I am attempting to set up an IPsec VPN with an OpenStack cloud provider [Catalyst].

I seem to get through Phase#1 [IKE] but no matter what I try in the config file I cannot get past Phase#2.

What are my options for debugging which Phase 2 proposal the remote side would accept? AES256+SHA1 with PFS group14 *IS* what is configured on the remote cloud provider side.

[root@ipsec ~]# ipsec auto --add mytunnel
002 added connection description "mytunnel"
[root@ipsec ~]# ipsec auto --up mytunnel
002 "mytunnel" #16: initiating Main Mode
104 "mytunnel" #16: STATE_MAIN_I1: initiate
003 "mytunnel" #16: ignoring Vendor ID payload [Openswan(project)]
003 "mytunnel" #16: received Vendor ID payload [Dead Peer Detection]
003 "mytunnel" #16: received Vendor ID payload [RFC 3947]
002 "mytunnel" #16: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
002 "mytunnel" #16: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "mytunnel" #16: STATE_MAIN_I2: sent MI2, expecting MR2
003 "mytunnel" #16: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
002 "mytunnel" #16: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "mytunnel" #16: STATE_MAIN_I3: sent MI3, expecting MR3
002 "mytunnel" #16: Main mode peer ID is ID_IPV4_ADDR: '150.242.43.138'
002 "mytunnel" #16: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "mytunnel" #16: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
002 "mytunnel" #17: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#16 msgid:f8ee3322 proposal=AES(12)_256-SHA1(2)_000 pfsgroup=OAKLEY_GROUP_MODP2048}
117 "mytunnel" #17: STATE_QUICK_I1: initiate
010 "mytunnel" #17: STATE_QUICK_I1: retransmission; will wait 500ms for response
010 "mytunnel" #17: STATE_QUICK_I1: retransmission; will wait 1000ms for response
010 "mytunnel" #17: STATE_QUICK_I1: retransmission; will wait 2000ms for response
010 "mytunnel" #17: STATE_QUICK_I1: retransmission; will wait 4000ms for response
010 "mytunnel" #17: STATE_QUICK_I1: retransmission; will wait 8000ms for response
010 "mytunnel" #17: STATE_QUICK_I1: retransmission; will wait 16000ms for response
010 "mytunnel" #17: STATE_QUICK_I1: retransmission; will wait 32000ms for response
031 "mytunnel" #17: max number of retransmissions (8) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
002 "mytunnel" #17: deleting state #17 (STATE_QUICK_I1)

[root@ipsec ~]# cat /etc/ipsec.d/catalyst.conf
# /etc/ipsec.d/catalyst.conf as posted. Reviewer notes below are derived from
# the `ipsec auto --up mytunnel` log shown above this file.
config setup
    protostack=netkey

# Child connection: inherits peers/auth/proposal from mytunnel and adds the
# two subnets that should be carried by the tunnel.
# NOTE(review): the log above brings up `mytunnel`, not `mysubnet`, and
# mytunnel has no leftsubnet/rightsubnet, so the Quick Mode that timed out
# proposed a host-to-host SA rather than these subnets. If the provider side is
# configured for 172.31.50.0/24 <-> 172.31.7.0/24, that mismatch alone can
# produce "perhaps peer likes no proposal" — try `ipsec auto --up mysubnet`.
conn mysubnet
     also=mytunnel
     leftsubnet=172.31.50.0/24
     rightsubnet=172.31.7.0/24
     auto=start

# Parent connection: peer addresses, authentication and the Phase 2 proposal.
conn mytunnel
    # NOTE(review): the log reports "Main mode peer ID is ID_IPV4_ADDR:
    # '150.242.43.138'", i.e. the address given here as `left` is the remote
    # peer. Presumably libreswan oriented the connection by which address is
    # local, which is why Phase 1 still succeeded — but then `leftsubnet` in
    # mysubnet belongs to the provider's end. Confirm that 172.31.50.0/24 is the
    # provider's subnet and 172.31.7.0/24 the local one; otherwise swap them.
    left=150.242.43.138
    right=216.120.174.230
    # Pre-shared key (log shows auth=PRESHARED_KEY for the ISAKMP SA).
    authby=secret
    pfs=yes
    phase2=esp
    # AES-256 / HMAC-SHA1 with PFS DH group 14 (modp2048); this is what the log
    # shows being proposed: AES(12)_256-SHA1(2)_000 pfsgroup=OAKLEY_GROUP_MODP2048.
    phase2alg=aes256-sha1;modp2048
    # NOTE(review): despite this setting the log says "enabling possible
    # NAT-traversal with method RFC 3947". nat_traversal is a `config setup`
    # keyword in openswan and appears to be ignored inside a conn section here;
    # the log also reports "no NAT detected", so it is unlikely to be the cause.
    nat_traversal=no

