TS_UNACCEPTABLE means the traffic selectors are not matching. Check left/rightsubnet and left/rightprotoports
Sent from mobile device > On Aug 12, 2019, at 04:03, Computerisms Corporation <[email protected]> > wrote: > > Hi Paul, > > you are correct, the NO_PROPOSAL_CHOSEN message did show up immediately after > the algorithms are listed in the log. In the past when I have seen that it > is because the security paramaters are not correct, but I haven't seen it > between two versions of libreswan before, I don't think. The local side was > running .22, so I upgraded that to .29 as well. > > That fixed the proposal error and broke connections with all the older > builds, but something still not right. Enough for tonight, will tackle it > again in the morning. But here are the remote logs: > > Aug 12 00:56:12 rrwall pluto[11679]: "computerisms2rrdc": constructed local > IKE proposals for computerisms2rrdc (IKE SA initiator selecting KE): > 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 > > 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 > > 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 > > 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 > (default) > Aug 12 00:56:12 rrwall pluto[11679]: "computerisms2rrdc" #1: STATE_PARENT_I1: > sent v2I1, expected v2R1 > Aug 12 00:56:12 rrwall pluto[11679]: "computerisms2rrdc": constructed local > ESP/AH proposals for computerisms2rrdc (IKE SA initiator emitting ESP/AH > proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;ESN=DISABLED > 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;ESN=DISABLED > 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED > 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED > 5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED (default) > Aug 12 00:56:12 rrwall pluto[11679]: "computerisms2rrdc" #2: STATE_PARENT_I2: > sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a > prf=HMAC_SHA2_512 group=MODP2048} > > Aug 12 00:56:12 rrwall pluto[11679]: "computerisms2rrdc" #2: IKE_AUTH > response contained the error notification TS_UNACCEPTABLE > >> On 2019-08-11 7:44 p.m., Paul Wouters wrote: >> Seems a misconfiguration. The Notify you receive should contain an >> indicator, eg NO PROPOSAL CHOSEN or AUTH FAILED >> Sent from mobile device >>> On Aug 11, 2019, at 21:45, Computerisms Corporation <[email protected]> >>> wrote: >>> >>> quick follow up; didn't notice that .29 was available, just tried upgrading >>> it, but getting the same error. >>> >>>> On 2019-08-11 6:09 p.m., Computerisms Corporation wrote: >>>> Hi, >>>> I setup a net to net tunnel, following the procedure I normally follow (at >>>> least presuming I didn't make a mistake that I can't find), using 3.28. I >>>> have patched the code as per >>>> https://github.com/libreswan/libreswan/commit/716f4b712724c6698469563e531dea3667507ceb >>>> Which so far has worked in at least 3 other places without issue (that >>>> said the barf.in needs to be done manually, the patch does not apply >>>> cleanly to that file). >>>> I am getting this in the logs: >>>> Aug 11 17:59:37 rrwall pluto[26346]: "computerisms2rrdc" #1: no useful >>>> state microcode entry found for incoming packet >>>> Aug 11 17:59:37 rrwall pluto[26346]: "computerisms2rrdc" #1: dropping >>>> unexpected IKE_AUTH message containing INVALID_IKE_SPI notification; >>>> message payloads: N; missing payloads: SK >>>> Apart from the github page with the code that uses this text, I get no >>>> hits on google. I have read the comment in the code and understand that >>>> something is messed up, but I am not really clear what this is indicating. >>>> Is it a configuration issue? a portion of the code not properly >>>> compiled? a certificate problem? The remote end is a very slow DSL >>>> connection, maybe that is part of the problem? been going through my >>>> regular list of things to try, but not meeting any success yet. >>>> Any clues on a direction for me to go with this? >>> _______________________________________________ >>> Swan mailing list >>> [email protected] >>> https://lists.libreswan.org/mailman/listinfo/swan _______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
