Thanks. I will and revert. Thanks
On Mon, Feb 18, 2019 at 5:02 AM IL Ka <[email protected]> wrote:
> You have redundant exclamation marks ("!") in your IKE and ESP sections:
> "modp1024!" and "3des-sha!".
> Remove them and try again.
>
> On Mon, Feb 18, 2019 at 1:00 AM MOSES KARIUKI <[email protected]> wrote:
>
>> Dear Team,
>>
>> Thanks Team for your ever valuable help. I am still not able in and the
>> error seems to have changed now. See below :
>>
>> .210.45 DST=102.129.249.173 LEN=40 TOS=0x08 PREC=0x40 TTL=238 ID=38921
>> PROTO=TCP SPT=44785 DPT=4389 WINDOW=1024 RES=0x00 SYN URGP=0
>> Feb 15 20:13:11 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[NET]
>> received packet: from 154.76.***.1*1[500] to 102.1*9.2*9.** [500] (632
>> bytes)
>> Feb 15 20:13:11 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[ENC]
>> parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP)
>> N(NATD_D_IP) V V V V ]
>> Feb 15 20:13:11 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[CFG]
>> looking for an ike config for 102.1*9.2*9.** ...154.76.***.1*1
>> Feb 15 20:13:11 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[IKE]
>> no IKE config found for 102.1*9.2*9.** ... 154.76.***.1*1 , sending
>> NO_PROPOSAL_CHOSEN
>> Feb 15 20:13:11 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[ENC]
>> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
>> Feb 15 20:13:11 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[NET]
>> sending packet: from 102.1*9.2*9.** [500] to 154.76.***.1*1 [500] (36
>> bytes)
>> Feb 15 20:13:12 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a kernel: [
>> 1898.916216] [UFW BLOCK] IN=ens3 OUT=
>> MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.76.122.161
>> DST=102.129.249.173 LEN=52 TOS=0x10 PREC=0x20 TTL=115 ID=24830 DF PROTO=TCP
>> SPT=57716 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
>>
>> My config set up is as follows :
>>
>> conn ikev2-vpn
>> auto=add
>> compress=no
>> type=tunnel
>> keyexchange=ikev2
>> fragmentation=yes
>> forceencaps=yes
>> dpdaction=clear
>> dpddelay=300s
>> rekey=no
>> left=%any
>> leftid=102.1*9.2*9.**
>> leftcert=server-cert.pem
>> leftsendcert=always
>> leftsubnet=0.0.0.0/0
>> right=%any
>> rightid=%any
>> rightauth=eap-mschapv2
>> rightsourceip=10.10.10.0/24
>> rightdns=8.8.8.8,8.8.4.4
>> rightsendcert=never
>> eap_identity=%identity
>>
>> ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!,aes256-sha256-modp2048,aes128-sha256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp2048
>>
>> esp=aes256-sha256,aes256-sha1,3des-sha1!,aes256-sha256-modp2048,aes128-sha256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp2048
>>
>> Please assist.
>>
>> Thanks,
>> Moses K
>>
>> On Sat, Feb 16, 2019 at 12:31 AM MOSES KARIUKI <[email protected]>
>> wrote:
>>
>>> Hello team,
>>>
>>> Any assistance on this?
>>> Thanks
>>>
>>> On Fri, Feb 15, 2019 at 11:26 PM MOSES KARIUKI <[email protected]>
>>> wrote:
>>>
>>>> Thanks Team for your ever valuable help. I can't log in and the error
>>>> seems to have changed now. See below :
>>>>
>>>> .210.45 DST=102.129.249.173 LEN=40 TOS=0x08 PREC=0x40 TTL=238 ID=38921
>>>> PROTO=TCP SPT=44785 DPT=4389 WINDOW=1024 RES=0x00 SYN URGP=0
>>>> Feb 15 20:13:11 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[NET]
>>>> received packet: from 154.76.***.1*1[500] to 102.1*9.2*9.** [500] (632
>>>> bytes)
>>>> Feb 15 20:13:11 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[ENC]
>>>> parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP)
>>>> N(NATD_D_IP) V V V V ]
>>>> Feb 15 20:13:11 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[CFG]
>>>> looking for an ike config for 102.1*9.2*9.** ...154.76.***.1*1
>>>> Feb 15 20:13:11 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[IKE]
>>>> no IKE config found for 102.1*9.2*9.** ... 154.76.***.1*1 , sending
>>>> NO_PROPOSAL_CHOSEN
>>>> Feb 15 20:13:11 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[ENC]
>>>> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
>>>> Feb 15 20:13:11 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon: 08[NET]
>>>> sending packet: from 102.1*9.2*9.** [500] to 154.76.***.1*1 [500] (36
>>>> bytes)
>>>> Feb 15 20:13:12 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a kernel: [
>>>> 1898.916216] [UFW BLOCK] IN=ens3 OUT=
>>>> MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.76.122.161
>>>> DST=102.129.249.173 LEN=52 TOS=0x10 PREC=0x20 TTL=115 ID=24830 DF PROTO=TCP
>>>> SPT=57716 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
>>>>
>>>> My config set up is as follows :
>>>>
>>>> conn ikev2-vpn
>>>> auto=add
>>>> compress=no
>>>> type=tunnel
>>>> keyexchange=ikev2
>>>> fragmentation=yes
>>>> forceencaps=yes
>>>> dpdaction=clear
>>>> dpddelay=300s
>>>> rekey=no
>>>> left=%any
>>>> leftid=102.1*9.2*9.**
>>>> leftcert=server-cert.pem
>>>> leftsendcert=always
>>>> leftsubnet=0.0.0.0/0
>>>> right=%any
>>>> rightid=%any
>>>> rightauth=eap-mschapv2
>>>> rightsourceip=10.10.10.0/24
>>>> rightdns=8.8.8.8,8.8.4.4
>>>> rightsendcert=never
>>>> eap_identity=%identity
>>>>
>>>> ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!,aes256-sha256-modp2048,aes128-sha256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp2048
>>>>
>>>> esp=aes256-sha256,aes256-sha1,3des-sha1!,aes256-sha256-modp2048,aes128-sha256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp2048
>>>>
>>>> Please
>>>>
>>>> On Fri, Feb 15, 2019 at 10:01 PM Kostya Vasilyev <[email protected]>
>>>> wrote:
>>>>
>>>>> Moses,
>>>>>
>>>>> Try this in your *.conf file:
>>>>>
>>>>> conn whatever
>>>>> ....
>>>>> ....
>>>>>
>>>>> ike=aes256-sha256-modp2048,aes128-sha256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp2048
>>>>>
>>>>> esp=aes256-sha256-modp2048,aes128-sha256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp2048
>>>>>
>>>>> Technically for this particular client you only need the first one
>>>>> - aes256-sha256-modp2048
>>>>>
>>>>> --
>>>>> Kostya Vasilyev
>>>>> [email protected]
>>>>>
>>>>>
>>>>> On Fri, Feb 15, 2019, at 9:46 PM, MOSES KARIUKI wrote:
>>>>>
>>>>> Thanks IL Ka,
>>>>>
>>>>> Which group should I add. I am a bit of a noob here. I have checked
>>>>> the Strongswan documentation but I can't trace a list of these commands.
>>>>>
>>>>> Thanks,
>>>>>
>>>>>
>>>>> On Fri, Feb 15, 2019 at 10:17 AM IL Ka <[email protected]>
>>>>> wrote:
>>>>>
>>>>> I see DH problem as Tobias said.
>>>>> look:
>>>>>
>>>>> Client:
>>>>>
>>>>> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
>>>>> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
>>>>> IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
>>>>>
>>>>> StrongSwan:
>>>>> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
>>>>> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
>>>>> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>>>>>
>>>>> Client wants MODP_2048 while Swan has only MODP_1024 enabled.
>>>>>
>>>>> As result, "no acceptable DIFFIE_HELLMAN_GROUP found"
>>>>>
>>>>> See ipsec.conf for "ike" setting. Especially about "modpgroup".
>>>>>
>>>>> On Fri, Feb 15, 2019 at 8:42 AM MOSES KARIUKI <[email protected]>
>>>>> wrote:
>>>>>
>>>>> Dear Team,
>>>>> Please see below:
>>>>>
>>>>> *ipsec statusall*
>>>>> Status of IKE charon daemon (strongSwan 5.6.2, Linux
>>>>> 4.15.0-45-generic, x86_64):
>>>>> uptime: 17 hours, since Feb 14 11:52:17 2019
>>>>> malloc: sbrk 1757184, mmap 0, used 534320, free 1222864
>>>>> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
>>>>> scheduled: 0
>>>>> loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random
>>>>> nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
>>>>> dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr
>>>>> kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2
>>>>> xauth-generic counters
>>>>> Virtual IP pools (size/online/offline):
>>>>> 10.10.10.0/24: 254/0/0
>>>>> Listening IP addresses:
>>>>> 102.1*9.2*9.**
>>>>> Connections:
>>>>> ikev2-vpn: %any...%any IKEv2, dpddelay=300s
>>>>> ikev2-vpn: local: [102.1*9.2*9.**] uses public key authentication
>>>>> ikev2-vpn: cert: "CN=102.1*9.2*9.**"
>>>>> ikev2-vpn: remote: [fromcert] uses EAP_MSCHAPV2 authentication
>>>>> with EAP identity '%any'
>>>>> ikev2-vpn: child: 0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
>>>>> Security Associations (0 up, 0 connecting):
>>>>> none
>>>>>
>>>>>
>>>>> *systemctl status strongswan*
>>>>> ● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using
>>>>> ipsec.conf
>>>>> Loaded: loaded (/lib/systemd/system/strongswan.service; enabled;
>>>>> vendor preset: enabled)
>>>>> Active: active (running) since Thu 2019-02-14 11:52:17 UTC; 17h ago
>>>>> Main PID: 2204 (starter)
>>>>> Tasks: 18 (limit: 2275)
>>>>> CGroup: /system.slice/strongswan.service
>>>>> ├─2204 /usr/lib/ipsec/starter --daemon charon --nofork
>>>>> └─2232 /usr/lib/ipsec/charon --debug-ike 1 --debug-knl 1
>>>>> --debug-cfg 2
>>>>>
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]:
>>>>> 09[CFG] received proposals:
>>>>> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_C
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]:
>>>>> 09[CFG] configured proposals:
>>>>> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]:
>>>>> 09[IKE] remote host is behind NAT
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]:
>>>>> 09[IKE] received proposals inacceptable
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]:
>>>>> 09[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]:
>>>>> 09[NET] sending packet: from 102.1*9.2*9.**[500] to 154.153.1*0.***[500]
>>>>> (36 bytes)
>>>>> Feb 15 05:31:32 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]:
>>>>> 10[CFG] proposing traffic selectors for us:
>>>>> Feb 15 05:31:32 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]:
>>>>> 10[CFG] 0.0.0.0/0
>>>>> Feb 15 05:31:32 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]:
>>>>> 10[CFG] proposing traffic selectors for other:
>>>>> Feb 15 05:31:32 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon[2232]:
>>>>> 10[CFG] dynamic
>>>>>
>>>>> The error log:
>>>>>
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon:
>>>>> 09[NET] received packet: from 154.153.1*0.***[500] to 102.1*9.2*9.**[500]
>>>>> (632 bytes)
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon:
>>>>> 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP)
>>>>> N(NATD_D_IP) V V V V ]
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux
>>>>> 4.15.0-45-generic, x86_64)
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 00[CFG] loaded ca certificate "CN=VPN root CA" from
>>>>> '/etc/ipsec.d/cacerts/ca-cert.pem'
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 00[CFG] loading crls from '/etc/ipsec.d/crls'
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 00[CFG] loading secrets from '/etc/ipsec.secrets'
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 00[CFG] loaded RSA private key from
>>>>> '/etc/ipsec.d/private/server-key.pem'
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 00[CFG] loaded EAP secret for remoteprivate
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random
>>>>> nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
>>>>> dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr
>>>>> kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2
>>>>> xauth-generic counters
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 00[LIB] dropped capabilities, running as uid 0, gid 0
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 00[JOB] spawning 16 worker threads
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 05[CFG] received stroke: add connection 'ikev2-vpn'
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 05[CFG] conn ikev2-vpn
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 05[CFG] left=%any
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 05[CFG] leftsubnet=0.0.0.0/0
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 05[CFG] leftid=102.1*9.2*9.**
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 05[CFG] leftcert=server-cert.pem
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 05[CFG] right=%any
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 05[CFG] rightsourceip=10.10.10.0/24
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 05[CFG] rightdns=8.8.8.8,8.8.4.4
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 05[CFG] rightauth=eap-mschapv2
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 05[CFG] rightid=%fromcert
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 05[CFG] eap_identity=%identity
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 05[CFG]
>>>>> ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 05[CFG] esp=aes256-sha256,aes256-sha1,3des-sha1!
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 05[CFG] dpddelay=300
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 05[CFG] dpdtimeout=150
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 05[CFG] dpdaction=1
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 05[CFG] sha256_96=no
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 05[CFG] mediation=no
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 05[CFG] keyexchange=ikev2
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 05[CFG] adding virtual IP address pool 10.10.10.0/24
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 05[CFG] loaded certificate "CN=102.1*9.2*9.**" from 'server-cert.pem'
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 05[CFG] added configuration 'ikev2-vpn'
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 08[NET] received packet: from 216.218.206.86[8310] to 102.1*9.2*9.**[500]
>>>>> (64 bytes)
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 08[ENC] parsed ID_PROT request 0 [ SA ]
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon:
>>>>> 09[CFG] looking for an ike config for 102.1*9.2*9.**...154.153.1*0.***
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 08[CFG] looking for an ike config for 102.1*9.2*9.**...216.218.206.86
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 08[IKE] no IKE config found for 102.1*9.2*9.**...216.218.206.86, sending
>>>>> NO_PROPOSAL_CHOSEN
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 08[ENC] generating INFORMATIONAL_V1 request 2332246493 [ N(NO_PROP) ]
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 08[NET] sending packet: from 102.1*9.2*9.**[500] to 216.218.206.86[8310]
>>>>> (40 bytes)
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 09[NET] received packet: from 154.153.1*0.***[500] to 102.1*9.2*9.**[500]
>>>>> (632 bytes)
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP)
>>>>> N(NATD_D_IP) V V V V ]
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 09[CFG] looking for an ike config for 102.1*9.2*9.**...154.153.1*0.***
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 09[CFG] candidate: %any...%any, prio 28
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 09[CFG] found matching ike config: %any...%any with prio 28
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 09[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 09[IKE] received MS-Negotiation Discovery Capable vendor ID
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 09[IKE] received Vid-Initial-Contact vendor ID
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 09[ENC] received unknown vendor ID:
>>>>> 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 09[IKE] 154.153.1*0.*** is initiating an IKE_SA
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 09[CFG] selecting proposal:
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 09[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 09[CFG] selecting proposal:
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 09[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 09[CFG] selecting proposal:
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 09[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 09[CFG] selecting proposal:
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 09[CFG] no acceptable ENCRYPTION_ALGORITHM found
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 09[CFG] selecting proposal:
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 09[CFG] no acceptable ENCRYPTION_ALGORITHM found
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 09[CFG] selecting proposal:
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 09[CFG] no acceptable ENCRYPTION_ALGORITHM found
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 09[CFG] selecting proposal:
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 09[CFG] no acceptable ENCRYPTION_ALGORITHM found
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 09[CFG] received proposals:
>>>>> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
>>>>> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
>>>>> IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon:
>>>>> 09[CFG] candidate: %any...%any, prio 28
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a ipsec[2204]:
>>>>> 09[CFG] configured proposals:
>>>>> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
>>>>> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
>>>>> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon:
>>>>> 09[CFG] found matching ike config: %any...%any with prio 28
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon:
>>>>> 09[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon:
>>>>> 09[IKE] received MS-Negotiation Discovery Capable vendor ID
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon:
>>>>> 09[IKE] received Vid-Initial-Contact vendor ID
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon:
>>>>> 09[ENC] received unknown vendor ID:
>>>>> 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon:
>>>>> 09[IKE] 154.153.1*0.*** is initiating an IKE_SA
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon:
>>>>> 09[CFG] selecting proposal:
>>>>> Feb 15 05:11:49 VM-e2b7eaee-4c52-4455-8364-c1977c8afa6a charon:
>>>>> 09[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
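
An added example, not part of the original thread and not strongSwan code: a Python check that compares the client's "received proposals" log line with an `ike=` value and reports which transform types fail to match, as in the MODP_2048 vs MODP_1024 diagnosis quoted above. The function names are hypothetical, the keyword table covers only the keywords that appear in this thread, and treating a "!" anywhere but the end of the list as a mistake is an assumption taken from the reply's advice.

```python
import re

# ipsec.conf keyword -> transform name as charon logs it (only keywords seen in this thread)
ENCR = {"aes256": "AES_CBC_256", "aes128": "AES_CBC_128", "3des": "3DES_CBC"}
HASH = {"sha1": ("HMAC_SHA1_96", "PRF_HMAC_SHA1"),
        "sha256": ("HMAC_SHA2_256_128", "PRF_HMAC_SHA2_256"),
        "sha384": ("HMAC_SHA2_384_192", "PRF_HMAC_SHA2_384")}

def parse_conf(value):
    """Parse the value of an ike= line into (proposals, warnings)."""
    proposals, warnings = [], []
    items = [s.strip() for s in value.split(",")]
    for pos, item in enumerate(items):
        if item.endswith("!"):
            item = item[:-1]
            if pos != len(items) - 1:  # assumption: '!' belongs only at the very end
                warnings.append(f"'!' after {item} is not at the end of the list")
        prop = {}
        for tok in item.split("-"):
            if tok in ENCR:
                prop["ENCR"] = ENCR[tok]
            elif tok in HASH:
                prop["INTEG"], prop["PRF"] = HASH[tok]
            elif re.fullmatch(r"modp\d+", tok):
                prop["DH"] = tok.upper().replace("MODP", "MODP_")
            else:
                warnings.append(f"unknown keyword {tok!r} in {item}")
        proposals.append(prop)
    return proposals, warnings

def parse_log(line):
    """Parse a charon 'received proposals:' or 'configured proposals:' log line."""
    proposals = []
    for body in re.findall(r"IKE:([A-Z0-9_/]+)", line):
        prop = {}
        for name in body.split("/"):
            kind = ("PRF" if name.startswith("PRF_") else
                    "INTEG" if name.startswith("HMAC_") else
                    "DH" if name.startswith("MODP_") else "ENCR")
            prop[kind] = name
        proposals.append(prop)
    return proposals

def diagnose(received, configured):
    """Per received proposal: transform types that differ from the closest
    configured proposal. An empty list means that proposal can be selected."""
    result = []
    for r in received:
        diffs = [sorted(k for k in r if c.get(k) != r[k]) for c in configured]
        result.append(min(diffs, key=len, default=sorted(r)))
    return result

# Sample input from the thread's log and config lines; MIXED_IKE is a constructed, shortened variant.
RECEIVED = ("received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, "
            "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, "
            "IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048")
OLD_IKE = "aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!"
MIXED_IKE = "aes256-sha1-modp1024,3des-sha1-modp1024!,aes256-sha256-modp2048"
NEW_IKE = "aes256-sha256-modp2048,aes128-sha256-modp2048"

if __name__ == "__main__":
    for label, ike in (("old", OLD_IKE), ("mixed", MIXED_IKE), ("new", NEW_IKE)):
        props, warns = parse_conf(ike)
        print(label, diagnose(parse_log(RECEIVED), props), warns)
```

With the original `ike=` value the closest pairing differs only in `DH`, which is the mismatch behind "no acceptable DIFFIE_HELLMAN_GROUP found"; with a modp2048 proposal present, one received proposal comes back with no differences.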
