[strongSwan] strongswan host to host setup problem

Aaron hawaiiaaron at gmail.com
Fri Jul 17 01:44:46 CEST 2015


Thanks. I've added the two lines to the ipsec.conf file and increased
debugging.  It appears to be the same error.

Here is the log from the left side and right side as well as the
strongswan.conf file.
You'll see in the logs that some certs are loaded but I am not using them
in my ipsec.conf.  I just want to use PSKs at this time.

#left side log
Jul 16 23:27:17 vpn02 charon: 00[DMN] Starting IKE charon daemon
(strongSwan 5.2.0, Linux 2.6.32-431.29.2.el6.x86_64, x86_64)
Jul 16 23:27:17 vpn02 charon: 00[LIB] openssl FIPS mode(2) - enabled
Jul 16 23:27:17 vpn02 charon: 00[CFG] loading ca certificates from
'/etc/strongswan/ipsec.d/cacerts'
Jul 16 23:27:17 vpn02 charon: 00[CFG]   loaded ca certificate "C=US, ST=WA,
L=xxxx, O=xxxx, OU=xxxx, CN=StrongSwan Intermediate CA" from
'/etc/strongswan/ipsec.d/cacerts/int.pem'
Jul 16 23:27:17 vpn02 charon: 00[CFG]   loaded ca certificate "C=US, ST=WA,
L=xxxx, O=xxxx, OU=xxxx, CN=StrongSwan Root CA" from
'/etc/strongswan/ipsec.d/cacerts/rootCa.crt.pem'
Jul 16 23:27:17 vpn02 charon: 00[CFG] loading aa certificates from
'/etc/strongswan/ipsec.d/aacerts'
Jul 16 23:27:17 vpn02 charon: 00[CFG] loading ocsp signer certificates from
'/etc/strongswan/ipsec.d/ocspcerts'
Jul 16 23:27:17 vpn02 charon: 00[CFG] loading attribute certificates from
'/etc/strongswan/ipsec.d/acerts'
Jul 16 23:27:17 vpn02 charon: 00[CFG] loading crls from
'/etc/strongswan/ipsec.d/crls'
Jul 16 23:27:17 vpn02 charon: 00[CFG] loading secrets from
'/etc/strongswan/ipsec.secrets'
Jul 16 23:27:17 vpn02 charon: 00[CFG]   loaded IKE secret for %any
Jul 16 23:27:17 vpn02 charon: 00[LIB] loaded plugins: charon curl aes des
rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey
pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac
hmac attr kernel-netlink resolve socket-default farp stroke vici updown
eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap
xauth-generic xauth-eap xauth-pam xauth-noauth dhcp
Jul 16 23:27:17 vpn02 charon: 00[LIB] unable to load 3 plugin features (3
due to unmet dependencies)
Jul 16 23:27:17 vpn02 charon: 00[JOB] spawning 16 worker threads
Jul 16 23:27:17 vpn02 charon: 08[CFG] received stroke: add connection 'rw'
Jul 16 23:27:17 vpn02 charon: 08[CFG] added configuration 'rw'
Jul 16 23:27:23 vpn02 charon: 10[CFG] received stroke: initiate 'rw'
Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing IKE_VENDOR task
Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing IKE_INIT task
Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing IKE_NATD task
Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing IKE_CERT_PRE task
Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing IKE_AUTH task
Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing IKE_CERT_POST task
Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing IKE_CONFIG task
Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing IKE_AUTH_LIFETIME task
Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing IKE_MOBIKE task
Jul 16 23:27:23 vpn02 charon: 12[IKE] queueing CHILD_CREATE task
Jul 16 23:27:23 vpn02 charon: 12[IKE] activating new tasks
Jul 16 23:27:23 vpn02 charon: 12[IKE]   activating IKE_VENDOR task
Jul 16 23:27:23 vpn02 charon: 12[IKE]   activating IKE_INIT task
Jul 16 23:27:23 vpn02 charon: 12[IKE]   activating IKE_NATD task
Jul 16 23:27:23 vpn02 charon: 12[IKE]   activating IKE_CERT_PRE task
Jul 16 23:27:23 vpn02 charon: 12[IKE]   activating IKE_AUTH task
Jul 16 23:27:23 vpn02 charon: 12[IKE]   activating IKE_CERT_POST task
Jul 16 23:27:23 vpn02 charon: 12[IKE]   activating IKE_CONFIG task
Jul 16 23:27:23 vpn02 charon: 12[IKE]   activating CHILD_CREATE task
Jul 16 23:27:23 vpn02 charon: 12[IKE]   activating IKE_AUTH_LIFETIME task
Jul 16 23:27:23 vpn02 charon: 12[IKE]   activating IKE_MOBIKE task
Jul 16 23:27:23 vpn02 charon: 12[IKE] initiating IKE_SA rw[1] to 10.100.1.31
Jul 16 23:27:23 vpn02 charon: 12[IKE] IKE_SA rw[1] state change: CREATED =>
CONNECTING
Jul 16 23:27:23 vpn02 charon: 12[IKE] natd_chunk => 22 bytes @
0x7fe30c0028c0
Jul 16 23:27:23 vpn02 charon: 12[IKE]    0: 6A 4A DE E8 FC 8C FF D9 00 00
00 00 00 00 00 00  jJ..............
Jul 16 23:27:23 vpn02 charon: 12[IKE]   16: 0A 64 01 1F 01
F4                                .d....
Jul 16 23:27:23 vpn02 charon: 12[IKE] natd_hash => 20 bytes @ 0x7fe30c0028e0
Jul 16 23:27:23 vpn02 charon: 12[IKE]    0: BE 1C 33 77 01 44 51 EF 11 0C
28 5E 55 66 F1 65  ..3w.DQ...(^Uf.e
Jul 16 23:27:23 vpn02 charon: 12[IKE]   16: 7C 85 04
6A                                      |..j
Jul 16 23:27:23 vpn02 charon: 12[IKE] natd_chunk => 22 bytes @
0x7fe30c0025c0
Jul 16 23:27:23 vpn02 charon: 12[IKE]    0: 6A 4A DE E8 FC 8C FF D9 00 00
00 00 00 00 00 00  jJ..............
Jul 16 23:27:23 vpn02 charon: 12[IKE]   16: 0A 64 01 14 01
F4                                .d....
Jul 16 23:27:23 vpn02 charon: 12[IKE] natd_hash => 20 bytes @ 0x7fe30c0025e0
Jul 16 23:27:23 vpn02 charon: 12[IKE]    0: 2C 77 72 D7 74 8D 69 C1 D7 5C
90 3E B7 66 79 D9  ,wr.t.i..\.>.fy.
Jul 16 23:27:23 vpn02 charon: 12[IKE]   16: DB 4B 9B
3D                                      .K.=
Jul 16 23:27:23 vpn02 charon: 12[ENC] generating IKE_SA_INIT request 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 16 23:27:23 vpn02 charon: 12[NET] sending packet: from 10.100.1.20[500]
to 10.100.1.31[500] (964 bytes)
Jul 16 23:27:27 vpn02 charon: 13[IKE] retransmit 1 of request with message
ID 0
Jul 16 23:27:27 vpn02 charon: 13[NET] sending packet: from 10.100.1.20[500]
to 10.100.1.31[500] (964 bytes)
Jul 16 23:27:29 vpn02 charon: 14[NET] received packet: from
10.100.1.131[500] to 10.100.1.20[500] (964 bytes)
Jul 16 23:27:29 vpn02 charon: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE
No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 16 23:27:29 vpn02 charon: 14[IKE] no IKE config found for
10.100.1.20...10.100.1.131, sending NO_PROPOSAL_CHOSEN
Jul 16 23:27:29 vpn02 charon: 14[ENC] generating IKE_SA_INIT response 0 [
N(NO_PROP) ]
Jul 16 23:27:29 vpn02 charon: 14[NET] sending packet: from 10.100.1.20[500]
to 10.100.1.131[500] (36 bytes)
Jul 16 23:27:29 vpn02 charon: 14[IKE] IKE_SA (unnamed)[2] state change:
CREATED => DESTROYING

#right side
Jul 16 23:27:12 vpn03 charon: 00[DMN] Starting IKE charon daemon
(strongSwan 5.2.0, Linux 2.6.32-431.29.2.el6.x86_64, x86_64)
Jul 16 23:27:12 vpn03 charon: 00[LIB] openssl FIPS mode(2) - enabled
Jul 16 23:27:12 vpn03 charon: 00[CFG] loading ca certificates from
'/etc/strongswan/ipsec.d/cacerts'
Jul 16 23:27:12 vpn03 charon: 00[CFG]   loaded ca certificate "C=US, ST=WA,
L=xxxxx, O=xxxxx, OU=xxxxx, CN=StrongSwan Intermediate CA" from
'/etc/strongswan/ipsec.d/cacerts/int.crt.pem'
Jul 16 23:27:12 vpn03 charon: 00[CFG]   loaded ca certificate "C=US, ST=WA,
L=xxxxx, O=xxxxx, OU=xxxxx, CN=StrongSwan Root CA" from
'/etc/strongswan/ipsec.d/cacerts/rootCa.crt.pem'
Jul 16 23:27:12 vpn03 charon: 00[CFG] loading aa certificates from
'/etc/strongswan/ipsec.d/aacerts'
Jul 16 23:27:12 vpn03 charon: 00[CFG] loading ocsp signer certificates from
'/etc/strongswan/ipsec.d/ocspcerts'
Jul 16 23:27:12 vpn03 charon: 00[CFG] loading attribute certificates from
'/etc/strongswan/ipsec.d/acerts'
Jul 16 23:27:12 vpn03 charon: 00[CFG] loading crls from
'/etc/strongswan/ipsec.d/crls'
Jul 16 23:27:12 vpn03 charon: 00[CFG] loading secrets from
'/etc/strongswan/ipsec.secrets'
Jul 16 23:27:12 vpn03 charon: 00[CFG]   loaded IKE secret for %any
Jul 16 23:27:12 vpn03 charon: 00[LIB] loaded plugins: charon curl aes des
rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey
pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac
hmac attr kernel-netlink resolve socket-default farp stroke vici updown
eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap
xauth-generic xauth-eap xauth-pam xauth-noauth dhcp
Jul 16 23:27:12 vpn03 charon: 00[LIB] unable to load 3 plugin features (3
due to unmet dependencies)
Jul 16 23:27:12 vpn03 charon: 00[JOB] spawning 16 worker threads
Jul 16 23:27:12 vpn03 charon: 08[CFG] received stroke: add connection 'rw'
Jul 16 23:27:12 vpn03 charon: 08[CFG] added configuration 'rw'
Jul 16 23:27:29 vpn03 charon: 10[CFG] received stroke: initiate 'rw'
Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing IKE_VENDOR task
Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing IKE_INIT task
Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing IKE_NATD task
Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing IKE_CERT_PRE task
Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing IKE_AUTH task
Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing IKE_CERT_POST task
Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing IKE_CONFIG task
Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing IKE_AUTH_LIFETIME task
Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing IKE_MOBIKE task
Jul 16 23:27:29 vpn03 charon: 12[IKE] queueing CHILD_CREATE task
Jul 16 23:27:29 vpn03 charon: 12[IKE] activating new tasks
Jul 16 23:27:29 vpn03 charon: 12[IKE]   activating IKE_VENDOR task
Jul 16 23:27:29 vpn03 charon: 12[IKE]   activating IKE_INIT task
Jul 16 23:27:29 vpn03 charon: 12[IKE]   activating IKE_NATD task
Jul 16 23:27:29 vpn03 charon: 12[IKE]   activating IKE_CERT_PRE task
Jul 16 23:27:29 vpn03 charon: 12[IKE]   activating IKE_AUTH task
Jul 16 23:27:29 vpn03 charon: 12[IKE]   activating IKE_CERT_POST task
Jul 16 23:27:29 vpn03 charon: 12[IKE]   activating IKE_CONFIG task
Jul 16 23:27:29 vpn03 charon: 12[IKE]   activating CHILD_CREATE task
Jul 16 23:27:29 vpn03 charon: 12[IKE]   activating IKE_AUTH_LIFETIME task
Jul 16 23:27:29 vpn03 charon: 12[IKE]   activating IKE_MOBIKE task
Jul 16 23:27:29 vpn03 charon: 12[IKE] initiating IKE_SA rw[1] to 10.100.1.20
Jul 16 23:27:29 vpn03 charon: 12[IKE] IKE_SA rw[1] state change: CREATED =>
CONNECTING
Jul 16 23:27:29 vpn03 charon: 12[IKE] natd_chunk => 22 bytes @
0x7f586c0028c0
Jul 16 23:27:29 vpn03 charon: 12[IKE]    0: 8E E1 E7 6D 58 37 7C 61 00 00
00 00 00 00 00 00  ...mX7|a........
Jul 16 23:27:29 vpn03 charon: 12[IKE]   16: 0A 64 01 14 01
F4                                .d....
Jul 16 23:27:29 vpn03 charon: 12[IKE] natd_hash => 20 bytes @ 0x7f586c0028e0
Jul 16 23:27:29 vpn03 charon: 12[IKE]    0: D5 57 BE 5C 11 13 5D A8 60 7D
72 BF FC 4E A3 CF  .W.\..].`}r..N..
Jul 16 23:27:29 vpn03 charon: 12[IKE]   16: 9C 06 49
FD                                      ..I.
Jul 16 23:27:29 vpn03 charon: 12[IKE] natd_chunk => 22 bytes @
0x7f586c0025c0
Jul 16 23:27:29 vpn03 charon: 12[IKE]    0: 8E E1 E7 6D 58 37 7C 61 00 00
00 00 00 00 00 00  ...mX7|a........
Jul 16 23:27:29 vpn03 charon: 12[IKE]   16: 0A 64 01 83 01
F4                                .d....
Jul 16 23:27:29 vpn03 charon: 12[IKE] natd_hash => 20 bytes @ 0x7f586c0025e0
Jul 16 23:27:29 vpn03 charon: 12[IKE]    0: 29 E2 9B CE 30 89 84 08 B6 13
EF D5 75 EA 11 74  )...0.......u..t
Jul 16 23:27:29 vpn03 charon: 12[IKE]   16: C7 9F E7
7B                                      ...{
Jul 16 23:27:29 vpn03 charon: 12[ENC] generating IKE_SA_INIT request 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 16 23:27:29 vpn03 charon: 12[NET] sending packet: from
10.100.1.131[500] to 10.100.1.20[500] (964 bytes)
Jul 16 23:27:29 vpn03 charon: 13[NET] received packet: from
10.100.1.20[500] to 10.100.1.131[500] (36 bytes)
Jul 16 23:27:29 vpn03 charon: 13[ENC] parsed IKE_SA_INIT response 0 [
N(NO_PROP) ]
Jul 16 23:27:29 vpn03 charon: 13[IKE] received NO_PROPOSAL_CHOSEN notify
error
Jul 16 23:27:29 vpn03 charon: 13[IKE] IKE_SA rw[1] state change: CONNECTING
=> DESTROYING

#strongswan.conf
charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf


On Thu, Jul 16, 2015 at 3:10 PM, Randy Wyatt <rwwyatt01 at gmail.com> wrote:

> Have you tried limiting the proposals supported?
> ike=aes128-sha1-modp1024
> esp=aes128-sha1
>
> If you don't specify the proposal, everything is sent.  Can you increase
> the debugging on ike  so we can look a little more at the proposal and
> configured?
>
> Regards,
> Randy
>
>
> On Thu, Jul 16, 2015 at 2:08 PM, Aaron <hawaiiaaron at gmail.com> wrote:
>
>> Hi, I have strongswan setup in a host to host configuration using a
>> shared secret for testing, but am not able to get it to establish a
>> tunnel.  The left side attempts to retransmit packets till it gives up and
>> on the right side I receive this error.  Any help appreciated.  Thanks!
>>
>> Jul 16 21:01:19 vpn02 charon: 12[NET] received packet: from
>> 10.100.1.20[500] to 10.100.1.131[500] (36 bytes)
>> Jul 16 21:01:19 vpn02 charon: 12[ENC] parsed IKE_SA_INIT response 0 [
>> N(NO_PROP) ]
>> Jul 16 21:01:19 vpn02 charon: 12[IKE] received NO_PROPOSAL_CHOSEN notify
>> error
>>
>> #ipsec.conf file
>> #right side and leftside are identical
>> config setup
>>         charondebug=all
>>
>> conn %default
>>         ikelifetime=60m
>>         keylife=20m
>>         rekeymargin=3m
>>         keyingtries=1
>>         keyexchange=ikev2
>>         authby=psk
>>
>> conn rw
>>         left=10.100.1.20
>>         leftid=10.100.1.20
>>         leftfirewall=no
>>         right=10.100.1.131
>>         rightid=10.100.1.131
>>         auto=start
>>         authby=psk
>>
>> # ipsec.secrets file
>> : PSK "mypsksecret"
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>>
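The logs in this thread show two things worth separating when reading charon output at charondebug=all. First, the responder line "no IKE config found for 10.100.1.20...10.100.1.131, sending NO_PROPOSAL_CHOSEN" is emitted when no conn's left/right pair matches the addresses of the incoming IKE_SA_INIT; the peer then sees the same NO_PROPOSAL_CHOSEN notify that a cipher-suite mismatch would produce, so the notify alone does not tell you which problem you have. Second, the natd_chunk hex dumps are the input to the NAT_DETECTION_*_IP hashes (SPIi | SPIr | IPv4 address | port), so they record exactly which address and port each host put on the wire. The script below is an added example written for this page (it is not from the thread or from the strongSwan project); it parses the left-side lines quoted above, re-joined where the mail client wrapped them, decodes the NAT-D dumps, and reports whether the failure is an address/config mismatch. The regular expressions, the 16-bytes-per-row dump layout and the SHA-1 check are assumptions based on strongSwan 5.2 log format and RFC 7296 section 2.23.

```python
"""Triage a strongSwan charon debug log for a failed IKEv2 IKE_SA_INIT.

Added example, not code from the thread or the strongSwan project. It pulls
the peer addresses out of the log, decodes the NAT-D hex dumps charon prints
at charondebug=all, and flags the case where the responder answered
NO_PROPOSAL_CHOSEN because no connection matched the peer addresses.
"""
import hashlib
import ipaddress
import re

# Constructed sample: lines from the left-side log in the thread, re-joined
# where the mail client had wrapped them.
LEFT_LOG = """\
Jul 16 23:27:23 vpn02 charon: 12[IKE] initiating IKE_SA rw[1] to 10.100.1.31
Jul 16 23:27:23 vpn02 charon: 12[IKE] natd_chunk => 22 bytes @ 0x7fe30c0028c0
Jul 16 23:27:23 vpn02 charon: 12[IKE]    0: 6A 4A DE E8 FC 8C FF D9 00 00 00 00 00 00 00 00  jJ..............
Jul 16 23:27:23 vpn02 charon: 12[IKE]   16: 0A 64 01 1F 01 F4                                .d....
Jul 16 23:27:23 vpn02 charon: 12[IKE] natd_hash => 20 bytes @ 0x7fe30c0028e0
Jul 16 23:27:23 vpn02 charon: 12[IKE]    0: BE 1C 33 77 01 44 51 EF 11 0C 28 5E 55 66 F1 65  ..3w.DQ...(^Uf.e
Jul 16 23:27:23 vpn02 charon: 12[IKE]   16: 7C 85 04 6A                                      |..j
Jul 16 23:27:23 vpn02 charon: 12[NET] sending packet: from 10.100.1.20[500] to 10.100.1.31[500] (964 bytes)
Jul 16 23:27:29 vpn02 charon: 14[NET] received packet: from 10.100.1.131[500] to 10.100.1.20[500] (964 bytes)
Jul 16 23:27:29 vpn02 charon: 14[IKE] no IKE config found for 10.100.1.20...10.100.1.131, sending NO_PROPOSAL_CHOSEN
"""

# Assumed log formats (strongSwan 5.2 charon); adjust if your build differs.
DUMP_HDR = re.compile(r"\] (\w+) => (\d+) bytes @ 0x[0-9a-f]+$")
DUMP_ROW = re.compile(r"\]\s+(\d+): (.*)$")
INITIATING = re.compile(r"initiating IKE_SA (\S+)\[\d+\] to (\S+)")
NO_CONFIG = re.compile(r"no IKE config found for ([^\s,]+?)\.\.\.([^\s,]+)")
RECEIVED = re.compile(r"received packet: from (\S+)\[\d+\] to (\S+)\[\d+\]")


def parse_dumps(log):
    """Return [(name, bytes)] for every 'name => N bytes @ addr' hex dump.

    charon prints 16 bytes per row followed by an ASCII column, so the row
    offset and the declared size bound how many hex tokens are consumed
    (the ASCII column could otherwise look like hex).
    """
    dumps, current = [], None
    for line in log.splitlines():
        hdr = DUMP_HDR.search(line)
        if hdr:
            current = (hdr.group(1), int(hdr.group(2)), bytearray())
            continue
        row = DUMP_ROW.search(line)
        if current is None or not row:
            continue
        name, size, buf = current
        offset, tokens = int(row.group(1)), row.group(2).split()
        if offset != len(buf):
            raise ValueError(f"unexpected offset {offset} in dump {name}")
        for tok in tokens[:min(16, size - offset)]:
            buf.append(int(tok, 16))
        if len(buf) == size:
            dumps.append((name, bytes(buf)))
            current = None
    return dumps


def decode_natd_chunk(chunk):
    """Split a 22-byte NAT-D input (RFC 7296 2.23): SPIi | SPIr | IPv4 | port."""
    if len(chunk) != 22:
        raise ValueError("only IPv4 NAT-D chunks (22 bytes) are handled here")
    return {
        "spi_i": chunk[:8].hex(),
        "spi_r": chunk[8:16].hex(),  # all zero in the IKE_SA_INIT request
        "ip": str(ipaddress.IPv4Address(chunk[16:20])),
        "port": int.from_bytes(chunk[20:22], "big"),
    }


def natd_hash_matches(chunk, logged_hash):
    """NAT_DETECTION_*_IP carries SHA-1 over the chunk; check the log agrees."""
    return hashlib.sha1(chunk).digest() == logged_hash


def diagnose(log):
    """Collect addresses, decoded NAT-D data and findings from one host's log."""
    report = {"conn": None, "configured_peer": None, "incoming_from": [],
              "no_config_for": [], "natd": [], "findings": []}
    for line in log.splitlines():
        if m := INITIATING.search(line):
            report["conn"], report["configured_peer"] = m.group(1), m.group(2)
        elif m := RECEIVED.search(line):
            report["incoming_from"].append(m.group(1))
        elif m := NO_CONFIG.search(line):
            report["no_config_for"].append((m.group(1), m.group(2)))
    dumps = parse_dumps(log)
    for i, (name, data) in enumerate(dumps):
        if name == "natd_chunk" and i + 1 < len(dumps) and dumps[i + 1][0] == "natd_hash":
            entry = decode_natd_chunk(data)
            entry["hash_ok"] = natd_hash_matches(data, dumps[i + 1][1])
            report["natd"].append(entry)
    for me, peer in report["no_config_for"]:
        report["findings"].append(
            f"{me} answered {peer} with NO_PROPOSAL_CHOSEN because no conn has "
            f"left/right matching those addresses: an address mismatch, not a "
            f"cipher mismatch")
        if report["configured_peer"] and peer != report["configured_peer"]:
            report["findings"].append(
                f"conn '{report['conn']}' is initiated to {report['configured_peer']} "
                f"but the incoming IKE_SA_INIT came from {peer}: compare right= on "
                f"this host with left= on the peer")
    return report


if __name__ == "__main__":
    for key, value in diagnose(LEFT_LOG).items():
        print(f"{key}: {value}")
```

Run it against the full log of either side; the `natd` entries show the address and port each host actually used (the responder SPI is zero in the request, as expected), and the `findings` list distinguishes "no matching conn" from a genuine proposal mismatch, which would instead leave the responder logging the received proposals before the notify.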