Issue #3074
Swanctl - No Proposal chosen - manual start / restart works
Description
Hi,
Googled this to death and have been going through the Wiki but cannot find an answer. Have a working VPN between Cisco ASA and Swanctl. However, once the tunnel has timed out the only way to get it back (or to start it in the first place) is to restart (start) it manually.
Error when not working.
May 29 07:30:41 swanctl-vpn-aj ipsec[1086]: 12[IKE] no IKE config found for 192.168.210.4...194.70.246.245, sending NO_PROPOSAL_CHOSEN
May 29 07:30:41 swanctl-vpn-aj ipsec[1086]: 12[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
May 29 07:30:41 swanctl-vpn-aj ipsec[1086]: 12[NET] sending packet: from 192.168.210.4[500] to 194.70.246.245[500] (36 bytes)
May 29 07:30:41 swanctl-vpn-aj ipsec[1086]: 14[NET] received packet: from 194.70.246.245[500] to 192.168.210.4[500] (870 bytes)
May 29 07:30:41 swanctl-vpn-aj ipsec[1086]: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) V
To bring it up from the Swanctl end:
swanctl -q
swanctl -i -c net-net
I've tried dpd_actions and the commands which don't work for strongswan such as auto=start
Here is my code.
include conf.d/*.conf
include /etc/strongswan/*.conf

connections {
    a2a {
        local_addrs = 192.168.210.4
        remote_addrs = 194.70.246.245
        local {
            auth = psk
            id = 192.168.210.4
        }
        remote {
            auth = psk
            id = 194.70.246.245
        }
        children {
            net-net {
                local_ts = 192.168.210.0/24
                remote_ts = 10.1.0.0/16
                start_action = trap
                updown = /usr/local/libexec/ipsec/_updown iptables
                rekey_time = 5400
                rekey_bytes = 500000000
                rekey_packets = 1000000
                #start_action = trap
                esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
                dpd_action = restart
            }
        }
        version = 2
        mobike = no
        reauth_time = 10800
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
    }
}

secrets {
    #ike-secret {
    ike-a2a {
        id = 192.168.210.4
I've also been playing with strongswan.conf as I've seen references to that.
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf

swanctl {
    load = pem pkcs1 x509 revocation constraints pubkey openssl random
}

charon-systemd {
    load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
}

start-scripts {
    creds = /usr/local/sbin/swanctl --load-creds
    conns = /usr/local/sbin/swanctl --load-conns
    pools = /usr/local/sbin/swanctl --load-pools
}

filelog {
    /var/log/charon.log {
        flush_line = yes
    }
Any help greatly appreciated... as I've run out of ideas.
thanks
alex
History
#1 Updated by Tobias Brunner over 6 years ago
- Description updated (diff)
- Category changed from swanctl to configuration
- Status changed from New to Feedback
- Assignee deleted (alex johnson)
However once the tunnel has timed out
What exactly does that mean?
May 29 07:30:41 swanctl-vpn-aj ipsec[1086]: 12[IKE] no IKE config found for 192.168.210.4...194.70.246.245, sending NO_PROPOSAL_CHOSEN
This indicates the config is not loaded when the peer tries to contact your host (or the loaded config doesn't match, based on the IKE version and IP addresses, for some reason). So make sure the config is actually there.
I've also been playing with strongswan.conf as I've seen references to that.
That might not be the best idea if you don't know what you are doing. Also, don't use dpd_action=restart with start_action=trap, the latter will automatically create the SAs again if matching traffic hits the trap policies (if both are set this might result in duplicate SAs).
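Added example, not from this thread and not part of strongSwan: a POSIX sh check that does the "make sure the config is actually there" step by pulling the local...remote pairs out of the "no IKE config found" log lines and comparing them with the connections swanctl lists as loaded. The log lines and the swanctl --list-conns listing are constructed samples in the shape of the output quoted in the issue.

```shell
# Added example, not from the thread: cross-check "no IKE config found" events
# in a charon log against what "swanctl --list-conns" reports as loaded. Both
# inputs below are constructed samples; feed real journal/swanctl output instead.
# Constructed log lines in the format quoted in the issue.
SAMPLE_LOG='May 29 07:30:41 swanctl-vpn-aj ipsec[1086]: 12[IKE] no IKE config found for 192.168.210.4...194.70.246.245, sending NO_PROPOSAL_CHOSEN
May 29 07:30:41 swanctl-vpn-aj ipsec[1086]: 12[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
May 29 07:31:02 swanctl-vpn-aj ipsec[1086]: 14[IKE] no IKE config found for 192.168.210.4...203.0.113.9, sending NO_PROPOSAL_CHOSEN
May 29 07:32:15 swanctl-vpn-aj ipsec[1086]: 09[IKE] no IKE config found for 192.168.210.4...194.70.246.245, sending NO_PROPOSAL_CHOSEN'
# Constructed "swanctl --list-conns" output: only the a2a connection is loaded.
SAMPLE_CONNS='a2a: IKEv2, no reauthentication, rekeying every 14400s
  local:  192.168.210.4
  remote: 194.70.246.245
  net-net: TUNNEL, rekeying every 5400s
    local:  192.168.210.0/24
    remote: 10.1.0.0/16'
# Print "LOCAL REMOTE" for every line where charon rejected a peer because
# no IKE config matched the address pair.
rejected_pairs() {
    printf '%s\n' "$1" | awk '
        /no IKE config found for/ {
            for (i = 1; i <= NF; i++) if ($i == "for") pair = $(i + 1)
            sub(/,$/, "", pair)                 # "L...R," -> "L...R"
            n = index(pair, "...")
            print substr(pair, 1, n - 1), substr(pair, n + 3)
        }'
}
# Exit 0 if a loaded connection's IKE addresses cover the pair (%any matches
# anything), 1 otherwise. Only the first local:/remote: lines under a
# connection are IKE addresses; later ones are child selectors and are skipped.
conn_covers() {
    printf '%s\n' "$1" | awk -v l="$2" -v r="$3" '
        /^[^ ]/ { loc = ""; rem = "" }
        $1 == "local:"  && loc == "" { loc = $2 }
        $1 == "remote:" && rem == "" {
            rem = $2
            if ((loc == l || loc == "%any") && (rem == r || rem == "%any")) found = 1
        }
        END { exit found ? 0 : 1 }'
}
# List each distinct rejected pair that no loaded connection covers.
missing_configs() {
    rejected_pairs "$1" | sort -u | while read -r loc rem; do
        conn_covers "$2" "$loc" "$rem" || printf '%s...%s\n' "$loc" "$rem"
    done
}
missing_configs "$SAMPLE_LOG" "$SAMPLE_CONNS"
```

With the samples above the only pair reported is 192.168.210.4...203.0.113.9; on a live host an empty result means the rejected peers do have a loaded connection and the mismatch is elsewhere (IKE version, identities, or the config being loaded after the peer's attempt).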
#2 Updated by alex johnson over 6 years ago
Hi
Thanks for the reply.
I meant if I bring the tunnel up manually it works fine. If I then walk away and come back later it's down. It won't then restart without manual intervention.
If there was a mismatch in IPs or IKE versions would the tunnel come up at all? You mention the config is not loaded - how do I get it to load? This is what I thought strongswan.conf was for, as the examples online had entries such as --load-conns.
And thanks for the tip on "dpd_action", have removed it.
regards
Alex
#3 Updated by Tobias Brunner over 6 years ago
If I then walk away and come back later it's down.
That's what needs clarifying. Check the log for what happens.
It won't then restart without manual intervention.
That's strange as the trap policies should cause the automatic recreation of the SAs, unless no traps are installed anymore for some reason (again check the log and/or check the status).
If there was a mismatch in IPs or IKE versions would the tunnel come up at all?
It's possible (e.g. the local IP doesn't matter that much when initiating), but unlikely.
You mention the config is not loaded - how do I get it to load? This is what I thought strongswan.conf was for, as the examples online had entries such as --load-conns.
If you use charon-systemd the systemd unit already loads the config. You can also load it manually (which you said you did before initiating) and it also works via strongswan.conf. Doing it multiple times is probably not ideal, but shouldn't really be a problem.
#4 Updated by alex johnson over 6 years ago
Hi,
thanks for the advice.
Regarding getting the tunnel to start on boot, I'm seeing a few options:
charon {
...
start-scripts {
swanctl = /usr/sbin/swanctl -q
}
...
}
start-scripts {
creds = /usr/local/sbin/swanctl --load-creds
conns = /usr/local/sbin/swanctl --load-conns
pools = /usr/local/sbin/swanctl --load-pools
}
We may have many tunnels on this server so wouldn't want to manually restart each time. Or have to add into one of the scripts the name of the Child SA each time a restart is done.
Again, many thanks for the help.
regards
Alex
#5 Updated by Tobias Brunner almost 6 years ago
- Status changed from Feedback to Closed
- Assignee set to Tobias Brunner
- Resolution set to No change required