[strongSwan] no IKE config found, sending NO_PROPOSAL_CHOSEN
Felipe Polanco
felipeapolanco at gmail.com
Sun Aug 30 06:29:51 CEST 2020
Hi,
Try removing
local_addrs = %any
remote_addrs = %any
On Sat, Aug 29, 2020 at 4:33 AM Houman <houmie at gmail.com> wrote:
> Hello everyone,
>
> I'm trying to migrate from the legacy ipsec.conf to the new swanctl.conf
> I'm following this page
> https://wiki.strongswan.org/projects/strongswan/wiki/Fromipsecconf
>
> I have compiled the latest StrongSwan 5.9.
>
> After converting everything carefully, I'm getting this error shown, when
> connecting.
> no IKE config found, sending NO_PROPOSAL_CHOSEN
>
> My original working Ipsec.conf is:
>
> config setup
> strictcrlpolicy=yes
> uniqueids=never
> conn ${SERVERNAME}
> auto=add
> compress=no
> type=tunnel
> keyexchange=ikev2
> fragmentation=yes
> forceencaps=yes
>
> ike=aes256gcm16-aes192gcm16-aes128gcm16-prfsha256-ecp521-ecp256-modp4096-modp2048,
> aes256-sha256-ecp521-ecp256-modp4096-modp2048!
> esp=aes256gcm16-aes192gcm16-aes128gcm16-ecp521-ecp256-modp4096-modp2048,
> aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1!
> dpdaction=clear
> dpddelay=180s
> dpdtimeout=3600s
> rekey=no
> left=%any
> leftid=@${VPNHOST}
> leftcert=cert.pem
> leftsendcert=always
> leftsubnet=0.0.0.0/0, ::/0
> right=%any
> rightid=%any
> rightauth=eap-radius
> eap_identity=%any
> rightdns=${DNS1},${DNS2}
> rightsourceip=${VPNIPPOOL},${VPNIP6POOL}
> leftfirewall=no
>
> The new /etc/swanctl/swanctl.conf that I created based on the above is:
>
> connections {
> ${SERVERNAME} {
> version = 2
> local_addrs = %any
> remote_addrs = %any
> proposals =
> aes256gcm16-aes192gcm16-aes128gcm16-prfsha256-ecp521-ecp256-modp4096-modp2048,
> aes256-sha256-ecp521-ecp256-modp4096-modp2048
> encap = yes
> mobike = yes
> dpd_delay = 180s
> fragmentation = yes
> send_cert = always
> unique = never
> pools = MyPool
> local {
> certs = cert.pem
> id = @${VPNHOST}
> }
> remote {
> id = %any
> eap_id = %any
> revocation = strict
> auth = eap-radius
> children {
> child_name {
> esp_proposals =
> aes256gcm16-aes192gcm16-aes128gcm16-ecp521-ecp256-modp4096-modp2048,
> aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1
> local_ts = dynamic
> mode = tunnel
> dpd_action = clear
> ipcomp = no
> start_action = none
> }
> }
> }
> }
> pools {
> MyPool {
> addrs = ${VPNIPPOOL},${VPNIP6POOL}
> dns = ${DNS1},${DNS2}
> }
> }
> include conf.d/*.conf
>
> What could be the reason that it doesn't work?
> Many Thanks,
> Houman
>
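A structural check for section nesting in a swanctl.conf, as an added example that is not part of the original thread or of strongSwan's own tooling: it reports unclosed sections and any `children` or `pools` section opened somewhere other than `connections.<conn>.children` or the top level. The function name and the abbreviated sample (constructed, with the same brace nesting as the quoted swanctl.conf) are assumptions, and the check assumes one `name {` or `}` per line.

```python
import re
# Constructed sample: placeholder values, same brace nesting as the quoted swanctl.conf.
SAMPLE = """\
connections {
  gw {
    local {
      certs = cert.pem
    }
    remote {
      auth = eap-radius
    children {
      child_name {
        mode = tunnel
      }
    }
  }
}
pools {
  MyPool {
    addrs = 10.0.0.0/24
  }
}
"""
OPEN = re.compile(r"^([^=#]+?)\s*\{$")  # "name {" on a line of its own

def findings(text):
    """Return nesting problems found in swanctl.conf-style text."""
    stack, out = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # assumes no '#' inside values
        m = OPEN.match(line)
        if m:
            stack.append(m.group(1))
            path = ".".join(stack)
            if stack[-1] == "children" and (len(stack) != 3 or stack[0] != "connections"):
                out.append(f"line {no}: {path} (expected connections.<conn>.children)")
            elif stack[-1] == "pools" and len(stack) != 1:
                out.append(f"line {no}: {path} (expected top-level pools)")
        elif line == "}":
            if stack:
                stack.pop()
            else:
                out.append(f"line {no}: closing brace without an open section")
    if stack:
        out.append("unclosed at end of file: " + ".".join(stack))
    return out

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE)))
```

An empty result means every section is closed and `children` and `pools` sit where swanctl expects them; it does not validate keys or values.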