[strongSwan] Error "no IKE config found" when trying to connect a roadwarrior

Andreas Steffen andreas.steffen at strongswan.org
Sat Feb 23 17:07:54 CET 2013


Hi Lars,

The Shrew, iPhone and GreenBow clients speak IKEv1 only. Therefore
you have to configure either

   keyexchange=ikev1

for IKEv1 only or

   keyexchange=ike

for IKEv1 and IKEv2 support.

Regards

Andreas

On 23.02.2013 16:38, Larsen wrote:
> I am still totally stuck on this. Still get the error "no IKE config
> found" with multiple clients.
> Any help would be greatly appreciated!
>
>
> Lars
>
>
> On Thu, 14 Feb 2013 13:23:43 +0100, Larsen <larsen007 at web.de> wrote:
>
>> Hi,
>>
>> I am new to IPsec and trying to get a roadwarrior connection from a
>> Windows XP box to work, but I only get the error "no IKE config found".
>>
>> I have tried many different settings and looked into even more search
>> results without luck.
>> VPN server is strongSwan 5.0.2 on an IPfire 2.13 rc2 where I have
>> configured all the certificates via GUI.
>> The user certificate is loaded in the ShrewSoft VPN client.
>> Out of nescience I simply used the default values where I didn't
>> understand something.
>>
>> For my ipsec.conf see http://pastebin.com/3XV1S5AK
>>
>> # cat /var/ipfire/vpn/ipsec.secrets
>> include /etc/ipsec.user.secrets
>> : RSA /var/ipfire/certs/hostkey.pem
>>
>> ipsec.user.conf and ipsec.user.secrets are empty besides some comments.
>>
>>
>> On startup of the VPN server I get this warning/error and don't know if
>> that is a problem or can be safely ignored:
>>
>> Feb 11 16:27:03 atl-ipfire charon: 08[CFG] invalid subnet: vhost:%no,
>> skipped
>> Feb 11 16:27:03 atl-ipfire charon: 08[CFG] invalid subnet: %priv, skipped
>>
>>
>> Screenshots of my ShrewSoft Client configuration:
>> http://photobucket.com/albums/a587/larsen17/capture_20130214_120503_zpscfa99a6c.png
>> http://photobucket.com/albums/a587/larsen17/capture_20130214_120510_zps2b31d8c2.png
>> http://photobucket.com/albums/a587/larsen17/capture_20130214_120513_zps24759140.png
>> http://photobucket.com/albums/a587/larsen17/capture_20130214_120514_zps020b99c2.png
>> http://photobucket.com/albums/a587/larsen17/capture_20130214_120518_zps689e7a6f.png
>> http://photobucket.com/albums/a587/larsen17/capture_20130214_120519_zpsdcbf1bb4.png
>> http://photobucket.com/albums/a587/larsen17/capture_20130214_120521_zpsb50b961a.png
>> http://photobucket.com/albums/a587/larsen17/capture_20130214_120524_zps2e568ced.png
>> http://photobucket.com/albums/a587/larsen17/capture_20130214_120526_zps2b7573b4.png
>> http://photobucket.com/albums/a587/larsen17/capture_20130214_120529_zps1468d09d.png
>>
>> Also tried it with the following instead of "auto":
>> dh: group 2
>> cipher: 3des
>> hash: sha1
>>
>>
>>
>> When I try to connect, I get the error "no IKE config" in
>> "/var/log/messages":
>>
>> Feb 14 11:03:02 atl-ipfire charon: 10[NET] received packet: from
>> xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500]
>> Feb 14 11:03:02 atl-ipfire charon: 10[NET] waiting for data on sockets
>> Feb 14 11:03:02 atl-ipfire charon: 05[MGR] checkout IKE_SA by message
>> Feb 14 11:03:02 atl-ipfire charon: 05[MGR] created IKE_SA (unnamed)[2]
>> Feb 14 11:03:03 atl-ipfire charon: 05[NET] received packet: from
>> xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (3080 bytes)
>> Feb 14 11:03:03 atl-ipfire charon: 05[IKE] no IKE config found for
>> xxx.xxx.xxx.xxx...xxx.xxx.xxx.xxx, sending NO_PROPOSAL_CHOSEN
>> Feb 14 11:03:03 atl-ipfire charon: 05[NET] sending packet: from
>> xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (40 bytes)
>> Feb 14 11:03:03 atl-ipfire charon: 06[NET] sending packet: from
>> xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500]
>> Feb 14 11:03:03 atl-ipfire charon: 05[MGR] checkin and destroy IKE_SA
>> (unnamed)[2]
>> Feb 14 11:03:03 atl-ipfire charon: 05[IKE] IKE_SA (unnamed)[2] state
>> change: CREATED => DESTROYING
>> Feb 14 11:03:03 atl-ipfire charon: 05[MGR] check-in and destroy of IKE_SA
>> successful
>>
>> I get the same error when I try to connect with an iPhone or the GreenBow
>> VPN client, so I guess there must be something wrong on the server side.
>>
>>
>> How can I fix this? What else can I test?
>>
>>
>> Lars
>>
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
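
The check implied by the reply above, as an added example (not part of the original thread and not strongSwan's own code): a Python script that reads ipsec.conf-style text and reports which conn sections would answer an IKEv1-only client, using the keyexchange values named in the reply. The sample configuration and conn names are constructed, and the script assumes conns inherit settings only from conn %default.

```python
# Constructed sample in ipsec.conf syntax; the conn names are made up.
SAMPLE_CONF = """\
config setup

conn %default
    keyexchange=ikev2

conn roadwarrior-shrew
    right=%any
    auto=add

conn roadwarrior-legacy
    keyexchange=ikev1
    right=%any

conn roadwarrior-mixed
    keyexchange=ike
    right=%any
"""

def parse_conns(text):
    """Return {conn_name: {option: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank line or comment
            continue
        if not raw[0].isspace():               # section header starts in column 0
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) > 1
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def ikev1_acceptance(text):
    """Map each conn to True/False (answers IKEv1?) or None if keyexchange is unset."""
    conns = parse_conns(text)
    default = conns.pop("%default", {})
    result = {}
    for name, opts in conns.items():
        mode = opts.get("keyexchange", default.get("keyexchange"))
        # ikev1 = IKEv1 only, ike = IKEv1 and IKEv2; anything else is no match
        result[name] = None if mode is None else mode.lower() in ("ike", "ikev1")
    return result

if __name__ == "__main__":
    for name, ok in ikev1_acceptance(SAMPLE_CONF).items():
        print(name, "unset" if ok is None else "accepts IKEv1" if ok else "no IKEv1")
```

A result of None means keyexchange is not set in the conn or in conn %default, so the effective value depends on the installed version's default and should be checked there.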
