[strongSwan] Error : remote host is behind NAT - received proposals inacceptable - generating IKE_SA_INIT response 0 [ N(NO_PROP) ]

MOSES KARIUKI kariukims at gmail.com
Fri Feb 15 06:42:15 CET 2019


Dear Team,
Please see below:

*ipsec statusall*
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-45-generic,
x86_64):
  uptime: 17 hours, since Feb 14 11:52:17 2019
  malloc: sbrk 1757184, mmap 0, used 534320, free 1222864
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 0
  loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce
x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey
sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink
resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic
counters
Virtual IP pools (size/online/offline):
  10.10.10.0/24: 254/0/0
Listening IP addresses:
  102.1*9.2*9.**
Connections:
   ikev2-vpn:  %any...%any  IKEv2, dpddelay=300s
   ikev2-vpn:   local:  [102.1*9.2*9.**] uses public key authentication
   ikev2-vpn:    cert:  "CN=102.1*9.2*9.**"
   ikev2-vpn:   remote: [fromcert] uses EAP_MSCHAPV2 authentication with
EAP identity '%any'
   ikev2-vpn:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (0 up, 0 connecting):
  none


*systemctl status strongswan*
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
   Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor
preset: enabled)
   Active: active (running) since Thu 2019-02-14 11:52:17 UTC; 17h ago
 Main PID: 2204 (starter)
    Tasks: 18 (limit: 2275)
   CGroup: /system.slice/strongswan.service
           ├─2204 /usr/lib/ipsec/starter --daemon charon --nofork
           └─2232 /usr/lib/ipsec/charon --debug-ike 1 --debug-knl 1
--debug-cfg 2

Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]:
09[CFG] received proposals:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_C
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]:
09[CFG] configured proposals:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]:
09[IKE] remote host is behind NAT
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]:
09[IKE] received proposals inacceptable
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]:
09[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]:
09[NET] sending packet: from 102.1*9.2*9.**[500] to 154.153.1*0.***[500]
(36 bytes)
Feb 15 05:31:32 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]:
10[CFG] proposing traffic selectors for us:
Feb 15 05:31:32 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]:
10[CFG]  0.0.0.0/0
Feb 15 05:31:32 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]:
10[CFG] proposing traffic selectors for other:
Feb 15 05:31:32 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]:
10[CFG]  dynamic

The error log:
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[NET]
received packet: from 154.153.1*0.***[500] to 102.1*9.2*9.**[500] (632
bytes)
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[ENC]
parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP)
N(NATD_D_IP) V V V V ]
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux
4.15.0-45-generic, x86_64)
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
00[CFG]   loaded ca certificate "CN=VPN root CA" from
'/etc/ipsec.d/cacerts/ca-cert.pem'
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
00[CFG] loading crls from '/etc/ipsec.d/crls'
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
00[CFG] loading secrets from '/etc/ipsec.secrets'
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/server-key.pem'
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
00[CFG]   loaded EAP secret for remoteprivate
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random
nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr
kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2
xauth-generic counters
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
00[LIB] dropped capabilities, running as uid 0, gid 0
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
00[JOB] spawning 16 worker threads
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
05[CFG] received stroke: add connection 'ikev2-vpn'
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
05[CFG] conn ikev2-vpn
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
05[CFG]   left=%any
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
05[CFG]   leftsubnet=0.0.0.0/0
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
05[CFG]   leftid=102.1*9.2*9.**
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
05[CFG]   leftcert=server-cert.pem
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
05[CFG]   right=%any
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
05[CFG]   rightsourceip=10.10.10.0/24
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
05[CFG]   rightdns=8.8.8.8,8.8.4.4
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
05[CFG]   rightauth=eap-mschapv2
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
05[CFG]   rightid=%fromcert
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
05[CFG]   eap_identity=%identity
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
05[CFG]   ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
05[CFG]   esp=aes256-sha256,aes256-sha1,3des-sha1!
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
05[CFG]   dpddelay=300
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
05[CFG]   dpdtimeout=150
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
05[CFG]   dpdaction=1
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
05[CFG]   sha256_96=no
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
05[CFG]   mediation=no
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
05[CFG]   keyexchange=ikev2
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
05[CFG] adding virtual IP address pool 10.10.10.0/24
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
05[CFG]   loaded certificate "CN=102.1*9.2*9.**" from 'server-cert.pem'
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
05[CFG] added configuration 'ikev2-vpn'
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
08[NET] received packet: from 216.218.206.86[8310] to 102.1*9.2*9.**[500]
(64 bytes)
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
08[ENC] parsed ID_PROT request 0 [ SA ]
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG]
looking for an ike config for 102.1*9.2*9.**...154.153.1*0.***
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
08[CFG] looking for an ike config for 102.1*9.2*9.**...216.218.206.86
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
08[IKE] no IKE config found for 102.1*9.2*9.**...216.218.206.86, sending
NO_PROPOSAL_CHOSEN
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
08[ENC] generating INFORMATIONAL_V1 request 2332246493 [ N(NO_PROP) ]
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
08[NET] sending packet: from 102.1*9.2*9.**[500] to 216.218.206.86[8310]
(40 bytes)
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
09[NET] received packet: from 154.153.1*0.***[500] to 102.1*9.2*9.**[500]
(632 bytes)
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP)
N(NATD_D_IP) V V V V ]
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
09[CFG] looking for an ike config for 102.1*9.2*9.**...154.153.1*0.***
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
09[CFG]   candidate: %any...%any, prio 28
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
09[CFG] found matching ike config: %any...%any with prio 28
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
09[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
09[IKE] received MS-Negotiation Discovery Capable vendor ID
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
09[IKE] received Vid-Initial-Contact vendor ID
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
09[ENC] received unknown vendor ID:
01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
09[IKE] 154.153.1*0.*** is initiating an IKE_SA
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
09[CFG] selecting proposal:
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
09[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
09[CFG] selecting proposal:
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
09[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
09[CFG] selecting proposal:
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
09[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
09[CFG] selecting proposal:
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
09[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
09[CFG] selecting proposal:
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
09[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
09[CFG] selecting proposal:
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
09[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
09[CFG] selecting proposal:
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
09[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
09[CFG] received proposals:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG]
 candidate: %any...%any, prio 28
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
09[CFG] configured proposals:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG]
found matching ike config: %any...%any with prio 28
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[IKE]
received MS NT5 ISAKMPOAKLEY v9 vendor ID
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[IKE]
received MS-Negotiation Discovery Capable vendor ID
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[IKE]
received Vid-Initial-Contact vendor ID
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[ENC]
received unknown vendor ID:
01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[IKE]
154.153.1*0.*** is initiating an IKE_SA
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG]
selecting proposal:
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG]
 no acceptable DIFFIE_HELLMAN_GROUP found
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG]
selecting proposal:
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG]
 no acceptable PSEUDO_RANDOM_FUNCTION found
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG]
selecting proposal:
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG]
 no acceptable PSEUDO_RANDOM_FUNCTION found
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG]
selecting proposal:
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG]
 no acceptable ENCRYPTION_ALGORITHM found
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG]
selecting proposal:
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG]
 no acceptable ENCRYPTION_ALGORITHM found
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG]
selecting proposal:
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG]
 no acceptable ENCRYPTION_ALGORITHM found
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG]
selecting proposal:
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG]
 no acceptable ENCRYPTION_ALGORITHM found
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG]
selecting proposal:
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG]
 no acceptable ENCRYPTION_ALGORITHM found
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG]
selecting proposal:
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG]
 no acceptable ENCRYPTION_ALGORITHM found
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG]
received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG]
configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG]
received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG]
configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[IKE]
remote host is behind NAT
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[IKE]
received proposals inacceptable
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[ENC]
generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[NET]
sending packet: from 102.1*9.2*9.**[500] to 154.153.1*0.***[500] (36 bytes)
Feb 15 05:11:50 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a kernel:
[68232.190082] [UFW BLOCK] IN=ens3 OUT=
MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.153.1*0.***
DST=102.1*9.2*9.** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=15775 DF PROTO=TCP
SPT=54821 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
....



On Thu, Feb 14, 2019 at 5:37 PM MOSES KARIUKI <kariukims at gmail.com> wrote:

> Thanks Tobias for the feedback. Let me try from another machine and revert
> back to you.
>
> Thanks a lot,
> Moses K
>
> On Thu, Feb 14, 2019 at 5:30 PM Tobias Brunner <tobias at strongswan.org>
> wrote:
>
>> Hi Moses,
>>
>> > But now it gives the error that it didn't
>> > connect as the remote host did not resolve . :(
>>
>> That doesn't sound like it's in any way related to your previous issue.
>>  And until you fix that (DNS, firewall or whatever else the problem is)
>> the config updates or the log won't help as the client won't send any
>> packets to the server.
>>
>> Also, log level 9 makes no sense as 4 is the maximum and is too much
>> either.  Set it to 2 (even 1 would be enough to debug the proposal
>> issue, though).
>>
>> Regards,
>> Tobias
>>
>
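
Added example, not part of the original message or of strongSwan's code: a simplified comparison of the `received proposals` and `configured proposals` lines from the log above, reporting which transform types have no algorithm in common. The sample lines are adapted from this log (hostname shortened, line wraps removed); the prefix-based classification and all function names are assumptions for illustration, and this does not reproduce charon's own selection logic.

```python
import re
from itertools import product

# Two lines adapted from the log in this message (hostname shortened, wraps removed).
SAMPLE_LOG = """\
Feb 15 05:11:49 vm charon: 09[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
Feb 15 05:11:49 vm charon: 09[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
"""

LINE_RE = re.compile(r"\[CFG\]\s+(received|configured) proposals:\s*(.+)$")

def transform_type(name):
    """Heuristic classification by name prefix; covers the names seen in this log."""
    if name.startswith("PRF_"):
        return "PSEUDO_RANDOM_FUNCTION"
    if name.startswith(("MODP_", "ECP_", "CURVE_")):
        return "DIFFIE_HELLMAN_GROUP"
    if name.startswith("HMAC_"):
        return "INTEGRITY_ALGORITHM"
    return "ENCRYPTION_ALGORITHM"

def parse_proposal(text):
    """'IKE:A/B/C/D' -> {transform type: set of algorithm names}."""
    _, _, algs = text.strip().partition(":")
    out = {}
    for alg in algs.split("/"):
        out.setdefault(transform_type(alg), set()).add(alg)
    return out

def parse_log(log):
    """Return {'received': [...], 'configured': [...]} from charon [CFG] lines."""
    found = {"received": [], "configured": []}
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            found[m.group(1)] = [parse_proposal(p) for p in m.group(2).split(",")]
    return found

def mismatches(received, configured):
    """Transform types for which the two proposals share no algorithm."""
    types = set(received) | set(configured)
    return sorted(t for t in types
                  if not received.get(t, set()) & configured.get(t, set()))

def closest_pairs(log):
    """Rank every (received, configured) pair by number of mismatching types."""
    p = parse_log(log)
    pairs = [(mismatches(r, c), r, c)
             for r, c in product(p["received"], p["configured"])]
    return sorted(pairs, key=lambda x: len(x[0]))

if __name__ == "__main__":
    for diff, r, c in closest_pairs(SAMPLE_LOG)[:3]:
        print(diff, "client:", r, "server:", c)
```

On the sample lines the closest pair differs only in DIFFIE_HELLMAN_GROUP (MODP_2048 offered by the client, MODP_1024 configured on the server), consistent with the first "no acceptable DIFFIE_HELLMAN_GROUP found" line in the log.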