Score:0

Strongswan: {parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]} and {received NO_PROPOSAL_CHOSEN notify error}


I am getting the feeling that I have just done something very silly on my end, but I have no idea what is going on. For context, I have been using WireGuard for a bit and am much more knowledgeable than this. For a class, I have been told to make a site-to-site IPsec tunnel between two nodes with no instruction. I've been trying to read what I can to understand how this works, and search for people who have had similar problems, but I'm getting nowhere fast and am overwhelmed with what I imagine are some pretty obvious errors. I apologize, I don't like being this person.

Onto the situation, I have two subnetworks (10.0.53.0/24 and 10.1.53.0/24), each behind their own Ubuntu server router configuration. I am using this guide (https://www.xmodulo.com/create-site-to-site-ipsec-vpn-tunnel-openswan-linux.html) to set it up.

The /etc/ipsec.conf files look like this, with the only difference between the two being swapped addresses:

```
# SITE B's (SITE A's is just flip flopped on left/right values)
config setup
        plutodebug=all
        plutostderrlog=/var/log/pluto.log
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        ## disable opportunistic encryption in Red Hat ##
        oe=off

# connection to DMZ Router
conn demo-connection-debian
        authby=secret
        auto=start
        ## phase 1 ##
        keyexchange=ike
        ## phase 2 ##
        esp=aes256-sha1!
        pfs=yes
        type=tunnel
        left=172.16.2.53
        leftsourceip=172.16.2.53
        leftsubnet=10.1.3.0/24
        leftnexthop=%defaultroute
        right=208.165.192.65 # <-- not the real public ip
        rightsubnet=10.0.3.0/24
```

and this is the output I get when I run different commands on each machine:

SITE A `ipsec status`

```
Security Associations (0 up, 1 connecting):
demo-connection-debian[1]: CONNECTING, 208.165.192.65[%any]...172.16.2.53[%any]
```

SITE B `ipsec status`

```
Security Associations (0 up, 0 connecting):
  none
```

SITE B `ipsec up demo-connection-debian`

```
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 172.16.2.53[500] to 208.165.192.65[500] (936 bytes)
received packet: from 208.165.192.65[500] to 172.16.2.53[500] (36 bytes)
parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN notify error
establishing connection 'demo-connection-debian' failed
```

I don't know what these errors mean. In the other posts I see comments to check the logs, but I can't find them, so either my default installation is putting them somewhere else or the files haven't been created because no logs have been made. Appreciate any and all help.

As the log message says, the responder didn't like the IKE algorithm proposal. So check the log there (or try different algorithms via the `ike` setting). Also note that you have lots of settings configured that are not supported by strongSwan (or are deprecated, but so is the ipsec.conf file in general).
Kyle Champoux
Hmm, okay, I'll do some looking around. Where is this log file you mentioned? Whenever I try looking for where a log file for strongswan should be, I have nothing on my end.
See [here](https://docs.strongswan.org/docs/5.9/config/logging.html).
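
An added example, not part of the original thread and not strongSwan code: a small Python check that reads `ipsec up` output like the one in the question and reports in which IKEv2 exchange the peer sent NO_PROPOSAL_CHOSEN, and therefore which proposal setting (`ike` or `esp`) to compare on both ends. The function and variable names are hypothetical, and the IKE_AUTH sample line is constructed.

```python
import re

# Matches charon lines such as: parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
PARSED = re.compile(r"parsed (\w+) (request|response) (\d+) \[ (.*?) \]")

# ipsec.conf proposal setting negotiated in each IKEv2 exchange.
SETTING_BY_EXCHANGE = {
    "IKE_SA_INIT": "ike",  # IKE SA algorithms (encryption, integrity, DH group)
    "IKE_AUTH": "esp",     # algorithms of the first CHILD_SA
}

def diagnose(output):
    """Return one finding per received message that carries N(NO_PROP)."""
    findings = []
    for line in output.splitlines():
        m = PARSED.search(line)
        if not m:
            continue  # "generating"/"sending" lines are our own messages
        exchange, direction, msg_id, payloads = m.groups()
        if "N(NO_PROP)" not in payloads.split():
            continue
        findings.append({
            "exchange": exchange,
            "direction": direction,
            "message_id": int(msg_id),
            "setting": SETTING_BY_EXCHANGE.get(exchange, "unknown"),
        })
    return findings

# Output quoted in the question above.
PAGE_OUTPUT = """\
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 172.16.2.53[500] to 208.165.192.65[500] (936 bytes)
received packet: from 208.165.192.65[500] to 172.16.2.53[500] (36 bytes)
parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN notify error
"""

# Constructed sample: the IKE SA succeeds but the CHILD_SA proposal is refused.
CONSTRUCTED_OUTPUT = "parsed IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(NO_PROP) ]\n"

if __name__ == "__main__":
    for sample in (PAGE_OUTPUT, CONSTRUCTED_OUTPUT):
        for f in diagnose(sample):
            print(f"{f['exchange']} {f['direction']} {f['message_id']}: "
                  f"peer refused the proposal, compare '{f['setting']}' on both ends")
```
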