Strongswan: “received NO_PROPOSAL_CHOSEN error notify” while connecting to Cisco Router
The ESP proposal in the strongSwan config must match that of the Cisco box, so change it to `esp=3des-md5!`, or, alternatively, modify the Cisco config to use SHA-1 as integrity algorithm.
Be aware that these are all very weak algorithms.
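As an added illustration of the mismatch (example code, not from the question, the answer, strongSwan or Cisco): a small Python checker that normalises a strongSwan `esp=` line and the Cisco `crypto ipsec transform-set` lines to one vocabulary, reports which transform-sets the peer could accept, and lists the weak algorithms a proposal would negotiate. The Cisco-to-strongSwan keyword mapping is an assumption limited to the algorithms in this thread plus AES-128 and SHA-256.

```python
import re
# Cisco IOS transform keywords normalised to strongSwan proposal keywords (assumed
# mapping: the question's algorithms plus AES-128/SHA-256; 'esp-aes 256' etc. omitted).
CISCO_TO_SW = {"esp-3des": "3des", "esp-null": "null", "esp-aes": "aes128",
               "esp-md5-hmac": "md5", "esp-sha-hmac": "sha1",
               "esp-sha256-hmac": "sha256"}
ENCRYPTION = {"3des", "null", "aes128"}
INTEGRITY = {"md5", "sha1", "sha256"}
WEAK = {"3des", "null", "md5"}  # the answer above calls these very weak
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$", re.M)

def parse_strongswan_esp(value):
    """'3des-sha1-modp1024!' -> [('3des', 'sha1')]; DH groups and the strict '!' are dropped."""
    proposals = []
    for item in value.rstrip("!").split(","):
        parts = item.strip().split("-")
        enc = next((p for p in parts if p in ENCRYPTION), None)
        integ = next((p for p in parts if p in INTEGRITY), None)
        if enc is None or integ is None:
            raise ValueError("unsupported ESP proposal: " + item)
        proposals.append((enc, integ))
    return proposals

def parse_cisco_transform_sets(config):
    """{name: (enc, integ)} for each 'crypto ipsec transform-set' line."""
    sets = {}
    for name, body in TS_RE.findall(config):
        keys = [CISCO_TO_SW.get(tok, tok) for tok in body.split()]
        enc = next((k for k in keys if k in ENCRYPTION), None)
        integ = next((k for k in keys if k in INTEGRITY), None)
        if enc and integ:  # skip AH-only or unmapped sets
            sets[name] = (enc, integ)
    return sets

def matching_transform_sets(esp, config):
    """Transform-set names satisfying a strongSwan proposal; empty == NO_PROPOSAL_CHOSEN."""
    wanted = set(parse_strongswan_esp(esp))
    return sorted(n for n, ts in parse_cisco_transform_sets(config).items() if ts in wanted)

def weak_algorithms(esp):
    """Weak algorithms the proposal would negotiate, to review before deploying."""
    return sorted({a for p in parse_strongswan_esp(esp) for a in p if a in WEAK})

# Constructed sample: the two transform-sets from the Cisco config in the question.
CISCO_CONFIG = """crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set ESP-NULL-MD5 esp-null esp-md5-hmac
 mode transport
"""
```

With the question's `esp=3des-sha1!` the result is empty, which is exactly the NO_PROPOSAL_CHOSEN case; `esp=3des-md5!` matches ESP-3DES-MD5 but is flagged as 3DES plus MD5.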
Author: Admin
Updated on September 18, 2022

Admin, over 1 year ago:
I'm trying to establish an IPsec connection from a Raspberry Pi with strongSwan (Linux strongSwan U5.5.1/K4.14.50+) to a Cisco router.
This is the strongSwan output:
```
root@raspberrypi:~# ipsec up Ciscoios
initiating Main Mode IKE_SA Ciscoios[1] to x.x.x.138
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from x.x.x.118[500] to x.x.x.138[500] (180 bytes)
received packet: from x.x.x.138[500] to x.x.x.118[500] (104 bytes)
parsed ID_PROT response 0 [ SA V ]
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from x.x.x.118[500] to x.x.x.138[500] (244 bytes)
received packet: from x.x.x.138[500] to x.x.x.118[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received DPD vendor ID
received unknown vendor ID: d4:35:02:b0:57:db:41:f3:0a:fc:a9:73:1f:79:b2:e4
received XAuth vendor ID
generating ID_PROT request 0 [ ID HASH ]
sending packet: from x.x.x.118[500] to x.x.x.138[500] (84 bytes)
received packet: from x.x.x.138[500] to x.x.x.118[500] (68 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA Ciscoios[1] established between x.x.x.118[[email protected]]...x.x.x.138[x.x.x.138]
scheduling reauthentication in 86201s
maximum IKE_SA lifetime 86381s
generating QUICK_MODE request 3400625212 [ HASH SA No ID ID ]
sending packet: from x.x.x.118[500] to x.x.x.138[500] (172 bytes)
received packet: from x.x.x.138[500] to x.x.x.118[500] (84 bytes)
parsed INFORMATIONAL_V1 request 1129071936 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'Ciscoios' failed
```
This is the ipsec.conf:
```
# ipsec.conf - strongSwan IPsec configuration file

config setup
    strictcrlpolicy=no
    #charondebug="ike 4, knl 4, cfg 2" #useful debugs
    uniqueids = no

conn %default
    ikelifetime=1440m
    keylife=60m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret

conn Ciscoios
    left=x.x.x.118
    leftid=fqdn:[email protected]
    leftsubnet=10.10.145.0/24
    leftfirewall=no
    right=x.x.x.138
    rightsubnet=x.x.x.138/32
    rightid=x.x.x.x.138
    rightauth=psk
    leftauth=psk
    auto=add
    ike=3des-sha1-modp1024!
    esp=3des-sha1!
```
On the Cisco I have configured this:
```
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set ESP-NULL-MD5 esp-null esp-md5-hmac
 mode transport
crypto dynamic-map TEST
 description ipsecTest
 set transform-set ESP-NULL-MD5 ESP-3DES-MD5
 set isakmp-profile Routing
 match address IPSEC
```
I think I might have the wrong parameters set at ike and esp in the ipsec.conf. The ipsec config on the Cisco works fine with another Cisco router as a peer but not with the Raspberry Pi. Can anyone help?