IPSEC IKEv2 NO_PROP error in Ubuntu 22.04.3 using network-manager-strongswan
-
Hi, everyone--
We have a Netgate 4100 that has been running IPSEC IKEv2 VPNs to macOS and Windows 10/11 mobile clients very successfully for quite a while. It blows our previous Cisco ASA5508X away, and the end users love it.
I'm facing our very first LINUX mobile client running Ubuntu Desktop 22.04.3. I followed these official instructions exactly--the screenshots are almost exactly what I see (all the input fields are there, but they are in slightly different positions/locations).
https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-mobile-ikev2-client-ubuntu.html
However, the VPN connection always fails when I try to turn it on in Network Manager by sliding the little switch to On.
On the client side, in /var/log/syslog, I can see that Phase 1 seems to work, then Phase 2 fails with this error:
Aug 25 23:35:05 bbjdev4 charon-nm: 04[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Aug 25 23:35:05 bbjdev4 charon-nm: 04[IKE] received NO_PROPOSAL_CHOSEN notify error
On the Netgate 4100 side, I get these corresponding log lines:
Aug 25 23:35:05 charon 36696 04[IKE] <447> IKE_SA (unnamed)[447] state change: CREATED => CONNECTING
Aug 25 23:35:05 charon 36696 04[CFG] <447> selecting proposal:
Aug 25 23:35:05 charon 36696 04[CFG] <447> no acceptable KEY_EXCHANGE_METHOD found
Aug 25 23:35:05 charon 36696 04[CFG] <447> selecting proposal:
Aug 25 23:35:05 charon 36696 04[CFG] <447> no acceptable ENCRYPTION_ALGORITHM found
Aug 25 23:35:05 charon 36696 04[CFG] <447> received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/CURVE_25519/CURVE_448/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/CURVE_25519/CURVE_448/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Aug 25 23:35:05 charon 36696 04[CFG] <447> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Aug 25 23:35:05 charon 36696 04[CFG] <447> looking for IKEv2 configs for [netgateIP]...[clientIP]
Aug 25 23:35:05 charon 36696 04[CFG] <447> candidate: [netgateIP]...0.0.0.0/0, ::/0, prio 1052
Aug 25 23:35:05 charon 36696 04[CFG] <447> received supported signature hash algorithms: sha256 sha384 sha512 identity
Aug 25 23:35:05 charon 36696 04[IKE] <447> remote host is behind NAT
Aug 25 23:35:05 charon 36696 04[IKE] <447> received proposals unacceptable
Aug 25 23:35:05 charon 36696 04[ENC] <447> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Aug 25 23:35:05 charon 36696 04[NET] <447> sending packet: from [netgateIP][500] to [clientIP][55551] (36 bytes)
Aug 25 23:35:05 charon 36696 04[IKE] <447> IKE_SA (unnamed)[447] state change: CONNECTING => DESTROYING
It looks like there are no acceptable proposals for KEY_EXCHANGE_METHOD and no proposals for ENCRYPTION_ALGORITHM.
I don't know much about network-manager-strongswan and charon-nm; I don't even know how or where it stores its configurations.
I figure the proper fix is to enable a few more proposals on the 4100's side, but doing so must not interfere with the existing macOS and Windows 10/11 mobile clients.
Any tips on how to get past this are welcome--thanks in advance!
-
I haven't tried it in a long time but you should be able to set custom proposals in the network manager config:
https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-mobile-ikev2-client-ubuntu.html
It's not specifically called out there but you can see it in the screenshot. You could copy the IKE and ESP proposals out of
/var/etc/ipsec/swanctl.conf
on pfSense (or take what it shows there in the log).
-
Fantastic idea! I saw those fields but didn't know what to put in there (specifically how to spell each one). Thanks for the suggestion to copy from swanctl.conf!
-
Okay, I took jimp's advice, and after some struggling with syntax, I was able to get past the NO_PROP error (to run into a different error right behind it).
Anyway, to help someone else with the NO_PROP error, I'll document what I did.
- I looked in the /var/etc/ipsec/swanctl.conf file on the Netgate 4100 and found these two lines:
proposals = aes256-sha256-modp1024
esp_proposals = aes256-sha1,aes256-sha256,aes256-sha384,aes256-sha512
Note that the syntax is very different from what was shown in the log file such as "AES_CBC_128".
- I copied these into the corresponding fields in the network-manager-strongswan VPN settings.
On Ubuntu 22.04, it is in this location:
VPN Settings > Identity tab > Algorithms at the bottom
Check the box "Enable custom algorithm proposals"
In the IKE text input, I put:
aes256-sha256-modp1024
In the ESP text input, I put:
aes256-sha1;aes256-sha256;aes256-sha384;aes256-sha512
NOTE THAT THE COMMAS WERE REPLACED WITH SEMICOLONS! This caused me a bit of frustration until I accidentally moused over the input label and saw that it said the list must be semicolon-separated.
Anyway, with these changes, I now no longer get the NO_PROP error.
Now, I get a missing public key on the SSL certificate. If I can't solve that, I'll start a new thread.
Thanks, @jimp !
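As an added example (not code from the thread, pfSense or strongSwan), the Python below does by script the two things jimp's reply and the write-up above do by hand: it reads the "received proposals" / "configured proposals" strings from the 4100's charon log and names the transform type that has nothing in common (the reason the responder answers NO_PROPOSAL_CHOSEN), and it rewrites swanctl.conf proposal lines into the semicolon-separated form the network-manager-strongswan IKE/ESP fields take. It also flags a weak MODP group in the copied IKE line, since the client's received list in the log offers no MODP_1024 at all, which is the mismatch the first configured proposal dies on. The received list in the sample is an abridged, constructed version of the one in the log.

```python
import re
WEAK_DH = {"modp768", "modp1024", "modp1536"}  # swanctl names; the client's list in the thread offers none of these

def transform_type(alg):
    """Map a charon log token (AES_CBC_256, MODP_1024, ...) to its IKE transform type."""
    if alg.startswith("PRF_"):
        return "PSEUDORANDOM_FUNCTION"
    if alg.startswith(("HMAC_", "AES_XCBC_", "AES_CMAC_")):
        return "INTEGRITY_ALGORITHM"
    if alg.startswith(("MODP_", "ECP_", "CURVE_", "NTRU_")):
        return "KEY_EXCHANGE_METHOD"
    return "ENCRYPTION_ALGORITHM"  # AES_*, CAMELLIA_*, 3DES_CBC, CHACHA20_POLY1305

def parse_proposals(text):
    """charon log syntax 'IKE:A/B/C, IKE:D/E' -> list of {transform_type: set(algs)}."""
    result = []
    for prop in re.split(r",\s*", text.strip()):
        by_type = {}
        for alg in prop.split(":", 1)[1].split("/"):
            by_type.setdefault(transform_type(alg), set()).add(alg)
        result.append(by_type)
    return result

def explain_no_prop(received_text, configured_text):
    """Per received proposal: first transform type with no algorithm in common with the configured one, else None."""
    conf = parse_proposals(configured_text)[0]
    order = ("ENCRYPTION_ALGORITHM", "INTEGRITY_ALGORITHM", "PSEUDORANDOM_FUNCTION", "KEY_EXCHANGE_METHOD")
    return [next((t for t in order if not (recv.get(t, set()) & conf.get(t, set()))), None)
            for recv in parse_proposals(received_text)]

def swanctl_to_nm(conf_text):
    """swanctl.conf proposals/esp_proposals with ',' -> ';', as the network-manager-strongswan fields expect."""
    nm = {}
    for key, field in (("proposals", "ike"), ("esp_proposals", "esp")):
        m = re.search(rf"^\s*{key}\s*=\s*(\S+)", conf_text, re.M)
        if m:
            nm[field] = ";".join(m.group(1).split(","))
    return nm

def weak_dh_groups(nm_proposal):
    """Weak MODP groups a copied proposal would force the client to offer again."""
    return sorted({g for g in re.findall(r"modp\d+", nm_proposal) if g in WEAK_DH})

CONFIGURED = "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024"  # constructed sample: the 4100's line
RECEIVED = ("IKE:AES_CBC_128/AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256/MODP_2048, "
            "IKE:AES_GCM_16_256/CHACHA20_POLY1305/PRF_HMAC_SHA2_256/CURVE_25519/MODP_2048")  # abridged client list
SWANCTL = "    proposals = aes256-sha256-modp1024\n    esp_proposals = aes256-sha1,aes256-sha256\n"  # constructed excerpt
if __name__ == "__main__":
    print(explain_no_prop(RECEIVED, CONFIGURED))  # ['KEY_EXCHANGE_METHOD', 'ENCRYPTION_ALGORITHM']
    print({f: (v, weak_dh_groups(v)) for f, v in swanctl_to_nm(SWANCTL).items()})
```

The first output line reproduces the two "no acceptable ... found" entries from the 4100 log; a non-empty weak-group list is the signal to raise the DH group on the 4100 rather than copy modp1024 to every client.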