[strongSwan] No proposal chosen / No IKE config found

tskals at gmail.com tskals at gmail.com
Fri Dec 30 09:12:00 CET 2016


Can someone look at my debug output and config and tell me why strongSwan is sending a no proposal chosen notify message, based on the configs for my strongSwan and ASA below? I tried changing the leftid and rightid to the private outside address of the ASA, the NATed address; not sure what strongSwan doesn't like, everything looks like it matches.

Configuring strongSwan with an ASA; the ASA is behind a firewall, NATing occurs upstream, and ports 500 and 4500 are port-forwarded back to the ASA.


strongSwan syslog output:

Dec 30 02:46:29 lagunesrevengeII charon: 07[ENC] generating INFORMATIONAL_V1 request 469970900 [ N(NO_PROP) ]
Dec 30 02:46:29 lagunesrevengeII charon: 07[NET] sending packet: from 104.x.x.x[500] to 98.x.x.x[500] (40 bytes)
Dec 30 02:46:37 lagunesrevengeII charon: 08[NET] received packet: from 98.x.x.x[500] to 104.x.x.x[500] (112 bytes)
Dec 30 02:46:37 lagunesrevengeII charon: 08[ENC] parsed ID_PROT request 0 [ SA V ]
Dec 30 02:46:37 lagunesrevengeII charon: 08[IKE] no IKE config found for 104.x.x.x...98.x.x.x, sending NO_PROPOSAL_CHOSEN

ASA debug output:

Dec 30 01:38:24 [IKEv1]IP = 104.x.x.x, IKE_DECODE RECEIVED Message (msgid=954138f9) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 40
Dec 30 01:38:24 [IKEv1]IP = 104.x.x.x, IKE_DECODE RECEIVED Message (msgid=954138f9) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 40
Dec 30 01:38:24 [IKEv1]IP = 104.x.x.x, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Dec 30 01:38:24 [IKEv1]IP = 104.x.x.x, Information Exchange processing failed


ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.

# Sample VPN connections
conn %default
        ikelifetime=1440m
        keylife=60m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret

conn toflakjacket
        left=104.x.x.x
        leftsubnet=10.0.0.0/24
        leftfirewall=yes
        right=98.x.x.x
        rightsubnet=192.168.7.0/24
        auto=route
        ike=aes128-sha1-modp1536
        esp=aes128-sha1


ipsec.secrets

104.x.x.x 98.x.x.x : PSK mypassword



ASA config

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.7.1 255.255.255.0


interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.250 255.255.255.0


object-group network localinteresting
 network-object 192.168.7.0 255.255.255.0
object-group network remoteinteresting
 network-object 10.0.0.0 255.255.255.0

access-list interestingtraffic extended permit ip object-group localinteresting object-group remoteinteresting

crypto ipsec ikev1 transform-set myVPN esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600

crypto map revengemap 1 match address interestingtraffic
crypto map revengemap 1 set peer 104.x.x.x
crypto map revengemap 1 set ikev1 transform-set myVPN
crypto map revengemap interface outside

crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400


tunnel-group 104.x.x.x type ipsec-l2l
tunnel-group 104.x.x.x ipsec-attributes
 ikev1 pre-shared-key mypassword


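The charon line "no IKE config found for 104.x.x.x...98.x.x.x, sending NO_PROPOSAL_CHOSEN" is logged when charon cannot find a conn whose left/right addresses match the source and destination of the incoming ID_PROT request; this check happens before any algorithm comparison, so the NO_PROPOSAL_CHOSEN notify in this log does not by itself mean the IKE proposals differ. The Python script below is an added example, not part of the post or of strongSwan: it reads the charon log lines, the ipsec.conf conn blocks and the ASA "crypto ikev1 policy" from the message (with the masked 104.x.x.x / 98.x.x.x addresses kept as placeholders), and reports for each unmatched address pair which conns match by address and whether the ASA policy appears in their ike= proposal list. The ASA-to-strongSwan algorithm name mapping is the script's own assumption for the values shown.

```python
import re

# Constructed sample inputs, taken from the post with the masked addresses kept
# as-is: 104.x.x.x and 98.x.x.x are placeholders, not real hosts.
CHARON_LOG = """\
Dec 30 02:46:37 lagunesrevengeII charon: 08[ENC] parsed ID_PROT request 0 [ SA V ]
Dec 30 02:46:37 lagunesrevengeII charon: 08[IKE] no IKE config found for 104.x.x.x...98.x.x.x, sending NO_PROPOSAL_CHOSEN
"""

IPSEC_CONF = """\
config setup
        # strictcrlpolicy=yes

conn %default
        keyexchange=ikev1
        authby=secret

conn toflakjacket
        left=104.x.x.x
        leftsubnet=10.0.0.0/24
        right=98.x.x.x
        rightsubnet=192.168.7.0/24
        auto=route
        ike=aes128-sha1-modp1536
        esp=aes128-sha1
"""

ASA_IKEV1_POLICY = """\
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
"""

# charon logs this before it compares proposals: the notify only says that no
# conn matched the local...remote address pair of the incoming ID_PROT.
NO_CFG_RE = re.compile(
    r"no IKE config found for (\S+?)\.\.\.(\S+?), sending NO_PROPOSAL_CHOSEN")

# ASA keyword -> strongSwan proposal token (assumed mapping: ASA 'aes' is
# AES-128, 'sha' is SHA-1 and group 5 is the 1536-bit MODP group).
ASA_ENC = {"aes": "aes128", "aes-192": "aes192", "aes-256": "aes256", "3des": "3des"}
ASA_HASH = {"sha": "sha1", "md5": "md5"}
ASA_GROUP = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}


def find_unmatched_peers(log):
    """Return (local, remote) address pairs charon could not map to a conn."""
    return [m.groups() for m in map(NO_CFG_RE.search, log.splitlines()) if m]


def parse_ipsec_conf(text):
    """Parse 'conn' sections into {name: {option: value}}, folding in %default."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif line.startswith("config "):
            current = None                          # 'config setup' is not a conn
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conns[current][key] = value
    default = conns.pop("%default", {})
    return {name: {**default, **opts} for name, opts in conns.items()}


def asa_policy_as_strongswan(text):
    """Translate an ASA 'crypto ikev1 policy' block into a strongSwan ike= token."""
    enc = hashalg = group = None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        if parts[0] == "encryption":
            enc = ASA_ENC[parts[1]]
        elif parts[0] == "hash":
            hashalg = ASA_HASH[parts[1]]
        elif parts[0] == "group":
            group = ASA_GROUP[parts[1]]
    return f"{enc}-{hashalg}-{group}"


def diagnose(log, conf, asa_policy):
    """For each unmatched pair, list conns matching by address and say whether
    their ike= proposals contain the ASA policy (ruling a mismatch in or out)."""
    conns = parse_ipsec_conf(conf)
    asa_proposal = asa_policy_as_strongswan(asa_policy)
    report = []
    for local, remote in find_unmatched_peers(log):
        names = [n for n, o in conns.items()
                 if o.get("left") == local and o.get("right") == remote]
        # ike= may hold several comma-separated proposals and a trailing '!'
        offered = {p for n in names
                   for p in conns[n].get("ike", "").rstrip("!").split(",") if p}
        report.append({
            "local": local, "remote": remote,
            "conns_matching_by_address": names,
            "asa_ikev1_policy": asa_proposal,
            "proposal_overlap": asa_proposal in offered,
        })
    return report


if __name__ == "__main__":
    for entry in diagnose(CHARON_LOG, IPSEC_CONF, ASA_IKEV1_POLICY):
        print(entry)
```

Run as-is, it reports that conn toflakjacket matches the logged address pair and that its ike= proposal already contains the ASA policy, so the algorithm sets are not what differs. A conn that matches in the file but is still reported missing by charon is worth checking with `ipsec statusall`, which lists the connections charon actually loaded; the script only reads ipsec.conf and cannot see what the daemon has in memory.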


