[strongSwan] Error : remote host is behind NAT - received proposals inacceptable - generating IKE_SA_INIT response 0 [ N(NO_PROP) ]

IL Ka kazakevichilya at gmail.com
Mon Feb 18 03:02:32 CET 2019


You have redundant exclamation marks ("!") in your IKE and ESP sections:
"modp1024!" and "3des-sha!".
Remove them and try again.



On Mon, Feb 18, 2019 at 1:00 AM MOSES KARIUKI <kariukims at gmail.com> wrote:

> Dear Team,
>
> Thanks Team for your ever valuable help. I am still not able to log in and the
> error seems to have changed now. See below:
>
> .210.45 DST=102.129.249.173 LEN=40 TOS=0x08 PREC=0x40 TTL=238 ID=38921
> PROTO=TCP SPT=44785 DPT=4389 WINDOW=1024 RES=0x00 SYN URGP=0
> Feb 15 20:13:11 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[NET]
> received packet: from 154.76.***.1*1[500] to  102.1*9.2*9.** [500] (632
> bytes)
> Feb 15 20:13:11 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[ENC]
> parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP)
> N(NATD_D_IP) V V V V ]
> Feb 15 20:13:11 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[CFG]
> looking for an ike config for  102.1*9.2*9.**  ...154.76.***.1*1
> Feb 15 20:13:11 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[IKE] no
> IKE config found for  102.1*9.2*9.**  ... 154.76.***.1*1 , sending
> NO_PROPOSAL_CHOSEN
> Feb 15 20:13:11 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[ENC]
> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
> Feb 15 20:13:11 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[NET]
> sending packet: from  102.1*9.2*9.** [500] to  154.76.***.1*1 [500] (36
> bytes)
> Feb 15 20:13:12 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a kernel: [
> 1898.916216] [UFW BLOCK] IN=ens3 OUT=
> MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.76.122.161
> DST=102.129.249.173 LEN=52 TOS=0x10 PREC=0x20 TTL=115 ID=24830 DF PROTO=TCP
> SPT=57716 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
>
> My config set up is as follows :
>
> conn ikev2-vpn
>     auto=add
>     compress=no
>     type=tunnel
>     keyexchange=ikev2
>     fragmentation=yes
>     forceencaps=yes
>     dpdaction=clear
>     dpddelay=300s
>     rekey=no
>     left=%any
>     leftid=102.1*9.2*9.**
>     leftcert=server-cert.pem
>     leftsendcert=always
>     leftsubnet=0.0.0.0/0
>     right=%any
>     rightid=%any
>     rightauth=eap-mschapv2
>     rightsourceip=10.10.10.0/24
>     rightdns=8.8.8.8,8.8.4.4
>     rightsendcert=never
>     eap_identity=%identity
>
> ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!,aes256-sha256-modp2048,aes128-sha256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp2048
>
> esp=aes256-sha256,aes256-sha1,3des-sha1!,aes256-sha256-modp2048,aes128-sha256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp2048
>
> Please assist.
>
> Thanks,
> Moses K
>
> On Sat, Feb 16, 2019 at 12:31 AM MOSES KARIUKI <kariukims at gmail.com>
> wrote:
>
>> Hello team,
>>
>> Any assistance on this?
>> Thanks
>>
>> On Fri, Feb 15, 2019 at 11:26 PM MOSES KARIUKI <kariukims at gmail.com>
>> wrote:
>>
>>> Thanks Team for your ever valuable help. I can't log in and the error
>>> seems to have changed now. See below :
>>>
>>> .210.45 DST=102.129.249.173 LEN=40 TOS=0x08 PREC=0x40 TTL=238 ID=38921
>>> PROTO=TCP SPT=44785 DPT=4389 WINDOW=1024 RES=0x00 SYN URGP=0
>>> Feb 15 20:13:11 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[NET]
>>> received packet: from 154.76.***.1*1[500] to  102.1*9.2*9.** [500] (632
>>> bytes)
>>> Feb 15 20:13:11 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[ENC]
>>> parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP)
>>> N(NATD_D_IP) V V V V ]
>>> Feb 15 20:13:11 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[CFG]
>>> looking for an ike config for  102.1*9.2*9.**  ...154.76.***.1*1
>>> Feb 15 20:13:11 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[IKE]
>>> no IKE config found for  102.1*9.2*9.**  ... 154.76.***.1*1 , sending
>>> NO_PROPOSAL_CHOSEN
>>> Feb 15 20:13:11 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[ENC]
>>> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
>>> Feb 15 20:13:11 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[NET]
>>> sending packet: from  102.1*9.2*9.** [500] to  154.76.***.1*1 [500] (36
>>> bytes)
>>> Feb 15 20:13:12 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a kernel: [
>>> 1898.916216] [UFW BLOCK] IN=ens3 OUT=
>>> MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.76.122.161
>>> DST=102.129.249.173 LEN=52 TOS=0x10 PREC=0x20 TTL=115 ID=24830 DF PROTO=TCP
>>> SPT=57716 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
>>>
>>> My config set up is as follows :
>>>
>>> conn ikev2-vpn
>>>     auto=add
>>>     compress=no
>>>     type=tunnel
>>>     keyexchange=ikev2
>>>     fragmentation=yes
>>>     forceencaps=yes
>>>     dpdaction=clear
>>>     dpddelay=300s
>>>     rekey=no
>>>     left=%any
>>>     leftid=102.1*9.2*9.**
>>>     leftcert=server-cert.pem
>>>     leftsendcert=always
>>>     leftsubnet=0.0.0.0/0
>>>     right=%any
>>>     rightid=%any
>>>     rightauth=eap-mschapv2
>>>     rightsourceip=10.10.10.0/24
>>>     rightdns=8.8.8.8,8.8.4.4
>>>     rightsendcert=never
>>>     eap_identity=%identity
>>>
>>> ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!,aes256-sha256-modp2048,aes128-sha256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp2048
>>>
>>> esp=aes256-sha256,aes256-sha1,3des-sha1!,aes256-sha256-modp2048,aes128-sha256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp2048
>>>
>>> Please
>>>
>>> On Fri, Feb 15, 2019 at 10:01 PM Kostya Vasilyev <kman at fastmail.com>
>>> wrote:
>>>
>>>> Moses,
>>>>
>>>> Try this in your *.conf file:
>>>>
>>>> conn whatever
>>>>     ....
>>>>     ....
>>>>
>>>> ike=aes256-sha256-modp2048,aes128-sha256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp2048
>>>>
>>>> esp=aes256-sha256-modp2048,aes128-sha256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp2048
>>>>
>>>> Technically for this particular client you only need the first one
>>>> - aes256-sha256-modp2048
>>>>
>>>> --
>>>> Kostya Vasilyev
>>>> kman at fastmail.com
>>>>
>>>>
>>>> On Fri, Feb 15, 2019, at 9:46 PM, MOSES KARIUKI wrote:
>>>>
>>>> Thanks IL Ka,
>>>>
>>>> Which group should I add? I am a bit of a noob here. I have checked the
>>>> strongSwan documentation but I can't trace a list of these commands.
>>>>
>>>> Thanks,
>>>>
>>>>
>>>> On Fri, Feb 15, 2019 at 10:17 AM IL Ka <kazakevichilya at gmail.com>
>>>> wrote:
>>>>
>>>> I see a DH problem, as Tobias said.
>>>> Look:
>>>>
>>>> Client:
>>>>
>>>> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
>>>> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
>>>> IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
>>>>
>>>> StrongSwan:
>>>> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
>>>> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
>>>> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>>>>
>>>> Client wants MODP_2048 while Swan has only MODP_1024 enabled.
>>>>
>>>> As a result, "no acceptable DIFFIE_HELLMAN_GROUP found"
>>>>
>>>> See ipsec.conf for "ike" setting. Especially about "modpgroup".
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Fri, Feb 15, 2019 at 8:42 AM MOSES KARIUKI <kariukims at gmail.com>
>>>> wrote:
>>>>
>>>> Dear Team,
>>>> Please see below:
>>>>
>>>> *ipsec statusall*
>>>> Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-45-generic,
>>>> x86_64):
>>>>   uptime: 17 hours, since Feb 14 11:52:17 2019
>>>>   malloc: sbrk 1757184, mmap 0, used 534320, free 1222864
>>>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
>>>> scheduled: 0
>>>>   loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random
>>>> nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
>>>> dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr
>>>> kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2
>>>> xauth-generic counters
>>>> Virtual IP pools (size/online/offline):
>>>>   10.10.10.0/24: 254/0/0
>>>> Listening IP addresses:
>>>>   102.1*9.2*9.**
>>>> Connections:
>>>>    ikev2-vpn:  %any...%any  IKEv2, dpddelay=300s
>>>>    ikev2-vpn:   local:  [102.1*9.2*9.**] uses public key authentication
>>>>    ikev2-vpn:    cert:  "CN=102.1*9.2*9.**"
>>>>    ikev2-vpn:   remote: [fromcert] uses EAP_MSCHAPV2 authentication
>>>> with EAP identity '%any'
>>>>    ikev2-vpn:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
>>>> Security Associations (0 up, 0 connecting):
>>>>   none
>>>>
>>>>
>>>> *systemctl status strongswan*
>>>> ● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using
>>>> ipsec.conf
>>>>    Loaded: loaded (/lib/systemd/system/strongswan.service; enabled;
>>>> vendor preset: enabled)
>>>>    Active: active (running) since Thu 2019-02-14 11:52:17 UTC; 17h ago
>>>>  Main PID: 2204 (starter)
>>>>     Tasks: 18 (limit: 2275)
>>>>    CGroup: /system.slice/strongswan.service
>>>>            ├─2204 /usr/lib/ipsec/starter --daemon charon --nofork
>>>>            └─2232 /usr/lib/ipsec/charon --debug-ike 1 --debug-knl 1
>>>> --debug-cfg 2
>>>>
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]:
>>>> 09[CFG] received proposals:
>>>> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_C
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]:
>>>> 09[CFG] configured proposals:
>>>> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]:
>>>> 09[IKE] remote host is behind NAT
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]:
>>>> 09[IKE] received proposals inacceptable
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]:
>>>> 09[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]:
>>>> 09[NET] sending packet: from 102.1*9.2*9.**[500] to 154.153.1*0.***[500]
>>>> (36 bytes)
>>>> Feb 15 05:31:32 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]:
>>>> 10[CFG] proposing traffic selectors for us:
>>>> Feb 15 05:31:32 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]:
>>>> 10[CFG]  0.0.0.0/0
>>>> Feb 15 05:31:32 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]:
>>>> 10[CFG] proposing traffic selectors for other:
>>>> Feb 15 05:31:32 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]:
>>>> 10[CFG]  dynamic
>>>>
>>>> The error log:
>>>>
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[NET]
>>>> received packet: from 154.153.1*0.***[500] to 102.1*9.2*9.**[500] (632
>>>> bytes)
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[ENC]
>>>> parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP)
>>>> N(NATD_D_IP) V V V V ]
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux
>>>> 4.15.0-45-generic, x86_64)
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 00[CFG]   loaded ca certificate "CN=VPN root CA" from
>>>> '/etc/ipsec.d/cacerts/ca-cert.pem'
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 00[CFG] loading crls from '/etc/ipsec.d/crls'
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 00[CFG] loading secrets from '/etc/ipsec.secrets'
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/server-key.pem'
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 00[CFG]   loaded EAP secret for remoteprivate
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random
>>>> nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
>>>> dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr
>>>> kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2
>>>> xauth-generic counters
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 00[LIB] dropped capabilities, running as uid 0, gid 0
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 00[JOB] spawning 16 worker threads
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 05[CFG] received stroke: add connection 'ikev2-vpn'
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 05[CFG] conn ikev2-vpn
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 05[CFG]   left=%any
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 05[CFG]   leftsubnet=0.0.0.0/0
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 05[CFG]   leftid=102.1*9.2*9.**
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 05[CFG]   leftcert=server-cert.pem
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 05[CFG]   right=%any
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 05[CFG]   rightsourceip=10.10.10.0/24
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 05[CFG]   rightdns=8.8.8.8,8.8.4.4
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 05[CFG]   rightauth=eap-mschapv2
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 05[CFG]   rightid=%fromcert
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 05[CFG]   eap_identity=%identity
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 05[CFG]   ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 05[CFG]   esp=aes256-sha256,aes256-sha1,3des-sha1!
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 05[CFG]   dpddelay=300
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 05[CFG]   dpdtimeout=150
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 05[CFG]   dpdaction=1
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 05[CFG]   sha256_96=no
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 05[CFG]   mediation=no
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 05[CFG]   keyexchange=ikev2
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 05[CFG] adding virtual IP address pool 10.10.10.0/24
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 05[CFG]   loaded certificate "CN=102.1*9.2*9.**" from 'server-cert.pem'
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 05[CFG] added configuration 'ikev2-vpn'
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 08[NET] received packet: from 216.218.206.86[8310] to 102.1*9.2*9.**[500]
>>>> (64 bytes)
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 08[ENC] parsed ID_PROT request 0 [ SA ]
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG]
>>>> looking for an ike config for 102.1*9.2*9.**...154.153.1*0.***
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 08[CFG] looking for an ike config for 102.1*9.2*9.**...216.218.206.86
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 08[IKE] no IKE config found for 102.1*9.2*9.**...216.218.206.86, sending
>>>> NO_PROPOSAL_CHOSEN
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 08[ENC] generating INFORMATIONAL_V1 request 2332246493 [ N(NO_PROP) ]
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 08[NET] sending packet: from 102.1*9.2*9.**[500] to 216.218.206.86[8310]
>>>> (40 bytes)
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 09[NET] received packet: from 154.153.1*0.***[500] to 102.1*9.2*9.**[500]
>>>> (632 bytes)
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP)
>>>> N(NATD_D_IP) V V V V ]
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 09[CFG] looking for an ike config for 102.1*9.2*9.**...154.153.1*0.***
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 09[CFG]   candidate: %any...%any, prio 28
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 09[CFG] found matching ike config: %any...%any with prio 28
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 09[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 09[IKE] received MS-Negotiation Discovery Capable vendor ID
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 09[IKE] received Vid-Initial-Contact vendor ID
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 09[ENC] received unknown vendor ID:
>>>> 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 09[IKE] 154.153.1*0.*** is initiating an IKE_SA
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 09[CFG] selecting proposal:
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 09[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 09[CFG] selecting proposal:
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 09[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 09[CFG] selecting proposal:
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 09[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 09[CFG] selecting proposal:
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 09[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 09[CFG] selecting proposal:
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 09[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 09[CFG] selecting proposal:
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 09[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 09[CFG] selecting proposal:
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 09[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 09[CFG] received proposals:
>>>> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
>>>> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
>>>> IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon:
>>>> 09[CFG]   candidate: %any...%any, prio 28
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>> 09[CFG] configured proposals:
>>>> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
>>>> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
>>>> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG]
>>>> found matching ike config: %any...%any with prio 28
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[IKE]
>>>> received MS NT5 ISAKMPOAKLEY v9 vendor ID
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[IKE]
>>>> received MS-Negotiation Discovery Capable vendor ID
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[IKE]
>>>> received Vid-Initial-Contact vendor ID
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[ENC]
>>>> received unknown vendor ID:
>>>> 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[IKE]
>>>> 154.153.1*0.*** is initiating an IKE_SA
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 09[CFG]
>>>> selecting proposal:
>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon:
>>>> 09[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
>>>>
>>>>
>>>>
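
The proposal mismatch discussed in this thread, replayed as an added Python sketch (not part of any message above and not strongSwan code): it parses an `ike=` value, flags a `!` that is not the last character of the value, and compares the configured proposals with the ones charon logged as received. The keyword table, the function names and the comparison order are assumptions made for this example; the proposal strings are copied from the thread.

```python
import re

# Keywords seen in this thread only (assumption: not strongSwan's full table).
KEYWORDS = {
    "aes256": {"ENCR": "AES_CBC_256"},
    "aes128": {"ENCR": "AES_CBC_128"},
    "3des": {"ENCR": "3DES_CBC"},
    "sha1": {"INTEG": "HMAC_SHA1_96", "PRF": "PRF_HMAC_SHA1"},
    "sha256": {"INTEG": "HMAC_SHA2_256_128", "PRF": "PRF_HMAC_SHA2_256"},
    "sha384": {"INTEG": "HMAC_SHA2_384_192", "PRF": "PRF_HMAC_SHA2_384"},
    "modp1024": {"DH": "MODP_1024"},
    "modp2048": {"DH": "MODP_2048"},
}
PREFIXES = (("PRF_", "PRF"), ("HMAC_", "INTEG"), ("MODP_", "DH"))
ORDER = ("ENCR", "PRF", "INTEG", "DH")  # order the log's messages imply

def parse_conf(value):
    """Parse an ike= value into (proposals, strict, problems)."""
    strict = value.endswith("!")
    body = value[:-1] if strict else value
    proposals, problems = [], []
    for item in body.split(","):
        if "!" in item:
            problems.append(f"'!' in the middle of the list at {item!r}")
            item = item.replace("!", "")
        prop = {}
        for kw in item.split("-"):
            if kw not in KEYWORDS:
                problems.append(f"unmapped keyword {kw!r}")
            for ttype, name in KEYWORDS.get(kw, {}).items():
                prop.setdefault(ttype, set()).add(name)
        proposals.append(prop)
    return proposals, strict, problems

def parse_logged(text):
    """Parse the 'IKE:A/B/C/D, IKE:...' list from a charon proposals line."""
    out = []
    for m in re.finditer(r"IKE:([A-Z0-9_/]+)", text):
        prop = {}
        for name in m.group(1).split("/"):
            ttype = next((t for p, t in PREFIXES if name.startswith(p)), "ENCR")
            prop.setdefault(ttype, set()).add(name)
        out.append(prop)
    return out

def negotiate(configured, received):
    """Return ((conf_idx, recv_idx) or None, first failing type per tried pair)."""
    misses = []
    for ci, conf in enumerate(configured):
        for ri, recv in enumerate(received):
            miss = next((t for t in ORDER
                         if not conf.get(t, set()) & recv.get(t, set())), None)
            if miss is None:
                return (ci, ri), misses
            misses.append(miss)
    return None, misses

# Values copied from the thread above.
RECEIVED = parse_logged(
    "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, "
    "IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048")
ORIGINAL = "aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!"
SUGGESTED = ("aes256-sha256-modp2048,aes128-sha256-modp2048,"
             "aes256-sha1-modp2048,aes128-sha1-modp2048")

if __name__ == "__main__":
    for value in (ORIGINAL, SUGGESTED):
        print(value, "->", negotiate(parse_conf(value)[0], RECEIVED))
```

For the original `ike=` value the first three mismatches come out as DH, PRF, PRF, the same sequence as the first "no acceptable ..." lines in the log quoted above.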