[strongSwan] Error : remote host is behind NAT - received proposals inacceptable - generating IKE_SA_INIT response 0 [ N(NO_PROP) ]

MOSES KARIUKI kariukims at gmail.com
Wed Feb 13 15:22:40 CET 2019


Dear Users,

https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-18-04-2

I am trying to set up a VPN server on an Ubuntu 18.04 cloud VPS. Above is
the tutorial I was following. All goes well and I can see the VPN server up
and running. The problem comes when I try to connect from a Windows
machine; the error log is below.
The IP 102.1*9.2*9.** is the Ubuntu VPN server. The 154.153.1*4.*** is the
Windows client trying to access it.

This is my config setting:

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=102.1*9.2*9.**
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity


Error log:

Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 ipsec[877]:
Starting strongSwan 5.6.2 IPsec [starter]...
Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 polkitd[938]:
started daemon version 0.105 using authority implementation `local' version
`0.105'
Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 dbus-daemon[841]:
[system] Successfully activated service 'org.freedesktop.PolicyKit1'
Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Started
Authorization Manager.
Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 kernel: [
 16.055775] NET: Registered protocol family 15
Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84
accounts-daemon[866]: started daemon version 0.6.45
Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Started
Accounts Service.
Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Started
OpenBSD Secure Shell server.
Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 snapd[886]:
daemon.go:379: started snapd/2.37.1.1+18.04 (series 16; classic)
ubuntu/18.04 (amd64) linux/4.15.0-39-generic.
Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 cloud: Got response
from server at 102.1*9.2*9.**
Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Started
LXD - container startup/shutdown.
Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 cloud: Timezone UTC
already set
Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84
cloud-set-all[867]:  status
Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84
cloud-set-all[867]:  Executing password change
Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 kernel: [
 16.119591] Initializing XFRM netlink socket
Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 charon: 00[DMN]
Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-39-generic,
x86_64)
Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Started
Snappy daemon.
Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]:
Starting Wait until snapd is fully seeded...
Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 charon: 00[LIB]
loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce
x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey
sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink
resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic
counters
Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 charon: 00[LIB]
dropped capabilities, running as uid 0, gid 0
Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 charon: 00[JOB]
spawning 16 worker threads
Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84
networkd-dispatcher[862]: No valid path found for iwconfig
Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84
networkd-dispatcher[862]: No valid path found for iw
Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 ipsec[877]: charon
(967) started after 100 ms
Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Started
Wait until snapd is fully seeded.
Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]:
Starting Apply the settings specified in cloud-config...
Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Started
Dispatcher daemon for systemd-networkd.
Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Reached
target Multi-User System.
Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Reached
target Graphical Interface.
Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]:
Starting Update UTMP about System Runlevel Changes...
Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Started
Update UTMP about System Runlevel Changes.
Feb 12 23:27:02 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 cloud-init[997]:
Cloud-init v. 18.4-0ubuntu1~18.04.1 running 'modules:config' at Tue, 12 Feb
2019 23:27:02 +0000. Up 16.66 seconds.
Feb 12 23:27:02 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Started
Apply the settings specified in cloud-config.
Feb 12 23:27:02 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]:
Starting Execute cloud user/final scripts...
Feb 12 23:27:02 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 cloud-init[1024]:
Cloud-init v. 18.4-0ubuntu1~18.04.1 running 'modules:final' at Tue, 12 Feb
2019 23:27:02 +0000. Up 17.18 seconds.
Feb 12 23:27:02 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 cloud-init[1024]:
Cloud-init v. 18.4-0ubuntu1~18.04.1 finished at Tue, 12 Feb 2019 23:27:02
+0000. Datasource DataSourceCloudStack.  Up 17.27 seconds
Feb 12 23:27:02 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Started
Execute cloud user/final scripts.
Feb 12 23:27:02 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Reached
target Cloud-init target.
Feb 12 23:27:02 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Startup
finished in 11.745s (kernel) + 5.584s (userspace) = 17.329s.
Feb 12 23:27:03 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 cloud: Found
password server IP 102.1*9.2*9.** in /run/systemd/netif/leases/2
Feb 12 23:27:03 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 cloud: Sending
request to password server at 102.1*9.2*9.**
Feb 12 23:27:03 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 cloud: Got response
from server at 102.1*9.2*9.**
Feb 12 23:27:03 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 cloud: VM has
already saved a password from the password server at 102.1*9.2*9.**
Feb 12 23:27:03 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 cloud: Did not need
to change password.
Feb 12 23:27:03 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 cloud: Sending
request to ssh key server at 102.1*9.2*9.**
Feb 12 23:27:03 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 cloud: Got response
from server at 102.1*9.2*9.**
Feb 12 23:27:06 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 snapd[886]:
daemon.go:611: gracefully waiting for running hooks
Feb 12 23:27:06 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 snapd[886]:
daemon.go:613: done waiting for running hooks
Feb 12 23:27:06 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 snapd[886]: daemon
stop requested to wait for socket activation
Feb 12 23:29:39 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Created
slice User Slice of root.
Feb 12 23:29:39 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]:
Starting User Manager for UID 0...
Feb 12 23:29:39 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Started
Session 1 of user root.
Feb 12 23:29:39 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1145]:
Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 12 23:29:39 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1145]:
Listening on GnuPG network certificate management daemon.
Feb 12 23:29:39 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1145]:
Listening on GnuPG cryptographic agent and passphrase cache (restricted).
Feb 12 23:29:39 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1145]:
Listening on GnuPG cryptographic agent and passphrase cache.
Feb 12 23:29:39 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1145]:
Reached target Timers.
Feb 12 23:29:39 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1145]:
Reached target Paths.
Feb 12 23:29:39 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1145]:
Listening on GnuPG cryptographic agent and passphrase cache (access for web
browsers).
Feb 12 23:29:39 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1145]:
Reached target Sockets.
Feb 12 23:29:39 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1145]:
Reached target Basic System.
Feb 12 23:29:39 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Started
User Manager for UID 0.
Feb 12 23:29:39 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1145]:
Reached target Default.
Feb 12 23:29:39 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1145]:
Startup finished in 51ms.
Feb 12 23:29:53 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 kernel: [
188.126423] [UFW BLOCK] IN=ens3 OUT=
MAC=06:65:26:00:00:ac:00:1d:b5:c0:a7:c0:08:00 SRC=185.176.27.74
DST=102.129.249.173 LEN=40 TOS=0x08 PREC=0x20 TTL=237 ID=40752 PROTO=TCP
SPT=42090 DPT=41605 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 12 23:30:36 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 kernel: [
231.244647] [UFW BLOCK] IN=ens3 OUT=
MAC=06:65:26:00:00:ac:00:1d:b5:c0:a7:c0:08:00 SRC=60.15.34.250
DST=102.129.249.173 LEN=40 TOS=0x08 PREC=0x20 TTL=243 ID=45268 PROTO=TCP
SPT=17626 DPT=9901 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 12 23:30:43 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 charon: 06[NET] received packet: from 154.153.1*4.***[500] to 102.129.249.173[500] (632 bytes)
Feb 12 23:30:43 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Feb 12 23:30:43 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 charon: 06[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Feb 12 23:30:43 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 charon: 06[IKE] received MS-Negotiation Discovery Capable vendor ID
Feb 12 23:30:43 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 charon: 06[IKE] received Vid-Initial-Contact vendor ID
Feb 12 23:30:43 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 charon: 06[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Feb 12 23:30:43 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 charon: 06[IKE] 154.153.1*4.*** is initiating an IKE_SA
*Feb 12 23:30:43 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 charon: 06[IKE] remote host is behind NAT*
*Feb 12 23:30:43 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 charon: 06[IKE] received proposals inacceptable*
*Feb 12 23:30:43 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 charon: 06[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]*
Feb 12 23:30:43 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 charon: 06[NET] sending packet: from 102.129.249.173[500] to 154.153.1*4.***[500] (36 bytes)


Please assist.

Thanks,
Moses Kariuki
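An added log-triage helper, written for this archive page and not part of Moses's message, the DigitalOcean tutorial or strongSwan itself: it parses charon lines of the kind quoted above, groups the lines of one inbound exchange by charon worker-thread id (the "06" in "06[IKE]"), and summarises what the responder saw (peer, NAT detection, vendor IDs) and which notify it answered with. The sample lines are constructed from the excerpt above with the hostname shortened and the masked addresses kept as posted; the hint text in NOTIFY_HINTS is my own wording. The pointer to the cfg log level refers to strongSwan's standard charondebug setting: with the posted "cfg 0" the daemon does not log which proposals were received and which are configured, so the N(NO_PROP) answer cannot be explained from this log alone.

```python
import re

# Constructed sample (from the charon excerpt in the report above; hostname shortened).
# The first line is a kernel message and shows that non-charon noise is skipped.
SAMPLE_LOG = """\
Feb 12 23:30:36 vpn kernel: [  231.244647] [UFW BLOCK] IN=ens3 OUT= PROTO=TCP DPT=9901
Feb 12 23:30:43 vpn charon: 06[NET] received packet: from 154.153.1*4.***[500] to 102.129.249.173[500] (632 bytes)
Feb 12 23:30:43 vpn charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Feb 12 23:30:43 vpn charon: 06[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Feb 12 23:30:43 vpn charon: 06[IKE] received MS-Negotiation Discovery Capable vendor ID
Feb 12 23:30:43 vpn charon: 06[IKE] received Vid-Initial-Contact vendor ID
Feb 12 23:30:43 vpn charon: 06[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Feb 12 23:30:43 vpn charon: 06[IKE] 154.153.1*4.*** is initiating an IKE_SA
Feb 12 23:30:43 vpn charon: 06[IKE] remote host is behind NAT
Feb 12 23:30:43 vpn charon: 06[IKE] received proposals inacceptable
Feb 12 23:30:43 vpn charon: 06[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Feb 12 23:30:43 vpn charon: 06[NET] sending packet: from 102.129.249.173[500] to 154.153.1*4.***[500] (36 bytes)
"""

# syslog prefix + "charon: <thread>[<group>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+charon:\s+"
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\]\s+(?P<msg>.*)$"
)
RECV_RE = re.compile(r"received packet: from (?P<src>\S+)\[(?P<sport>\d+)\] to (?P<dst>\S+)\[\d+\]")
PAYLOAD_RE = re.compile(
    r"(?P<verb>parsed|generating) (?P<exchange>\w+) (?P<dir>request|response) \d+ \[ (?P<payloads>.*) \]"
)
VID_RE = re.compile(r"received (?P<vid>.+?) vendor ID(?::\s*[0-9a-f:]+)?$")
NOTIFY_RE = re.compile(r"N\((\w+)\)")

# Hints for error notifies a responder sends instead of completing the exchange
# (hint wording is mine; the notify names are the abbreviations charon prints).
NOTIFY_HINTS = {
    "NO_PROP": "no IKE proposal in the request matched the configured 'ike=' list; "
               "raise charondebug to 'cfg 2' so charon logs the received and "
               "configured proposals side by side",
    "AUTH_FAILED": "peer authentication failed (credentials, certificate trust "
                   "or identity mismatch)",
}


def parse_exchanges(log_text):
    """Return one summary dict per inbound IKE packet, in log order."""
    exchanges = []
    current = {}  # worker thread id -> exchange currently handled on that thread
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # kernel, systemd, ... lines are not charon output
        thread, msg = m.group("thread"), m.group("msg")
        r = RECV_RE.search(msg)
        if r:  # a new inbound packet starts a new exchange on this thread
            ex = {"first_seen": m.group("ts"), "peer": r.group("src"),
                  "peer_port": int(r.group("sport")), "local": r.group("dst"),
                  "request": None, "request_payloads": [], "response_notifies": [],
                  "vendor_ids": [], "behind_nat": False, "errors": []}
            exchanges.append(ex)
            current[thread] = ex
            continue
        ex = current.get(thread)
        if ex is None:
            continue  # no inbound packet seen yet on this thread
        p = PAYLOAD_RE.search(msg)
        v = VID_RE.search(msg)
        if p and p.group("verb") == "parsed":
            ex["request"] = p.group("exchange")
            ex["request_payloads"] = p.group("payloads").split()
        elif p:  # "generating ... response": the notifies we answered with
            ex["response_notifies"].extend(NOTIFY_RE.findall(p.group("payloads")))
        elif v:
            ex["vendor_ids"].append(v.group("vid"))
        elif msg == "remote host is behind NAT":
            ex["behind_nat"] = True
        elif "inacceptable" in msg or "failed" in msg:
            ex["errors"].append(msg)
    return exchanges


def explain(ex):
    """One-line triage verdict for an exchange summary."""
    hints = [NOTIFY_HINTS[n] for n in ex["response_notifies"] if n in NOTIFY_HINTS]
    nat = "behind NAT" if ex["behind_nat"] else "no NAT detected"
    head = "%s from %s:%d (%s)" % (ex["request"] or "unparsed", ex["peer"], ex["peer_port"], nat)
    if not hints:
        return head + ": no error notify sent"
    return head + " rejected: " + "; ".join(hints)


if __name__ == "__main__":
    for ex in parse_exchanges(SAMPLE_LOG):
        print(explain(ex))
        print("  vendor IDs:", ", ".join(ex["vendor_ids"]))
```

Run it against a longer syslog extract (e.g. `journalctl -u strongswan` output redirected to a file and passed to `parse_exchanges`) to see every inbound exchange and its verdict in one place. Keying a new summary on each "received packet" line rather than on the thread id alone matters on a busy responder, where one worker thread serves many peers over time; the NAT flag and vendor IDs are kept because they tell you which client stack sent the request before you compare proposal lists.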