[Swan] Windows 10 client to libreswan VPN server: CHILD SA: no local proposal matches remote proposals

Mirsad Goran Todorovac mirsad.todorovac at alu.unizg.hr
Tue Jan 4 23:38:31 EET 2022


Hi all,

I have recreated the pub and priv certs according to the instructions again.
This time I was lucky and the connection made it through the initial
message exchange and SA negotiation.

However, when libreswan tries to negotiate the CHILD SA, something goes
wrong, and it can't choose the right ESP proposal. I tried to set it
manually (the recommended commented esp), but then even the first phase
doesn't come through:

Jan  4 22:19:06.408740: "MYCONN-ikev2-cp"[1] 94.253.211.242 #3: no local proposal matches remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED 2:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED 3:ESP:ENCR=3DES;INTEG=HMAC_SHA1_96;ESN=DISABLED 4:ESP:ENCR=DES(UNUSED);INTEG=HMAC_SHA1_96;ESN=DISABLED 5:ESP:ENCR=NULL;INTEG=HMAC_SHA1_96;ESN=DISABLED
Jan  4 22:19:06.408749: "MYCONN-ikev2-cp"[1] 94.253.211.242 #3: IKE_AUTH responder matching remote ESP/AH proposals failed, responder SA processing returned STF_FAIL+v2N_NO_PROPOSAL_CHOSEN
Jan  4 22:19:06.408756: | process_v2_childs_sa_payload returned STF_FAIL+v2N_NO_PROPOSAL_CHOSEN
Jan  4 22:19:06.408762: | should_send_delete: #3? no, IKEv2 SA in state STATE_V2_IKE_AUTH_CHILD_R0 is not established
Jan  4 22:19:06.408769: | deleting state (STATE_V2_IKE_AUTH_CHILD_R0) aged 0.001362s and NOT sending notification

Here is the session log: https://domac.alu.hr/mtodorov/ikev2-20220104-06.log

/etc/ipsec.d/ikev2.conf:

conn MYCONN-ikev2-cp
         # The server's actual IP goes here - not elastic IPs
         left=161.53.235.3
         leftcert=vpn.alu.hr
         leftid=@vpn.alu.hr
         leftsendcert=always
         leftsubnet=0.0.0.0/0
         leftrsasigkey=%cert
         # Clients
         right=%any
         # your addresspool to use - you might need NAT rules if providing full internet to clients
         rightaddresspool=192.168.100.10-192.168.100.253
         # optional rightid with restrictions
         rightid="O=ALU-UNIZG,CN=win7client.alu.hr"
         rightca=%same
         rightrsasigkey=%cert
         #
         # connection configuration
         # DNS servers for clients to use
         modecfgdns=8.8.8.8,192.168.100.1
         # Versions up to 3.22 used modecfgdns1 and modecfgdns2
         #modecfgdns1=8.8.8.8
         #modecfgdns2=193.110.157.123
         narrowing=yes
         # recommended dpd/liveness to cleanup vanished clients
         dpddelay=30
         dpdtimeout=120
         dpdaction=clear
         auto=add
         ikev2=insist
         rekey=no
         # esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024
         # ikev2 fragmentation support requires libreswan 3.14 or newer
         fragmentation=yes
         # optional PAM username verification (eg to implement bandwidth quota)
         # pam-authorize=yes

--
Mirsad Goran Todorovac
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
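An added example, not part of the post or of libreswan: a small Python checker that parses the remote-proposal list from a libreswan log line like the one in the post and a libreswan esp= string, and lists the ESP proposals both sides have in common. Only the AES_CBC, 3DES, DES, NULL and HMAC_SHA1_96 names are taken from the log above; the AES_GCM_16, HMAC_SHA2_* and NONE names in the tables are assumptions about how libreswan prints those algorithms.

```python
import re

# Constructed from the remote-proposal line in the post's log.
REMOTE_LOG = (
    "no local proposal matches remote proposals "
    "1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED "
    "2:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED "
    "3:ESP:ENCR=3DES;INTEG=HMAC_SHA1_96;ESN=DISABLED "
    "4:ESP:ENCR=DES(UNUSED);INTEG=HMAC_SHA1_96;ESN=DISABLED "
    "5:ESP:ENCR=NULL;INTEG=HMAC_SHA1_96;ESN=DISABLED"
)
# The commented esp= line from the post's ikev2.conf.
ESP_FROM_POST = ("aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,"
                 "aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024")

# esp= tokens -> names libreswan prints in the log. AES_CBC/3DES/NULL/HMAC_SHA1_96
# come from the log above; the GCM, SHA2 and NONE spellings are assumptions.
ENCR = {"aes": "AES_CBC", "aes_gcm": "AES_GCM_16", "3des": "3DES", "null": "NULL"}
INTEG = {"sha1": "HMAC_SHA1_96", "sha2_256": "HMAC_SHA2_256_128",
         "sha2_512": "HMAC_SHA2_512_256", "null": "NONE"}


def parse_remote(log_line):
    """Return the (ENCR, INTEG) pairs the peer offered, in its preference order."""
    pairs = re.findall(r"\d+:ESP:ENCR=([^;]+);INTEG=([^;]+);", log_line)
    return [(e.split("(")[0], i) for e, i in pairs]  # drop "(UNUSED)" marks


def parse_esp(esp):
    """Expand a libreswan esp= string into the same (ENCR, INTEG) form."""
    out = []
    # Anything after ';' (e.g. ';modp1024') is the DH group, not an ESP transform.
    for prop in esp.split(";")[0].split(","):
        enc, _, integ = prop.partition("-")
        m = re.fullmatch(r"(3des|[a-z_]+?)(\d+)?", enc)
        name = ENCR[m.group(1)] + (f"_{m.group(2)}" if m.group(2) else "")
        out.append((name, INTEG[integ or "null"]))
    return out


def matching(esp, log_line):
    """Proposals present on both sides; empty means NO_PROPOSAL_CHOSEN."""
    local = set(parse_esp(esp))
    return [p for p in parse_remote(log_line) if p in local]
```

Against the post's esp= line the checker reports the two AES-CBC/SHA1 proposals as shared, while an AEAD-only esp= such as aes_gcm256-null leaves nothing the Windows client offered.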
