Can someone look at my debugs and config and tell me why strongSwan is sending
a no-proposal-chosen notify message, based on the configs for my strongSwan and
ASA below? I tried changing the leftid and rightid to the private outside
address of the ASA, the NATed address; not sure what strongSwan doesn't like,
everything looks like it matches.

Configuring strongSwan with an ASA; the ASA is behind a firewall, NATing occurs
upstream, and ports 500 and 4500 are port-forwarded back to the ASA.


strongSwan syslog output:

Dec 30 02:46:29 lagunesrevengeII charon: 07[ENC] generating INFORMATIONAL_V1 request 469970900 [ N(NO_PROP) ]
Dec 30 02:46:29 lagunesrevengeII charon: 07[NET] sending packet: from 104.x.x.x[500] to 98.x.x.x[500] (40 bytes)
Dec 30 02:46:37 lagunesrevengeII charon: 08[NET] received packet: from 98.x.x.x[500] to 104.x.x.x[500] (112 bytes)
Dec 30 02:46:37 lagunesrevengeII charon: 08[ENC] parsed ID_PROT request 0 [ SA V ]
Dec 30 02:46:37 lagunesrevengeII charon: 08[IKE] no IKE config found for 104.x.x.x...98.x.x.x, sending NO_PROPOSAL_CHOSEN

ASA debug output:

Dec 30 01:38:24 [IKEv1]IP = 104.x.x.x, IKE_DECODE RECEIVED Message (msgid=954138f9) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 40
Dec 30 01:38:24 [IKEv1]IP = 104.x.x.x, IKE_DECODE RECEIVED Message (msgid=954138f9) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 40
Dec 30 01:38:24 [IKEv1]IP = 104.x.x.x, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Dec 30 01:38:24 [IKEv1]IP = 104.x.x.x, Information Exchange processing failed


ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.

# Sample VPN connections
conn %default
        ikelifetime=1440m
        keylife=60m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret

conn toflakjacket
        left=104.x.x.x
        leftsubnet=10.0.0.0/24
        leftfirewall=yes
        right=98.x.x.x
        rightsubnet=192.168.7.0/24
        auto=route
        ike=aes128-sha1-modp1536
        esp=aes128-sha1


ipsec.secrets

104.x.x.x 98.x.x.x : PSK mypassword



ASA config

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.7.1 255.255.255.0


interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.250 255.255.255.0


object-group network localinteresting
 network-object 192.168.7.0 255.255.255.0
object-group network remoteinteresting
 network-object 10.0.0.0 255.255.255.0

access-list interestingtraffic extended permit ip object-group localinteresting object-group remoteinteresting

crypto ipsec ikev1 transform-set myVPN esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600

crypto map revengemap 1 match address interestingtraffic
crypto map revengemap 1 set peer 104.x.x.x
crypto map revengemap 1 set ikev1 transform-set myVPN
crypto map revengemap interface outside

crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400


tunnel-group 104.x.x.x type ipsec-l2l
tunnel-group 104.x.x.x ipsec-attributes
 ikev1 pre-shared-key mypassword


Sent from Mail for Windows 10
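Added below, as an editor's troubleshooting aid and not as part of the poster's message or as strongSwan code: a small Python script that parses the ipsec.conf and ASA snippets from the thread, renders the ASA `crypto ikev1 policy` in strongSwan `ike=` notation (ASA `encryption aes` is AES-128, `hash sha` is SHA-1, `group 5` is modp1536) and reports whether the two phase-1 proposals agree, and that maps charon's "no IKE config found" and "no proposal found" messages to a hint about which stage of IKEv1 main mode failed. The mapping of those two messages to stages (conn lookup by address and IKE version first, proposal comparison only afterwards) is my reading of charon's behaviour and is marked as an assumption in the code; the sample inputs are constructed from the configs and log lines in the thread.

```python
"""Cross-check a strongSwan IKEv1 ike= proposal against a Cisco ASA crypto ikev1
policy and turn charon's NO_PROPOSAL_CHOSEN log lines into troubleshooting hints.
Added example for the thread above (not strongSwan or the poster's code)."""
import re

# ASA keyword -> strongSwan name: `encryption aes` is AES-128, `hash sha` is SHA-1,
# DH group numbers are the RFC 2409 / RFC 3526 MODP groups.
ASA_ENC = {"des": "des", "3des": "3des", "aes": "aes128", "aes-192": "aes192", "aes-256": "aes256"}
ASA_HASH = {"md5": "md5", "sha": "sha1"}
ASA_GROUP = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}
AUTHBY = {"secret": "pre-share", "psk": "pre-share", "pubkey": "rsa-sig", "rsasig": "rsa-sig"}

def parse_ipsec_conf(text):
    """Return {conn: {key: value}}, with `conn %default` folded into every other conn."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()                 # strip comments
        m = re.match(r"^(conn|config)\s+(\S+)", line)
        if m:                                                # section header
            current = m.group(2) if m.group(1) == "conn" else None
            if current:
                conns[current] = {}
        elif current and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    default = conns.pop("%default", {})
    return {name: {**default, **opts} for name, opts in conns.items()}

def parse_asa_ikev1_policies(text):
    """Return {priority: {sub-command: argument}} for each `crypto ikev1 policy N` block."""
    policies, current = {}, None
    for raw in text.splitlines():
        m = re.match(r"^crypto ikev1 policy (\d+)\s*$", raw)
        if m:                                                # block header
            current = m.group(1)
            policies[current] = {}
        elif current and raw[:1].isspace() and len(raw.split(None, 1)) == 2:
            key, arg = raw.split(None, 1)                    # indented sub-command
            policies[current][key] = arg.strip()
        elif not raw[:1].isspace():                          # next top-level command ends the block
            current = None
    return policies

def asa_policy_to_proposal(policy):
    """Render an ASA policy in ike= notation, applying ASA defaults (3des / sha / group 2)."""
    enc, hsh, grp = policy.get("encryption", "3des"), policy.get("hash", "sha"), policy.get("group", "2")
    return "-".join((ASA_ENC.get(enc, enc), ASA_HASH.get(hsh, hsh), ASA_GROUP.get(grp, "group" + grp)))

def ike_proposal_matches(ike_setting, authby, policies):
    """List (strongSwan proposal, ASA policy priority) pairs that agree for IKEv1 phase 1.
    ike= may hold several comma-separated proposals; a trailing '!' (strict) is ignored."""
    wanted = [p.strip().rstrip("!") for p in ike_setting.split(",") if p.strip()]
    auth = AUTHBY.get(authby, authby)
    matches = []
    for prio, pol in policies.items():
        if pol.get("authentication", "pre-share") == auth:   # ASA default is pre-share
            rendered = asa_policy_to_proposal(pol)
            matches.extend((p, prio) for p in wanted if p == rendered)
    return matches

# My reading of the two charon messages that precede NO_PROPOSAL_CHOSEN in IKEv1
# main mode (an assumption about charon's ordering, not an official reference).
CHARON_HINTS = [
    (re.compile(r"no IKE config found for (\S+?)\.\.\.([^\s,]+)"),
     "no loaded conn has left/right (and keyexchange=) matching local {0} / remote {1}; "
     "check `ipsec statusall`; proposals are only compared after a conn matches"),
    (re.compile(r"no proposal found"),
     "a conn matched but none of its ike= proposals equals the peer's offer; compare ike= with the peer's policy"),
]

def explain_charon_line(line):
    """Map a charon log line to a hint, or None when the line needs none."""
    return next((h.format(*m.groups()) for p, h in CHARON_HINTS if (m := p.search(line))), None)

# Constructed sample inputs, trimmed from the thread above.
SAMPLE_IPSEC_CONF = """\
conn %default
        keyexchange=ikev1
        authby=secret
conn toflakjacket
        left=104.x.x.x
        right=98.x.x.x
        ike=aes128-sha1-modp1536
"""
SAMPLE_ASA = """\
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
tunnel-group 104.x.x.x type ipsec-l2l
"""
SAMPLE_LOG = ("Dec 30 02:46:37 lagunesrevengeII charon: 08[IKE] no IKE config found for "
              "104.x.x.x...98.x.x.x, sending NO_PROPOSAL_CHOSEN")

def check_thread():
    """Run both checks on the thread's inputs: (matching proposal pairs, log hint)."""
    conn = parse_ipsec_conf(SAMPLE_IPSEC_CONF)["toflakjacket"]
    policies = parse_asa_ikev1_policies(SAMPLE_ASA)
    return (ike_proposal_matches(conn["ike"], conn.get("authby", "pubkey"), policies),
            explain_charon_line(SAMPLE_LOG))
```

Running `check_thread()` on the thread's own snippets reports the phase-1 proposals as agreeing (`aes128-sha1-modp1536` on both sides, PSK authentication on both), and classifies the charon line as a failed conn lookup rather than a failed proposal comparison; the script deliberately stops at that classification and leaves the actual diagnosis to the list.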

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
