[strongSwan] no IKE config found, sending NO_PROPOSAL_CHOSEN
Houman
houmie at gmail.com
Sat Aug 29 10:32:52 CEST 2020
Hello everyone,
I'm trying to migrate from the legacy ipsec.conf to the new swanctl.conf.
I'm following this page:
https://wiki.strongswan.org/projects/strongswan/wiki/Fromipsecconf
I have compiled the latest strongSwan 5.9.
After converting everything carefully, I get the following error when
connecting:
no IKE config found, sending NO_PROPOSAL_CHOSEN
My original working ipsec.conf is:
config setup
strictcrlpolicy=yes
uniqueids=never
conn ${SERVERNAME}
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
ike=aes256gcm16-aes192gcm16-aes128gcm16-prfsha256-ecp521-ecp256-modp4096-modp2048,
aes256-sha256-ecp521-ecp256-modp4096-modp2048!
esp=aes256gcm16-aes192gcm16-aes128gcm16-ecp521-ecp256-modp4096-modp2048,
aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1!
dpdaction=clear
dpddelay=180s
dpdtimeout=3600s
rekey=no
left=%any
leftid=@${VPNHOST}
leftcert=cert.pem
leftsendcert=always
leftsubnet=0.0.0.0/0, ::/0
right=%any
rightid=%any
rightauth=eap-radius
eap_identity=%any
rightdns=${DNS1},${DNS2}
rightsourceip=${VPNIPPOOL},${VPNIP6POOL}
leftfirewall=no
The new /etc/swanctl/swanctl.conf that I created from the above is:
connections {
${SERVERNAME} {
version = 2
local_addrs = %any
remote_addrs = %any
proposals =
aes256gcm16-aes192gcm16-aes128gcm16-prfsha256-ecp521-ecp256-modp4096-modp2048,
aes256-sha256-ecp521-ecp256-modp4096-modp2048
encap = yes
mobike = yes
dpd_delay = 180s
fragmentation = yes
send_cert = always
unique = never
pools = MyPool
local {
certs = cert.pem
id = @${VPNHOST}
}
remote {
id = %any
eap_id = %any
revocation = strict
auth = eap-radius
children {
child_name {
esp_proposals =
aes256gcm16-aes192gcm16-aes128gcm16-ecp521-ecp256-modp4096-modp2048,
aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1
local_ts = dynamic
mode = tunnel
dpd_action = clear
ipcomp = no
start_action = none
}
}
}
}
pools {
MyPool {
addrs = ${VPNIPPOOL},${VPNIP6POOL}
dns = ${DNS1},${DNS2}
}
}
include conf.d/*.conf
What could be the reason it doesn't work?
Many Thanks,
Houman