03-11-2020 01:43 PM
Hello,
We are trying to set up a tunnel between our Debian host and a Cisco ASA 5585X.
Phase 1 passed and we have an established connection.
However, we get an error on phase 2:
Mar 11 20:04:34 host charon[15239]: 09[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Mar 11 20:04:34 host charon[15239]: 09[IKE] failed to establish CHILD_SA, keeping IKE_SA
We know that the esp config is wrong, but we can't solve it.
Could you help me please?
The inputs:
| Technical Information | | |
|---|---|---|
| VPN Gateway Information | Cisco ASA 5585X | ipsec |
| Tunnel mode (transport/tunnel) | tunnel | tunnel |
| Peer IP Address | 5.0.0.90 | 1.0.0.42 |
| IP address SHEP/VSHEP (subnet) | 5.0.1.0/24 | 0.0.0.0/24 |
| Tunnel Properties | | |
| Authentication Method | PSK | PSK |
| Private Shared Key | via SMS | via SMS |
| Cryptography Type | IKEv2 | IKEv2 |
| Diffie-Hellman Group | Group 14 | Group 14 |
| Cryptography Algorithm | AES-CBC-256 | AES-CBC-256 |
| Hash Algorithm | SHA 256 | SHA 256 |
| Lifetime (for renegotiation) | default | default |
| Tunnel Properties | | |
| Encapsulation (ESP or AH) | ESP | ESP |
| Cryptography Algorithm | AES 256 | AES 256 |
| Algorithm Method | SHA 256 | SHA 256 |
| Perfect Forward Secrecy | Group 14 | Group 14 |
| Lifetime (for renegotiation) | default | default |
| Lifesize in KB (for renegotiation) | default | default |
ipsec.conf

config setup
    charondebug="all"
    strictcrlpolicy=no
    uniqueids=yes

conn Host-to-ASA
    keyexchange=ikev2
    mobike=no
    fragmentation=yes
    auto=start
    type=tunnel
    authby=psk
    keyingtries=%forever
    left=1.0.0.42
    leftid=1.0.0.42
    leftsubnet=0.0.0.0/0
    ## Destination LAN
    right=5.0.0.90
    rightsubnet=5.0.1.0/24
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
# ipsec statusall
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-6-amd64, x86_64):
  uptime: 5 minutes, since Mar 11 20:04:33 2020
  malloc: sbrk 2830336, mmap 0, used 695920, free 2134416
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon addrblock agent attr certexpire connmark constraints counters dhcp dnskey eap-aka eap-gtc eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-tnc eap-ttls error-notify farp fips-prf gcm gmp led lookip md5 mgf1 openssl pem pgp pkcs1 pkcs12 pkcs7 pkcs8 pubkey random rc2 resolve revocation sshkey tnc-tnccs unity vici x509 xauth-eap xauth-generic xauth-pam xcbc nonce aes sha1 sha2 hmac stroke kernel-netlink socket-default updown
Listening IP addresses:
  1.0.0.42
Connections:
  Host-to-ASA:  1.0.0.42...5.0.0.90  IKEv2
  Host-to-ASA:   local:  [1.0.0.42] uses pre-shared key authentication
  Host-to-ASA:   remote: [5.0.0.90] uses pre-shared key authentication
  Host-to-ASA:   child:  0.0.0.0/0 === 5.0.1.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
  Host-to-ASA[1]: ESTABLISHED 5 minutes ago, 1.0.0.42[1.0.0.42]...5.0.0.90[5.0.0.90]
  Host-to-ASA[1]: IKEv2 SPIs: 4e7a3605sdfer50f7_i* 850fssdfrgt1f4af7_r, pre-shared key reauthentication in 2 hours
  Host-to-ASA[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Connection log from my host:
Mar 11 20:04:31 host ipsec_starter[14586]: ipsec starter stopped
Mar 11 20:04:33 host ipsec_starter[15215]: Starting strongSwan 5.7.2 IPsec [starter]...
Mar 11 20:04:33 host ipsec_starter[15215]: !! Your strongswan.conf contains manual plugin load options for charon.
Mar 11 20:04:33 host ipsec_starter[15215]: !! This is recommended for experts only, see
Mar 11 20:04:33 host ipsec_starter[15215]: !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
Mar 11 20:04:34 host charon[15239]: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-6-amd64, x86_64)
Mar 11 20:04:34 host charon[15239]: 00[NET] could not open socket: Address family not supported by protocol
Mar 11 20:04:34 host charon[15239]: 00[NET] could not open IPv6 socket, IPv6 disabled
Mar 11 20:04:34 host charon[15239]: 00[KNL] received netlink error: Address family not supported by protocol (97)
Mar 11 20:04:34 host charon[15239]: 00[KNL] unable to create IPv6 routing table rule
Mar 11 20:04:34 host charon[15239]: 00[CFG] loaded 0 RADIUS server configurations
Mar 11 20:04:34 host charon[15239]: 00[CFG] HA config misses local/remote address
Mar 11 20:04:34 host charon[15239]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Mar 11 20:04:34 host charon[15239]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Mar 11 20:04:34 host charon[15239]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Mar 11 20:04:34 host charon[15239]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Mar 11 20:04:34 host charon[15239]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Mar 11 20:04:34 host charon[15239]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Mar 11 20:04:34 host charon[15239]: 00[CFG] loaded IKE secret for 1.0.0.42 5.0.0.90
Mar 11 20:04:34 host charon[15239]: 00[CFG] loaded IKE secret for 1.0.0.42
Mar 11 20:04:34 host charon[15239]: 00[LIB] loaded plugins: charon addrblock agent attr certexpire connmark constraints counters dhcp dnskey eap-aka eap-gtc eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-tnc eap-ttls error-notify farp fips-prf gcm gmp led lookip md5 mgf1 openssl pem pgp pkcs1 pkcs12 pkcs7 pkcs8 pubkey random rc2 resolve revocation sshkey tnc-tnccs unity vici x509 xauth-eap xauth-generic xauth-pam xcbc nonce aes sha1 sha2 hmac stroke kernel-netlink socket-default updown
Mar 11 20:04:34 host charon[15239]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Mar 11 20:04:34 host charon[15239]: 00[JOB] spawning 16 worker threads
Mar 11 20:04:34 host ipsec_starter[15238]: charon (15239) started after 40 ms
Mar 11 20:04:34 host charon[15239]: 05[CFG] received stroke: add connection 'Host-to-ASA'
Mar 11 20:04:34 host charon[15239]: 05[CFG] added configuration 'Host-to-ASA'
Mar 11 20:04:34 host charon[15239]: 07[CFG] received stroke: initiate 'Host-to-ASA'
Mar 11 20:04:34 host charon[15239]: 07[IKE] initiating IKE_SA Host-to-ASA[1] to 5.0.0.90
Mar 11 20:04:34 host charon[15239]: 07[IKE] initiating IKE_SA Host-to-ASA[1] to 5.0.0.90
Mar 11 20:04:34 host charon[15239]: 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mar 11 20:04:34 host charon[15239]: 07[NET] sending packet: from 1.0.0.42[500] to 5.0.0.90[500] (464 bytes)
Mar 11 20:04:34 host charon[15239]: 10[NET] received packet: from 5.0.0.90[500] to 1.0.0.42[500] (574 bytes)
Mar 11 20:04:34 host charon[15239]: 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) V ]
Mar 11 20:04:34 host charon[15239]: 10[IKE] received Cisco Delete Reason vendor ID
Mar 11 20:04:34 host charon[15239]: 10[IKE] received Cisco Copyright (c) 2009 vendor ID
Mar 11 20:04:34 host charon[15239]: 10[IKE] received FRAGMENTATION vendor ID
Mar 11 20:04:34 host charon[15239]: 10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Mar 11 20:04:34 host charon[15239]: 10[IKE] authentication of '1.0.0.42' (myself) with pre-shared key
Mar 11 20:04:34 host charon[15239]: 10[IKE] establishing CHILD_SA Host-to-ASA{1}
Mar 11 20:04:34 host charon[15239]: 10[IKE] establishing CHILD_SA Host-to-ASA{1}
Mar 11 20:04:34 host charon[15239]: 10[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Mar 11 20:04:34 host charon[15239]: 10[NET] sending packet: from 1.0.0.42[500] to 5.0.0.90[500] (256 bytes)
Mar 11 20:04:34 host charon[15239]: 09[NET] received packet: from 5.0.0.90[500] to 1.0.0.42[500] (160 bytes)
Mar 11 20:04:34 host charon[15239]: 09[ENC] parsed IKE_AUTH response 1 [ V IDr AUTH N(NO_PROP) ]
Mar 11 20:04:34 host charon[15239]: 09[IKE] authentication of '5.0.0.90' with pre-shared key successful
Mar 11 20:04:34 host charon[15239]: 09[IKE] IKE_SA Host-to-ASA[1] established between 1.0.0.42[1.0.0.42]...5.0.0.90[5.0.0.90]
Mar 11 20:04:34 host charon[15239]: 09[IKE] IKE_SA Host-to-ASA[1] established between 1.0.0.42[1.0.0.42]...5.0.0.90[5.0.0.90]
Mar 11 20:04:34 host charon[15239]: 09[IKE] scheduling reauthentication in 10176s
Mar 11 20:04:34 host charon[15239]: 09[IKE] maximum IKE_SA lifetime 10716s
Mar 11 20:04:34 host charon[15239]: 09[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Mar 11 20:04:34 host charon[15239]: 09[IKE] failed to establish CHILD_SA, keeping IKE_SA
Log from the ASA:
4 Mar 11 2020 15:33:25 750003 Local:5.0.0.90:500 Remote:1.0.0.42:500 Username:91.215.139.42 IKEv2 Negotiation aborted due to ERROR: Failed to find a matching policy
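A quick way to compare the posted conn section against the provider's parameter sheet before asking the peer side to debug. This is an added example, not code from the thread; the sheet values are my mapping of the table above onto ipsec.conf keys (AES 256 / SHA 256 / DH group 14 written as strongSwan's aes256-sha256-modp2048), and the conn text is constructed from the posted config.

```python
# Constructed sample: the conn block as posted in the thread, in ipsec.conf syntax.
IPSEC_CONF = """\
conn Host-to-ASA
    keyexchange=ikev2
    type=tunnel
    authby=psk
    left=1.0.0.42
    leftsubnet=0.0.0.0/0 ## Destination LAN
    right=5.0.0.90
    rightsubnet=5.0.1.0/24
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
"""

# Constructed: the provider sheet for the Debian side, mapped onto the
# ipsec.conf keys it constrains (assumption: Group 14 == modp2048).
SHEET = {
    "keyexchange": "ikev2",
    "type": "tunnel",
    "authby": "psk",
    "leftsubnet": "0.0.0.0/24",
    "rightsubnet": "5.0.1.0/24",
    "ike": "aes256-sha256-modp2048!",
    "esp": "aes256-sha256-modp2048!",
}

def parse_conn(text, name):
    """Return {key: value} for one conn section; '#' comments are stripped."""
    settings, inside = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            inside = line.split(None, 1)[1] == name
            continue
        if inside and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def check_against_sheet(conf_text, name, sheet):
    """List (key, configured, expected) for each sheet entry the conn disagrees with."""
    conn = parse_conn(conf_text, name)
    return [(k, conn.get(k), v) for k, v in sheet.items() if conn.get(k) != v]

def phase2_failed(log_lines):
    """True if charon logged a NO_PROPOSAL_CHOSEN notify with no CHILD_SA built."""
    return any("NO_PROPOSAL_CHOSEN" in l and "no CHILD_SA built" in l for l in log_lines)

if __name__ == "__main__":
    for key, got, want in check_against_sheet(IPSEC_CONF, "Host-to-ASA", SHEET):
        print(f"{key}: configured {got!r}, sheet says {want!r}")
```

On the posted values the only difference it reports is the local traffic selector (leftsubnet); whether that is what the ASA rejected is not something the log alone proves.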
03-11-2020 01:49 PM
Could you run these commands on the ASA and post the output?
!
debug crypto isakmp 127
debug crypto ipsec 127
debug crypto peer condition x.x.x.x
03-11-2020 03:02 PM
Hi,
Verify that your IPsec settings match on both sides. If that is done and it still doesn't work, I would lower the security level (e.g. disable PFS or use a lower group number, use 3DES instead of AES, and MD5 instead of SHA). Sometimes the most secure algorithms can be configured but fail to work.
Regards,
Cristian Matei.
03-11-2020 03:06 PM
3DES is weak encryption. Lowering it means you are compromising the network.
03-12-2020 04:22 AM
Hi,
@Sheraz.Salim The recommendation to lower the security level was only temporary, for testing purposes, to rule out available features that don't actually work. In my experience it happened a lot that whenever I was an early adopter of some new technology (maybe not that new, but nobody was using it to detect bugs, like for example using the strongest DH groups, or EH), it didn't work due to bugs.
Regards,
Cristian Matei.
03-11-2020 10:50 PM - edited 03-11-2020 10:58 PM
Thanks for the answer.
The ASA is on the provider side, so I can't change the group or security settings.
I'll try to get the debug log:
debug crypto isakmp 127
debug crypto ipsec 127
debug crypto peer condition x.x.x.x
Can you check, maybe I made a mistake in the config regarding the inputs?
03-12-2020 11:11 AM
Hello,
It seems that the problem was on the provider side.
We managed to get phase 2 up.
Thank you for the answers.
By the way @Sheraz.Salim, the correct form of the first command is:
debug crypto condition peer x.x.x.x