
List:       strongswan-users
Subject:    Re: [strongSwan] Issue of "no IKE config found for ..., sending NO_PROPOSAL_CHOSEN"
From:       Jianjun Shen Shen <jshen.yn () gmail ! com>
Date:       2019-09-11 0:56:54
Message-ID: CAK2m7M_ojCcVyEnH6MrToYZBztQuXW7U5R_npSzZLhEHoYjhuQ () mail ! gmail ! com

After several days of debugging, I finally figured out it is due
to libstrongswan-standard-plugins not being installed in my Docker image.
Thanks for the replies in this thread!

Jianjun

On Mon, Sep 2, 2019 at 3:03 PM Jianjun Shen Shen <jshen.yn@gmail.com> wrote:

> Hello,
>
> I am using strongswan (U5.3.5/K4.4.0-87-generic) on Ubuntu (16.04.3 LTS).
>
> Running "/usr/lib/ipsec/charon --debug-cfg 4 --debug-ike 4" got the
> following log messages:
> 00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux
> 4.4.0-87-generic, x86_64)
> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/etc/ipsec.secrets'
> 00[CFG]   loaded IKE secret for 0.0.0.0 10.162.19.54
> 00[CFG]   secret: 73:77:6f:72:64:66:69:73:68
> 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5
> random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12
> pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve
> socket-default stroke updown
> 00[LIB] dropped capabilities, running as uid 0, gid 0
> 00[JOB] spawning 16 worker threads
> 05[NET] received packet: from 10.162.19.54[500] to 10.162.19.55[500] (660
> bytes)
> 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(HASH_ALG) ]
> 05[CFG] looking for an ike config for 10.162.19.55...10.162.19.54
> 05[IKE] no IKE config found for 10.162.19.55...10.162.19.54, sending
> NO_PROPOSAL_CHOSEN
> 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
> 05[NET] sending packet: from 10.162.19.55[500] to 10.162.19.54[500] (36
> bytes)
> 05[IKE] IKE_SA (unnamed)[1] state change: CREATED => DESTROYING
>
> And my ipsec.conf is quite simple:
> config setup
>     uniqueids=yes
>
> conn %default
>     keyingtries=%forever
>     type=transport
>     keyexchange=ikev2
>     auto=route
>     ike=aes256gcm16-sha256-modp2048
>     esp=aes256gcm16-modp2048
>
> conn host54
>     left=0.0.0.0
>     right=10.162.19.54
>     authby=psk
>     leftprotoport=gre
>     rightprotoport=gre
>
> "ipsec statusall" shows the following:
> Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-87-generic,
> x86_64):
>   uptime: 3 seconds, since Sep 02 22:00:24 2019
>   malloc: sbrk 1216512, mmap 0, used 251808, free 964704
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 0
>   loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random
> nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
> dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve
> socket-default stroke updown
> Listening IP addresses:
>   10.162.19.55
>   fd01:0:101:2616:20c:29ff:fe2f:26c4
>   172.17.0.1
>   192.168.0.55
> Connections:
>     host54:  0.0.0.0...10.162.19.54  IKEv2
>     host54:   local:  uses pre-shared key authentication
>     host54:   remote: [10.162.19.54] uses pre-shared key authentication
>     host54:   child:  dynamic[gre] === dynamic[gre] TRANSPORT
> Routed Connections:
>     host54 {1}:  ROUTED, TRANSPORT, reqid 1
>     host54 {1}:   10.162.19.55/32[gre] === 10.162.19.54/32[gre]
> Security Associations (0 up, 0 connecting):
>   none
>
> So, I could not see anything wrong. Could you please help?
>
> Regards,
> Jianjun
>
>
>
>
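
An added example (not part of the original message, and not strongSwan code): a pre-flight check that compares the `ike=` proposal in ipsec.conf with the `loaded plugins` line charon logs, which is where a missing plugin package becomes visible. The keyword-to-plugin table is an assumption covering only the keywords in this thread; extend it for other algorithms and crypto backends.

```python
import re

# Assumption: plugins able to supply each IKE proposal keyword. Covers only the
# keywords used in this thread; other crypto backends are not listed.
PROVIDERS = [
    (re.compile(r"aes\d+gcm\d+"), {"gcm", "openssl"}),
    (re.compile(r"sha(256|384|512)"), {"sha2", "openssl"}),
    (re.compile(r"modp\d+"), {"gmp", "openssl"}),
]

# Sample input copied from the quoted message (log line unwrapped).
SAMPLE_LOG = (
    "00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 "
    "random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 "
    "pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve "
    "socket-default stroke updown\n"
)
SAMPLE_CONF = "conn %default\n    ike=aes256gcm16-sha256-modp2048\n    esp=aes256gcm16-modp2048\n"

def loaded_plugins(log_text):
    """Return the set of plugin names from charon's 'loaded plugins:' line."""
    m = re.search(r"loaded plugins:\s*(.+)", log_text)
    return set(m.group(1).split()) if m else set()

def ike_keywords(conf_text):
    """Return the algorithm keywords of every ike= line (esp= is skipped: ESP ciphers run in the kernel)."""
    words = []
    for line in conf_text.splitlines():
        m = re.match(r"\s*ike\s*=\s*([^#]*)", line)
        for proposal in (m.group(1).split(",") if m else []):
            words += [w for w in proposal.strip().rstrip("!").split("-") if w]
    return words

def unsupported(conf_text, log_text):
    """List (keyword, candidate plugins) pairs for which no candidate plugin is loaded."""
    have = loaded_plugins(log_text)
    out = []
    for word in ike_keywords(conf_text):
        for pattern, plugins in PROVIDERS:
            if pattern.fullmatch(word) and not (plugins & have):
                out.append((word, sorted(plugins)))
    return out

if __name__ == "__main__":
    for word, plugins in unsupported(SAMPLE_CONF, SAMPLE_LOG):
        print(f"ike= uses {word}, but none of {plugins} is loaded")
```

Running it inside the container image at build time catches a dropped plugin package before the first IKE_SA_INIT arrives.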



