[strongSwan] NO_PROPOSAL_CHOSEN error notify

bjoern wahl bjoern.wahl at hospital-borken.de
Mon Nov 11 09:57:19 CET 2013


Hello!

Just after solving the problem with my certs for WIN7 (thanks to Martin
for the good hint), I hit the next problem.

I would like to migrate old VPNs to my new VPN-GW.

From Linux Openswan U2.4.4/K2.6.16.60-0.83.2-smp (netkey) to Linux
strongSwan U5.1.1/K3.0.93-0.8-default.

With my first try I got a problem; the logs tell me:

========================================================================
13[IKE] IKE_SA p123[1] established between 11.11.11.11[11.11.11.11]...22.22.22.22[22.22.22.22]
13[ENC] generating QUICK_MODE request 1243619134 [ HASH SA No ID ID ]
13[NET] sending packet: from 11.11.11.11[500] to 22.22.22.22[500] (284 bytes)
14[NET] received packet: from 22.22.22.22[500] to 11.11.11.11[500] (92 bytes)
14[ENC] parsed INFORMATIONAL_V1 request 2876618417 [ HASH N(NO_PROP) ]
14[IKE] received NO_PROPOSAL_CHOSEN error notify
========================================================================

On my old GW everything is still working fine:

========================================================================
003 "p123" #13615: NAT-Traversal: Result using 3: no NAT detected
002 "p123" #13615: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "p123" #13615: STATE_MAIN_I3: sent MI3, expecting MR3
002 "p123" #13615: Main mode peer ID is ID_IPV4_ADDR: '22.22.22.22'
002 "p123" #13615: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "p123" #13615: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
002 "p123" #13616: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#13615}
117 "p123" #13616: STATE_QUICK_I1: initiate
003 "p123" #13616: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
002 "p123" #13616: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "p123" #13616: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xeaaec3ed <0x3f7a355f xfrm=AES_256-HMAC_SHA1 NATD=212.159.204.76:500 DPD=none}
========================================================================

I just thought it might be because the cipher is not included in my new
strongSwan, so I looked that up. I did not find aes_256 in
my new strongSwan; is that the problem?
How do I add that cipher?

========================================================================
List of X.509 End Entity Certificates:

  altNames:  ....

List of X.509 CA Certificates:

  s....

List of registered IKE algorithms:

  encryption: DES_CBC[des] 3DES_CBC[des] AES_CBC[aes] DES_ECB[des] RC2_CBC[rc2]
  integrity:  HMAC_MD5_96[hmac] HMAC_SHA1_96[hmac] AES_XCBC_96[xcbc] HMAC_MD5_128[hmac] HMAC_SHA1_160[hmac]
              AES_CMAC_96[cmac] HMAC_SHA2_256_128[hmac] HMAC_SHA2_384_192[hmac] HMAC_SHA2_512_256[hmac]
              HMAC_SHA1_128[hmac] HMAC_SHA2_256_256[hmac] HMAC_SHA2_384_384[hmac] HMAC_SHA2_512_512[hmac]
  aead:
  hasher:     HASH_MD4[md4] HASH_MD5[md5] HASH_SHA1[sha1] HASH_SHA224[sha2] HASH_SHA256[sha2] HASH_SHA384[sha2]
              HASH_SHA512[sha2]
  prf:        PRF_HMAC_MD5[hmac] PRF_HMAC_SHA1[hmac] PRF_AES128_XCBC[xcbc] PRF_HMAC_SHA2_256[hmac]
              PRF_HMAC_SHA2_384[hmac] PRF_HMAC_SHA2_512[hmac] PRF_AES128_CMAC[cmac] PRF_FIPS_SHA1_160[fips-prf]
              PRF_KEYED_SHA1[sha1]
  dh-group:   MODP_768[gmp] MODP_1024[gmp] MODP_1536[gmp] MODP_2048[gmp] MODP_3072[gmp] MODP_4096[gmp] MODP_6144[gmp]
              MODP_8192[gmp] MODP_1024_160[gmp] MODP_2048_224[gmp] MODP_2048_256[gmp] MODP_CUSTOM[gmp]
  random-gen: RNG_STRONG[random] RNG_TRUE[random]
  nonce-gen:  [nonce]

List of loaded Plugins:

charon:
    CUSTOM:libcharon
        NONCE_GEN
        CUSTOM:libcharon-receiver
        CUSTOM:kernel-ipsec
        CUSTOM:kernel-net
    CUSTOM:libcharon-receiver
        HASHER:HASH_SHA1
        RNG:RNG_STRONG
        CUSTOM:socket
aes:
    CRYPTER:AES_CBC-16
    CRYPTER:AES_CBC-24
    CRYPTER:AES_CBC-32
des:
    CRYPTER:3DES_CBC-24
    CRYPTER:DES_CBC-8
    CRYPTER:DES_ECB-8
rc2:
    CRYPTER:RC2_CBC-0
sha    HASHER:HASH_SHA384
    HASHER:HASH_SHA512
md4:
    HASHER:HASH_MD4
md5:
    HASHER:HASH_MD5
random:
    RNG:RNG_STRONG
    RNG:RNG_TRUE
nonce:
    NONCE_GEN
        RNG:RNG_WEAK
x509:
    CERT_ENCODE:X509
        HASHER:HASH_SHA1
    CERT_DECODE:X509
        HASHER:HASH_SHA1
        PUBKEY:RSA (soft)
        PUBKEY:ECDSA (soft)
        PUBKEY:DSA (soft)
    CERT_ENCODE:X509_AC
    CERT_DECODE:X509_AC
    CERT_ENCODE:X509_CRL
    CERT_DECODE:X509_CRL
    CERT_ENCODE:X509_OCSP_REQUEST
        HASHER:HASH_SHA1
        RNG:RNG_WEAK
    CERT_DECODE:X509_OCSP_RESPONSE
    CERT_ENCODE:PKCS10_REQUEST
    CERT_DECODE:PKCS10_REQUEST
revocation:
    CUSTOM:revocation
        CERT_ENCODE:X509_OCSP_REQUEST (soft)
        CERT_DECODE:X509_OCSP_RESPONSE (soft)
        CERT_DECODE:X509_CRL (soft)
        CERT_DECODE:X509 (soft)
        FETCHER:(null) (soft)
constraints:
    CUSTOM:constraints
        CERT_DECODE:X509 (soft)
pubkey:
    CERT_ENCODE:TRUSTED_PUBKEY
    CERT_DECODE:TRUSTED_PUBKEY
        PUBKEY:RSA (soft)
        PUBKEY:ECDSA (soft)
        PUBKEY:DSA (soft)
pkcs1:
    PRIVKEY:RSA
    PUBKEY:ANY
    PUBKEY:RSA
pkcs7:
    CONTAINER_DECODE:PKCS7
    CONTAINER_ENCODE:PKCS7_DATA
    CONTAINER_ENCODE:PKCS7_SIGNED_DATA
    CONTAINER_ENCODE:PKCS7_ENVELOPED_DATA
pkcs8:
    PRIVKEY:ANY
    PRIVKEY:RSA
    PRIVKEY:ECDSA
pkcs12:
    CONTAINER_DECODE:PKCS12
        CONTAINER_DECODE:PKCS7
        CERT_DECODE:X509 (soft)
        PRIVKEY:ANY (soft)
        HASHER:HASH_SHA1 (soft)
        CRYPTER:3DES_CBC-24 (soft)
        CRYPTER:RC2_CBC-0 (soft)
pgp:
    PRIVKEY:ANY
    PRIVKEY:RSA
    PUBKEY:ANY
    PUBKEY:RSA
    CERT_DECODE:PGP
dnskey:
    PUBKEY:ANY
    PUBKEY:RSA
sshkey:
    PUBKEY:ANY
pem:
    PRIVKEY:ANY
        PRIVKEY:ANY
        HASHER:HASH_MD5 (soft)
    PRIVKEY:RSA
        PRIVKEY:RSA
        HASHER:HASH_MD5 (soft)
    PRIVKEY:ECDSA
        PRIVKEY:ECDSA
        HASHER:HASH_MD5 (soft)
    PRIVKEY:DSA (not loaded)
        PRIVKEY:DSA
        HASHER:HASH_MD5 (soft)
    PUBKEY:ANY
        PUBKEY:ANY
    PUBKEY:RSA
        PUBKEY:RSA
    PUBKEY:ECDSA (not loaded)
        PUBKEY:ECDSA
    PUBKEY:DSA (not loaded)
        PUBKEY:DSA
    CERT_DECODE:ANY
        CERT_DECODE:X509 (soft)
        CERT_DECODE:PGP (soft)
    CERT_DECODE:X509
        CERT_DECODE:X509
    CERT_DECODE:X509_CRL
        CERT_DECODE:X509_CRL
    CERT_DECODE:X509_OCSP_REQUEST (not loaded)
        CERT_DECODE:X509_OCSP_REQUEST
    CERT_DECODE:X509_OCSP_RESPONSE
        CERT_DECODE:X509_OCSP_RESPONSE
    CERT_DECODE:X509_AC
        CERT_DECODE:X509_AC
    CERT_DECODE:PKCS10_REQUEST
        CERT_DECODE:PKCS10_REQUEST
    CERT_DECODE:TRUSTED_PUBKEY
        CERT_DECODE:TRUSTED_PUBKEY
    CERT_DECODE:PGP
        CERT_DECODE:PGP
    CONTAINER_DECODE:PKCS12
        CONTAINER_DECODE:PKCS12
fips-prf:
    PRF:PRF_FIPS_SHA1_160
        PRF:PRF_KEYED_SHA1
gmp:
    DH:MODP_2048
        RNG:RNG_STRONG
    DH:MODP_2048_224
        RNG:RNG_STRONG
    DH:MODP_2048_256
        RNG:RNG_STRONG
    DH:MODP_1536
        RNG:RNG_STRONG
    DH:MODP_3072
        RNG:RNG_STRONG
    DH:MODP_4096
        RNG:RNG_STRONG
    DH:MODP_6144
        RNG:RNG_STRONG
    DH:MODP_8192
        RNG:RNG_STRONG
    DH:MODP_1024
        RNG:RNG_STRONG
    DH:MODP_1024_160
        RNG:RNG_STRONG
    DH:MODP_768
        RNG:RNG_STRONG
    DH:MODP_CUSTOM
        RNG:RNG_STRONG
    PRIVKEY:RSA
    PRIVKEY_GEN:RSA
        RNG:RNG_TRUE
    PUBKEY:RSA
    PRIVKEY_SIGN:RSA_EMSA_PKCS1_NULL
    PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA1
        HASHER:HASH_SHA1
    PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA224
        HASHER:HASH_SHA224
    PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA256
        HASHER:HASH_SHA256
    PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA384
        HASHER:HASH_SHA384
    PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA512
        HASHER:HASH_SHA512
    PRIVKEY_SIGN:RSA_EMSA_PKCS1_MD5
        HASHER:HASH_MD5
    PUBKEY_VERIFY:RSA_EMSA_PKCS1_NULL
    PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA1
    PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA384
        HASHER:HASH_SHA384
    PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA512
        HASHER:HASH_SHA512
    PUBKEY_VERIFY:RSA_EMSA_PKCS1_MD5
        HASHER:HASH_MD5
    PRIVKEY_DECRYPT:ENCRYPT_RSA_PKCS1
    PUBKEY_ENCRYPT:ENCRYPT_RSA_PKCS1
        RNG:RNG_WEAK
xcbc:
    PRF:PRF_AES128_XCBC
        CRYPTER:AES_CBC-16
    PRF:PRF_CAMELLIA128_XCBC (not loaded)
        CRYPTER:CAMELLIA_CBC-16
    SIGNER:CAMELLIA_XCBC_96 (not loaded)
        CRYPTER:CAMELLIA_CBC-16
    SIGNER:AES_XCBC_96
        CRYPTER:AES_CBC-16
cmac:
    PRF:PRF_AES128_CMAC
        CRYPTER:AES_CBC-16
    SIGNER:AES_CMAC_96
        CRYPTER:AES_CBC-16
hmac:
    PRF:PRF_HMAC_SHA1
        HASHER:HASH_SHA1
    PRF:PRF_HMAC_MD5
        HASHER:HASH_MD5
    PRF:PRF_HMAC_SHA2_256
        HASHER:HASH_SHA256
    PRF:PRF_HMAC_SHA2_384
        HASHER:HASH_SHA384
    PRF:PRF_HMAC_SHA2_512
        HASHER:HASH_SHA512
    SIGNER:HMAC_SHA1_96
        HASHER:HASH_SHA1
    SIGNER:HMAC_SHA1_128
        HASHER:HASH_SHA1
    SIGNER:HMAC_SHA1_160
        HASHER:HASH_SHA1
    SIGNER:HMAC_MD5_96
        HASHER:HASH_MD5
    SIGNER:HMAC_MD5_128
        HASHER:HASH_MD5
    SIGNER:HMAC_SHA2_256_128
        HASHER:HASH_SHA256
    SIGNER:HMAC_SHA2_256_256
        HASHER:HASH_SHA256
    SIGNER:HMAC_SHA2_384_192
        HASHER:HASH_SHA384
    SIGNER:HMAC_SHA2_384_384
        HASHER:HASH_SHA384
    SIGNER:HMAC_SHA2_512_256
        HASHER:HASH_SHA512
    SIGNER:HMAC_SHA2_512_512
        HASHER:HASH_SHA512
attr:
    CUSTOM:attr
kernel-netlink:
    CUSTOM:kernel-ipsec
    CUSTOM:kernel-net
resolve:
    CUSTOM:resolve
socket-default:
    CUSTOM:socket
        CUSTOM:kernel-ipsec (soft)
stroke:
    CUSTOM:stroke
        PRIVKEY:RSA (soft)
        PRIVKEY:ECDSA (soft)
        PRIVKEY:DSA (soft)
        CERT_DECODE:ANY (soft)
        CERT_DECODE:X509 (soft)
        CERT_DECODE:X509_CRL (soft)
        CERT_DECODE:X509_AC (soft)
        CERT_DECODE:TRUSTED_PUBKEY (soft)
updown:
    CUSTOM:updown
eap-identity:
    EAP_SERVER:ID
    EAP_CLIENT:ID
eap-mschapv2:
    EAP_SERVER:MSCHAPV2
        CRYPTER:DES_ECB-8
        HASHER:HASH_MD4
        HASHER:HASH_SHA1
        RNG:RNG_WEAK
    EAP_CLIENT:MSCHAPV2
        CRYPTER:DES_ECB-8
        HASHER:HASH_MD4
        HASHER:HASH_SHA1
        RNG:RNG_WEAK
eap-radius:
    EAP_SERVER:RAD
        CUSTOM:eap-radius
    XAUTH_SERVER:radius
        CUSTOM:eap-radius
    CUSTOM:eap-radius
        HASHER:HASH_MD5
        SIGNER:HMAC_MD5_128
        RNG:RNG_WEAK
eap-tls:
    EAP_SERVER:TLS
        HASHER:HASH_MD5
        HASHER:HASH_SHA1
        RNG:RNG_WEAK
    EAP_CLIENT:TLS
        HASHER:HASH_MD5
        HASHER:HASH_SHA1
        RNG:RNG_WEAK
        RNG:RNG_STRONG
xauth-generic:
    XAUTH_SERVER:generic
    XAUTH_CLIENT:generic

========================================================================

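Added example, not part of the original post: one way to compare the two gateways is to derive strongSwan `ike=`/`esp=` proposal strings from what the Openswan log above shows was negotiated, and to check the cipher against the posted plugin list. The sample inputs are constructed from lines in the post, the function names are hypothetical, and the code assumes that Quick Mode PFS reuses the phase 1 DH group when no separate group was configured.

```python
import re

# Constructed sample: the relevant lines from the Openswan log in the post, unwrapped.
OPENSWAN_LOG = """\
004 "p123" #13615: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
002 "p123" #13616: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#13615}
004 "p123" #13616: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xeaaec3ed <0x3f7a355f xfrm=AES_256-HMAC_SHA1 NATD=212.159.204.76:500 DPD=none}
"""
# Constructed sample: excerpt of the plugin list in the post.
PLUGIN_LIST = """\
aes:
    CRYPTER:AES_CBC-16
    CRYPTER:AES_CBC-24
    CRYPTER:AES_CBC-32
"""

HASHES = {"sha": "sha1", "sha1": "sha1", "md5": "md5"}

def cipher_kw(name):
    """'aes_256' or 'AES_256' -> 'aes256' (strongSwan proposal keyword)."""
    return name.lower().replace("_", "")

def proposals_from_openswan(log):
    """Build strict ike=/esp= strings from the SAs the old gateway established."""
    p1 = re.search(r"cipher=(\w+) prf=oakley_(\w+) group=(\w+)", log)
    p2 = re.search(r"xfrm=(\w+?)-HMAC_(\w+)", log)
    if not (p1 and p2):
        raise ValueError("no established phase 1 / phase 2 SA in log")
    ike = "-".join([cipher_kw(p1[1]), HASHES[p1[2].lower()], p1[3]])
    esp = "-".join([cipher_kw(p2[1]), HASHES[p2[2].lower()]])
    # Assumption: with PFS on and no explicit pfsgroup, Quick Mode reuses the phase 1 group.
    if re.search(r"initiating Quick Mode \S*\bPFS\b", log):
        esp += "-" + p1[3]
    return {"ike": ike + "!", "esp": esp + "!"}

def crypter_loaded(plugin_list, proposal):
    """Check the proposal's cipher against CRYPTER:<ALG>_CBC-<key bytes> entries."""
    m = re.match(r"([a-z]+?)(\d+)-", proposal)
    if not m:
        return False  # only <name><bits> keywords such as aes256 are handled
    want = f"CRYPTER:{m[1].upper()}_CBC-{int(m[2]) // 8}"
    return want in plugin_list.split()

if __name__ == "__main__":
    props = proposals_from_openswan(OPENSWAN_LOG)
    print(props, crypter_loaded(PLUGIN_LIST, props["ike"]))
```

The returned strings use the syntax of the `ike=` and `esp=` options in a `conn` section of ipsec.conf; the plugin list names ciphers by key length in bytes, so a 256-bit AES key appears as `AES_CBC-32`.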