Bug #1068

strongswan 5.3.2 and IKEv1 in transport mode causes NO_PROPOSAL_CHOSEN error

Added by Alexander Velkov about 5 years ago. Updated almost 3 years ago.

Status: Feedback
Priority: Normal
Assignee: -
Category: charon
Target version: -
Start date: 17.08.2015
Due date:
Estimated time:
Affected version: 5.3.2
Resolution:

Description

Hello,

I am trying to configure an IPsec tunnel between two peers (both running strongSwan 5.3.2) in transport mode.
The tunnel between the peers is successfully established with IKEv2 (IKE_SA=UP + Child_SA=UP) but not with IKEv1 (IKE_SA=UP + Child_SA=DOWN).
The following issue https://wiki.strongswan.org/issues/819 may be related.

ipsec.conf for Peer1:

conn ike1-ip4-transp
        # swap left and right for Peer2
        left=172.16.0.4
        right=172.16.0.24
        leftauth=psk
        rightauth=psk
        # swap leftid and rightid for Peer2
        leftid=@server.garderos.com
        rightid=@client.garderos.com
        aggressive=yes
        auto=start
        keyingtries=1
        # with keyexchange=ikev2 the tunnel is established!
        keyexchange=ikev1
        compress=yes
        type=transport
        margintime=540s
        ike=3des-sha1-modp1024!
        ikelifetime=4200s
        esp=3des-sha1-modp1024!
        lifetime=3600s

Logs (IKEv1):
Aug 17 12:15:56 Peer1 info  ipsec_st[ 3389]: Starting weakSwan 5.3.2 IPsec [starter]...
Aug 17 12:15:56 Peer1 info  charon: [  DMN] Starting IKE charon daemon (strongSwan 5.3.2, Linux 3.10.45, armv5teb)
Aug 17 12:15:56 Peer1 info  charon: [  KNL] received netlink error: Address family not supported by protocol (97)
Aug 17 12:15:56 Peer1 info  charon: [  KNL] unable to create IPv6 routing table rule
Aug 17 12:15:56 Peer1 info  charon: [  CFG] loading ca certificates from '/var/etc/strongswan/ipsec.d/cacerts'
Aug 17 12:15:56 Peer1 info  charon: [  CFG] loading aa certificates from '/var/etc/strongswan/ipsec.d/aacerts'
Aug 17 12:15:56 Peer1 info  charon: [  CFG] loading ocsp signer certificates from '/var/etc/strongswan/ipsec.d/ocspcerts'
Aug 17 12:15:56 Peer1 info  charon: [  CFG] loading attribute certificates from '/var/etc/strongswan/ipsec.d/acerts'
Aug 17 12:15:56 Peer1 info  charon: [  CFG] loading crls from '/var/etc/strongswan/ipsec.d/crls'
Aug 17 12:15:56 Peer1 info  charon: [  CFG] loading secrets from '/var/etc/strongswan/ipsec.secrets'
Aug 17 12:15:56 Peer1 info  charon: [  CFG]   loaded IKE secret for client.garderos.com
Aug 17 12:15:56 Peer1 info  charon: [  LIB] loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey pem openssl fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updow
Aug 17 12:15:56 Peer1 info  charon: [  JOB] spawning 32 worker threads
Aug 17 12:15:56 Peer1 info  ipsec_st[ 3402]: charon (3403) started after 200 ms
Aug 17 12:15:56 Peer1 info  charon: [  CFG] received stroke: add connection 'ike1-ip4-transp'
Aug 17 12:15:56 Peer1 info  charon: [  CFG] added configuration 'ike1-ip4-transp'
Aug 17 12:15:56 Peer1 info  charon: [  CFG] received stroke: initiate 'ike1-ip4-transp'
Aug 17 12:15:56 Peer1 info  charon: [  IKE] initiating Aggressive Mode IKE_SA ike1-ip4-transp[1] to 172.16.0.24
Aug 17 12:15:57 Peer1 info  charon: [  ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
Aug 17 12:15:57 Peer1 info  charon: [  NET] sending packet: from 172.16.0.4[500] to 172.16.0.24[500] (367 bytes)
Aug 17 12:15:57 Peer1 info  charon: [  NET] received packet: from 172.16.0.24[500] to 172.16.0.4[500] (419 bytes)
Aug 17 12:15:57 Peer1 info  charon: [  ENC] parsed AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V ]
Aug 17 12:15:57 Peer1 info  charon: [  IKE] received XAuth vendor ID
Aug 17 12:15:57 Peer1 info  charon: [  IKE] received DPD vendor ID
Aug 17 12:15:57 Peer1 info  charon: [  IKE] received Cisco Unity vendor ID
Aug 17 12:15:57 Peer1 info  charon: [  IKE] received NAT-T (RFC 3947) vendor ID
Aug 17 12:15:57 Peer1 info  charon: [  IKE] IKE_SA ike1-ip4-transp[1] established between 172.16.0.4[server.garderos.com]...172.16.0.24[client.garderos.com]
Aug 17 12:15:57 Peer1 info  charon: [  IKE] scheduling reauthentication in 3660s
Aug 17 12:15:57 Peer1 info  charon: [  IKE] maximum IKE_SA lifetime 4200s
Aug 17 12:15:57 Peer1 info  charon: [  ENC] generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
Aug 17 12:15:57 Peer1 info  charon: [  NET] sending packet: from 172.16.0.4[500] to 172.16.0.24[500] (108 bytes)
Aug 17 12:15:57 Peer1 info  charon: [  ENC] generating QUICK_MODE request 1928624787 [ HASH SA No KE ID ID ]
Aug 17 12:15:57 Peer1 info  charon: [  NET] sending packet: from 172.16.0.4[500] to 172.16.0.24[500] (372 bytes)
Aug 17 12:15:57 Peer1 info  charon: [  NET] received packet: from 172.16.0.24[500] to 172.16.0.4[500] (372 bytes)
Aug 17 12:15:57 Peer1 info  charon: [  ENC] parsed QUICK_MODE response 1928624787 [ HASH SA No KE ID ID ]
Aug 17 12:15:57 Peer1 info  charon: [  IKE] no acceptable traffic selectors found
Aug 17 12:15:57 Peer1 info  charon: [  ENC] generating INFORMATIONAL_V1 request 3524574942 [ HASH N(NO_PROP) ]
Aug 17 12:15:57 Peer1 info  charon: [  NET] sending packet: from 172.16.0.4[500] to 172.16.0.24[500] (76 bytes)

Logs (IKEv2):
Aug 17 12:28:01 Peer1 info  ipsec_st[ 3730]: Starting weakSwan 5.3.2 IPsec [starter]...
Aug 17 12:28:01 Peer1 info  charon: [  DMN] Starting IKE charon daemon (strongSwan 5.3.2, Linux 3.10.45, armv5teb)
Aug 17 12:28:01 Peer1 info  charon: [  KNL] received netlink error: Address family not supported by protocol (97)
Aug 17 12:28:01 Peer1 info  charon: [  KNL] unable to create IPv6 routing table rule
Aug 17 12:28:01 Peer1 info  charon: [  CFG] loading ca certificates from '/var/etc/strongswan/ipsec.d/cacerts'
Aug 17 12:28:01 Peer1 info  charon: [  CFG] loading aa certificates from '/var/etc/strongswan/ipsec.d/aacerts'
Aug 17 12:28:01 Peer1 info  charon: [  CFG] loading ocsp signer certificates from '/var/etc/strongswan/ipsec.d/ocspcerts'
Aug 17 12:28:01 Peer1 info  charon: [  CFG] loading attribute certificates from '/var/etc/strongswan/ipsec.d/acerts'
Aug 17 12:28:01 Peer1 info  charon: [  CFG] loading crls from '/var/etc/strongswan/ipsec.d/crls'
Aug 17 12:28:01 Peer1 info  charon: [  CFG] loading secrets from '/var/etc/strongswan/ipsec.secrets'
Aug 17 12:28:01 Peer1 info  charon: [  CFG]   loaded IKE secret for client.garderos.com
Aug 17 12:28:01 Peer1 info  charon: [  LIB] loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey pem openssl fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updow
Aug 17 12:28:01 Peer1 info  charon: [  JOB] spawning 32 worker threads
Aug 17 12:28:01 Peer1 info  ipsec_st[ 3751]: charon (3752) started after 200 ms
Aug 17 12:28:01 Peer1 info  charon: [  CFG] received stroke: add connection 'ike1-ip4-transp'
Aug 17 12:28:01 Peer1 info  charon: [  CFG] added configuration 'ike1-ip4-transp'
Aug 17 12:28:01 Peer1 info  charon: [  CFG] received stroke: initiate 'ike1-ip4-transp'
Aug 17 12:28:01 Peer1 info  charon: [  IKE] initiating IKE_SA ike1-ip4-transp[1] to 172.16.0.24
Aug 17 12:28:01 Peer1 info  charon: [  ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Aug 17 12:28:01 Peer1 info  charon: [  NET] sending packet: from 172.16.0.4[500] to 172.16.0.24[500] (316 bytes)
Aug 17 12:28:01 Peer1 info  charon: [  NET] received packet: from 172.16.0.24[500] to 172.16.0.4[500] (324 bytes)
Aug 17 12:28:01 Peer1 info  charon: [  ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
Aug 17 12:28:01 Peer1 info  charon: [  IKE] authentication of 'server.garderos.com' (myself) with pre-shared key
Aug 17 12:28:01 Peer1 info  charon: [  IKE] establishing CHILD_SA ike1-ip4-transp
Aug 17 12:28:01 Peer1 info  charon: [  ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(IPCOMP_SUP) N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Aug 17 12:28:01 Peer1 info  charon: [  NET] sending packet: from 172.16.0.4[4500] to 172.16.0.24[4500] (284 bytes)
Aug 17 12:28:01 Peer1 info  charon: [  NET] received packet: from 172.16.0.24[4500] to 172.16.0.4[4500] (244 bytes)
Aug 17 12:28:01 Peer1 info  charon: [  ENC] parsed IKE_AUTH response 1 [ IDr AUTH N(IPCOMP_SUP) N(USE_TRANSP) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Aug 17 12:28:01 Peer1 info  charon: [  IKE] authentication of 'client.garderos.com' with pre-shared key successful
Aug 17 12:28:01 Peer1 info  charon: [  IKE] IKE_SA ike1-ip4-transp[1] established between 172.16.0.4[server.garderos.com]...172.16.0.24[client.garderos.com]
Aug 17 12:28:01 Peer1 info  charon: [  IKE] scheduling reauthentication in 3660s
Aug 17 12:28:01 Peer1 info  charon: [  IKE] maximum IKE_SA lifetime 4200s
Aug 17 12:28:01 Peer1 info  charon: [  IKE] CHILD_SA ike1-ip4-transp{1} established with SPIs c39bc78a_i ccda98bb_o and TS 172.16.0.4/32 === 172.16.0.24/32 
Aug 17 12:28:01 Peer1 info  charon: [  IKE] received AUTH_LIFETIME of 3660s, scheduling reauthentication in 3120s
Aug 17 12:28:01 Peer1 info  charon: [  IKE] peer supports MOBIKE

History

#1 Updated by Tobias Brunner about 5 years ago

  • Description updated (diff)
  • Status changed from New to Feedback

> The following issue https://wiki.strongswan.org/issues/819 may be related.

Why would you think so?

I assume this is due to the unity plugin. Do you have that plugin loaded (the plugin list is cut off so we don't see that in the log)? If you don't need it otherwise, try disabling it (or disable charon.cisco_unity in strongswan.conf). What might work too is explicitly configuring left|rightsubnet.

#2 Updated by Alexander Velkov about 5 years ago

Hi Tobias,

Thank you for the quick reply!

Tobias Brunner wrote:

> > The following issue https://wiki.strongswan.org/issues/819 may be related.
>
> Why would you think so?

Issue 819 was what I was reading before I opened this one. Noe Kunze wrote '...A couple of people have reported INVALID_ID or NO_PROPOSAL_CHOSEN errors with IKEv1...', so I thought it might be relevant.

> I assume this is due to the unity plugin. Do you have that plugin loaded (the plugin list is cut off so we don't see that in the log)? If you don't need it otherwise, try disabling it (or disable charon.cisco_unity in strongswan.conf). What might work too is explicitly configuring left|rightsubnet.

That is right, the cisco_unity plugin was loaded during my tests. I tried both of your suggestions and both of them worked for my scenario with IKEv1, great!
  • Deconfiguring cisco_unity by specifying charon.cisco_unity=no in strongswan.conf on both peers solved the issue and the Child_SA successfully came UP.
  • Explicitly specifying left/rightsubnet on the peers solved the issue too, even when the cisco_unity plugin is loaded and activated.

Thank you once again for the great support!
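The failure signature in the IKEv1 log above (a QUICK_MODE response, then "no acceptable traffic selectors found", then an INFORMATIONAL_V1 carrying N(NO_PROP)) can be picked out of a charon log automatically, together with whether the unity plugin is visible in the "loaded plugins" line. This is an added example, not code from the thread or from strongSwan; the sample log it scans is constructed from the lines quoted in this report, and the function names are my own.

```python
import re

# Constructed sample log modelled on the charon lines quoted in this report
# (the plugin list here is complete and ends in 'unity'; in the report it is cut off).
SAMPLE_LOG = """\
Aug 17 12:15:56 Peer1 info  charon: [  LIB] loaded plugins: charon aes des sha1 hmac kernel-netlink stroke updown unity
Aug 17 12:15:56 Peer1 info  charon: [  IKE] initiating Aggressive Mode IKE_SA ike1-ip4-transp[1] to 172.16.0.24
Aug 17 12:15:57 Peer1 info  charon: [  IKE] IKE_SA ike1-ip4-transp[1] established between 172.16.0.4[server.garderos.com]...172.16.0.24[client.garderos.com]
Aug 17 12:15:57 Peer1 info  charon: [  ENC] generating QUICK_MODE request 1928624787 [ HASH SA No KE ID ID ]
Aug 17 12:15:57 Peer1 info  charon: [  ENC] parsed QUICK_MODE response 1928624787 [ HASH SA No KE ID ID ]
Aug 17 12:15:57 Peer1 info  charon: [  IKE] no acceptable traffic selectors found
Aug 17 12:15:57 Peer1 info  charon: [  ENC] generating INFORMATIONAL_V1 request 3524574942 [ HASH N(NO_PROP) ]
"""

INITIATE_RE = re.compile(r"initiating (Aggressive|Main) Mode IKE_SA (\S+)\[(\d+)\] to (\S+)")
PLUGINS_RE = re.compile(r"loaded plugins: (.*)$")

def loaded_plugins(log_text):
    """Plugin names from the '[LIB] loaded plugins:' line; syslog may have truncated it."""
    for line in log_text.splitlines():
        m = PLUGINS_RE.search(line)
        if m:
            return m.group(1).split()
    return []

def quick_mode_ts_failures(log_text):
    """IKEv1 SAs whose Quick Mode failed on traffic selectors, and whether NO_PROP was sent."""
    current = None
    failures = []
    for line in log_text.splitlines():
        m = INITIATE_RE.search(line)
        if m:
            current = {"mode": m.group(1), "conn": m.group(2), "peer": m.group(4)}
        elif "no acceptable traffic selectors found" in line and current:
            failures.append({**current, "no_proposal_sent": False})
        elif "INFORMATIONAL_V1" in line and "N(NO_PROP)" in line and failures:
            failures[-1]["no_proposal_sent"] = True
    return failures

def diagnose(log_text):
    """Combine both checks into the workaround this report ended with."""
    plugins = loaded_plugins(log_text)
    failures = quick_mode_ts_failures(log_text)
    if not failures:
        return {"problem": False}
    return {"problem": True, "conns": sorted({f["conn"] for f in failures}),
            # False may also mean the plugin line was cut off by syslog, as in this report
            "unity_loaded": "unity" in plugins,
            "hint": "set charon.cisco_unity = no in strongswan.conf, or set left/rightsubnet explicitly"}
```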

#3 Updated by Tobias Brunner about 5 years ago

> > I assume this is due to the unity plugin. Do you have that plugin loaded (the plugin list is cut off so we don't see that in the log)? If you don't need it otherwise, try disabling it (or disable charon.cisco_unity in strongswan.conf). What might work too is explicitly configuring left|rightsubnet.
>
> That is right, the cisco_unity plugin was loaded during my tests. I tried both of your suggestions and both of them worked for my scenario with IKEv1, great!

OK, thanks for testing. We might be able to somehow catch this in the unity plugin in the future, so it won't affect such scenarios.

#4 Updated by Alexander Velkov about 5 years ago

> OK, thanks for testing. We might be able to somehow catch this in the unity plugin in the future, so it won't affect such scenarios.

Yes, this sounds good. It is not straightforward to make the association with the unity plugin.

#5 Updated by Cornee Traas almost 3 years ago

I just want to add that I had the same problem. I disabled the unity plugin and the problem went away.
But this solution, found here, was extremely difficult to find, and impossible to implement for a novice user only using the networkmanager GUIs.
The last reply may have been over 2 years ago, but it's a problem that is still occurring, with probably many users not being able to find a solution.
I suggest that, if the people with the skills to implement a proper solution are absent or otherwise busy, at least a band-aid should be put in place.
This could be putting the exact error message and solution in the wiki, or disabling the unity plugin by default.
