[Swan] "Quick Mode message: perhaps peer likes no proposal"
Nick Howitt
nick at howitts.co.uk
Fri Feb 24 08:58:25 UTC 2017
On 2017-02-23 21:40, Paul Wouters wrote:
> On Thu, 23 Feb 2017, Adam Tauno Williams wrote:
>
>> I am attempting to setup an IPSec VPN with an openStack cloud provider
>> [Catalyst].
>>
>> I seem to get through Phase#1 [IKE] but no matter what I try in the
>> config file I cannot get past Phase#2.
>
> Usually that means a configuration mismatch in either the
> esp=/phase2alg=
> options or in the left/rightsubnet or left/rightprotoport= options
>
>> What are the options to debug what proposal would be viable?
>> ASE256+SHA1 with PFS group14 *IS* what is configured on the remote
>> cloud provider side.
>
> Without seeing logs of the other side, that's hard to tell. Especially
> since you are not even getting an answer instead of receiving some
> error
> like NO_PROPOSAL_CHOSEN.
>
>> 004 "mytunnel" #16: STATE_MAIN_I4: ISAKMP SA established
>> {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
>
> So ike= line is good and you authenticated. So it is now all about the
> IPsec SA options.
>
>> 031 "mytunnel" #17: max number of retransmissions (8) reached
>> STATE_QUICK_I1. No acceptable response to our first Quick Mode
>> message: perhaps peer likes no proposal
>
>>
>> [root at ipsec ~]# cat /etc/ipsec.d/catalyst.conf
>> config setup
>> protostack=netkey
>>
>> conn mysubnet
>> also=mytunnel
>> leftsubnet=172.31.50.0/24
>> rightsubnet=172.31.7.0/24
>> auto=start
>>
>> conn mytunnel
>> left=150.242.43.138
>> right=216.120.174.230
>> authby=secret
>> pfs=yes
>> phase2=esp
>> phase2alg=aes256-sha1;modp2048
>> nat_traversal=no
>
> It could be that the remote does not allow the host-to-host
> configuration and only allows the subnet-to-subnet configuration,
> so you can try:
>
> ipsec auto --delete mytunnel
> ipsec auto --add mysubnet
> ipsec auto --up mysubnet
A while back there used to be problems if you specified a modp in
phase2alg. Is it worth reducing it to just aes256-sha1?
BTW, to me this does look like a subnet-to-subnet configuration because
of conn subnet.
>
> Paul
> ps. interesting to see: ignoring Vendor ID payload [Openswan(project)]
> which means they are running a very old openswan release (2.6.38 or so)
> from around the time of the libreswan split.
> pps. usually people dont change the default of not sending the Vendor
> ID.
>
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
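As an added illustration (not part of the thread, and not libreswan's own config parser), the small Python inspector below reads the conn sections posted above, resolves the `also=` inheritance that makes `mysubnet` pull its peers and `phase2alg` from `mytunnel`, and reports the two things the thread turns on: which conns are subnet-to-subnet versus host-to-host, and whether `phase2alg=` carries a `;modpNNNN` PFS group that could be dropped for a test. The merge rule that the including conn's own keys win over `also=` keys is an assumption of this example (the sample has no conflicting keys, so the result does not depend on it).

```python
"""Minimal ipsec.conf inspector (added example; not libreswan's own parser)."""
from __future__ import annotations

import re
from typing import Dict, Optional, Set

# Constructed sample: the conn sections quoted in the thread.
SAMPLE_CONF = """\
config setup
    protostack=netkey

conn mysubnet
    also=mytunnel
    leftsubnet=172.31.50.0/24
    rightsubnet=172.31.7.0/24
    auto=start

conn mytunnel
    left=150.242.43.138
    right=216.120.174.230
    authby=secret
    pfs=yes
    phase2=esp
    phase2alg=aes256-sha1;modp2048
    nat_traversal=no
"""

Section = Dict[str, str]


def parse_conf(text: str) -> Dict[str, Section]:
    """Split ipsec.conf-style text into sections keyed 'config:<name>' / 'conn:<name>'.

    Comments (#) and blank lines are ignored; each remaining line must be key=value
    inside a section.
    """
    sections: Dict[str, Section] = {}
    current: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = re.match(r"^(config|conn)\s+(\S+)\s*$", line)
        if header:
            current = sections.setdefault(f"{header.group(1)}:{header.group(2)}", {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = line.strip().split("=", 1)
        current[key.strip()] = value.strip()
    return sections


def resolve_conn(sections: Dict[str, Section], name: str,
                 seen: Optional[Set[str]] = None) -> Section:
    """Return conn `name` with every also= section merged in.

    Assumption of this example: keys set directly in the including conn take
    precedence over keys inherited through also=. Loops raise.
    """
    seen = set(seen or ())
    if name in seen:
        raise ValueError(f"also= loop involving conn {name}")
    seen.add(name)
    own = dict(sections[f"conn:{name}"])
    merged: Section = {}
    for other in own.pop("also", "").split():
        merged.update(resolve_conn(sections, other, seen))
    merged.update(own)
    return merged


def classify(conn: Section) -> Dict[str, object]:
    """Summarise the tunnel shape and the phase 2 proposal of one resolved conn."""
    alg = conn.get("phase2alg") or conn.get("esp", "")
    base, _, group = alg.partition(";")  # 'aes256-sha1;modp2048' -> base, group
    return {
        "subnet_to_subnet": "leftsubnet" in conn and "rightsubnet" in conn,
        "phase2alg_without_group": base,       # what to try if the group is dropped
        "pfs_group_in_phase2alg": group or None,
        "pfs": conn.get("pfs"),
    }


def inspect(text: str) -> Dict[str, Dict[str, object]]:
    """Classify every conn in the given ipsec.conf text."""
    sections = parse_conf(text)
    return {key.split(":", 1)[1]: classify(resolve_conn(sections, key.split(":", 1)[1]))
            for key in sections if key.startswith("conn:")}


if __name__ == "__main__":
    for name, summary in inspect(SAMPLE_CONF).items():
        print(name, summary)
```

Run as a script it prints one line per conn; for the posted config it shows `mysubnet` as the only subnet-to-subnet conn and `modp2048` as the group sitting in `phase2alg`, which is the value Nick suggests trying without.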