<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7653.38">
<TITLE>RE: [Openswan Users] perhaps peer likes no proposal</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<P><FONT SIZE=2>Simon, its not a typo, its how you specify your Diffie Hellman group. It uses the same one as the ike, but you can specify. esp=aes256-sha1-modp1024 would report an error, leaving it blank would work exactly the same, getting stuck in the same place.<BR>
<BR>
No matter what I put in esp, it gets stuck in the same place. I change my ike, it complains "Informational Exchange message must be encrypted". Definitely having problems at a later stage. Phase1 and Phase2 protocols at the other end are identical.<BR>
<BR>
Could it be tunnel problems? Or would the tunnel cause it to fail at another stage? What exactly is STATE_AGGR_I2 trying to achieve?<BR>
<BR>
Cheers guys.<BR>
<BR>
-----Original Message-----<BR>
From: simon charles [<A HREF="mailto:charlessimon@hotmail.com">mailto:charlessimon@hotmail.com</A>]<BR>
Sent: Wed 11/26/2008 3:08 AM<BR>
To: Tudor Georgescu; bzhang@sonicwall.com; users-bounces@openswan.org<BR>
Subject: RE: [Openswan Users] perhaps peer likes no proposal<BR>
<BR>
<BR>
Tudor - is that a typo in esp parameter ? shouldn't it be esp=aes256-sha1-modp1024<BR>
<BR>
conn myvpn<BR>
<BR>
pfs=yes<BR>
<BR>
authby=secret<BR>
<BR>
type=tunnel<BR>
<BR>
aggrmode=yes<BR>
<BR>
keyexchange=ike<BR>
<BR>
auth=esp<BR>
<BR>
ike=aes256-sha1-modp1024<BR>
<BR>
esp=aes256-sha1;modp1024<BR>
<BR>
left=10.0.0.128<BR>
<BR>
leftsubnet=10.0.0.0/24<BR>
<BR>
leftnexthop=10.0.0.138<BR>
<BR>
leftid=my@id.com<BR>
<BR>
right=<vpn.public.ip><BR>
<BR>
#rightnexthop=a.b.c.d<BR>
<BR>
rightsubnet=w.x.y.z/24<BR>
<BR>
rightid=<vpn.public.ip><BR>
<BR>
auto=start<BR>
<BR>
<BR>
- Simon Charles -<BR>
<BR>
<BR>
<BR>
<BR>
Subject: RE: [Openswan Users] perhaps peer likes no proposal<BR>
Date: Wed, 26 Nov 2008 01:47:13 +0000<BR>
From: Tudor.Georgescu@aardman.com<BR>
To: bzhang@sonicwall.com; charlessimon@hotmail.com; users-bounces@openswan.org<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
RE: [Openswan Users] perhaps peer likes no proposal<BR>
<BR>
<BR>
<BR>
<BR>
Many thanks for the input.<BR>
<BR>
<BR>
<BR>
Aaron, the other end has pfs enabled, that is why it was=yes. Setting it to 'no' makes no difference to how far the connection gets.<BR>
<BR>
<BR>
<BR>
Simon, the other end is indeed expecting aggressive mode as this is a roadwarrior setup.<BR>
<BR>
<BR>
<BR>
Cheers folks,<BR>
<BR>
<BR>
<BR>
Tudor<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
-----Original Message-----<BR>
<BR>
From: Aaron Zhang [<A HREF="mailto:bzhang@sonicwall.com">mailto:bzhang@sonicwall.com</A>]<BR>
<BR>
Sent: Wed 11/26/2008 1:24 AM<BR>
<BR>
To: simon charles; Tudor Georgescu; users@openswan.org<BR>
<BR>
Subject: RE: [Openswan Users] perhaps peer likes no proposal<BR>
<BR>
<BR>
<BR>
I think the phase1 has been established successfully , so it does not result from the aggressive mode.<BR>
<BR>
<BR>
<BR>
Could you disable the pfs=no and have a try ?<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
Thanks!<BR>
<BR>
<BR>
<BR>
Aaron (Bo) Zhang<BR>
<BR>
<BR>
<BR>
________________________________<BR>
<BR>
<BR>
<BR>
From: users-bounces@openswan.org [<A HREF="mailto:users-bounces@openswan.org">mailto:users-bounces@openswan.org</A>] On Behalf Of simon charles<BR>
<BR>
Sent: 2008?11?26? 3:28<BR>
<BR>
To: tudor.georgescu@aardman.com; users@openswan.org<BR>
<BR>
Subject: Re: [Openswan Users] perhaps peer likes no proposal<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
Hi !<BR>
<BR>
From the logs - openswan is trying to connect using 'aggressive mode' - is the watchguard expecting to connect using aggresive mode ?. Aggressive mode is less secure than main mode - unless you are using a roadwarrior configuration - i would recommend that you use main mode.<BR>
<BR>
Thanks !<BR>
<BR>
<BR>
<BR>
________________________________<BR>
<BR>
<BR>
<BR>
Date: Tue, 25 Nov 2008 17:33:16 +0000<BR>
<BR>
From: Tudor.Georgescu@aardman.com<BR>
<BR>
To: users@openswan.org<BR>
<BR>
Subject: [Openswan Users] perhaps peer likes no proposal<BR>
<BR>
<BR>
<BR>
Hey guys,<BR>
<BR>
I have been struggling with this for a few days now. I've become thoroughly stuck on this on what I believe may be phase2.<BR>
<BR>
<BR>
<BR>
I am trying to connect openswan-2.6.19 [left] (and openswan-2.6.19 upto the .19 release) to a WatchGuard Firebox [right].<BR>
<BR>
<BR>
<BR>
Many releases ago, this was once possible: <A HREF="http://wiki.openswan.org/index.php/Interop/InteroperatingWatchguard">http://wiki.openswan.org/index.php/Interop/InteroperatingWatchguard</A><BR>
<BR>
<BR>
<BR>
Unfortunately following many tutorials and the Paul and Ken book has still left me in the dark.<BR>
<BR>
<BR>
<BR>
I have been on the #openswan irc channel and they suggested that "perhaps peer likes no proposal" means I'm not matching IKE or ESP properly. I've checked, double checked, and thrice checked both ends, but I'm still getting stuck.<BR>
<BR>
<BR>
<BR>
Settings-wise what is still a mystery to me is the tunnel settings. On the Watchguard end, its configured to give me the virtual IP of a.b.c.d, which puts me on the network w.x.y.z/24. I've tried various rightnexthop/rightsubnet settings, but that does not appear to make any changes to the connection. Am I barking up the wrong tree? Does the tunnel have anything to do with "perhaps peer likes no proposal"?<BR>
<BR>
<BR>
<BR>
Any explinations of what the following means would also be much appreciated. I.e. what is STATE_AGGR_I2 trying to achieve?<BR>
<BR>
localhost pluto[27033]: "myvpn" #1: retransmitting in response to duplicate packet; already STATE_AGGR_I2<BR>
<BR>
localhost pluto[27033]: "myvpn" #1: discarding duplicate packet -- exhausted retransmission; already STATE_AGGR_I2<BR>
<BR>
<BR>
<BR>
Thank you in advance guys and gals.<BR>
<BR>
<BR>
<BR>
Tudor<BR>
<BR>
<BR>
<BR>
# /etc/ipsec.conf - Openswan IPsec configuration file<BR>
<BR>
version 2.0 # conforms to second version of ipsec.conf specification<BR>
<BR>
<BR>
<BR>
config setup<BR>
<BR>
interfaces=%defaultroute<BR>
<BR>
nat_traversal=yes<BR>
<BR>
OE=off<BR>
<BR>
protostack=netkey<BR>
<BR>
uniqueids=yes<BR>
<BR>
<BR>
<BR>
conn myvpn<BR>
<BR>
pfs=yes<BR>
<BR>
authby=secret<BR>
<BR>
type=tunnel<BR>
<BR>
aggrmode=yes<BR>
<BR>
keyexchange=ike<BR>
<BR>
auth=esp<BR>
<BR>
ike=aes256-sha1-modp1024<BR>
<BR>
esp=aes256-sha1;modp1024<BR>
<BR>
left=10.0.0.128<BR>
<BR>
leftsubnet=10.0.0.0/24<BR>
<BR>
leftnexthop=10.0.0.138<BR>
<BR>
leftid=my@id.com<BR>
<BR>
right=<vpn.public.ip><BR>
<BR>
#rightnexthop=a.b.c.d<BR>
<BR>
rightsubnet=w.x.y.z/24<BR>
<BR>
rightid=<vpn.public.ip><BR>
<BR>
auto=start<BR>
<BR>
<BR>
<BR>
The output was from rel 2.6.18, but I get the same from 2.6.19.<BR>
<BR>
<BR>
<BR>
/var/log/messages<BR>
<BR>
<BR>
<BR>
localhost pluto[26477]: shutting down<BR>
<BR>
localhost pluto[26477]: forgetting secrets<BR>
<BR>
localhost pluto[26477]: "myvpn": deleting connection<BR>
<BR>
localhost pluto[26477]: "myvpn" #1: deleting state (STATE_AGGR_I2)<BR>
<BR>
localhost pluto[26477]: "myvpn": request to delete a unrouted policy with netkey kernel --- experimental<BR>
<BR>
localhost pluto[26477]: shutting down interface lo/lo ::1:500<BR>
<BR>
localhost pluto[26477]: shutting down interface lo/lo 127.0.0.1:4500<BR>
<BR>
localhost pluto[26477]: shutting down interface lo/lo 127.0.0.1:500<BR>
<BR>
localhost pluto[26477]: shutting down interface eth0/eth0 10.0.0.128:4500<BR>
<BR>
localhost pluto[26477]: shutting down interface eth0/eth0 10.0.0.128:500<BR>
<BR>
localhost ipsec__plutorun: Starting Pluto subsystem...<BR>
<BR>
localhost pluto[27033]: Starting Pluto (Openswan Version 2.6.18; Vendor ID OE}ZvZ@M[OWD) pid:27033<BR>
<BR>
localhost pluto[27033]: Setting NAT-Traversal port-4500 floating to on<BR>
<BR>
localhost pluto[27033]: port floating activation criteria nat_t=1/port_float=1<BR>
<BR>
localhost pluto[27033]: including NAT-Traversal patch (Version 0.6c)<BR>
<BR>
localhost pluto[27033]: using /dev/urandom as source of random entropy<BR>
<BR>
localhost pluto[27033]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)<BR>
<BR>
localhost pluto[27033]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)<BR>
<BR>
localhost pluto[27033]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)<BR>
<BR>
localhost pluto[27033]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)<BR>
<BR>
localhost pluto[27033]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)<BR>
<BR>
localhost pluto[27033]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)<BR>
<BR>
localhost pluto[27033]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)<BR>
<BR>
localhost pluto[27033]: starting up 1 cryptographic helpers<BR>
<BR>
localhost pluto[27034]: using /dev/urandom as source of random entropy<BR>
<BR>
localhost pluto[27033]: started helper pid=27034 (fd:7)<BR>
<BR>
localhost pluto[27033]: Using Linux 2.6 IPsec interface code on 2.6.26.5-28.fc8 (experimental code)<BR>
<BR>
localhost pluto[27033]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names<BR>
<BR>
localhost pluto[27033]: ike_alg_register_enc(): Activating <NULL>: Ok (ret=0)<BR>
<BR>
localhost pluto[27033]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names<BR>
<BR>
localhost pluto[27033]: ike_alg_add(): ERROR: Algorithm already exists<BR>
<BR>
localhost pluto[27033]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)<BR>
<BR>
localhost pluto[27033]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names<BR>
<BR>
localhost pluto[27033]: ike_alg_add(): ERROR: Algorithm already exists<BR>
<BR>
localhost pluto[27033]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)<BR>
<BR>
localhost pluto[27033]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names<BR>
<BR>
localhost pluto[27033]: ike_alg_add(): ERROR: Algorithm already exists<BR>
<BR>
localhost pluto[27033]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)<BR>
<BR>
localhost pluto[27033]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names<BR>
<BR>
localhost pluto[27033]: ike_alg_add(): ERROR: Algorithm already exists<BR>
<BR>
localhost pluto[27033]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)<BR>
<BR>
localhost pluto[27033]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names<BR>
<BR>
localhost pluto[27033]: ike_alg_add(): ERROR: Algorithm already exists<BR>
<BR>
localhost pluto[27033]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)<BR>
<BR>
localhost pluto[27033]: Changed path to directory '/etc/ipsec.d/cacerts'<BR>
<BR>
localhost pluto[27033]: Changed path to directory '/etc/ipsec.d/aacerts'<BR>
<BR>
localhost pluto[27033]: Changed path to directory '/etc/ipsec.d/ocspcerts'<BR>
<BR>
localhost pluto[27033]: Changing to directory '/etc/ipsec.d/crls'<BR>
<BR>
localhost pluto[27033]: Warning: empty directory<BR>
<BR>
localhost pluto[27033]: Changing back to directory '/tmp' failed - (2 No such file or directory)<BR>
<BR>
localhost pluto[27033]: Changing back to directory '/tmp' failed - (2 No such file or directory)<BR>
<BR>
localhost pluto[27033]: added connection description "myvpn"<BR>
<BR>
localhost pluto[27033]: listening for IKE messages<BR>
<BR>
localhost pluto[27033]: adding interface eth0/eth0 10.0.0.128:500<BR>
<BR>
localhost pluto[27033]: adding interface eth0/eth0 10.0.0.128:4500<BR>
<BR>
localhost pluto[27033]: adding interface lo/lo 127.0.0.1:500<BR>
<BR>
localhost pluto[27033]: adding interface lo/lo 127.0.0.1:4500<BR>
<BR>
localhost pluto[27033]: adding interface lo/lo ::1:500<BR>
<BR>
localhost pluto[27033]: loading secrets from "/etc/ipsec.secrets"<BR>
<BR>
localhost pluto[27033]: "myvpn": request to add a prospective erouted policy with netkey kernel --- experimental<BR>
<BR>
localhost pluto[27033]: "myvpn" #1: initiating Aggressive Mode #1, connection "myvpn"<BR>
<BR>
localhost pluto[27033]: | setting sec: 1<BR>
<BR>
localhost pluto[27033]: "myvpn" #1: received Vendor ID payload [Dead Peer Detection]<BR>
<BR>
localhost pluto[27033]: "myvpn" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106<BR>
<BR>
localhost pluto[27033]: "myvpn" #1: Aggressive mode peer ID is ID_IPV4_ADDR: '<vpn.public.ip>'<BR>
<BR>
localhost pluto[27033]: "myvpn" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed<BR>
<BR>
localhost pluto[27033]: "myvpn" #1: Aggressive mode peer ID is ID_IPV4_ADDR: '<vpn.public.ip>'<BR>
<BR>
localhost pluto[27033]: "myvpn" #1: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2<BR>
<BR>
localhost pluto[27033]: "myvpn" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}<BR>
<BR>
localhost pluto[27033]: "myvpn" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW {using isakmp#1 msgid:131f6317 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}<BR>
<BR>
localhost pluto[27033]: "myvpn" #1: retransmitting in response to duplicate packet; already STATE_AGGR_I2<BR>
<BR>
localhost pluto[27033]: "myvpn" #1: retransmitting in response to duplicate packet; already STATE_AGGR_I2<BR>
<BR>
localhost pluto[27033]: "myvpn" #1: discarding duplicate packet -- exhausted retransmission; already STATE_AGGR_I2<BR>
<BR>
localhost pluto[27033]: "myvpn" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal<BR>
<BR>
localhost pluto[27033]: "myvpn" #2: starting keying attempt 2 of at most 3<BR>
<BR>
Nov 21 18:02:42 localhost pluto[27033]: "myvpn" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW to replace #2 {using isakmp#1 msgid:bd4d55d2 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}<BR>
<BR>
localhost pluto[27033]: "myvpn" #3: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal<BR>
<BR>
localhost pluto[27033]: "myvpn" #3: starting keying attempt 3 of at most 3<BR>
<BR>
localhost pluto[27033]: "myvpn" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW to replace #3 {using isakmp#1 msgid:947f04f5 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}<BR>
<BR>
localhost pluto[27033]: "myvpn" #4: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal<BR>
<BR>
<BR>
<BR>
- --------------------------------------------------------------------<BR>
<BR>
<A HREF="http://www.aardman.com">http://www.aardman.com</A><BR>
<BR>
<BR>
<BR>
______________________________________________________________________<BR>
<BR>
This message has been checked for all known viruses by the MessageLabs<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
__________________________________________________________________<BR>
<BR>
This message has been checked for all known viruses by MessageLabs<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
- --------------------------------------------------------------------<BR>
<BR>
<A HREF="http://www.aardman.com">http://www.aardman.com</A><BR>
<BR>
<BR>
<BR>
______________________________________________________________________<BR>
<BR>
This message has been checked for all known viruses by the MessageLabs<BR>
<BR>
__________________________________________________________________<BR>
This message has been checked for all known viruses by MessageLabs<BR>
<BR>
<BR>
</FONT>
</P>
<BR>
- --------------------------------------------------------------------<BR>
http://www.aardman.com<BR>
<BR>
______________________________________________________________________<BR>
This message has been checked for all known viruses by the MessageLabs<BR>
</BODY>
</HTML>