[Swan] "Quick Mode message: perhaps peer likes no proposal"

Paul Wouters paul at nohats.ca
Thu Feb 23 21:40:48 UTC 2017


On Thu, 23 Feb 2017, Adam Tauno Williams wrote:

> I am attempting to setup an IPSec VPN with an openStack cloud provider 
> [Catalyst].
>
> I seem to get through Phase#1 [IKE] but no matter what I try in the config 
> file I cannot get past Phase#2.

Usually that means a configuration mismatch in either the esp=/phase2alg=
options or in the left/rightsubnet or left/rightprotoport= options.

> What are the options to debug what proposal would be viable?  AES256+SHA1 
> with PFS group14 *IS* what is configured on the remote cloud provider side.

Without seeing logs of the other side, that's hard to tell. Especially
since you are not even getting an answer instead of receiving some error
like NO_PROPOSAL_CHOSEN.

> 004 "mytunnel" #16: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY 
> cipher=aes_256 integ=sha group=MODP2048}

So ike= line is good and you authenticated. So it is now all about the
IPsec SA options.

> 031 "mytunnel" #17: max number of retransmissions (8) reached STATE_QUICK_I1. 
> No acceptable response to our first Quick Mode message: perhaps peer likes no 
> proposal

>
> [root at ipsec ~]# cat /etc/ipsec.d/catalyst.conf
> config setup
>    protostack=netkey
>
> conn mysubnet
>     also=mytunnel
>     leftsubnet=172.31.50.0/24
>     rightsubnet=172.31.7.0/24
>     auto=start
>
> conn mytunnel
>    left=150.242.43.138
>    right=216.120.174.230
>    authby=secret
>    pfs=yes
>    phase2=esp
>    phase2alg=aes256-sha1;modp2048
>    nat_traversal=no

It could be that the remote does not allow the host-to-host
configuration and only allows the subnet-to-subnet configuration,
so you can try:

ipsec auto --delete mytunnel
ipsec auto --add mysubnet
ipsec auto --up mysubnet

Paul
ps. interesting to see: ignoring Vendor ID payload [Openswan(project)]
which means they are running a very old openswan release (2.6.38 or so)
from around the time of the libreswan split.
pps. usually people don't change the default of not sending the Vendor ID.
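As an added illustration of Paul's two points (the host-to-host conn versus the subnet conn that inherits it via also=, and the need for the phase2alg= DH group to match the peer's PFS group), here is a small script that is not from the thread or from the libreswan project. It embeds a copy of the config quoted above, resolves the effective settings of each conn by following also=, and reports the things a defender would check before retransmitting Quick Mode eight times. Assumptions: the also= merge rule (included conn first, the including conn's own keys override) and the DH_GROUPS table are mine; IKE group 14 being MODP-2048 comes from RFC 3526; real addconn parsing (%default, include, multiple also=) is more involved than this.

```python
"""Resolve effective conn settings from an ipsec.conf and sanity-check Phase 2.

Added example, not code from the thread or from libreswan/openswan.
"""
import re

# Constructed copy of the config quoted earlier in the thread.
SAMPLE_CONF = """\
config setup
   protostack=netkey

conn mysubnet
    also=mytunnel
    leftsubnet=172.31.50.0/24
    rightsubnet=172.31.7.0/24
    auto=start

conn mytunnel
   left=150.242.43.138
   right=216.120.174.230
   authby=secret
   pfs=yes
   phase2=esp
   phase2alg=aes256-sha1;modp2048
   nat_traversal=no
"""

# IKE DH group number -> modp name as written in phase2alg= (assumption: only
# the common groups; group 14 = MODP-2048 per RFC 3526).
DH_GROUPS = {2: "modp1024", 5: "modp1536", 14: "modp2048", 15: "modp3072", 16: "modp4096"}


def parse_conf(text):
    """Return {name: {key: value}} with 'config' for the setup block and one
    entry per 'conn NAME' block. Comments (#) and blank lines are skipped."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                  # header at column 0
            kind, _, name = line.strip().partition(" ")
            current = {}
            sections[name.strip() if kind == "conn" else kind] = current
            continue
        if current is None:
            raise ValueError("key=value before any section: %r" % raw)
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    return sections


def resolve_conn(sections, name, _seen=None):
    """Effective settings of conn `name`: values of also= conns first,
    the conn's own keys override them (assumed merge order)."""
    _seen = _seen or set()
    if name in _seen:
        raise ValueError("also= cycle at %s" % name)
    _seen.add(name)
    own = dict(sections[name])
    merged = {}
    for inc in own.pop("also", "").split(","):
        if inc.strip():
            merged.update(resolve_conn(sections, inc.strip(), _seen))
    merged.update(own)
    return merged


def phase2_checks(conn, peer_dh_group):
    """Return a list of findings that commonly explain an unanswered
    Quick Mode message; an empty list means nothing obvious is wrong."""
    findings = []
    if "leftsubnet" not in conn and "rightsubnet" not in conn:
        findings.append("host-to-host conn: no left/rightsubnet, peer may only accept subnet-to-subnet")
    alg = conn.get("phase2alg") or conn.get("esp", "")
    m = re.match(r"([a-z0-9_]+)-([a-z0-9_]+)(?:;([a-z0-9_]+))?$", alg)
    if not m:
        findings.append("phase2alg/esp not parseable: %r" % alg)
        return findings
    _cipher, _integ, group = m.groups()
    if conn.get("pfs", "yes") == "yes":
        wanted = DH_GROUPS.get(peer_dh_group)
        if group is None:
            findings.append("pfs=yes but no DH group in phase2alg; confirm the IKE group equals %s" % wanted)
        elif group != wanted:
            findings.append("PFS group mismatch: local %s, peer group %d = %s" % (group, peer_dh_group, wanted))
    return findings


if __name__ == "__main__":
    secs = parse_conf(SAMPLE_CONF)
    for conn_name in ("mytunnel", "mysubnet"):
        eff = resolve_conn(secs, conn_name)
        print(conn_name, eff.get("leftsubnet"), "<->", eff.get("rightsubnet"))
        for f in phase2_checks(eff, peer_dh_group=14):
            print("  -", f)
```

Running it shows mytunnel resolving to no subnets at all (the host-to-host case Paul suspects the peer rejects) while mysubnet inherits left=, right=, pfs= and phase2alg= from it and carries the 172.31.50.0/24 to 172.31.7.0/24 selectors; with the peer's group 14 the modp2048 in phase2alg= is consistent, so the selector mismatch is the first thing to try.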



