[Swan] RHEL7 Libreswan -> Google Cloud VPN
Paul Wouters
paul at nohats.ca
Thu Aug 27 13:34:03 UTC 2015
On Wed, 26 Aug 2015, Patrick Bakker wrote:
> I'm trying to setup a VPN between RHEL7 and Google Cloud VPN. I keep getting this cryptic error:
>
> "google-tunnel" #6: ignored CCM/GCM ESP proposal 1: integrity transform must be IKEv2_AUTH_NONE or absent
> ikev2_parent_inI2outR2_tail returned STF_FAIL with v2N_NO_PROPOSAL_CHOSEN"
It seems they are proposing AES_GCM which is an AEAD cipher, meaning that
it should not use an integrity algorithm. In libreswan configuration
terms this means:
esp=aes_gcm128-null
what they seem to be doing (without seeing the debug logs) looks like:
esp=aes_gcm128-sha1
> This is with a barebones configuration like:
> conn google-tunnel
> authby=secret
> auto=start
> type=tunnel
> left=x.x.x.x
> leftid=x.x.x.x
> leftsourceip=x.x.x.x
> leftsubnet=x.x.x.x/24
> right=y.y.y.y
> rightsubnet=y.y.y.y/16
> rightsourceip=y.y.y.y
>
> As well as if I try to force some algorithm like:
> ike=aes-sha1
> ikev2=insist
> phase2=esp
> phase2alg=aes_gcm_c-128-null
What happens if you insist on not using GCM? eg
esp=aes128-sha2
> Anybody have any ideas?
It seems like a bug in their implementation. You can try and use
IKEv2 to see if that works around the bug:
ikev2=insist
When using IKEv2, you can also use aes_gcm for ike with libreswan, so
then you can also try:
ikev2=insist
ike=aes_gcm128-sha2
esp=aes_gcm128-null
Note that here the "sha2" on the ike line means the prf, not the
auth/integ algorithm.
If any of these hints help, please let me know so we can contact
google and write up a FAQ/interop issue on this.
Paul
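The rule behind the error in this thread is mechanical: an AEAD ESP cipher (AES-GCM, AES-CCM, ChaCha20-Poly1305) carries its own authentication, so libreswan rejects a proposal that pairs it with a separate integrity transform, while on the ike= line the element after the cipher is the PRF and is allowed. The following checker, an added example that is not from the original post or from libreswan itself, parses a conn section and applies that rule to esp=/phase2alg= and ike= strings. The two conn sections are constructed for the example (they are not Patrick's real configuration), the checker only recognizes the AEAD cipher names listed in AEAD_CIPHERS, and it additionally flags a non-AEAD cipher combined with "null" integrity, since that would leave ESP unauthenticated.

```python
import re
from typing import Dict, List

# AEAD ciphers this checker recognizes, in libreswan spelling (assumption:
# only these names are treated as AEAD).
AEAD_CIPHERS = ("aes_gcm", "aes_ccm", "chacha20_poly1305")

# One proposal entry such as "aes_gcm_c-128-null", "aes_gcm128-sha1" or
# "aes_gcm-null". libreswan writes the key length either glued to the name
# (aes_gcm128) or after a dash (aes_gcm_c-128); the optional _a/_b/_c suffix
# selects the ICV length. "second" is whatever follows the cipher: the
# integrity transform on esp=/phase2alg=, the PRF on ike=.
_AEAD_RE = re.compile(
    r"^(?P<cipher>" + "|".join(AEAD_CIPHERS) + r")(?:_[abc])?"
    r"-?(?P<keylen>\d+)?(?:-(?P<second>[a-z0-9_]+))?$"
)


def check_proposal(keyword: str, proposal: str) -> List[str]:
    """Return the problems found in one libreswan proposal string.

    keyword is the ipsec.conf key the string came from: 'esp' or 'phase2alg'
    (the second element is the ESP integrity transform) or 'ike' (the second
    element is the PRF, so a hash name next to an AEAD cipher is fine).
    """
    problems: List[str] = []
    esp_side = keyword in ("esp", "phase2alg")
    for entry in proposal.split(","):
        entry = entry.strip().lower()
        if not entry:
            continue
        # The DH group is separated with ';' (e.g. aes128-sha2;modp2048) and
        # does not matter for the AEAD/integrity rule, so drop it.
        algs = entry.split(";", 1)[0]
        m = _AEAD_RE.match(algs)
        if m:
            second = m.group("second")
            if esp_side and second not in (None, "null"):
                problems.append(
                    f"{algs}: {m.group('cipher')} is an AEAD cipher, so no "
                    f"integrity transform may follow it (got '{second}'); "
                    f"write '-null' or omit it"
                )
        else:
            cipher, _, second = algs.partition("-")
            if esp_side and second == "null":
                problems.append(
                    f"{algs}: {cipher} is not an AEAD cipher, so null "
                    f"integrity would leave ESP unauthenticated"
                )
    return problems


def parse_conn(text: str) -> Dict[str, str]:
    """Minimal parser for a single 'conn' section: key=value lines into a dict."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments
        if not line or line.startswith("conn "):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def check_conn(text: str) -> Dict[str, List[str]]:
    """Map each offending keyword (ike/esp/phase2alg) to its list of problems."""
    settings = parse_conn(text)
    report: Dict[str, List[str]] = {}
    for keyword in ("ike", "esp", "phase2alg"):
        if keyword in settings:
            problems = check_proposal(keyword, settings[keyword])
            if problems:
                report[keyword] = problems
    return report


# Constructed sample conn sections (not a real site's configuration).
BROKEN_CONN = """
conn google-tunnel
    authby=secret
    ikev2=insist
    ike=aes-sha1
    esp=aes_gcm128-sha1       # AEAD cipher plus sha1 integrity: rejected
"""

FIXED_CONN = """
conn google-tunnel
    authby=secret
    ikev2=insist
    ike=aes_gcm128-sha2       # sha2 here is the PRF, which is allowed
    esp=aes_gcm128-null       # AEAD cipher with no integrity transform
"""

if __name__ == "__main__":
    for name, conf in (("as posted", BROKEN_CONN), ("corrected", FIXED_CONN)):
        print(name, "->", check_conn(conf) or "OK")
```

Running it reports the esp= line of the first section and accepts the second. The checker deliberately mirrors only the rule quoted in the error ("integrity transform must be IKEv2_AUTH_NONE or absent") plus the unauthenticated-ESP caveat; it does not validate key lengths, DH groups or anything else libreswan checks.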