[Swan] Libreswan 4.3 | Failing with dropping unexpected IKE_SA_INIT message containing NO_PROPOSAL_CHOSEN notification

Blue Aquan blueaquan at zuwissen.com
Thu Mar 25 17:41:08 UTC 2021

Hi Paul	I made the changes as suggested by you and there's progress, I
see the tunnel is getting established now, but no communication is
happening between the client and Server. By the way this tunnel I am
looking at establishing is between my laptop running CentOS 8 at home
and a CentOS 8 gateway at office which as I mentioned earlier has site-
to-site VPN established successfully to 4 other locations using
Libreswan.  As of now, I am only looking at accessing resources behind
this gateway, eventually the intention is to access all those 4
locations the gateway is talking to.
As of now, the changes and logs look like this
Server side. Replaced Server's public Ip with
conn MOBILE	left=    	leftsubnet=    	
leftcert=europa.abc.com    	leftid=@europa.abc.com    	leftrsa
sigkey=%cert    	leftsendcert=always    	right=%any    	rightsu
bnet=    	rightca=%same    	rightrsasigkey=%cert   
 	auto=add    	dpddelay=60    	dpdtimeout=300    	dpdacti
on=clear    	ikev2=insist	narrowing=yes	fragmentation=yes    	

Client side
conn EUROPA	left=%defaultroute	leftcert=ceres.xyz.com	leftid=
%fromcert	leftrsasigkey=%cert	leftsubnet=	
leftmodecfgclient=yes	right=	rightsubnet=	
rightid=@europa.abc.com	rightrsasigkey=%cert	ikev2=insist	rekey=y
es	fragmentation=yes	narrowing=yes	mobike=yes	auto=ad

On the client side when an attempt is made.
# ipsec auto --up EUROPA181 "EUROPA"[2] #5: initiating IKEv2
connection181 "EUROPA"[2] #5: sent IKE_SA_INIT request182
"EUROPA"[2] #5: sent IKE_AUTH request {auth=IKEv2
cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}002
"EUROPA"[2] #5: certificate verified OK:
O=Europa,CN=europa.abc.com002 "EUROPA"[2] #5: IKEv2 mode peer
ID is ID_FQDN: '@europa.abc.com'003 "EUROPA"[2] #5:
authenticated using RSA with SHA2_512003 "EUROPA"[2] #6:
missing v2CP reply, not attempting to setup child SA214 "EUROPA"[2] #6: state transition 'Initiator: process IKE_AUTH response'
failed with v2N_NO_PROPOSAL_CHOSEN002 "EUROPA"[2] #6: deleting
state (STATE_PARENT_I2) aged 60.09774s and NOT sending notification

On the Server side, /var/log/pluto.log shows this. Replaced my public
IP with
Mar 25 20:18:03.398343: "MOBILE"[3] local IKE proposals (IKE
SA responder matching remote proposals): Mar 25 20:18:03.398376:
"MOBILE"[3]   1:IKE=AES_GCM_C_256-HMAC_SHA2_512+HMAC_SHA2_256-
ar 25 20:18:03.398381: "MOBILE"[3]   2:IKE=AES_GCM_C_128-
ar 25 20:18:03.398385: "MOBILE"[3]   3:IKE=AES_CBC_256-
ar 25 20:18:03.398403: "MOBILE"[3]   4:IKE=AES_CBC_128-
ar 25 20:18:03.398418: "MOBILE"[3] #9: proposal
1:IKE=AES_GCM_C_256-HMAC_SHA2_512-MODP2048 chosen from remote proposals
;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519Mar 25
20:18:03.399828: "MOBILE"[3] #9: sent IKE_SA_INIT reply
{auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512
group=MODP2048}Mar 25 20:18:03.452119: "MOBILE"[3] #9:
processing decrypted IKE_AUTH request:
SK{IDi,CERT,IDr,AUTH,CP,SA,TSi,TSr,N}Mar 25 20:18:03.452836:
"MOBILE"[3] #9: certificate verified OK:
O=Europa,CN=ceres.xyz.comMar 25 20:18:03.452857: "MOBILE"[3]
#9: certificate subjectAltName extension does not match ID_IPV4_ADDR
''Mar 25 20:18:03.452862: "MOBILE"[3] #9: Peer CERT
payload SubjectAltName does not match peer ID for this connectionMar 25
20:18:03.452880: "MOBILE"[3] #9: X509: connection failed due to
unmatched IKE ID in certificate SANMar 25 20:18:03.452935: "MOBILE"[3] #9: switched from "MOBILE"[3] to "MOBILE"Mar 25
20:18:03.452949: "MOBILE"[3] deleting connection instance with
peer {isakmp=#0/ipsec=#0}Mar 25 20:18:03.452964: "MOBILE"[4] #9: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'CN=ceres.xyz.com,
O=Europa'Mar 25 20:18:03.453185: "MOBILE"[4] #9: authenticated
using RSA with SHA2_512Mar 25 20:18:03.461603: "MOBILE"[4]
local ESP/AH proposals (IKE_AUTH responder matching remote ESP/AH
proposals): Mar 25 20:18:03.461622: "MOBILE"[4]   1:ESP=AES_GCM_C_256-NONE-NONE-DISABLEDMar 25
20:18:03.461626: "MOBILE"[4]   2:ESP=AES_GCM_C_128-NONE-NONE-
DISABLEDMar 25 20:18:03.461630: "MOBILE"[4]   3:ESP=AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-NONE-
DISABLEDMar 25 20:18:03.461633: "MOBILE"[4]   4:ESP=AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128-NONE-
DISABLEDMar 25 20:18:03.461642: "MOBILE"[4] #10: proposal
1:ESP=AES_GCM_C_256-DISABLED SPI=7f84b6fd chosen from remote proposals
ESN=DISABLEDMar 25 20:18:03.494155: "MOBILE"[4] #10: negotiated
connection [ 0] -> [ 0]Mar 25 20:18:03.494182: "MOBILE"[4]
#10: IPsec SA established tunnel mode {ESPinUDP=>0x7f84b6fd <0xd8d28ada
xfrm=AES_GCM_16_256-NONE NATOA=none NATD= DPD=active}

Thanks, Best

On Wed, 2021-03-24 at 15:36 -0400, Paul Wouters wrote:
> On Thu, 25 Mar 2021, Blue Aquan wrote:
> > Server side
> > conn
> > MOBILE        left=europa.abc.com        leftsubnet=
> >         right=%any        rightaddresspool=
> >
> add leftid=@europa.abc.com
> > Client side
> > conn
> > EUROPA        left=%defaultroute        leftsubnet=  
> >       right=europa.abc.com        rightsubnet=       
> >  rightid=@europa.abc.com
> I cannot tell whether you want a tunnel established from
> <-> that you want to hand out an
> addresspool to the client via rightaddresspool=
> If you meant a subnet to subnet, then on the conn MOBILE replace
> theaddresspool line with rightsubnet=
> If you meant giving it a single IP, then remote
> therightsubnet= and add rightsubnet= with
> narrowing=yes
> Paul
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20210325/41d41020/attachment.html>

More information about the Swan mailing list