[strongSwan] NO_PROP Error

Ali Masoudi masoudi1983 at gmail.com
Sun Jun 23 07:47:11 CEST 2013


Hi users,

As a simple test on a virtual Ethernet interface with IPsec, I use this scenario:

system 1:
ip address of ETH3 === 192.168.20.110/24
ip address of ETH3:0 === 192.168.20.34/24
subnet="192.168.18.0/24"

system 2:
ip address of ETH3 === 192.168.20.176
subnet="192.168.58.0/24"

I ran ipsec on both systems, but a NO_PROP error occurred. When I executed
"ipsec up test8" on 192.168.20.176, the tunnels were established.
With a simple look at the logs, it is clear that "system 2" received the request
from 192.168.20.110 instead of 192.168.20.34. This results in the NO_PROP error.

If I change the IP of the virtual Ethernet interface so that its range differs from the IP of
the Ethernet interface, it resolves the problem. I don't know what causes the problem. I
looked at the ARP table but it seemed right.

Does anybody have any idea about it?

Best regards,
Ali

strongSwan 5.0.1, kernel version 2.6.34.1

############### ipsec.conf on 192.168.20.110:

config setup
        uniqueids="no"
        strictcrlpolicy="no"

conn %default
        keyingtries="%forever"
        leftsendcert="always"

conn test9
        authby="psk"
        auto="start"
        type="tunnel"
        compress="no"
        rekeymargin="540s"
        left="192.168.20.34"
        leftid="999"
        leftsubnet="192.168.18.0/24"
        right="192.168.20.176"
        rightid="9999"
        rightsubnet="192.168.58.0/24"
        ike="aes256-md5-modp4096!"
        esp="aes256-md5-modp1024!"
        ikelifetime="3600"
        keylife="3600"
        keyexchange="ikev2"
        dpdaction = "restart"
        dpddelay = "30s"
        dpdtimeout = "165s"

############# ipsec.secrets on 192.168.20.110:

999 9999 : PSK "my_secret"

############# ipsec.conf on 192.168.20.176:

config setup
        uniqueids="no"
        strictcrlpolicy="no"

conn %default
        keyingtries="%forever"
        leftsendcert="always"

conn test8
        authby="psk"
        auto="add"
        type="tunnel"
        compress="no"
        rekeymargin="540s"
        left="192.168.20.176"
        leftid="9999"
        leftsubnet="192.168.58.0/24"
        right="192.168.20.34"
        rightid="999"
        rightsubnet="192.168.18.0/24"
        ike="aes256-md5-modp4096!"
        esp="aes256-md5-modp1024!"
        ikelifetime="3600"
        keylife="3600"
        keyexchange="ikev2"
        dpdaction = "restart"
        dpddelay = "30s"
        dpdtimeout = "900s"

############# ipsec.secrets on 192.168.20.176:

9999 999 : PSK "my_secret"

log on 192.168.20.110:

Jun 22 12:18:12 04[NET] <test9|14> received packet: from
192.168.20.176[500] to 192.168.20.34[500]
Jun 22 12:18:12 04[ENC] <test9|14> parsing body of message, first payload
is NOTIFY
Jun 22 12:18:12 04[ENC] <test9|14> starting parsing a NOTIFY payload
Jun 22 12:18:12 04[ENC] <test9|14> parsing NOTIFY payload, 8 bytes left
.
.
.
Jun 22 12:18:12 04[ENC] <test9|14> parsing NOTIFY payload finished
Jun 22 12:18:12 04[ENC] <test9|14> verifying payload of type NOTIFY
Jun 22 12:18:12 04[ENC] <test9|14> NOTIFY payload verified. Adding to
payload list
Jun 22 12:18:12 04[ENC] <test9|14> process payload of type NOTIFY
Jun 22 12:18:12 04[ENC] <test9|14> verifying message structure
Jun 22 12:18:12 04[ENC] <test9|14> found payload of type NOTIFY
Jun 22 12:18:12 04[ENC] <test9|14> parsed IKE_SA_INIT response 0 [
N(NO_PROP) ]
Jun 22 12:18:12 04[IKE] <test9|14> received NO_PROPOSAL_CHOSEN notify error
Jun 22 12:18:12 04[MGR] <test9|14> checkin and destroy IKE_SA test9[14]
Jun 22 12:18:12 04[IKE] <test9|14> IKE_SA test9[14] state change:
CONNECTING => DESTROYING
Jun 22 12:18:12 04[MGR] check-in and destroy of IKE_SA successful


log on 192.168.20.176:

Jun 23 09:01:07 10[ENC] <13> parsed IKE_SA_INIT request 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) ]
Jun 23 09:01:07 10[CFG] <13> looking for an ike config for
192.168.20.176...192.168.20.110
Jun 23 09:01:07 10[CFG] <13> ike config match: 0 (192.168.20.176
192.168.20.110)
Jun 23 09:01:07 10[CFG] <13> ike config match: 0 (192.168.20.176
192.168.20.110)
Jun 23 09:01:07 10[CFG] <13> ike config match: 0 (192.168.20.176
192.168.20.110)
Jun 23 09:01:07 10[CFG] <13> ike config match: 0 (192.168.20.176
192.168.20.110)
Jun 23 09:01:07 10[IKE] <13> no IKE config found for 192.168.20.176...
192.168.20.110, sending NO_PROPOSAL_CHOSEN
Jun 23 09:01:07 10[ENC] <13> added payload of type NOTIFY to message
Jun 23 09:01:07 10[ENC] <13> added payload of type NOTIFY to message
Jun 23 09:01:07 10[ENC] <13> generating IKE_SA_INIT response 0 [ N(NO_PROP)
]
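Added example (not part of the original post and not strongSwan's own code): a small Python checker that reproduces the address-pair lookup charon logs above ("looking for an ike config for LOCAL...REMOTE" / "no IKE config found") over the responder's posted ipsec.conf, and reports which peer address the matching conn was actually expecting. The config and log excerpts embedded in it are constructed from the post; the checker only models left/right matching (literal addresses and %any), not charon's full config selection (IDs, proposals, hostnames or %defaultroute), so treat it as a reading aid for this class of NO_PROPOSAL_CHOSEN, not as a reimplementation.

```python
import re
from ipaddress import ip_address

# Constructed copy of the responder's (192.168.20.176) ipsec.conf from the post; only the
# address-related settings matter for the lookup reproduced here.
RESPONDER_CONF = """\
config setup
        uniqueids="no"
        strictcrlpolicy="no"

conn %default
        keyingtries="%forever"
        leftsendcert="always"

conn test8
        authby="psk"
        auto="add"
        left="192.168.20.176"
        leftid="9999"
        leftsubnet="192.168.58.0/24"
        right="192.168.20.34"
        rightid="999"
        rightsubnet="192.168.18.0/24"
        keyexchange="ikev2"
"""

# Constructed charon log lines modelled on the responder's log in the post (joined onto
# single lines; the mailing-list copy wraps them).
RESPONDER_LOG = [
    "Jun 23 09:01:07 10[CFG] <13> looking for an ike config for 192.168.20.176...192.168.20.110",
    "Jun 23 09:01:07 10[IKE] <13> no IKE config found for 192.168.20.176...192.168.20.110, sending NO_PROPOSAL_CHOSEN",
    "Jun 23 09:01:07 10[ENC] <13> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]",
]

NO_CONFIG_RE = re.compile(
    r"no IKE config found for (\S+?)\.\.\.(\S+?), sending NO_PROPOSAL_CHOSEN")


def parse_conns(conf_text):
    """Return {conn_name: {key: value}} for every 'conn' section, with the values of
    'conn %default' merged into each real conn and surrounding quotes stripped."""
    sections = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():          # section header: 'conn NAME' or 'config setup'
            parts = line.split()
            current = parts[1] if parts[0] == "conn" and len(parts) > 1 else None
            if current is not None:
                sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip()] = value.strip().strip('"')
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **values} for name, values in sections.items()}


def address_matches(configured, actual):
    """'%any' or an unset address matches everything; a literal address must match exactly.
    Hostnames and %defaultroute cannot be resolved offline here and count as no match."""
    if configured in (None, "", "%any"):
        return True
    try:
        return ip_address(configured) == ip_address(actual)
    except ValueError:
        return False


def conn_for_pair(conf_text, local, remote):
    """Name of the first conn whose left/right accept the (local, remote) address pair,
    or None: the simplified equivalent of charon's 'ike config match' lookup."""
    for name, conn in parse_conns(conf_text).items():
        if address_matches(conn.get("left"), local) and address_matches(conn.get("right"), remote):
            return name
    return None


def diagnose(conf_text, log_lines):
    """For each 'no IKE config found for LOCAL...REMOTE' line, list the conns that accept
    LOCAL but reject REMOTE, together with the peer address each of them expected."""
    conns = parse_conns(conf_text)
    findings = []
    for line in log_lines:
        m = NO_CONFIG_RE.search(line)
        if not m:
            continue
        local, remote = m.group(1), m.group(2)
        expected = {name: conn.get("right") for name, conn in conns.items()
                    if address_matches(conn.get("left"), local)
                    and not address_matches(conn.get("right"), remote)}
        findings.append({"local": local, "remote": remote, "expected_remote": expected})
    return findings


if __name__ == "__main__":
    for f in diagnose(RESPONDER_CONF, RESPONDER_LOG):
        print(f"request arrived from {f['remote']} at {f['local']}; no conn accepts that pair")
        for name, right in f["expected_remote"].items():
            print(f"  conn {name} expects the peer at right={right}")
```

Two practitioner notes on reading this. NO_PROPOSAL_CHOSEN in an IKE_SA_INIT response is ambiguous on the wire: charon sends it both when no ike config matches the address pair and when the IKE proposals do not overlap, and only the responder's own log tells the two apart; here the "no IKE config found" line shows it is the address lookup, so changing ciphers or DH groups on either side would not help. On Linux the source address the kernel will pick for a given destination on a multi-addressed interface can be inspected with `ip route get 192.168.20.176` (look at the `src` field), which is the quickest way to confirm which of the two addresses an initiator actually sends from.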