<div dir="ltr"><div>Hi, I'm trying to create a site-to-site connection.</div><div><br></div><div><br></div><div>My provider sent me the following settings:</div><div><br></div><div>>VPN server address – 2.2.2.2 </div>
<div>>Client subnet 10.128.139.0/24</div><div>>Destination subnet - 10.128.0.0/24</div><div>>PSK: – XXXXXXXXX</div><div>>VPN mode: – tunnel, PSK, 3DES encryption, hash: SHA1, UDP encapsulation</div>
<div><br></div><div>I configured it accordingly, but it doesn't want to connect:</div><div><br></div><div>It fails with "NO_PROPOSAL_CHOSEN"</div><div><br></div><div>Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4</div>
<div>Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}</div><div>Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:cccf4cf7 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}</div>
<div>Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000</div><div>Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: received and ignored informational message</div>
<div><br></div><div><br></div><div>Openswan version: Linux Openswan U2.6.38/K3.1.0-1.2-xen (netkey)</div><div><br></div><div><br></div><div>1.1.1.123 is my local address</div><div>1.1.1.1 is my default gateway</div><div>2.2.2.2 is remote server address</div>
<div><br></div><div><br></div><div>Thanks, Slava</div><div><br></div><div><br></div><div>See all logs and configs below:</div><div><br></div><div><br></div><div>ipsec.conf start</div><div><br></div><div><br></div><div># /etc/ipsec.conf - Openswan IPsec configuration file</div>
<div><br></div><div># This file: /usr/share/doc/openswan/ipsec.conf-sample</div><div>#</div><div># Manual: ipsec.conf.5</div><div><br></div><div><br></div><div>version<span class="" style="white-space:pre">        </span>2.0<span class="" style="white-space:pre">        </span># conforms to second version of ipsec.conf specification</div>
<div><br></div><div># basic configuration</div><div>config setup</div><div> #interfaces="%defaultroute"</div><div><span class="" style="white-space:pre">        </span># Do not set debug options to debug configuration issues!</div>
<div><span class="" style="white-space:pre">        </span># plutodebug / klipsdebug = "all", "none" or a combination from below:</div><div><span class="" style="white-space:pre">        </span># "raw crypt parsing emitting control klips pfkey natt x509 dpd private"</div>
<div><span class="" style="white-space:pre">        </span># eg:</div><div><span class="" style="white-space:pre">        </span># plutodebug="control parsing"</div><div><span class="" style="white-space:pre">        </span># Again: only enable plutodebug or klipsdebug when asked by a developer</div>
<div><span class="" style="white-space:pre">        </span>#</div><div><span class="" style="white-space:pre">        </span># enable to get logs per-peer</div><div><span class="" style="white-space:pre">        </span># plutoopts="--perpeerlog"</div>
<div><span class="" style="white-space:pre">        </span>#</div><div><span class="" style="white-space:pre">        </span># Enable core dumps (might require system changes, like ulimit -C)</div><div><span class="" style="white-space:pre">        </span># This is required for abrtd to work properly</div>
<div><span class="" style="white-space:pre">        </span># Note: incorrect SElinux policies might prevent pluto writing the core</div><div><span class="" style="white-space:pre">        </span>dumpdir=/var/run/pluto/</div><div><span class="" style="white-space:pre">        </span>#</div>
<div><span class="" style="white-space:pre">        </span># NAT-TRAVERSAL support, see README.NAT-Traversal</div><div><span class="" style="white-space:pre">        </span>nat_traversal=no</div><div><span class="" style="white-space:pre">        </span># exclude networks used on server side by adding %v4:!a.b.c.0/24</div>
<div><span class="" style="white-space:pre">        </span># It seems that T-Mobile in the US and Rogers/Fido in Canada are</div><div><span class="" style="white-space:pre">        </span># using 25/8 as "private" address space on their 3G network.</div>
<div><span class="" style="white-space:pre">        </span># This range has not been announced via BGP (at least up to 2010-12-21)</div><div><span class="" style="white-space:pre">        </span>virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10</div>
<div><span class="" style="white-space:pre">        </span># OE is now off by default. Uncomment and change to on, to enable.</div><div><span class="" style="white-space:pre">        </span>oe=off</div><div><span class="" style="white-space:pre">        </span># which IPsec stack to use. auto will try netkey, then klips then mast</div>
<div><span class="" style="white-space:pre">        </span>protostack=netkey</div><div><span class="" style="white-space:pre">        </span># Use this to log to a file, or disable logging on embedded systems (like openwrt)</div><div><span class="" style="white-space:pre">        </span>#plutostderrlog=/dev/null</div>
<div> </div><div><br></div><div># Add connections here</div><div><br></div><div># sample VPN connection</div><div># for more examples, see /etc/ipsec.d/examples/</div><div>#conn sample</div><div>#<span class="" style="white-space:pre">                </span># Left security gateway, subnet behind it, nexthop toward right.</div>
<div>#<span class="" style="white-space:pre">                </span>left=10.0.0.1</div><div>#<span class="" style="white-space:pre">                </span>leftsubnet=172.16.0.0/24</div><div>#<span class="" style="white-space:pre">                </span>leftnexthop=10.22.33.44</div>
<div>#<span class="" style="white-space:pre">                </span># Right security gateway, subnet behind it, nexthop toward left.</div><div>#<span class="" style="white-space:pre">                </span>right=10.12.12.1</div><div>#<span class="" style="white-space:pre">                </span>rightsubnet=192.168.0.0/24</div>
<div>#<span class="" style="white-space:pre">                </span>rightnexthop=10.101.102.103</div><div>#<span class="" style="white-space:pre">                </span># To authorize this connection, but not actually start it, </div><div>#<span class="" style="white-space:pre">                </span># at startup, uncomment this.</div>
<div>#<span class="" style="white-space:pre">                </span>#auto=add</div><div><br></div><div><br></div><div>conn telphin</div><div> left=1.1.1.123 # left for local</div><div> leftsubnet=10.128.139.0/24</div>
<div> leftnexthop=%defaultroute</div><div> right=2.2.2.2 # right for remote</div><div> rightsubnet=10.128.0.0/24</div><div> rightnexthop=%defaultroute</div>
<div> type=tunnel</div><div> authby=secret</div><div> auto=start</div><div> auth=esp</div><div> keyexchange=ike</div><div> ike=3des-sha1-modp1024!</div>
<div> esp=3des-sha1!</div><div> pfs=yes</div><div> </div><div>ipsec.conf end</div><div><br></div><div><br></div><div>status start</div><div><br></div><div>ipsec auto --status</div><div>
000 using kernel interface: netkey</div><div>000 interface lo/lo ::1</div><div>000 interface lo/lo 127.0.0.1</div><div>000 interface eth0/eth0 1.1.1.123</div><div>000 interface tun0/tun0 10.128.139.1</div><div>000 %myid = (none)</div>
<div>000 debug none</div><div>000 </div><div>000 virtual_private (%priv):</div><div>000 - allowed 6 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, fd00::/8, fe80::/10</div>
<div>000 - disallowed 0 subnets: </div><div>000 WARNING: Disallowed subnets in virtual_private= is empty. If you have </div><div>000 private address space in internal use, it should be excluded!</div><div>000 </div>
<div>000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64</div><div>000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192</div><div>000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128</div>
<div>000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448</div><div>000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0</div><div>000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256</div>
<div>000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288</div><div>000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256</div>
<div>000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256</div>
<div>000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256</div>
<div>000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128</div><div>000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160</div>
<div>000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256</div><div>000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384</div>
<div>000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512</div><div>000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160</div><div>
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128</div><div>000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0</div><div>000 </div>
<div>000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131</div><div>000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192</div><div>000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128</div>
<div>000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16</div><div>000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20</div><div>000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32</div><div>000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64</div>
<div>000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024</div><div>000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536</div><div>000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048</div>
<div>000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072</div><div>000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096</div><div>000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144</div>
<div>000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192</div><div>000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024</div><div>000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048</div>
<div>000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048</div><div>000 </div><div>000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,36} trans={0,2,1536} attrs={0,2,2048} </div><div>000 </div>
<div>000 "telphin": 10.128.139.0/24===1.1.1.123<1.1.1.123>---1.1.1.1...1.1.1.1---2.2.2.2<2.2.2.2>===10.128.0.0/24; prospective erouted; eroute owner: #0</div>
<div>000 "telphin": myip=unset; hisip=unset;</div><div>000 "telphin": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 </div><div>000 "telphin": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: eth0; </div>
<div>000 "telphin": newest ISAKMP SA: #1; newest IPsec SA: #0; </div><div>000 "telphin": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=strict</div><div>000 "telphin": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)</div>
<div>000 "telphin": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024</div><div>000 "telphin": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000; flags=strict</div><div>000 "telphin": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160</div>
<div>000 </div><div>000 #2: "telphin":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 33s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate</div><div>000 #1: "telphin":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2792s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate</div>
<div>000 </div><div><br></div><div>status end</div><div><br></div><div><br></div><div>log file start</div><div><br></div><div>Apr 15 18:34:38 vm12202 ipsec__plutorun: Starting Pluto subsystem...</div><div>Apr 15 18:34:38 vm12202 pluto[4039]: Starting Pluto (Openswan Version 2.6.38; Vendor ID OEvy\134kgzWq\134s) pid:4039</div>
<div>Apr 15 18:34:38 vm12202 pluto[4039]: LEAK_DETECTIVE support [disabled]</div><div>Apr 15 18:34:38 vm12202 pluto[4039]: OCF support for IKE [disabled]</div><div>Apr 15 18:34:38 vm12202 pluto[4039]: SAref support [disabled]: Protocol not available</div>
<div>Apr 15 18:34:38 vm12202 pluto[4039]: SAbind support [disabled]: Protocol not available</div><div>Apr 15 18:34:38 vm12202 pluto[4039]: NSS support [disabled]</div><div>Apr 15 18:34:38 vm12202 pluto[4039]: HAVE_STATSD notification support not compiled in</div>
<div>Apr 15 18:34:38 vm12202 pluto[4039]: Setting NAT-Traversal port-4500 floating to off</div><div>Apr 15 18:34:38 vm12202 pluto[4039]: port floating activation criteria nat_t=0/port_float=1</div><div>Apr 15 18:34:38 vm12202 pluto[4039]: NAT-Traversal support [disabled]</div>
<div>Apr 15 18:34:38 vm12202 pluto[4039]: using /dev/urandom as source of random entropy</div><div>Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)</div><div>Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)</div>
<div>Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)</div><div>Apr 15 18:34:38 vm12202 pluto[4039]: starting up 1 cryptographic helpers</div><div>Apr 15 18:34:38 vm12202 pluto[4039]: started helper pid=4041 (fd:6)</div>
<div>Apr 15 18:34:38 vm12202 pluto[4039]: Using Linux 2.6 IPsec interface code on 3.1.0-1.2-xen (experimental code)</div><div>Apr 15 18:34:38 vm12202 pluto[4041]: using /dev/urandom as source of random entropy</div><div>Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)</div>
<div>Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists</div><div>Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)</div>
<div>Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists</div><div>Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)</div>
<div>Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists</div><div>Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)</div>
<div>Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists</div><div>Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)</div>
<div>Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists</div><div>Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)</div>
<div>Apr 15 18:34:38 vm12202 pluto[4039]: added connection description "telphin"</div><div>Apr 15 18:34:38 vm12202 pluto[4039]: listening for IKE messages</div><div>Apr 15 18:34:38 vm12202 pluto[4039]: adding interface tun0/tun0 10.128.139.1:500</div>
<div>Apr 15 18:34:38 vm12202 pluto[4039]: adding interface eth0/eth0 1.1.1.123:500</div><div>Apr 15 18:34:38 vm12202 pluto[4039]: adding interface lo/lo 127.0.0.1:500</div>
<div>Apr 15 18:34:38 vm12202 pluto[4039]: adding interface lo/lo ::1:500</div><div>Apr 15 18:34:38 vm12202 pluto[4039]: loading secrets from "/etc/ipsec.secrets"</div><div>Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: initiating Main Mode</div>
<div>Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2</div><div>Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: STATE_MAIN_I2: sent MI2, expecting MR2</div>
<div>Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: received Vendor ID payload [Cisco-Unity]</div><div>Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: received Vendor ID payload [Dead Peer Detection]</div>
<div>Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: ignoring unknown Vendor ID payload [24f71717df62d1ed92fbaa8e988a9af6]</div><div>Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: received Vendor ID payload [XAUTH]</div>
<div>Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3</div><div>Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: STATE_MAIN_I3: sent MI3, expecting MR3</div>
<div>Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: Main mode peer ID is ID_IPV4_ADDR: '2.2.2.2'</div><div>Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4</div>
<div>Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}</div><div>Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:cccf4cf7 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}</div>
<div>Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000</div><div>Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: received and ignored informational message</div>
<div><br></div><div>log file end</div></div>
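<div>Added example (not part of Slava's post, not Openswan code): a small Python triage helper for exactly this log pattern. It reads pluto lines, records that the ISAKMP SA (Phase 1) was established and that NO_PROPOSAL_CHOSEN arrived only after the Quick Mode proposal went out, and then compares the proposal and the local ipsec.conf against what the provider's e-mail specified. The sample log and config lines are constructed from the post (abridged); PEER_SPEC is an assumed dictionary encoding the provider's settings, with no PFS key because the e-mail does not mention PFS. The output is a list of points to confirm with the peer, not a verdict.</div>

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the decisive pluto lines from the post, abridged.
SAMPLE_LOG = """\
Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: initiating Main Mode
Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:cccf4cf7 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
"""

# Constructed sample input: the relevant parts of the posted ipsec.conf.
SAMPLE_CONF = """\
version 2.0
config setup
        nat_traversal=no
conn telphin
 left=1.1.1.123 # left for local
 leftsubnet=10.128.139.0/24
 right=2.2.2.2 # right for remote
 rightsubnet=10.128.0.0/24
 authby=secret
 esp=3des-sha1!
 pfs=yes
"""

# Assumed encoding of the provider's e-mail; "pfs" is absent because the e-mail never mentions it.
PEER_SPEC = {"mode": "tunnel", "auth": "psk", "cipher": "3des", "hash": "sha1", "udp_encapsulation": True}

LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
P1_RE = re.compile(r"ISAKMP SA established \{(?P<params>[^}]*)\}")
QM_RE = re.compile(r"initiating Quick Mode (?P<policy>\S+) \{[^}]*proposal=(?P<proposal>\S+)(?: pfsgroup=(?P<pfs>\S+))?\}")
NOTIFY_RE = re.compile(r"informational payload, type (?P<notify>[A-Z_]+)")


@dataclass
class IkeDiagnosis:
    conn: Optional[str] = None
    phase1_established: bool = False
    phase1_params: Dict[str, str] = field(default_factory=dict)
    quick_mode_policy: List[str] = field(default_factory=list)
    esp_proposal: Optional[str] = None
    pfs_group: Optional[str] = None
    notifies: List[str] = field(default_factory=list)  # notifies seen after Quick Mode started

    def phase2_rejected(self) -> bool:
        return self.phase1_established and "NO_PROPOSAL_CHOSEN" in self.notifies


def analyse_pluto_log(text: str) -> IkeDiagnosis:
    """Walk pluto log lines and record how far the IKEv1 exchange got."""
    diag, quick_mode_started = IkeDiagnosis(), False
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        diag.conn, msg = m.group("conn"), m.group("msg")
        p1 = P1_RE.search(msg)
        if p1:  # Phase 1 done: PSK and IKE proposal were accepted by the peer
            diag.phase1_established = True
            diag.phase1_params = dict(kv.split("=", 1) for kv in p1.group("params").split())
            continue
        qm = QM_RE.search(msg)
        if qm:  # Phase 2 proposal sent: remember what we offered
            quick_mode_started = True
            diag.quick_mode_policy = qm.group("policy").split("+")
            diag.esp_proposal, diag.pfs_group = qm.group("proposal"), qm.group("pfs")
            continue
        n = NOTIFY_RE.search(msg)
        if n and quick_mode_started:  # a notify after QM1 answers the Phase 2 proposal
            diag.notifies.append(n.group("notify"))
    return diag


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal ipsec.conf reader: unindented lines open a section, key=value lines fill it."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        if not raw[0].isspace() and "=" not in line:
            current = line.strip()  # e.g. "config setup", "conn telphin"
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def review(diag: IkeDiagnosis, conf, conn: str, peer_spec) -> List[str]:
    """Combine log diagnosis, local config and the peer's stated settings into points to confirm."""
    findings, c, setup = [], conf.get(f"conn {conn}", {}), conf.get("config setup", {})
    if diag.phase2_rejected():
        findings.append("Phase 1 completed and NO_PROPOSAL_CHOSEN followed the Quick Mode proposal: PSK and IKE proposal are fine; look at Phase 2 (ESP transforms, PFS, traffic selectors).")
    if "PFS" in diag.quick_mode_policy and "pfs" not in peer_spec:
        findings.append(f"Quick Mode demands PFS ({diag.pfs_group}) via pfs={c.get('pfs')}, but the peer's specification says nothing about PFS; confirm the peer's PFS setting.")
    if peer_spec.get("udp_encapsulation") and setup.get("nat_traversal", "no") != "yes":
        findings.append("Peer asks for UDP encapsulation but nat_traversal=no locally (log: NAT-Traversal support [disabled]); confirm whether the peer expects NAT-T.")
    return findings
```

<div>Usage: <code>review(analyse_pluto_log(SAMPLE_LOG), parse_ipsec_conf(SAMPLE_CONF), "telphin", PEER_SPEC)</code> returns three findings for the posted log and config. The ordering check in <code>analyse_pluto_log</code> matters: a NO_PROPOSAL_CHOSEN that arrives before the ISAKMP SA exists points at the IKE proposal or PSK, while one that arrives after Quick Mode was initiated, as here, means Phase 1 was accepted and only the IPsec SA proposal was refused.</div>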