[strongSwan] Problem connecting to a Cisco Unity gateway

Tobias Brunner tobias at strongswan.org
Mon Feb 16 18:19:08 CET 2015


Hi Bas,

> What does NO_PROPOSAL_CHOSEN mean?

As Noel pointed out it could mean the responder doesn't like the
proposed algorithms.  But the responder could also return this error
because it doesn't like the proposed traffic selectors (i.e. the subnets
in `left|rightsubnet`) or the mode (type=tunnel|transport).

In your case you propose to tunnel traffic from 192.168.42.178/32 to
10.180.0.0/16 (since you haven't specified `leftsubnet` its value
defaults to `left` i.e. your local address behind the NAT).

If that's not correct then you have to fix these addresses as for IKEv1
these traffic selectors have to match exactly.

The problem is, though, that due to the NAT you can't just "fix" this by
configuring `leftsubnet=83.161.66.130/32` (i.e. your public IP).
Because for this to work you'd have to NAT local traffic to the subnet
in `rightsubnet` locally on the client to your NAT's public IP.
Otherwise, the traffic sent to the remote subnet won't match the IPsec
policy (as the source address of such packets would still be your
private address).  Similarly, packets sent from hosts in 10.180.0.0/16
would be decrypted by your client behind the NAT and then get forwarded
from 192.168.42.178 to 83.161.66.130 (unless the aforementioned NAT rule
would locally rewrite the destination address of these packets to your
private address again).

You could try to use transport mode, if the server accepts it.  That way
the NAT would translate the IPs for you.  Another option is to change
the traffic selector on the server (i.e. make its remote traffic
selector equal your client's private IP address), but if you use dynamic
DHCP in your client's LAN that won't work very well as you'd have to
change that traffic selector all the time.

To use tunnel mode in such situations one usually uses virtual IPs via
Mode Config or statically assigned.  For more information on virtual
IPs, check out [1].  And for this to work the server obviously has to be
configured accordingly.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp
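An added configuration example (not from this thread and not from the strongSwan project) showing, in ipsec.conf terms, the traffic selectors that result from the setup discussed above and the Mode Config virtual-IP variant Tobias recommends for tunnel mode. GATEWAY_IP is a placeholder for the Cisco gateway's address, and the authentication settings are left out because the thread does not state them.

```ini
# Added example, not from the thread: strongSwan ipsec.conf connections
# illustrating the traffic-selector problem and the virtual-IP fix.
# GATEWAY_IP is a placeholder; authentication keywords (authby, leftid,
# xauth settings, ...) are omitted because the thread does not give them
# and they are the same for both variants.

# 1) The situation from the thread: leftsubnet is not set, so it defaults
#    to the value of left, i.e. the private address behind the NAT.  The
#    proposed IKEv1 selectors are therefore 192.168.42.178/32 <->
#    10.180.0.0/16.  If the gateway is configured for the client's public
#    address instead, it answers NO_PROPOSAL_CHOSEN, because IKEv1
#    selectors must match exactly.  Setting leftsubnet=83.161.66.130/32
#    would satisfy the gateway but, as explained above, packets leaving
#    the client would then not match the installed IPsec policy.
conn cisco-as-is
    keyexchange=ikev1
    type=tunnel
    left=%defaultroute
    right=GATEWAY_IP
    rightsubnet=10.180.0.0/16
    auto=add

# 2) Tunnel mode with a virtual IP assigned by the gateway via Mode Config
#    (leftsourceip=%config).  The client installs the assigned address
#    locally and uses it as the source for traffic to 10.180.0.0/16, so
#    the local selector becomes <virtual IP>/32: it matches what the
#    gateway expects, it is independent of the client's DHCP-assigned
#    LAN address, and no extra NAT rule is needed on the client.  The
#    gateway must be configured to hand out virtual IPs for this to work.
conn cisco-virtual-ip
    keyexchange=ikev1
    type=tunnel
    left=%defaultroute
    leftsourceip=%config
    right=GATEWAY_IP
    rightsubnet=10.180.0.0/16
    auto=add
```

After `ipsec up cisco-virtual-ip`, `ipsec status` shows the assigned virtual address as the local traffic selector instead of the private LAN address, which is the quickest way to confirm that the client and gateway now agree on the selectors.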
