[strongSwan] No proposal chosen / No IKE config found
Andreas Steffen
andreas.steffen at strongswan.org
Fri Dec 30 10:14:56 CET 2016
Hi,
could you increase the debug level in ipsec.conf:

  config setup
    charondebug="cfg 2"

and rerun the scenario?
Regards
Andreas
On 30.12.2016 09:12, tskals at gmail.com wrote:
> Can someone look at my debugs and config and tell me why Strongswan is
> sending a no proposal chosen notify message based on the configs for my
> strongswan and asa below? I tried changing the leftid and rightid to the
> private outside address of ASA, natted address, not sure what Strongswan
> doesn’t like, everything looks like it matches.
>
> Configuring Strongswan with an ASA, ASA is behind firewall, NATing
> occurs upstream, 500, 4500 are port-forwarded back to ASA
>
>
>
>
>
> strongSwan syslog output:
>
>
>
> Dec 30 02:46:29 lagunesrevengeII charon: 07[ENC] generating
> INFORMATIONAL_V1 request 469970900 [ N(NO_PROP) ]
>
> Dec 30 02:46:29 lagunesrevengeII charon: 07[NET] sending packet: from
> 104.x.x.x[500] to 98.x.x.x[500] (40 bytes)
>
> Dec 30 02:46:37 lagunesrevengeII charon: 08[NET] received packet: from
> 98.x.x.x[500] to 104.x.x.x[500] (112 bytes)
>
> Dec 30 02:46:37 lagunesrevengeII charon: 08[ENC] parsed ID_PROT request
> 0 [ SA V ]
>
> Dec 30 02:46:37 lagunesrevengeII charon: 08[IKE] no IKE config found for
> 104.x.x.x...98.x.x.x, sending NO_PROPOSAL_CHOSEN
>
>
>
> ASA debug output
>
>
>
> ec 30 01:38:24 [IKEv1]IP = 104.x.x.x., IKE_DECODE RECEIVED Message
> (msgid=954138f9) with payloads : HDR + NOTIFY (1
>
> 1) + NONE (0) total length : 40
>
> Dec 30 01:38:24 [IKEv1]IP = 104.x.x.x, IKE_DECODE RECEIVED Message
> (msgid=954138f9) with payloads : HDR + NOTIFY (1
>
> 1) + NONE (0) total length : 40
>
> Dec 30 01:38:24 [IKEv1]IP = 104.x.x.x, Received an un-encrypted
> NO_PROPOSAL_CHOSEN notify message, dropping
>
> Dec 30 01:38:24 [IKEv1]IP = 104.x.x.x, Information Exchange processing
> failed
>
>
>
>
>
> IPsec.conf
>
>
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>     # strictcrlpolicy=yes
>     # uniqueids = no
>
> # Add connections here.
>
> # Sample VPN connections
>
> conn %default
>     ikelifetime=1440m
>     keylife=60m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev1
>     authby=secret
>
> conn toflakjacket
>     left=104.x.x.x
>     leftsubnet=10.0.0.0/24
>     leftfirewall=yes
>     right=98.x.x.x
>     rightsubnet=192.168.7.0/24
>     auto=route
>     ike=aes128-sha1-modp1536
>     esp=aes128-sha1
>
>
>
>
>
> IPsec.secrets
>
>
>
> 104.x.x.x 98.x.x.x : PSK mypassword
>
>
>
>
>
>
>
> ASA config
>
>
>
> interface Vlan1
>  nameif inside
>  security-level 100
>  ip address 192.168.7.1 255.255.255.0
>
> interface Vlan2
>  nameif outside
>  security-level 0
>  ip address 192.168.1.250 255.255.255.0
>
> object-group network localinteresting
>  network-object 192.168.7.0 255.255.255.0
> object-group network remoteinteresting
>  network-object 10.0.0.0 255.255.255.0
>
> access-list interestingtraffic extended permit ip object-group
> localinteresting object-group remoteinteresting
>
> crypto ipsec ikev1 transform-set myVPN esp-aes esp-sha-hmac
> crypto ipsec security-association lifetime seconds 3600
>
> crypto map revengemap 1 match address interestingtraffic
> crypto map revengemap 1 set peer 104.x.x.x
> crypto map revengemap 1 set ikev1 transform-set myVPN
> crypto map revengemap interface outside
>
> crypto ikev1 enable outside
> crypto ikev1 policy 1
>  authentication pre-share
>  encryption aes
>  hash sha
>  group 5
>  lifetime 86400
>
> tunnel-group 104.x.x.x type ipsec-l2l
> tunnel-group 104.x.x.x ipsec-attributes
>  ikev1 pre-shared-key mypassword
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
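
The quoted question says the two sides look like they match. As an added example (not part of either message, and not strongSwan or Cisco code), this Python script normalizes the quoted ASA `crypto ikev1 policy` block and the `ike=`/`ikelifetime=` settings to common terms and lists any IKE phase 1 differences. The keyword maps and function names are assumptions of the example, and it handles only a single `ike=` proposal.

```python
import re

# ASA IKEv1 policy keywords mapped to the strongSwan proposal keywords.
ASA_ENC = {"des": "des", "3des": "3des", "aes": "aes128", "aes-192": "aes192", "aes-256": "aes256"}
ASA_HASH = {"md5": "md5", "sha": "sha1"}
DH_GROUP = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}

def parse_asa_policy(text):
    """Collect the settings of a 'crypto ikev1 policy' block into a dict."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in ("encryption", "hash", "group", "lifetime"):
            out[parts[0]] = parts[1]
    return out

def parse_ipsec_conf(text):
    """Collect key=value settings from ipsec.conf text, skipping # comments."""
    return dict(re.findall(r"^[ \t]*(\w+)[ \t]*=[ \t]*(\S+)", text, re.M))

def to_seconds(value):
    """Convert an ipsec.conf time value such as 1440m to seconds."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    return int(value[:-1]) * units[value[-1]] if value[-1] in units else int(value)

def compare(asa_text, conf_text):
    """Return (field, ASA side, strongSwan side) for each phase 1 mismatch."""
    asa, conf = parse_asa_policy(asa_text), parse_ipsec_conf(conf_text)
    # Assumes a single ike= proposal of the form enc-integrity-dhgroup.
    enc, integ, group = conf["ike"].rstrip("!").split("-")
    pairs = [
        ("encryption", ASA_ENC.get(asa["encryption"]), enc),
        ("hash", ASA_HASH.get(asa["hash"]), integ),
        ("group", DH_GROUP.get(asa["group"]), group),
        ("lifetime", int(asa["lifetime"]), to_seconds(conf["ikelifetime"])),
    ]
    return [p for p in pairs if p[1] != p[2]]

# Inputs copied from the configurations quoted in the thread.
ASA = """crypto ikev1 policy 1
 encryption aes
 hash sha
 group 5
 lifetime 86400"""
CONF = """conn %default
    ikelifetime=1440m
conn toflakjacket
    ike=aes128-sha1-modp1536"""

print(compare(ASA, CONF) or "IKE phase 1 proposal and lifetime agree")
```

An empty result covers only the four compared fields; it says nothing about which connection charon selects for the peer addresses, which is what the `cfg 2` debug output shows.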