[strongSwan] NO_PROPOSAL_CHOSEN error when IKEv1 and IKEv2 have closely resembling but not identical suites

Simon Chan simon.chan3 at yahoo.ca
Wed Feb 8 01:41:24 CET 2012



Hi all,

I am running StrongSwan 4.6.1 on Debian 6.0.3.

There is one IKEv1 conn and one IKEv2 conn. The IKEv1 cipher suites:
  ike=aes128-md5!
  esp=aes128-md5!
  pfs=yes


The IKEv2 cipher suites are almost identical, except that ike= has a DH group:
  ike=aes128-md5-modp1536!
  esp=aes128-md5!


The IKEv1 conn works but the IKEv2 conn gets "received NO_PROPOSAL_CHOSEN notify error".

syslog:
charon: 05[CFG] selecting proposal:
charon: 05[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
charon: 05[CFG] received proposals: IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
charon: 05[CFG] configured proposals: IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5
charon: 05[LIB] size of DH secret exponent: 1535 bits
charon: 05[IKE] received proposals inacceptable
charon: 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]


At one point I changed the hash in the IKEv1 suite to sha1 to isolate where that "configured proposal" comes from:

  ike=aes128-sha1-modp1536!
  esp=aes128-sha1!

The IKEv2 conn still uses aes128-md5-modp1536! and still won't connect. The syslog changed to:
charon: 05[CFG] received proposals: IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
charon: 05[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
charon: 05[IKE] remote host is behind NAT
charon: 05[IKE] received proposals inacceptable
charon: 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]


>>>>>>>>>>>>>>>>>>>>>>>

Is it possible that charon is searching for matches from pluto's connections? Why should charon have knowledge of pluto's connections?


>>>>>>>>>>>>>>>>>>>>>>>>>

In another attempt to debug the problem, we arranged the order of the tunnels in ipsec.conf so that the IKEv2 conn is ahead of the IKEv1 conn. Then the connection is established, and the IKEv1 conn, which is now second in /etc/ipsec.conf, still works.

I would appreciate it if the experts could shed some light on this issue and give some ideas on how to get the connections to come up reliably.

We reproduced this problem on two different, similarly configured systems, one with StrongSwan 4.6.1 and another with 4.4.1. The full ipsec.conf file follows.

Thanks
Simon

config setup
        charonstart=yes
        plutodebug=all
        charondebug="mgr 2, ike 2, chd 2, knl 2, net 2, lib 2, cfg 2"
        interfaces="%none"
        nat_traversal=yes

conn ikev1
        left=192.168.3.195
        right=192.168.3.193
        rekey=no
        leftsubnet=192.168.9.0/24
        rightsubnet=10.20.1.0/24
        leftfirewall=yes
        ike=aes128-md5!
        ikelifetime=7200s
        keyexchange=ikev1
        mobike=no
        keyingtries=%forever
        esp=aes128-md5!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        pfs=yes
        compress=no
        authby=secret
        auto=add

conn ikev2
        left=192.168.3.195
        right=192.168.3.193
        rightid=@differentfromright
        rekey=no
        leftsubnet=192.168.9.0/24
        rightsubnet=10.20.3.0/24
        leftfirewall=yes
        ike=aes128-md5-modp1536!
        ikelifetime=7200s
        keyexchange=ikev2
        mobike=yes
        keyingtries=%forever
        esp=aes128-md5!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        pfs=yes
        compress=no
        authby=secret
        auto=add
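The two "selecting proposal" excerpts above show charon comparing the proposal it received transform type by transform type against the one it has configured. The following is an added illustration, not code from the original post and not strongSwan's own proposal.c: a small Python model of that comparison that reproduces both log outcomes (the missing DH group in the first excerpt, the md5/sha1 integrity mismatch in the second) and the successful case where the IKEv2 conn's own ike= line is compared. The keyword table is a constructed subset of ipsec.conf cipher keywords, the log wording for the success line is the model's own, and the question of which conn charon picks for a given peer is not modelled.

```python
"""Model of charon's IKE proposal selection for the syslog excerpts above.

Illustration only: the keyword table is a constructed subset of the
ipsec.conf cipher keywords, not the full strongSwan table.
"""
from __future__ import annotations

# ipsec.conf keyword -> (transform type, algorithm name as charon prints it)
KEYWORDS = {
    "aes128":   ("ENCRYPTION_ALGORITHM", "AES_CBC_128"),
    "aes256":   ("ENCRYPTION_ALGORITHM", "AES_CBC_256"),
    "3des":     ("ENCRYPTION_ALGORITHM", "3DES_CBC"),
    "md5":      ("INTEGRITY_ALGORITHM", "HMAC_MD5_96"),
    "sha1":     ("INTEGRITY_ALGORITHM", "HMAC_SHA1_96"),
    "sha256":   ("INTEGRITY_ALGORITHM", "HMAC_SHA2_256_128"),
    "modp1024": ("DIFFIE_HELLMAN_GROUP", "MODP_1024"),
    "modp1536": ("DIFFIE_HELLMAN_GROUP", "MODP_1536"),
    "modp2048": ("DIFFIE_HELLMAN_GROUP", "MODP_2048"),
}

# In an IKE proposal an integrity keyword also selects the PRF of that hash,
# which is why "md5" shows up as HMAC_MD5_96 and PRF_HMAC_MD5 in the log.
PRF_FOR = {
    "HMAC_MD5_96": "PRF_HMAC_MD5",
    "HMAC_SHA1_96": "PRF_HMAC_SHA1",
    "HMAC_SHA2_256_128": "PRF_HMAC_SHA2_256",
}

# Order in which the transform types are printed and compared.
TRANSFORM_TYPES = (
    "ENCRYPTION_ALGORITHM",
    "INTEGRITY_ALGORITHM",
    "PSEUDO_RANDOM_FUNCTION",
    "DIFFIE_HELLMAN_GROUP",
)

Proposal = dict[str, list[str]]


def parse_ike_proposal(text: str) -> Proposal:
    """Parse one ike= proposal such as 'aes128-md5-modp1536!' into
    {transform type: [algorithm names]}.  The trailing '!' (strict mode)
    only suppresses charon's default proposals; it does not take part in
    the comparison, so it is stripped here."""
    proposal: Proposal = {t: [] for t in TRANSFORM_TYPES}
    for keyword in text.rstrip("!").split("-"):
        if keyword not in KEYWORDS:
            raise ValueError(f"unknown cipher keyword: {keyword}")
        ttype, name = KEYWORDS[keyword]
        proposal[ttype].append(name)
        if ttype == "INTEGRITY_ALGORITHM":
            proposal["PSEUDO_RANDOM_FUNCTION"].append(PRF_FOR[name])
    return proposal


def format_proposal(proposal: Proposal) -> str:
    """Render a proposal the way charon logs it: IKE:ENC/INTEG/PRF/DH."""
    return "IKE:" + "/".join(a for t in TRANSFORM_TYPES for a in proposal[t])


def select_proposal(received: Proposal, configured: Proposal):
    """Intersect the two proposals one transform type at a time.  A type that
    one side offers and the other has nothing for is a mismatch for that
    type: a configured 'aes128-md5!' has no DH group at all, so a peer
    offering MODP_1536 fails with 'no acceptable DIFFIE_HELLMAN_GROUP found'.
    Returns (selected, None) or (None, error) naming the first type that failed."""
    selected: Proposal = {t: [] for t in TRANSFORM_TYPES}
    for ttype in TRANSFORM_TYPES:
        ours, theirs = configured[ttype], received[ttype]
        if not ours and not theirs:
            continue  # neither side uses this transform type
        common = [alg for alg in ours if alg in theirs]  # our preference order
        if not common:
            return None, f"no acceptable {ttype} found"
        selected[ttype] = [common[0]]
    return selected, None


def explain(received_text: str, configured_text: str) -> str:
    """Reproduce the 'selecting proposal' log lines for one received/configured pair."""
    received = parse_ike_proposal(received_text)
    configured = parse_ike_proposal(configured_text)
    chosen, error = select_proposal(received, configured)
    lines = ["selecting proposal:"]
    if error:
        lines.append("  " + error)
    lines.append("received proposals: " + format_proposal(received))
    lines.append("configured proposals: " + format_proposal(configured))
    if chosen:
        lines.append("selected proposal: " + format_proposal(chosen))
    else:
        lines.append("received proposals inacceptable")
    return "\n".join(lines)


if __name__ == "__main__":
    # First excerpt: peer offers the IKEv2 line, charon compares against 'aes128-md5!'.
    print(explain("aes128-md5-modp1536!", "aes128-md5!"), end="\n\n")
    # Second excerpt: after the IKEv1 line was switched to sha1.
    print(explain("aes128-md5-modp1536!", "aes128-sha1-modp1536!"), end="\n\n")
    # The IKEv2 conn's own line, which is what a successful IKE_SA_INIT needs.
    print(explain("aes128-md5-modp1536!", "aes128-md5-modp1536!"))
```

Running it prints the same received/configured lines as the two excerpts and names the transform type that failed in each, which is a quick way to check any pair of ike= lines for a mismatch before looking further at which conn charon actually selected.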
