[Swan] "Quick Mode message: perhaps peer likes no proposal"
Adam Tauno Williams
awilliam at whitemice.org
Thu Feb 23 18:34:25 UTC 2017
I am attempting to set up an IPsec VPN with an OpenStack cloud provider
[Catalyst].
I seem to get through Phase#1 [IKE], but no matter what I try in the
config file I cannot get past Phase#2.
What are the options to debug what proposal would be viable?
AES256+SHA1 with PFS group14 *IS* what is configured on the remote
cloud provider side.
[root@ipsec ~]# ipsec auto --add mytunnel
002 added connection description "mytunnel"
[root@ipsec ~]# ipsec auto --up mytunnel
002 "mytunnel" #16: initiating Main Mode
104 "mytunnel" #16: STATE_MAIN_I1: initiate
003 "mytunnel" #16: ignoring Vendor ID payload [Openswan(project)]
003 "mytunnel" #16: received Vendor ID payload [Dead Peer Detection]
003 "mytunnel" #16: received Vendor ID payload [RFC 3947]
002 "mytunnel" #16: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
002 "mytunnel" #16: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "mytunnel" #16: STATE_MAIN_I2: sent MI2, expecting MR2
003 "mytunnel" #16: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
002 "mytunnel" #16: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "mytunnel" #16: STATE_MAIN_I3: sent MI3, expecting MR3
002 "mytunnel" #16: Main mode peer ID is ID_IPV4_ADDR: '150.242.43.138'
002 "mytunnel" #16: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "mytunnel" #16: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
002 "mytunnel" #17: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#16 msgid:f8ee3322 proposal=AES(12)_256-SHA1(2)_000 pfsgroup=OAKLEY_GROUP_MODP2048}
117 "mytunnel" #17: STATE_QUICK_I1: initiate
010 "mytunnel" #17: STATE_QUICK_I1: retransmission; will wait 500ms for response
010 "mytunnel" #17: STATE_QUICK_I1: retransmission; will wait 1000ms for response
010 "mytunnel" #17: STATE_QUICK_I1: retransmission; will wait 2000ms for response
010 "mytunnel" #17: STATE_QUICK_I1: retransmission; will wait 4000ms for response
010 "mytunnel" #17: STATE_QUICK_I1: retransmission; will wait 8000ms for response
010 "mytunnel" #17: STATE_QUICK_I1: retransmission; will wait 16000ms for response
010 "mytunnel" #17: STATE_QUICK_I1: retransmission; will wait 32000ms for response
031 "mytunnel" #17: max number of retransmissions (8) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
002 "mytunnel" #17: deleting state #17 (STATE_QUICK_I1)
[root@ipsec ~]# cat /etc/ipsec.d/catalyst.conf
config setup
        protostack=netkey

# Phase 2 (child SA) selectors; endpoint settings are pulled in from "mytunnel"
conn mysubnet
        also=mytunnel
        leftsubnet=172.31.50.0/24
        rightsubnet=172.31.7.0/24
        auto=start

# Endpoints and IKE/ESP settings shared via also=
conn mytunnel
        left=150.242.43.138
        right=216.120.174.230
        authby=secret
        pfs=yes
        phase2=esp
        phase2alg=aes256-sha1;modp2048
        nat_traversal=no
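Added example, not part of the original post and not libreswan code: a small Python script that parses the pluto output above and cross-checks it against the posted catalyst.conf. An IKEv1 responder that rejects the first Quick Mode message usually just stays silent, so the useful first step is to confirm what was actually put on the wire (ESP cipher, integrity, PFS group, and which of leftsubnet/rightsubnet pluto treats as local once it has oriented the connection from the Main Mode peer ID) before asking the peer's admin what they expect. The log lines are copied from the post with wrapped lines re-joined and the retransmissions cut to three; SAMPLE_LOG, CONF and the function names are the script's own.

```python
import re

# Pluto output copied from the post above, wrapped lines re-joined, the flag list
# shortened and the retransmissions cut to three (constructed sample, not a live run).
SAMPLE_LOG = """\
002 "mytunnel" #16: initiating Main Mode
002 "mytunnel" #16: Main mode peer ID is ID_IPV4_ADDR: '150.242.43.138'
004 "mytunnel" #16: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
002 "mytunnel" #17: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#16 msgid:f8ee3322 proposal=AES(12)_256-SHA1(2)_000 pfsgroup=OAKLEY_GROUP_MODP2048}
117 "mytunnel" #17: STATE_QUICK_I1: initiate
010 "mytunnel" #17: STATE_QUICK_I1: retransmission; will wait 500ms for response
010 "mytunnel" #17: STATE_QUICK_I1: retransmission; will wait 1000ms for response
010 "mytunnel" #17: STATE_QUICK_I1: retransmission; will wait 2000ms for response
031 "mytunnel" #17: max number of retransmissions (8) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
002 "mytunnel" #17: deleting state #17 (STATE_QUICK_I1)
"""

# Values from the posted catalyst.conf (the keys are ipsec.conf keywords).
CONF = {"left": "150.242.43.138", "right": "216.120.174.230",
        "leftsubnet": "172.31.50.0/24", "rightsubnet": "172.31.7.0/24",
        "phase2alg": "aes256-sha1;modp2048"}

ISAKMP_RE = re.compile(r"ISAKMP SA established \{auth=(\S+) cipher=(\S+) integ=(\S+) group=(\S+)\}")
QUICK_RE = re.compile(r"initiating Quick Mode .*proposal=(\S+) pfsgroup=(\S+)\}")
PEER_RE = re.compile(r"Main mode peer ID is ID_IPV4_ADDR: '([\d.]+)'")
RETRANS_RE = re.compile(r"STATE_QUICK_I1: retransmission")
NO_PROPOSAL_RE = re.compile(r"No acceptable response to our first Quick Mode message")


def summarize(log):
    """Record how far the exchange got and what pluto offered in each phase."""
    s = {"phase1": None, "peer_id": None, "phase2_proposal": None,
         "pfsgroup": None, "quick_retransmits": 0, "failed_phase": None}
    for line in log.splitlines():
        m = ISAKMP_RE.search(line)
        if m:
            s["phase1"] = dict(zip(("auth", "cipher", "integ", "group"), m.groups()))
            continue
        m = PEER_RE.search(line)
        if m:
            s["peer_id"] = m.group(1)
            continue
        m = QUICK_RE.search(line)
        if m:
            s["phase2_proposal"], s["pfsgroup"] = m.groups()
        elif RETRANS_RE.search(line):
            s["quick_retransmits"] += 1
        elif NO_PROPOSAL_RE.search(line):
            s["failed_phase"] = 2
    if s["phase1"] is None:
        s["failed_phase"] = 1          # never reached STATE_MAIN_I4
    return s


def normalize_offered(proposal, pfsgroup):
    """'AES(12)_256-SHA1(2)_000' + 'OAKLEY_GROUP_MODP2048' -> ('aes256', 'sha1', 'modp2048')."""
    m = re.fullmatch(r"([A-Z0-9]+)\(\d+\)_(\d+)-([A-Z0-9]+)\(\d+\)_\d+", proposal)
    if not m:
        raise ValueError("unrecognised proposal string: %s" % proposal)
    cipher = (m.group(1) + m.group(2)).lower()      # AES + 256 -> aes256
    integ = m.group(3).lower()                        # SHA1 -> sha1
    group = pfsgroup.replace("OAKLEY_GROUP_", "").lower()
    return cipher, integ, group


def normalize_phase2alg(phase2alg):
    """'aes256-sha1;modp2048' -> ('aes256', 'sha1', 'modp2048')."""
    alg, _, group = phase2alg.partition(";")
    cipher, _, integ = alg.partition("-")
    return cipher.lower(), integ.lower(), group.lower()


def local_side(conf, peer_id):
    """left/right are symmetric; the Main Mode peer ID shows which one pluto made remote."""
    if peer_id == conf["left"]:
        return "right"
    if peer_id == conf["right"]:
        return "left"
    raise ValueError("peer ID %s matches neither left nor right" % peer_id)


def diagnose(log, conf):
    """Compare what went on the wire with what the config says, and orient the subnets."""
    s = summarize(log)
    r = {"failed_phase": s["failed_phase"], "quick_retransmits": s["quick_retransmits"],
         "configured": normalize_phase2alg(conf["phase2alg"]), "offered": None,
         "offer_matches_config": None, "local_subnet": None, "remote_subnet": None}
    if s["phase2_proposal"] is not None:
        r["offered"] = normalize_offered(s["phase2_proposal"], s["pfsgroup"])
        r["offer_matches_config"] = r["offered"] == r["configured"]
    if s["peer_id"] is not None:
        local = local_side(conf, s["peer_id"])
        remote = "left" if local == "right" else "right"
        r["local_subnet"] = conf[local + "subnet"]
        r["remote_subnet"] = conf[remote + "subnet"]
    return r


if __name__ == "__main__":
    r = diagnose(SAMPLE_LOG, CONF)
    for k, v in r.items():
        print("%-22s %s" % (k, v))
    if r["failed_phase"] == 2 and r["offer_matches_config"]:
        print("Quick Mode offer equals phase2alg; remaining candidates are on the peer: its ESP "
              "algs/PFS group, or selectors that do not mirror %s <-> %s"
              % (r["local_subnet"], r["remote_subnet"]))
```

On the posted log the script reports that Phase 1 completed, that the Phase 2 offer (aes256, sha1, modp2048) is exactly what phase2alg asks for, and that pluto oriented the connection with 216.120.174.230 as local, so 172.31.7.0/24 is the local selector and 172.31.50.0/24 the remote one. Since the offer and the config agree, whatever the peer dislikes is on its side: either its ESP algorithm or PFS group, or traffic selectors that are not the mirror image of those two subnets; the peer's admin has to confirm both, because pluto cannot see a rejection it never receives.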