On Wed, 26 Aug 2015, Patrick Bakker wrote:
I'm trying to setup a VPN between RHEL7 and Google Cloud VPN. I keep getting
this cryptic error:
"google-tunnel" #6: ignored CCM/GCM ESP proposal 1: integrity transform must be
IKEv2_AUTH_NONE or absent
ikev2_parent_inI2outR2_tail returned STF_FAIL with v2N_NO_PROPOSAL_CHOSEN"
It seems they are proposing AES_GCM which is an AEAD cipher, meaning that
it should not use an integrity algorithm. In libreswan configuration
terms this means:
esp=aes_gcm128-null
What they seem to be doing (without seeing the debug logs) looks like:
esp=aes_gcm128-sha1
This is with a barebones configuration like:
conn google-tunnel
    authby=secret
    auto=start
    type=tunnel
    left=x.x.x.x
    leftid=x.x.x.x
    leftsourceip=x.x.x.x
    leftsubnet=x.x.x.x/24
    right=y.y.y.y
    rightsubnet=y.y.y.y/16
    rightsourceip=y.y.y.y
As well as if I try to force some algorithm like:
    ike=aes-sha1
    ikev2=insist
    phase2=esp
    phase2alg=aes_gcm_c-128-null
What happens if you insist on not using GCM? eg
esp=aes128-sha2
Anybody have any ideas?
It seems like a bug in their implementation. You can try and use
IKEv2 to see if that works around the bug:
ikev2=insist
When using IKEv2, you can also use aes_gcm for ike with libreswan, so
then you can also try:
ikev2=insist
ike=aes_gcm128-sha2
esp=aes_gcm128-null
Note that here the "sha2" on the ike line means the prf, not the
auth/integ algorithm.
If any of these hints help, please let me know so we can contact
google and write up a FAQ/interop issue on this.
Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
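As an added illustration, not part of the thread and not libreswan's own code: a small Python checker that turns libreswan-style esp=/ike= proposal strings into IKEv2 transform lists and applies the rule behind Patrick's error (an AEAD ESP proposal must carry INTEG = NONE or no INTEG transform at all, RFC 7296 section 3.3.3 / RFC 5282), while treating the hash on an AEAD ike= line as the PRF only, as Paul explains. The keyword-to-IANA-name tables, the reading of a bare "sha2" as sha2_256 and of a bare "aes_gcm" as the 16-byte-ICV variant, the default PRF, and the refusal of encryption-only ESP are this example's own assumptions, not libreswan behaviour.

```python
"""Model IKEv2 SA proposals from libreswan-style esp=/ike= strings and apply
the AEAD/integrity rule.  Illustrative code, not libreswan's parser; the
alias tables and defaults below are assumptions for this example."""
import re

# Transform types, RFC 7296 section 3.3.2.
ENCR, PRF, INTEG, DH = 1, 2, 3, 4

# libreswan cipher keyword -> IKEv2 ENCR transform name (IANA registry names).
# Bare aes_gcm/aes_ccm are assumed here to mean the 16-byte-ICV variant.
ENCR_NAMES = {
    "aes": "ENCR_AES_CBC", "aes_ctr": "ENCR_AES_CTR", "3des": "ENCR_3DES",
    "null": "ENCR_NULL",
    "aes_gcm": "ENCR_AES_GCM_16", "aes_gcm_a": "ENCR_AES_GCM_8",
    "aes_gcm_b": "ENCR_AES_GCM_12", "aes_gcm_c": "ENCR_AES_GCM_16",
    "aes_ccm": "ENCR_AES_CCM_16", "aes_ccm_a": "ENCR_AES_CCM_8",
    "aes_ccm_b": "ENCR_AES_CCM_12", "aes_ccm_c": "ENCR_AES_CCM_16",
    "chacha20_poly1305": "ENCR_CHACHA20_POLY1305",
}
# Combined-mode (AEAD) ciphers: INTEG must be NONE or absent alongside them.
AEAD = {n for n in ENCR_NAMES.values()
        if "GCM" in n or "CCM" in n or "POLY1305" in n}
# Hash keyword -> (INTEG name, PRF name).  "sha2" assumed to mean sha2_256.
HASHES = {
    "md5": ("AUTH_HMAC_MD5_96", "PRF_HMAC_MD5"),
    "sha1": ("AUTH_HMAC_SHA1_96", "PRF_HMAC_SHA1"),
    "sha2": ("AUTH_HMAC_SHA2_256_128", "PRF_HMAC_SHA2_256"),
    "sha2_256": ("AUTH_HMAC_SHA2_256_128", "PRF_HMAC_SHA2_256"),
    "sha2_384": ("AUTH_HMAC_SHA2_384_192", "PRF_HMAC_SHA2_384"),
    "sha2_512": ("AUTH_HMAC_SHA2_512_256", "PRF_HMAC_SHA2_512"),
}

def _cipher(token):
    """'aes_gcm128' -> ('aes_gcm', 128); 'aes_gcm_c' -> ('aes_gcm_c', None)."""
    if token in ENCR_NAMES:
        return token, None
    m = re.fullmatch(r"(.*?[a-z_])(\d+)", token)
    if not m or m.group(1) not in ENCR_NAMES:
        raise ValueError(f"unknown cipher keyword {token!r}")
    return m.group(1), int(m.group(2))

def parse_proposal(spec, proto):
    """One proposal 'CIPHER[KEYLEN]-HASH[;DH]' -> list of (type, name, keylen)."""
    algs, _, dh = spec.strip().lower().partition(";")
    tokens = algs.split("-")
    cipher, keylen = _cipher(tokens.pop(0))
    if tokens and tokens[0].isdigit():          # 'aes_gcm_c-128-null' form
        keylen = int(tokens.pop(0))
    encr = ENCR_NAMES[cipher]
    transforms = [(ENCR, encr, keylen)]
    hash_tok = tokens.pop(0) if tokens else None
    if proto == "esp":
        if hash_tok == "null":                  # explicit INTEG = NONE
            transforms.append((INTEG, "NONE", None))
        elif hash_tok is not None:
            if hash_tok not in HASHES:
                raise ValueError(f"unknown hash {hash_tok!r}")
            transforms.append((INTEG, HASHES[hash_tok][0], None))
        # no hash at all: the INTEG transform is simply absent
    elif proto == "ike":
        # On the ike= line the hash always names the PRF; it additionally
        # names INTEG only when the cipher is not AEAD (default PRF assumed).
        key = hash_tok or "sha2"
        if key not in HASHES:
            raise ValueError(f"unknown hash {key!r} on ike line")
        integ, prf = HASHES[key]
        transforms.append((PRF, prf, None))
        if encr not in AEAD:
            transforms.append((INTEG, integ, None))
    else:
        raise ValueError(f"unknown protocol {proto!r}")
    if dh:
        transforms.append((DH, dh, None))
    return transforms

def check_proposal(transforms, proto):
    """(ok, reason) for one parsed proposal."""
    encr = next(t for t in transforms if t[0] == ENCR)[1]
    integ = [t[1] for t in transforms if t[0] == INTEG]
    if encr in AEAD:
        if integ and integ[0] != "NONE":
            return False, (f"ignored CCM/GCM {proto.upper()} proposal: integrity "
                           f"transform must be NONE or absent (got {integ[0]})")
        return True, "ok: AEAD cipher, no separate integrity"
    if not integ or integ[0] == "NONE":
        if proto == "ike":
            return False, "non-AEAD IKE proposal needs INTEG (RFC 7296 3.3.3)"
        return False, "encryption-only ESP refused (policy of this checker)"
    return True, "ok"

def check_spec(spec, proto):
    """Check a whole esp=/ike= value (comma-separated proposals)."""
    return [(p.strip(), *check_proposal(parse_proposal(p, proto), proto))
            for p in spec.split(",")]

if __name__ == "__main__":
    # Constructed sample: what Google appears to send, and the thread's fixes.
    for proto, spec in [("esp", "aes_gcm128-sha1"), ("esp", "aes_gcm128-null"),
                        ("esp", "aes_gcm_c-128-null"), ("esp", "aes128-sha2"),
                        ("ike", "aes_gcm128-sha2"), ("ike", "aes-sha1")]:
        for prop, ok, why in check_spec(spec, proto):
            print(f"{proto}={prop:<20} {'OK ' if ok else 'REJ'} {why}")
        print("    transforms:", parse_proposal(spec, proto))
```

Running it prints a verdict and the transform list for each proposal: esp=aes_gcm128-sha1 is rejected with the same reason libreswan logged, esp=aes_gcm128-null and esp=aes_gcm_c-128-null are accepted with INTEG = NONE, and ike=aes_gcm128-sha2 yields ENCR_AES_GCM_16 plus PRF_HMAC_SHA2_256 with no INTEG transform, which is what "sha2 means the prf" amounts to on the wire.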