
I am getting the feeling that I have just done something very silly on my end but I have no idea what is going on. For context, I have been using wireguard for a bit and am much more knowledgeable than this. For a class, I have been told to make a site-to-site ipsec tunnel between two nodes with no instruction. I've been trying to read what I can to understand how this works, and search for people who have had similar problems but I'm getting nowhere fast and am overwhelmed with what I imagine are some pretty obvious errors. I apologize, I don't like being this person

Onto the situation, I have two subnetworks (10.0.53.0/24 and 10.1.53.0/24), each behind their own ubuntu server router configuration. I am using this guide (https://www.xmodulo.com/create-site-to-site-ipsec-vpn-tunnel-openswan-linux.html) to set it up.

The /etc/ipsec.conf files look like this. With the only difference between the two being swapped addresses:

# SITE B's (SITE A's is just flip flopped on left/right values)
config setup
        plutodebug=all
        plutostderrlog=/var/log/pluto.log
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        ## disable opportunistic encryption in Red Hat ##
        oe=off

# connection to DMZ Router
conn demo-connection-debian
        authby=secret
        auto=start
        ## phase 1 ##
        keyexchange=ike
        ## phase 2 ##
        esp=aes256-sha1!
        pfs=yes
        type=tunnel
        left=172.16.2.53
        leftsourceip=172.16.2.53
        leftsubnet=10.1.3.0/24
        leftnexthop=%defaultroute
        right=208.165.192.65 # <-- not the real public ip
        rightsubnet=10.0.3.0/24

and this is the output I get when I run different commands on each machine:

SITE A ipsec status

Security Associations (0 up, 1 connecting):
demo-connection-debian[1]: CONNECTING, 208.165.192.65[%any]...172.16.2.53[%any]

SITE B ipsec status

Security Associations (0 up, 0 connecting):
  none

SITE B ipsec up demo-connection-debian

generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 172.16.2.53[500] to 208.165.192.65[500] (936 bytes)
received packet: from 208.165.192.65[500] to 172.16.2.53[500] (36 bytes)
parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN notify error
establishing connection 'demo-connection-debian' failed

I don't know what these errors mean, in the other posts I see comments to check the logs but I can't find them so either my default installation is putting them somewhere else or the files haven't been created because no logs have been made. Appreciate any and all help.

Kyle Champoux
  • As the log message says, the responder didn't like the IKE algorithm proposal. So check the log there (or try different algorithms via `ike` setting). Also note that you have lots of settings configured that are not supported by strongSwan (or are deprecated, but so is the ipsec.conf file in general). – ecdsa Apr 25 '22 at 07:21
  • hmm, okay, I'll do some looking around. Where is this log file you mentioned. Whenever I try looking for where a log file for strongswan should be, I have nothing on my end. – Kyle Champoux Apr 29 '22 at 18:04
  • See [here](https://docs.strongswan.org/docs/5.9/config/logging.html). – ecdsa May 02 '22 at 09:49
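The comment above points at two things a reader can check without any logs: settings in the posted ipsec.conf that strongSwan does not understand, and the absence of an explicit `ike=` proposal on a conn that fails at IKE_SA_INIT. The following is an added example (not code from the question or from the strongSwan project) that parses an ipsec.conf and reports both; the constructed sample is a trimmed copy of the posted config, and the list of foreign/ignored keys is an assumption to be verified against ipsec.conf(5) for the installed version.

```python
# Constructed sample: a trimmed copy of the config posted in the question.
SAMPLE_CONF = """\
config setup
        plutodebug=all
        protostack=netkey
        nat_traversal=yes
        oe=off

conn demo-connection-debian
        keyexchange=ike
        esp=aes256-sha1!
        pfs=yes
        leftnexthop=%defaultroute
        left=172.16.2.53
"""

# Assumed list: Openswan/Libreswan keys that strongSwan's ipsec.conf parser
# either rejects or silently ignores. Verify against ipsec.conf(5) for your version.
FOREIGN_KEYS = {"plutodebug", "plutostderrlog", "protostack", "nat_traversal",
                "virtual_private", "oe", "leftnexthop", "rightnexthop", "pfs"}

def parse_ipsec_conf(text):
    """Return {"<kind> <name>": {key: value}}, dropping comments and blank lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()    # strip trailing "# ..." comments
        if not line.strip():
            continue
        if not line[0].isspace():               # unindented: "config setup" / "conn NAME"
            kind, _, name = line.partition(" ")
            current = f"{kind} {name.strip()}"
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def lint(sections):
    """List foreign keys per section and conns that rely on default ike= proposals."""
    findings = []
    for name, kv in sections.items():
        for key in sorted(kv):
            if key in FOREIGN_KEYS:
                findings.append(f"{name}: '{key}' is not a strongSwan setting (ignored or rejected)")
        if name.startswith("conn ") and "ike" not in kv:
            findings.append(f"{name}: no 'ike=' set; peers negotiate from built-in defaults only")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(parse_ipsec_conf(SAMPLE_CONF))))
```

Run it against the real /etc/ipsec.conf on both routers; a NO_PROPOSAL_CHOSEN from the responder means the two sides' effective `ike=` (and then `esp=`) proposals must share at least one cipher, integrity and DH group entry, which is much easier to compare when both are written out explicitly.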

0 Answers