<html dir="ltr"><head></head><body style="text-align:left; direction:ltr;" bgcolor="#ffffff" text="#2e3436" link="#2a76c6" vlink="#2e3436"><div><font color="#202223" size="4"><br></font></div><div><font size="4">Hi Forum users, experts and developer team. I am new to Libreswan and trying to setup a remote VPN on a CentOS 8 machine running Libreswan Version 4.3, the client machine at the moment is also a CentOS 8 with the same version of Libreswan.</font></div><div><font size="4"><b>Additional note</b>: The VPN server has site-to-site VPNs established successfully to 4 other locations. This remote VPN has been attempted without disturbing the existing setup. </font></div><div><font size="4"><br></font></div><div><font size="4"><b>Documentation followed</b> : I have followed almost entirely <a href="https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2">https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2</a> to setup this environment. The "ike" and "esp" statements were just added while trying to figure out various options, but with and without it, the results are the same.</font></div><div><font size="4"><br></font></div><div><font size="4"><br></font></div><div><b><font size="4">Server side</font></b></div><div><font size="4"><br></font></div><div><font size="4">conn MOBILE</font></div><div><font size="4"> left=europa.abc.com</font></div><div><font size="4"> leftsubnet=192.168.1.0/24</font></div><div><font size="4"> leftcert=europa.abc.com</font></div><div><font size="4"> leftid=%fromcert</font></div><div><font size="4"> leftrsasigkey=%cert</font></div><div><font size="4"> leftsendcert=always</font></div><div><font size="4"> right=%any</font></div><div><font size="4"> rightaddresspool=10.10.128.10-10.10.128.20</font></div><div><font size="4"> rightca=%same</font></div><div><font size="4"> rightrsasigkey=%cert</font></div><div><font size="4"> modecfgdns="208.67.222.222,208.67.220.220"</font></div><div><font size="4"> auto=add</font></div><div><font size="4"> ike=aes256-sha2_512+sha2_256-dh21</font></div><div><font size="4"> esp=aes256-sha2_512+sha1+sha2_256;dh21</font></div><div><font size="4"> dpddelay=60</font></div><div><font size="4"> dpdtimeout=300</font></div><div><font size="4"> dpdaction=clear</font></div><div><font size="4"> ikev2=insist</font></div><div><font size="4"> fragmentation=yes</font></div><div><font size="4"> type=tunnel</font></div><div><font size="4"><br></font></div><div><font size="4"><br></font></div><div><font size="4">ipsec status</font></div><div><font size="4"><br></font></div><div><font size="4">000 "MOBILE": 192.168.1.0/24===192.168.1.1<europa.abc.com>[CN=europa.abc.com, O=Europa,MS+S=C]...%any[+MC+S=C]; unrouted; eroute owner: #0</font></div><div><font size="4">000 "MOBILE": oriented; my_ip=unset; their_ip=unset; mycert=europa.abc.com; my_updown=ipsec _updown;</font></div><div><font size="4">000 "MOBILE": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]</font></div><div><font size="4">000 "MOBILE": our auth:rsasig, their auth:rsasig</font></div><div><font size="4">000 "MOBILE": modecfg info: us:server, them:client, modecfg policy:push, dns:208.67.222.222,208.67.220.220, domains:unset, cat:unset;</font></div><div><font size="4">000 "MOBILE": sec_label:unset;</font></div><div><font size="4">000 "MOBILE": CAs: 'CN=Europa CA, O=Europa'...'CN=Europa CA, O=Europa'</font></div><div><font size="4">000 "MOBILE": ike_life: 28800s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;</font></div><div><font size="4">000 "MOBILE": retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;</font></div><div><font size="4">000 "MOBILE": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;</font></div><div><font size="4">000 "MOBILE": policy: IKEv2+RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5;</font></div><div><font size="4">000 "MOBILE": v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;</font></div><div><font size="4">000 "MOBILE": conn_prio: 24,0; interface: eno1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;</font></div><div><font size="4">000 "MOBILE": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;</font></div><div><font size="4">000 "MOBILE": our idtype: ID_DER_ASN1_DN; our id=CN=europa.abc.com, O=Europa; their idtype: %none; their id=(none)</font></div><div><font size="4">000 "MOBILE": dpd: action:clear; delay:60; timeout:300; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both</font></div><div><font size="4">000 "MOBILE": newest ISAKMP SA: #0; newest IPsec SA: #0; conn serial: $4;</font></div><div><font size="4">000 "MOBILE": IKE algorithms: AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-DH21</font></div><div><font size="4">000 "MOBILE": ESP algorithms: AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA1_96+HMAC_SHA2_256_128-DH21</font></div><div><font size="4"><br></font></div><div><font size="4"><br></font></div><div><b><font size="4">Client side</font></b></div><div><font size="4"><br></font></div><div><font size="4">conn EUROPA</font></div><div><font size="4"> left=%defaultroute</font></div><div><font size="4"> leftcert=ceres.xyz.com</font></div><div><font size="4"> leftid=%fromcert</font></div><div><font size="4"> leftrsasigkey=%cert</font></div><div><font size="4"> leftsubnet=10.10.128.0/24</font></div><div><font size="4"> leftmodecfgclient=yes</font></div><div><font size="4"> right=europa.abc.com</font></div><div><font size="4"> rightsubnet=192.168.1.0/24</font></div><div><font size="4"> <a href="mailto:rightid=@europa.abc.com">rightid=@europa.abc.com</a></font></div><div><font size="4"> rightrsasigkey=%cert</font></div><div><font size="4"> ike=aes256-sha2_512+sha2_256-dh21</font></div><div><font size="4"> esp=aes256-sha2_512+sha1+sha2_256;dh21</font></div><div><font size="4"> ikev2=insist</font></div><div><font size="4"> rekey=yes</font></div><div><font size="4"> fragmentation=yes</font></div><div><font size="4"> mobike=yes</font></div><div><font size="4"> auto=add</font></div><div><font size="4"><br></font></div><div><font size="4">ipsec status</font></div><div><font size="4"><br></font></div><div><font size="4">000 "EUROPA": 10.10.128.0/24===10.10.128.10[CN=ceres.xyz.com, O=Europa,+MC+S=C]---10.10.128.1...1.2.3.4<europa.abc.com>[@europa.abc.com]===192.168.1.0/24; unrouted; eroute owner: #0</font></div><div><font size="4">000 "EUROPA": oriented; my_ip=unset; their_ip=unset; mycert=ceres.xyz.com; my_updown=ipsec _updown;</font></div><div><font size="4">000 "EUROPA": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]</font></div><div><font size="4">000 "EUROPA": our auth:rsasig, their auth:rsasig</font></div><div><font size="4">000 "EUROPA": modecfg info: us:client, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;</font></div><div><font size="4">000 "EUROPA": sec_label:unset;</font></div><div><font size="4">000 "EUROPA": CAs: 'CN=Europa CA, O=Europa'...'%any'</font></div><div><font size="4">000 "EUROPA": ike_life: 28800s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;</font></div><div><font size="4">000 "EUROPA": retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;</font></div><div><font size="4">000 "EUROPA": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;</font></div><div><font size="4">000 "EUROPA": policy: IKEv2+RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+IKE_FRAG_ALLOW+MOBIKE+ESN_NO+RSASIG_v1_5;</font></div><div><font size="4">000 "EUROPA": v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;</font></div><div><font size="4">000 "EUROPA": conn_prio: 24,24; interface: wlp2s0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;</font></div><div><font size="4">000 "EUROPA": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;</font></div><div><font size="4">000 "EUROPA": our idtype: ID_DER_ASN1_DN; our id=CN=ceres.xyz.com, O=Europa; their idtype: ID_FQDN; their <a href="mailto:id=@europa.abc.com">id=@europa.abc.com</a></font></div><div><font size="4">000 "EUROPA": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both</font></div><div><font size="4">000 "EUROPA": newest ISAKMP SA: #0; newest IPsec SA: #0; conn serial: $1;</font></div><div><font size="4">000 "EUROPA": IKE algorithms: AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-DH21</font></div><div><font size="4">000 "EUROPA": ESP algorithms: AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA1_96+HMAC_SHA2_256_128-DH21</font></div><div><font size="4"><br></font></div><div><font size="4"><br></font></div><div><font size="4">/var/log/pluto.log</font></div><div><font size="4"><br></font></div><div><font size="4">Mar 24 23:43:05.426935: "EUROPA": loaded private key matching left certificate 'ceres.xyz.com'</font></div><div><font size="4">Mar 24 23:43:05.427225: "EUROPA": added IKEv2 connection</font></div><div><font size="4">Mar 24 23:43:05.427319: listening for IKE messages</font></div><div><font size="4"><br></font></div><div><font size="4"><br></font></div><div><font size="4"><br></font></div><div><font size="4">-------------------------</font></div><div><b><font size="4">On the client</font></b></div><div><font size="4"><br></font></div><div><font size="4"># ipsec auto --add EUROPA</font></div><div><font size="4">002 "EUROPA": terminating SAs using this connection</font></div><div><font size="4">002 "EUROPA": added IKEv2 connection</font></div><div><font size="4"><br></font></div><div><font size="4"><br></font></div><div><font size="4"># ipsec auto --up EUROPA</font></div><div><font size="4">181 "EUROPA" #1: initiating IKEv2 connection</font></div><div><font size="4">181 "EUROPA" #1: sent IKE_SA_INIT request</font></div><div><font size="4">003 "EUROPA" #1: dropping unexpected IKE_SA_INIT message containing NO_PROPOSAL_CHOSEN notification; message payloads: N; missing payloads: SA,KE,Ni</font></div><div><font size="4">010 "EUROPA" #1: STATE_PARENT_I1: retransmission; will wait 0.5 seconds for response</font></div><div><font size="4">003 "EUROPA" #1: dropping unexpected IKE_SA_INIT message containing NO_PROPOSAL_CHOSEN notification; message payloads: N; missing payloads: SA,KE,Ni</font></div><div><font size="4">010 "EUROPA" #1: STATE_PARENT_I1: retransmission; will wait 1 seconds for response</font></div><div><font size="4">003 "EUROPA" #1: dropping unexpected IKE_SA_INIT message containing NO_PROPOSAL_CHOSEN notification; message payloads: N; missing payloads: SA,KE,Ni</font></div><div><font size="4"><br></font></div><div><font size="4"><br></font></div><div><b><font size="4">On the Server logs</font></b></div><div><font size="4"><br></font></div><div><font size="4">Mar 25 00:13:38.299168: packet from 5.6.7.8:51286: ISAKMP_v2_IKE_SA_INIT message received on 1.2.3.4:500 but no suitable connection found with IKEv2 policy</font></div><div><font size="4">Mar 25 00:13:38.299192: packet from 5.6.7.8:51286: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification NO_PROPOSAL_CHOSEN</font></div><div><font size="4">Mar 25 00:13:38.797770: packet from 5.6.7.8:51286: ISAKMP_v2_IKE_SA_INIT message received on 1.2.3.4:500 but no suitable connection found with IKEv2 policy</font></div><div><font size="4">Mar 25 00:13:38.797794: packet from 5.6.7.8:51286: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification NO_PROPOSAL_CHOSEN</font></div><div><font size="4"><br></font></div><div><font size="4"><br></font></div><div><font size="4"><br></font></div><div><font size="4">Thanks, Best</font></div><div></div><div><br></div><div></div></body></html>