On Thu, 23 Feb 2017, Adam Tauno Williams wrote:
> I am attempting to setup an IPSec VPN with an openStack cloud provider
> [Catalyst].
> I seem to get through Phase#1 [IKE] but no matter what I try in the config
> file I cannot get past Phase#2.
Usually that means a configuration mismatch in either the esp=/phase2alg=
options or in the left/rightsubnet or left/rightprotoport= options
> What are the options to debug what proposal would be viable? AES256+SHA1
> with PFS group14 *IS* what is configured on the remote cloud provider side.
Without seeing logs of the other side, that's hard to tell. Especially
since you are not even getting an answer instead of receiving some error
like NO_PROPOSAL_CHOSEN.
> 004 "mytunnel" #16: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY
> cipher=aes_256 integ=sha group=MODP2048}
So ike= line is good and you authenticated. So it is now all about the
IPsec SA options.
> 031 "mytunnel" #17: max number of retransmissions (8) reached STATE_QUICK_I1.
> No acceptable response to our first Quick Mode message: perhaps peer likes no
> proposal
>
> [root@ipsec ~]# cat /etc/ipsec.d/catalyst.conf
> config setup
>     protostack=netkey
>
> conn mysubnet
>     also=mytunnel
>     leftsubnet=172.31.50.0/24
>     rightsubnet=172.31.7.0/24
>     auto=start
>
> conn mytunnel
>     left=150.242.43.138
>     right=216.120.174.230
>     authby=secret
>     pfs=yes
>     phase2=esp
>     phase2alg=aes256-sha1;modp2048
>     nat_traversal=no
It could be that the remote does not allow the host-to-host
configuration and only allows the subnet-to-subnet configuration,
so you can try:
ipsec auto --delete mytunnel
ipsec auto --add mysubnet
ipsec auto --up mysubnet
Paul
ps. interesting to see: ignoring Vendor ID payload [Openswan(project)]
which means they are running a very old openswan release (2.6.38 or so)
from around the time of the libreswan split.
pps. usually people don't change the default of not sending the Vendor ID.
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
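The reasoning in Paul's reply (Phase 1 is done, the Quick Mode request simply times out with no NO_PROPOSAL_CHOSEN, and "mytunnel" is a host-to-host conn that "mysubnet" only extends via also=) can be mechanised. The following script is an added example and is not code from the thread or from the Libreswan project: it parses a small ipsec.conf fragment, resolves also= inheritance, and classifies the pluto lines quoted above to say which phase failed and which conn to try next. The config and log samples are constructed copies of what was posted; the precedence rule that a conn's own settings win over those pulled in by also=, and the regexes, are my assumptions, not Libreswan's own parser.

```python
"""Added example (not from the thread): resolve a Libreswan conn's effective
settings through also= and read pluto log lines to tell a Phase 1 (IKE)
failure apart from a Phase 2 (Quick Mode / IPsec SA) one."""
import re

# Constructed sample: the conns posted in the thread, indented as ipsec.conf
# requires (a line starting in column 0 begins a new section).
SAMPLE_CONF = """\
config setup
    protostack=netkey

conn mysubnet
    also=mytunnel
    leftsubnet=172.31.50.0/24
    rightsubnet=172.31.7.0/24
    auto=start

conn mytunnel
    left=150.242.43.138
    right=216.120.174.230
    authby=secret
    pfs=yes
    phase2=esp
    phase2alg=aes256-sha1;modp2048
    nat_traversal=no
"""

# Constructed sample: the two pluto messages quoted in the thread.
SAMPLE_LOG = [
    '004 "mytunnel" #16: STATE_MAIN_I4: ISAKMP SA established '
    '{auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}',
    '031 "mytunnel" #17: max number of retransmissions (8) reached STATE_QUICK_I1. '
    'No acceptable response to our first Quick Mode message: perhaps peer likes no proposal',
]

def parse_ipsec_conf(text):
    """Return {('conn'|'config', name): {key: value}}; 'also' collects a list."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():                      # column 0: new section header
            kind, _, name = line.partition(" ")
            current = sections.setdefault((kind, name.strip()), {})
            continue
        if current is None:
            raise ValueError("option outside any section: %r" % raw)
        key, _, value = line.strip().partition("=")
        key, value = key.strip(), value.strip()
        if key == "also":
            current.setdefault("also", []).append(value)
        else:
            current[key] = value
    return sections

def effective_conn(sections, name, _seen=None):
    """Merge also= sections recursively. Assumption: settings written in the
    including conn take precedence over those inherited via also=."""
    _seen = _seen or set()
    if name in _seen:
        raise ValueError("also= loop through conn %s" % name)
    _seen.add(name)
    own = dict(sections[("conn", name)])
    merged = {}
    for parent in own.pop("also", []):
        merged.update(effective_conn(sections, parent, _seen))
    merged.update(own)
    return merged

def is_subnet_to_subnet(conn):
    return "leftsubnet" in conn and "rightsubnet" in conn

def parse_phase2alg(spec):
    """'aes256-sha1;modp2048' -> ('aes256', 'sha1', 'modp2048'); group may be absent."""
    algs, _, group = spec.partition(";")
    cipher, _, integ = algs.partition("-")
    return cipher, integ, group or None

# Patterns for the messages seen in the thread plus the error Paul mentions.
LOG_PATTERNS = [
    ("ike_established", re.compile(r"STATE_MAIN_I4: ISAKMP SA established")),
    ("quick_mode_timeout", re.compile(r"max number of retransmissions \(\d+\) reached STATE_QUICK_I1")),
    ("proposal_rejected", re.compile(r"NO_PROPOSAL_CHOSEN")),
]
CONN_IN_LOG = re.compile(r'^\d{3} "([^"]+)"')

def classify_log(lines):
    """Return (conn name seen in the log, set of event tags)."""
    tags, conn_name = set(), None
    for line in lines:
        m = CONN_IN_LOG.match(line)
        if m:
            conn_name = m.group(1)
        for tag, pat in LOG_PATTERNS:
            if pat.search(line):
                tags.add(tag)
    return conn_name, tags

def diagnose(conf_text, log_lines):
    """Turn conf + log into a short list of things to check next."""
    sections = parse_ipsec_conf(conf_text)
    conn_name, tags = classify_log(log_lines)
    advice = []
    if "ike_established" not in tags:
        return ["Phase 1 never completed: check ike=, authby= and the PSK first"]
    if "proposal_rejected" in tags:
        advice.append("peer rejected the Phase 2 proposal: compare esp=/phase2alg= with the peer")
    elif "quick_mode_timeout" in tags:
        advice.append("no Phase 2 answer at all (not NO_PROPOSAL_CHOSEN): suspect the "
                      "traffic selectors (left/rightsubnet, protoport) before the algorithms")
    if conn_name and not is_subnet_to_subnet(effective_conn(sections, conn_name)):
        subnet_conns = [n for (k, n) in sections
                        if k == "conn" and is_subnet_to_subnet(effective_conn(sections, n))]
        advice.append("conn %s negotiated host-to-host; try the subnet-to-subnet conn(s): %s"
                      % (conn_name, ", ".join(subnet_conns) or "none defined"))
    return advice

if __name__ == "__main__":
    for item in diagnose(SAMPLE_CONF, SAMPLE_LOG):
        print("-", item)
```

Run against the posted samples it reports that IKE completed, that the Quick Mode silence points at traffic selectors rather than ciphers, and that "mytunnel" is host-to-host while "mysubnet" is the subnet-to-subnet conn to bring up, which is the same conclusion Paul reaches by eye. The parser is deliberately minimal (no %default section, no multi-value quoting) and should be treated as an aid for reading a fragment, not as a replacement for ipsec's own config checks.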