Strongswan: “received NO_PROPOSAL_CHOSEN error notify” while connecting to Cisco Router

The ESP proposal in the strongSwan config must match that of the Cisco box, so change it to esp=3des-md5!, or, alternatively, modify the Cisco config to use SHA-1 as integrity algorithm.

Be aware that these are all very weak algorithms.
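The failure above is a Quick Mode proposal mismatch: the Pi offers 3DES with SHA-1, the router only knows 3DES/MD5 and NULL/MD5, so the intersection is empty and the responder sends NO_PROPOSAL_CHOSEN. The following checker is an added example, not part of this answer or of strongSwan or Cisco IOS. It parses a strongSwan esp= value and the crypto ipsec transform-set lines from an IOS config into the same (encryption, integrity) form, reports which transform-sets could be selected, and flags the weak algorithms. The keyword-to-name mapping covers only the subset of IOS transforms listed in the tables and is an assumption; anything outside it raises.

```python
import re

# Cisco IOS ESP transform keywords -> strongSwan algorithm names. Only the
# subset listed here is handled (assumption: these spellings are the ones in
# use); unknown keywords raise instead of being silently ignored.
CISCO_ENC = {"esp-null": "null", "esp-des": "des", "esp-3des": "3des", "esp-aes": "aes128"}
CISCO_AES_KEYLEN = {"192": "aes192", "256": "aes256"}
CISCO_INTEG = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256"}

STRONGSWAN_ENC = {"null", "des", "3des", "aes128", "aes192", "aes256"}
STRONGSWAN_INTEG = {"md5", "sha1", "sha256", "sha384", "sha512"}

# Algorithms to flag before accepting a negotiated SA built from them.
WEAK = {"null", "des", "3des", "md5"}


def parse_strongswan_esp(value):
    """'3des-sha1,aes128-sha256!' -> [('3des', 'sha1'), ('aes128', 'sha256')].
    The trailing '!' (strict: no default proposal appended) is stripped and a
    DH group such as modp1024 (PFS) is ignored for this comparison."""
    value = value.strip().rstrip("!")
    proposals = []
    for prop in value.split(","):
        enc = integ = None
        for tok in prop.strip().split("-"):
            if tok in STRONGSWAN_ENC:
                enc = tok
            elif tok in STRONGSWAN_INTEG:
                integ = tok
            elif tok.startswith(("modp", "ecp")):
                continue
            else:
                raise ValueError(f"unknown strongSwan ESP token: {tok}")
        if enc is None or integ is None:
            raise ValueError(f"incomplete proposal: {prop}")
        proposals.append((enc, integ))
    return proposals


def parse_cisco_transform_sets(config_text):
    """Return {name: (enc, integ)} for every 'crypto ipsec transform-set' line."""
    sets = {}
    pattern = re.compile(r"^\s*crypto ipsec transform-set (\S+)\s+(.+)$")
    for line in config_text.splitlines():
        m = pattern.match(line)
        if not m:
            continue
        name, rest = m.group(1), m.group(2).split()
        enc = integ = None
        i = 0
        while i < len(rest):
            tok = rest[i]
            if tok in CISCO_ENC:
                enc = CISCO_ENC[tok]
                # 'esp-aes 192' / 'esp-aes 256' carry the key length as the next token
                if tok == "esp-aes" and i + 1 < len(rest) and rest[i + 1] in CISCO_AES_KEYLEN:
                    enc = CISCO_AES_KEYLEN[rest[i + 1]]
                    i += 1
            elif tok in CISCO_INTEG:
                integ = CISCO_INTEG[tok]
            else:
                raise ValueError(f"unknown IOS transform in {name}: {tok}")
            i += 1
        sets[name] = (enc, integ)
    return sets


def matching_transform_sets(esp_value, cisco_config):
    """Transform-sets the router could select for the given esp= value, in the
    order strongSwan offers them. An empty list is exactly the situation that
    produces NO_PROPOSAL_CHOSEN."""
    offered = parse_strongswan_esp(esp_value)
    sets = parse_cisco_transform_sets(cisco_config)
    return [(name, enc, integ)
            for enc, integ in offered
            for name, (c_enc, c_integ) in sets.items()
            if (enc, integ) == (c_enc, c_integ)]


def weak_algorithms(esp_value):
    """Set of weak algorithm names present in a strongSwan esp= value."""
    return {alg for pair in parse_strongswan_esp(esp_value) for alg in pair if alg in WEAK}


# Constructed sample: the two transform-sets from the question's IOS config.
CISCO_CONFIG = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set ESP-NULL-MD5 esp-null esp-md5-hmac
 mode transport
"""

if __name__ == "__main__":
    for esp in ("3des-sha1!", "3des-md5!"):
        hits = matching_transform_sets(esp, CISCO_CONFIG)
        print(esp, "->", hits if hits else "NO_PROPOSAL_CHOSEN", "weak:", sorted(weak_algorithms(esp)))
```

Run against the question's configuration, esp=3des-sha1! yields no match and esp=3des-md5! selects ESP-3DES-MD5; the weak-algorithm set for the working proposal is {3des, md5}, which is the caveat in the answer made explicit.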

Author: Admin

Updated on September 18, 2022

Comments

  • Admin
    Admin over 1 year

    I'm trying to establish an ipsec connection from a raspberry pi with Strongswan (Linux strongSwan U5.5.1/K4.14.50+) to a Cisco Router.

    This is the Strongswan output:

    root@raspberrypi:~# ipsec up Ciscoios
    initiating Main Mode IKE_SA Ciscoios[1] to x.x.x.138
    generating ID_PROT request 0 [ SA V V V V V ]
    sending packet: from x.x.x.118[500] to x.x.x.138[500] (180 bytes)
    received packet: from x.x.x.138[500] to x.x.x.118[500] (104 bytes)
    parsed ID_PROT response 0 [ SA V ]
    received NAT-T (RFC 3947) vendor ID
    generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    sending packet: from x.x.x.118[500] to x.x.x.138[500] (244 bytes)
    received packet: from x.x.x.138[500] to x.x.x.118[500] (304 bytes)
    parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
    received Cisco Unity vendor ID
    received DPD vendor ID
    received unknown vendor ID: d4:35:02:b0:57:db:41:f3:0a:fc:a9:73:1f:79:b2:e4
    received XAuth vendor ID
    generating ID_PROT request 0 [ ID HASH ]
    sending packet: from x.x.x.118[500] to x.x.x.138[500] (84 bytes)
    received packet: from x.x.x.138[500] to x.x.x.118[500] (68 bytes)
    parsed ID_PROT response 0 [ ID HASH ]
    IKE_SA Ciscoios[1] established between x.x.x.118[[email protected]]...x.x.x.138[x.x.x.138]
    scheduling reauthentication in 86201s
    maximum IKE_SA lifetime 86381s
    generating QUICK_MODE request 3400625212 [ HASH SA No ID ID ]
    sending packet: from x.x.x.118[500] to x.x.x.138[500] (172 bytes)
    received packet: from x.x.x.138[500] to x.x.x.118[500] (84 bytes)
    parsed INFORMATIONAL_V1 request 1129071936 [ HASH N(NO_PROP) ]
    received NO_PROPOSAL_CHOSEN error notify
    establishing connection 'Ciscoios' failed
    

    This is the ipsec.conf:

    # ipsec.conf - strongSwan IPsec configuration file
    
    
    config setup
        strictcrlpolicy=no
        #charondebug="ike 4, knl 4, cfg 2"    #useful debugs
        uniqueids = no
    
    
    
    conn %default
        ikelifetime=1440m
        keylife=60m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret
    
    conn Ciscoios
        left=x.x.x.118
        leftid=fqdn:[email protected]
        leftsubnet=10.10.145.0/24
        leftfirewall=no
        right=x.x.x.138
        rightsubnet=x.x.x.138/32
        rightid=x.x.x.x.138
        rightauth=psk
        leftauth=psk
        auto=add
        ike=3des-sha1-modp1024!
        esp=3des-sha1!
    

    On the Cisco I have configured this:

    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    mode transport
    crypto ipsec transform-set ESP-NULL-MD5 esp-null esp-md5-hmac
    mode transport
    
    crypto dynamic-map TEST
    description ipsecTest
    set transform-set ESP-NULL-MD5 ESP-3DES-MD5
    set isakmp-profile Routing
    match address IPSEC
    

    I think I might have the wrong parameters set for ike and esp in ipsec.conf. The IPsec config on the Cisco works fine with another Cisco router as a peer, but not with the Raspberry Pi. Can anyone help?