[Swan] newb confusion
Brendan Kearney
bpk678 at gmail.com
Sun Mar 12 15:53:12 UTC 2017
List members,
I am looking to set up IPsec and have read a lot about what I am trying
to do, but still come up short. Ultimately, I would like to have
site-to-site tunnels along with road warrior tunnels. I am not sure if
this config will run on a single libreswan instance, but have not found
anything indicating it will not work. Can this be confirmed as
something that will work?
I have an Android device (running 4.4.2 KitKat), and libreswan 3.13.1 on
Fedora 20 (soon to be updated), and cannot get a road warrior config
working. I have NAT-T set up, and there does not seem to be any issue
with getting the traffic to the IPsec instance. It seems that I cannot
get tunnel parameters agreed upon, and phase 1 never completes. With
the below in "android.conf", I attempt to connect from my Android device:
conn android
#ikev2=insist
left=0.0.0.0
leftprotoport=17/%any
right=192.168.184.1
rightprotoport=17/1701
authby=secret
pfs=no
# use auto=start when done testing the tunnel
auto=add
In my logs, I see the below entries:
"android"[10] 192.168.24.133 #10: transition from state
STATE_IKEv2_START to state STATE_PARENT_R1
"android"[10] 192.168.24.133 #10: STATE_PARENT_R1: received v2I1, sent
v2R1 {auth=IKEv2 cipher=aes_256 integ=sha1_96 prf=sha group=MODP1024}
"android"[10] 192.168.24.133 #10: new NAT mapping for #10, was
192.168.24.133:500, now 192.168.24.133:60500
"android"[10] 192.168.24.133 #10: new NAT mapping for #10, was
192.168.24.133:60500, now 192.168.24.133:64500
"android"[10] 192.168.24.133 #10: IKEv2 mode peer ID is ID_USER_FQDN:
'brendan at bpk2.com' | CHILD SA proposals received |
ikev2_parent_inI2outR2_tail returned STF_FAIL with v2N_NO_PROPOSAL_CHOSEN
"android"[10] 192.168.24.133 #10: sending unencrypted notification
v2N_NO_PROPOSAL_CHOSEN to 192.168.24.133:64500
packet from 192.168.24.133:64500: sending unencrypted notification
v2N_INVALID_MESSAGE_ID to 192.168.24.133:64500
packet from 192.168.24.133:64500: sending unencrypted notification
v2N_INVALID_MESSAGE_ID to 192.168.24.133:64500
packet from 192.168.24.133:64500: sending unencrypted notification
v2N_INVALID_MESSAGE_ID to 192.168.24.133:64500
I think the age of my Android client could be a contributing factor, but
don't know how to tell what is going wrong. Do I need to specify
different or older keys? Any help would be appreciated.
Thanks in advance,
Brendan
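An added example, not part of the post above and not libreswan's own code: a small Python triage script that parses pluto log lines of the shape shown in the post and reports where the negotiation stopped. It assumes the line layout quoted above ("conn"[instance] peer #sa: message, and "packet from ..." lines); the sample input is the post's own log entries, rejoined where the mail client wrapped them, which is a constructed reproduction rather than a live log.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the log entries quoted in the post, one entry per line.
SAMPLE_LOG = """\
"android"[10] 192.168.24.133 #10: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
"android"[10] 192.168.24.133 #10: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_256 integ=sha1_96 prf=sha group=MODP1024}
"android"[10] 192.168.24.133 #10: new NAT mapping for #10, was 192.168.24.133:500, now 192.168.24.133:60500
"android"[10] 192.168.24.133 #10: new NAT mapping for #10, was 192.168.24.133:60500, now 192.168.24.133:64500
"android"[10] 192.168.24.133 #10: IKEv2 mode peer ID is ID_USER_FQDN: 'brendan at bpk2.com'
"android"[10] 192.168.24.133 #10: CHILD SA proposals received
"android"[10] 192.168.24.133 #10: ikev2_parent_inI2outR2_tail returned STF_FAIL with v2N_NO_PROPOSAL_CHOSEN
"android"[10] 192.168.24.133 #10: sending unencrypted notification v2N_NO_PROPOSAL_CHOSEN to 192.168.24.133:64500
packet from 192.168.24.133:64500: sending unencrypted notification v2N_INVALID_MESSAGE_ID to 192.168.24.133:64500
packet from 192.168.24.133:64500: sending unencrypted notification v2N_INVALID_MESSAGE_ID to 192.168.24.133:64500
packet from 192.168.24.133:64500: sending unencrypted notification v2N_INVALID_MESSAGE_ID to 192.168.24.133:64500
"""

# Line shapes assumed from the post; pluto's exact wording may differ across versions.
CONN_LINE = re.compile(r'^"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')
PACKET_LINE = re.compile(r'^packet from (?P<src>\S+): (?P<msg>.*)$')
TRANSITION = re.compile(r'transition from state (\S+) to state (\S+)')
PROPOSAL = re.compile(r'\{([^}]*)\}')            # "{auth=IKEv2 cipher=... group=...}"
NAT_MAP = re.compile(r'new NAT mapping for #\d+, was (\S+), now (\S+)')
NOTIFY = re.compile(r'sending unencrypted notification (\S+) to (\S+)')
PEER_ID = re.compile(r"peer ID is (\S+): '([^']*)'")
STF_FAIL = re.compile(r'returned STF_FAIL with (\S+)')


@dataclass
class SaTrace:
    conn: str
    peer: str
    states: list = field(default_factory=list)
    ike_sa: dict = field(default_factory=dict)      # parameters the responder chose in v2R1
    nat_mappings: list = field(default_factory=list)
    peer_id: Optional[tuple] = None
    child_proposals_seen: bool = False
    failure: Optional[str] = None                   # notify type from an STF_FAIL line
    notifications: list = field(default_factory=list)


def parse_log(text):
    """Return ({sa_number: SaTrace}, [(src, notify_type) for SA-less packet lines])."""
    traces, orphan_notifies = {}, []
    for line in text.splitlines():
        m = CONN_LINE.match(line)
        if m:
            t = traces.setdefault(int(m['sa']), SaTrace(m['conn'], m['peer']))
            msg = m['msg']
            if (tr := TRANSITION.search(msg)):
                if not t.states:
                    t.states.append(tr.group(1))
                t.states.append(tr.group(2))
            if (p := PROPOSAL.search(msg)):
                t.ike_sa = dict(kv.split('=', 1) for kv in p.group(1).split())
            if (n := NAT_MAP.search(msg)):
                t.nat_mappings.append((n.group(1), n.group(2)))
            if (pid := PEER_ID.search(msg)):
                t.peer_id = (pid.group(1), pid.group(2))
            if 'CHILD SA proposals received' in msg:
                t.child_proposals_seen = True
            if (f := STF_FAIL.search(msg)):
                t.failure = f.group(1)
            if (nt := NOTIFY.search(msg)):
                t.notifications.append((nt.group(1), nt.group(2)))
            continue
        m = PACKET_LINE.match(line)
        if m and (nt := NOTIFY.search(m['msg'])):
            orphan_notifies.append((m['src'], nt.group(1)))
    return traces, orphan_notifies


def triage(t):
    """Say where the exchange stopped, using only what the log lines state."""
    if not t.ike_sa:
        return "no IKE_SA_INIT response recorded: no IKE SA proposal was agreed"
    if t.failure == 'v2N_NO_PROPOSAL_CHOSEN' and t.child_proposals_seen:
        return ("IKE_SA_INIT completed (responder chose %s); v2N_NO_PROPOSAL_CHOSEN "
                "was returned after the CHILD SA proposals arrived, so the rejected "
                "proposal is the CHILD SA one, not the IKE SA ciphers" % t.ike_sa)
    if t.failure:
        return "failed after IKE_SA_INIT with %s" % t.failure
    return "no failure recorded"


def nat_ports_seen(t):
    """Source ports the peer was observed on, in order (NAT mapping churn)."""
    ports = [t.nat_mappings[0][0]] if t.nat_mappings else []
    ports += [new for _, new in t.nat_mappings]
    return [p.rsplit(':', 1)[1] for p in ports]


if __name__ == '__main__':
    traces, orphans = parse_log(SAMPLE_LOG)
    for sa, t in traces.items():
        print('#%d %s/%s states=%s peer_id=%s' % (sa, t.conn, t.peer, t.states, t.peer_id))
        print('  NAT ports:', nat_ports_seen(t))
        print('  ', triage(t))
    print('SA-less notifications:', len(orphans))
```

Run on the sample, the script separates what the log already confirms (the responder answered IKE_SA_INIT with a chosen cipher suite, so the initial proposal did match) from where it stopped (NO_PROPOSAL_CHOSEN right after the CHILD SA proposals), and lists the NAT port changes and the trailing INVALID_MESSAGE_ID replies so they are not mistaken for the root cause.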