<div dir="ltr"><div>Thanks for your suggestions Paul!</div><div><br></div>The bottom suggestion:<div><span style="font-size:12.8000001907349px"><br></span></div><div><span style="font-size:12.8000001907349px"> ikev2=insist</span><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px"> ike=aes_gcm128-sha2</span><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px"> esp=aes_gcm128-null</span><br><div><br></div><div>got me to a different message:</div></div><div><br></div><div>sending unencrypted notification v2N_NO_PROPOSAL_CHOSEN to y.y.y.y:500<br></div><div>initial parent SA message received on x.x.x.x:500 but no connection has been authorized with policy=IKEV2_ALLOW<br></div><div><br></div><div>Changing the last line to <span style="font-size:12.8000001907349px">esp=aes_gcm128-sha1 results in the same log message.</span></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Aug 27, 2015 at 6:34 AM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Wed, 26 Aug 2015, Patrick Bakker wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I'm trying to setup a VPN between RHEL7 and Google Cloud VPN. I keep getting this cryptic error:<br>
<br>
"google-tunnel" #6: ignored CCM/GCM ESP proposal 1: integrity transform must be IKEv2_AUTH_NONE or absent<br>
ikev2_parent_inI2outR2_tail returned STF_FAIL with v2N_NO_PROPOSAL_CHOSEN"<br>
</blockquote>
<br></span>
It seems they are proposing AES_GCM which is an AEAD ciper, meaning that<br>
it should not use an integrity algorithm. In libreswan configuration<br>
terms this means:<br>
<br>
esp=aes_gcm128-null<br>
<br>
what they seem to be doing (without seeing the debug logs) look like:<br>
<br>
esp=aes_gcm128-sha1<span class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
This is with a barebones configuration like:<br>
conn google-tunnel<br>
authby=secret<br>
auto=start<br>
type=tunnel<br>
left=x.x.x.x<br>
leftid=x.x.x.x<br>
leftsourceip=x.x.x.x<br>
leftsubnet=x.x.x.x/24<br>
right=y.y.y.y<br>
rightsubnet=y.y.y.y/16<br>
rightsourceip=y.y.y.y<br>
<br>
As well as if I try to force some algorithm like:<br>
ike=aes-sha1<br>
ikev2=insist<br>
phase2=esp<br>
phase2alg=aes_gcm_c-128-null<br>
</blockquote>
<br></span>
What happens if you insist on not using GCM? eg<br>
<br>
esp=aes128-sha2<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Anybody have any ideas?<br>
</blockquote>
<br>
It seems like a bug in their implementation. You can try and use<br>
IKEv2 to see if that works around the bug:<br>
<br>
ikev2=insist<br>
<br>
When using IKEv2, you can also use aes_gcm for ike with libreswan, so<br>
then you can also try:<br>
<br>
ikev2=insist<br>
ike=aes_gcm128-sha2<br>
esp=aes_gcm128-null<br>
<br>
Note that here the "sha2" on the ike line means the prf, not the<br>
auth/integ algorithm.<br>
<br>
If any of these hints help, please let me know so we can contact<br>
google and write up a FAQ/interop issue on this.<span class="HOEnZb"><font color="#888888"><br>
<br>
Paul<br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">Patrick Bakker<br><i>IT Manager</i><div><span>Van Belle Nursery | </span><a href="http://www.vanbelle.com/" target="_blank">vanbelle.com</a><br><span>T: </span><a value="+18888262355">1-888-826-2355</a><span> | F: </span><a value="+16048536282">604-853-6282</a><br><br><div>Find us on <a href="http://facebook.com/vanbellenursery" style="color:rgb(17,85,204)" target="_blank">Facebook</a> • <a href="http://twitter.com/vanbellenursery" style="color:rgb(17,85,204)" target="_blank">Twitter</a> • <a href="http://gplus.to/vanbellenursery" style="color:rgb(17,85,204)" target="_blank">Google+</a></div></div></div></div>
</div>