[strongSwan] Issue of "no IKE config found for ..., sending NO_PROPOSAL_CHOSEN"

Jianjun Shen Shen jshen.yn at gmail.com
Tue Sep 3 00:03:39 CEST 2019


Hello,

I am using strongswan (U5.3.5/K4.4.0-87-generic) on Ubuntu (16.04.3 LTS).

Running "/usr/lib/ipsec/charon --debug-cfg 4 --debug-ike 4" got the
following log messages:
00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-87-generic, x86_64)
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded IKE secret for 0.0.0.0 10.162.19.54
00[CFG]   secret: 73:77:6f:72:64:66:69:73:68
00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown
00[LIB] dropped capabilities, running as uid 0, gid 0
00[JOB] spawning 16 worker threads
05[NET] received packet: from 10.162.19.54[500] to 10.162.19.55[500] (660 bytes)
05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
05[CFG] looking for an ike config for 10.162.19.55...10.162.19.54
05[IKE] no IKE config found for 10.162.19.55...10.162.19.54, sending NO_PROPOSAL_CHOSEN
05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
05[NET] sending packet: from 10.162.19.55[500] to 10.162.19.54[500] (36 bytes)
05[IKE] IKE_SA (unnamed)[1] state change: CREATED => DESTROYING

And my ipsec.conf is quite simple:
config setup
    uniqueids=yes

conn %default
    keyingtries=%forever
    type=transport
    keyexchange=ikev2
    auto=route
    ike=aes256gcm16-sha256-modp2048
    esp=aes256gcm16-modp2048

conn host54
    left=0.0.0.0
    right=10.162.19.54
    authby=psk
    leftprotoport=gre
    rightprotoport=gre

"ipsec statusall" shows the following:
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-87-generic, x86_64):
  uptime: 3 seconds, since Sep 02 22:00:24 2019
  malloc: sbrk 1216512, mmap 0, used 251808, free 964704
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown
Listening IP addresses:
  10.162.19.55
  fd01:0:101:2616:20c:29ff:fe2f:26c4
  172.17.0.1
  192.168.0.55
Connections:
    host54:  0.0.0.0...10.162.19.54  IKEv2
    host54:   local:  uses pre-shared key authentication
    host54:   remote: [10.162.19.54] uses pre-shared key authentication
    host54:   child:  dynamic[gre] === dynamic[gre] TRANSPORT
Routed Connections:
    host54 {1}:  ROUTED, TRANSPORT, reqid 1
    host54 {1}:   10.162.19.55/32[gre] === 10.162.19.54/32[gre]
Security Associations (0 up, 0 connecting):
  none

So, I could not see anything wrong. Could you please help?

Regards,
Jianjun
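
Added example, not part of the original post: the log above was captured with --debug-cfg 4, and at that level charon prints each loaded shared secret on a "secret:" line. The Python 3 filter below masks such values in charon output and in ipsec.secrets-style lines before they are shared; the function name, the patterns and the sample values are assumptions constructed for this illustration.

```python
import re

# charon at cfg level 4 dumps a loaded shared secret as colon-separated hex,
# e.g. "00[CFG]   secret: 65:78:..."
HEX_SECRET = re.compile(
    r'^(\d{2}\[CFG\]\s+secret:\s*)((?:[0-9a-fA-F]{2}:)*[0-9a-fA-F]{2})\s*$')
# ipsec.secrets entries, e.g.  10.0.0.1 10.0.0.2 : PSK "value"
# (the value may also be unquoted, such as a 0x... or 0s... encoding)
SECRETS_LINE = re.compile(
    r'^(.*:\s*(?:PSK|EAP|XAUTH)\s+)(".*?"|\S+)', re.IGNORECASE)

def redact(text):
    """Return (sanitized_text, number_of_values_masked)."""
    out, hits = [], 0
    for line in text.splitlines():
        m = HEX_SECRET.match(line)
        if m:
            # Keep the length so readers can still see that a secret loaded.
            nbytes = m.group(2).count(":") + 1
            line = f"{m.group(1)}<redacted, {nbytes} bytes>"
            hits += 1
        else:
            m = SECRETS_LINE.match(line)
            if m:
                line = f'{m.group(1)}"<redacted>"'
                hits += 1
        out.append(line)
    return "\n".join(out), hits

# Constructed sample: two log lines in the format shown above, one
# ipsec.secrets-style line, and one line that must pass through unchanged.
SAMPLE = """\
00[CFG]   loaded IKE secret for 192.0.2.1 192.0.2.2
00[CFG]   secret: 65:78:61:6d:70:6c:65
192.0.2.1 192.0.2.2 : PSK "constructed-value"
05[CFG] looking for an ike config for 192.0.2.1...192.0.2.2"""

if __name__ == "__main__":
    clean, count = redact(SAMPLE)
    print(clean)
    print(f"masked {count} value(s)")
```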