[Swan] what problem do I have here?

Marc Marc at f1-outsourcing.eu
Wed Feb 7 21:28:45 EET 2024


> 
> This is a win10 client. What problem do I have here?
> 
> Feb  6 21:47:42 test2 pluto[1]: "vpn-ikev2-crt"[32] x.x.x.x #320: Child SA
> proposals (new child):
> Feb  6 21:47:42 test2 pluto[1]: "vpn-ikev2-crt"[32] x.x.x.x #320:
> 1:ESP=AES_GCM_C_128+AES_GCM_C_256-NONE-MODP2048-ENABLED+DISABLED
> Feb  6 21:47:42 test2 pluto[1]: "vpn-ikev2-crt"[32] x.x.x.x #320: no local
> proposal matches remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED
> Feb  6 21:47:42 test2 pluto[1]: "vpn-ikev2-crt"[32] x.x.x.x #320:
> CREATE_CHILD_SA request failed, responder SA processing returned
> NO_PROPOSAL_CHOSEN
> Feb  6 21:47:42 test2 pluto[1]: "vpn-ikev2-crt"[32] x.x.x.x #211: responding
> to CREATE_CHILD_SA message (ID 118) from x.x.x.x:18369 with encrypted
> notification NO_PROPOSAL_CHOSEN
> Feb  6 21:49:09 test2 pluto[1]: "vpn-ikev2-crt"[32] x.x.x.x #321: Child SA
> proposals (new child):
> Feb  6 21:49:09 test2 pluto[1]: "vpn-ikev2-crt"[32] x.x.x.x #321:
> 1:ESP=AES_GCM_C_128+AES_GCM_C_256-NONE-MODP2048-ENABLED+DISABLED
> Feb  6 21:49:09 test2 pluto[1]: "vpn-ikev2-crt"[32] x.x.x.x #321: no local
> proposal matches remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED
> Feb  6 21:49:09 test2 pluto[1]: "vpn-ikev2-crt"[32] x.x.x.x #321:
> CREATE_CHILD_SA request failed, responder SA processing returned
> NO_PROPOSAL_CHOSEN
> Feb  6 21:49:09 test2 pluto[1]: "vpn-ikev2-crt"[32] x.x.x.x #211: responding
> to CREATE_CHILD_SA message (ID 119) from x.x.x.x:18369 with encrypted
> notification NO_PROPOSAL_CHOSEN
> Feb  6 21:50:42 test2 pluto[1]: "vpn-ikev2-crt"[32] x.x.x.x #322: Child SA
> proposals (new child):
> Feb  6 21:50:42 test2 pluto[1]: "vpn-ikev2-crt"[32] x.x.x.x #322:
> 1:ESP=AES_GCM_C_128+AES_GCM_C_256-NONE-MODP2048-ENABLED+DISABLED
> Feb  6 21:50:42 test2 pluto[1]: "vpn-ikev2-crt"[32] x.x.x.x #322: no local
> proposal matches remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED
> Feb  6 21:50:42 test2 pluto[1]: "vpn-ikev2-crt"[32] x.x.x.x #322:
> CREATE_CHILD_SA request failed, responder SA processing returned
> NO_PROPOSAL_CHOSEN
> Feb  6 21:50:42 test2 pluto[1]: "vpn-ikev2-crt"[32] x.x.x.x #211: responding
> to CREATE_CHILD_SA message (ID 120) from x.x.x.x:18369 with encrypted
> notification NO_PROPOSAL_CHOSEN

I think this results in:

20240206-084530 down
20240206-084530 xfrm unroute-client vpn-ikev2-crt eth1 x.x.x.x y.y.y.y/32

However, Windows is still in 'connected' state. So I have to disconnect and reconnect.


Output from updown script:

20240206-083957 xfrm prepare-client vpn-ikev2-crt eth1 x.x.x.x y.y.y.y/32
20240206-083957 xfrm route-client vpn-ikev2-crt eth1 x.x.x.x y.y.y.y/32
20240206-084530 xfrm down-client vpn-ikev2-crt eth1 x.x.x.x y.y.y.y/32
20240206-084530 down
20240206-084530 xfrm unroute-client vpn-ikev2-crt eth1 x.x.x.x y.y.y.y/32
20240206-123803 xfrm up-client vpn-ikev2-crt eth1 x.x.x.x y.y.y.y/32
20240206-123803 up
20240206-123803 xfrm prepare-client vpn-ikev2-crt eth1 x.x.x.x y.y.y.y/32
20240206-123803 xfrm route-client vpn-ikev2-crt eth1 x.x.x.x y.y.y.y/32
20240206-133503 xfrm down-client vpn-ikev2-crt eth1 x.x.x.x y.y.y.y/32
20240206-133503 down
20240206-133503 xfrm unroute-client vpn-ikev2-crt eth1 x.x.x.x y.y.y.y/32
20240206-134050 xfrm up-client vpn-ikev2-crt eth1 x.x.x.x y.y.y.y/32
20240206-134050 up
20240206-134050 xfrm prepare-client vpn-ikev2-crt eth1 x.x.x.x y.y.y.y/32
20240206-134050 xfrm route-client vpn-ikev2-crt eth1 x.x.x.x y.y.y.y/32
20240206-143750 xfrm down-client vpn-ikev2-crt eth1 x.x.x.x y.y.y.y/32
20240206-143750 down
20240206-143750 xfrm unroute-client vpn-ikev2-crt eth1 x.x.x.x y.y.y.y/32
20240206-153623 xfrm up-client vpn-ikev2-crt eth1 x.x.x.x y.y.y.y/32
20240206-153623 up
20240206-153623 xfrm prepare-client vpn-ikev2-crt eth1 x.x.x.x y.y.y.y/32
20240206-153623 xfrm route-client vpn-ikev2-crt eth1 x.x.x.x y.y.y.y/32
20240206-163323 xfrm down-client vpn-ikev2-crt eth1 x.x.x.x y.y.y.y/32
20240206-163323 down
20240206-163323 xfrm unroute-client vpn-ikev2-crt eth1 x.x.x.x y.y.y.y/32
20240206-173347 xfrm up-client vpn-ikev2-crt eth1 x.x.x.x y.y.y.y/32
20240206-173347 up
20240206-173347 xfrm prepare-client vpn-ikev2-crt eth1 x.x.x.x y.y.y.y/32
20240206-173347 xfrm route-client vpn-ikev2-crt eth1 x.x.x.x y.y.y.y/32
20240206-183047 xfrm down-client vpn-ikev2-crt eth1 x.x.x.x y.y.y.y/32
20240206-183047 down
20240206-183047 xfrm unroute-client vpn-ikev2-crt eth1 x.x.x.x y.y.y.y/32
20240206-211332 xfrm up-client vpn-ikev2-crt eth1 x.x.x.x y.y.y.y/32
20240206-211332 up
20240206-211332 xfrm prepare-client vpn-ikev2-crt eth1 x.x.x.x y.y.y.y/32
20240206-211332 xfrm route-client vpn-ikev2-crt eth1 x.x.x.x y.y.y.y/32
20240206-221032 xfrm down-client vpn-ikev2-crt eth1 x.x.x.x y.y.y.y/32
20240206-221032 down
20240206-221032 xfrm unroute-client vpn-ikev2-crt eth1 x.x.x.x y.y.y.y/32
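
The local and remote Child SA proposals from the quoted pluto log, compared transform type by transform type. This is an added example, not part of the original post and not Libreswan code; the ENCR-INTEG-DH-ESN field order of the local proposal line and the treatment of an absent transform type as NONE are assumptions, and the sample text is constructed from the first failure in the log.

```python
import re

# Constructed sample: the first failure from the log above, with the
# mail-wrapped lines rejoined and the "Feb  6 ... #320:" prefixes dropped.
SAMPLE = """\
Child SA proposals (new child):
1:ESP=AES_GCM_C_128+AES_GCM_C_256-NONE-MODP2048-ENABLED+DISABLED
no local proposal matches remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED
"""

# Assumption: pluto prints a local ESP proposal as ENCR-INTEG-DH-ESN,
# with '+' separating the alternatives inside one transform type.
FIELDS = ("ENCR", "INTEG", "DH", "ESN")

def parse_local(text):
    """Return [{type: set(alternatives)}] for each 'N:ESP=...' line."""
    out = []
    for m in re.finditer(r"^\d+:ESP=(\S+)$", text, re.M):
        parts = m.group(1).split("-")
        out.append({f: set(p.split("+")) for f, p in zip(FIELDS, parts)})
    return out

def parse_remote(text):
    """Return [{type: set(values)}] for each remote 'N:ESP:K=V;K=V' proposal."""
    out = []
    m = re.search(r"matches remote proposals (.+)$", text, re.M)
    for prop in (m.group(1).split() if m else []):
        d = {}
        for kv in prop.split(":", 2)[2].split(";"):
            k, v = kv.split("=", 1)
            d.setdefault(k, set()).add(v)
        out.append(d)
    return out

def mismatches(local, remote):
    """List transform types where the remote offers nothing the local accepts.
    Assumption: a type absent from a proposal is treated as NONE."""
    bad = []
    for f in FIELDS:
        offered = remote.get(f, {"NONE"})
        accepted = local.get(f, {"NONE"})
        if not (offered & accepted):
            bad.append((f, sorted(accepted), sorted(offered)))
    return bad

def diagnose(text):
    """Compare every remote proposal in the text with every local one."""
    return [mismatches(l, r) for r in parse_remote(text) for l in parse_local(text)]

if __name__ == "__main__":
    for result in diagnose(SAMPLE):
        for f, want, got in result:
            print(f"{f}: local accepts {want}, remote offered {got}")
```

On the sample, the only transform type without overlap is DH: the local proposal lists MODP2048 and the remote proposal carries no DH transform.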

