[strongSwan] Issue of "no IKE config found for ..., sending NO_PROPOSAL_CHOSEN"

Jianjun Shen Shen jshen.yn at gmail.com
Wed Sep 4 19:52:32 CEST 2019


Hi Tobias,

Thanks for the reply.
But what could be the reasons that the configuration is not loaded? In my
case, "ipsec statusall" could dump the configuration, but you mean it is
not loaded by charon?
How should I debug this further?
One thing I should mention is that I am running strongswan in a container
(actually K8s Pod). I enabled privileged mode and also disabled AppArmor
(before that I saw some AppArmor errors). Anything else I should pay
attention to?

Jianjun

> Hi Jianjun,
>
> According to the log, the configuration is not loaded when the peer is
> trying to connect:
>
>   00[JOB] spawning 16 worker threads
>   05[NET] received packet: from 10.162.19.54[500] to 10.162.19.55[500] (660 bytes)
>   05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
>   05[CFG] looking for an ike config for 10.162.19.55...10.162.19.54
>   05[IKE] no IKE config found for 10.162.19.55...10.162.19.54, sending NO_PROPOSAL_CHOSEN
>
> There should be something like:
>
>   05[CFG] received stroke: add connection 'host54'
>   05[CFG] added configuration 'host54'
>   07[CFG] received stroke: route 'host54'
>
> Until that happens the peer won't be able to connect. Also, your host
> should initiate the connection afterwards if GRE traffic with matching
> IPs hits the installed trap policy. Note that `left=0.0.0.0` is
> replaced in the trap policy with the local IP address:
>
>   Routed Connections:
>       host54 {1}:  ROUTED, TRANSPORT, reqid 1
>       host54 {1}:   10.162.19.55/32[gre] === 10.162.19.54/32[gre]
>
> Regards,
> Tobias



> On 9/2/19 5:03 PM, Jianjun Shen Shen wrote:
>
>> Hello,
>>
>> I am using strongswan (U5.3.5/K4.4.0-87-generic) on Ubuntu (16.04.3 LTS).
>>
>> Running "/usr/lib/ipsec/charon --debug-cfg 4 --debug-ike 4" got the
>> following log messages:
>> 00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux
>> 4.4.0-87-generic, x86_64)
>> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
>> 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
>> 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
>> 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
>> 00[CFG] loading crls from '/etc/ipsec.d/crls'
>> 00[CFG] loading secrets from '/etc/ipsec.secrets'
>> 00[CFG]   loaded IKE secret for 0.0.0.0 10.162.19.54
>> 00[CFG]   secret: 73:77:6f:72:64:66:69:73:68
>> 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5
>> random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12
>> pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve
>> socket-default stroke updown
>> 00[LIB] dropped capabilities, running as uid 0, gid 0
>> 00[JOB] spawning 16 worker threads
>> 05[NET] received packet: from 10.162.19.54[500] to 10.162.19.55[500] (660
>> bytes)
>> 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
>> N(HASH_ALG) ]
>> 05[CFG] looking for an ike config for 10.162.19.55...10.162.19.54
>> 05[IKE] no IKE config found for 10.162.19.55...10.162.19.54, sending
>> NO_PROPOSAL_CHOSEN
>> 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
>> 05[NET] sending packet: from 10.162.19.55[500] to 10.162.19.54[500] (36
>> bytes)
>> 05[IKE] IKE_SA (unnamed)[1] state change: CREATED => DESTROYING
>>
>> And my ipsec.conf is quite simple:
>> config setup
>>     uniqueids=yes
>>
>> conn %default
>>     keyingtries=%forever
>>     type=transport
>>     keyexchange=ikev2
>>     auto=route
>>     ike=aes256gcm16-sha256-modp2048
>>     esp=aes256gcm16-modp2048
>>
>> conn host54
>>     left=0.0.0.0
>>     right=10.162.19.54
>>     authby=psk
>>     leftprotoport=gre
>>     rightprotoport=gre
>>
>> "ipsec statusall" shows the following:
>> Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-87-generic,
>> x86_64):
>>   uptime: 3 seconds, since Sep 02 22:00:24 2019
>>   malloc: sbrk 1216512, mmap 0, used 251808, free 964704
>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
>> scheduled: 0
>>   loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random
>> nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
>> dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve
>> socket-default stroke updown
>> Listening IP addresses:
>>   10.162.19.55
>>   fd01:0:101:2616:20c:29ff:fe2f:26c4
>>   172.17.0.1
>>   192.168.0.55
>> Connections:
>>     host54:  0.0.0.0...10.162.19.54  IKEv2
>>     host54:   local:  uses pre-shared key authentication
>>     host54:   remote: [10.162.19.54] uses pre-shared key authentication
>>     host54:   child:  dynamic[gre] === dynamic[gre] TRANSPORT
>> Routed Connections:
>>     host54 {1}:  ROUTED, TRANSPORT, reqid 1
>>     host54 {1}:   10.162.19.55/32[gre] === 10.162.19.54/32[gre]
>> Security Associations (0 up, 0 connecting):
>>   none
>>
>> So, I could not see anything wrong. Could you please help?
>>
>> Regards,
>> Jianjun
>>
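An added example, not code from the thread or from strongSwan: a POSIX shell check that applies Tobias's diagnosis to a charon debug log, looking for the stroke `add connection` / `added configuration` / `route` lines for a connection name before the first inbound IKE packet. The two sample logs and the function name `check_conn_loaded` are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or strongSwan): apply Tobias's diagnosis
# to a charon debug log. The connection must be delivered by the stroke plugin
# ("received stroke: add connection" / "added configuration") and routed before
# the peer's first IKE_SA_INIT arrives; otherwise charon answers NO_PROPOSAL_CHOSEN.

# Constructed sample reproducing the failure from the original post:
# the peer connects and no "add connection" was ever received.
FAILING_LOG="00[JOB] spawning 16 worker threads
05[NET] received packet: from 10.162.19.54[500] to 10.162.19.55[500] (660 bytes)
05[CFG] looking for an ike config for 10.162.19.55...10.162.19.54
05[IKE] no IKE config found for 10.162.19.55...10.162.19.54, sending NO_PROPOSAL_CHOSEN"

# Constructed sample of the healthy sequence Tobias expects to see.
HEALTHY_LOG="00[JOB] spawning 16 worker threads
05[CFG] received stroke: add connection 'host54'
05[CFG] added configuration 'host54'
07[CFG] received stroke: route 'host54'
05[NET] received packet: from 10.162.19.54[500] to 10.162.19.55[500] (660 bytes)"

# check_conn_loaded CONN LOG
# Returns 0 if CONN was added and routed before the first inbound IKE packet,
# 1 otherwise, printing a one-line diagnosis either way.
check_conn_loaded() {
    conn=$1; log=$2
    # Line number of the first inbound IKE packet (empty if the peer never connected).
    first_pkt=$(printf '%s\n' "$log" | grep -n '\[NET\] received packet' | head -n 1 | cut -d: -f1)
    # Line number at which charon reports the connection as added (empty if never).
    added=$(printf '%s\n' "$log" | grep -n "\[CFG\] added configuration '$conn'" | head -n 1 | cut -d: -f1)
    # Number of "route" stroke messages for the connection (0 means no trap policy).
    routed=$(printf '%s\n' "$log" | grep -c "\[CFG\] received stroke: route '$conn'" || true)
    if [ -z "$added" ]; then
        echo "conn '$conn' never added: stroke did not deliver it, charon is not using this ipsec.conf"
        return 1
    fi
    if [ -n "$first_pkt" ] && [ "$added" -gt "$first_pkt" ]; then
        echo "conn '$conn' added at log line $added, after the first peer packet at line $first_pkt"
        return 1
    fi
    if [ "$routed" -eq 0 ]; then
        echo "conn '$conn' added but never routed: no trap policy installed"
        return 1
    fi
    echo "conn '$conn' added and routed before any peer packet"
    return 0
}

# Usage: the first call reports the failure, the second reports success.
check_conn_loaded host54 "$FAILING_LOG" || true
check_conn_loaded host54 "$HEALTHY_LOG"
```

Run it against a real log with `check_conn_loaded host54 "$(cat /var/log/charon.log)"` (path assumed; use wherever your charon output lands).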