I solved the "no netkey IPsec stack detected" errors. It turned out that the
NixOS strongSwan configuration used a modprobe which couldn't find the right
kernel modules. I fixed that and now it starts up without that error. See the
log at: http://pastebin.com/ufutkmdC

However, my original problem remains. With the following ipsec.conf:

conn data-display
    aggressive=no
    auto=add
    fragmentation=yes
    ike=des-sha1-modp1024
    ikelifetime=24h
    keyexchange=ikev1
    left=%any
    leftauth=psk
    leftfirewall=yes
    leftid=83.161.66.130
    lifetime=1h
    right=213.163.70.4
    rightauth=psk
    rightsubnet=10.180.0.0/16

I get the following error:

$ sudo ipsec up data-display
initiating Main Mode IKE_SA data-display[1] to 213.163.70.4
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 192.168.42.178[500] to 213.163.70.4[500] (220 bytes)
received packet: from 213.163.70.4[500] to 192.168.42.178[500] (128 bytes)
parsed ID_PROT response 0 [ SA V V ]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.42.178[500] to 213.163.70.4[500] (244 bytes)
received packet: from 213.163.70.4[500] to 192.168.42.178[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: 4a:1c:a1:c6:1d:26:60:b5:3f:0b:02:29:da:eb:0e:5a
received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 192.168.42.178[4500] to 213.163.70.4[4500] (84 bytes)
received packet: from 213.163.70.4[4500] to 192.168.42.178[4500] (84 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA data-display[1] established between 192.168.42.178[83.161.66.130]...213.163.70.4[213.163.70.4]
scheduling reauthentication in 85668s
maximum IKE_SA lifetime 86208s
generating QUICK_MODE request 384749459 [ HASH SA No ID ID ]
sending packet: from 192.168.42.178[4500] to 213.163.70.4[4500] (228 bytes)
received packet: from 213.163.70.4[4500] to 192.168.42.178[4500] (84 bytes)
parsed INFORMATIONAL_V1 request 1953095225 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'data-display' failed

What does NO_PROPOSAL_CHOSEN mean?

Thanks,

Bas

On 10 February 2015 at 16:48, Bas van Dijk <[email protected]> wrote:
> Hello,
>
> Apologies in advance for the rather long message but I'm new to
> strongSwan and want to include as much information as I think is
> relevant to my problem.
>
> I'm having some problems using strongSwan-5.2.2 to establish a
> connection to a host on the subnet 10.180.0.0/16 which is behind the
> gateway 213.163.70.4. The IP address of my machine is 192.168.42.162
> and I'm using NAT to access the internet. My public IP address is:
> 83.161.66.130. I don't control the 213.163.70.4 gateway and I have
> been told it uses the following settings:
>
> Target address: 213.163.70.4
> Source address: 83.161.66.130
> IKE SA: Phase 1
>   Encryption: AES-128 with SHA-1
>   Diffie-Hellman: Group 2
>   SA lifetime: 86400 seconds
>   IKE negotiation mode: Main (non aggressive)
>   Pre-shared key: XXXX (censored)
> IPsec proposal: Phase 2
>   Encryption: AES-128 with SHA-1
>   IPsec type: ESP
>   IPsec tunnel lifetime: 3600 seconds
>
> I set my ipsec.secrets (censored) to:
> 213.163.70.4 %any : PSK 0xXXXX
>
> ipsec.conf:
> conn data-display
>     aggressive=no
>     authby=secret
>     auto=add
>     esp=aes128-sha1
>     fragmentation=yes
>     ike=des-sha1-modp1024
>     ikelifetime=24h
>     keyexchange=ikev1
>     left=%any
>     leftfirewall=yes
>     leftid=83.161.66.130
>     lifetime=1h
>     right=213.163.70.4
>     rightsubnet=10.180.0.0/16
>
> I noticed from the strongSwan logs that the gateway is a Cisco Unity
> device so I configured strongSwan with --enable-unity. I'm not sure
> that is required.
>
> When I start strongSwan using "sudo systemctl start strongswan" I get
> the following log (I'm using logging level 2):
>
> http://pastebin.com/pC1WYegL
>
> I'm a bit confused why I get the "no netkey IPsec stack detected"
> warning since all required[1] kernel options are enabled (either built
> in or as modules). In particular:
>
> cat /proc/config.gz | gunzip | grep CONFIG_NET_KEY=
> CONFIG_NET_KEY=m
>
> Since it's a warning I ignore it for a moment and try to start up the
> "data-display" connection using "sudo ipsec up data-display". I get
> the following output:
>
> initiating Main Mode IKE_SA data-display[1] to 213.163.70.4
> generating ID_PROT request 0 [ SA V V V V V ]
> sending packet: from 192.168.42.162[500] to 213.163.70.4[500] (220 bytes)
> received packet: from 213.163.70.4[500] to 192.168.42.162[500] (128 bytes)
> parsed ID_PROT response 0 [ SA V V ]
> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> received FRAGMENTATION vendor ID
> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
> sending packet: from 192.168.42.162[500] to 213.163.70.4[500] (244 bytes)
> received packet: from 213.163.70.4[500] to 192.168.42.162[500] (304 bytes)
> parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
> received Cisco Unity vendor ID
> received XAuth vendor ID
> received unknown vendor ID: c5:dd:ab:2d:d0:7e:27:16:a3:59:1d:ba:91:49:75:8d
> received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
> local host is behind NAT, sending keep alives
> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
> sending packet: from 192.168.42.162[4500] to 213.163.70.4[4500] (84 bytes)
> received packet: from 213.163.70.4[4500] to 192.168.42.162[4500] (84 bytes)
> parsed ID_PROT response 0 [ ID HASH V ]
> received DPD vendor ID
> IKE_SA data-display[1] established between
> 192.168.42.162[83.161.66.130]...213.163.70.4[213.163.70.4]
> scheduling reauthentication in 85593s
> maximum IKE_SA lifetime 86133s
> generating QUICK_MODE request 3299461263 [ HASH SA No ID ID ]
> sending packet: from 192.168.42.162[4500] to 213.163.70.4[4500] (204 bytes)
> received packet: from 213.163.70.4[4500] to 192.168.42.162[4500] (84 bytes)
> parsed INFORMATIONAL_V1 request 1571124148 [ HASH N(NO_PROP) ]
> received NO_PROPOSAL_CHOSEN error notify
> received packet: from 213.163.70.4[4500] to 192.168.42.162[4500] (84 bytes)
> parsed INFORMATIONAL_V1 request 3331205321 [ HASH D ]
> received DELETE for IKE_SA data-display[1]
> deleting IKE_SA data-display[1] between
> 192.168.42.162[83.161.66.130]...213.163.70.4[213.163.70.4]
> establishing connection 'data-display' failed
>
> The following is posted to syslog:
>
> http://pastebin.com/1Vj1rXaq
>
> So I can see that an IKE_SA is established between me and the gateway.
> However, after that something goes wrong.
>
> Can somebody explain what is going wrong and point me in the right direction?
>
> Also note that I'm using NixOS running in VirtualBox. My virtual NIC
> is bridged to my physical NIC.
>
> Let me know if any more information is desired.
>
> Cheers,
>
> Bas
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
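As an added example (not from the poster's message or from the strongSwan project), the gateway parameters quoted above translated into strongSwan ipsec.conf proposal syntax, next to the values the poster's conn actually offers. It assumes the gateway does not require PFS for Phase 2 (the quoted settings do not mention it) and that a single child SA is wanted.

```ini
conn data-display
    keyexchange=ikev1
    # "IKE negotiation mode: Main (non aggressive)"
    aggressive=no
    leftauth=psk
    rightauth=psk
    # Phase 1 as stated by the gateway: "AES-128 with SHA-1", "Diffie-Hellman:
    # Group 2" (modp1024), "SA lifetime: 86400 seconds" (= 24h).
    # The poster's ike=des-sha1-modp1024 offers single DES, not AES-128; a
    # trailing "!" makes charon send only this proposal instead of appending
    # its built-in defaults, so what is on the wire matches what is written.
    ike=aes128-sha1-modp1024!
    ikelifetime=24h
    # Phase 2 as stated: "AES-128 with SHA-1", "IPsec type: ESP",
    # "tunnel lifetime: 3600 seconds" (= 1h).
    # The poster's current conn has no esp= line, so charon offers its default
    # ESP proposal, which need not contain aes128-sha1. Append -modp1024 only
    # if the gateway turns out to enforce PFS (assumption: not stated above).
    esp=aes128-sha1!
    lifetime=1h
    left=%any
    leftid=83.161.66.130
    leftfirewall=yes
    fragmentation=yes
    right=213.163.70.4
    rightsubnet=10.180.0.0/16
    # Caveat: a Quick Mode NO_PROPOSAL_CHOSEN is also how a responder rejects
    # the traffic selectors, not only the ESP algorithms. With no leftsubnet,
    # charon proposes its own local address (192.168.42.178/32 behind NAT in
    # the log above); the gateway lists "Source address: 83.161.66.130", so
    # the selector it accepts is worth confirming with its operator.
    auto=add
```

Whether the rejection comes from the algorithm set or from the selectors is visible on the responder's side only; on the initiator, charon's log above shows just the N(NO_PROP) notify after the QUICK_MODE request.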
