[Swan] "Quick Mode message: perhaps peer likes no proposal"

Nick Howitt nick at howitts.co.uk
Fri Feb 24 08:58:25 UTC 2017


On 2017-02-23 21:40, Paul Wouters wrote:
> On Thu, 23 Feb 2017, Adam Tauno Williams wrote:
> 
>> I am attempting to setup an IPSec VPN with an openStack cloud provider 
>> [Catalyst].
>> 
>> I seem to get through Phase#1 [IKE] but no matter what I try in the 
>> config file I cannot get past Phase#2.
> 
> Usually that means a configuration mismatch in either the 
> esp=/phase2alg=
> options or in the left/rightsubnet or left/rightprotoport= options
> 
>> What are the options to debug what proposal would be viable?  
>> ASE256+SHA1 with PFS group14 *IS* what is configured on the remote 
>> cloud provider side.
> 
> Without seeing logs of the other side, that's hard to tell. Especially
> since you are not even getting an answer instead of receiving some 
> error
> like NO_PROPOSAL_CHOSEN.
> 
>> 004 "mytunnel" #16: STATE_MAIN_I4: ISAKMP SA established 
>> {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
> 
> So ike= line is good and you authenticated. So it is now all about the
> IPsec SA options.
> 
>> 031 "mytunnel" #17: max number of retransmissions (8) reached 
>> STATE_QUICK_I1. No acceptable response to our first Quick Mode 
>> message: perhaps peer likes no proposal
> 
>> 
>> [root at ipsec ~]# cat /etc/ipsec.d/catalyst.conf
>> config setup
>>    protostack=netkey
>> 
>> conn mysubnet
>>     also=mytunnel
>>     leftsubnet=172.31.50.0/24
>>     rightsubnet=172.31.7.0/24
>>     auto=start
>> 
>> conn mytunnel
>>    left=150.242.43.138
>>    right=216.120.174.230
>>    authby=secret
>>    pfs=yes
>>    phase2=esp
>>    phase2alg=aes256-sha1;modp2048
>>    nat_traversal=no
> 
> It could be that the remote does not allow the host-to-host
> configuration and only allows the subnet-to-subnet configuration,
> so you can try:
> 
> ipsec auto --delete mytunnel
> ipsec auto --add mysubnet
> ipsec auto --up mysubnet

A while back there used to be problems if you specified a modp in 
phase2alg. Is it worth reducing it to just aes256-sha1?

BTW, to me this does look like a subnet-to-subnet configuration because 
of conn subnet.

> 
> Paul
> ps. interesting to see: ignoring Vendor ID payload [Openswan(project)]
> which means they are running a very old openswan release (2.6.38 or so)
> from around the time of the libreswan split.
> pps. usually people dont change the default of not sending the Vendor 
> ID.
> 
> 
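As an added illustration (not a file from the original thread, and not the poster's or Paul's own config), here is how the two suggestions in this thread could be written in libreswan's ipsec.conf: carry the subnets on the one conn that is actually brought up, so that "ipsec auto --up" negotiates the subnet-to-subnet SA the peer expects, and try the ESP proposal both with and without an explicit DH group. Addresses and subnets are copied from the posted config; the conn name "catalyst" and the ike= line (added to pin what the log shows was negotiated) are my assumptions. The comment about PFS is my reading of the libreswan ipsec.conf manual, not something the thread states: with pfs=yes and no group in phase2alg=/esp=, libreswan reuses the IKE SA's DH group, which here is MODP2048, so the peer still sees PFS group 14.

```ini
# Added example, not the original poster's file.
config setup
    protostack=netkey

conn catalyst
    left=150.242.43.138
    leftsubnet=172.31.50.0/24
    right=216.120.174.230
    rightsubnet=172.31.7.0/24
    authby=secret
    # Assumed: matches the ISAKMP SA the log reports
    # (cipher=aes_256 integ=sha group=MODP2048).
    ike=aes256-sha1;modp2048
    pfs=yes
    # Variant A: explicit PFS group in the ESP proposal, as in the posted config.
    phase2alg=aes256-sha1;modp2048
    # Variant B (Nick's suggestion): drop the group. With pfs=yes libreswan
    # falls back to the IKE SA's DH group, still MODP2048 (group 14).
    # phase2alg=aes256-sha1
    auto=start
```

Paul's command sequence applies unchanged apart from the conn name (ipsec auto --delete mytunnel; ipsec auto --add catalyst; ipsec auto --up catalyst). After switching variants, re-run "ipsec auto --replace catalyst" before "--up" so pluto reloads the proposal, and check the pluto log for a NO_PROPOSAL_CHOSEN notification versus plain retransmits: the former means the peer saw and rejected the proposal, the latter means it never answered, which points at the selector (subnet/protoport) mismatch Paul describes rather than at the algorithms.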

