Bug #1068
strongswan 5.3.2 and IKEv1 in transport mode causes NO_PROPOSAL_CHOSEN error
Description
Hello,
I am trying to configure an IPsec tunnel between two peers (both running StrongSwan 5.3.2) in transport mode.
The tunnel between the peers is successfully established in IKEv2 mode (IKE_SA=UP + Child_SA=UP) but not in IKEv1 (IKE_SA=UP + Child_SA=DOWN).
The following issue https://wiki.strongswan.org/issues/819 may be related.
ipsec.conf for Peer1:
conn ike1-ip4-transp
    # revert left and right for Peer2
    left=172.16.0.4
    right=172.16.0.24
    leftauth=psk
    rightauth=psk
    # revert leftid and rightid for Peer2
    leftid=@server.garderos.com
    rightid=@client.garderos.com
    aggressive=yes
    auto=start
    keyingtries=1
    # with keyexchange=ikev2 the tunnel is established!
    keyexchange=ikev1
    compress=yes
    type=transport
    margintime=540s
    ike=3des-sha1-modp1024!
    ikelifetime=4200s
    esp=3des-sha1-modp1024!
    lifetime=3600s
Logs (IKEv1):
Aug 17 12:15:56 Peer1 info ipsec_st[ 3389]: Starting weakSwan 5.3.2 IPsec [starter]...
Aug 17 12:15:56 Peer1 info charon: [ DMN] Starting IKE charon daemon (strongSwan 5.3.2, Linux 3.10.45, armv5teb)
Aug 17 12:15:56 Peer1 info charon: [ KNL] received netlink error: Address family not supported by protocol (97)
Aug 17 12:15:56 Peer1 info charon: [ KNL] unable to create IPv6 routing table rule
Aug 17 12:15:56 Peer1 info charon: [ CFG] loading ca certificates from '/var/etc/strongswan/ipsec.d/cacerts'
Aug 17 12:15:56 Peer1 info charon: [ CFG] loading aa certificates from '/var/etc/strongswan/ipsec.d/aacerts'
Aug 17 12:15:56 Peer1 info charon: [ CFG] loading ocsp signer certificates from '/var/etc/strongswan/ipsec.d/ocspcerts'
Aug 17 12:15:56 Peer1 info charon: [ CFG] loading attribute certificates from '/var/etc/strongswan/ipsec.d/acerts'
Aug 17 12:15:56 Peer1 info charon: [ CFG] loading crls from '/var/etc/strongswan/ipsec.d/crls'
Aug 17 12:15:56 Peer1 info charon: [ CFG] loading secrets from '/var/etc/strongswan/ipsec.secrets'
Aug 17 12:15:56 Peer1 info charon: [ CFG] loaded IKE secret for client.garderos.com
Aug 17 12:15:56 Peer1 info charon: [ LIB] loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey pem openssl fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updow
Aug 17 12:15:56 Peer1 info charon: [ JOB] spawning 32 worker threads
Aug 17 12:15:56 Peer1 info ipsec_st[ 3402]: charon (3403) started after 200 ms
Aug 17 12:15:56 Peer1 info charon: [ CFG] received stroke: add connection 'ike1-ip4-transp'
Aug 17 12:15:56 Peer1 info charon: [ CFG] added configuration 'ike1-ip4-transp'
Aug 17 12:15:56 Peer1 info charon: [ CFG] received stroke: initiate 'ike1-ip4-transp'
Aug 17 12:15:56 Peer1 info charon: [ IKE] initiating Aggressive Mode IKE_SA ike1-ip4-transp[1] to 172.16.0.24
Aug 17 12:15:57 Peer1 info charon: [ ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
Aug 17 12:15:57 Peer1 info charon: [ NET] sending packet: from 172.16.0.4[500] to 172.16.0.24[500] (367 bytes)
Aug 17 12:15:57 Peer1 info charon: [ NET] received packet: from 172.16.0.24[500] to 172.16.0.4[500] (419 bytes)
Aug 17 12:15:57 Peer1 info charon: [ ENC] parsed AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V ]
Aug 17 12:15:57 Peer1 info charon: [ IKE] received XAuth vendor ID
Aug 17 12:15:57 Peer1 info charon: [ IKE] received DPD vendor ID
Aug 17 12:15:57 Peer1 info charon: [ IKE] received Cisco Unity vendor ID
Aug 17 12:15:57 Peer1 info charon: [ IKE] received NAT-T (RFC 3947) vendor ID
Aug 17 12:15:57 Peer1 info charon: [ IKE] IKE_SA ike1-ip4-transp[1] established between 172.16.0.4[server.garderos.com]...172.16.0.24[client.garderos.com]
Aug 17 12:15:57 Peer1 info charon: [ IKE] scheduling reauthentication in 3660s
Aug 17 12:15:57 Peer1 info charon: [ IKE] maximum IKE_SA lifetime 4200s
Aug 17 12:15:57 Peer1 info charon: [ ENC] generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
Aug 17 12:15:57 Peer1 info charon: [ NET] sending packet: from 172.16.0.4[500] to 172.16.0.24[500] (108 bytes)
Aug 17 12:15:57 Peer1 info charon: [ ENC] generating QUICK_MODE request 1928624787 [ HASH SA No KE ID ID ]
Aug 17 12:15:57 Peer1 info charon: [ NET] sending packet: from 172.16.0.4[500] to 172.16.0.24[500] (372 bytes)
Aug 17 12:15:57 Peer1 info charon: [ NET] received packet: from 172.16.0.24[500] to 172.16.0.4[500] (372 bytes)
Aug 17 12:15:57 Peer1 info charon: [ ENC] parsed QUICK_MODE response 1928624787 [ HASH SA No KE ID ID ]
Aug 17 12:15:57 Peer1 info charon: [ IKE] no acceptable traffic selectors found
Aug 17 12:15:57 Peer1 info charon: [ ENC] generating INFORMATIONAL_V1 request 3524574942 [ HASH N(NO_PROP) ]
Aug 17 12:15:57 Peer1 info charon: [ NET] sending packet: from 172.16.0.4[500] to 172.16.0.24[500] (76 bytes)
Logs (IKEv2):
Aug 17 12:28:01 Peer1 info ipsec_st[ 3730]: Starting weakSwan 5.3.2 IPsec [starter]...
Aug 17 12:28:01 Peer1 info charon: [ DMN] Starting IKE charon daemon (strongSwan 5.3.2, Linux 3.10.45, armv5teb)
Aug 17 12:28:01 Peer1 info charon: [ KNL] received netlink error: Address family not supported by protocol (97)
Aug 17 12:28:01 Peer1 info charon: [ KNL] unable to create IPv6 routing table rule
Aug 17 12:28:01 Peer1 info charon: [ CFG] loading ca certificates from '/var/etc/strongswan/ipsec.d/cacerts'
Aug 17 12:28:01 Peer1 info charon: [ CFG] loading aa certificates from '/var/etc/strongswan/ipsec.d/aacerts'
Aug 17 12:28:01 Peer1 info charon: [ CFG] loading ocsp signer certificates from '/var/etc/strongswan/ipsec.d/ocspcerts'
Aug 17 12:28:01 Peer1 info charon: [ CFG] loading attribute certificates from '/var/etc/strongswan/ipsec.d/acerts'
Aug 17 12:28:01 Peer1 info charon: [ CFG] loading crls from '/var/etc/strongswan/ipsec.d/crls'
Aug 17 12:28:01 Peer1 info charon: [ CFG] loading secrets from '/var/etc/strongswan/ipsec.secrets'
Aug 17 12:28:01 Peer1 info charon: [ CFG] loaded IKE secret for client.garderos.com
Aug 17 12:28:01 Peer1 info charon: [ LIB] loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey pem openssl fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updow
Aug 17 12:28:01 Peer1 info charon: [ JOB] spawning 32 worker threads
Aug 17 12:28:01 Peer1 info ipsec_st[ 3751]: charon (3752) started after 200 ms
Aug 17 12:28:01 Peer1 info charon: [ CFG] received stroke: add connection 'ike1-ip4-transp'
Aug 17 12:28:01 Peer1 info charon: [ CFG] added configuration 'ike1-ip4-transp'
Aug 17 12:28:01 Peer1 info charon: [ CFG] received stroke: initiate 'ike1-ip4-transp'
Aug 17 12:28:01 Peer1 info charon: [ IKE] initiating IKE_SA ike1-ip4-transp[1] to 172.16.0.24
Aug 17 12:28:01 Peer1 info charon: [ ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Aug 17 12:28:01 Peer1 info charon: [ NET] sending packet: from 172.16.0.4[500] to 172.16.0.24[500] (316 bytes)
Aug 17 12:28:01 Peer1 info charon: [ NET] received packet: from 172.16.0.24[500] to 172.16.0.4[500] (324 bytes)
Aug 17 12:28:01 Peer1 info charon: [ ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
Aug 17 12:28:01 Peer1 info charon: [ IKE] authentication of 'server.garderos.com' (myself) with pre-shared key
Aug 17 12:28:01 Peer1 info charon: [ IKE] establishing CHILD_SA ike1-ip4-transp
Aug 17 12:28:01 Peer1 info charon: [ ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(IPCOMP_SUP) N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Aug 17 12:28:01 Peer1 info charon: [ NET] sending packet: from 172.16.0.4[4500] to 172.16.0.24[4500] (284 bytes)
Aug 17 12:28:01 Peer1 info charon: [ NET] received packet: from 172.16.0.24[4500] to 172.16.0.4[4500] (244 bytes)
Aug 17 12:28:01 Peer1 info charon: [ ENC] parsed IKE_AUTH response 1 [ IDr AUTH N(IPCOMP_SUP) N(USE_TRANSP) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Aug 17 12:28:01 Peer1 info charon: [ IKE] authentication of 'client.garderos.com' with pre-shared key successful
Aug 17 12:28:01 Peer1 info charon: [ IKE] IKE_SA ike1-ip4-transp[1] established between 172.16.0.4[server.garderos.com]...172.16.0.24[client.garderos.com]
Aug 17 12:28:01 Peer1 info charon: [ IKE] scheduling reauthentication in 3660s
Aug 17 12:28:01 Peer1 info charon: [ IKE] maximum IKE_SA lifetime 4200s
Aug 17 12:28:01 Peer1 info charon: [ IKE] CHILD_SA ike1-ip4-transp{1} established with SPIs c39bc78a_i ccda98bb_o and TS 172.16.0.4/32 === 172.16.0.24/32
Aug 17 12:28:01 Peer1 info charon: [ IKE] received AUTH_LIFETIME of 3660s, scheduling reauthentication in 3120s
Aug 17 12:28:01 Peer1 info charon: [ IKE] peer supports MOBIKE
History
#1 Updated by Tobias Brunner almost 7 years ago
- Description updated (diff)
- Status changed from New to Feedback
The following issue https://wiki.strongswan.org/issues/819 may be related.
Why would you think so?
I assume this is due to the unity plugin. Do you have that plugin loaded (the plugin list is cut off so we don't see that in the log)? If you don't need it otherwise, try disabling it (or disable charon.cisco_unity in strongswan.conf). What might work too is explicitly configuring left|rightsubnet.
#2 Updated by Alexander Velkov almost 7 years ago
Hi Tobias,
Thank you for the quick reply!
Tobias Brunner wrote:
The following issue https://wiki.strongswan.org/issues/819 may be related.
Why would you think so?
Issue 819 was what I was reading before I opened this one. Noe Kunze wrote '...A couple of people have reported INVALID_ID or NO_PROPOSAL_CHOSEN errors with IKEv1...', so I thought it may be relevant.
Tobias Brunner wrote:
I assume this is due to the unity plugin. Do you have that plugin loaded (the plugin list is cut off so we don't see that in the log)? If you don't need it otherwise, try disabling it (or disable charon.cisco_unity in strongswan.conf). What might work too is explicitly configuring left|rightsubnet.
That is right, the cisco_unity plugin was loaded during my tests. I tried both of your suggestions and both of them worked for my scenario with IKEv1, great!
- Deconfiguring cisco_unity by specifying charon.cisco_unity=no in strongswan.conf on both peers solved the issue and the Child_SA successfully came UP.
- Explicitly specifying left/rightsubnet on the peers solved the issue too, even when the cisco_unity plugin is loaded and activated.
Thank you once again for the great support!
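The two fixes confirmed in this comment, written out as an added example (not the reporter's files or the project's own documentation). The /32 subnets are chosen here to match the TS the IKEv2 run negotiated (172.16.0.4/32 === 172.16.0.24/32), and the file paths assume a default install rather than the reporter's /var/etc/strongswan prefix:

```conf
# --- Fix 1: /etc/strongswan.conf on BOTH peers -------------------------
# Stop charon from sending the Cisco Unity vendor ID (the setting Tobias
# named in comment #1). The IKEv1 log above shows the responder announcing
# "Cisco Unity vendor ID"; with this off, Quick Mode completed for the reporter.
charon {
    cisco_unity = no
}

# --- Fix 2: /etc/ipsec.conf on Peer1 (swap left/right values on Peer2) --
# Pin the traffic selectors explicitly instead of letting charon derive them.
# For transport mode the selectors are the peers' own host addresses, so
# each subnet is the host /32 (assumed here; the report gives no values).
conn ike1-ip4-transp
    keyexchange=ikev1
    aggressive=yes
    type=transport
    compress=yes
    left=172.16.0.4
    leftid=@server.garderos.com
    leftsubnet=172.16.0.4/32
    leftauth=psk
    right=172.16.0.24
    rightid=@client.garderos.com
    rightsubnet=172.16.0.24/32
    rightauth=psk
    ike=3des-sha1-modp1024!
    ikelifetime=4200s
    esp=3des-sha1-modp1024!
    lifetime=3600s
    margintime=540s
    keyingtries=1
    auto=start
```

Either fix alone resolved the "no acceptable traffic selectors found" / NO_PROPOSAL_CHOSEN failure in the reporter's test; fix 2 worked even with the unity plugin still loaded.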
#3 Updated by Tobias Brunner almost 7 years ago
I assume this is due to the unity plugin. Do you have that plugin loaded (the plugin list is cut off so we don't see that in the log)? If you don't need it otherwise, try disabling it (or disable charon.cisco_unity in strongswan.conf). What might work too is explicitly configuring left|rightsubnet.
That is right, the cisco_unity plugin was loaded during my tests. I tried both of your suggestions and both of them worked for my scenario with IKEv1, great!
OK, thanks for testing. We might be able to somehow catch this in the unity plugin in the future, so it won't affect such scenarios.
#4 Updated by Alexander Velkov almost 7 years ago
OK, thanks for testing. We might be able to somehow catch this in the unity plugin in the future, so it won't affect such scenarios.
Yes, this sounds good. It is not straightforward to make the association with the unity plugin.
#5 Updated by Cornee Traas over 4 years ago
I just want to add that I had the same problem. I disabled the unity plugin and the problem went away.
But this solution, found here, was extremely difficult to find, and impossible to implement for a novice user only using the networkmanager GUIs.
The last reply may be over 2 years old, but it's a problem that is still occurring, with probably many users not being able to find a solution.
I suggest that, if the people with the skills to implement a proper solution are absent or otherwise busy, at least a band-aid should be put in place.
This could be putting the exact error message and solution in the wiki, or disabling the unity plugin by default.