Hello Shashi,

ike=3des looks like a very simple proposal. Could it be that some cryptographic plugins were not correctly loaded during the daemon startup? Look for any strange entries in the logs.

In order to diagnose the situation could you ramp up the debugging level on both sides by defining

  charondebug="cfg 2"

which will show the proposed and selected crypto suites.

Regards

Andreas

On 08/25/2011 12:58 AM, Shashi Yash wrote:
> Trying to setup ipsec site to site scenario on two red hat machines. I
> get the following error: "no acceptable proposal found" on both
> machines. Can you guys please tell me why I'm getting the following
> error.
>
> I have pasted the configs and logs from both machines.
>
> RH1: ipsec.conf
> conn net-net
>     left=10.19.61.35
>     leftsubnet=192.168.100.0/24
>     leftcert=rh1_Cert.pem
>     right=10.19.61.67
>     rightsubnet=192.168.200.0/24
>     leftid="C=us, ST=il, O=ics, OU=mp, CN=RH6-1"
>     auto=start
>     ike=3des
>     esp=aes256gcm16-modp1024-modp2048,aes128gcm16-modp1024-modp2048
>
>
> RH2: ipsec.conf
> conn net-net
>     left=10.19.61.67
>     leftsubnet=192.168.200.0/24
>     leftcert=rh2_Cert.pem
>     right=10.19.61.35
>     rightsubnet=192.168.100.0/24
>     rightid="C=us, ST=il, O=ics, OU=mp, CN=RH6-2"
>     auto=start
>     ike=3des
>     esp=aes256gcm16-modp1024-modp2048,aes128gcm16-modp1024-modp2048
>
>
> RH1 Log:
> -------------------
> 13[NET] received packet: from 10.19.61.67[500] to 10.19.61.35[500]
> 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 13[IKE] 10.19.61.67 is initiating an IKE_SA
> 13[IKE] no acceptable proposal found
> 13[ENC] generating IKE_SA_INIT response 0 [ ]
> 13[NET] sending packet: from 10.19.61.35[500] to 10.19.61.67[500]
> 14[NET] received packet: from 10.19.61.67[500] to 10.19.61.35[500]
> 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 14[IKE] 10.19.61.67 is initiating an IKE_SA
> 14[IKE] no acceptable proposal found
>
>
> RH2 Log:
> ---------------------
>
> 10[IKE] initiating IKE_SA net-net[1] to 10.19.61.35
> 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 10[NET] sending packet: from 10.19.61.67[500] to 10.19.61.35[500]
> 11[NET] received packet: from 10.19.61.35[500] to 10.19.61.67[500]
> 11[ENC] payload of type SECURITY_ASSOCIATION not occurred 1 times (0)
> 11[IKE] IKE_SA_INIT response with message ID 0 processing failed
> 12[IKE] retransmit 1 of request with message ID 0
> 12[NET] sending packet: from 10.19.61.67[500] to 10.19.61.35[500]
> 13[NET] received packet: from 10.19.61.35[500] to 10.19.61.67[500]
> 13[ENC] payload of type SECURITY_ASSOCIATION not occurred 1 times (0)
> 13[IKE] IKE_SA_INIT response with message ID 0 processing failed
> 14[NET] received packet: from 10.19.61.35[500] to 10.19.61.67[500]
> 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 14[IKE] 10.19.61.35 is initiating an IKE_SA
> 14[IKE] no acceptable proposal found
>
> Thanks in Advance
> -shashi..

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
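An added example, not part of the original messages and not strongSwan code: a small triage script that pairs the responder's "no acceptable proposal found" with the initiator's missing-SA-payload error, using lines excerpted from the two logs in the thread. The function names and the treatment of the leading number as a per-packet worker thread id are assumptions of this example.

```python
import re
from collections import Counter

# Excerpts of the RH1 and RH2 log lines quoted in the thread.
RH1_LOG = """\
13[NET] received packet: from 10.19.61.67[500] to 10.19.61.35[500]
13[IKE] no acceptable proposal found
13[ENC] generating IKE_SA_INIT response 0 [ ]
14[NET] received packet: from 10.19.61.67[500] to 10.19.61.35[500]
14[IKE] no acceptable proposal found
"""
RH2_LOG = """\
11[NET] received packet: from 10.19.61.35[500] to 10.19.61.67[500]
11[ENC] payload of type SECURITY_ASSOCIATION not occurred 1 times (0)
11[IKE] IKE_SA_INIT response with message ID 0 processing failed
"""

LINE = re.compile(r"^(\d+)\[[A-Z]+\]\s+(.*)$")   # "<thread>[<group>] <message>"
RECV = re.compile(r"received packet: from (\S+?)\[\d+\] to (\S+?)\[\d+\]")
SYMPTOMS = {
    "no acceptable proposal found": "proposal_rejected",
    "payload of type SECURITY_ASSOCIATION not occurred": "response_without_sa",
}

def triage(log_text):
    """Count (symptom, remote_ip, local_ip) occurrences in a log excerpt."""
    findings = Counter()
    last_packet = {}  # thread id -> (remote, local) of the packet being handled
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        thread, msg = m.groups()
        recv = RECV.search(msg)
        if recv:
            last_packet[thread] = (recv.group(1), recv.group(2))
            continue
        for needle, symptom in SYMPTOMS.items():
            # Attribute the symptom to the packet this thread last received.
            if needle in msg and thread in last_packet:
                findings[(symptom, *last_packet[thread])] += 1
    return findings

def same_failure(responder_log, initiator_log):
    """True if the initiator's SA-less responses come from a peer that rejected it."""
    rejected = {(r, l) for (s, r, l) in triage(responder_log) if s == "proposal_rejected"}
    no_sa = {(l, r) for (s, r, l) in triage(initiator_log) if s == "response_without_sa"}
    return bool(rejected & no_sa)
```

When `same_failure` is true, the initiator-side error is a consequence of the responder's rejection, so the `cfg 2` output on the responder is the place to look first.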
