Issue #676

OSX Native Client (Racoon) --> Strongswan Server "no IKE config found for 10.0.0.135...XX.XXX.XXX.X, sending NO_PROPOSAL_CHOSEN"

Added by Matthew Pilon about 6 years ago. Updated almost 6 years ago.

Status:
Closed
Priority:
Normal
Category:
charon
Affected version:
5.2.0
Resolution:
No change required

Description

Hi Andreas-

I am assigning my issue to you because I see you reply often--if that is inappropriate somehow, I apologize. Hopefully someone who knows more about what they are doing can take one look at this and save me from more weeks of surfing wikis and beating my head against the wall :)

I am attempting to connect an OSX Native Client (using Racoon) to my server running self-compiled Strongswan 5.2.0 on Ubuntu Trusty 14.04.

I would rather not mess with the Racoon configuration because I would like to be able to distribute credentials to folks on OSX and not require extensive client configuration, but I am willing to mess with that if necessary.

I believe my certificates are generated/installed correctly and I am attempting "xauthrsasig" authentication.

I have attempted to add encryption settings to match Racoon (aes-sha1-modp1024) for "ike" and "esp" parameters but that is to no avail in obtaining a connection.

Here is my server config, following as closely to the documentation as possible:

conn osx
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    leftcert=serverCert.pem
    leftsendcert=always
    right=%any
    rightsubnet=192.168.0.0/24
    rightsourceip=192.168.0.14
    rightcert=clientCert.pem
    rightauth=pubkey
    rightauth=psk
    auto=add

Here is the syslog from the Strongswan server from Ipsec start to end of failed connection:

Aug 14 15:16:03 ip-10-0-0-135 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.0, Linux 3.13.0-29-generic, x86_64)
Aug 14 15:16:03 ip-10-0-0-135 charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Aug 14 15:16:03 ip-10-0-0-135 charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Aug 14 15:16:03 ip-10-0-0-135 charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Aug 14 15:16:03 ip-10-0-0-135 charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Aug 14 15:16:03 ip-10-0-0-135 charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Aug 14 15:16:03 ip-10-0-0-135 charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Aug 14 15:16:03 ip-10-0-0-135 charon: 00[CFG]   loaded RSA private key from '/usr/local/etc/ipsec.d/private/serverKey.pem'
Aug 14 15:16:03 ip-10-0-0-135 charon: 00[CFG]   loaded EAP secret for mpilon
Aug 14 15:16:03 ip-10-0-0-135 charon: 00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic xauth-eap unity
Aug 14 15:16:03 ip-10-0-0-135 charon: 00[LIB] unable to load 3 plugin features (3 due to unmet dependencies)
Aug 14 15:16:03 ip-10-0-0-135 charon: 00[JOB] spawning 16 worker threads
Aug 14 15:17:01 ip-10-0-0-135 CRON[414]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Aug 14 15:17:36 ip-10-0-0-135 charon: 05[NET] received packet: from XX.XXX.XXX.X[500] to 10.X.X.XXX[500] (500 bytes)
Aug 14 15:17:36 ip-10-0-0-135 charon: 05[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V ]
Aug 14 15:17:36 ip-10-0-0-135 charon: 05[IKE] no IKE config found for 10.X.X.XXX...XX.XXX.XXX.X, sending NO_PROPOSAL_CHOSEN
Aug 14 15:17:36 ip-10-0-0-135 charon: 05[ENC] generating INFORMATIONAL_V1 request 856728090 [ N(NO_PROP) ]
Aug 14 15:17:36 ip-10-0-0-135 charon: 05[NET] sending packet: from 10.X.X.XXX[500] to XX.XXX.XXX.X[500] (40 bytes)
Aug 14 15:17:36 ip-10-0-0-135 charon: 05[IKE] IKE_SA (unnamed)[1] state change: CREATED => DESTROYING
Aug 14 15:17:40 ip-10-0-0-135 charon: 10[NET] received packet: from XX.XXX.XXX.X[500] to 10.X.X.XXX[500] (500 bytes)
Aug 14 15:17:40 ip-10-0-0-135 charon: 10[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V ]
Aug 14 15:17:40 ip-10-0-0-135 charon: 10[IKE] no IKE config found for 10.X.X.XXX...XX.XXX.XXX.X, sending NO_PROPOSAL_CHOSEN
Aug 14 15:17:40 ip-10-0-0-135 charon: 10[ENC] generating INFORMATIONAL_V1 request 2569808815 [ N(NO_PROP) ]
Aug 14 15:17:40 ip-10-0-0-135 charon: 10[NET] sending packet: from 10.X.X.XXX[500] to XX.XXX.XXX.X[500] (40 bytes)
Aug 14 15:17:40 ip-10-0-0-135 charon: 10[IKE] IKE_SA (unnamed)[2] state change: CREATED => DESTROYING
Aug 14 15:17:42 ip-10-0-0-135 charon: 11[NET] received packet: from XX.XXX.XXX.X[500] to 10.X.X.XXX[500] (500 bytes)
Aug 14 15:17:42 ip-10-0-0-135 charon: 11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V ]
Aug 14 15:17:42 ip-10-0-0-135 charon: 11[IKE] no IKE config found for 10.X.X.XXX...XX.XXX.XXX.X, sending NO_PROPOSAL_CHOSEN
Aug 14 15:17:42 ip-10-0-0-135 charon: 11[ENC] generating INFORMATIONAL_V1 request 1068615913 [ N(NO_PROP) ]
Aug 14 15:17:42 ip-10-0-0-135 charon: 11[NET] sending packet: from 10.X.X.XXX[500] to XX.XXX.XXX.X[500] (40 bytes)
Aug 14 15:17:42 ip-10-0-0-135 charon: 11[IKE] IKE_SA (unnamed)[3] state change: CREATED => DESTROYING
Aug 14 15:17:45 ip-10-0-0-135 charon: 12[NET] received packet: from XX.XXX.XXX.X[500] to 10.X.X.XXX[500] (500 bytes)
Aug 14 15:17:45 ip-10-0-0-135 charon: 12[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V ]
Aug 14 15:17:45 ip-10-0-0-135 charon: 12[IKE] no IKE config found for 10.X.X.XXX...XX.XXX.XXX.X, sending NO_PROPOSAL_CHOSEN
Aug 14 15:17:45 ip-10-0-0-135 charon: 12[ENC] generating INFORMATIONAL_V1 request 3512962582 [ N(NO_PROP) ]
Aug 14 15:17:45 ip-10-0-0-135 charon: 12[NET] sending packet: from 10.X.X.XXX[500] to XX.XXX.XXX.X[500] (40 bytes)
Aug 14 15:17:45 ip-10-0-0-135 charon: 12[IKE] IKE_SA (unnamed)[4] state change: CREATED => DESTROYING

Here is the log from Racoon log from failed connection:

2014-08-14 10:17:36: [1384] INFO: racoon launched by launchd.
2014-08-14 10:17:36: [1384] DEBUG: my interface: ::1 (lo0)
2014-08-14 10:17:36: [1384] DEBUG: my interface: 127.0.0.1 (lo0)
2014-08-14 10:17:36: [1384] DEBUG: my interface: fe80::1%lo0 (lo0)
2014-08-14 10:17:36: [1384] DEBUG: my interface: fe80::3e15:c2ff:fed1:8b32%en0 (en0)
2014-08-14 10:17:36: [1384] DEBUG: my interface: 192.168.1.144 (en0)
2014-08-14 10:17:36: [1384] DEBUG: my interface: 2601:d:2480:51b:3e15:c2ff:fed1:8b32 (en0)
2014-08-14 10:17:36: [1384] DEBUG: my interface: 2601:d:2480:51b:884b:f343:40ab:5624 (en0)
2014-08-14 10:17:36: [1384] DEBUG: configuring default isakmp port.
2014-08-14 10:17:36: [1384] DEBUG: 14 addrs are configured successfully
2014-08-14 10:17:36: [1384] INFO: 2601:d:2480:51b:884b:f343:40ab:5624[500] used as isakmp port (fd=6)
2014-08-14 10:17:36: [1384] INFO: 2601:d:2480:51b:884b:f343:40ab:5624[4500] used as isakmp port (fd=8)
2014-08-14 10:17:36: [1384] INFO: 2601:d:2480:51b:3e15:c2ff:fed1:8b32[500] used as isakmp port (fd=9)
2014-08-14 10:17:36: [1384] INFO: 2601:d:2480:51b:3e15:c2ff:fed1:8b32[4500] used as isakmp port (fd=10)
2014-08-14 10:17:36: [1384] INFO: 192.168.1.144[500] used as isakmp port (fd=11)
2014-08-14 10:17:36: [1384] INFO: 192.168.1.144[4500] used as isakmp port (fd=12)
2014-08-14 10:17:36: [1384] INFO: fe80::3e15:c2ff:fed1:8b32%en0[500] used as isakmp port (fd=13)
2014-08-14 10:17:36: [1384] INFO: fe80::3e15:c2ff:fed1:8b32%en0[4500] used as isakmp port (fd=14)
2014-08-14 10:17:36: [1384] INFO: fe80::1%lo0[500] used as isakmp port (fd=15)
2014-08-14 10:17:36: [1384] INFO: fe80::1%lo0[4500] used as isakmp port (fd=16)
2014-08-14 10:17:36: [1384] INFO: 127.0.0.1[500] used as isakmp port (fd=17)
2014-08-14 10:17:36: [1384] INFO: 127.0.0.1[4500] used as isakmp port (fd=18)
2014-08-14 10:17:36: [1384] INFO: ::1[500] used as isakmp port (fd=19)
2014-08-14 10:17:36: [1384] INFO: ::1[4500] used as isakmp port (fd=20)
2014-08-14 10:17:36: [1384] DEBUG: open /var/run/racoon.sock as racoon management.
2014-08-14 10:17:36: [1384] INFO: found launchd socket.
2014-08-14 10:17:36: [1384] NOTIFY: accepted connection on vpn control socket.
2014-08-14 10:17:36: [1384] DEBUG: received bind command on vpn control socket.
2014-08-14 10:17:36: [1384] DEBUG: suitable outbound SP found: 192.168.1.144/32[64061] XX.XXX.XXX.XX/32[1701] proto=udp dir=out.
2014-08-14 10:17:36: [1384] DEBUG: suitable inbound SP found: XX.XXX.XXX.XX/32[1701] 192.168.1.144/32[64061] proto=udp dir=in.
2014-08-14 10:17:36: [1384] DEBUG: new acquire 192.168.1.144/32[64061] XX.XXX.XXX.XX/32[1701] proto=udp dir=out
2014-08-14 10:17:36: [1384] DEBUG:  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0)
2014-08-14 10:17:36: [1384] DEBUG:   (trns_id=AES encklen=256 authtype=hmac-sha)
2014-08-14 10:17:36: [1384] DEBUG:   (trns_id=AES encklen=256 authtype=hmac-md5)
2014-08-14 10:17:36: [1384] DEBUG:   (trns_id=AES encklen=128 authtype=hmac-sha)
2014-08-14 10:17:36: [1384] DEBUG:   (trns_id=AES encklen=128 authtype=hmac-md5)
2014-08-14 10:17:36: [1384] DEBUG:   (trns_id=3DES encklen=0 authtype=hmac-sha)
2014-08-14 10:17:36: [1384] DEBUG:   (trns_id=3DES encklen=0 authtype=hmac-md5)
2014-08-14 10:17:36: [1384] DEBUG: in post_acquire
2014-08-14 10:17:36: [1384] DEBUG: configuration found for XX.XXX.XXX.XX.
2014-08-14 10:17:36: [1384] DEBUG: NULL parent session.
2014-08-14 10:17:36: [1384] DEBUG: start search for IKE-Session. target XX.XXX.XXX.XX[0].
2014-08-14 10:17:36: [1384] DEBUG: New IKE-Session to XX.XXX.XXX.XX[0].
2014-08-14 10:17:36: [1384] DEBUG: new parent session.
2014-08-14 10:17:36: [1384] INFO: IPsec-SA request for XX.XXX.XXX.XX queued due to no phase1 found.
2014-08-14 10:17:36: [1384] DEBUG: start search for IKE-Session. target XX.XXX.XXX.XX[500].
2014-08-14 10:17:36: [1384] DEBUG: still search for IKE-Session. this XX.XXX.XXX.XX[0].
2014-08-14 10:17:36: [1384] DEBUG: Best-match IKE-Session to XX.XXX.XXX.XX[0].
2014-08-14 10:17:36: [1384] DEBUG: ===
2014-08-14 10:17:36: [1384] INFO: initiate new phase 1 negotiation: 192.168.1.144[500]<=>XX.XXX.XXX.XX[500]
2014-08-14 10:17:36: [1384] INFO: begin Identity Protection mode.
2014-08-14 10:17:36: [1384] DEBUG: new cookie:
386ec5c795bac746 
2014-08-14 10:17:36: [1384] DEBUG: add payload of len 224, next type 13
2014-08-14 10:17:36: [1384] DEBUG: add payload of len 16, next type 13
2014-08-14 10:17:36: [1384] DEBUG: add payload of len 16, next type 13
2014-08-14 10:17:36: [1384] DEBUG: add payload of len 16, next type 13
2014-08-14 10:17:36: [1384] DEBUG: add payload of len 16, next type 13
2014-08-14 10:17:36: [1384] DEBUG: add payload of len 16, next type 13
2014-08-14 10:17:36: [1384] DEBUG: add payload of len 16, next type 13
2014-08-14 10:17:36: [1384] DEBUG: add payload of len 16, next type 13
2014-08-14 10:17:36: [1384] DEBUG: add payload of len 16, next type 13
2014-08-14 10:17:36: [1384] DEBUG: add payload of len 16, next type 13
2014-08-14 10:17:36: [1384] DEBUG: add payload of len 16, next type 13
2014-08-14 10:17:36: [1384] DEBUG: add payload of len 20, next type 13
2014-08-14 10:17:36: [1384] DEBUG: add payload of len 16, next type 0
2014-08-14 10:17:36: [1384] DEBUG: 500 bytes from 192.168.1.144[500] to XX.XXX.XXX.XX[500]
2014-08-14 10:17:36: [1384] DEBUG: sockname 192.168.1.144[500]
2014-08-14 10:17:36: [1384] DEBUG: send packet from 192.168.1.144[500]
2014-08-14 10:17:36: [1384] DEBUG: send packet to XX.XXX.XXX.XX[500]
2014-08-14 10:17:36: [1384] DEBUG: 1 times of 500 bytes message will be sent to XX.XXX.XXX.XX[500]
2014-08-14 10:17:36: [1384] DEBUG: 
386ec5c7 95bac746 00000000 00000000 01100200 00000000 000001f4 0d0000e4
00000001 00000001 000000d8 01010006 03000024 01010000 800b0001 800c0e10
80010007 800e0100 80030003 80020002 80040002 03000024 02010000 800b0001
800c0e10 80010007 800e0100 80030003 80020001 80040002 03000024 03010000
800b0001 800c0e10 80010007 800e0080 80030003 80020002 80040002 03000024
04010000 800b0001 800c0e10 80010007 800e0080 80030003 80020001 80040002
03000020 05010000 800b0001 800c0e10 80010005 80030003 80020002 80040002
00000020 06010000 800b0001 800c0e10 80010005 80030003 80020001 80040002
0d000014 4a131c81 07035845 5c5728f2 0e95452f 0d000014 4df37928 e9fc4fd1
b3262170 d515c662 0d000014 8f8d8382 6d246b6f c7a8a6a4 28c11de8 0d000014
439b59f8 ba676c4c 7737ae22 eab8f582 0d000014 4d1e0e13 6deafa34 c4f3ea9f
02ec7285 0d000014 80d0bb3d ef54565e e84645d4 c85ce3ee 0d000014 9909b64e
ed937c65 73de52ac e952fa6b 0d000014 7d9419a6 5310ca6f 2c179d92 15529d56
0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e
086381b5 ec427b1f 0d000018 4048b7d5 6ebce885 25e7de7f 00d6c2d3 80000000
00000014 afcad713 68a1f1c9 6b8696fc 77570100
2014-08-14 10:17:36: [1384] DEBUG: resend phase1 packet 386ec5c795bac746:0000000000000000
2014-08-14 10:17:36: [1384] DEBUG: sending vpn_control phase change status
2014-08-14 10:17:36: [1384] DEBUG: vpn control writing 20 bytes
2014-08-14 10:17:36: [1384] DEBUG: 
80110000 00000000 00000000 00000004 36c14b12
2014-08-14 10:17:36: [1384] DEBUG: ===
2014-08-14 10:17:36: [1384] DEBUG: 40 bytes message received from XX.XXX.XXX.XX[500] to 192.168.1.144[500]
2014-08-14 10:17:36: [1384] DEBUG: 
386ec5c7 95bac746 1607a960 540dc224 0b100500 3310a21a 00000028 0000000c
00000001 0100000e
2014-08-14 10:17:36: [1384] DEBUG: receive Information.
2014-08-14 10:17:36: [1384] DEBUG: begin.
2014-08-14 10:17:36: [1384] DEBUG: seen nptype=11(notify)
2014-08-14 10:17:36: [1384] DEBUG: succeed.
2014-08-14 10:17:36: [1384] ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
2014-08-14 10:17:39: [1384] DEBUG: 500 bytes from 192.168.1.144[500] to XX.XXX.XXX.XX[500]
2014-08-14 10:17:39: [1384] DEBUG: sockname 192.168.1.144[500]
2014-08-14 10:17:39: [1384] DEBUG: send packet from 192.168.1.144[500]
2014-08-14 10:17:39: [1384] DEBUG: send packet to XX.XXX.XXX.XX[500]
2014-08-14 10:17:39: [1384] DEBUG: 1 times of 500 bytes message will be sent to XX.XXX.XXX.XX[500]
2014-08-14 10:17:39: [1384] DEBUG: 
386ec5c7 95bac746 00000000 00000000 01100200 00000000 000001f4 0d0000e4
00000001 00000001 000000d8 01010006 03000024 01010000 800b0001 800c0e10
80010007 800e0100 80030003 80020002 80040002 03000024 02010000 800b0001
800c0e10 80010007 800e0100 80030003 80020001 80040002 03000024 03010000
800b0001 800c0e10 80010007 800e0080 80030003 80020002 80040002 03000024
04010000 800b0001 800c0e10 80010007 800e0080 80030003 80020001 80040002
03000020 05010000 800b0001 800c0e10 80010005 80030003 80020002 80040002
00000020 06010000 800b0001 800c0e10 80010005 80030003 80020001 80040002
0d000014 4a131c81 07035845 5c5728f2 0e95452f 0d000014 4df37928 e9fc4fd1
b3262170 d515c662 0d000014 8f8d8382 6d246b6f c7a8a6a4 28c11de8 0d000014
439b59f8 ba676c4c 7737ae22 eab8f582 0d000014 4d1e0e13 6deafa34 c4f3ea9f
02ec7285 0d000014 80d0bb3d ef54565e e84645d4 c85ce3ee 0d000014 9909b64e
ed937c65 73de52ac e952fa6b 0d000014 7d9419a6 5310ca6f 2c179d92 15529d56
0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e
086381b5 ec427b1f 0d000018 4048b7d5 6ebce885 25e7de7f 00d6c2d3 80000000
00000014 afcad713 68a1f1c9 6b8696fc 77570100
2014-08-14 10:17:39: [1384] DEBUG: resend phase1 packet 386ec5c795bac746:0000000000000000
2014-08-14 10:17:39: [1384] DEBUG: ===
2014-08-14 10:17:39: [1384] DEBUG: 40 bytes message received from XX.XXX.XXX.XX[500] to 192.168.1.144[500]
2014-08-14 10:17:39: [1384] DEBUG: 
386ec5c7 95bac746 dd73ae8b 96dd8401 0b100500 992c2baf 00000028 0000000c
00000001 0100000e
2014-08-14 10:17:39: [1384] DEBUG: receive Information.
2014-08-14 10:17:39: [1384] DEBUG: begin.
2014-08-14 10:17:39: [1384] DEBUG: seen nptype=11(notify)
2014-08-14 10:17:39: [1384] DEBUG: succeed.
2014-08-14 10:17:39: [1384] ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
2014-08-14 10:17:42: [1384] DEBUG: 500 bytes from 192.168.1.144[500] to XX.XXX.XXX.XX[500]
2014-08-14 10:17:42: [1384] DEBUG: sockname 192.168.1.144[500]
2014-08-14 10:17:42: [1384] DEBUG: send packet from 192.168.1.144[500]
2014-08-14 10:17:42: [1384] DEBUG: send packet to XX.XXX.XXX.XX[500]
2014-08-14 10:17:42: [1384] DEBUG: 1 times of 500 bytes message will be sent to XX.XXX.XXX.XX[500]
2014-08-14 10:17:42: [1384] DEBUG: 
386ec5c7 95bac746 00000000 00000000 01100200 00000000 000001f4 0d0000e4
00000001 00000001 000000d8 01010006 03000024 01010000 800b0001 800c0e10
80010007 800e0100 80030003 80020002 80040002 03000024 02010000 800b0001
800c0e10 80010007 800e0100 80030003 80020001 80040002 03000024 03010000
800b0001 800c0e10 80010007 800e0080 80030003 80020002 80040002 03000024
04010000 800b0001 800c0e10 80010007 800e0080 80030003 80020001 80040002
03000020 05010000 800b0001 800c0e10 80010005 80030003 80020002 80040002
00000020 06010000 800b0001 800c0e10 80010005 80030003 80020001 80040002
0d000014 4a131c81 07035845 5c5728f2 0e95452f 0d000014 4df37928 e9fc4fd1
b3262170 d515c662 0d000014 8f8d8382 6d246b6f c7a8a6a4 28c11de8 0d000014
439b59f8 ba676c4c 7737ae22 eab8f582 0d000014 4d1e0e13 6deafa34 c4f3ea9f
02ec7285 0d000014 80d0bb3d ef54565e e84645d4 c85ce3ee 0d000014 9909b64e
ed937c65 73de52ac e952fa6b 0d000014 7d9419a6 5310ca6f 2c179d92 15529d56
0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e
086381b5 ec427b1f 0d000018 4048b7d5 6ebce885 25e7de7f 00d6c2d3 80000000
00000014 afcad713 68a1f1c9 6b8696fc 77570100
2014-08-14 10:17:42: [1384] DEBUG: resend phase1 packet 386ec5c795bac746:0000000000000000
2014-08-14 10:17:42: [1384] DEBUG: ===
2014-08-14 10:17:42: [1384] DEBUG: 40 bytes message received from XX.XXX.XXX.XX[500] to 192.168.1.144[500]
2014-08-14 10:17:42: [1384] DEBUG: 
386ec5c7 95bac746 d1e4d834 ff8ff538 0b100500 3fb1c8e9 00000028 0000000c
00000001 0100000e
2014-08-14 10:17:42: [1384] DEBUG: receive Information.
2014-08-14 10:17:42: [1384] DEBUG: begin.
2014-08-14 10:17:42: [1384] DEBUG: seen nptype=11(notify)
2014-08-14 10:17:42: [1384] DEBUG: succeed.
2014-08-14 10:17:42: [1384] ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
2014-08-14 10:17:45: [1384] DEBUG: 500 bytes from 192.168.1.144[500] to XX.XXX.XXX.XX[500]
2014-08-14 10:17:45: [1384] DEBUG: sockname 192.168.1.144[500]
2014-08-14 10:17:45: [1384] DEBUG: send packet from 192.168.1.144[500]
2014-08-14 10:17:45: [1384] DEBUG: send packet to XX.XXX.XXX.XX[500]
2014-08-14 10:17:45: [1384] DEBUG: 1 times of 500 bytes message will be sent to XX.XXX.XXX.XX[500]
2014-08-14 10:17:45: [1384] DEBUG: 
386ec5c7 95bac746 00000000 00000000 01100200 00000000 000001f4 0d0000e4
00000001 00000001 000000d8 01010006 03000024 01010000 800b0001 800c0e10
80010007 800e0100 80030003 80020002 80040002 03000024 02010000 800b0001
800c0e10 80010007 800e0100 80030003 80020001 80040002 03000024 03010000
800b0001 800c0e10 80010007 800e0080 80030003 80020002 80040002 03000024
04010000 800b0001 800c0e10 80010007 800e0080 80030003 80020001 80040002
03000020 05010000 800b0001 800c0e10 80010005 80030003 80020002 80040002
00000020 06010000 800b0001 800c0e10 80010005 80030003 80020001 80040002
0d000014 4a131c81 07035845 5c5728f2 0e95452f 0d000014 4df37928 e9fc4fd1
b3262170 d515c662 0d000014 8f8d8382 6d246b6f c7a8a6a4 28c11de8 0d000014
439b59f8 ba676c4c 7737ae22 eab8f582 0d000014 4d1e0e13 6deafa34 c4f3ea9f
02ec7285 0d000014 80d0bb3d ef54565e e84645d4 c85ce3ee 0d000014 9909b64e
ed937c65 73de52ac e952fa6b 0d000014 7d9419a6 5310ca6f 2c179d92 15529d56
0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e
086381b5 ec427b1f 0d000018 4048b7d5 6ebce885 25e7de7f 00d6c2d3 80000000
00000014 afcad713 68a1f1c9 6b8696fc 77570100
2014-08-14 10:17:45: [1384] DEBUG: resend phase1 packet 386ec5c795bac746:0000000000000000
2014-08-14 10:17:45: [1384] DEBUG: ===
2014-08-14 10:17:45: [1384] DEBUG: 40 bytes message received from XX.XXX.XXX.XX[500] to 192.168.1.144[500]
2014-08-14 10:17:45: [1384] DEBUG: 
386ec5c7 95bac746 296f83d1 0db844b2 0b100500 d1638e16 00000028 0000000c
00000001 0100000e
2014-08-14 10:17:45: [1384] DEBUG: receive Information.
2014-08-14 10:17:45: [1384] DEBUG: begin.
2014-08-14 10:17:45: [1384] DEBUG: seen nptype=11(notify)
2014-08-14 10:17:45: [1384] DEBUG: succeed.
2014-08-14 10:17:45: [1384] ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
2014-08-14 10:17:46: [1384] DEBUG: vpn_control socket closed by peer.
2014-08-14 10:17:46: [1384] DEBUG: received disconnect all command.
2014-08-14 10:17:46: [1384] WARNING: in purgephXbydstaddrwop... purging phase2s
2014-08-14 10:17:46: [1384] INFO: phase2 sa expired 192.168.1.144-XX.XXX.XXX.XX
2014-08-14 10:17:46: [1384] WARNING: in purgephXbydstaddrwop... purging phase1 and related phase2s
2014-08-14 10:17:46: [1384] DEBUG: IPsec-SA needs to be purged: ESP 192.168.1.144[0]->XX.XXX.XXX.XX[0] spi=822083584(0x31000000)
2014-08-14 10:17:46: [1384] INFO: ISAKMP-SA expired 192.168.1.144[500]-XX.XXX.XXX.XX[500] spi:386ec5c795bac746:0000000000000000
2014-08-14 10:17:46: [1384] DEBUG: vpncontrol_close_comm.
2014-08-14 10:17:46: [1384] DEBUG: ==== Got usr1 signal - re-parsing.
2014-08-14 10:17:46: [1384] DEBUG: an undead schedule has been deleted.
2014-08-14 10:17:46: [1384] DEBUG: an undead schedule has been deleted.
2014-08-14 10:17:46: [1384] DEBUG: ===== parse config
2014-08-14 10:17:46: [1384] DEBUG: reading config file /etc/racoon/racoon.conf
2014-08-14 10:17:46: [1384] DEBUG: hmac(modp1024)
2014-08-14 10:17:46: [1384] DEBUG: filename: /var/run/racoon/*.conf
2014-08-14 10:17:46: [1384] WARNING: glob found no matches for path "/var/run/racoon/*.conf" 
2014-08-14 10:17:46: [1384] DEBUG: my interface: ::1 (lo0)
2014-08-14 10:17:46: [1384] DEBUG: my interface: 127.0.0.1 (lo0)
2014-08-14 10:17:46: [1384] DEBUG: my interface: fe80::1%lo0 (lo0)
2014-08-14 10:17:46: [1384] DEBUG: my interface: fe80::3e15:c2ff:fed1:8b32%en0 (en0)
2014-08-14 10:17:46: [1384] DEBUG: my interface: 192.168.1.144 (en0)
2014-08-14 10:17:46: [1384] DEBUG: my interface: 2601:d:2480:51b:3e15:c2ff:fed1:8b32 (en0)
2014-08-14 10:17:46: [1384] DEBUG: my interface: 2601:d:2480:51b:884b:f343:40ab:5624 (en0)
2014-08-14 10:17:46: [1384] DEBUG: configuring default isakmp port.
2014-08-14 10:17:46: [1384] DEBUG: 14 addrs are configured successfully
2014-08-14 10:17:46: [1384] DEBUG: an undead schedule has been deleted.
2014-08-14 10:17:46: [1384] INFO: 2601:d:2480:51b:884b:f343:40ab:5624[500] used as isakmp port (fd=6)
2014-08-14 10:17:46: [1384] INFO: 2601:d:2480:51b:884b:f343:40ab:5624[4500] used as isakmp port (fd=8)
2014-08-14 10:17:46: [1384] INFO: 2601:d:2480:51b:3e15:c2ff:fed1:8b32[500] used as isakmp port (fd=9)
2014-08-14 10:17:46: [1384] INFO: 2601:d:2480:51b:3e15:c2ff:fed1:8b32[4500] used as isakmp port (fd=10)
2014-08-14 10:17:46: [1384] INFO: 192.168.1.144[500] used as isakmp port (fd=11)
2014-08-14 10:17:46: [1384] INFO: 192.168.1.144[4500] used as isakmp port (fd=12)
2014-08-14 10:17:46: [1384] INFO: fe80::3e15:c2ff:fed1:8b32%en0[500] used as isakmp port (fd=13)
2014-08-14 10:17:46: [1384] INFO: fe80::3e15:c2ff:fed1:8b32%en0[4500] used as isakmp port (fd=14)
2014-08-14 10:17:46: [1384] INFO: fe80::1%lo0[500] used as isakmp port (fd=15)
2014-08-14 10:17:46: [1384] INFO: fe80::1%lo0[4500] used as isakmp port (fd=16)
2014-08-14 10:17:46: [1384] INFO: 127.0.0.1[500] used as isakmp port (fd=17)
2014-08-14 10:17:46: [1384] INFO: 127.0.0.1[4500] used as isakmp port (fd=18)
2014-08-14 10:17:46: [1384] INFO: ::1[500] used as isakmp port (fd=19)
2014-08-14 10:17:46: [1384] INFO: ::1[4500] used as isakmp port (fd=20)
2014-08-14 10:17:49: [1384] DEBUG: performing auto exit
2014-08-14 10:17:50: [1384] DEBUG: call pfkey_send_dump
2014-08-14 10:17:50: [1384] DEBUG: vpncontrol_close.
2014-08-14 10:17:50: [1384] INFO: racoon shutdown

I have tried a thousand things based on this and other wikis and am very much at a loss. Do you have any recommendations? I do not even know where to start.
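The racoon dump above contains the complete Main Mode message 1 that the client sent, and the 40-byte reply is what charon answered. The decoder below is an added example (it is not part of this issue, of strongSwan or of racoon): it parses the fixed ISAKMP header, walks the payload chain, expands the SA payload into its six Phase 1 transforms and decodes the Notification payload of the reply. The two hex strings are copied verbatim from the log above; payload and attribute codes come from RFC 2408 and RFC 2409 Appendix A, and only the values that actually occur in these packets are given names.

```python
"""Decode the ISAKMP (IKEv1) packets from the racoon hex dumps in this issue.
Added example, not part of the issue, of strongSwan or of racoon. Payload and
attribute codes follow RFC 2408 / RFC 2409 Appendix A."""
import struct

# Copied from the "500 bytes from 192.168.1.144[500]" dump above: racoon's
# Main Mode message 1 (header, SA payload with six transforms, vendor IDs).
RACOON_MAIN_MODE_HEX = """
386ec5c7 95bac746 00000000 00000000 01100200 00000000 000001f4 0d0000e4 00000001 00000001
000000d8 01010006 03000024 01010000 800b0001 800c0e10 80010007 800e0100 80030003 80020002
80040002 03000024 02010000 800b0001 800c0e10 80010007 800e0100 80030003 80020001 80040002
03000024 03010000 800b0001 800c0e10 80010007 800e0080 80030003 80020002 80040002 03000024
04010000 800b0001 800c0e10 80010007 800e0080 80030003 80020001 80040002 03000020 05010000
800b0001 800c0e10 80010005 80030003 80020002 80040002 00000020 06010000 800b0001 800c0e10
80010005 80030003 80020001 80040002 0d000014 4a131c81 07035845 5c5728f2 0e95452f 0d000014
4df37928 e9fc4fd1 b3262170 d515c662 0d000014 8f8d8382 6d246b6f c7a8a6a4 28c11de8 0d000014
439b59f8 ba676c4c 7737ae22 eab8f582 0d000014 4d1e0e13 6deafa34 c4f3ea9f 02ec7285 0d000014
80d0bb3d ef54565e e84645d4 c85ce3ee 0d000014 9909b64e ed937c65 73de52ac e952fa6b 0d000014
7d9419a6 5310ca6f 2c179d92 15529d56 0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014
90cb8091 3ebb696e 086381b5 ec427b1f 0d000018 4048b7d5 6ebce885 25e7de7f 00d6c2d3 80000000
00000014 afcad713 68a1f1c9 6b8696fc 77570100
"""
# Copied from the first "40 bytes message received" dump above: charon's reply.
CHARON_REPLY_HEX = ("386ec5c7 95bac746 1607a960 540dc224 0b100500 3310a21a "
                    "00000028 0000000c 00000001 0100000e")

PAYLOAD = {1: "SA", 11: "NOTIFY", 13: "VID"}
EXCHANGE = {2: "Identity Protection (Main Mode)", 5: "Informational"}
ENC = {5: "3DES-CBC", 7: "AES-CBC"}                 # attribute class 1
HASH = {1: "MD5", 2: "SHA1"}                        # attribute class 2
AUTH = {1: "pre-shared key", 3: "RSA signatures"}   # attribute class 3
GROUP = {2: "modp1024", 5: "modp1536"}              # attribute class 4
NOTIFY = {14: "NO-PROPOSAL-CHOSEN"}

def hex_to_bytes(dump):
    return bytes.fromhex("".join(dump.split()))

def parse_header(data):
    """Fixed 28-byte ISAKMP header: cookies, next payload, version, exchange."""
    i_ck, r_ck, next_p, ver, exch, flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", data[:28])
    return {"i_cookie": i_ck.hex(), "r_cookie": r_ck.hex(), "next_payload": next_p,
            "version": f"{ver >> 4}.{ver & 0xf}", "flags": flags, "msg_id": msg_id,
            "exchange": EXCHANGE.get(exch, f"exchange#{exch}"), "length": length}

def parse_attributes(buf):
    """Data attributes: AF bit set = 2-byte value, clear = length then value."""
    attrs, pos = {}, 0
    while pos < len(buf):
        af_type, val_or_len = struct.unpack("!HH", buf[pos:pos + 4])
        pos += 4
        if af_type & 0x8000:
            attrs[af_type & 0x7fff] = val_or_len
        else:
            attrs[af_type] = int.from_bytes(buf[pos:pos + val_or_len], "big")
            pos += val_or_len
    return attrs

def transform_summary(attrs):
    """One Phase 1 transform as enc[-keylen]/hash/auth/group/lifetime."""
    enc = ENC.get(attrs.get(1), f"enc#{attrs.get(1)}")
    if 14 in attrs:                                 # key length: sent for AES only
        enc = f"{enc}-{attrs[14]}"
    return "/".join([enc, HASH.get(attrs.get(2), f"hash#{attrs.get(2)}"),
                     AUTH.get(attrs.get(3), f"auth#{attrs.get(3)}"),
                     GROUP.get(attrs.get(4), f"group#{attrs.get(4)}"),
                     f"{attrs.get(12)}s"])          # class 11 (life type) is seconds here

def parse_sa(body):
    """SA payload body: DOI, situation, then proposals and their transforms."""
    doi, situation = struct.unpack("!II", body[:8])
    proposals, pos = [], 8
    while pos < len(body):
        _, _, length, number, proto, spi_size, ntrans = struct.unpack(
            "!BBHBBBB", body[pos:pos + 8])
        tpos, transforms = pos + 8 + spi_size, []
        for _ in range(ntrans):                     # 8-byte transform header, then attributes
            tlen = struct.unpack("!H", body[tpos + 2:tpos + 4])[0]
            transforms.append(transform_summary(parse_attributes(body[tpos + 8:tpos + tlen])))
            tpos += tlen
        proposals.append({"number": number, "protocol_id": proto, "transforms": transforms})
        pos += length
    return {"doi": doi, "situation": situation, "proposals": proposals}

def decode_packet(data):
    """Walk the payload chain; returns (header, [(kind, decoded), ...])."""
    hdr = parse_header(data)
    if hdr["length"] != len(data):
        raise ValueError(f"header says {hdr['length']} bytes, got {len(data)}")
    payloads, next_p, pos = [], hdr["next_payload"], 28
    while next_p != 0:
        length = struct.unpack("!H", data[pos + 2:pos + 4])[0]
        body, kind = data[pos + 4:pos + length], PAYLOAD.get(next_p, f"payload#{next_p}")
        if next_p == 1:
            payloads.append((kind, parse_sa(body)))
        elif next_p == 11:                          # Notification: DOI, proto, SPI size, type
            doi, proto, _spi, ntype = struct.unpack("!IBBH", body[:8])
            payloads.append((kind, {"doi": doi, "protocol_id": proto, "type": ntype,
                                    "name": NOTIFY.get(ntype, f"notify#{ntype}")}))
        else:
            payloads.append((kind, body.hex()))     # vendor IDs etc. kept as raw hex
        next_p, pos = data[pos], pos + length
    return hdr, payloads
```

Run on the two dumps, the decoder shows that racoon offered six transforms, all with RSA signatures, modp1024 and a 3600 s lifetime: AES-CBC-256 and AES-CBC-128 with SHA1 or MD5, and 3DES with SHA1 or MD5. So the aes-sha1-modp1024 guess in the description is indeed among what the client proposes. The reply is an Informational exchange carrying notify type 14, NO-PROPOSAL-CHOSEN, which is consistent with charon's "no IKE config found" line: the rejection happened at config lookup, before any transform was compared.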

History

#1 Updated by Matthew Pilon about 6 years ago

I forgot to mask my IP in the title :/

#2 Updated by Tobias Brunner about 6 years ago

  • Subject changed from OSX Native Client (Racoon) --> Strongswan Server "no IKE config found for 10.0.0.135...XX.XXX.XXX.x, sending NO_PROPOSAL_CHOSEN" to OSX Native Client (Racoon) --> Strongswan Server "no IKE config found for 10.0.0.135...XX.XXX.XXX.X, sending NO_PROPOSAL_CHOSEN"
  • Status changed from New to Feedback
  • Assignee changed from Andreas Steffen to Tobias Brunner
  • Priority changed from High to Normal

conn osx
    authby=xauthrsasig
    ...
    rightauth=pubkey
    rightauth=psk

These settings will not result in a usable configuration in this scenario. Because at least one of left|rightauth is configured, authby will be ignored, and because left|rightauth default to pubkey you end up with:

conn osx
    leftauth=pubkey
    rightauth=psk
    ...

To use XAuth with RSA, either remove/comment the two rightauth lines and only configure authby, or remove/comment all of them and just configure rightauth2=xauth.

> I have tried a thousand things based on this and other wikis and am very much at a loss. Do you have any recommendations? I do not even know where to start.

We have some notes on iOS/Mac OS X interoperability and you could also run strongSwan on Mac OS X.
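The precedence rules in the comment above (a repeated key keeps its last value, authby is ignored as soon as leftauth or rightauth appears, and an unset leftauth/rightauth defaults to pubkey) are easy to get wrong by eye, so here is a small lint that applies them to a conn section. This is an added example and not strongSwan's own parser: the authby=xauthrsasig expansion to pubkey on both sides plus an XAuth round is taken from the two fixes being described as equivalent, the "client" default for the xauth= keyword is an assumption, and the three sample conn sections are constructed from the issue.

```python
"""Lint the authentication keywords of an ipsec.conf conn section.
Added example, not strongSwan's own parser. Rules modelled: a key given twice
keeps its last value; authby is ignored once leftauth or rightauth is present;
missing leftauth/rightauth default to pubkey; authby=xauthrsasig means pubkey
on both sides plus an XAuth round (xauth= defaults to client: assumption)."""

# Constructed inputs: the conn from the issue and the two suggested fixes.
BROKEN = """
conn osx
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server
    left=%defaultroute
    leftcert=serverCert.pem
    right=%any
    rightcert=clientCert.pem
    rightauth=pubkey
    rightauth=psk
    auto=add
"""
FIX_AUTHBY_ONLY = """
conn osx
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server
    # both rightauth lines removed
"""
FIX_RIGHTAUTH2_ONLY = """
conn osx
    keyexchange=ikev1
    rightauth2=xauth
"""

def parse_conns(text):
    """Return {name: [(key, value), ...]}, keeping repeated keys in order."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # strip comments
        if not line.strip():
            continue
        if not line[0].isspace():                   # "conn NAME" / "config setup" header
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), []) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current.append((key.strip(), value.strip()))
    return conns

AUTHBY = {  # authby value -> (leftauth, rightauth, adds an XAuth round)
    "pubkey": ("pubkey", "pubkey", False), "rsasig": ("pubkey", "pubkey", False),
    "psk": ("psk", "psk", False), "secret": ("psk", "psk", False),
    "xauthrsasig": ("pubkey", "pubkey", True), "xauthpsk": ("psk", "psk", True),
}

def effective_auth(settings):
    """Resolve the per-side authentication the conn would actually use."""
    seen, warnings = {}, []
    for key, value in settings:
        if key in seen and seen[key] != value:
            warnings.append(f"{key} given twice ({seen[key]!r} then {value!r}); the last one wins")
        seen[key] = value
    explicit = sorted(k for k in ("leftauth", "rightauth") if k in seen)
    auth = {"leftauth": seen.get("leftauth", "pubkey"), "rightauth": seen.get("rightauth", "pubkey"),
            "leftauth2": seen.get("leftauth2"), "rightauth2": seen.get("rightauth2")}
    if "authby" in seen and explicit:
        warnings.append(f"authby={seen['authby']} is ignored because {'/'.join(explicit)} is set")
    elif "authby" in seen:                          # authby only: expand it
        left, right, xauth = AUTHBY.get(seen["authby"], ("pubkey", "pubkey", False))
        auth["leftauth"], auth["rightauth"] = left, right
        if xauth:  # xauth=server: the client (right) runs the extra round
            side = "rightauth2" if seen.get("xauth", "client") == "server" else "leftauth2"
            auth[side] = "xauth"
    if seen.get("xauth") == "server" and auth["rightauth2"] is None:
        warnings.append("xauth=server but no XAuth round (rightauth2) is configured")
    auth["warnings"] = warnings
    return auth
```

For the broken conn the lint reports that rightauth was given twice, that authby=xauthrsasig is ignored because rightauth is set, and that no XAuth round remains, and it resolves to leftauth=pubkey, rightauth=psk, which is exactly the effective configuration described above. Both suggested fixes resolve to pubkey on each side with rightauth2=xauth and no warnings.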

#3 Updated by Matthew Pilon almost 6 years ago

Thank you much for your support here Tobias!!

Indeed, I had many of my own kinks to work out. And work them out I did over many hours and days.

I will say now that I had already found the links you posted (iOS/Mac OS X interoperability, strongSwan on Mac OS X), but for a complete beginner these were a little abstract and incomplete. Certainly not your fault I am a beginner :)

Also, on OSX I had no luck with the strongSwan on OSX app. Maybe I was doing it wrong, but there was no place to select a machine certificate and I couldn't figure out where to set encryption and integrity algorithms. (No matching encryption algorithms was a complaint of the application.) **Most importantly, on my OSX system trying to connect there were what appeared to me as highly complex and serious application errors in the log, so it kind of scared me off.

I am going to post some details and findings (as a beginner of course) and my configuration here in case it helps anyone who is attempting to connect OSX/iOS via native OSX VPN connection (tested up to iOS 7 and OSX Yosemite -- 10.10) to a Strongswan server on Ubuntu.

+ My Strongswan is on Ubuntu Trusty on Amazon, for which this (https://wiki.strongswan.org/projects/strongswan/wiki/AwsVpc) was a solid guide.

+ For anyone on Ubuntu server, it is important to note that you can install many Strongswan plugins via Ubuntu packages rather than recompiling Strongswan manually, and **ONE SHOULD NOT ASSUME THE STRONGSWAN PLUGINS THEY NEED ARE INSTALLED :) Here is an example of the XAUTH plugin I needed to install for Strongswan on Ubuntu. http://packages.ubuntu.com/trusty/strongswan-plugin-xauth-noauth

+ I did complete the certificate generation exactly (or almost exactly) as prescribed in the iOS/Mac OS X interoperability. Someone on a Mac forum said they needed to change the size of the key to 1024 in the "ipsec gen" utility (by adding the flag "--size 1024") to get OSX to use the key in their case. I generated my keys so long ago I don't remember if I did that or not. I don't think you need to do that.

**WHEN YOU IMPORT THE CERTIFICATE INTO OSX KEYCHAIN "SYSTEM" MUST BE CHOSEN AS THE KEYCHAIN -- NOT "LOGIN"!! :)

**These keys also work for Windows. The Windows guide to installing certificates on Strongswan's website is complete. My Windows configuration is also below.

+ When you configure the native OSX client, use System Preferences >>> Network >>> (+ sign to add connection) >>> Choose Interface "VPN" and "Cisco IPSec" for VPN Type. Under Authentication settings you will need to select the system certificate you installed.

Here is the config I am using:


config setup
        keyexchange=ikev2
        nat_traversal=yes
        ikelifetime=86400s
        lifetime=28800s
        rekeymargin=3m
        keyingtries=10
        compress=yes

conn ios
        keyexchange=ikev1
        authby=xauthrsasig
        xauth=server
        left=%defaultroute
        leftid="C=CH, O=theorganizationusedinipsecgen, CN=subdomain.domain.com" 
        leftsubnet=0.0.0.0/0
        leftcert=serverCert.pem
        leftfirewall=yes
        right=%any
        rightid="C=CH, O=theorganizationusedinipsecgen, CN=client" 
        rightsubnet=10.XXX.X.X/28
        rightsourceip=10.XXX.X.X/28
        rightcert=clientCert.pem
        auto=add
        rightauth=pubkey
        rightauth2=xauth-generic
        ike=aes256-sha1-modp1536
        esp=aes-sha-modp768

conn win
        keyexchange=ikev2
        left=%defaultroute
        leftid="C=CH, O=theorganizationusedinipsecgen, CN=subdomain.domain.com" 
        leftsubnet=0.0.0.0/0
        leftcert=serverCert.pem
        leftsendcert=always
        right=%any
        rightid="C=CH, O=theorganizationusedinipsecgen, CN=client" 
        rightsubnet=10.XXX.X.X/28
        rightsourceip=10.XXX.X.X/28
        rightcert=clientCert.pem
        auto=add

#4 Updated by Tobias Brunner almost 6 years ago

  • Status changed from Feedback to Closed
  • Resolution set to No change required

OK, great you got it working. I've added a description of the configuration on Mac OS X to IOS_(Apple).
