Hi Bas,

> What does NO_PROPOSAL_CHOSEN mean?

As Noel pointed out it could mean the responder doesn't like the proposed algorithms. But the responder could also return this error because it doesn't like the proposed traffic selectors (i.e. the subnets in `left|rightsubnet`) or the mode (type=tunnel|transport).

In your case you propose to tunnel traffic from 192.168.42.178/32 to 10.180.0.0/16 (since you haven't specified `leftsubnet` its value defaults to `left` i.e. your local address behind the NAT). If that's not correct then you have to fix these addresses as for IKEv1 these traffic selectors have to match exactly.

The problem is, though, that due to the NAT you can't just "fix" this by configuring `leftsubnet=83.161.66.130/32` (i.e. your public IP). Because for this to work you'd have to NAT local traffic to the subnet in `rightsubnet` locally on the client to your NAT's public IP. Otherwise, the traffic sent to the remote subnet won't match the IPsec policy (as the source address of such packets would still be your private address). Similarly, packets sent from hosts in 10.180.0.0/16 would be decrypted by your client behind the NAT and then get forwarded from 192.168.42.178 to 83.161.66.130 (unless the aforementioned NAT rule would locally rewrite the destination address of these packets to your private address again).

You could try to use transport mode, if the server accepts it. That way the NAT would translate the IPs for you. Another option is to change the traffic selector on the server (i.e. make its remote traffic selector equal your client's private IP address), but if you use dynamic DHCP in your client's LAN that won't work very well as you'd have to change that traffic selector all the time.

To use tunnel mode in such situations one usually uses virtual IPs via Mode Config or statically assigned. For more information on virtual IPs, check out [1]. And for this to work the server obviously has to be configured accordingly.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp
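
The variants discussed in the reply above, written out as strongSwan `ipsec.conf` client connections. This is an added example, not configuration from the thread: the conn names and `server.example.org` are placeholders, authentication settings are omitted, and the first conn is only a reconstruction of the proposal the reply describes.

```conf
# ipsec.conf on the client behind the NAT (added illustration).
# Authentication options (authby, leftid, ...) are omitted on purpose.

# Proposal described in the reply: leftsubnet is unset, so it defaults to
# the address in left. Proposed traffic selectors:
#   192.168.42.178/32 === 10.180.0.0/16
# An IKEv1 responder that expects anything else rejects this exactly.
conn tunnel-as-proposed
    keyexchange=ikev1
    left=192.168.42.178
    right=server.example.org      # placeholder, server address is not on the page
    rightsubnet=10.180.0.0/16
    type=tunnel
    auto=add

# Transport mode, if the server accepts it. No subnets are configured,
# so the selectors are the peers' own addresses and the NAT translates them.
conn transport-mode
    keyexchange=ikev1
    left=192.168.42.178
    right=server.example.org      # placeholder
    type=transport
    auto=add

# Tunnel mode with a virtual IP requested via Mode Config. leftsubnet stays
# unset so the local traffic selector becomes the assigned virtual IP
# instead of the private LAN address.
conn tunnel-virtual-ip
    keyexchange=ikev1
    left=192.168.42.178
    leftsourceip=%config          # ask the server for a virtual IP
    right=server.example.org      # placeholder
    rightsubnet=10.180.0.0/16
    type=tunnel
    auto=add

# The server must be set up to hand out that address. On a strongSwan
# responder (an assumption, the page does not say what the server runs)
# this is done with rightsourceip=<address or pool> in its conn section.
```

After loading a variant, `ipsec statusall` shows the traffic selectors actually installed, which can be compared against what the responder expects.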
