[Swan] L2TP/IKEv1 connection deleted and NO_PROPOSAL_CHOSEN behind NAT (AWS EC2)

Auu Wang meow at imlibra.me
Wed Dec 13 12:23:43 EET 2023


My ipsec.conf:

 
config setup

   virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.10.0.0/16

   uniqueids=no

 
conn internet

   ikev2=yes

   authby=secret

   left=172.31.2.1

   leftid=@ipsec.imlibra.me

   leftsubnet=0.0.0.0/0

   right=%any

   rightaddresspool=10.10.0.1-10.10.0.254

   modecfgdns=172.31.0.2

   mobike=yes

   mtu=1380

   auto=add

 
conn internet-cert

   ikev2=insist

   left=172.31.2.1

   leftcert="imlibra.me"

   leftid=@ipsec.imlibra.me

   leftsendcert=always

   leftsubnet=0.0.0.0/0

   leftrsasigkey=%cert

   right=%any

   rightaddresspool=10.10.1.1-10.10.1.254

   rightca="trustid-ca-a13"

   rightrsasigkey=%cert

   narrowing=yes

   dpddelay=30

   dpdtimeout=120

   dpdaction=clear

   rekey=no

   fragmentation=yes

   auto=add

 
conn internet-ikev1

  left=172.31.2.1

  right=%any

  encapsulation=yes

  authby=secret

  pfs=no

  rekey=no

  keyingtries=5

  dpddelay=30

  dpdtimeout=300

  dpdaction=clear

  ikev2=never

  ike=aes256-sha2;modp2048,aes128-sha2;modp2048,aes256-sha1;modp2048,aes128-sha1;modp2048

  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2

  ikelifetime=24h

  salifetime=24h

  sha2-truncbug=no

 
conn internet-l2tp

  leftprotoport=17/1701

  rightprotoport=17/%any

  type=transport

  also=internet-ikev1

  auto=add

 
conn internet-xauth

  leftsubnet=0.0.0.0/0

  rightaddresspool=10.10.4.1-10.10.4.254

  modecfgdns=172.31.0.2

  leftxauthserver=yes

  rightxauthclient=yes

  leftmodecfgserver=yes

  rightmodecfgclient=yes

  modecfgpull=yes

  cisco-unity=yes

  also=internet-ikev1

  auto=add

 
include /etc/crypto-policies/back-ends/libreswan.config

 
include /etc/ipsec.d/*.conf

 
Error log:

 
"internet-l2tp"[1] 114.246.207.132 #1: responding to Main Mode from unknown peer 114.246.207.132:500

"internet-l2tp"[1] 114.246.207.132 #1: sent Main Mode R1

"internet-l2tp"[1] 114.246.207.132 #1: sent Main Mode R2

"internet-l2tp"[1] 114.246.207.132 #1: Peer ID is ID_IPV4_ADDR: '192.168.1.98'

"internet-l2tp"[1] 114.246.207.132 #1: switched to "internet-l2tp"[2] 114.246.207.132

"internet-l2tp"[1] 114.246.207.132: deleting connection instance with peer 114.246.207.132 {isakmp=#0/ipsec=#0}

 
CRYPTO_IKE_SA pid=31910 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 msg='op=start direction=responder conn-name="internet-l2tp" connstate=1 ike-version=1 auth=PRESHARED_KEY cipher=aes ksize=128 integ=sha1 prf=sha1 pfs=MODP2048  raddr=114.246.207.132 exe="/usr/libexec/ipsec/pluto" hostname=? addr=172.31.2.1 terminal=? res=success'

 
"internet-l2tp"[2] 114.246.207.132 #1: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_128 integ=HMAC_SHA1 group=MODP2048}

"internet-l2tp"[2] 114.246.207.132 #1: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support

"internet-l2tp"[2] 114.246.207.132 #1: the peer proposed: 57.180.75.245/32:1701 -UDP-> 192.168.1.98/32:1701

 
CRYPTO_IKE_SA pid=31910 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 msg='op=start direction=responder conn-name="internet-l2tp" connstate=2 ike-version=1 auth=PRESHARED_KEY cipher=aes ksize=128 integ=sha1 prf=sha1 pfs=MODP2048  raddr=114.246.207.132 exe="/usr/libexec/ipsec/pluto" hostname=? addr=172.31.2.1 terminal=? res=failed'

 
|   checking hostpair 172.31.2.1/32:1701 -> 114.246.207.132/32:0

"internet-l2tp"[2] 114.246.207.132 #1: NAT-Traversal: received 2 NAT-OA. Using first; ignoring others

"internet-l2tp"[2] 114.246.207.132 #2: no acceptable Proposal in IPsec SA

"internet-l2tp"[2] 114.246.207.132 #2: sending encrypted notification NO_PROPOSAL_CHOSEN to 114.246.207.132:4500

"internet-l2tp"[2] 114.246.207.132 #2: deleting state (STATE_QUICK_R0) aged 0.000276s and NOT sending notification

"internet-l2tp"[2] 114.246.207.132 #1: the peer proposed: 57.180.75.245/32:1701 -UDP-> 192.168.1.98/32:1701

 
CRYPTO_IKE_SA pid=31910 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 msg='op=start direction=responder conn-name="internet-l2tp" connstate=3 ike-version=1 auth=PRESHARED_KEY cipher=aes ksize=128 integ=sha1 prf=sha1 pfs=MODP2048  raddr=114.246.207.132 exe="/usr/libexec/ipsec/pluto" hostname=? addr=172.31.2.1 terminal=? res=failed'

 
[… remaining log lines omitted …]
