[strongSwan] Issue of "no IKE config found for ..., sending NO_PROPOSAL_CHOSEN"
Jianjun Shen Shen
jshen.yn at gmail.com
Tue Sep 3 22:52:40 CEST 2019
Hi Jafar,
Thanks for the reply!
I tried "left=%any", but still got the same error message. BTW, I tried
"left=10.162.19.55" too, with the same result.
Regards,
Jianjun
On Tue, Sep 3, 2019 at 9:02 AM Jafar Al-Gharaibeh <jafar at atcorp.com> wrote:
> Jianjun,
>
> I see at least one issue, "left" config is wrong, instead of
>
> left=0.0.0.0
>
> you want
>
> left=%any
>
> Regards,
>
> Jafar
>
>
>
> On 9/2/19 5:03 PM, Jianjun Shen Shen wrote:
>
> Hello,
>
> I am using strongswan (U5.3.5/K4.4.0-87-generic) on Ubuntu (16.04.3 LTS).
>
> Running "/usr/lib/ipsec/charon --debug-cfg 4 --debug-ike 4" got the
> following log messages:
> 00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux
> 4.4.0-87-generic, x86_64)
> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/etc/ipsec.secrets'
> 00[CFG] loaded IKE secret for 0.0.0.0 10.162.19.54
> 00[CFG] secret: 73:77:6f:72:64:66:69:73:68
> 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5
> random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12
> pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve
> socket-default stroke updown
> 00[LIB] dropped capabilities, running as uid 0, gid 0
> 00[JOB] spawning 16 worker threads
> 05[NET] received packet: from 10.162.19.54[500] to 10.162.19.55[500] (660
> bytes)
> 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(HASH_ALG) ]
> 05[CFG] looking for an ike config for 10.162.19.55...10.162.19.54
> 05[IKE] no IKE config found for 10.162.19.55...10.162.19.54, sending
> NO_PROPOSAL_CHOSEN
> 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
> 05[NET] sending packet: from 10.162.19.55[500] to 10.162.19.54[500] (36
> bytes)
> 05[IKE] IKE_SA (unnamed)[1] state change: CREATED => DESTROYING
>
> And my ipsec.conf is quite simple:
> config setup
>     uniqueids=yes
>
> conn %default
>     keyingtries=%forever
>     type=transport
>     keyexchange=ikev2
>     auto=route
>     ike=aes256gcm16-sha256-modp2048
>     esp=aes256gcm16-modp2048
>
> conn host54
>     left=0.0.0.0
>     right=10.162.19.54
>     authby=psk
>     leftprotoport=gre
>     rightprotoport=gre
>
> "ipsec statusall" shows the following:
> Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-87-generic,
> x86_64):
> uptime: 3 seconds, since Sep 02 22:00:24 2019
> malloc: sbrk 1216512, mmap 0, used 251808, free 964704
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 0
> loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random
> nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
> dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve
> socket-default stroke updown
> Listening IP addresses:
> 10.162.19.55
> fd01:0:101:2616:20c:29ff:fe2f:26c4
> 172.17.0.1
> 192.168.0.55
> Connections:
> host54: 0.0.0.0...10.162.19.54 IKEv2
> host54: local: uses pre-shared key authentication
> host54: remote: [10.162.19.54] uses pre-shared key authentication
> host54: child: dynamic[gre] === dynamic[gre] TRANSPORT
> Routed Connections:
> host54 {1}: ROUTED, TRANSPORT, reqid 1
> host54 {1}: 10.162.19.55/32[gre] === 10.162.19.54/32[gre]
> Security Associations (0 up, 0 connecting):
> none
>
> So, I could not see anything wrong. Could you please help?
>
> Regards,
> Jianjun
>
>
>
>