Replicated in both vyos and Amazon Linux using OpenNHRP - there's an off chance I'm doing something a little stupid, but I'm having issues connecting from a client behind a 1-1 NAT in the Amazon Cloud - to a DMVPN hub on a public IP (Cisco 1800).

Specifically the error is that the Cisco is rejecting the phase 2 negotiation:

*Jan 8 11:18:43.773 ACST: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jan 8 11:18:43.773 ACST: ISAKMP:(3076): IPSec policy invalidated proposal with error 32

Any ideas on how to fix this?

From the router:

*Jan 8 11:18:43.773 ACST: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 203.3.x.x, remote= 54.66.239.229,
    local_proxy= 203.3.x.x/255.255.255.255/47/0 (type=1),
    remote_proxy= 172.31.8.67/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= NONE (Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jan 8 11:18:43.773 ACST: map_db_find_best did not find matching map
*Jan 8 11:18:43.773 ACST: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jan 8 11:18:43.773 ACST: ISAKMP:(3076): IPSec policy invalidated proposal with error 32
*Jan 8 11:18:43.773 ACST: IPSEC(validate_proposal_request): proposal part #1
*Jan 8 11:18:43.773 ACST: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 203.3.x.x, remote= 54.66.239.229,
    local_proxy= 203.3.x.x/255.255.255.255/47/0 (type=1),
    remote_proxy= 172.31.8.67/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= NONE (Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jan 8 11:18:43.773 ACST: map_db_find_best did not find matching map
*Jan 8 11:18:43.773 ACST: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jan 8 11:18:43.773 ACST: ISAKMP:(3076): IPSec policy invalidated proposal with error 32
*Jan 8 11:18:43.773 ACST: ISAKMP:(3076): phase 2 SA policy not acceptable! (local 203.3.x.x remote 54.66.239.229)

From opennhrp:

Jan 8 04:17:27 ip-172-31-8-67 opennhrp[6760]: OpenNHRP 0.14.1 starting
Jan 8 04:17:27 ip-172-31-8-67 opennhrp[6760]: Interface lo: configured UP, mtu=0
Jan 8 04:17:27 ip-172-31-8-67 opennhrp[6760]: Interface eth0: configured UP, mtu=9001
Jan 8 04:17:27 ip-172-31-8-67 opennhrp[6760]: Interface gre0: config change, mtu=1476
Jan 8 04:17:27 ip-172-31-8-67 opennhrp[6760]: Interface gretap0: config change, mtu=1462
Jan 8 04:17:27 ip-172-31-8-67 opennhrp[6760]: Interface gre1: configured UP, mtu=8973
Jan 8 04:17:27 ip-172-31-8-67 opennhrp[6760]: Interface gre1: GRE configuration changed. Purged 1 peers.
Jan 8 04:17:27 ip-172-31-8-67 opennhrp[6760]: Filter code installed (20 opcodes)
Jan 8 04:17:32 ip-172-31-8-67 racoon: INFO: initiate new phase 2 negotiation: 172.31.8.67[500]<=>203.3.x.x[500]
Jan 8 04:17:32 ip-172-31-8-67 racoon: [203.3.x.x] ERROR: notification NO-PROPOSAL-CHOSEN received in informational exchange.
Jan 8 04:17:32 ip-172-31-8-67 racoon: [203.3.x.x] ERROR: error message: 'X '.
Jan 8 04:18:02 ip-172-31-8-67 racoon: INFO: IPsec-SA expired: ESP/Transport 203.3.x.x[500]->172.31.8.67[500] spi=121444521(0x73d18a9)
Jan 8 04:18:02 ip-172-31-8-67 racoon: WARNING: PF_KEY EXPIRE message received from kernel for SA being negotiated. Stopping negotiation.
Jan 8 04:18:02 ip-172-31-8-67 opennhrp[6760]: [192.168.201.1] Peer up script failed: exitstatus 1

[root@ip-172-31-8-67 ec2-user]# ip tunnel show
gre0: gre/ip remote any local any ttl 64 tos inherit
gre1: gre/ip remote 203.3.x.x local 172.31.8.67 dev eth0 ttl 64 key 0

[root@ip-172-31-8-67 ec2-user]# cat /etc/opennhrp/opennhrp.conf
interface gre1
    map 192.168.201.1/24 203.3.x.x register cisco-authentication secret
    shortcut
    redirect
    non-caching

interface lo
    shortcut-destination

[root@ip-172-31-8-67 ec2-user]# cat /etc/racoon/racoon.conf
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";

listen {
        adminsock "/var/racoon/racoon.sock" "root" "operator" 0660;
}

sainfo anonymous {
        pfs_group 2;
        lifetime time 24 hour ;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}

remote anonymous {
        exchange_mode main,aggressive;
        lifetime time 24 hour;
        # nat_traversal on;
        script "/etc/opennhrp/racoon-ph1down.sh" phase1_down;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

[root@ip-172-31-8-67 ec2-user]# uname -a
Linux ip-172-31-8-67 3.14.26-24.46.amzn1.x86_64 #1 SMP Wed Dec 10 10:02:43 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

[root@ip-172-31-8-67 ec2-user]# rpm -q ipsec-tools
ipsec-tools-0.8.0-5.16.amzn1.x86_64

Relevant parts of the Cisco config:

crypto isakmp policy 30
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key secret address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec profile cisco
 set security-association lifetime seconds 30000
 set transform-set strong
!
!
interface Tunnel0
 ip address 192.168.201.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication secret2
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp redirect
 ip tcp adjust-mss 1360
 no ip mroute-cache
 tunnel source Loopback10
 tunnel mode gre multipoint
 tunnel key 5000
 tunnel protection ipsec profile cisco
!

_______________________________________________
opennhrp-devel mailing list
opennhrp-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opennhrp-devel
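An added diagnostic, not from the original post or from OpenNHRP, that parses IOS IPSEC debug records like the ones quoted above and flags the condition they show: a transport-mode proposal whose remote_proxy identity (172.31.8.67, the spoke's private address) differs from the peer address the hub actually sees (54.66.239.229, the 1-1 NAT address). The sample capture is constructed from the post's output, with the hub's masked 203.3.x.x replaced by the documentation placeholder 203.0.113.1.

```python
import re

# Constructed sample modelled on the IOS debug quoted in the post (masked 203.3.x.x -> 203.0.113.1).
SAMPLE_DEBUG = """\
*Jan 8 11:18:43.773 ACST: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 203.0.113.1, remote= 54.66.239.229,
    local_proxy= 203.0.113.1/255.255.255.255/47/0 (type=1),
    remote_proxy= 172.31.8.67/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= NONE (Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jan 8 11:18:43.773 ACST: map_db_find_best did not find matching map
*Jan 8 11:18:43.773 ACST: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jan 8 11:18:43.773 ACST: ISAKMP:(3076): IPSec policy invalidated proposal with error 32
"""

FIELD = re.compile(r"(\w+)= ([^,\s]+)")       # e.g. "remote= 54.66.239.229,"
MODE = re.compile(r"\((Transport|Tunnel)\)")  # follows "transform= ..."
KEYS = ("local", "remote", "local_proxy", "remote_proxy")

def parse_proposals(debug_text):
    """Return one dict of fields per '(key eng. msg.)' record in IOS IPSEC debug output."""
    records = []
    for chunk in re.split(r"(?=\(key eng\. msg\.\))", debug_text)[1:]:
        body = re.split(r"\n\*", chunk, maxsplit=1)[0]  # record ends at the next timestamped line
        fields = dict(FIELD.findall(body))
        mode = MODE.search(body)
        fields["mode"] = mode.group(1) if mode else "unknown"
        records.append(fields)
    return records

def proxy_id_findings(records):
    """Flag transport-mode proposals whose proxy identities differ from the peer addresses.
    In transport mode the phase 2 identities are the endpoints themselves, so a spoke behind
    a 1-1 NAT that identifies with its private address shows up as exactly this mismatch."""
    findings = []
    for r in records:
        if r.get("mode") != "Transport" or not all(k in r for k in KEYS):
            continue
        remote_id = r["remote_proxy"].split("/")[0]  # drop mask/protocol/port suffix
        local_id = r["local_proxy"].split("/")[0]
        if remote_id != r["remote"]:
            findings.append(f"remote_proxy {remote_id} != remote peer {r['remote']}")
        if local_id != r["local"]:
            findings.append(f"local_proxy {local_id} != local address {r['local']}")
    return findings

def diagnose(debug_text):
    """Summarise a capture: proposals seen, IOS 'proxy identities' rejections, mismatches."""
    records = parse_proposals(debug_text)
    return {"proposals": len(records), "findings": proxy_id_findings(records),
            "rejections": debug_text.count("proxy identities not supported")}
```

Feed it the output of a `debug crypto ipsec` capture from the hub; an empty findings list with non-zero rejections means the refusal is coming from something other than the identities themselves.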