[Openswan Users] "no acceptable Proposal in IPsec SA" for roadwarrior conn between ASL 5.0 and Openswan 2.4.0rc5

Rodrigo Weymar Fonseca r.weymar at tu-bs.de
Tue May 16 13:01:33 CEST 2006


Hello all,

I am trying to create a roadwarrior VPN conn between a Suse 10 Linux machine and
Astaro Security Linux version 5.0 (ASL V5).

So far the ISAKMP SA is established. But the IPsec SA cannot be established.

The client machine (called suse10) is behind a NAT device. The ASL VPN server is
not. It uses a real IP address listed here as xxx.yyy.16.19. Please note that
both machines are in the same domain. It is a test VPN connection.

I am not sure if the problem is due to a potential right/left subnets
misconfiguration in the ipsec.conf or if it is a NAT-T problem. I also adjusted
the IPSec policies in the ASL V5 server to match those of the client. One
limitation of ASL Version 5.0 is the IKE algorithm. It does not support
3DES_CBC_192 as used by the client, but 3DES-CBC 168 bits. Could it be a problem?

It is important to note that I was able to establish a similar roadwarrior conn
to the ASL server from a Debian Sarge machine in the same subnet/domain.

Below are the logs of both the ASL server and the client machine, as well as other
relevant info:

suse10:~ # ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.0rc5/K2.6.13-15-smp (netkey)
Checking for IPsec support in kernel                            [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [FAILED]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Checking for 'setkey' command for NETKEY IPsec stack support    [OK]
Opportunistic Encryption Support                                [DISABLED]


suse10:~ # ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.1.122
000 interface eth0/eth0 192.168.1.122
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "road": 192.168.1.122[@suse10.domain.de]...xxx.yyy.16.19[@firewall.domain.de]; unrouted; eroute owner: #0
000 "road":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "road":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "road":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 32,32; interface: eth0;
000 "road":   newest ISAKMP SA: #5; newest IPsec SA: #0;
000 "road":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #10: "road":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 8s; nodpd
000 #5: "road":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2080s; newest ISAKMP; nodpd
000


Below is the ipsec log on the ASL server:


2006:05:16-09:59:14 firewall pluto[23491]: added connection description "D_suse10__vpn__test_0"
2006:05:16-10:22:37 firewall pluto[23491]: packet from 192.168.1.122:500: ignoring Vendor ID payload [4f45677750767f66...]
2006:05:16-10:22:37 firewall pluto[23491]: packet from 192.168.1.122:500: received Vendor ID payload [Dead Peer Detection]
2006:05:16-10:22:37 firewall pluto[23491]: packet from 192.168.1.122:500: ignoring Vendor ID payload [4a131c8107035845...]
2006:05:16-10:22:37 firewall pluto[23491]: packet from 192.168.1.122:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2006:05:16-10:22:37 firewall pluto[23491]: packet from 192.168.1.122:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2006:05:16-10:22:37 firewall pluto[23491]: packet from 192.168.1.122:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2006:05:16-10:22:37 firewall pluto[23491]: "D_suse10__vpn__test_0"[1] 192.168.1.122 #194: responding to Main Mode from unknown peer 192.168.1.122
2006:05:16-10:22:37 firewall pluto[23491]: "D_suse10__vpn__test_0"[1] 192.168.1.122 #194: transition from state (null) to state STATE_MAIN_R1
2006:05:16-10:22:37 firewall pluto[23491]: "D_suse10__vpn__test_0"[1] 192.168.1.122 #194: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
2006:05:16-10:22:37 firewall pluto[23491]: "D_suse10__vpn__test_0"[1] 192.168.1.122 #194: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
2006:05:16-10:22:37 firewall pluto[23491]: "D_suse10__vpn__test_0"[1] 192.168.1.122 #194: Main mode peer ID is ID_FQDN: '@suse10.domain.de'
2006:05:16-10:22:37 firewall pluto[23491]: "D_suse10__vpn__test_0"[1] 192.168.1.122 #194: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
2006:05:16-10:22:37 firewall pluto[23491]: | NAT-T: new mapping 192.168.1.122:500/4500)
2006:05:16-10:22:37 firewall pluto[23491]: "D_suse10__vpn__test_0"[1] 192.168.1.122:4500 #194: sent MR3, ISAKMP SA established
2006:05:16-10:22:37 firewall pluto[23491]: "D_suse10__vpn__test_0"[1] 192.168.1.122:4500 #195: IPsec Transform [ESP_AES (128), AUTH_ALGORITHM_HMAC_SHA1] refused due to strict flag
2006:05:16-10:22:37 firewall pluto[23491]: "D_suse10__vpn__test_0"[1] 192.168.1.122:4500 #195: no acceptable Proposal in IPsec SA
2006:05:16-10:22:37 firewall pluto[23491]: "D_suse10__vpn__test_0"[1] 192.168.1.122:4500 #195: sending encrypted notification NO_PROPOSAL_CHOSEN to 192.168.1.122:4500
2006:05:16-10:22:47 firewall pluto[23491]: "D_suse10__vpn__test_0"[1] 192.168.1.122:4500 #194: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x28bde6eb (perhaps this is a duplicated packet)
2006:05:16-10:22:47 firewall pluto[23491]: "D_suse10__vpn__test_0"[1] 192.168.1.122:4500 #194: sending encrypted notification INVALID_MESSAGE_ID to 192.168.1.122:4500
2006:05:16-10:23:07 firewall pluto[23491]: "D_suse10__vpn__test_0"[1] 192.168.1.122:4500 #194: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x28bde6eb (perhaps this is a duplicated packet)
2006:05:16-10:23:07 firewall pluto[23491]: "D_suse10__vpn__test_0"[1] 192.168.1.122:4500 #194: sending encrypted notification INVALID_MESSAGE_ID to 192.168.1.122:4500


Below is the ipsec.conf of the client machine (suse10):

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
         #plutodebug="control parsing"
         #interfaces=%defaultroute
         interfaces="ipsec0=eth0"
         klipsdebug=none
         plutodebug=none
         #forwardcontrol=yes
         nat_traversal=yes
         plutowait=yes
         #overridemtu=1420
         uniqueids=yes
         #virtual_private=%v4:192.168.1.0/24

conn %default
         keyingtries=3
         forceencaps=yes

conn road
         left=192.168.1.122             # Picks up our dynamic IP
         #leftsubnet=192.168.1.0/24
         #leftnexthop=192.168.1.1
         leftid=@suse10.domain.de       # Local information
         leftrsasigkey=0sAQ...
         #rightnexthop=192.168.1.1
         right=xxx.yyy.16.19            # Remote information
         rightid=@firewall.domain.de
         rightrsasigkey=0sAQN7...
         auto=add                       # authorizes but doesn't start this
                                       # connection at startup

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


Could someone help, please?

Thanks in advance!

Rodrigo
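The responder log in the post already contains the diagnosis: Phase 1 completes ("sent MR3, ISAKMP SA established"; the client's own status shows the ISAKMP SA as 3DES_CBC_192-MD5-MODP1536, so the IKE cipher is not what fails, and Openswan's "192" is the 3DES key length counted with its parity bits, the same key other products label 168-bit), and Phase 2 then fails because the ASL side rejects the client's proposed transform, ESP_AES (128) with HMAC_SHA1, "refused due to strict flag", and answers NO_PROPOSAL_CHOSEN. The later INVALID_MESSAGE_ID lines are only the client retransmitting the same Quick Mode message. The following is an added example, not code from the post, from Openswan or from Astaro: a small parser for pluto log lines that separates the two phases and pulls out the refused transform, the notifications sent and the rejected Quick Mode retransmits. The sample lines are constructed from the excerpt above; the field layout assumed by the regular expression (timestamp, host, pluto[pid], quoted connection name, peer, #state) is the one visible in that excerpt.

```python
import re

# Responder-side pluto log lines, constructed from the ASL excerpt in the post
# (same connection name, peer address and state numbers as shown there).
SAMPLE_LOG = """\
2006:05:16-10:22:37 firewall pluto[23491]: "D_suse10__vpn__test_0"[1] 192.168.1.122 #194: responding to Main Mode from unknown peer 192.168.1.122
2006:05:16-10:22:37 firewall pluto[23491]: | NAT-T: new mapping 192.168.1.122:500/4500)
2006:05:16-10:22:37 firewall pluto[23491]: "D_suse10__vpn__test_0"[1] 192.168.1.122:4500 #194: sent MR3, ISAKMP SA established
2006:05:16-10:22:37 firewall pluto[23491]: "D_suse10__vpn__test_0"[1] 192.168.1.122:4500 #195: IPsec Transform [ESP_AES (128), AUTH_ALGORITHM_HMAC_SHA1] refused due to strict flag
2006:05:16-10:22:37 firewall pluto[23491]: "D_suse10__vpn__test_0"[1] 192.168.1.122:4500 #195: no acceptable Proposal in IPsec SA
2006:05:16-10:22:37 firewall pluto[23491]: "D_suse10__vpn__test_0"[1] 192.168.1.122:4500 #195: sending encrypted notification NO_PROPOSAL_CHOSEN to 192.168.1.122:4500
2006:05:16-10:22:47 firewall pluto[23491]: "D_suse10__vpn__test_0"[1] 192.168.1.122:4500 #194: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x28bde6eb (perhaps this is a duplicated packet)
2006:05:16-10:22:47 firewall pluto[23491]: "D_suse10__vpn__test_0"[1] 192.168.1.122:4500 #194: sending encrypted notification INVALID_MESSAGE_ID to 192.168.1.122:4500
2006:05:16-10:23:07 firewall pluto[23491]: "D_suse10__vpn__test_0"[1] 192.168.1.122:4500 #194: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x28bde6eb (perhaps this is a duplicated packet)
"""

# One pluto line: timestamp, host, pid, quoted conn name with optional
# instance "[n]", peer address with optional ":port", state number, message.
# Layout assumed from the excerpt in the post; debug lines ("| ...") do not match.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'"(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>[\d.]+)(?::(?P<port>\d+))? '
    r'#(?P<sa>\d+): (?P<msg>.*)$'
)
REFUSED_RE = re.compile(
    r'IPsec Transform \[(?P<enc>[^,]+), (?P<auth>[^\]]+)\] refused due to strict flag'
)
NOTIFY_RE = re.compile(r'sending encrypted notification (?P<notify>[A-Z_]+) to')
DUP_MSGID_RE = re.compile(r'previously used Message ID (?P<msgid>0x[0-9a-fA-F]+)')


def parse_pluto_line(line):
    """Split one pluto line into its fields; None for lines without a
    connection/state prefix (for example the '| NAT-T: ...' debug line)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sa"] = int(rec["sa"])
    rec["port"] = int(rec["port"]) if rec["port"] else None
    return rec


def diagnose(log_text):
    """Classify a negotiation seen from the responder side.

    Returns whether Phase 1 completed, which ESP transforms the strict policy
    rejected, which notifications were sent, how often each Quick Mode
    message id was rejected as a replay, and a one-word verdict."""
    result = {
        "phase1_established": False,
        "refused_transforms": [],      # (encryption, integrity) pairs rejected
        "notifications": [],           # notifications sent by this side, in order
        "duplicate_message_ids": {},   # QM message id -> rejected retransmit count
        "verdict": "unknown",
    }
    for raw in log_text.splitlines():
        rec = parse_pluto_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if "ISAKMP SA established" in msg:
            result["phase1_established"] = True
        m = REFUSED_RE.search(msg)
        if m:
            result["refused_transforms"].append((m["enc"].strip(), m["auth"].strip()))
        m = NOTIFY_RE.search(msg)
        if m:
            result["notifications"].append(m["notify"])
        m = DUP_MSGID_RE.search(msg)
        if m:
            mid = m["msgid"].lower()
            result["duplicate_message_ids"][mid] = result["duplicate_message_ids"].get(mid, 0) + 1

    # A refused transform followed by NO_PROPOSAL_CHOSEN is a Phase 2 policy
    # mismatch; the INVALID_MESSAGE_ID lines that follow are only a symptom.
    if result["refused_transforms"] and "NO_PROPOSAL_CHOSEN" in result["notifications"]:
        result["verdict"] = "phase2_proposal_mismatch"
    elif not result["phase1_established"]:
        result["verdict"] = "phase1_failed"
    return result


if __name__ == "__main__":
    r = diagnose(SAMPLE_LOG)
    print("Phase 1 established :", r["phase1_established"])
    print("Refused transforms  :", r["refused_transforms"])
    print("Notifications sent  :", r["notifications"])
    print("Rejected QM retries :", r["duplicate_message_ids"])
    print("Verdict             :", r["verdict"])
```

With a verdict of phase2_proposal_mismatch the fix lives on the proposal, not on NAT-T or the subnets: either the ASL policy is widened to accept what the client offers, or the client pins its Phase 2 proposal with an `esp=` line in `conn road` (and its Phase 1 one with `ike=`) to what the server side accepts. The post does not show the ASL ESP policy, so the concrete value (for example `esp=3des-md5`, given here only as an illustration) has to come from the server configuration.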

