[Swan] "Quick Mode message: perhaps peer likes no proposal"

Adam Tauno Williams awilliam at whitemice.org
Thu Feb 23 18:34:25 UTC 2017


I am attempting to set up an IPsec VPN with an OpenStack cloud provider [Catalyst].

I seem to get through Phase#1 [IKE] but no matter what I try in the config file I cannot get past Phase#2.

What are the options to debug what proposal would be viable? AES256+SHA1 with PFS group14 *IS* what is configured on the remote cloud provider side.

[root at ipsec ~]# ipsec auto --add mytunnel
002 added connection description "mytunnel"
[root at ipsec ~]# ipsec auto --up mytunnel
002 "mytunnel" #16: initiating Main Mode
104 "mytunnel" #16: STATE_MAIN_I1: initiate
003 "mytunnel" #16: ignoring Vendor ID payload [Openswan(project)]
003 "mytunnel" #16: received Vendor ID payload [Dead Peer Detection]
003 "mytunnel" #16: received Vendor ID payload [RFC 3947]
002 "mytunnel" #16: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
002 "mytunnel" #16: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "mytunnel" #16: STATE_MAIN_I2: sent MI2, expecting MR2
003 "mytunnel" #16: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
002 "mytunnel" #16: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "mytunnel" #16: STATE_MAIN_I3: sent MI3, expecting MR3
002 "mytunnel" #16: Main mode peer ID is ID_IPV4_ADDR: '150.242.43.138'
002 "mytunnel" #16: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "mytunnel" #16: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
002 "mytunnel" #17: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#16 msgid:f8ee3322 proposal=AES(12)_256-SHA1(2)_000 pfsgroup=OAKLEY_GROUP_MODP2048}
117 "mytunnel" #17: STATE_QUICK_I1: initiate
010 "mytunnel" #17: STATE_QUICK_I1: retransmission; will wait 500ms for response
010 "mytunnel" #17: STATE_QUICK_I1: retransmission; will wait 1000ms for response
010 "mytunnel" #17: STATE_QUICK_I1: retransmission; will wait 2000ms for response
010 "mytunnel" #17: STATE_QUICK_I1: retransmission; will wait 4000ms for response
010 "mytunnel" #17: STATE_QUICK_I1: retransmission; will wait 8000ms for response
010 "mytunnel" #17: STATE_QUICK_I1: retransmission; will wait 16000ms for response
010 "mytunnel" #17: STATE_QUICK_I1: retransmission; will wait 32000ms for response
031 "mytunnel" #17: max number of retransmissions (8) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
002 "mytunnel" #17: deleting state #17 (STATE_QUICK_I1)

[root at ipsec ~]# cat /etc/ipsec.d/catalyst.conf
config setup
    protostack=netkey

conn mysubnet
    also=mytunnel
    leftsubnet=172.31.50.0/24
    rightsubnet=172.31.7.0/24
    auto=start

conn mytunnel
    left=150.242.43.138
    right=216.120.174.230
    authby=secret
    pfs=yes
    phase2=esp
    phase2alg=aes256-sha1;modp2048
    nat_traversal=no
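A way to read a transcript like the one above mechanically, as an added example that is not part of the original post or of Libreswan: a small Python parser over pluto's console lines that records the Phase 1 parameters, the Quick Mode proposal that was sent, and whether Phase 2 died by timeout (the peer sent no NOTIFY at all, so the mismatch has to be found by comparing the sent proposal with the remote side's configuration). The sample log is constructed from the post's own output with the mail-wrapped lines rejoined.

```python
"""Summarise an IKEv1 negotiation from `ipsec auto --up` output.
Added example, not Libreswan code: extracts what Phase 1 agreed on, what
Phase 2 proposed, and which phase failed."""
import re

# Constructed sample: the decisive lines from the post's `ipsec auto --up` run.
SAMPLE_LOG = """\
004 "mytunnel" #16: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
002 "mytunnel" #17: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#16 msgid:f8ee3322 proposal=AES(12)_256-SHA1(2)_000 pfsgroup=OAKLEY_GROUP_MODP2048}
117 "mytunnel" #17: STATE_QUICK_I1: initiate
010 "mytunnel" #17: STATE_QUICK_I1: retransmission; will wait 500ms for response
010 "mytunnel" #17: STATE_QUICK_I1: retransmission; will wait 1000ms for response
031 "mytunnel" #17: max number of retransmissions (8) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
002 "mytunnel" #17: deleting state #17 (STATE_QUICK_I1)
"""

ISAKMP_RE = re.compile(r'ISAKMP SA established \{(?P<params>[^}]*)\}')
QUICK_RE = re.compile(r'initiating Quick Mode .*\{(?P<params>[^}]*)\}')
RETRANS_RE = re.compile(r'STATE_QUICK_I1: retransmission; will wait (\d+)ms')
FAIL_RE = re.compile(r'No acceptable response to our first Quick Mode message')


def _kv(params: str) -> dict:
    """Turn 'auth=PSK cipher=aes_256 ...' into a dict; skips tokens without '='."""
    return dict(tok.split('=', 1) for tok in params.split() if '=' in tok)


def summarize(log: str) -> dict:
    """Return which phase failed and what each phase negotiated or offered."""
    result = {'phase1': None, 'phase2_proposal': None,
              'quick_retransmits': 0, 'failed_phase': None}
    for line in log.splitlines():
        if m := ISAKMP_RE.search(line):
            result['phase1'] = _kv(m.group('params'))      # Phase 1 succeeded
        elif m := QUICK_RE.search(line):
            result['phase2_proposal'] = _kv(m.group('params'))
        elif RETRANS_RE.search(line):
            result['quick_retransmits'] += 1
        elif FAIL_RE.search(line):
            # Timeout, not a NO_PROPOSAL_CHOSEN notify: the responder silently
            # dropped QM1, so compare 'proposal'/'pfsgroup' with the peer's config.
            result['failed_phase'] = 2
    if result['phase1'] is None:
        result['failed_phase'] = 1      # never reached STATE_MAIN_I4
    return result
```

Running `summarize(SAMPLE_LOG)` on the post's transcript reports Phase 1 at aes_256/sha/MODP2048 and a Phase 2 proposal of AES(12)_256-SHA1(2)_000 with PFS MODP2048, failing in phase 2 after the retransmissions.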
