[strongSwan] Problem connecting to a Cisco Unity gateway

Bas van Dijk v.dijk.bas at gmail.com
Fri Feb 13 16:48:21 CET 2015


I solved the "no netkey IPsec stack detected" errors. It turned out
that the NixOS strongSwan configuration used a modprobe which couldn't
find the right kernel modules. I fixed that and now it starts up
without that error. See the log at: http://pastebin.com/ufutkmdC

However, my original problem remains. With the following ipsec.conf:

conn data-display
  aggressive=no
  auto=add
  fragmentation=yes
  ike=des-sha1-modp1024
  ikelifetime=24h
  keyexchange=ikev1
  left=%any
  leftauth=psk
  leftfirewall=yes
  leftid=83.161.66.130
  lifetime=1h
  right=213.163.70.4
  rightauth=psk
  rightsubnet=10.180.0.0/16

I get the following error:

$ sudo ipsec up data-display
initiating Main Mode IKE_SA data-display[1] to 213.163.70.4
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 192.168.42.178[500] to 213.163.70.4[500] (220 bytes)
received packet: from 213.163.70.4[500] to 192.168.42.178[500] (128 bytes)
parsed ID_PROT response 0 [ SA V V ]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.42.178[500] to 213.163.70.4[500] (244 bytes)
received packet: from 213.163.70.4[500] to 192.168.42.178[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: 4a:1c:a1:c6:1d:26:60:b5:3f:0b:02:29:da:eb:0e:5a
received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 192.168.42.178[4500] to 213.163.70.4[4500] (84 bytes)
received packet: from 213.163.70.4[4500] to 192.168.42.178[4500] (84 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA data-display[1] established between
192.168.42.178[83.161.66.130]...213.163.70.4[213.163.70.4]
scheduling reauthentication in 85668s
maximum IKE_SA lifetime 86208s
generating QUICK_MODE request 384749459 [ HASH SA No ID ID ]
sending packet: from 192.168.42.178[4500] to 213.163.70.4[4500] (228 bytes)
received packet: from 213.163.70.4[4500] to 192.168.42.178[4500] (84 bytes)
parsed INFORMATIONAL_V1 request 1953095225 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'data-display' failed

What does NO_PROPOSAL_CHOSEN mean?

Thanks,

Bas

On 10 February 2015 at 16:48, Bas van Dijk <v.dijk.bas at gmail.com> wrote:
> Hello,
>
> Apologies in advance for the rather long message but I'm new to
> strongSwan and want to include as much information as I think is
> relevant to my problem.
>
> I'm having some problems using strongSwan-5.2.2 to establish a
> connection to a host on the subnet 10.180.0.0/16 which is behind the
> gateway 213.163.70.4. The IP address of my machine is 192.168.42.162
> and I'm using NAT to access the internet. My public IP address is:
> 83.161.66.130. I don't control the 213.163.70.4 gateway and I have
> been told it uses the following settings:
>
> Target address: 213.163.70.4
> Source address: 83.161.66.130
> IKE SA: Phase 1
> Encryption: AES-128 with SHA-1
> Diffie-Hellman: Group 2
> SA lifetime: 86400 seconds
> IKE negotiation mode: Main (non aggressive)
> Pre-shared key: XXXX (censored)
> IPsec proposal: Phase 2
> Encryption: AES-128 with SHA-1
> IPsec type: ESP
> IPsec tunnel lifetime: 3600 seconds
>
> I set my ipsec.secrets (censored) to:
> 213.163.70.4 %any : PSK 0xXXXX
>
> ipsec.conf:
> conn data-display
>   aggressive=no
>   authby=secret
>   auto=add
>   esp=aes128-sha1
>   fragmentation=yes
>   ike=des-sha1-modp1024
>   ikelifetime=24h
>   keyexchange=ikev1
>   left=%any
>   leftfirewall=yes
>   leftid=83.161.66.130
>   lifetime=1h
>   right=213.163.70.4
>   rightsubnet=10.180.0.0/16
>
> I noticed from the strongSwan logs that the gateway is a Cisco Unity
> device so I configured strongSwan with --enable-unity. I'm not sure
> that is required.
>
> When I start strongSwan using "sudo systemctl start strongswan" I get
> the following log (I'm using logging level 2):
>
> http://pastebin.com/pC1WYegL
>
> I'm a bit confused why I get the "no netkey IPsec stack detected"
> warning since all required[1] kernel options are enabled (either build
> in or as modules). In particular:
>
> cat /proc/config.gz | gunzip | grep CONFIG_NET_KEY=
> CONFIG_NET_KEY=m
>
> Since it's a warning I ignore it for a moment and try to start up the
> "data-display" connection using "sudo ipsec up data-display". I get
> the following output:
>
> initiating Main Mode IKE_SA data-display[1] to 213.163.70.4
> generating ID_PROT request 0 [ SA V V V V V ]
> sending packet: from 192.168.42.162[500] to 213.163.70.4[500] (220 bytes)
> received packet: from 213.163.70.4[500] to 192.168.42.162[500] (128 bytes)
> parsed ID_PROT response 0 [ SA V V ]
> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> received FRAGMENTATION vendor ID
> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
> sending packet: from 192.168.42.162[500] to 213.163.70.4[500] (244 bytes)
> received packet: from 213.163.70.4[500] to 192.168.42.162[500] (304 bytes)
> parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
> received Cisco Unity vendor ID
> received XAuth vendor ID
> received unknown vendor ID: c5:dd:ab:2d:d0:7e:27:16:a3:59:1d:ba:91:49:75:8d
> received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
> local host is behind NAT, sending keep alives
> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
> sending packet: from 192.168.42.162[4500] to 213.163.70.4[4500] (84 bytes)
> received packet: from 213.163.70.4[4500] to 192.168.42.162[4500] (84 bytes)
> parsed ID_PROT response 0 [ ID HASH V ]
> received DPD vendor ID
> IKE_SA data-display[1] established between
> 192.168.42.162[83.161.66.130]...213.163.70.4[213.163.70.4]
> scheduling reauthentication in 85593s
> maximum IKE_SA lifetime 86133s
> generating QUICK_MODE request 3299461263 [ HASH SA No ID ID ]
> sending packet: from 192.168.42.162[4500] to 213.163.70.4[4500] (204 bytes)
> received packet: from 213.163.70.4[4500] to 192.168.42.162[4500] (84 bytes)
> parsed INFORMATIONAL_V1 request 1571124148 [ HASH N(NO_PROP) ]
> received NO_PROPOSAL_CHOSEN error notify
> received packet: from 213.163.70.4[4500] to 192.168.42.162[4500] (84 bytes)
> parsed INFORMATIONAL_V1 request 3331205321 [ HASH D ]
> received DELETE for IKE_SA data-display[1]
> deleting IKE_SA data-display[1] between
> 192.168.42.162[83.161.66.130]...213.163.70.4[213.163.70.4]
> establishing connection 'data-display' failed
>
> The following is posted to syslog:
>
> http://pastebin.com/1Vj1rXaq
>
> So I can see that an IKE_SA is established between me and the gateway.
> However, after that something goes wrong.
>
> Can somebody explain what is going wrong and point me in the right direction?
>
> Also note that I'm using NixOS running in VirtualBox. My virtual NIC
> is bridged to my physical NIC.
>
> Let me know if any more information is desired.
>
> Cheers,
>
> Bas
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
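The triage below is an added example and not part of the message above or of the strongSwan project: it reads an ipsec.conf conn block and an `ipsec up` transcript of the kind posted in this thread, reports whether NO_PROPOSAL_CHOSEN arrived in Phase 1 (Main Mode) or Phase 2 (Quick Mode), and lists where the configured proposals diverge from what the gateway operator documented (Phase 1 AES-128/SHA-1/Group 2, Phase 2 ESP AES-128/SHA-1). The conn parser is a simplified regex, not strongSwan's own ipsec.conf grammar, and the GATEWAY_POLICY mapping of "Group 2" to modp1024 is the usual strongSwan spelling of that DH group.

```python
import re

# Constructed sample: the conn block from the message above, reduced to the
# settings that matter for proposal matching (values exactly as posted).
IPSEC_CONF = """conn data-display
  ike=des-sha1-modp1024
  keyexchange=ikev1
  right=213.163.70.4
  rightsubnet=10.180.0.0/16
"""

# Constructed sample: abbreviated `ipsec up` transcript from the message above.
LOG = """initiating Main Mode IKE_SA data-display[1] to 213.163.70.4
IKE_SA data-display[1] established between
generating QUICK_MODE request 384749459 [ HASH SA No ID ID ]
parsed INFORMATIONAL_V1 request 1953095225 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
"""

# Proposals as the gateway operator documented them: Phase 1 AES-128/SHA-1/DH
# group 2 (modp1024 in strongSwan notation), Phase 2 ESP AES-128/SHA-1.
GATEWAY_POLICY = {"ike": "aes128-sha1-modp1024", "esp": "aes128-sha1"}

def parse_conn(text):
    """Return the key=value settings of a conn block as a dict."""
    return dict(re.findall(r"^[ \t]+(\w+)=(\S+)", text, re.M))

def failing_phase(log):
    """'phase1', 'phase2' or None, depending on when NO_PROPOSAL_CHOSEN arrived."""
    lines = log.splitlines()
    hits = [i for i, l in enumerate(lines) if "NO_PROPOSAL_CHOSEN" in l]
    if not hits:
        return None
    # Once the IKE_SA is reported established, Phase 1 is done; a rejection that
    # follows a QUICK_MODE request therefore concerns the Phase 2 (ESP) proposal.
    before = lines[:hits[0]]
    if any("established" in l for l in before) and any("QUICK_MODE" in l for l in before):
        return "phase2"
    return "phase1"

def policy_findings(conn, policy):
    """List proposal settings that do not match the documented gateway policy."""
    findings = []
    for key in ("ike", "esp"):
        if key not in conn:
            findings.append(f"{key} not set: strongSwan's default proposals are offered")
        elif conn[key] != policy[key]:
            findings.append(f"{key}={conn[key]} differs from documented {policy[key]}")
    return findings
```

Calling `failing_phase(LOG)` and `policy_findings(parse_conn(IPSEC_CONF), GATEWAY_POLICY)` narrows the search to the Phase 2 proposal and to the unset esp line, but the log alone does not say which difference the gateway objected to. NO_PROPOSAL_CHOSEN in Quick Mode can also stem from a traffic-selector mismatch (leftsubnet/rightsubnet), which this check does not cover.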

