[strongSwan] NO_PROPOSAL_CHOSEN error when IKEv1 and IKEv2 has closely resemble but not exact suites

Tobias Brunner tobias at strongswan.org
Wed Feb 8 11:35:33 CET 2012


Hi Simon,

> Is it possible that charon is searching for matches from pluto's
> connections?  Why should charon have knowledge of
> pluto's connections?

Yes, that's exactly what's happening here.  By default, charon loads all
connections whether they have keyexchange set to ikev2 or not.  But it
uses IKEv1 connections only as responder (the reason for this was
probably to simplify configuration on gateways, as only one config would
be necessary).  If you don't want this you could apply the attached patch.

> In another attempt to debug the problem, we arranged the order of the
> tunnels in ipsec.conf so that IKEv2 conn is ahead of the IKEv1 conn.
> Then connection is established. And the IKEv1 which is now second in
> /etc/ipsec.conf still works.

Yep, that works too, as charon simply uses the first matching connection.

Regards,
Tobias
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Charon-ignores-IKEv1-connections-received-via-stroke.patch
Type: text/x-patch
Size: 1068 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120208/cab75657/attachment.bin>
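
The selection behaviour described in this message, as a simplified Python model added here (not strongSwan code and not part of the original post). The connection names, the address 192.0.2.10 and the proposal strings are constructed, and the model matches connections on peer address only.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:
    name: str             # hypothetical conn name
    keyexchange: str      # "ikev1" or "ikev2", as set in ipsec.conf
    peer: str             # remote address the conn is configured for
    ike: frozenset        # IKE proposals configured for this conn

def load(conns, ignore_ikev1=False):
    """Connections the IKEv2 daemon keeps, in ipsec.conf order.
    ignore_ikev1=True models the effect the attached patch's name describes."""
    return [c for c in conns
            if not (ignore_ikev1 and c.keyexchange == "ikev1")]

def respond(loaded, peer, offered):
    """Responder side: take the FIRST conn matching the peer, then
    compare proposals against that conn only (no fall-through)."""
    for c in loaded:
        if c.peer == peer:
            common = c.ike & offered
            if common:
                return (c.name, sorted(common)[0])
            return (c.name, "NO_PROPOSAL_CHOSEN")
    return (None, None)   # no conn for this peer; outside this model

# Constructed sample: two conns to the same peer with close but unequal suites.
PEER = "192.0.2.10"
V1 = Conn("legacy-v1", "ikev1", PEER, frozenset({"aes128-sha1-modp1024"}))
V2 = Conn("site-v2", "ikev2", PEER, frozenset({"aes128-sha1-modp2048"}))
OFFERED = frozenset({"aes128-sha1-modp2048"})   # what the IKEv2 initiator sends

if __name__ == "__main__":
    # IKEv1 conn listed first: it shadows the IKEv2 conn and negotiation fails.
    print(respond(load([V1, V2]), PEER, OFFERED))
    # IKEv2 conn listed first: the reordering workaround from the thread.
    print(respond(load([V2, V1]), PEER, OFFERED))
    # Original order, but IKEv1 conns are not loaded at all.
    print(respond(load([V1, V2], ignore_ikev1=True), PEER, OFFERED))
```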

