list members,

I am looking to set up IPsec and have read a lot about what I am trying to do, but still come up short. Ultimately, I would like to have site-to-site tunnels along with road warrior tunnels. I am not sure if this config will run on a single libreswan instance, but have not found anything indicating it will not work. Can this be confirmed as something that will work?

I have an Android device (running 4.4.2 KitKat), and libreswan 3.13.1 on Fedora 20 (soon to be updated), and cannot get a road warrior config working. I have NAT-T set up, and there does not seem to be any issue with getting the traffic to the IPsec instance. It seems that I cannot get tunnel parameters agreed upon, and phase 1 never completes. With the below in "android.conf", I attempt to connect from my Android device:

conn android
    #ikev2=insist
    left=0.0.0.0
    leftprotoport=17/%any
    right=192.168.184.1
    rightprotoport=17/1701
    authby=secret
    pfs=no
    # use auto=start when done testing the tunnel
    auto=add

In my logs, I see the below entries:

"android"[10] 192.168.24.133 #10: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
"android"[10] 192.168.24.133 #10: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_256 integ=sha1_96 prf=sha group=MODP1024}
"android"[10] 192.168.24.133 #10: new NAT mapping for #10, was 192.168.24.133:500, now 192.168.24.133:60500
"android"[10] 192.168.24.133 #10: new NAT mapping for #10, was 192.168.24.133:60500, now 192.168.24.133:64500
"android"[10] 192.168.24.133 #10: IKEv2 mode peer ID is ID_USER_FQDN: '[email protected]'
| CHILD SA proposals received
| ikev2_parent_inI2outR2_tail returned STF_FAIL with v2N_NO_PROPOSAL_CHOSEN
"android"[10] 192.168.24.133 #10: sending unencrypted notification v2N_NO_PROPOSAL_CHOSEN to 192.168.24.133:64500
packet from 192.168.24.133:64500: sending unencrypted notification v2N_INVALID_MESSAGE_ID to 192.168.24.133:64500
packet from 192.168.24.133:64500: sending unencrypted notification v2N_INVALID_MESSAGE_ID to 192.168.24.133:64500
packet from 192.168.24.133:64500: sending unencrypted notification v2N_INVALID_MESSAGE_ID to 192.168.24.133:64500

I think the age of my Android client could be a contributing factor, but I don't know how to tell what is going wrong. Do I need to specify different or older keys? Any help would be appreciated.

Thanks in advance,

brendan
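A small triage script, added here as an illustration and not part of the original post or of libreswan, that walks the responder log lines quoted above and reports how far the IKEv2 exchange got before the failure. The sample log is the post's own lines, split one per line; the regexes match only the message formats visible in that log.

```python
import re

# Constructed sample input: the libreswan responder log lines from the post, one per line.
SAMPLE_LOG = """\
"android"[10] 192.168.24.133 #10: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
"android"[10] 192.168.24.133 #10: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_256 integ=sha1_96 prf=sha group=MODP1024}
"android"[10] 192.168.24.133 #10: new NAT mapping for #10, was 192.168.24.133:500, now 192.168.24.133:60500
"android"[10] 192.168.24.133 #10: new NAT mapping for #10, was 192.168.24.133:60500, now 192.168.24.133:64500
| CHILD SA proposals received
| ikev2_parent_inI2outR2_tail returned STF_FAIL with v2N_NO_PROPOSAL_CHOSEN
"android"[10] 192.168.24.133 #10: sending unencrypted notification v2N_NO_PROPOSAL_CHOSEN to 192.168.24.133:64500
"""

IKE_SA = re.compile(r"received v2I1, sent v2R1 \{(.*?)\}")
NAT_MAP = re.compile(r"new NAT mapping for #(\d+), was (\S+), now (\S+)")
STF_FAIL = re.compile(r"returned STF_FAIL with (v2N_\w+)")
NOTIFY = re.compile(r"sending unencrypted notification (v2N_\w+) to (\S+)")


def triage(log_text):
    """Walk the IKEv2 responder log and report which exchange failed and why."""
    summary = {"ike_sa": None, "nat_remaps": [], "child_proposals_seen": False,
               "fail_notify": None, "sent_notifies": [], "stage": "no exchange seen"}
    for line in log_text.splitlines():
        m = IKE_SA.search(line)
        if m:  # IKE_SA_INIT was answered: the IKE SA algorithms were agreed on this line
            summary["ike_sa"] = dict(kv.split("=", 1) for kv in m.group(1).split())
            summary["stage"] = "IKE_SA_INIT completed"
        m = NAT_MAP.search(line)
        if m:  # the peer's source port changed behind NAT (NAT-T in use)
            summary["nat_remaps"].append((m.group(2), m.group(3)))
        if "CHILD SA proposals received" in line:
            summary["child_proposals_seen"] = True
        m = STF_FAIL.search(line)
        if m:
            summary["fail_notify"] = m.group(1)
        m = NOTIFY.search(line)
        if m:
            summary["sent_notifies"].append(m.group(1))
    if summary["fail_notify"] == "v2N_NO_PROPOSAL_CHOSEN":
        # NO_PROPOSAL_CHOSEN after the child proposals were read means the IKE SA
        # was fine and the rejected proposal is the child (ESP) SA, not the IKE SA.
        if summary["child_proposals_seen"]:
            summary["stage"] = "IKE_AUTH failed: no matching child (ESP) SA proposal"
        else:
            summary["stage"] = "IKE_SA_INIT failed: no matching IKE SA proposal"
    return summary
```

On the posted log this reports that the IKE SA was agreed (aes_256, sha1_96, MODP1024) and that the rejection came only after "CHILD SA proposals received", so the mismatch to compare is the client's ESP proposal against the responder's child SA policy rather than the IKE settings.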

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan