:20 gateway.linux.bogus syslog: 08[NET] received packet: from
>>> <Client Public Gateway>[5990] to <Server Public IP>[4500]
>>> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[ENC] parsed IKE_AUTH
>>> request 1 [ IDi CERT CERTREQ IDr AUTH CP SA TSi TSr N(MOBIKE_SUP)
>>> N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>>> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] received cert request
>>> for "C=US, ST=GA, L=Atlanta, O=WQCS, OU=HQ, CN=WQCS CA, E=
>>> wicksquick at gmail.com"
>>>  Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] received end entity
>>> cert "C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=
>>> wicksquick at gmail.com"
>>> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[CFG] looking for peer
>>> configs matching <Server Public IP>[C=US, ST=GA, L=Atlanta, O=WQCS,
>>> CN=server, E=wicksquick at gmail.com]...<Client Public Gateway>[C=US,
>>> ST=GA, L=Atlanta, O=WQCS,
>>> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[CFG] selected peer config
>>> 'nat-t'
>>> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[CFG]   using certificate
>>> "C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=wicksquick at gmail.com"
>>> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[CFG]   using trusted ca
>>> certificate "C=US, ST=GA, L=Atlanta, O=WQCS, OU=HQ, CN=WQCS CA, E=
>>> wicksquick at gmail.com"
>>> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[CFG] checking certificate
>>> status of "C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=
>>> wicksquick at gmail.com"
>>>  Jan 28 08:54:21 gateway.linux.bogus syslog: 08[CFG] certificate status
>>> is not available
>>> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[CFG]   reached self-signed
>>> root ca with a path length of 0
>>> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] authentication of
>>> 'C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=wicksquick at gmail.com'
>>> with RSA signature successful
>>> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] peer supports MOBIKE
>>> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] authentication of
>>> 'C=US, ST=GA, L=Atlanta, O=WQCS, CN=server, E=wicksquick at gmail.com'
>>> (myself) with RSA signature successful
>>> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] IKE_SA nat-t[2]
>>> established between <Server Public IP>[C=US, ST=GA, L=Atlanta, O=WQCS,
>>> CN=server, E=wicksquick at gmail.com]...<Client Public Gateway>[C=US,
>>> ST=GA, L=Atlanta, O=Wicks Quick Computer Solution
>>> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] scheduling
>>> reauthentication in 10001s
>>> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] maximum IKE_SA
>>> lifetime 10541s
>>> Jan 28 08:54:21 gateway.linux.bogus syslog: 08[IKE] sending end entity
>>> cert "C=US, ST=GA, L=Atlanta, O=WQCS, CN=server, E=wicksquick at gmail.com
>>> "
>>> Jan 28 08:54:22 gateway.linux.bogus syslog: 08[IKE] peer requested
>>> virtual IP %any
>>> Jan 28 08:54:22 gateway.linux.bogus syslog: 08[IKE] no virtual IP found,
>>> sending INTERNAL_ADDRESS_FAILURE
>>> Jan 28 08:54:22 gateway.linux.bogus syslog: 08[IKE] configuration payload
>>> negotation failed, no CHILD_SA built
>>> Jan 28 08:54:22 gateway.linux.bogus syslog: 08[ENC] generating IKE_AUTH
>>> response 1 [ IDr CERT AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR)
>>> N(INT_ADDR_FAIL) ]
>>> Jan 28 08:54:22 gateway.linux.bogus syslog: 08[NET] sending packet: from
>>> <Server Public IP>[4500] to <Client Public Gateway>[5990]
>>>
>>> On Fri, Jan 28, 2011 at 8:33 AM, Robert Wicks <robwicks at gmail.com> wrote:
>>>
>>>> Different results from outside the network. This is the response I got
>>>> on the Ubuntu 10.10 client when I attempted to start the connection:
>>>>
>>>> root at rwicks-m11:~# ipsec up roadwarrior
>>>> initiating IKE_SA roadwarrior[1] to <Server Public IP>
>>>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>>>> sending packet: from 10.0.34.103[500] to <Server Public IP>[500]
>>>> received packet: from <Server Public IP>[500] to 10.0.34.103[500]
>>>> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
>>>> CERTREQ N(MULT_AUTH) ]
>>>> local host is behind NAT, sending keep alives
>>>> received cert request for "C=US, ST=GA, L=Snellville, O=WQCS, OU=HQ,
>>>> CN=WQCS CA, E=wicksquick at gmail.com"
>>>> sending cert request for "C=US, ST=GA, L=Snellville, O=WQCS, OU=HQ,
>>>> CN=WQCS CA, E=wicksquick at gmail.com"
>>>> authentication of 'C=US, ST=GA, L=Snellville, O=WQCS, CN=toshibakey, E=
>>>> wicksquick at gmail.com' (myself) with RSA signature successful
>>>> sending end entity cert "C=US, ST=GA, L=Snellville, O=WQCS,
>>>> CN=toshibakey, E=wicksquick at gmail.com"
>>>> establishing CHILD_SA roadwarrior
>>>> generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH CP SA TSi TSr
>>>> N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>>>> sending packet: from 10.0.34.103[4500] to <Server Public IP>[4500]
>>>> received packet: from <Server Public IP>[4500] to 10.0.34.103[4500]
>>>> parsed IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(MOBIKE_SUP)
>>>> N(NO_ADD_ADDR) N(INT_ADDR_FAIL) ]
>>>> received end entity cert "C=US, ST=GA, L=Snellville, O=WQCS, CN=server,
>>>> E=wicksquick at gmail.com"
>>>>   using trusted ca certificate "C=US, ST=GA, L=Snellville, O=WQCS,
>>>> OU=HQ, CN=WQCS CA, E=wicksquick at gmail.com"
>>>> checking certificate status of "C=US, ST=GA, L=Snellville, O=WQCS,
>>>> CN=server, E=wicksquick at gmail.com"
>>>> certificate status is not available
>>>>   reached self-signed root ca with a path length of 0
>>>>   using trusted certificate "C=US, ST=GA, L=Snellville, O=WQCS,
>>>> CN=server, E=wicksquick at gmail.com"
>>>> authentication of 'C=US, ST=GA, L=Snellville, O=WQCS, CN=server, E=
>>>> wicksquick at gmail.com' with RSA signature successful
>>>> IKE_SA roadwarrior[1] established between 10.0.34.103[C=US, ST=GA,
>>>> L=Snellville, O=WQCS, CN=toshibakey, E=wicksquick at gmail.com]...<Server
>>>> Public IP>[C=US, ST=GA, L=Snellville, O=WQCS, CN=server, E=
>>>> wicksquick at gmail.com]
>>>> scheduling reauthentication in 10033s
>>>> maximum IKE_SA lifetime 10573s
>>>> received INTERNAL_ADDRESS_FAILURE notify, no CHILD_SA built
>>>>
>>>>
>>>> Here are the server side logs:
>>>>
>>>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[DMN] Starting IKEv2
>>>> charon daemon (strongSwan 4.3.7)
>>>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[NET] unable to create raw
>>>> socket: Address family not supported by protocol
>>>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[NET] could not open IPv6
>>>> receive socket, IPv6 disabled
>>>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'curl':
>>>> failed to load '/usr/lib/ipsec/plugins/libstrongswan-curl.so' - File not
>>>> found
>>>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'ldap':
>>>> failed to load '/usr/lib/ipsec/plugins/libstrongswan-ldap.so' - File not
>>>> found
>>>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'blowfish':
>>>> failed to load '/usr/lib/ipsec/plugins/libstrongswan-blowfish.so' - File not
>>>> found
>>>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'mysql':
>>>> failed to load '/usr/lib/ipsec/plugins/libstrongswan-mysql.so' - File not
>>>> found
>>>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'sqlite':
>>>> failed to load '/usr/lib/ipsec/plugins/libstrongswan-sqlite.so' - File not
>>>> found
>>>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'attr-sql':
>>>> failed to load '/usr/lib/ipsec/plugins/libstrongswan-attr-sql.so' - File not
>>>> found
>>>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'gcrypt':
>>>> failed to load '/usr/lib/ipsec/plugins/libstrongswan-gcrypt.so' - File not
>>>> found
>>>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'agent':
>>>> failed to load '/usr/lib/ipsec/plugins/libstrongswan-agent.so' - File not
>>>> found
>>>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin
>>>> 'load-tester': failed to load
>>>> '/usr/lib/ipsec/plugins/libstrongswan-load-tester.so' - File not found
>>>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[CFG] loading ca
>>>> certificates from '/etc/ipsec.d/cacerts'
>>>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[CFG]   loaded ca
>>>> certificate "C=US, ST=GA, L=Atlanta, O=WQCS, OU=HQ, CN=WQCS CA, E=
>>>> wicksquick at gmail.com" from '/etc/ipsec.d/cacerts/ca.crt'
>>>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[CFG] loading aa
>>>> certificates from '/etc/ipsec.d/aacerts'
>>>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[CFG] loading ocsp signer
>>>> certificates from '/etc/ipsec.d/ocspcerts'
>>>> Jan 28 08:22:20 gateway.linux.bogus syslog: 00[CFG] loading attribute
>>>> certificates from '/etc/ipsec.d/acerts'
>>>> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[CFG] loading crls from
>>>> '/etc/ipsec.d/crls'
>>>> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[CFG] loading secrets from
>>>> '/etc/ipsec.secrets'
>>>> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[CFG]   loaded RSA private
>>>> key from '/etc/ipsec.d/private/server.key'
>>>> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'smp': failed
>>>> to load '/usr/lib/ipsec/plugins/libstrongswan-smp.so' - File not found
>>>> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'sql': failed
>>>> to load '/usr/lib/ipsec/plugins/libstrongswan-sql.so' - File not found
>>>> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'eap-md5':
>>>> failed to load '/usr/lib/ipsec/plugins/libstrongswan-eap-md5.so' - File not
>>>> found
>>>> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin
>>>> 'eap-mschapv2': failed to load
>>>> '/usr/lib/ipsec/plugins/libstrongswan-eap-mschapv2.so' - File not found
>>>> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'eap-radius':
>>>> failed to load '/usr/lib/ipsec/plugins/libstrongswan-eap-radius.so' - File
>>>> not found
>>>> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'medsrv':
>>>> failed to load '/usr/lib/ipsec/plugins/libstrongswan-medsrv.so' - File not
>>>> found
>>>> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'medcli':
>>>> failed to load '/usr/lib/ipsec/plugins/libstrongswan-medcli.so' - File not
>>>> found
>>>> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[LIB] plugin 'uci': failed
>>>> to load '/usr/lib/ipsec/plugins/libstrongswan-uci.so' - File not found
>>>> Jan 28 08:22:21 gateway.linux.bogus syslog: 00[DMN] loaded plugins: aes
>>>> des sha1 sha2 md5 fips-prf random x509 pubkey pkcs1 pgp dnskey pem xcbc hmac
>>>> gmp stroke updown attr resolve
>>>> Jan 28 08:22:22 gateway.linux.bogus syslog: 05[CFG] left nor right host
>>>> is our side, assuming left=local
>>>> Jan 28 08:22:22 gateway.linux.bogus syslog: 05[CFG]   loaded certificate
>>>> "C=US, ST=GA, L=Atlanta, O=WQCS, CN=server, E=wicksquick at gmail.com"
>>>> from 'server.crt'
>>>> Jan 28 08:25:23 gateway.linux.bogus syslog: 07[NET] received packet:
>>>> from <Client Public Gateway>[2678] to <Server Public IP>[500]
>>>> Jan 28 08:25:24 gateway.linux.bogus syslog: 07[ENC] parsed IKE_SA_INIT
>>>> request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>>>> Jan 28 08:25:24 gateway.linux.bogus syslog: 07[IKE] <Client Public
>>>> Gateway> is initiating an IKE_SA
>>>> Jan 28 08:25:25 gateway.linux.bogus syslog: 07[IKE] remote host is
>>>> behind NAT
>>>> Jan 28 08:25:25 gateway.linux.bogus syslog: 07[IKE] sending cert request
>>>> for "C=US, ST=GA, L=Atlanta, O=WQCS, OU=HQ, CN=WQCS CA, E=
>>>> wicksquick at gmail.com"
>>>> Jan 28 08:25:25 gateway.linux.bogus syslog: 07[ENC] generating
>>>> IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ
>>>> N(MULT_AUTH) ]
>>>> Jan 28 08:25:25 gateway.linux.bogus syslog: 07[NET] sending packet: from
>>>> <Server Public IP>[500] to <Client Public Gateway>[2678]
>>>> Jan 28 08:25:25 gateway.linux.bogus syslog: 08[NET] received packet:
>>>> from <Client Public Gateway>[5990] to <Server Public IP>[4500]
>>>> Jan 28 08:25:25 gateway.linux.bogus syslog: 08[ENC] parsed IKE_AUTH
>>>> request 1 [ IDi CERT CERTREQ IDr AUTH CP SA TSi TSr N(MOBIKE_SUP)
>>>> N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>>>> Jan 28 08:25:25 gateway.linux.bogus syslog: 08[IKE] received cert
>>>> request for "C=US, ST=GA, L=Atlanta, O=WQCS, OU=HQ, CN=WQCS CA, E=
>>>> wicksquick at gmail.com"
>>>>  Jan 28 08:25:25 gateway.linux.bogus syslog: 08[IKE] received end entity
>>>> cert "C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=
>>>> wicksquick at gmail.com"
>>>> Jan 28 08:25:25 gateway.linux.bogus syslog: 08[CFG] looking for peer
>>>> configs matching <Server Public IP>[C=US, ST=GA, L=Atlanta, O=WQCS,
>>>> CN=server, E=wicksquick at gmail.com]...<Client Public Gateway>[C=US,
>>>> ST=GA, L=Atlanta, O=WQCS,
>>>> Jan 28 08:25:25 gateway.linux.bogus syslog: 08[CFG] selected peer config
>>>> 'nat-t'
>>>> Jan 28 08:25:26 gateway.linux.bogus syslog: 08[CFG]   using certificate
>>>> "C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=wicksquick at gmail.com
>>>> "
>>>> Jan 28 08:25:26 gateway.linux.bogus syslog: 08[CFG]   using trusted ca
>>>> certificate "C=US, ST=GA, L=Atlanta, O=WQCS, OU=HQ, CN=WQCS CA, E=
>>>> wicksquick at gmail.com"
>>>> Jan 28 08:25:26 gateway.linux.bogus syslog: 08[CFG] checking certificate
>>>> status of "C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=
>>>> wicksquick at gmail.com"
>>>>  Jan 28 08:25:26 gateway.linux.bogus syslog: 08[CFG] certificate status
>>>> is not available
>>>> Jan 28 08:25:26 gateway.linux.bogus syslog: 08[CFG]   reached
>>>> self-signed root ca with a path length of 0
>>>> Jan 28 08:25:26 gateway.linux.bogus syslog: 08[IKE] authentication of
>>>> 'C=US, ST=GA, L=Atlanta, O=WQCS, CN=toshibakey, E=wicksquick at gmail.com'
>>>> with RSA signature successful
>>>> Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] peer supports
>>>> MOBIKE
>>>> Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] authentication of
>>>> 'C=US, ST=GA, L=Atlanta, O=WQCS, CN=server, E=wicksquick at gmail.com'
>>>> (myself) with RSA signature successful
>>>> Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] IKE_SA nat-t[1]
>>>> established between <Server Public IP>[C=US, ST=GA, L=Atlanta, O=WQCS,
>>>> CN=server, E=wicksquick at gmail.com]...<Client Public Gateway>[C=US,
>>>> ST=GA, L=Atlanta, O=Wicks Quick Computer Solution
>>>> Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] scheduling
>>>> reauthentication in 10044s
>>>> Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] maximum IKE_SA
>>>> lifetime 10584s
>>>> Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] sending end entity
>>>> cert "C=US, ST=GA, L=Atlanta, O=WQCS, CN=server, E=wicksquick at gmail.com
>>>> "
>>>> Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] peer requested
>>>> virtual IP 10.3.0.5
>>>> Jan 28 08:25:27 gateway.linux.bogus syslog: 08[IKE] no virtual IP found,
>>>> sending INTERNAL_ADDRESS_FAILURE
>>>> Jan 28 08:25:28 gateway.linux.bogus syslog: 08[IKE] configuration
>>>> payload negotation failed, no CHILD_SA built
>>>> Jan 28 08:25:28 gateway.linux.bogus syslog: 08[ENC] generating IKE_AUTH
>>>> response 1 [ IDr CERT AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR)
>>>> N(INT_ADDR_FAIL) ]
>>>> Jan 28 08:25:28 gateway.linux.bogus syslog: 08[NET] sending packet: from
>>>> <Server Public IP>[4500] to <Client Public Gateway>[5990]
>>>>
>>>>
>>>> Here is the ipsec.conf from the server:
>>>>
>>>> config setup
>>>>     nat_traversal=yes
>>>>     strictcrlpolicy=no
>>>>     plutostart=no
>>>>
>>>> conn nat-t
>>>>     authby=rsasig
>>>>     keyexchange=ikev2
>>>>     leftfirewall=yes
>>>>     left=%defaultroute
>>>>     ike=3des-sha1
>>>>     leftcert=server.crt
>>>>     rightsubnetwithin=10.3.0.0/16
>>>>     leftsubnet=192.168.2.0/24
>>>>     right=%any
>>>>     auto=add
>>>>
>>>> Here is the ipsec.conf from the client:
>>>>
>>>> config setup
>>>>     charondebug=all
>>>>     nat_traversal=yes
>>>>
>>>> conn roadwarrior
>>>>     left=%defaultroute
>>>>     leftcert=toshiba.crt
>>>>     leftsourceip=10.3.0.5
>>>>     leftauth=rsasig
>>>>     leftfirewall=yes
>>>>     right=<Server Public IP>
>>>>     rightsubnet=192.168.2.0/24
>>>>     keyexchange=ikev2
>>>>     rightcert=server.crt
>>>>     auto=add
>>>>
>>>>
>>>> On Fri, Jan 28, 2011 at 2:22 AM, Martin Willi <martin at strongswan.org> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> > parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
>>>>> > received NO_PROPOSAL_CHOSEN notify error
>>>>>
>>>>> The responder either didn't like the proposal, or couldn't find a
>>>>> matching connection at all for the used IPs.
>>>>>
>>>>> > I see the following debug output from the gateway:
>>>>>
>>>>> Your gateway log does not help much, as it does not show the relevant
>>>>> parts. Please set the loglevels [1] to "default = 1" and "cfg = 2" and
>>>>> post what you get during the connection attempt.
>>>>>
>>>>> Regards
>>>>> Martin
>>>>>
>>>>> [1]
>>>>> http://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Rob Wicks
>>>> robwicks at gmail.com
>>>> http://robwicks.wordpress.com
>>>>
>>>
>>>
>>
>>
>
>



-- 
Rob Wicks
robwicks at gmail.com
http://robwicks.wordpress.com
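As an added diagnostic (not part of this thread and not strongSwan's own tooling), a small Python triage script that scans charon log lines for the three failure signatures the thread walks through: a "loaded plugins" line with no kernel interface plugin, "allocating SPI failed" after a proposal was already selected (so not a cipher mismatch), and "no virtual IP found". The sample lines are constructed from the quoted log output; kernel-pfkey is assumed here as the PF_KEY alternative to kernel-netlink.

```python
import re

# Sample gateway log constructed from the lines quoted in this thread.
SAMPLE_GATEWAY_LOG = """\
Jan 28 08:22:20 gateway.linux.bogus syslog: 00[LIB] plugin 'curl': failed to load '/usr/lib/ipsec/plugins/libstrongswan-curl.so' - File not found
Jan 28 08:22:21 gateway.linux.bogus syslog: 00[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf random x509 pubkey pkcs1 pgp dnskey pem xcbc hmac gmp stroke updown attr resolve
Jan 28 08:54:22 gateway.linux.bogus syslog: 08[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
Jan 28 14:05:41 gateway.linux.bogus syslog: 02[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Jan 28 14:05:41 gateway.linux.bogus syslog: 02[IKE] allocating SPI failed
"""

# Plugins that give charon an IPsec kernel interface. kernel-netlink is the one
# the thread needed; kernel-pfkey is assumed as the PF_KEY alternative.
KERNEL_PLUGINS = ("kernel-netlink", "kernel-pfkey")

_PLUGIN_FAIL = re.compile(r"plugin '([^']+)': failed to load")
_LOADED = re.compile(r"loaded plugins: (.*)$")
_SELECTED = re.compile(r"selected proposal: (\S+)")


def triage_charon_log(text):
    """Return findings for the failure modes discussed in the thread."""
    loaded, failed, selected = set(), [], None
    findings = {"failed_plugins": failed, "problems": []}
    for line in text.splitlines():
        m = _LOADED.search(line)
        if m:
            loaded.update(m.group(1).split())
        m = _PLUGIN_FAIL.search(line)
        if m:
            failed.append(m.group(1))
        m = _SELECTED.search(line)
        if m:
            selected = m.group(1)
        if "no virtual IP found" in line and "INTERNAL_ADDRESS_FAILURE" in line:
            # Peer asked for an address but the gateway has no pool to hand out;
            # the thread fixed this with rightsourceip=<pool> on the gateway.
            findings["problems"].append(
                "no virtual IP pool on the gateway (set rightsourceip=<pool>)")
        if "allocating SPI failed" in line:
            why = "kernel SPI allocation failed"
            if selected:
                # A proposal was agreed first, so the crypto matched; the
                # failure is in talking to the kernel, not in the cipher list.
                why += f" after proposal {selected} was selected, not a cipher mismatch"
            findings["problems"].append(why)
    findings["loaded_plugins"] = sorted(loaded)
    findings["kernel_plugin_loaded"] = any(p in loaded for p in KERNEL_PLUGINS)
    if loaded and not findings["kernel_plugin_loaded"]:
        findings["problems"].append(
            "no kernel interface plugin in 'loaded plugins' "
            "(need kernel-netlink or kernel-pfkey)")
    return findings


if __name__ == "__main__":
    for problem in triage_charon_log(SAMPLE_GATEWAY_LOG)["problems"]:
        print("-", problem)
```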