[strongSwan] Charon stops processing after receiving “no proposal chosen" notification
Joern Mewes
joern.mewes at gmx.net
Tue Apr 23 16:00:58 CEST 2013
Hi,

We are trying to migrate some of our VPN systems from strongSwan 4.6.4 to
5.0.3. Unfortunately we have to stick to IKEv1, so we are trying to use the
IKEv1 functionality of charon.

During our testing we see that charon behaves differently in case it gets
a "no proposal chosen" notification from the peer. What we see from both
logs and traces is that

- charon stops processing and will never try to set up the tunnel, even if
there is traffic for it
root@vpn-49:~/tst# ipsec up ipsecgw
initiating Main Mode IKE_SA ipsecgw[2] to 192.168.30.120
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 192.168.31.49[500] to 192.168.30.120[500] (160 bytes)
received packet: from 192.168.30.120[500] to 192.168.31.49[500] (102 bytes)
parsed INFORMATIONAL_V1 request 2885946859 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'ipsecgw' failed
root@vpn-49:~/tst#
- pluto tries to re-establish the tunnel as long as there is traffic to be
forwarded
"ipsecgw" #1: initiating Main Mode
packet from 192.168.30.120:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
packet from 192.168.30.120:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
packet from 192.168.30.120:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Do you have an explanation why charon stops initiating the tunnel? Is it
on purpose?
Is there any way to reconfigure charon to achieve the same behavior as it
was in pluto, meaning trying to re-establish the tunnel as long as it can
be completed successfully?
Please find both the (5.0.3) ipsec.conf and strongswan.conf below.

Thanks for your help and have a nice day.
Best regards,
Joern
# ipsec.conf - strongSwan IPsec configuration file

config setup
    uniqueids=no

ca rootca0
    cacert=ca-test.pem

# Add connections here.
conn %default
    keyingtries=%forever
    ikelifetime=86400
    mobike=no
    keylife=7200
    # keyingtries=1
    leftcert=/etc/ipsec.d/certs/vpn-crt.pem
    rekeymargin=180s
    keyexchange=ikev1
    # ike=aes128-sha1-modp1024
    ike=aes256-sha1-modp1024!
    esp=aes128-sha
    auto=add
    authby=pubkey
    dpdaction=restart
    dpddelay=10
    dpdtimeout=120
    rekeyfuzz=50%

conn ipsecgw
    left=192.168.31.49
    leftsubnet=0.0.0.0/0
    leftupdown=/root/vpn/bin/leftupdown.sh
    leftid=@vpn-49.tst.org
    right=192.168.30.120
    rightsubnet=0.0.0.0/0
    rightid=@srx3ks.test.org
# strongswan.conf - strongSwan configuration file

charon {
    # number of worker threads in charon
    threads = 16

    # send strongswan vendor ID?
    # send_vendor_id = yes

    plugins {
        sql {
            # loglevel to log into sql database
            loglevel = -1
            # URI to the database
            # database = sqlite:///path/to/file.db
            # database = mysql://user:password@localhost/database
        }
    }

    # ...

    # load plugins manually to disable revcheck
    load = charon aes des sha1 sha2 md5 random nonce x509 constraints pubkey pkcs1 pkcs8 pgp dnskey pem fips-prf gmp hmac gcm attr kernel-netlink resolve socket-raw socket-default stroke updown
    install_routes = no
    retransmit_timeout = 10
    retransmit_tries = 3
    retry_initiate_interval = 30

    filelog {
        /var/log/charon.log {
            # add a timestamp prefix
            time_format = %b %e %T
            # loggers to files also accept the append option to open files in
            # append mode at startup (default is yes)
            append = no
            # the default loglevel for all daemon subsystems (defaults to 1).
            default = 1
            # prepend connection name, simplifies grepping
            ike_name = yes
            # flush each line to disk
            flush_line = yes
        }
        stderr {
            # more detailed loglevel for a specific subsystem, overriding the
            # default loglevel.
            ike = 2
            knl = 3
            # prepend connection name, simplifies grepping
            ike_name = yes
        }
    }
}

pluto {
    load = aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem hmac gmp xauth attr kernel-netlink resolve
}

# disable plugin warnings
starter {
    load_warning = no
}
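A small diagnostic for the situation described in this post, added here as an example and not part of the thread or of strongSwan itself: it parses an ipsec.conf excerpt (honouring `conn %default` inheritance and the `!` strict-proposal marker) together with charon log lines, and pairs each NO_PROPOSAL_CHOSEN notify with the connection, the peer it was sent by and the IKE proposal the initiator had offered. The config excerpt and log lines are constructed from the values in the post; the log layout assumes the `<conn|id>` prefix produced by the poster's `ike_name = yes` setting.

```python
import re

# Constructed ipsec.conf excerpt, reduced to the settings that matter here.
IPSEC_CONF = """\
conn %default
    keyingtries=%forever
    ike=aes256-sha1-modp1024!
conn ipsecgw
    right=192.168.30.120
"""

# Constructed charon log lines in the poster's filelog format (ike_name = yes).
CHARON_LOG = """\
Apr 23 15:58:01 16[IKE] <ipsecgw|2> initiating Main Mode IKE_SA ipsecgw[2] to 192.168.30.120
Apr 23 15:58:01 12[IKE] <ipsecgw|2> received NO_PROPOSAL_CHOSEN error notify
Apr 23 15:58:01 12[IKE] <ipsecgw|2> establishing connection 'ipsecgw' failed
"""

def parse_conns(text):  # {conn: {key: value}}, values from 'conn %default' inherited
    conns, cur = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        if not line:
            continue
        if not line[0].isspace():  # unindented line = section header, e.g. "conn NAME"
            kind, _, name = line.strip().partition(" ")
            cur = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif cur is not None and "=" in line:
            key, _, val = line.strip().partition("=")
            cur[key.strip()] = val.strip()
    default = conns.pop("%default", {})
    return {name: {**default, **c} for name, c in conns.items()}

def no_proposal_events(log):  # [(conn, peer)] for each NO_PROPOSAL_CHOSEN notify received
    peer_of, events = {}, []
    for conn, msg in re.findall(r"<([^|>]+)\|\d+> (.*)", log):
        peer = re.search(r"IKE_SA \S+ to (\S+)", msg)  # remember which peer conn talks to
        if peer:
            peer_of[conn] = peer.group(1)
        elif "received NO_PROPOSAL_CHOSEN" in msg:
            events.append((conn, peer_of.get(conn, "?")))
    return events

def diagnose(ipsec_conf, log):  # pair each rejection with the IKE proposal we offered
    conns, report = parse_conns(ipsec_conf), []
    for conn, peer in no_proposal_events(log):
        ike = conns.get(conn, {}).get("ike", "")
        report.append({"conn": conn, "peer": peer, "ike": ike.rstrip("!"), "strict": ike.endswith("!")})
    return report
```

A `strict` entry in the report means the `!` suffix prevented charon from offering any fallback proposal, so the peer's rejection applies to exactly the listed transform set.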