[Swan] L2TP/IKEv1 connection deleted and NO_PROPOSAL_CHOSEN behind NAT (AWS EC2)
Auu Wang
meow at imlibra.me
Wed Dec 13 12:23:43 EET 2023
My ipsec.conf:
config setup
# Private ranges a NATed peer may present; 10.10.0.0/16 is excluded because
# it holds the address pools handed out by the conns below.
virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.10.0.0/16
# Several peers may use the same ID concurrently; an older SA with the same ID
# is not torn down when a new one comes up (presumably the intent for shared PSKs).
uniqueids=no
# IKEv2 road-warrior, pre-shared key. With right=%any the same PSK is used by
# every peer that lands on this conn, so it is effectively a group secret.
conn internet
ikev2=yes
authby=secret
# Gateway's private (VPC) address; the log below shows the peer's selector
# carrying the public address 57.180.75.245 instead (1:1 NAT on EC2, presumably).
left=172.31.2.1
leftid=@ipsec.imlibra.me
# Full-tunnel: all client traffic is routed through the gateway.
leftsubnet=0.0.0.0/0
right=%any
rightaddresspool=10.10.0.1-10.10.0.254
modecfgdns=172.31.0.2
mobike=yes
mtu=1380
auto=add
# IKEv2 certificate-based variant; peers must present a cert issued by rightca.
conn internet-cert
ikev2=insist
left=172.31.2.1
leftcert="imlibra.me"
leftid=@ipsec.imlibra.me
leftsendcert=always
leftsubnet=0.0.0.0/0
leftrsasigkey=%cert
right=%any
rightaddresspool=10.10.1.1-10.10.1.254
rightca="trustid-ca-a13"
rightrsasigkey=%cert
narrowing=yes
dpddelay=30
dpdtimeout=120
dpdaction=clear
rekey=no
fragmentation=yes
auto=add
# Shared IKEv1 settings, pulled in via also= by internet-l2tp and internet-xauth.
conn internet-ikev1
left=172.31.2.1
right=%any
# Force UDP encapsulation (the log shows notifications going to port 4500).
encapsulation=yes
# Same group-PSK caveat as conn internet: right=%any means one secret for all peers.
authby=secret
# No PFS for the IPsec (child) SAs: compromise of the IKE SA keys exposes them.
pfs=no
rekey=no
keyingtries=5
dpddelay=30
dpdtimeout=300
# Only takes effect if the peer advertises DPD; the log shows it did not.
dpdaction=clear
ikev2=never
# All four IKE proposals use MODP2048; two still allow SHA-1 as integrity/PRF.
# The log shows the IKE SA negotiated as AES_CBC_128 / HMAC_SHA1 / MODP2048.
ike=aes256-sha2;modp2048,aes128-sha2;modp2048,aes256-sha1;modp2048,aes128-sha1;modp2048
# ESP proposals offered for Quick Mode. Quick Mode in the log fails with
# "no acceptable Proposal in IPsec SA"; this list is one of the two things
# being compared there (the other is the traffic selectors, see internet-l2tp).
phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
ikelifetime=24h
salifetime=24h
sha2-truncbug=no
# Transport-mode L2TP/IPsec on UDP 1701. In the log below the IKE SA for this
# conn is established, then Quick Mode is rejected with NO_PROPOSAL_CHOSEN
# immediately after the peer proposes
#   57.180.75.245/32:1701 -UDP-> 192.168.1.98/32:1701
# i.e. a selector built from the gateway's public address (not left=172.31.2.1)
# and the peer's private address behind NAT (two NAT-OA payloads were received).
# Whether the selector/NAT-OA handling or the phase2alg list is what is rejected
# cannot be told from this excerpt; a debug trace of the Quick Mode proposal
# comparison would show which side mismatches.
conn internet-l2tp
leftprotoport=17/1701
rightprotoport=17/%any
type=transport
also=internet-ikev1
auto=add
# IKEv1 XAUTH + ModeConfig (Cisco-Unity style) road-warrior, full-tunnel.
conn internet-xauth
leftsubnet=0.0.0.0/0
rightaddresspool=10.10.4.1-10.10.4.254
modecfgdns=172.31.0.2
leftxauthserver=yes
rightxauthclient=yes
leftmodecfgserver=yes
rightmodecfgclient=yes
modecfgpull=yes
cisco-unity=yes
also=internet-ikev1
auto=add
# System crypto policy; it may add or restrict defaults not visible here.
include /etc/crypto-policies/back-ends/libreswan.config
include /etc/ipsec.d/*.conf
Error log:
"internet-l2tp"[1] 114.246.207.132 #1: responding to Main Mode from unknown peer 114.246.207.132:500
"internet-l2tp"[1] 114.246.207.132 #1: sent Main Mode R1
"internet-l2tp"[1] 114.246.207.132 #1: sent Main Mode R2
"internet-l2tp"[1] 114.246.207.132 #1: Peer ID is ID_IPV4_ADDR: '192.168.1.98'
"internet-l2tp"[1] 114.246.207.132 #1: switched to "internet-l2tp"[2] 114.246.207.132
"internet-l2tp"[1] 114.246.207.132: deleting connection instance with peer 114.246.207.132 {isakmp=#0/ipsec=#0}
CRYPTO_IKE_SA pid=31910 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 msg='op=start direction=responder conn-name="internet-l2tp" connstate=1 ike-version=1 auth=PRESHARED_KEY cipher=aes ksize=128 integ=sha1 prf=sha1 pfs=MODP2048 raddr=114.246.207.132 exe="/usr/libexec/ipsec/pluto" hostname=? addr=172.31.2.1 terminal=? res=success'
"internet-l2tp"[2] 114.246.207.132 #1: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_128 integ=HMAC_SHA1 group=MODP2048}
"internet-l2tp"[2] 114.246.207.132 #1: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
"internet-l2tp"[2] 114.246.207.132 #1: the peer proposed: 57.180.75.245/32:1701 -UDP-> 192.168.1.98/32:1701
CRYPTO_IKE_SA pid=31910 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 msg='op=start direction=responder conn-name="internet-l2tp" connstate=2 ike-version=1 auth=PRESHARED_KEY cipher=aes ksize=128 integ=sha1 prf=sha1 pfs=MODP2048 raddr=114.246.207.132 exe="/usr/libexec/ipsec/pluto" hostname=? addr=172.31.2.1 terminal=? res=failed'
| checking hostpair 172.31.2.1/32:1701 -> 114.246.207.132/32:0
"internet-l2tp"[2] 114.246.207.132 #1: NAT-Traversal: received 2 NAT-OA. Using first; ignoring others
"internet-l2tp"[2] 114.246.207.132 #2: no acceptable Proposal in IPsec SA
"internet-l2tp"[2] 114.246.207.132 #2: sending encrypted notification NO_PROPOSAL_CHOSEN to 114.246.207.132:4500
"internet-l2tp"[2] 114.246.207.132 #2: deleting state (STATE_QUICK_R0) aged 0.000276s and NOT sending notification
"internet-l2tp"[2] 114.246.207.132 #1: the peer proposed: 57.180.75.245/32:1701 -UDP-> 192.168.1.98/32:1701
CRYPTO_IKE_SA pid=31910 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 msg='op=start direction=responder conn-name="internet-l2tp" connstate=3 ike-version=1 auth=PRESHARED_KEY cipher=aes ksize=128 integ=sha1 prf=sha1 pfs=MODP2048 raddr=114.246.207.132 exe="/usr/libexec/ipsec/pluto" hostname=? addr=172.31.2.1 terminal=? res=failed'
……