Troubleshooting IPsec VPN between strongSwan (Ubuntu) and Remote Endpoint - Configuration Help Needed

I’m attempting to set up an IPsec VPN tunnel between a strongSwan client (Ubuntu 22.04) and a remote endpoint. I have limited information about the remote side, which is complicating the setup. Here’s an overview of what I understand about the setup:

+-------------------+                    +-------------------+
|    strongSwan     |                    |   Remote Endpoint |
|    (Ubuntu 22.04) |                    |   (Unknown Config)|
|                   |                    |                   |
| [MY_SERVER_IP]    |   IPsec Tunnel     | [REMOTE_ENDPOINT_IP]
|                   | ==================>|                   |
| 192.168.156.134/30|   (Possibly GRE    | 192.168.156.134/30|
|                   |    over IPsec)     |   (Assumed)       |
+-------------------+                    +-------------------+
         |                                         |
         |                                         |
         V                                         V
   Local Network                             Possibly [SPECIFIED_INTERNAL_IP]/32
                                             (Unsure about this)

Despite numerous attempts, I’m consistently receiving a “NO_PROPOSAL_CHOSEN” error during Phase 2 (CHILD_SA) negotiation. I need help troubleshooting and potentially reconfiguring the setup.

Remote Endpoint Configuration (based on provided specification):

I’ve been given what appears to be a Cisco IOS configuration specification for connecting to the remote endpoint. However, I’m not certain if this is the actual configuration or just a template I should follow. Here’s what I was provided:

crypto isakmp policy 6570
    encr aes 256
    hash md5
    authentication pre-share
    group 14
    lifetime 28800
crypto isakmp key [REDACTED] address [MY_SERVER_IP]

crypto ipsec transform-set [VPN_NAME]-TS esp-aes 256 esp-sha-hmac 
    mode tunnel
crypto ipsec profile [VPN_NAME]-PF
    set security-association lifetime seconds 28800
    set transform-set [VPN_NAME]-TS 
    set pfs group5
interface Tunnel7040
    description [VPN_NAME]
    ip address 192.168.156.134 255.255.255.252
    tunnel source [REMOTE_ENDPOINT_IP]
    tunnel destination [MY_SERVER_IP]
    tunnel protection ipsec profile [VPN_NAME]-PF
    ip mtu 1400
ip access-list extended POST-NAT
permit ip any host [SPECIFIED_INTERNAL_IP]
ip nat inside source list POST-NAT interface tunnel 7040 overload
interface tunnel 7040
ip nat outside
interface XXXX => connect to LAN
ip nat inside
ip route [SPECIFIED_INTERNAL_IP] 255.255.255.255 192.168.156.133 name POST

Note: I’m unsure about the significance of [SPECIFIED_INTERNAL_IP] in this context. It was provided in the specification, but I don’t know if it represents an actual internal network or if it’s just a placeholder.

strongSwan Configuration (/etc/ipsec.conf):

I’ve tried two different configurations on my Ubuntu server running strongSwan, one with a GRE tunnel and one without it. Both have the same problems, and I am not able to connect in Phase 2:

Configuration 1 (with GRE):

config setup
    charondebug="ike 4, knl 4, cfg 4, net 4, esp 4, dmn 4, mgr 4"
    uniqueids=yes

conn %default
    ikelifetime=28800s
    keylife=28800s
    rekeymargin=540s
    keyingtries=%forever
    keyexchange=ikev1
    authby=secret

conn [VPN_NAME]
    left=[MY_SERVER_IP]
    leftsubnet=192.168.156.132/30
    right=[REMOTE_ENDPOINT_IP]
    rightsubnet=[SPECIFIED_INTERNAL_IP]/32
    auto=start
    ike=aes256-md5-modp2048!
    esp=aes256-sha1-modp1536!
    aggressive=no
    keyexchange=ikev1
    ikelifetime=28800s
    lifetime=28800s
    dpddelay=10s
    dpdtimeout=30s
    dpdaction=restart
    type=tunnel
    leftprotoport=gre
    rightprotoport=gre

Configuration 2 (without GRE):

config setup
    charondebug="ike 2, knl 2, cfg 2"
    uniqueids = yes

conn %default
    ikelifetime=8h
    keylife=8h
    rekeymargin=3m
    keyingtries=%forever
    authby=secret
    fragmentation=yes

conn [VPN_NAME]
    left=[MY_SERVER_IP]
    leftsubnet=0.0.0.0/0
    right=[REMOTE_ENDPOINT_IP]
    rightsubnet=[SPECIFIED_INTERNAL_IP]/32
    auto=start
    ikelifetime=28800s
    lifetime=28800s
    dpdaction=restart
    dpddelay=30s
    dpdtimeout=120s
    keyexchange=ikev1
    ike=aes256-md5-modp2048
    esp=aes256-sha1
#    pfs=yes
    leftid=[MY_SERVER_IP]
    rightid=[REMOTE_ENDPOINT_IP]
    authby=secret
    auto=start
    forceencaps=yes

Note: I’m uncertain if I should explicitly define PFS given that the provided Cisco IOS specification seems to be using an older configuration style. It’s possible that it might still require an explicit PFS configuration, but I’m not entirely sure.

/etc/ipsec.secrets:

[MY_SERVER_IP] [REMOTE_ENDPOINT_IP] : PSK "[REDACTED]"

Error when trying to establish the connection:

root@[HOSTNAME]:~# sudo ipsec up [VPN_NAME]
generating QUICK_MODE request 3522219162 [ HASH SA No KE ID ID ]
sending packet: from [MY_SERVER_IP][500] to [REMOTE_ENDPOINT_IP][500] (380 bytes)
received packet: from [REMOTE_ENDPOINT_IP][500] to [MY_SERVER_IP][500] (92 bytes)
parsed INFORMATIONAL_V1 request 586344814 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection '[VPN_NAME]' failed

Additional Information:

  • strongSwan version: 5.9.5-2ubuntu2.3
  • Ubuntu version: 22.04 LTS
  • GRE tunnel setup (if needed):
    sudo ip tunnel add gre1 mode gre remote [REMOTE_ENDPOINT_IP] local [MY_SERVER_IP]
    sudo ip link set gre1 up
    sudo ip addr add 192.168.156.134/30 dev gre1
    sudo ip route add [SPECIFIED_INTERNAL_IP]/32 dev gre1

ipsec statusall output:

root@[HOSTNAME]:~# sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.5, Linux 5.15.0-91-generic, x86_64):
  uptime: 2 minutes, since Oct 15 15:23:01 2024
  malloc: sbrk 3031040, mmap 0, used 1147456, free 1883584
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 12
  loaded plugins: charon test-vectors ldap pkcs11 tpm aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem gcrypt af-alg fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm ntru drbg curl attr kernel-netlink resolve socket-default forecast farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Listening IP addresses:
  [DOCKER_INTERFACE_IP]
  [MY_SERVER_IP]
  [DOCKER_INTERFACE_IP]
  192.168.156.134
Connections:
[VPN_NAME]:  [MY_SERVER_IP]...[REMOTE_ENDPOINT_IP]  IKEv1, dpddelay=10s
[VPN_NAME]:   local:  [[MY_SERVER_IP]] uses pre-shared key authentication
[VPN_NAME]:   remote: [[REMOTE_ENDPOINT_IP]] uses pre-shared key authentication
[VPN_NAME]:   child:  192.168.156.132/30[gre] === [SPECIFIED_INTERNAL_IP]/32[gre] TRANSPORT, dpdaction=restart
Security Associations (1 up, 0 connecting):
[VPN_NAME][5]: ESTABLISHED 9 seconds ago, [MY_SERVER_IP][[MY_SERVER_IP]]...[REMOTE_ENDPOINT_IP][[REMOTE_ENDPOINT_IP]]
[VPN_NAME][5]: IKEv1 SPIs: 890e3509158a8d1f_i 7c29fe705b4d5aa9_r*, pre-shared key reauthentication in 7 hours
[VPN_NAME][5]: IKE proposal: AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048

Note: In the Security Associations section, it initially shows 1 association as up, but after a while, it goes down, displaying only the following message:

Security Associations (0 up, 0 connecting):
  none

Relevant log entries:

Oct 15 15:25:26 [HOSTNAME] charon: 09[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Oct 15 15:25:26 [HOSTNAME] charon: 09[CFG] selecting proposal:
Oct 15 15:25:26 [HOSTNAME] charon: 09[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Oct 15 15:25:26 [HOSTNAME] charon: 09[CFG] selecting proposal:
Oct 15 15:25:26 [HOSTNAME] charon: 09[CFG]   proposal matches
Oct 15 15:25:26 [HOSTNAME] charon: 09[CFG] received proposals: IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, ...

Questions:

  1. Given the uncertainties about the remote endpoint configuration, what changes should I make to my strongSwan configuration to increase the chances of compatibility?
  2. How can I enable PFS in this version of strongSwan to match the set pfs group5 setting in the provided specification?
  3. Are there any known issues with strongSwan 5.9.5 and older VPN endpoints that I should be aware of?
  4. Should I consider using a different version of strongSwan? If so, which one?
  5. What additional debugging steps or commands should I run to gather more information about why the connection is failing?
  6. Given the uncertainty about the GRE tunnel requirement, how can I determine if it’s necessary and verify it’s set up correctly if needed?
  7. The ipsec statusall output shows a connection as ESTABLISHED, but I’m still getting errors. What could be causing this discrepancy?
  8. How can I verify if the [SPECIFIED_INTERNAL_IP] mentioned in the provided specification is actually relevant to my setup, and if so, how should I incorporate it into my configuration?
  9. Are there any potential misconfigurations or misunderstandings in how I’m interpreting the provided Cisco IOS specification for my strongSwan setup?

I’ve tried various configurations, including adjusting the ike and esp lines, but I’m still unable to establish a working connection. Any help or guidance would be greatly appreciated. I’m open to alternative solutions or approaches if there’s a better way to set up this VPN connection, especially considering the uncertainties about the remote endpoint configuration.

Thank you everyone.
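Added example (an editor's addition, not code from the question, from strongSwan or from Cisco): a small Python translator that reads the Cisco IOS lines quoted above and derives the strongSwan conn settings a peer running that configuration would accept, then compares the question's two conn blocks against them. It relies on documented IOS behaviour: `tunnel protection ipsec profile` on a GRE tunnel interface makes the router negotiate a host-to-host phase 2 selector for IP protocol 47 between `tunnel source` and `tunnel destination`, `set pfs group5` requires modp1536 in the ESP proposal, and the ISAKMP and IPsec lifetimes default to 86400 s and 3600 s when the lines are absent. Its assumptions are the question's own: that the spec reflects the real remote configuration, that 192.168.156.134/30 is a point-to-point link whose other usable host is the strongSwan end, and that the bracketed placeholders can be treated as opaque strings (they are kept verbatim from the question, so the output is a template rather than a finished config).

```python
"""Added example, not from the question: derive from the Cisco IOS crypto and
tunnel lines the strongSwan settings that mirror them, then compare the
question's two conn blocks with that expectation.  Placeholders stay opaque."""
import ipaddress
import re

HASH = {"md5": "md5", "sha": "sha1", "sha256": "sha256", "sha384": "sha384", "sha512": "sha512"}
DH = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048", "19": "ecp256", "20": "ecp384"}
SECTIONS = (("crypto isakmp policy", "ike"), ("crypto ipsec transform-set", "esp"),
            ("crypto ipsec profile", "profile"), ("interface tunnel", "tunnel"))

def parse_cisco(spec):
    """Section state machine over IOS lines; sub-commands are the indented ones."""
    info = {"ike": {}, "esp": {}, "profile": {}, "tunnel": {}, "routes": []}
    section = None
    for raw in filter(str.strip, spec.splitlines()):              # skip blank lines
        w = raw.split()
        if not raw[0].isspace():                                  # top-level command
            line = " ".join(w)
            section = next((n for p, n in SECTIONS if line.lower().startswith(p)), None)
            if section == "esp":                                  # algorithms are on this line
                m = re.search(r"esp-(aes|3des|des)(?:\s+(128|192|256))?", line)
                a = re.search(r"esp-(md5|sha256|sha384|sha512|sha)-hmac", line)
                enc = f"aes{m.group(2) or 128}" if m.group(1) == "aes" else m.group(1)
                info["esp"] = {"enc": enc, "auth": HASH[a.group(1)] if a else None}
            elif line.startswith("ip route"):
                info["routes"].append((w[2], w[3], w[4]))         # dest, mask, next hop
            continue
        if section == "ike" and w[0] == "encr":                   # 'encr aes 256'; bare 'aes' is 128-bit
            info["ike"]["enc"] = f"aes{w[2] if len(w) > 2 else 128}" if w[1] == "aes" else w[1]
        elif section == "ike":                                    # hash, group, lifetime, authentication
            info["ike"][w[0]] = {"hash": HASH, "group": DH}.get(w[0], {}).get(w[1], w[1])
        elif section == "esp" and w[0] == "mode":
            info["esp"]["mode"] = w[1]
        elif section == "profile" and w[1:2] == ["pfs"]:
            info["profile"]["pfs"] = DH[w[2].replace("group", "")]
        elif section == "profile" and "seconds" in w:
            info["profile"]["life"] = w[-1]
        elif section == "tunnel":
            info["tunnel"][" ".join(w[:2])] = w[2:]               # e.g. "tunnel source": [ip]
    return info

def to_strongswan(info):
    """A GRE interface under 'tunnel protection' makes IOS negotiate a host-to-host
    selector for IP protocol 47 between tunnel source and destination."""
    ike, esp, prof, tun = info["ike"], info["esp"], info["profile"], info["tunnel"]
    conn = {"keyexchange": "ikev1",
            "authby": "secret" if ike.get("authentication") == "pre-share" else "pubkey",
            "ike": f"{ike['enc']}-{ike['hash']}-{ike['group']}",
            "ikelifetime": ike.get("lifetime", "86400") + "s",   # IOS defaults: 86400 / 3600
            "esp": "-".join(x for x in (esp["enc"], esp["auth"], prof.get("pfs")) if x),
            "lifetime": prof.get("life", "3600") + "s",
            "type": esp.get("mode", "tunnel")}
    notes, gre_local = [], None
    if "tunnel protection" in tun:
        src, dst = tun["tunnel source"][0], tun["tunnel destination"][0]
        conn.update({"left": dst, "leftsubnet": f"{dst}/32", "leftprotoport": "gre",
                     "right": src, "rightsubnet": f"{src}/32", "rightprotoport": "gre"})
    if "ip address" in tun:                                       # remote end of a point-to-point /30
        net = ipaddress.ip_network("/".join(tun["ip address"]), strict=False)
        local = next(str(h) for h in net.hosts() if str(h) != tun["ip address"][0])
        gre_local = f"{local}/{net.prefixlen}"
        notes.append(f"remote GRE address is {tun['ip address'][0]}; ours must be {gre_local}")
        for dest, _, via in info["routes"]:
            if via == local:
                notes.append(f"remote routes {dest} via {via}: it expects that host behind us")
    return {"conn": conn, "gre_local": gre_local, "notes": notes}

def mismatches(expected, conf):
    """{key: (configured, expected)}; strongSwan defaults fill keys the conn block omits."""
    have = {"type": "tunnel", "leftsubnet": conf.get("left", "") + "/32",
            "rightsubnet": conf.get("right", "") + "/32", **conf}
    keys = ("ike", "esp", "type", "leftsubnet", "rightsubnet", "leftprotoport", "rightprotoport")
    return {k: (have.get(k), expected[k]) for k in keys if k in expected and have.get(k) != expected[k]}

CISCO_SPEC = """crypto isakmp policy 6570
    encr aes 256
    hash md5
    authentication pre-share
    group 14
    lifetime 28800
crypto ipsec transform-set [VPN_NAME]-TS esp-aes 256 esp-sha-hmac
    mode tunnel
crypto ipsec profile [VPN_NAME]-PF
    set security-association lifetime seconds 28800
    set pfs group5
interface Tunnel7040
    ip address 192.168.156.134 255.255.255.252
    tunnel source [REMOTE_ENDPOINT_IP]
    tunnel destination [MY_SERVER_IP]
    tunnel protection ipsec profile [VPN_NAME]-PF
ip route [SPECIFIED_INTERNAL_IP] 255.255.255.255 192.168.156.133 name POST
"""
# The question's two conn blocks, reduced to the compared keys (strict '!' suffix dropped).
CONFIG_1 = {"left": "[MY_SERVER_IP]", "right": "[REMOTE_ENDPOINT_IP]", "leftsubnet": "192.168.156.132/30",
            "rightsubnet": "[SPECIFIED_INTERNAL_IP]/32", "ike": "aes256-md5-modp2048", "type": "tunnel",
            "esp": "aes256-sha1-modp1536", "leftprotoport": "gre", "rightprotoport": "gre"}
CONFIG_2 = {"left": "[MY_SERVER_IP]", "right": "[REMOTE_ENDPOINT_IP]", "leftsubnet": "0.0.0.0/0",
            "rightsubnet": "[SPECIFIED_INTERNAL_IP]/32", "ike": "aes256-md5-modp2048", "esp": "aes256-sha1"}
```

Calling `to_strongswan(parse_cisco(CISCO_SPEC))` yields ike=aes256-md5-modp2048, esp=aes256-sha1-modp1536, type=tunnel, GRE-only selectors [MY_SERVER_IP]/32 to [REMOTE_ENDPOINT_IP]/32, a local GRE address of 192.168.156.133/30 (the route for [SPECIFIED_INTERNAL_IP] in the spec points at exactly that address, which is why the note flags it), and `mismatches()` then reports configuration 1 as differing only in leftsubnet and rightsubnet, and configuration 2 as differing in esp (no PFS group), both subnets and both protoports. Those are the fields an IKEv1 responder compares before it answers NO_PROPOSAL_CHOSEN, so the output is a checklist of candidates to reconcile with the peer, not a proof of the cause.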