[Swan] Libreswan 4.3 | Failing with dropping unexpected IKE_SA_INIT message containing NO_PROPOSAL_CHOSEN notification

Blue Aquan blueaquan at zuwissen.com
Wed Mar 24 19:25:20 UTC 2021


Hi Forum users, experts and developer team. I am new to Libreswan and
trying to set up a remote VPN on a CentOS 8 machine running Libreswan
version 4.3; the client machine at the moment is also a CentOS 8 with
the same version of Libreswan. Additional note: the VPN server has
site-to-site VPNs established successfully to 4 other locations. This
remote VPN has been attempted without disturbing the existing setup.
Documentation followed: I have followed almost entirely
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2 to
set up this environment. The "ike" and "esp" statements were just added
while trying to figure out various options, but with and without them,
the results are the same.

Server side

conn MOBILE
        left=europa.abc.com
        leftsubnet=192.168.1.0/24
        leftcert=europa.abc.com
        leftid=%fromcert
        leftrsasigkey=%cert
        leftsendcert=always
        right=%any
        rightaddresspool=10.10.128.10-10.10.128.20
        rightca=%same
        rightrsasigkey=%cert
        modecfgdns="208.67.222.222,208.67.220.220"
        auto=add
        ike=aes256-sha2_512+sha2_256-dh21
        esp=aes256-sha2_512+sha1+sha2_256;dh21
        dpddelay=60
        dpdtimeout=300
        dpdaction=clear
        ikev2=insist
        fragmentation=yes
        type=tunnel

ipsec status

000 "MOBILE": 192.168.1.0/24===192.168.1.1<europa.abc.com>[CN=europa.abc.com, O=Europa,MS+S=C]...%any[+MC+S=C]; unrouted; eroute owner: #0
000 "MOBILE":     oriented; my_ip=unset; their_ip=unset; mycert=europa.abc.com; my_updown=ipsec _updown;
000 "MOBILE":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "MOBILE":   our auth:rsasig, their auth:rsasig
000 "MOBILE":   modecfg info: us:server, them:client, modecfg policy:push, dns:208.67.222.222,208.67.220.220, domains:unset, cat:unset;
000 "MOBILE":   sec_label:unset;
000 "MOBILE":   CAs: 'CN=Europa CA, O=Europa'...'CN=Europa CA, O=Europa'
000 "MOBILE":   ike_life: 28800s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "MOBILE":   retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "MOBILE":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "MOBILE":   policy: IKEv2+RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5;
000 "MOBILE":   v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;
000 "MOBILE":   conn_prio: 24,0; interface: eno1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "MOBILE":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "MOBILE":   our idtype: ID_DER_ASN1_DN; our id=CN=europa.abc.com, O=Europa; their idtype: %none; their id=(none)
000 "MOBILE":   dpd: action:clear; delay:60; timeout:300; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "MOBILE":   newest ISAKMP SA: #0; newest IPsec SA: #0; conn serial: $4;
000 "MOBILE":   IKE algorithms: AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-DH21
000 "MOBILE":   ESP algorithms: AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA1_96+HMAC_SHA2_256_128-DH21

Client side

conn EUROPA
        left=%defaultroute
        leftcert=ceres.xyz.com
        leftid=%fromcert
        leftrsasigkey=%cert
        leftsubnet=10.10.128.0/24
        leftmodecfgclient=yes
        right=europa.abc.com
        rightsubnet=192.168.1.0/24
        rightid=@europa.abc.com
        rightrsasigkey=%cert
        ike=aes256-sha2_512+sha2_256-dh21
        esp=aes256-sha2_512+sha1+sha2_256;dh21
        ikev2=insist
        rekey=yes
        fragmentation=yes
        mobike=yes
        auto=add
ipsec status

000 "EUROPA": 10.10.128.0/24===10.10.128.10[CN=ceres.xyz.com, O=Europa,+MC+S=C]---10.10.128.1...1.2.3.4<europa.abc.com>[@europa.abc.com]===192.168.1.0/24; unrouted; eroute owner: #0
000 "EUROPA":     oriented; my_ip=unset; their_ip=unset; mycert=ceres.xyz.com; my_updown=ipsec _updown;
000 "EUROPA":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "EUROPA":   our auth:rsasig, their auth:rsasig
000 "EUROPA":   modecfg info: us:client, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "EUROPA":   sec_label:unset;
000 "EUROPA":   CAs: 'CN=Europa CA, O=Europa'...'%any'
000 "EUROPA":   ike_life: 28800s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "EUROPA":   retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "EUROPA":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "EUROPA":   policy: IKEv2+RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+IKE_FRAG_ALLOW+MOBIKE+ESN_NO+RSASIG_v1_5;
000 "EUROPA":   v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;
000 "EUROPA":   conn_prio: 24,24; interface: wlp2s0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "EUROPA":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "EUROPA":   our idtype: ID_DER_ASN1_DN; our id=CN=ceres.xyz.com, O=Europa; their idtype: ID_FQDN; their id=@europa.abc.com
000 "EUROPA":   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "EUROPA":   newest ISAKMP SA: #0; newest IPsec SA: #0; conn serial: $1;
000 "EUROPA":   IKE algorithms: AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-DH21
000 "EUROPA":   ESP algorithms: AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA1_96+HMAC_SHA2_256_128-DH21

/var/log/pluto.log

Mar 24 23:43:05.426935: "EUROPA": loaded private key matching left certificate 'ceres.xyz.com'
Mar 24 23:43:05.427225: "EUROPA": added IKEv2 connection
Mar 24 23:43:05.427319: listening for IKE messages


-------------------------
On the client

# ipsec auto --add EUROPA
002 "EUROPA": terminating SAs using this connection
002 "EUROPA": added IKEv2 connection

# ipsec auto --up EUROPA
181 "EUROPA" #1: initiating IKEv2 connection
181 "EUROPA" #1: sent IKE_SA_INIT request
003 "EUROPA" #1: dropping unexpected IKE_SA_INIT message containing NO_PROPOSAL_CHOSEN notification; message payloads: N; missing payloads: SA,KE,Ni
010 "EUROPA" #1: STATE_PARENT_I1: retransmission; will wait 0.5 seconds for response
003 "EUROPA" #1: dropping unexpected IKE_SA_INIT message containing NO_PROPOSAL_CHOSEN notification; message payloads: N; missing payloads: SA,KE,Ni
010 "EUROPA" #1: STATE_PARENT_I1: retransmission; will wait 1 seconds for response
003 "EUROPA" #1: dropping unexpected IKE_SA_INIT message containing NO_PROPOSAL_CHOSEN notification; message payloads: N; missing payloads: SA,KE,Ni

On the server logs

Mar 25 00:13:38.299168: packet from 5.6.7.8:51286: ISAKMP_v2_IKE_SA_INIT message received on 1.2.3.4:500 but no suitable connection found with IKEv2 policy
Mar 25 00:13:38.299192: packet from 5.6.7.8:51286: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification NO_PROPOSAL_CHOSEN
Mar 25 00:13:38.797770: packet from 5.6.7.8:51286: ISAKMP_v2_IKE_SA_INIT message received on 1.2.3.4:500 but no suitable connection found with IKEv2 policy
Mar 25 00:13:38.797794: packet from 5.6.7.8:51286: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification NO_PROPOSAL_CHOSEN


Thanks, Best
