[prev in list] [next in list] [prev in thread] [next in thread]
List: strongswan-users
Subject: Re: [strongSwan] Issue of "no IKE config found for ..., sending NO_PROPOSAL_CHOSEN"
From: Jianjun Shen Shen <jshen.yn () gmail ! com>
Date: 2019-09-11 0:56:54
Message-ID: CAK2m7M_ojCcVyEnH6MrToYZBztQuXW7U5R_npSzZLhEHoYjhuQ () mail ! gmail ! com
[Download RAW message or body]
After several days of debugging, I finally figured out it is due
to libstrongswan-standard-plugins not installed in my docker image. Thanks
for the replies in this thread!
Jianjun
On Mon, Sep 2, 2019 at 3:03 PM Jianjun Shen Shen <jshen.yn@gmail.com> wrote:
> Hello,
>
> I am using strongswan (U5.3.5/K4.4.0-87-generic) on Ubuntu (16.04.3 LTS).
>
> Running "/usr/lib/ipsec/charon --debug-cfg 4 --debug-ike 4" got the
> following log messages:
> 00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux
> 4.4.0-87-generic, x86_64)
> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/etc/ipsec.secrets'
> 00[CFG] loaded IKE secret for 0.0.0.0 10.162.19.54
> 00[CFG] secret: 73:77:6f:72:64:66:69:73:68
> 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5
> random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12
> pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve
> socket-default stroke updown
> 00[LIB] dropped capabilities, running as uid 0, gid 0
> 00[JOB] spawning 16 worker threads
> 05[NET] received packet: from 10.162.19.54[500] to 10.162.19.55[500] (660
> bytes)
> 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(HASH_ALG) ]
> 05[CFG] looking for an ike config for 10.162.19.55...10.162.19.54
> 05[IKE] no IKE config found for 10.162.19.55...10.162.19.54, sending
> NO_PROPOSAL_CHOSEN
> 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
> 05[NET] sending packet: from 10.162.19.55[500] to 10.162.19.54[500] (36
> bytes)
> 05[IKE] IKE_SA (unnamed)[1] state change: CREATED => DESTROYING
>
> And my ipsec.conf is quite simple:
> config setup
> uniqueids=yes
>
> conn %default
> keyingtries=%forever
> type=transport
> keyexchange=ikev2
> auto=route
> ike=aes256gcm16-sha256-modp2048
> esp=aes256gcm16-modp2048
>
> conn host54
> left=0.0.0.0
> right=10.162.19.54
> authby=psk
> leftprotoport=gre
> rightprotoport=gre
>
> "ipsec statusall" shows the following:
> Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-87-generic,
> x86_64):
> uptime: 3 seconds, since Sep 02 22:00:24 2019
> malloc: sbrk 1216512, mmap 0, used 251808, free 964704
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 0
> loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random
> nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
> dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve
> socket-default stroke updown
> Listening IP addresses:
> 10.162.19.55
> fd01:0:101:2616:20c:29ff:fe2f:26c4
> 172.17.0.1
> 192.168.0.55
> Connections:
> host54: 0.0.0.0...10.162.19.54 IKEv2
> host54: local: uses pre-shared key authentication
> host54: remote: [10.162.19.54] uses pre-shared key authentication
> host54: child: dynamic[gre] === dynamic[gre] TRANSPORT
> Routed Connections:
> host54 {1}: ROUTED, TRANSPORT, reqid 1
> host54 {1}: 10.162.19.55/32[gre] <http://10.162.19.55/32%5Bgre%5D>
> === 10.162.19.54/32[gre] <http://10.162.19.54/32%5Bgre%5D>
> Security Associations (0 up, 0 connecting):
> none
>
> So, I could not see anything wrong. Could you please help?
>
> Regards,
> Jianjun
>
>
>
>
[Attachment #3 (text/html)]
<div dir="ltr">After several days of debugging, I finally figured out it is due to \
libstrongswan-standard-plugins not installed in my docker image. Thanks for the \
replies in this thread!<div><br></div><div>Jianjun</div></div><br><div \
class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Sep 2, 2019 at 3:03 PM \
Jianjun Shen Shen <<a href="mailto:jshen.yn@gmail.com">jshen.yn@gmail.com</a>> \
wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px \
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div \
dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div \
dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div \
dir="ltr"><div dir="ltr">Hello,<div><br></div><div>I am using strongswan \
(U5.3.5/K4.4.0-87-generic) on Ubuntu (16.04.3 LTS).</div><div><br></div><div>Running \
"/usr/lib/ipsec/charon --debug-cfg 4 --debug-ike 4" got the following log \
messages:</div><div><div>00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux \
4.4.0-87-generic, x86_64)</div><div>00[CFG] loading ca certificates from \
'/etc/ipsec.d/cacerts'</div><div>00[CFG] loading aa certificates from \
'/etc/ipsec.d/aacerts'</div><div>00[CFG] loading ocsp signer certificates \
from '/etc/ipsec.d/ocspcerts'</div><div>00[CFG] loading attribute \
certificates from '/etc/ipsec.d/acerts'</div><div>00[CFG] loading crls from \
'/etc/ipsec.d/crls'</div><div>00[CFG] loading secrets from \
'/etc/ipsec.secrets'</div><div>00[CFG] loaded IKE secret for 0.0.0.0 \
10.162.19.54</div><div>00[CFG] secret: \
73:77:6f:72:64:66:69:73:68</div><div>00[LIB] loaded plugins: charon test-vectors aes \
rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 \
pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve \
socket-default stroke updown</div><div>00[LIB] dropped capabilities, running as uid \
0, gid 0</div><div>00[JOB] spawning 16 worker threads</div><div>05[NET] received \
packet: from 10.162.19.54[500] to 10.162.19.55[500] (660 bytes)</div><div>05[ENC] \
parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) \
]</div><div>05[CFG] looking for an ike config for \
10.162.19.55...10.162.19.54</div><div>05[IKE] no IKE config found for \
10.162.19.55...10.162.19.54, sending NO_PROPOSAL_CHOSEN</div><div>05[ENC] generating \
IKE_SA_INIT response 0 [ N(NO_PROP) ]</div><div>05[NET] sending packet: from \
10.162.19.55[500] to 10.162.19.54[500] (36 bytes)</div><div>05[IKE] IKE_SA \
(unnamed)[1] state change: CREATED => \
DESTROYING</div></div><div><br></div><div>And my ipsec.conf is quite \
simple:</div><div><div>config setup</div><div> \
uniqueids=yes</div><div><br></div><div>conn %default</div><div> \
keyingtries=%forever</div><div> type=transport</div><div> \
keyexchange=ikev2</div><div> auto=route</div><div> \
ike=aes256gcm16-sha256-modp2048</div><div> \
esp=aes256gcm16-modp2048</div><div><br></div><div>conn host54</div><div> \
left=0.0.0.0</div><div> right=10.162.19.54</div><div> authby=psk</div><div> \
leftprotoport=gre</div><div> \
rightprotoport=gre</div></div><div><br></div><div>"ipsec statusall" shows \
the following:</div><div><div>Status of IKE charon daemon (strongSwan 5.3.5, Linux \
4.4.0-87-generic, x86_64):<br></div><div> uptime: 3 seconds, since Sep 02 22:00:24 \
2019</div><div> malloc: sbrk 1216512, mmap 0, used 251808, free 964704</div><div> \
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: \
0</div><div> loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random \
nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey \
pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke \
updown</div><div>Listening IP addresses:</div><div> 10.162.19.55</div><div> \
fd01:0:101:2616:20c:29ff:fe2f:26c4</div><div> 172.17.0.1</div><div> \
192.168.0.55</div><div>Connections:</div><div> host54: 0.0.0.0...10.162.19.54 \
IKEv2</div><div> host54: local: uses pre-shared key \
authentication</div><div> host54: remote: [10.162.19.54] uses pre-shared key \
authentication</div><div> host54: child: dynamic[gre] === dynamic[gre] \
TRANSPORT</div><div>Routed Connections:</div><div> host54 {1}: ROUTED, \
TRANSPORT, reqid 1</div><div> host54 {1}: <a \
href="http://10.162.19.55/32%5Bgre%5D" target="_blank">10.162.19.55/32[gre]</a> === \
<a href="http://10.162.19.54/32%5Bgre%5D" \
target="_blank">10.162.19.54/32[gre]</a></div><div>Security Associations (0 up, 0 \
connecting):</div><div> none</div></div><div><br></div><div>So, I could not see \
anything wrong. Could you please \
help?</div><div><br></div><div>Regards,</div><div>Jianjun</div><div><br></div><div><br \
></div><div><br></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
>
</blockquote></div>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic