[strongSwan] Issue of "no IKE config found for ..., sending NO_PROPOSAL_CHOSEN"

Jianjun Shen Shen jshen.yn at gmail.com
Fri Sep 6 20:09:00 CEST 2019


Resent (seems my last reply went to the wrong branch of the thread).

Hi Tobias,

Thanks for the reply.
But what could be the reasons that the configuration is not loaded? In my
case, "ipsec statusall" could dump the configuration, but you mean it is
not loaded by charon?
How should I debug this further?
One thing I should mention is that I am running strongSwan in a container
(actually a K8s Pod). I enabled privileged mode and also disabled AppArmor
(before that I saw some AppArmor errors). Anything else I should pay
attention to?

BTW, I tried the same test with an Ubuntu 18.04 image and still got the same
issue.

Regards,
Jianjun

On Wed, Sep 4, 2019 at 7:58 AM Tobias Brunner <tobias at strongswan.org> wrote:

> Hi Jianjun,
>
> According to the log, the configuration is not loaded when the peer is
> trying to connect:
>
> > 00[JOB] spawning 16 worker threads
> > 05[NET] received packet: from 10.162.19.54[500] to 10.162.19.55[500]
> > (660 bytes)
> > 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> > N(NATD_D_IP) N(HASH_ALG) ]
> > 05[CFG] looking for an ike config for 10.162.19.55...10.162.19.54
> > 05[IKE] no IKE config found for 10.162.19.55...10.162.19.54, sending
> > NO_PROPOSAL_CHOSEN
>
> There should be something like:
>
> > 05[CFG] received stroke: add connection 'host54'
> > 05[CFG] added configuration 'host54'
> > 07[CFG] received stroke: route 'host54'
>
> Until that happens the peer won't be able to connect.  Also, your host
> should initiate the connection afterwards if GRE traffic with matching
> IPs hits the installed trap policy.  Note that `left=0.0.0.0` is
> replaced in the trap policy with the local IP address:
>
> > Routed Connections:
> >     host54 {1}:  ROUTED, TRANSPORT, reqid 1
> >     host54 {1}:   10.162.19.55/32[gre] === 10.162.19.54/32[gre]
>
> Regards,
> Tobias
>
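Added example, not part of the original messages and not strongSwan code: a small check for the ordering problem described in the quoted reply, that is, whether any `added configuration` line precedes a `no IKE config found` rejection in a charon log. The sample log is constructed from the lines quoted in the thread (unwrapped), and the function and field names are assumptions made for this example.

```python
import re

# Constructed sample: the charon lines quoted in the thread, unwrapped, with the
# rejection first and the stroke lines the reply expects appearing only afterwards.
SAMPLE_LOG = """\
00[JOB] spawning 16 worker threads
05[NET] received packet: from 10.162.19.54[500] to 10.162.19.55[500] (660 bytes)
05[CFG] looking for an ike config for 10.162.19.55...10.162.19.54
05[IKE] no IKE config found for 10.162.19.55...10.162.19.54, sending NO_PROPOSAL_CHOSEN
05[CFG] received stroke: add connection 'host54'
05[CFG] added configuration 'host54'
07[CFG] received stroke: route 'host54'
"""

ADDED = re.compile(r"\[CFG\] added configuration '([^']+)'")
NO_CFG = re.compile(r"\[IKE\] no IKE config found for (\S+?)\.\.\.(\S+?), sending")


def audit(log_text):
    """Return (findings, loaded): one finding per rejected IKE_SA_INIT, recording
    which connections charon had already added when the rejection was logged."""
    loaded, findings = [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        added = ADDED.search(line)
        if added:
            loaded.append(added.group(1))
            continue
        rejected = NO_CFG.search(line)
        if rejected:
            findings.append({
                "line": lineno,
                "local": rejected.group(1),
                "remote": rejected.group(2),
                "loaded_before": list(loaded),
                # Separate "nothing loaded yet" from "loaded, but no address match".
                "diagnosis": ("no configuration loaded yet" if not loaded else
                              "configurations loaded, but none matched these addresses"),
            })
    return findings, loaded


if __name__ == "__main__":
    findings, loaded = audit(SAMPLE_LOG)
    for f in findings:
        print(f"line {f['line']}: {f['local']}...{f['remote']}: {f['diagnosis']}")
    print("connections added by end of log:", loaded)
```
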