Issue #3277

StrongSwan tunnel to GCP Cloud VPN gateway, NO_PROPOSAL_CHOSEN in IKE SA

Added by Pedro Rigotti 11 months ago. Updated about 1 month ago.

Status: Closed
Priority: Normal
Assignee: -
Category: configuration
Affected version: 5.6.2
Resolution: No feedback

Description

Hi,

I'm working on setting up a GCP VPC peering with a VPN.
As GCP's Cloud VPN service supports IKEv2, I've decided to test it with strongSwan + BIRD (to support BGP, as I might need HA), both configured in a DigitalOcean droplet.
After going through [[https://cloud.google.com/community/tutorials/using-cloud-vpn-with-strongswan]], I haven't been able to get past phase 1, as the following log states:

Nov 21 13:57:12 ubuntu-s-4vcpu-8gb-sfo2-01 charon[8954]: 03[NET] received packet: from 35.x.x.x[500] to 159.x.x.x[500]
Nov 21 13:57:12 ubuntu-s-4vcpu-8gb-sfo2-01 charon[8954]: 03[NET] waiting for data on sockets
Nov 21 13:57:12 ubuntu-s-4vcpu-8gb-sfo2-01 charon[8954]: 05[MGR] checkout IKEv2 SA by message with SPIs 41ca4f7369784af1_i 0000000000000000_r
Nov 21 13:57:12 ubuntu-s-4vcpu-8gb-sfo2-01 charon[8954]: 05[MGR] created IKE_SA (unnamed)[2638]
Nov 21 13:57:12 ubuntu-s-4vcpu-8gb-sfo2-01 charon[8954]: 05[NET] received packet: from 35.x.x.x[500] to 159.x.x.x[500] (892 bytes)
Nov 21 13:57:12 ubuntu-s-4vcpu-8gb-sfo2-01 charon[8954]: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Nov 21 13:57:12 ubuntu-s-4vcpu-8gb-sfo2-01 charon[8954]: 05[CFG] looking for an ike config for 159.x.x.x...35.x.x.x
Nov 21 13:57:12 ubuntu-s-4vcpu-8gb-sfo2-01 charon[8954]: 05[IKE] no IKE config found for 159.x.x.x...35.x.x.x, sending NO_PROPOSAL_CHOSEN
Nov 21 13:57:12 ubuntu-s-4vcpu-8gb-sfo2-01 charon[8954]: 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Nov 21 13:57:12 ubuntu-s-4vcpu-8gb-sfo2-01 charon[8954]: 05[NET] sending packet: from 159.x.x.x[500] to 35.x.x.x[500] (36 bytes)
Nov 21 13:57:12 ubuntu-s-4vcpu-8gb-sfo2-01 charon[8954]: 05[MGR] checkin and destroy IKE_SA (unnamed)[2638]
Nov 21 13:57:12 ubuntu-s-4vcpu-8gb-sfo2-01 charon[8954]: 05[IKE] IKE_SA (unnamed)[2638] state change: CREATED => DESTROYING
Nov 21 13:57:12 ubuntu-s-4vcpu-8gb-sfo2-01 charon[8954]: 05[MGR] checkin and destroy of IKE_SA successful
Nov 21 13:57:12 ubuntu-s-4vcpu-8gb-sfo2-01 charon[8954]: 04[NET] sending packet: from 159.x.x.x[500] to 35.x.x.x[500]

Cloud VPN setup was pretty straightforward, so I believe there's some misconfiguration with strongSwan and/or BIRD that I can't find, although the latter displays no error logs.

conn %default
    ikelifetime=600m
    keylife=180m
    rekeymargin=3m
    keyingtries=3
    keyexchange=ikev2
    mobike=no
    ike=aes256gcm16-sha512-modp4096
    esp=aes256gcm16-sha512-modp8192
    authby=psk

conn net-net
    leftupdown="/var/lib/strongswan/ipsec-vti.sh 0 169.254.3.1/30 169.254.3.2/30" # Script can be found in the linked guide
    left=35.x.x.x # DigitalOcean droplet running both strongSwan and BIRD external IP address
    leftid=35.x.x.x # Same as above
    leftsubnet=0.0.0.0/0
    leftauth=psk
    right=35.x.x.x # Cloud VPN gateway IP address
    rightid=35.x.x.x # Same as above
    rightsubnet=0.0.0.0/0
    rightauth=psk
    type=tunnel
    auto=start
    dpdaction=restart
    closeaction=restart
    mark=%unique

Ciphers and DH groups are set according to GCP's recommended ones.
Ports 500 and 4500 are accepting UDP connections.
ESP traffic should be forwarded, although I've seen comments on issues with that in DigitalOcean without official sources.
Using strongSwan v5.6.2 and BIRD v1.6.3.

I'd appreciate any help you can give me.

History

#1 Updated by Vladimir Smirnov 7 months ago

Pedro Rigotti wrote:

Hi,

I'm working on setting up a GCP VPC peering with a VPN.
As GCP's Cloud VPN service supports IKEv2, I've decided to test it with strongSwan + BIRD (to support BGP, as I might need HA), both configured in a DigitalOcean droplet.
After going through [[https://cloud.google.com/community/tutorials/using-cloud-vpn-with-strongswan]], I haven't been able to get past phase 1, as the following log states:

[...]

Cloud VPN setup was pretty straightforward, so I believe there's some misconfiguration with strongSwan and/or BIRD that I can't find, although the latter displays no error logs.

[...]

Ciphers and DH groups are set according to GCP's recommended ones.
Ports 500 and 4500 are accepting UDP connections.
ESP traffic should be forwarded, although I've seen comments on issues with that in DigitalOcean without official sources.
Using strongSwan v5.6.2 and BIRD v1.6.3.

I'd appreciate any help you can give me.

This log line actually tells what the problem with the current configuration is:

"Nov 21 13:57:12 ubuntu-s-4vcpu-8gb-sfo2-01 charon[8954]: 05[IKE] no IKE config found for 159.x.x.x...35.x.x.x, sending NO_PROPOSAL_CHOSEN"

This means that there is no configuration loaded that has a matching rightid and leftid.

In your config you've specified left as 35.x.x.x, but in the logs you are sending packets from 159.x.x.x; that could be the problem here.

Anyway, I'd suggest increasing strongSwan's log level and having a look at the matching decision there (what it tried to match, which config was loaded, etc.).

It could be that, in the distro and version you have, the connection file must be placed in another directory or something like that, as the guide was based on Debian 10 and on the directory layout of strongSwan from Debian's repos. I wouldn't be surprised if other distros have their own understanding of the perfect layout and default include paths.

Also please note that some hosting and cloud providers do not allow VMs to act as a router, so if you need to access other VMs, you might want to look at DigitalOcean's documentation and restrictions or even ask their support if this is something they support.

#2 Updated by Tobias Brunner 7 months ago

  • Status changed from New to Feedback

This log line actually tells what the problem with the current configuration is:
[...]

This means that there is no configuration loaded that has a matching rightid and leftid.

Actually, no. To find an IKE config only the IP addresses, IKE version, and, with newer releases, the IKE proposals are relevant. The identities are used later to select a peer config.
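The selection rule Tobias describes, applied to the log line and the ipsec.conf from the description, as an added example that is not part of the thread and not strongSwan's own code. It is a deliberately simplified model of charon's ike_cfg lookup: a config is a candidate only if its left/right addresses cover the packet's local/remote addresses, the IKE version matches and (as in newer releases) at least one IKE proposal overlaps; leftid/rightid are carried but never consulted, because they only matter for the peer config after IKE_AUTH. The log line and addresses are constructed (RFC 5737 documentation addresses stand in for the redacted 159.x.x.x droplet and 35.x.x.x gateway), and proposal matching is done on whole proposal strings rather than per algorithm, which is an assumption of this model.

```python
import ipaddress
import re
from dataclasses import dataclass

ANY = "%any"

# Constructed charon line in the same format as the one quoted in the issue.
# 198.51.100.10 stands in for the droplet (159.x.x.x), 203.0.113.20 for the
# Cloud VPN gateway (35.x.x.x).
LOG_LINE = ("Nov 21 13:57:12 host charon[8954]: 05[CFG] looking for an ike "
            "config for 198.51.100.10...203.0.113.20")

LOOKUP_RE = re.compile(r"looking for an ike config for (\S+?)\.\.\.(\S+)")


def parse_lookup(line):
    """Return (local, remote) from a '[CFG] looking for an ike config' line."""
    m = LOOKUP_RE.search(line)
    if not m:
        raise ValueError("not an ike config lookup line")
    return m.group(1), m.group(2)


@dataclass(frozen=True)
class IkeCfg:
    name: str
    left: str            # local address, CIDR, or %any
    right: str           # remote address, CIDR, or %any
    version: int         # 2 for keyexchange=ikev2
    ike: frozenset       # IKE proposals as strings (model simplification)
    leftid: str = ""     # present in ipsec.conf, irrelevant for ike_cfg lookup
    rightid: str = ""


def addr_matches(cfg_addr, pkt_addr):
    """%any matches anything; otherwise the packet address must fall in the
    configured address/CIDR. %defaultroute and hostnames are not resolved here."""
    if cfg_addr == ANY:
        return True
    try:
        return ipaddress.ip_address(pkt_addr) in ipaddress.ip_network(cfg_addr, strict=False)
    except ValueError:
        return False


def find_ike_cfg(configs, local, remote, version, peer_proposals):
    """Most specific config whose addresses, IKE version and proposals fit the
    IKE_SA_INIT. Identities are deliberately ignored, as Tobias explains."""
    best, best_score = None, -1
    for cfg in configs:
        if cfg.version != version:
            continue
        if not (addr_matches(cfg.left, local) and addr_matches(cfg.right, remote)):
            continue
        if not cfg.ike & frozenset(peer_proposals):
            continue
        score = (cfg.left != ANY) + (cfg.right != ANY)  # prefer fixed addresses
        if score > best_score:
            best, best_score = cfg, score
    return best


def ike_sa_init_response(configs, log_line, version=2,
                         peer_proposals=("aes256gcm16-sha512-modp4096",)):
    """Reproduce charon's decision: matched config name, or NO_PROPOSAL_CHOSEN."""
    local, remote = parse_lookup(log_line)
    cfg = find_ike_cfg(configs, local, remote, version, peer_proposals)
    return cfg.name if cfg else "NO_PROPOSAL_CHOSEN"


PROPS = frozenset({"aes256gcm16-sha512-modp4096"})

# As posted: 'left' carries the gateway address, not the droplet's own.
AS_POSTED = [IkeCfg("net-net", "203.0.113.20", "203.0.113.20", 2, PROPS,
                    leftid="203.0.113.20", rightid="203.0.113.20")]
# Corrected: 'left' is the address the IKE_SA_INIT actually arrived on.
CORRECTED = [IkeCfg("net-net", "198.51.100.10", "203.0.113.20", 2, PROPS)]
# Correct identities alone do not rescue a wrong 'left' address.
IDS_ONLY = [IkeCfg("net-net", "203.0.113.20", "203.0.113.20", 2, PROPS,
                   leftid="198.51.100.10", rightid="203.0.113.20")]
# Right addresses but no overlapping IKE proposal.
BAD_PROPOSAL = [IkeCfg("net-net", "198.51.100.10", "203.0.113.20", 2,
                       frozenset({"aes128-sha256-modp2048"}))]

if __name__ == "__main__":
    for label, cfgs in [("as posted", AS_POSTED), ("corrected", CORRECTED),
                        ("ids only", IDS_ONLY), ("bad proposal", BAD_PROPOSAL)]:
        print(f"{label:12s} -> {ike_sa_init_response(cfgs, LOG_LINE)}")
```

Run as-is, the "as posted" and "ids only" cases come out as NO_PROPOSAL_CHOSEN and only "corrected" yields net-net, which is the point of Tobias's reply: at IKE_SA_INIT time charon has no identities to compare, so a `left` that does not cover the address the packet arrived on (159.x.x.x in the issue's log) cannot match, whatever leftid/rightid say. On a real host, raising the cfg log level (for example `charondebug="cfg 2"` in the `config setup` section of ipsec.conf) makes charon log the candidate configs it considered, which is the check Vladimir suggests.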

#3 Updated by Tobias Brunner about 1 month ago

  • Status changed from Feedback to Closed
  • Resolution set to No feedback
