[Swan] No PARENT proposal selected

Bob Miller bob at computerisms.ca
Fri Oct 9 17:09:20 UTC 2015 

Hi Paul,

>> I am using the new format for the NSS DB sql:/etc/ipsec.d as specified
>> on the wiki, and I have compared my ipsec.conf to the ikev2 one on the
>> wiki as well.
>>
>> Any other suggestions where I might look for the problem?
>
> Run with plutodebug=all and see what's going on?

Seems libreswan doesn't load the fw certificate, but it's a little bit 
odd because ipsec auto --listall shows all the certs like I expect.  I 
will retrace my steps to see what I missed.

Oct  9 10:02:02 fw-kz pluto[30128]: | Added new connection rw-ikev2 with 
policy 
RSASIG+ENCRYPT+TUNNEL+PFS+DONT_REKEY+IKEV2_ALLOW+IKEV2_PROPOSE+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW
Oct  9 10:02:02 fw-kz pluto[30128]: | loaded certificate 'fw-kz.kza.yk.ca'
Oct  9 10:02:02 fw-kz pluto[30128]: | certificate is valid
Oct  9 10:02:02 fw-kz pluto[30128]: | get_pluto_gn_from_nss_cert: 
allocated pluto_gn 0x563ea31fad00
Oct  9 10:02:02 fw-kz pluto[30128]: | get_pluto_gn_from_nss_cert: 
allocated pluto_gn 0x563ea322c5b0
Oct  9 10:02:02 fw-kz pluto[30128]: | get_pluto_gn_from_nss_cert: 
allocated pluto_gn 0x563ea3227ba0
Oct  9 10:02:02 fw-kz pluto[30128]: | id kind mismatch
Oct  9 10:02:02 fw-kz pluto[30128]: | id kind mismatch
Oct  9 10:02:02 fw-kz pluto[30128]: | id kind mismatch
Oct  9 10:02:02 fw-kz pluto[30128]: | id kind mismatch
Oct  9 10:02:02 fw-kz pluto[30128]: | id kind mismatch
Oct  9 10:02:02 fw-kz pluto[30128]: | unreference key: 0x563ea31ff1d0 
C=CA, ST=Yukon, O=Kobayashi & Zedda Architects, OU=Network Admin, 
CN=fw-kz.kza.yk.ca, E=bob at computerisms.ca cnt 1--
Oct  9 10:02:02 fw-kz pluto[30128]: | id kind mismatch
Oct  9 10:02:02 fw-kz pluto[30128]: | id kind mismatch
Oct  9 10:02:02 fw-kz pluto[30128]: | unreference key: 0x563ea322c250 
@fw-kz.kza.yk.ca cnt 1--
Oct  9 10:02:02 fw-kz pluto[30128]: | counting wild cards for 
@fw-kz.kza.yk.ca is 0
Oct  9 10:02:02 fw-kz pluto[30128]: | certificate not loaded for this end
Oct  9 10:02:02 fw-kz pluto[30128]: | counting wild cards for %fromcert is 0


>
> Paul

More information about the Swan mailing list