[Swan] Windows 10 client to libreswan VPN server: CHILD SA: no local proposal matches remote proposals

Mirsad Goran Todorovac mirsad.todorovac at alu.unizg.hr
Wed Jan 5 00:13:05 EET 2022


Hi all,

I have succeeded in connecting by adding the following line

esp=aes_gcm256,aes_gcm128,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1

to the config. The

esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024

line I found in the options doesn't work well with libreswan 4.5, which I'm 
using. Perhaps someone should update the cookbooks on the libreswan.org 
site?

Thanks for the thought and all the help.

Kind regards,
Mirsad Todorovac

On 1/4/2022 10:38 PM, Mirsad Goran Todorovac wrote:
> Hi all,
>
> I have recreated the pub and priv certs according to the instructions 
> again. This time I was lucky and the connection made it through the 
> initial message exchange and SA negotiation.
>
> However, when libreswan tries to negotiate the CHILD SA, something goes 
> wrong, and it can't choose the right ESP proposal. I tried to set it 
> manually (the recommended, commented-out esp= line), but then even the first 
> phase doesn't come through:
>
> Jan  4 22:19:06.408740: "MYCONN-ikev2-cp"[1] 94.253.211.242 #3: no local proposal matches remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED 2:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED 3:ESP:ENCR=3DES;INTEG=HMAC_SHA1_96;ESN=DISABLED 4:ESP:ENCR=DES(UNUSED);INTEG=HMAC_SHA1_96;ESN=DISABLED 5:ESP:ENCR=NULL;INTEG=HMAC_SHA1_96;ESN=DISABLED
> Jan  4 22:19:06.408749: "MYCONN-ikev2-cp"[1] 94.253.211.242 #3: IKE_AUTH responder matching remote ESP/AH proposals failed, responder SA processing returned STF_FAIL+v2N_NO_PROPOSAL_CHOSEN
> Jan  4 22:19:06.408756: | process_v2_childs_sa_payload returned STF_FAIL+v2N_NO_PROPOSAL_CHOSEN
> Jan  4 22:19:06.408762: | should_send_delete: #3? no, IKEv2 SA in state STATE_V2_IKE_AUTH_CHILD_R0 is not established
> Jan  4 22:19:06.408769: | deleting state (STATE_V2_IKE_AUTH_CHILD_R0) aged 0.001362s and NOT sending notification
>
> Here is the session log: 
> https://domac.alu.hr/mtodorov/ikev2-20220104-06.log
>
> /etc/ipsec.d/ikev2.conf:
>
> conn MYCONN-ikev2-cp
>         # The server's actual IP goes here - not elastic IPs
>         left=161.53.235.3
>         leftcert=vpn.alu.hr
>         leftid=@vpn.alu.hr
>         leftsendcert=always
>         leftsubnet=0.0.0.0/0
>         leftrsasigkey=%cert
>         # Clients
>         right=%any
>         # your addresspool to use - you might need NAT rules if providing full internet to clients
>         rightaddresspool=192.168.100.10-192.168.100.253
>         # optional rightid with restrictions
>         rightid="O=ALU-UNIZG,CN=win7client.alu.hr"
>         rightca=%same
>         rightrsasigkey=%cert
>         #
>         # connection configuration
>         # DNS servers for clients to use
>         modecfgdns=8.8.8.8,192.168.100.1
>         # Versions up to 3.22 used modecfgdns1 and modecfgdns2
>         #modecfgdns1=8.8.8.8
>         #modecfgdns2=193.110.157.123
>         narrowing=yes
>         # recommended dpd/liveness to cleanup vanished clients
>         dpddelay=30
>         dpdtimeout=120
>         dpdaction=clear
>         auto=add
>         ikev2=insist
>         rekey=no
>         # esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024
>         # ikev2 fragmentation support requires libreswan 3.14 or newer
>         fragmentation=yes
>         # optional PAM username verification (eg to implement bandwidth quota)
>         # pam-authorize=yes
>
> -- 
> Mirsad Goran Todorovac
> CARNet sistem inženjer
> Grafički fakultet | Akademija likovnih umjetnosti
> Sveučilište u Zagrebu

--
Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
-- 
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
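Added example, not code from this thread or from libreswan: a small Python script that parses the remote proposal list libreswan logged in the quoted message (the five ESP proposals the Windows client offered) together with a libreswan-style esp= string, and reports which local/remote pairs agree on encryption and integrity. It is how one can see on paper why a list without an aes256-sha1 or aes128-sha1 entry ends in NO_PROPOSAL_CHOSEN for this client. The spelling of the logged algorithm names and the keyword table are assumptions limited to the algorithms that appear in the thread; the script ignores ESN and the PFS group, and whether libreswan 4.5 accepts a given esp= string at all is a separate question it does not answer.

```python
"""Added example, not code from the thread or from libreswan: replay the ESP
proposal match libreswan logged against a libreswan-style esp= string."""
from __future__ import annotations

import re
from dataclasses import dataclass

# libreswan esp= keyword -> the name libreswan prints in its proposal log lines.
# Assumption: these spellings; only algorithms that appear in the thread are listed.
ENCR_NAMES = {
    "aes128": "AES_CBC_128",
    "aes256": "AES_CBC_256",
    "3des": "3DES",
    "aes_gcm128": "AES_GCM_16_128",  # assumed label; AEAD, never pairs with an HMAC
    "aes_gcm256": "AES_GCM_16_256",  # assumed label
}
INTEG_NAMES = {
    "sha1": "HMAC_SHA1_96",
    "sha2_256": "HMAC_SHA2_256_128",
    "sha2_512": "HMAC_SHA2_512_256",
    "null": "NONE",
}
AEAD = {"aes_gcm128", "aes_gcm256"}

# Constructed inputs: the remote proposals copied from the log above (joined onto
# one line), the esp= line that worked, and the cookbook line that did not.
LOGGED_PROPOSALS = (
    "1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED "
    "2:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED "
    "3:ESP:ENCR=3DES;INTEG=HMAC_SHA1_96;ESN=DISABLED "
    "4:ESP:ENCR=DES(UNUSED);INTEG=HMAC_SHA1_96;ESN=DISABLED "
    "5:ESP:ENCR=NULL;INTEG=HMAC_SHA1_96;ESN=DISABLED"
)
WORKING_ESP = "aes_gcm256,aes_gcm128,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1"
COOKBOOK_ESP = ("aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,"
                "aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024")


@dataclass(frozen=True)
class Proposal:
    encr: str
    integ: str
    dh: str = ""   # ';modpNNNN' PFS group suffix on a local proposal, if any
    esn: str = ""  # ESN flag as logged on a remote proposal


def parse_esp(esp: str) -> list[Proposal]:
    """Parse an esp= value into proposals, in local preference order."""
    out = []
    for item in esp.split(","):
        algs, _, dh = item.strip().partition(";")
        encr, _, integ = algs.partition("-")
        if encr not in ENCR_NAMES:
            raise ValueError(f"unknown encryption keyword {encr!r}")
        if not integ:
            if encr not in AEAD:
                raise ValueError(f"{encr}: this simplified parser needs an explicit integrity algorithm")
            integ = "null"  # AEAD carries its own integrity
        if integ not in INTEG_NAMES:
            raise ValueError(f"unknown integrity keyword {integ!r}")
        out.append(Proposal(ENCR_NAMES[encr], INTEG_NAMES[integ], dh=dh))
    return out


REMOTE_RE = re.compile(r"\d+:ESP:ENCR=([A-Z0-9_]+)(?:\(UNUSED\))?;INTEG=([A-Z0-9_]+);ESN=(\w+)")


def parse_remote(log_line: str) -> list[Proposal]:
    """Pull the remote proposals out of a 'no local proposal matches' log line."""
    return [Proposal(encr, integ, esn=esn) for encr, integ, esn in REMOTE_RE.findall(log_line)]


def match(local: list[Proposal], remote: list[Proposal]) -> list[tuple[int, int]]:
    """(local_index, remote_index) pairs that agree on encryption and integrity.

    Simplification (assumption): ESN and the PFS DH group are not compared, and
    whether libreswan accepts the esp= string at all is outside this check."""
    return [(i, j) for i, loc in enumerate(local) for j, rem in enumerate(remote)
            if loc.encr == rem.encr and loc.integ == rem.integ]


def explain(esp: str, log_line: str) -> str:
    """Summarise the outcome the way the log would: a chosen pair or NO_PROPOSAL_CHOSEN."""
    local, remote = parse_esp(esp), parse_remote(log_line)
    pairs = match(local, remote)
    if not pairs:
        return "NO_PROPOSAL_CHOSEN"
    i, j = pairs[0]  # first pair in local preference order (simplification)
    return f"local {i + 1} ({local[i].encr}/{local[i].integ}) matches remote {j + 1}"


if __name__ == "__main__":
    print("working line :", explain(WORKING_ESP, LOGGED_PROPOSALS))
    print("strict line  :", explain("aes_gcm256,aes256-sha2_512", LOGGED_PROPOSALS))
    print("cookbook line:", [(p.encr, p.integ, p.dh) for p in parse_esp(COOKBOOK_ESP)])
```

Run it against any other "no local proposal matches remote proposals" line from a libreswan log to see at a glance which of the client's offers your esp= list can satisfy; the only overlap between this Windows client's five offers and the working list is AES-CBC with HMAC-SHA1-96, which is why the sha1 entries are what made the difference.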
