Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 4 replies
  • Subscribers 26 subscribers
  • Views 10981 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built issue

M@rik

Admin - Merged thread from duplicate thread

 

Hi,

I am facing an issue that am not sure what i need to be checking on. I have an IPSEC connection that seems to be identical on both the sophos and the Cisco ASA end. When I attempt to start the connection, the phase1 comes up but the phase2 fails. When cisco ASA initiates the connection, the phase2 comes up and I can connect to devices on the remote side behind the ASA. If I terminate the connection, i cannot start the phase2 unless Cisco ASA initiates from their end by attempting to pass me traffic.

WHat do I need to check on?

 

Hi,

I am unable to initiate the IPSEC connection as much as I am set to be the initiator. The remote device is an ASA that is able to initiate the connection for it to work. Only logs I can find that are errors are:

2020-05-28 22:51:15 26[IKE] <vpn001-1|31> establishing CHILD_SA vpn001-8
2020-05-28 22:51:15 26[ENC] <vpn001-1|31> generating CREATE_CHILD_SA request 8 [ SA No TSi TSr ]
2020-05-28 22:51:15 26[NET] <vpn001-1|31> sending packet: from a.a.a.a[4500] to b.b.b.b[4500] (284 bytes)
2020-05-28 22:51:15 15[NET] <vpn001-1|31> received packet: from b.b.b.b[4500] to a.a.a.a[4500] (76 bytes)
2020-05-28 22:51:15 15[ENC] <vpn001-1|31> parsed CREATE_CHILD_SA response 8 [ N(NO_PROP) ]
2020-05-28 22:51:15 15[IKE] <vpn001-1|31> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
2020-05-28 22:51:15 15[DMN] <vpn001-1|31> [GARNER-LOGGING] (child_alert) ALERT: the received CHILD_SA proposals did not match: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
2020-05-28 22:51:15 15[IKE] <vpn001-1|31> creating CHILD_SA failed, trying again in 69 seconds



This thread was automatically locked due to age.
  • +1

    Hello M@rik,

    Thank you for contacting the Sophos Community.

    This NO_PROPOSAL_CHOSEN usually means that there is one setting in the Policy not matching between both devices.

    Are the subnets matching in both ends?

    Please follow the recommendations in this KB for XG and ASA

    ===

    Sophos XG Firewall: How to setup IPSec between Sophos XG Firewall and Cisco ASA

    https://community.sophos.com/kb/en-us/127731

    ===

    If the issue persist, please put strongswan in debug mode (service strongswan:debug -ds nosync) and send us the output, also provide some screenshots of your configuration and Cisco ASA if you can.

    Regards,

  • 0 in reply to emmosophos

    Hi emmosophos,

     

    I have followed the instructions provided on the https://community.sophos.com/kb/en-us/127731 and shared the same to the ASA engineer but still facing the same error. Of note, is that the phase2 only comes up if he initiates from his end.

     

    KEY:-

    a.a.a.a - this is my WAN interface IP which is a local IP as my device is behind a router

    b.b.b.b - Public IP, Peer IP on the ASA end.

     

    Below are the settings on my end:

    ------------------------------------------------------

    Connection type
    site to site
    Gateway Type
    Initiate the connection
    Authentication type
    Preshared Key

    Local gateway
    Listening interface
    Port2 (This is my wan port with IP a.a.a.a) - This os a private IP as fw is behind router
    Local ID type
    Select Local ID
    Local ID
    (blank)
    Local subnet
    10.10.10.12 (Device on lAN that needs to access remote devices)
    Network Address Translation (NAT)
    Not enabled

    Remote gateway
    Gateway address
    b.b.b.b (Peer IP to ASA)
    Remote ID type
    Select Local ID
    Local ID
    (blank)
    Remote subnet
    10.15.10.0/24 (Remote Subnet to access)
    196.x.x.77
    196.x.x.78
    196.x.x.79

    User authentication mode
    none

    +++++++++++++++++++++++++++++++++++++++++++++
    IPSEC POLICY:

    Key exchange
    IKEv2
    Authentication mode
    Main mode
    Re-key connection
    Enabled
    Pass data in compressed format
    Disbabled
    Key negotiation tries
    0 (Set 0 for unlimited number of negotiation tries)

    Phase 1
    Key life
    86400 secs
    Re-key margin
    360 secs
    Randomize re-keying margin by
    100 %
    DH group (key group)
    2(DH1024)
    Encryption
    AES256
    Authentication
    SHA1

    Phase 2
    PFS group (DH group)
    None
    Key life
    3600 secs
    Encryption
    AES256
    Authentication
    SHA1

    Dead Peer Detection
    Enabled
    Check peer after every
    30secs
    Wait for response up to
    120secs
    When peer unreachable
    Re-initiate

    --------------------------------------------------------------------------

    Below Is the log from the strongswan log after enabling debug with shared command.

     

     

    2020-05-29 08:31:51 13[CFG] rereading secrets
    2020-05-29 08:31:51 13[CFG] loading secrets from '/_conf/ipsec/ipsec.secrets'
    2020-05-29 08:31:51 13[CFG] loading secrets from '/_conf/ipsec/connections/vpn001.secrets'
    2020-05-29 08:31:51 13[CFG] loaded IKE secret for a.a.a.a b.b.b.b
    2020-05-29 08:31:51 09[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
    2020-05-29 08:31:51 32[CFG] received stroke: add connection 'vpn001-1'
    2020-05-29 08:31:51 32[CFG] conn vpn001-1
    2020-05-29 08:31:51 32[CFG] left=a.a.a.a
    2020-05-29 08:31:51 32[CFG] leftsubnet=10.10.10.12/32
    2020-05-29 08:31:51 32[CFG] leftauth=psk
    2020-05-29 08:31:51 32[CFG] leftid=a.a.a.a
    2020-05-29 08:31:51 32[CFG] leftupdown=iptables,route,ipsec0
    2020-05-29 08:31:51 32[CFG] right=b.b.b.b
    2020-05-29 08:31:51 32[CFG] rightsubnet=196.x.x.79/32
    2020-05-29 08:31:51 32[CFG] rightauth=psk
    2020-05-29 08:31:51 32[CFG] rightid=b.b.b.b
    2020-05-29 08:31:51 32[CFG] ike=aes256-sha1-modp1024
    2020-05-29 08:31:51 32[CFG] esp=aes256-sha1
    2020-05-29 08:31:51 32[CFG] dpddelay=30
    2020-05-29 08:31:51 32[CFG] dpdtimeout=120
    2020-05-29 08:31:51 32[CFG] dpdaction=3
    2020-05-29 08:31:51 32[CFG] closeaction=3
    2020-05-29 08:31:51 32[CFG] sha256_96=no
    2020-05-29 08:31:51 32[CFG] mediation=no
    2020-05-29 08:31:51 32[CFG] keyexchange=ikev2
    2020-05-29 08:31:51 32[CFG] added configuration 'vpn001-1'
    2020-05-29 08:31:51 25[CFG] received stroke: initiate 'vpn001-1'
    2020-05-29 08:31:51 25[IKE] <vpn001-1|42> queueing IKE_VENDOR task
    2020-05-29 08:31:51 25[IKE] <vpn001-1|42> queueing IKE_INIT task
    2020-05-29 08:31:51 25[IKE] <vpn001-1|42> queueing IKE_NATD task
    2020-05-29 08:31:51 25[IKE] <vpn001-1|42> queueing IKE_CERT_PRE task
    2020-05-29 08:31:51 25[IKE] <vpn001-1|42> queueing IKE_AUTH task
    2020-05-29 08:31:51 25[IKE] <vpn001-1|42> queueing IKE_CERT_POST task
    2020-05-29 08:31:51 25[IKE] <vpn001-1|42> queueing IKE_CONFIG task
    2020-05-29 08:31:51 25[IKE] <vpn001-1|42> queueing IKE_AUTH_LIFETIME task
    2020-05-29 08:31:51 25[IKE] <vpn001-1|42> queueing IKE_ME task
    2020-05-29 08:31:51 25[IKE] <vpn001-1|42> queueing CHILD_CREATE task
    2020-05-29 08:31:51 25[IKE] <vpn001-1|42> activating new tasks
    2020-05-29 08:31:51 25[IKE] <vpn001-1|42> activating IKE_VENDOR task
    2020-05-29 08:31:51 25[IKE] <vpn001-1|42> activating IKE_INIT task
    2020-05-29 08:31:51 25[IKE] <vpn001-1|42> activating IKE_NATD task
    2020-05-29 08:31:51 25[IKE] <vpn001-1|42> activating IKE_CERT_PRE task
    2020-05-29 08:31:51 25[IKE] <vpn001-1|42> activating IKE_ME task
    2020-05-29 08:31:51 25[IKE] <vpn001-1|42> activating IKE_AUTH task
    2020-05-29 08:31:51 25[IKE] <vpn001-1|42> activating IKE_CERT_POST task
    2020-05-29 08:31:51 25[IKE] <vpn001-1|42> activating IKE_CONFIG task
    2020-05-29 08:31:51 25[IKE] <vpn001-1|42> activating CHILD_CREATE task
    2020-05-29 08:31:51 25[IKE] <vpn001-1|42> activating IKE_AUTH_LIFETIME task
    2020-05-29 08:31:51 25[IKE] <vpn001-1|42> initiating IKE_SA vpn001-1[42] to b.b.b.b
    2020-05-29 08:31:51 25[IKE] <vpn001-1|42> IKE_SA vpn001-1[42] state change: CREATED => CONNECTING
    2020-05-29 08:31:51 25[CFG] <vpn001-1|42> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048
    2020-05-29 08:31:51 25[CFG] <vpn001-1|42> sending supported signature hash algorithms: sha1 sha256 sha384 sha512 identity
    2020-05-29 08:31:51 25[ENC] <vpn001-1|42> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    2020-05-29 08:31:51 25[NET] <vpn001-1|42> sending packet: from a.a.a.a[500] to b.b.b.b[500] (830 bytes)
    2020-05-29 08:31:51 04[NET] sending packet: from a.a.a.a[500] to b.b.b.b[500]
    2020-05-29 08:31:51 18[CFG] received stroke: add connection 'vpn001-2'
    2020-05-29 08:31:51 18[CFG] conn vpn001-2
    2020-05-29 08:31:51 18[CFG] left=a.a.a.a
    2020-05-29 08:31:51 18[CFG] leftsubnet=10.10.10.12/32
    2020-05-29 08:31:51 18[CFG] leftauth=psk
    2020-05-29 08:31:51 18[CFG] leftid=a.a.a.a
    2020-05-29 08:31:51 18[CFG] leftupdown=iptables,route,ipsec0
    2020-05-29 08:31:51 18[CFG] right=b.b.b.b
    2020-05-29 08:31:51 18[CFG] rightsubnet=10.15.10.0/24
    2020-05-29 08:31:51 18[CFG] rightauth=psk
    2020-05-29 08:31:51 18[CFG] rightid=b.b.b.b
    2020-05-29 08:31:51 18[CFG] ike=aes256-sha1-modp1024
    2020-05-29 08:31:51 18[CFG] esp=aes256-sha1
    2020-05-29 08:31:51 18[CFG] dpddelay=30
    2020-05-29 08:31:51 18[CFG] dpdtimeout=120
    2020-05-29 08:31:51 18[CFG] dpdaction=3
    2020-05-29 08:31:51 18[CFG] closeaction=3
    2020-05-29 08:31:51 18[CFG] sha256_96=no
    2020-05-29 08:31:51 18[CFG] mediation=no
    2020-05-29 08:31:51 18[CFG] keyexchange=ikev2
    2020-05-29 08:31:51 18[CFG] added child to existing configuration 'vpn001-1'
    2020-05-29 08:31:51 28[CFG] received stroke: initiate 'vpn001-2'
    2020-05-29 08:31:51 28[IKE] <vpn001-1|42> queueing CHILD_CREATE task
    2020-05-29 08:31:51 28[IKE] <vpn001-1|42> delaying task initiation, IKE_SA_INIT exchange in progress
    2020-05-29 08:31:51 10[CFG] received stroke: add connection 'vpn001-3'
    2020-05-29 08:31:51 10[CFG] conn vpn001-3
    2020-05-29 08:31:51 10[CFG] left=a.a.a.a
    2020-05-29 08:31:51 10[CFG] leftsubnet=10.10.10.12/32
    2020-05-29 08:31:51 10[CFG] leftauth=psk
    2020-05-29 08:31:51 10[CFG] leftid=a.a.a.a
    2020-05-29 08:31:51 10[CFG] leftupdown=iptables,route,ipsec0
    2020-05-29 08:31:51 10[CFG] right=b.b.b.b
    2020-05-29 08:31:51 10[CFG] rightsubnet=196.x.x.78/32
    2020-05-29 08:31:51 10[CFG] rightauth=psk
    2020-05-29 08:31:51 10[CFG] rightid=b.b.b.b
    2020-05-29 08:31:51 10[CFG] ike=aes256-sha1-modp1024
    2020-05-29 08:31:51 10[CFG] esp=aes256-sha1
    2020-05-29 08:31:51 10[CFG] dpddelay=30
    2020-05-29 08:31:51 10[CFG] dpdtimeout=120
    2020-05-29 08:31:51 10[CFG] dpdaction=3
    2020-05-29 08:31:51 10[CFG] closeaction=3
    2020-05-29 08:31:51 10[CFG] sha256_96=no
    2020-05-29 08:31:51 10[CFG] mediation=no
    2020-05-29 08:31:51 10[CFG] keyexchange=ikev2
    2020-05-29 08:31:51 10[CFG] added child to existing configuration 'vpn001-1'
    2020-05-29 08:31:51 11[CFG] received stroke: initiate 'vpn001-3'
    2020-05-29 08:31:51 11[IKE] <vpn001-1|42> queueing CHILD_CREATE task
    2020-05-29 08:31:51 11[IKE] <vpn001-1|42> delaying task initiation, IKE_SA_INIT exchange in progress
    2020-05-29 08:31:51 23[CFG] received stroke: add connection 'vpn001-4'
    2020-05-29 08:31:51 23[CFG] conn vpn001-4
    2020-05-29 08:31:51 23[CFG] left=a.a.a.a
    2020-05-29 08:31:51 23[CFG] leftsubnet=10.10.10.12/32
    2020-05-29 08:31:51 23[CFG] leftauth=psk
    2020-05-29 08:31:51 23[CFG] leftid=a.a.a.a
    2020-05-29 08:31:51 23[CFG] leftupdown=iptables,route,ipsec0
    2020-05-29 08:31:51 23[CFG] right=b.b.b.b
    2020-05-29 08:31:51 23[CFG] rightsubnet=196.x.x.77/32
    2020-05-29 08:31:51 23[CFG] rightauth=psk
    2020-05-29 08:31:51 23[CFG] rightid=b.b.b.b
    2020-05-29 08:31:51 23[CFG] ike=aes256-sha1-modp1024
    2020-05-29 08:31:51 23[CFG] esp=aes256-sha1
    2020-05-29 08:31:51 23[CFG] dpddelay=30
    2020-05-29 08:31:51 23[CFG] dpdtimeout=120
    2020-05-29 08:31:51 23[CFG] dpdaction=3
    2020-05-29 08:31:51 23[CFG] closeaction=3
    2020-05-29 08:31:51 23[CFG] sha256_96=no
    2020-05-29 08:31:51 23[CFG] mediation=no
    2020-05-29 08:31:51 23[CFG] keyexchange=ikev2
    2020-05-29 08:31:51 23[CFG] added child to existing configuration 'vpn001-1'
    2020-05-29 08:31:51 07[CFG] received stroke: initiate 'vpn001-4'
    2020-05-29 08:31:51 07[IKE] <vpn001-1|42> queueing CHILD_CREATE task
    2020-05-29 08:31:51 07[IKE] <vpn001-1|42> delaying task initiation, IKE_SA_INIT exchange in progress
    2020-05-29 08:31:51 03[NET] received packet: from b.b.b.b[500] to a.a.a.a[500] on Port2
    2020-05-29 08:31:51 03[NET] waiting for data on sockets
    2020-05-29 08:31:51 08[NET] <vpn001-1|42> received packet: from b.b.b.b[500] to a.a.a.a[500] (446 bytes)
    2020-05-29 08:31:51 08[ENC] <vpn001-1|42> parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) V ]
    2020-05-29 08:31:51 08[IKE] <vpn001-1|42> received Cisco Delete Reason vendor ID
    2020-05-29 08:31:51 08[IKE] <vpn001-1|42> received Cisco Copyright (c) 2009 vendor ID
    2020-05-29 08:31:51 08[IKE] <vpn001-1|42> received FRAGMENTATION vendor ID
    2020-05-29 08:31:51 08[IKE] <vpn001-1|42> received FRAGMENTATION_SUPPORTED notify
    2020-05-29 08:31:51 08[CFG] <vpn001-1|42> selecting proposal:
    2020-05-29 08:31:51 08[CFG] <vpn001-1|42> proposal matches
    2020-05-29 08:31:51 08[CFG] <vpn001-1|42> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    2020-05-29 08:31:51 08[CFG] <vpn001-1|42> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048
    2020-05-29 08:31:51 08[CFG] <vpn001-1|42> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    2020-05-29 08:31:51 08[IKE] <vpn001-1|42> local host is behind NAT, sending keep alives
    2020-05-29 08:31:51 08[IKE] <vpn001-1|42> reinitiating already active tasks
    2020-05-29 08:31:51 08[IKE] <vpn001-1|42> IKE_CERT_PRE task
    2020-05-29 08:31:51 08[IKE] <vpn001-1|42> IKE_AUTH task
    2020-05-29 08:31:51 08[IKE] <vpn001-1|42> authentication of 'a.a.a.a' (myself) with pre-shared key
    2020-05-29 08:31:51 08[IKE] <vpn001-1|42> successfully created shared key MAC
    2020-05-29 08:31:51 08[IKE] <vpn001-1|42> establishing CHILD_SA vpn001-1
    2020-05-29 08:31:51 08[CFG] <vpn001-1|42> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
    2020-05-29 08:31:51 08[ENC] <vpn001-1|42> generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
    2020-05-29 08:31:51 08[NET] <vpn001-1|42> sending packet: from a.a.a.a[4500] to b.b.b.b[4500] (316 bytes)
    2020-05-29 08:31:51 04[NET] sending packet: from a.a.a.a[4500] to b.b.b.b[4500]
    2020-05-29 08:31:51 03[NET] received packet: from b.b.b.b[4500] to a.a.a.a[4500] on Port2
    2020-05-29 08:31:51 03[NET] waiting for data on sockets
    2020-05-29 08:31:51 13[NET] <vpn001-1|42> received packet: from b.b.b.b[4500] to a.a.a.a[4500] (140 bytes)
    2020-05-29 08:31:51 13[ENC] <vpn001-1|42> parsed IKE_AUTH response 1 [ V IDr AUTH N(NO_PROP) ]
    2020-05-29 08:31:51 13[IKE] <vpn001-1|42> IKE_SA NO_PROPOSAL_CHOSEN set_condition COND_START_OVER
    2020-05-29 08:31:51 13[IKE] <vpn001-1|42> authentication of 'b.b.b.b' with pre-shared key successful
    2020-05-29 08:31:51 13[IKE] <vpn001-1|42> IKE_SA vpn001-1[42] established between a.a.a.a[a.a.a.a]...b.b.b.b[b.b.b.b]
    2020-05-29 08:31:51 13[IKE] <vpn001-1|42> IKE_SA vpn001-1[42] state change: CONNECTING => ESTABLISHED
    2020-05-29 08:31:51 13[IKE] <vpn001-1|42> scheduling rekeying in 85935s
    2020-05-29 08:31:51 13[IKE] <vpn001-1|42> maximum IKE_SA lifetime 86295s
    2020-05-29 08:31:51 13[IKE] <vpn001-1|42> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
    2020-05-29 08:31:51 13[CFG] <vpn001-1|42> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
    2020-05-29 08:31:51 13[DMN] <vpn001-1|42> [GARNER-LOGGING] (child_alert) ALERT: the received CHILD_SA proposals did not match: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
    2020-05-29 08:31:51 13[IKE] <vpn001-1|42> creating CHILD_SA failed, trying again in 70 seconds
    2020-05-29 08:31:51 13[IKE] <vpn001-1|42> queueing CHILD_CREATE task (delayed by 70s)
    2020-05-29 08:31:51 13[CHD] <vpn001-1|42> CHILD_SA vpn001-1{14524} state change: CREATED => DESTROYING
    2020-05-29 08:31:51 13[IKE] <vpn001-1|42> activating new tasks
    2020-05-29 08:31:51 13[IKE] <vpn001-1|42> activating CHILD_CREATE task
    2020-05-29 08:31:51 13[IKE] <vpn001-1|42> establishing CHILD_SA vpn001-2
    2020-05-29 08:31:51 13[CFG] <vpn001-1|42> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
    2020-05-29 08:31:51 13[ENC] <vpn001-1|42> generating CREATE_CHILD_SA request 2 [ SA No TSi TSr ]
    2020-05-29 08:31:51 13[NET] <vpn001-1|42> sending packet: from a.a.a.a[4500] to b.b.b.b[4500] (284 bytes)
    2020-05-29 08:31:51 04[NET] sending packet: from a.a.a.a[4500] to b.b.b.b[4500]
    2020-05-29 08:31:51 03[NET] received packet: from b.b.b.b[4500] to a.a.a.a[4500] on Port2
    2020-05-29 08:31:51 03[NET] waiting for data on sockets
    2020-05-29 08:31:51 31[NET] <vpn001-1|42> received packet: from b.b.b.b[4500] to a.a.a.a[4500] (76 bytes)
    2020-05-29 08:31:51 31[ENC] <vpn001-1|42> parsed CREATE_CHILD_SA response 2 [ N(NO_PROP) ]
    2020-05-29 08:31:51 31[IKE] <vpn001-1|42> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
    2020-05-29 08:31:51 31[CFG] <vpn001-1|42> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
    2020-05-29 08:31:51 31[DMN] <vpn001-1|42> [GARNER-LOGGING] (child_alert) ALERT: the received CHILD_SA proposals did not match: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
    2020-05-29 08:31:51 31[IKE] <vpn001-1|42> creating CHILD_SA failed, trying again in 64 seconds
    2020-05-29 08:31:51 31[IKE] <vpn001-1|42> queueing CHILD_CREATE task (delayed by 64s)
    2020-05-29 08:31:51 31[CHD] <vpn001-1|42> CHILD_SA vpn001-2{14525} state change: CREATED => DESTROYING
    2020-05-29 08:31:51 31[IKE] <vpn001-1|42> activating new tasks
    2020-05-29 08:31:51 31[IKE] <vpn001-1|42> activating CHILD_CREATE task
    2020-05-29 08:31:51 31[IKE] <vpn001-1|42> establishing CHILD_SA vpn001-3
    2020-05-29 08:31:51 31[CFG] <vpn001-1|42> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
    2020-05-29 08:31:51 31[ENC] <vpn001-1|42> generating CREATE_CHILD_SA request 3 [ SA No TSi TSr ]
    2020-05-29 08:31:51 31[NET] <vpn001-1|42> sending packet: from a.a.a.a[4500] to b.b.b.b[4500] (284 bytes)
    2020-05-29 08:31:51 04[NET] sending packet: from a.a.a.a[4500] to b.b.b.b[4500]
    2020-05-29 08:31:51 03[NET] received packet: from b.b.b.b[4500] to a.a.a.a[4500] on Port2
    2020-05-29 08:31:51 03[NET] waiting for data on sockets
    2020-05-29 08:31:51 12[NET] <vpn001-1|42> received packet: from b.b.b.b[4500] to a.a.a.a[4500] (76 bytes)
    2020-05-29 08:31:51 12[ENC] <vpn001-1|42> parsed CREATE_CHILD_SA response 3 [ N(NO_PROP) ]
    2020-05-29 08:31:51 12[IKE] <vpn001-1|42> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
    2020-05-29 08:31:51 12[CFG] <vpn001-1|42> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
    2020-05-29 08:31:51 12[DMN] <vpn001-1|42> [GARNER-LOGGING] (child_alert) ALERT: the received CHILD_SA proposals did not match: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
    2020-05-29 08:31:51 12[IKE] <vpn001-1|42> creating CHILD_SA failed, trying again in 69 seconds
    2020-05-29 08:31:51 12[IKE] <vpn001-1|42> queueing CHILD_CREATE task (delayed by 69s)
    2020-05-29 08:31:51 12[CHD] <vpn001-1|42> CHILD_SA vpn001-3{14526} state change: CREATED => DESTROYING
    2020-05-29 08:31:51 12[IKE] <vpn001-1|42> activating new tasks
    2020-05-29 08:31:51 12[IKE] <vpn001-1|42> activating CHILD_CREATE task
    2020-05-29 08:31:51 12[IKE] <vpn001-1|42> establishing CHILD_SA vpn001-4
    2020-05-29 08:31:51 12[CFG] <vpn001-1|42> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
    2020-05-29 08:31:51 12[ENC] <vpn001-1|42> generating CREATE_CHILD_SA request 4 [ SA No TSi TSr ]
    2020-05-29 08:31:51 12[NET] <vpn001-1|42> sending packet: from a.a.a.a[4500] to b.b.b.b[4500] (284 bytes)
    2020-05-29 08:31:51 04[NET] sending packet: from a.a.a.a[4500] to b.b.b.b[4500]
    2020-05-29 08:31:51 03[NET] received packet: from b.b.b.b[4500] to a.a.a.a[4500] on Port2
    2020-05-29 08:31:51 03[NET] waiting for data on sockets
    2020-05-29 08:31:51 27[NET] <vpn001-1|42> received packet: from b.b.b.b[4500] to a.a.a.a[4500] (76 bytes)
    2020-05-29 08:31:51 27[ENC] <vpn001-1|42> parsed CREATE_CHILD_SA response 4 [ N(NO_PROP) ]
    2020-05-29 08:31:51 27[IKE] <vpn001-1|42> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
    2020-05-29 08:31:51 27[CFG] <vpn001-1|42> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
    2020-05-29 08:31:51 27[DMN] <vpn001-1|42> [GARNER-LOGGING] (child_alert) ALERT: the received CHILD_SA proposals did not match: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
    2020-05-29 08:31:51 27[IKE] <vpn001-1|42> creating CHILD_SA failed, trying again in 68 seconds
    2020-05-29 08:31:51 27[IKE] <vpn001-1|42> queueing CHILD_CREATE task (delayed by 68s)
    2020-05-29 08:31:51 27[CHD] <vpn001-1|42> CHILD_SA vpn001-4{14527} state change: CREATED => DESTROYING
    2020-05-29 08:31:51 27[IKE] <vpn001-1|42> activating new tasks
    2020-05-29 08:31:51 27[IKE] <vpn001-1|42> nothing to initiate
    2020-05-29 08:32:04 14[MGR] <vpn001-1|42> Initiating CHILD_SA with configuration vpn001-1
    2020-05-29 08:32:04 14[IKE] <vpn001-1|42> queueing CHILD_CREATE task
    2020-05-29 08:32:04 14[IKE] <vpn001-1|42> activating new tasks
    2020-05-29 08:32:04 14[IKE] <vpn001-1|42> activating CHILD_CREATE task
    2020-05-29 08:32:04 14[IKE] <vpn001-1|42> establishing CHILD_SA vpn001-1
    2020-05-29 08:32:04 14[CFG] <vpn001-1|42> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
    2020-05-29 08:32:04 14[ENC] <vpn001-1|42> generating CREATE_CHILD_SA request 5 [ SA No TSi TSr ]
    2020-05-29 08:32:04 14[NET] <vpn001-1|42> sending packet: from a.a.a.a[4500] to b.b.b.b[4500] (284 bytes)
    2020-05-29 08:32:04 14[MGR] <vpn001-1|42> Initiating CHILD_SA with configuration vpn001-2
    2020-05-29 08:32:04 14[IKE] <vpn001-1|42> queueing CHILD_CREATE task
    2020-05-29 08:32:04 14[IKE] <vpn001-1|42> delaying task initiation, CREATE_CHILD_SA exchange in progress
    2020-05-29 08:32:04 04[NET] sending packet: from a.a.a.a[4500] to b.b.b.b[4500]
    2020-05-29 08:32:04 14[MGR] <vpn001-1|42> Initiating CHILD_SA with configuration vpn001-3
    2020-05-29 08:32:04 14[IKE] <vpn001-1|42> queueing CHILD_CREATE task
    2020-05-29 08:32:04 14[IKE] <vpn001-1|42> delaying task initiation, CREATE_CHILD_SA exchange in progress
    2020-05-29 08:32:04 14[MGR] <vpn001-1|42> Initiating CHILD_SA with configuration vpn001-4
    2020-05-29 08:32:04 14[IKE] <vpn001-1|42> queueing CHILD_CREATE task
    2020-05-29 08:32:04 14[IKE] <vpn001-1|42> delaying task initiation, CREATE_CHILD_SA exchange in progress
    2020-05-29 08:32:04 03[NET] received packet: from b.b.b.b[4500] to a.a.a.a[4500] on Port2
    2020-05-29 08:32:04 03[NET] waiting for data on sockets
    2020-05-29 08:32:04 11[NET] <vpn001-1|42> received packet: from b.b.b.b[4500] to a.a.a.a[4500] (76 bytes)
    2020-05-29 08:32:04 11[ENC] <vpn001-1|42> parsed CREATE_CHILD_SA response 5 [ N(NO_PROP) ]
    2020-05-29 08:32:04 11[IKE] <vpn001-1|42> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
    2020-05-29 08:32:04 11[CFG] <vpn001-1|42> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
    2020-05-29 08:32:04 11[DMN] <vpn001-1|42> [GARNER-LOGGING] (child_alert) ALERT: the received CHILD_SA proposals did not match: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
    2020-05-29 08:32:04 11[IKE] <vpn001-1|42> creating CHILD_SA failed, trying again in 65 seconds
    2020-05-29 08:32:04 11[IKE] <vpn001-1|42> queueing CHILD_CREATE task (delayed by 65s)
    2020-05-29 08:32:04 11[CHD] <vpn001-1|42> CHILD_SA vpn001-1{14528} state change: CREATED => DESTROYING
    2020-05-29 08:32:04 11[IKE] <vpn001-1|42> activating new tasks
    2020-05-29 08:32:04 11[IKE] <vpn001-1|42> activating CHILD_CREATE task
    2020-05-29 08:32:04 11[IKE] <vpn001-1|42> establishing CHILD_SA vpn001-2
    2020-05-29 08:32:04 11[CFG] <vpn001-1|42> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
    2020-05-29 08:32:04 11[ENC] <vpn001-1|42> generating CREATE_CHILD_SA request 6 [ SA No TSi TSr ]
    2020-05-29 08:32:04 11[NET] <vpn001-1|42> sending packet: from a.a.a.a[4500] to b.b.b.b[4500] (284 bytes)
    2020-05-29 08:32:04 04[NET] sending packet: from a.a.a.a[4500] to b.b.b.b[4500]
    2020-05-29 08:32:04 03[NET] received packet: from b.b.b.b[4500] to a.a.a.a[4500] on Port2
    2020-05-29 08:32:04 03[NET] waiting for data on sockets
    2020-05-29 08:32:04 23[NET] <vpn001-1|42> received packet: from b.b.b.b[4500] to a.a.a.a[4500] (76 bytes)
    2020-05-29 08:32:04 23[ENC] <vpn001-1|42> parsed CREATE_CHILD_SA response 6 [ N(NO_PROP) ]
    2020-05-29 08:32:04 23[IKE] <vpn001-1|42> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
    2020-05-29 08:32:04 23[CFG] <vpn001-1|42> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
    2020-05-29 08:32:04 23[DMN] <vpn001-1|42> [GARNER-LOGGING] (child_alert) ALERT: the received CHILD_SA proposals did not match: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
    2020-05-29 08:32:04 23[IKE] <vpn001-1|42> creating CHILD_SA failed, trying again in 65 seconds
    2020-05-29 08:32:04 23[IKE] <vpn001-1|42> queueing CHILD_CREATE task (delayed by 65s)
    2020-05-29 08:32:04 23[CHD] <vpn001-1|42> CHILD_SA vpn001-2{14529} state change: CREATED => DESTROYING
    2020-05-29 08:32:04 23[IKE] <vpn001-1|42> activating new tasks
    2020-05-29 08:32:04 23[IKE] <vpn001-1|42> activating CHILD_CREATE task
    2020-05-29 08:32:04 23[IKE] <vpn001-1|42> establishing CHILD_SA vpn001-3
    2020-05-29 08:32:04 23[CFG] <vpn001-1|42> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
    2020-05-29 08:32:04 23[ENC] <vpn001-1|42> generating CREATE_CHILD_SA request 7 [ SA No TSi TSr ]
    2020-05-29 08:32:04 23[NET] <vpn001-1|42> sending packet: from a.a.a.a[4500] to b.b.b.b[4500] (284 bytes)
    2020-05-29 08:32:04 04[NET] sending packet: from a.a.a.a[4500] to b.b.b.b[4500]
    2020-05-29 08:32:04 03[NET] received packet: from b.b.b.b[4500] to a.a.a.a[4500] on Port2
    2020-05-29 08:32:04 03[NET] waiting for data on sockets
    2020-05-29 08:32:04 30[NET] <vpn001-1|42> received packet: from b.b.b.b[4500] to a.a.a.a[4500] (76 bytes)
    2020-05-29 08:32:04 30[ENC] <vpn001-1|42> parsed CREATE_CHILD_SA response 7 [ N(NO_PROP) ]
    2020-05-29 08:32:04 30[IKE] <vpn001-1|42> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
    2020-05-29 08:32:04 30[CFG] <vpn001-1|42> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
    2020-05-29 08:32:04 30[DMN] <vpn001-1|42> [GARNER-LOGGING] (child_alert) ALERT: the received CHILD_SA proposals did not match: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
    2020-05-29 08:32:04 30[IKE] <vpn001-1|42> creating CHILD_SA failed, trying again in 69 seconds
    2020-05-29 08:32:04 30[IKE] <vpn001-1|42> queueing CHILD_CREATE task (delayed by 69s)
    2020-05-29 08:32:04 30[CHD] <vpn001-1|42> CHILD_SA vpn001-3{14530} state change: CREATED => DESTROYING
    2020-05-29 08:32:04 30[IKE] <vpn001-1|42> activating new tasks
    2020-05-29 08:32:04 30[IKE] <vpn001-1|42> activating CHILD_CREATE task
    2020-05-29 08:32:04 30[IKE] <vpn001-1|42> establishing CHILD_SA vpn001-4
    2020-05-29 08:32:04 30[CFG] <vpn001-1|42> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
    2020-05-29 08:32:04 30[ENC] <vpn001-1|42> generating CREATE_CHILD_SA request 8 [ SA No TSi TSr ]
    2020-05-29 08:32:04 30[NET] <vpn001-1|42> sending packet: from a.a.a.a[4500] to b.b.b.b[4500] (284 bytes)
    2020-05-29 08:32:04 04[NET] sending packet: from a.a.a.a[4500] to b.b.b.b[4500]
    2020-05-29 08:32:04 03[NET] received packet: from b.b.b.b[4500] to a.a.a.a[4500] on Port2
    2020-05-29 08:32:04 03[NET] waiting for data on sockets
    2020-05-29 08:32:04 05[NET] <vpn001-1|42> received packet: from b.b.b.b[4500] to a.a.a.a[4500] (76 bytes)
    2020-05-29 08:32:04 05[ENC] <vpn001-1|42> parsed CREATE_CHILD_SA response 8 [ N(NO_PROP) ]
    2020-05-29 08:32:04 05[IKE] <vpn001-1|42> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
    2020-05-29 08:32:04 05[CFG] <vpn001-1|42> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
    2020-05-29 08:32:04 05[DMN] <vpn001-1|42> [GARNER-LOGGING] (child_alert) ALERT: the received CHILD_SA proposals did not match: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
    2020-05-29 08:32:04 05[IKE] <vpn001-1|42> creating CHILD_SA failed, trying again in 67 seconds
    2020-05-29 08:32:04 05[IKE] <vpn001-1|42> queueing CHILD_CREATE task (delayed by 67s)
    2020-05-29 08:32:04 05[CHD] <vpn001-1|42> CHILD_SA vpn001-4{14531} state change: CREATED => DESTROYING
    2020-05-29 08:32:04 05[IKE] <vpn001-1|42> activating new tasks
    2020-05-29 08:32:04 05[IKE] <vpn001-1|42> nothing to initiate
    2020-05-29 08:32:06 29[APP] [COP-UPDOWN][STATUS] (db_status_update) conn_name: vpn001 count: 0
    2020-05-29 08:32:10 24[CFG] rereading secrets
    2020-05-29 08:32:10 24[CFG] loading secrets from '/_conf/ipsec/ipsec.secrets'
    2020-05-29 08:32:10 24[CFG] loading secrets from '/_conf/ipsec/connections/vpn001.secrets'
    2020-05-29 08:32:10 24[CFG] loaded IKE secret for a.a.a.a b.b.b.b
    2020-05-29 08:32:11 31[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
    2020-05-29 08:32:11 21[CFG] vici initiate 'vpn001-4'
    2020-05-29 08:32:11 26[IKE] <vpn001-1|42> queueing CHILD_CREATE task
    2020-05-29 08:32:11 26[IKE] <vpn001-1|42> activating new tasks
    2020-05-29 08:32:11 26[IKE] <vpn001-1|42> activating CHILD_CREATE task
    2020-05-29 08:32:11 26[IKE] <vpn001-1|42> establishing CHILD_SA vpn001-4
    2020-05-29 08:32:11 26[CFG] <vpn001-1|42> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
    2020-05-29 08:32:11 26[ENC] <vpn001-1|42> generating CREATE_CHILD_SA request 9 [ SA No TSi TSr ]
    2020-05-29 08:32:11 26[NET] <vpn001-1|42> sending packet: from a.a.a.a[4500] to b.b.b.b[4500] (284 bytes)
    2020-05-29 08:32:11 04[NET] sending packet: from a.a.a.a[4500] to b.b.b.b[4500]
    2020-05-29 08:32:11 03[NET] received packet: from b.b.b.b[4500] to a.a.a.a[4500] on Port2
    2020-05-29 08:32:11 03[NET] waiting for data on sockets
    2020-05-29 08:32:11 28[NET] <vpn001-1|42> received packet: from b.b.b.b[4500] to a.a.a.a[4500] (76 bytes)
    2020-05-29 08:32:11 28[ENC] <vpn001-1|42> parsed CREATE_CHILD_SA response 9 [ N(NO_PROP) ]
    2020-05-29 08:32:11 28[IKE] <vpn001-1|42> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
    2020-05-29 08:32:11 28[CFG] <vpn001-1|42> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
    2020-05-29 08:32:11 28[DMN] <vpn001-1|42> [GARNER-LOGGING] (child_alert) ALERT: the received CHILD_SA proposals did not match: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
    2020-05-29 08:32:11 28[IKE] <vpn001-1|42> creating CHILD_SA failed, trying again in 70 seconds
    2020-05-29 08:32:11 28[IKE] <vpn001-1|42> queueing CHILD_CREATE task (delayed by 70s)
    2020-05-29 08:32:11 28[CHD] <vpn001-1|42> CHILD_SA vpn001-4{14532} state change: CREATED => DESTROYING
    2020-05-29 08:32:11 28[IKE] <vpn001-1|42> activating new tasks
    2020-05-29 08:32:11 28[IKE] <vpn001-1|42> nothing to initiate
    2020-05-29 08:32:11 06[CFG] vici initiate 'vpn001-3'
    2020-05-29 08:32:11 32[IKE] <vpn001-1|42> queueing CHILD_CREATE task
    2020-05-29 08:32:11 32[IKE] <vpn001-1|42> activating new tasks
    2020-05-29 08:32:11 32[IKE] <vpn001-1|42> activating CHILD_CREATE task
    2020-05-29 08:32:11 32[IKE] <vpn001-1|42> establishing CHILD_SA vpn001-3
    2020-05-29 08:32:11 32[CFG] <vpn001-1|42> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
    2020-05-29 08:32:11 32[ENC] <vpn001-1|42> generating CREATE_CHILD_SA request 10 [ SA No TSi TSr ]
    2020-05-29 08:32:11 32[NET] <vpn001-1|42> sending packet: from a.a.a.a[4500] to b.b.b.b[4500] (284 bytes)
    2020-05-29 08:32:11 04[NET] sending packet: from a.a.a.a[4500] to b.b.b.b[4500]
    2020-05-29 08:32:11 03[NET] received packet: from b.b.b.b[4500] to a.a.a.a[4500] on Port2
    2020-05-29 08:32:11 03[NET] waiting for data on sockets
    2020-05-29 08:32:11 23[NET] <vpn001-1|42> received packet: from b.b.b.b[4500] to a.a.a.a[4500] (76 bytes)
    2020-05-29 08:32:11 23[ENC] <vpn001-1|42> parsed CREATE_CHILD_SA response 10 [ N(NO_PROP) ]
    2020-05-29 08:32:11 23[IKE] <vpn001-1|42> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
    2020-05-29 08:32:11 23[CFG] <vpn001-1|42> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
    2020-05-29 08:32:11 23[DMN] <vpn001-1|42> [GARNER-LOGGING] (child_alert) ALERT: the received CHILD_SA proposals did not match: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
    2020-05-29 08:32:11 23[IKE] <vpn001-1|42> creating CHILD_SA failed, trying again in 65 seconds
    2020-05-29 08:32:11 23[IKE] <vpn001-1|42> queueing CHILD_CREATE task (delayed by 65s)
    2020-05-29 08:32:11 23[CHD] <vpn001-1|42> CHILD_SA vpn001-3{14533} state change: CREATED => DESTROYING
    2020-05-29 08:32:11 23[IKE] <vpn001-1|42> activating new tasks
    2020-05-29 08:32:11 23[IKE] <vpn001-1|42> nothing to initiate
    2020-05-29 08:32:12 20[CFG] vici initiate 'vpn001-2'
    2020-05-29 08:32:12 25[IKE] <vpn001-1|42> queueing CHILD_CREATE task
    2020-05-29 08:32:12 25[IKE] <vpn001-1|42> activating new tasks
    2020-05-29 08:32:12 25[IKE] <vpn001-1|42> activating CHILD_CREATE task
    2020-05-29 08:32:12 25[IKE] <vpn001-1|42> establishing CHILD_SA vpn001-2
    2020-05-29 08:32:12 25[CFG] <vpn001-1|42> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
    2020-05-29 08:32:12 25[ENC] <vpn001-1|42> generating CREATE_CHILD_SA request 11 [ SA No TSi TSr ]
    2020-05-29 08:32:12 25[NET] <vpn001-1|42> sending packet: from a.a.a.a[4500] to b.b.b.b[4500] (284 bytes)
    2020-05-29 08:32:12 04[NET] sending packet: from a.a.a.a[4500] to b.b.b.b[4500]
    2020-05-29 08:32:12 03[NET] received packet: from b.b.b.b[4500] to a.a.a.a[4500] on Port2
    2020-05-29 08:32:12 03[NET] waiting for data on sockets
    2020-05-29 08:32:12 24[NET] <vpn001-1|42> received packet: from b.b.b.b[4500] to a.a.a.a[4500] (76 bytes)
    2020-05-29 08:32:12 24[ENC] <vpn001-1|42> parsed CREATE_CHILD_SA response 11 [ N(NO_PROP) ]
    2020-05-29 08:32:12 24[IKE] <vpn001-1|42> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
    2020-05-29 08:32:12 24[CFG] <vpn001-1|42> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
    2020-05-29 08:32:12 24[DMN] <vpn001-1|42> [GARNER-LOGGING] (child_alert) ALERT: the received CHILD_SA proposals did not match: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
    2020-05-29 08:32:12 24[IKE] <vpn001-1|42> creating CHILD_SA failed, trying again in 65 seconds
    2020-05-29 08:32:12 24[IKE] <vpn001-1|42> queueing CHILD_CREATE task (delayed by 65s)
    2020-05-29 08:32:12 24[CHD] <vpn001-1|42> CHILD_SA vpn001-2{14534} state change: CREATED => DESTROYING
    2020-05-29 08:32:12 24[IKE] <vpn001-1|42> activating new tasks
    2020-05-29 08:32:12 24[IKE] <vpn001-1|42> nothing to initiate
    2020-05-29 08:32:12 09[CFG] vici initiate 'vpn001-1'
    2020-05-29 08:32:12 19[IKE] <vpn001-1|42> queueing CHILD_CREATE task
    2020-05-29 08:32:12 19[IKE] <vpn001-1|42> activating new tasks
    2020-05-29 08:32:12 19[IKE] <vpn001-1|42> activating CHILD_CREATE task
    2020-05-29 08:32:12 19[IKE] <vpn001-1|42> establishing CHILD_SA vpn001-1
    2020-05-29 08:32:12 19[CFG] <vpn001-1|42> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
    2020-05-29 08:32:12 19[ENC] <vpn001-1|42> generating CREATE_CHILD_SA request 12 [ SA No TSi TSr ]
    2020-05-29 08:32:12 19[NET] <vpn001-1|42> sending packet: from a.a.a.a[4500] to b.b.b.b[4500] (284 bytes)
    2020-05-29 08:32:12 04[NET] sending packet: from a.a.a.a[4500] to b.b.b.b[4500]
    2020-05-29 08:32:12 03[NET] received packet: from b.b.b.b[4500] to a.a.a.a[4500] on Port2
    2020-05-29 08:32:12 03[NET] waiting for data on sockets
    2020-05-29 08:32:12 11[NET] <vpn001-1|42> received packet: from b.b.b.b[4500] to a.a.a.a[4500] (76 bytes)
    2020-05-29 08:32:12 11[ENC] <vpn001-1|42> parsed CREATE_CHILD_SA response 12 [ N(NO_PROP) ]
    2020-05-29 08:32:12 11[IKE] <vpn001-1|42> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
    2020-05-29 08:32:12 11[CFG] <vpn001-1|42> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
    2020-05-29 08:32:12 11[DMN] <vpn001-1|42> [GARNER-LOGGING] (child_alert) ALERT: the received CHILD_SA proposals did not match: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
    2020-05-29 08:32:12 11[IKE] <vpn001-1|42> creating CHILD_SA failed, trying again in 63 seconds
    2020-05-29 08:32:12 11[IKE] <vpn001-1|42> queueing CHILD_CREATE task (delayed by 63s)
    2020-05-29 08:32:12 11[CHD] <vpn001-1|42> CHILD_SA vpn001-1{14535} state change: CREATED => DESTROYING
    2020-05-29 08:32:12 11[IKE] <vpn001-1|42> activating new tasks
    2020-05-29 08:32:12 11[IKE] <vpn001-1|42> nothing to initiate

     

    ---------------------------------------------

    I am trying to get the cisco config to share here as well. Please advise if anything stands out from the debug

  • 0 in reply to M@rik

    Hello M@rik,

    Please ask for the configuration of the Cisco ASA.

    This is what stands out more. 

    2020-05-29 08:31:51 12[DMN] <vpn001-1|42> [GARNER-LOGGING] (child_alert) ALERT: the received CHILD_SA proposals did not match: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ

    What happens if you change to IKEv1 in both devices?

    Regards,

  • 0 in reply to emmosophos

    For anyone else that faces a similar issue, @emmosophos  was correct.

     

    Also note that for connecting to ASA, they need to ensure their ACLs on their end on their end are properly configured. The subnets we specify on our end also need to be identical to what the ASA is configured