[Swan] newb confusion

Brendan Kearney bpk678 at gmail.com
Sun Mar 12 15:53:12 UTC 2017


list members,

I am looking to set up IPsec and have read a lot about what I am trying 
to do, but still come up short.  Ultimately, I would like to have 
site-to-site tunnels along with road warrior tunnels.  I am not sure if 
this config will run on a single libreswan instance, but have not found 
anything indicating it will not work.  Can this be confirmed as 
something that will work?

I have an Android device (running 4.4.2 KitKat), and libreswan 3.13.1 on 
Fedora 20 (soon to be updated), and cannot get a road warrior config 
working.  I have NAT-T set up, and there does not seem to be any issue 
with getting the traffic to the IPsec instance.  It seems that I cannot 
get tunnel parameters agreed upon, and phase 1 never completes.  With 
the below in "android.conf", I attempt to connect from my Android device:

conn android
     #ikev2=insist
     left=0.0.0.0
     leftprotoport=17/%any
     right=192.168.184.1
     rightprotoport=17/1701
     authby=secret
     pfs=no
     # use auto=start when done testing the tunnel
     auto=add

In my logs, I see the entries below:

"android"[10] 192.168.24.133 #10: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
"android"[10] 192.168.24.133 #10: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_256 integ=sha1_96 prf=sha group=MODP1024}
"android"[10] 192.168.24.133 #10: new NAT mapping for #10, was 192.168.24.133:500, now 192.168.24.133:60500
"android"[10] 192.168.24.133 #10: new NAT mapping for #10, was 192.168.24.133:60500, now 192.168.24.133:64500
"android"[10] 192.168.24.133 #10: IKEv2 mode peer ID is ID_USER_FQDN: 'brendan at bpk2.com' | CHILD SA proposals received | ikev2_parent_inI2outR2_tail returned STF_FAIL with v2N_NO_PROPOSAL_CHOSEN
"android"[10] 192.168.24.133 #10: sending unencrypted notification v2N_NO_PROPOSAL_CHOSEN to 192.168.24.133:64500
packet from 192.168.24.133:64500: sending unencrypted notification v2N_INVALID_MESSAGE_ID to 192.168.24.133:64500
packet from 192.168.24.133:64500: sending unencrypted notification v2N_INVALID_MESSAGE_ID to 192.168.24.133:64500
packet from 192.168.24.133:64500: sending unencrypted notification v2N_INVALID_MESSAGE_ID to 192.168.24.133:64500

I think the age of my Android client could be a contributing factor, but 
don't know how to tell what is going wrong.  Do I need to specify 
different or older keys?  Any help would be appreciated.

thanks in advance,

brendan
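As an added example (not code from the post or from libreswan), a small Python parser over the log entries quoted above, with the mail-wrapped lines re-joined: it extracts the state transitions, the IKE SA parameters agreed in IKE_SA_INIT, the NAT mapping changes, the failing handler and the notifications, and reports at which stage the log shows the exchange stopping.

```python
import re

# Constructed sample: the libreswan log entries quoted in the post above,
# with the mail-wrapped lines re-joined. Not a live capture.
SAMPLE_LOG = """\
"android"[10] 192.168.24.133 #10: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
"android"[10] 192.168.24.133 #10: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_256 integ=sha1_96 prf=sha group=MODP1024}
"android"[10] 192.168.24.133 #10: new NAT mapping for #10, was 192.168.24.133:500, now 192.168.24.133:60500
"android"[10] 192.168.24.133 #10: new NAT mapping for #10, was 192.168.24.133:60500, now 192.168.24.133:64500
"android"[10] 192.168.24.133 #10: IKEv2 mode peer ID is ID_USER_FQDN: 'brendan at bpk2.com' | CHILD SA proposals received | ikev2_parent_inI2outR2_tail returned STF_FAIL with v2N_NO_PROPOSAL_CHOSEN
"android"[10] 192.168.24.133 #10: sending unencrypted notification v2N_NO_PROPOSAL_CHOSEN to 192.168.24.133:64500
packet from 192.168.24.133:64500: sending unencrypted notification v2N_INVALID_MESSAGE_ID to 192.168.24.133:64500
"""

# Patterns for the message shapes that appear in the sample.
STATE_RE = re.compile(r"transition from state (\S+) to state (\S+)")
IKE_SA_RE = re.compile(r"\{auth=(\S+) cipher=(\S+) integ=(\S+) prf=(\S+) group=(\S+)\}")
NAT_RE = re.compile(r"new NAT mapping for #\d+, was (\S+), now (\S+)")
FAIL_RE = re.compile(r"(\w+) returned STF_FAIL with (v2N_\w+)")
NOTIFY_RE = re.compile(r"sending unencrypted notification (v2N_\w+) to (\S+)")

def analyze(log_text):
    """Collect state transitions, IKE SA parameters, NAT mapping changes,
    the failing handler and the notifications sent in one exchange."""
    s = {"states": [], "ike_sa": None, "nat_mappings": [], "failure": None, "notifies": []}
    for line in log_text.splitlines():
        if m := STATE_RE.search(line):
            s["states"].append(m.group(2))
        if m := IKE_SA_RE.search(line):
            s["ike_sa"] = dict(zip(("auth", "cipher", "integ", "prf", "group"), m.groups()))
        if m := NAT_RE.search(line):
            s["nat_mappings"].append((m.group(1), m.group(2)))
        if m := FAIL_RE.search(line):
            s["failure"] = {"handler": m.group(1), "notify": m.group(2)}
        if m := NOTIFY_RE.search(line):
            s["notifies"].append(m.group(1))
    return s

def diagnose(s):
    """Name the negotiation stage at which the logged exchange stopped."""
    if "STATE_PARENT_R1" not in s["states"]:
        return "IKE_SA_INIT never completed: no IKE SA parameters were agreed"
    if s["failure"] and s["failure"]["notify"] == "v2N_NO_PROPOSAL_CHOSEN":
        return ("IKE_SA_INIT completed (IKE SA agreed); the CHILD SA proposal was "
                "rejected in IKE_AUTH: compare the ESP algorithms and the "
                "protoport selectors offered by both peers")
    if s["failure"]:
        return "IKE_AUTH failed with " + s["failure"]["notify"]
    return "exchange completed without a recorded failure"
```

Run `diagnose(analyze(SAMPLE_LOG))` to get the one-line verdict; the same functions work on a real `pluto` log once the lines are unwrapped.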
