IKE_SA_INIT no proposal chosen

Hello all,

I’m having trouble setting up a site-to-site connection like this between two vyos installations.
One is running in my lab called “central” and one is running in the oracle cloud called “ingress”.
I have double and triple checked the configuration but I cannot get past IKE_SA_INIT.

“Central” is behind a NAT without a static address and is initiating the connection, “Ingress” is probably also behind a NAT but has a static IP courtesy of Oracle.

Ingress config:

vincent@ingress# show vpn
 ipsec {
     esp-group common {
         pfs dh-group19
         proposal 1 {
             encryption aes128
             hash sha1
         }
         proposal 2 {
             encryption aes256gcm128
             hash sha256
         }
     }
     ike-group commonIKE {
         key-exchange ikev2
         proposal 1 {
             dh-group 2
             encryption aes128
             hash sha1
         }
         proposal 2 {
             dh-group 19
             encryption aes256gcm128
             hash sha256
         }
     }
     interface eth0
     log {
         level 2
         subsystem ike
     }
     site-to-site {
         peer central {
             authentication {
                 local-id ingress
                 mode rsa
                 remote-id central
                 rsa {
                     local-key ipsec-ingress
                     remote-key ipsec-central
                 }
             }
             connection-type respond
             default-esp-group common
             ike-group commonIKE
             local-address 138.2.151.6
             tunnel 1 {
                 local {
                     prefix 192.168.250.2/32
                 }
                 remote {
                     prefix 192.168.250.1/32
                 }
             }
         }
     }
 }

Central config:

vincent@central# show vpn
 ipsec {
     esp-group common {
         pfs dh-group19
         proposal 1 {
             encryption aes128
             hash sha1
         }
         proposal 2 {
             encryption aes256gcm128
             hash sha256
         }
     }
     ike-group commonIKE {
         key-exchange ikev2
         proposal 1 {
             dh-group 2
             encryption aes128
             hash sha1
         }
         proposal 2 {
             dh-group 19
             encryption aes256gcm128
             hash sha256
         }
     }
     interface eth0
     site-to-site {
         peer ingress {
             authentication {
                 local-id central
                 mode rsa
                 remote-id ingress
                 rsa {
                     local-key ipsec-central
                     remote-key ipsec-ingress
                 }
             }
             connection-type initiate
             default-esp-group common
             ike-group commonIKE
             local-address any
             remote-address 138.2.151.6
             tunnel 1 {
                 local {
                     prefix 192.168.250.1/32
                 }
                 remote {
                     prefix 192.168.250.2/32
                 }
             }
         }
     }
 }

This is the output of the log on the “Ingress”/Responder site:

vincent@ingress:~$ sudo swanctl --log
08[NET] received packet: from 138.199.18.65[10588] to 10.0.0.169[500] (372 bytes)
08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
08[IKE] no IKE config found for 10.0.0.169...138.199.18.65, sending NO_PROPOSAL_CHOSEN
08[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
08[NET] sending packet: from 10.0.0.169[500] to 138.199.18.65[10588] (36 bytes)

As you can see I’ve tried adding different proposals from the docs to both IKE and ESP groups but that didn’t help. At this point I assume it has something to do with the NAT but I think that should be an issue because I configured matching IDs in the authentication section and use RSA like in the docs, no?

Edit: version info is probably useful too

Version:          VyOS 1.5-rolling-202310240118
Release train:    current

Built by:         autobuild@vyos.net
Built on:         Tue 24 Oct 2023 02:41 UTC
Build UUID:       66471dfc-8348-4dbf-953e-133854c539ff
Build commit ID:  142e8770563716

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (i440FX + PIIX, 1996)
Hardware S/N:
Hardware UUID:    df3bd66b-a30a-42e2-a824-57439af15abb

Copyright:        VyOS maintainers and contributors

I’ve tried scouring the internet but the issue seems to usually be solved by just matching the proposals which I have done.
Any help is appreciated.

You may need to specify local-address in your site-to-site config

set vpn ipsec site-to-site peer central local-address '10.0.0.169'   # IP address of interface eth0
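The responder log in the question says "no IKE config found for 10.0.0.169...138.199.18.65": strongSwan looks up the connection by the address the packet actually arrived on (the private eth0 address behind Oracle's 1:1 NAT), so a public local-address matches nothing and NO_PROPOSAL_CHOSEN is sent before any proposal is compared. The following shell diagnostic is an added example, not from the thread or from VyOS; it assumes the peer is named central and that sed is available, and it pairs the swanctl log line with the configured local-address to print the same fix the answer gives.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: compare the local address that
# strongSwan saw on the incoming IKE_SA_INIT with the local-address set on
# the VyOS peer. Behind a cloud 1:1 NAT (Oracle here) the interface holds a
# private address, so a public local-address matches no config and the
# responder answers NO_PROPOSAL_CHOSEN before any proposal is compared.

# Constructed sample input, shaped like the thread's swanctl --log output.
SWANCTL_LOG='08[NET] received packet: from 138.199.18.65[10588] to 10.0.0.169[500] (372 bytes)
08[IKE] no IKE config found for 10.0.0.169...138.199.18.65, sending NO_PROPOSAL_CHOSEN'

# Constructed "show vpn" fragment for the responder peer (assumed name: central).
VYOS_CFG='peer central {
    local-address 138.2.151.6
}'

# Local (responder) IP from the "no IKE config found for A...B" line.
log_local_ip() {
  printf '%s\n' "$1" |
    sed -n 's/.*no IKE config found for \([0-9.]*\)\.\.\..*/\1/p' | head -n 1
}

# local-address from a VyOS config fragment; accepts the quoted "set" form
# and the literal "any" as well.
cfg_local_address() {
  printf '%s\n' "$1" |
    sed -n "s/.*local-address[[:space:]]*'\{0,1\}\([a-z0-9.]*\)'\{0,1\}.*/\1/p" | head -n 1
}

# Return 0 when the configured local-address is the one strongSwan received on,
# otherwise print the VyOS command that fixes it and return 1.
check_local_address() {
  seen=$(log_local_ip "$1")
  cfg=$(cfg_local_address "$2")
  if [ -n "$seen" ] && [ "$seen" = "$cfg" ]; then
    echo "ok: local-address $cfg matches the address strongSwan received on"
    return 0
  fi
  echo "mismatch: config has local-address '$cfg', strongSwan received IKE on '$seen'"
  echo "set vpn ipsec site-to-site peer central local-address '$seen'"
  return 1
}

check_local_address "$SWANCTL_LOG" "$VYOS_CFG" || true   # sample run prints the fix
```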

That did it, thank you very much.

