On 2017-02-23 21:40, Paul Wouters wrote:
On Thu, 23 Feb 2017, Adam Tauno Williams wrote:
I am attempting to setup an IPSec VPN with an openStack cloud provider
[Catalyst].
I seem to get through Phase#1 [IKE] but no matter what I try in the
config file I cannot get past Phase#2.
Usually that means a configuration mismatch in either the esp=/phase2alg=
options or in the left/rightsubnet or left/rightprotoport= options
What are the options to debug what proposal would be viable?
AES256+SHA1 with PFS group14 *IS* what is configured on the remote
cloud provider side.
Without seeing logs of the other side, that's hard to tell. Especially
since you are not even getting an answer instead of receiving some
error like NO_PROPOSAL_CHOSEN.
004 "mytunnel" #16: STATE_MAIN_I4: ISAKMP SA established
{auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
So ike= line is good and you authenticated. So it is now all about the
IPsec SA options.
031 "mytunnel" #17: max number of retransmissions (8) reached
STATE_QUICK_I1. No acceptable response to our first Quick Mode
message: perhaps peer likes no proposal
[root@ipsec ~]# cat /etc/ipsec.d/catalyst.conf
config setup
protostack=netkey
conn mysubnet
also=mytunnel
leftsubnet=172.31.50.0/24
rightsubnet=172.31.7.0/24
auto=start
conn mytunnel
left=150.242.43.138
right=216.120.174.230
authby=secret
pfs=yes
phase2=esp
phase2alg=aes256-sha1;modp2048
nat_traversal=no
It could be that the remote does not allow the host-to-host
configuration and only allows the subnet-to-subnet configuration,
so you can try:
ipsec auto --delete mytunnel
ipsec auto --add mysubnet
ipsec auto --up mysubnet
A while back there used to be problems if you specified an modp in
phase2alg. Is it worth reducing it to just aes256-sha1?
BTW, to me this does look like a subnet-to-subnet configuration because
of conn subnet.
Paul
ps. interesting to see: ignoring Vendor ID payload [Openswan(project)]
which means they are running a very old openswan release (2.6.38 or so)
from around the time of the libreswan split.
pps. usually people don't change the default of not sending the Vendor
ID.
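An added example, not from the thread or from libreswan itself: a small Python checker that parses an ipsec.conf like the one quoted above, flattens the also= inheritance, and flags the two Phase 2 pitfalls raised in the reply (a DH group inside phase2alg, and a conn with no subnets that the peer may refuse as host-to-host). The also= precedence (keys set in the conn itself win over inherited ones) and the inline sample file are assumptions for the demonstration.

```python
import re

# Constructed sample: the catalyst.conf quoted in the thread, re-typed as test input.
SAMPLE_CONF = """\
config setup
    protostack=netkey
conn mysubnet
    also=mytunnel
    leftsubnet=172.31.50.0/24
    rightsubnet=172.31.7.0/24
    auto=start
conn mytunnel
    left=150.242.43.138
    right=216.120.174.230
    authby=secret
    pfs=yes
    phase2=esp
    phase2alg=aes256-sha1;modp2048
    nat_traversal=no
"""

def parse_conf(text):
    """Return {name: {key: value}}; 'config setup' is stored under 'setup'."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        m = re.match(r"^(config|conn)\s+(\S+)$", line)
        if m:
            cur = sections.setdefault(m.group(2), {})
        elif "=" in line and cur is not None:
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip()
    return sections

def resolve(conns, name, seen=frozenset()):
    """Flatten also= chains. Assumed semantics: keys set in the conn itself
    override those inherited from the also= target (loops are cut by 'seen')."""
    own = dict(conns[name])
    parent = own.pop("also", None)
    if parent and parent not in seen:
        merged = resolve(conns, parent, seen | {name})
        merged.update(own)
        return merged
    return own

def phase2_findings(conns, name):
    """Flag the Phase 2 pitfalls from the thread for one conn, after also= merging."""
    c = resolve(conns, name)
    findings = []
    alg = c.get("phase2alg", c.get("esp", ""))
    if ";" in alg:            # e.g. aes256-sha1;modp2048: group inside phase2alg
        findings.append("dh-group-in-phase2alg")   # try plain aes256-sha1 with pfs=yes
    if "leftsubnet" not in c and "rightsubnet" not in c:
        findings.append("host-to-host")            # peer may only accept subnet-to-subnet
    return findings
```

Running `phase2_findings(parse_conf(SAMPLE_CONF), "mytunnel")` reports both pitfalls, while `mysubnet` (which inherits the phase2alg but carries its own subnets) reports only the DH-group one.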
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan