[strongSwan] NO_PROPOSAL_CHOSEN when using 5.6.2 on Ubuntu 18.04

Karuna Sagar Krishna karunasagark at gmail.com
Tue May 11 23:50:42 CEST 2021


Hi,

I'm setting up an IPsec connection between a bunch of Ubuntu 18.04 LTS
nodes. I'm using strongSwan (Linux strongSwan U5.6.2/K5.4.0-1046-azure) on
the Ubuntu nodes. The number of nodes is dynamic, i.e., there are frequent
scale-outs/ins. So the ipsec.conf file (see attached) is updated with
additional conn sections and `sudo ipsec update` is used to reload the
config file. However, I've noticed intermittent network connectivity issues,
and the syslog shows -> "no IKE config found for 10.0.0.14...10.0.0.18,
sending NO_PROPOSAL_CHOSEN". Clearly, the ipsec status shows that the
daemon has not reloaded the config irrespective of issuing `sudo ipsec
update` multiple times.

Can you help understand why the config is not updated and how to fix
this issue?



IPSec status:
-----------------

> sudo ipsec statusall

Status of IKE charon daemon (strongSwan 5.6.2, Linux 5.4.0-1046-azure, x86_64):
  uptime: 45 minutes, since May 11 20:42:07 2021
  malloc: sbrk 2703360, mmap 0, used 778800, free 1924560
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
  10.0.0.14
Connections:
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:  10.0.0.14...10.0.0.15  IKEv2
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   local:  [CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key authentication
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:    cert:  "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   remote: [CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key authentication
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:    cert:  "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   child:  dynamic === dynamic TRANSPORT
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:  10.0.0.14...10.0.0.14  IKEv2
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   local:  [CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key authentication
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:    cert:  "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   remote: [CN=IP-37fa1445fc.hdinsight-stable.azure-test.net] uses public key authentication
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:    cert:  "CN=IP-37fa1445fc.hdinsight-stable.azure-test.net"
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net:   child:  dynamic === dynamic TRANSPORT
Routed Connections:
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{2}:  ROUTED, TRANSPORT, reqid 2
hn1-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{2}:   10.0.0.14/32 === 10.0.0.14/32
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{1}:  ROUTED, TRANSPORT, reqid 1
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{1}:   10.0.0.14/32 === 10.0.0.15/32
Security Associations (1 up, 0 connecting):
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net[11]: ESTABLISHED 26 minutes ago, 10.0.0.14[CN=IP-37fa1445fc.hdinsight-stable.azure-test.net]...10.0.0.15[CN=IP-37fa1445fc.hdinsight-stable.azure-test.net]
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net[11]: IKEv2 SPIs: 1536ce9853bef399_i c00b62dfefa5f4ce_r*, public key reauthentication in 7 hours
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net[11]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{3}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c73ba254_i c0ffd04a_o
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{3}:  AES_CBC_256/HMAC_SHA2_256_128, 44961 bytes_i (822 pkts, 0s ago), 193357 bytes_o (570 pkts, 1557s ago), rekeying in 7 hours
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net{3}:   10.0.0.14/32 === 10.0.0.15/32


Charon logs:
-----------------

May 11 21:23:20 hn1-kkafka charon: 09[NET] received packet: from 10.0.0.18[500] to 10.0.0.14[500] (536 bytes)
May 11 21:23:20 hn1-kkafka charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
May 11 21:23:20 hn1-kkafka charon: 09[IKE] no IKE config found for 10.0.0.14...10.0.0.18, sending NO_PROPOSAL_CHOSEN
May 11 21:23:20 hn1-kkafka charon: 09[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
May 11 21:23:20 hn1-kkafka charon: 09[NET] sending packet: from 10.0.0.14[500] to 10.0.0.18[500] (36 bytes)

--karuna
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec.conf
Type: application/octet-stream
Size: 692 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20210511/474cbc93/attachment.obj>
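As an added diagnostic aid (not from the original post or from strongSwan), the Python below reconciles charon's "no IKE config found" syslog lines with the Connections block of `ipsec statusall`, so that after a reload you can list which rejected peers still have no loaded conn covering them. The hostnames, addresses and log lines are constructed sample data modelled on the ones quoted above; `%any` wildcard handling is an assumption about how a `right=%any` conn is printed.

```python
import re
from typing import Dict, List, Set, Tuple

# Shapes of the charon log line and the statusall connection line quoted in the post.
NO_CONFIG_RE = re.compile(r"no IKE config found for (\S+?)\.\.\.(\S+?),")
CONN_RE = re.compile(r"^(?P<name>\S+):\s+(?P<local>\S+)\.\.\.(?P<remote>\S+)\s+IKEv[12]$")


def rejected_peers(log_lines: List[str]) -> Set[Tuple[str, str]]:
    """(local, remote) pairs for which charon answered NO_PROPOSAL_CHOSEN."""
    pairs = set()
    for line in log_lines:
        m = NO_CONFIG_RE.search(line)
        if m:
            pairs.add((m.group(1), m.group(2)))
    return pairs


def loaded_connections(status_lines: List[str]) -> Dict[str, Tuple[str, str]]:
    """conn name -> (local, remote) taken from the Connections: block of statusall."""
    conns = {}
    for line in status_lines:
        m = CONN_RE.match(line.strip())
        if m:
            conns[m.group("name")] = (m.group("local"), m.group("remote"))
    return conns


def covers(conn: Tuple[str, str], pair: Tuple[str, str]) -> bool:
    """True if a loaded conn matches the pair; %any (assumed wildcard) matches any address."""
    return all(c == "%any" or c == p for c, p in zip(conn, pair))


def unconfigured_peers(log_lines: List[str], status_lines: List[str]) -> List[str]:
    """Rejected remote peers that still have no loaded conn covering them."""
    loaded = loaded_connections(status_lines).values()
    return sorted(remote for local, remote in rejected_peers(log_lines)
                  if not any(covers(c, (local, remote)) for c in loaded))


# Constructed sample data: .19 gained a conn after the reload, .18 did not.
SAMPLE_LOG = [
    "May 11 21:23:20 hn1-kkafka charon: 09[IKE] no IKE config found for 10.0.0.14...10.0.0.18, sending NO_PROPOSAL_CHOSEN",
    "May 11 21:23:21 hn1-kkafka charon: 10[IKE] no IKE config found for 10.0.0.14...10.0.0.19, sending NO_PROPOSAL_CHOSEN",
    "May 11 21:23:21 hn1-kkafka charon: 10[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]",
]
SAMPLE_STATUS = [
    "hn0-kkafka:  10.0.0.14...10.0.0.15  IKEv2",
    "hn0-kkafka:   local:  [CN=example] uses public key authentication",
    "hn2-kkafka:  10.0.0.14...10.0.0.19  IKEv2",
]
```

Feed it `journalctl -u strongswan` (or the syslog) and `ipsec statusall` output; any address it prints is a peer whose conn section never reached the running daemon.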