[Openswan Users] Not passing the "STATE_QUICK_I1: initiate" / NO_PROPOSAL_CHOSEN

Pawel Osiczko p.osiczko at tetrapyloctomy.org
Tue Mar 11 00:46:09 EDT 2008


Hello,

I'm trying to configure an openswan client to a Sonicwall TZ firewall. I'm using
openswan 4.12 with the NATT patch (openswan-2.4.10.kernel-2.6.22-natt.patch)
and the klips ipsec module from 4.12 on a vanilla 2.6.22.19 kernel.
With the configuration below (aggressive mode enabled, as that is the only
option working with Sonicwall), I verified that the protocol/encryption
specified for both phase 1 and 2 (3des-sha1), lifetime, and pfs in
ipsec.conf match the Sonicwall firewall. Phase 1 and Xauth seem to work ok, but
pluto does not get further than STATE_QUICK_I1 with NO_PROPOSAL_CHOSEN.
Could anyone point me in the right direction? I tried to disable/enable
compression, as 4.12 seems to have the compression+aggressive patch included.
I also tried various combinations of algorithms, to no avail. Any hints?

Here is output of "ipsec auto --verbose --up group"

002 "group" #1: initiating Aggressive Mode #1, connection "group"
112 "group" #1: STATE_AGGR_I1: initiate
003 "group" #1: ignoring unknown Vendor ID payload [5b362bc820f70001]
003 "group" #1: ignoring unknown Vendor ID payload [404bf439522ca3f6]
003 "group" #1: received Vendor ID payload [XAUTH]
002 "group" #1: Aggressive mode peer ID is ID_FQDN: '@0123456789AB'
002 "group" #1: Aggressive mode peer ID is ID_FQDN: '@0123456789AB'
002 "group" #1: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
004 "group" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
041 "group" #1: group prompt for Username:
Name enter:   user1
040 "group" #1: group prompt for Password:
Enter secret:
002 "group" #1: XAUTH: Answering XAUTH challenge with user='user1'
002 "group" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
004 "group" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
002 "group" #1: XAUTH: Successfully Authenticated
002 "group" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
004 "group" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
002 "group" #2: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+UP+AGGRESSIVE {using isakmp#1}
117 "group" #2: STATE_QUICK_I1: initiate
010 "group" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "group" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "group" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "group" #2: starting keying attempt 2 of an unlimited number, but releasing whack

The log shows:

Mar 10 20:34:07 chayka pluto[4445]: |  processing packet with exchange type=ISAKMP_XCHG_INFO (5)
Mar 10 20:34:07 chayka pluto[4445]: | ICOOKIE:  87 df a5 2e  c2 c0 25 b9
Mar 10 20:34:07 chayka pluto[4445]: | RCOOKIE:  3a 71 57 d5  ac f4 3d 5d
Mar 10 20:34:07 chayka pluto[4445]: | peer:  04 3a 7e 2a
Mar 10 20:34:07 chayka pluto[4445]: | state hash entry 22
Mar 10 20:34:07 chayka pluto[4445]: | peer and cookies match on #2, provided msgid 00000000 vs befb2828/00000000
Mar 10 20:34:07 chayka pluto[4445]: | peer and cookies match on #1, provided msgid 00000000 vs 00000000/931a5ad0
Mar 10 20:34:07 chayka pluto[4445]: | p15 state object #1 found, in STATE_XAUTH_I1
Mar 10 20:34:07 chayka pluto[4445]: | processing connection group
Mar 10 20:34:07 chayka pluto[4445]: | last Phase 1 IV:  73 b8 92 76  23 a6 1e 7a
Mar 10 20:34:07 chayka pluto[4445]: | current Phase 1 IV:  c0 52 51 40  8d 2c ae 1a
Mar 10 20:34:07 chayka pluto[4445]: | computed Phase 2 IV:
Mar 10 20:34:07 chayka pluto[4445]: |   40 76 2b ea  e0 df d8 26  2c 09 90 27  b0 77 1d 21
Mar 10 20:34:07 chayka pluto[4445]: |   20 05 00 b6
Mar 10 20:34:07 chayka pluto[4445]: | received encrypted packet from 4.58.126.42:500
Mar 10 20:34:07 chayka pluto[4445]: | decrypting 80 bytes using algorithm OAKLEY_3DES_CBC
Mar 10 20:34:07 chayka pluto[4445]: | decrypted:
Mar 10 20:34:07 chayka pluto[4445]: |   0b 00 00 18  d0 c5 71 b7  81 6d 87 1a  e4 c0 11 46
Mar 10 20:34:07 chayka pluto[4445]: |   ba 4e 71 83  b3 10 9e cc  00 00 00 34  00 00 00 01
Mar 10 20:34:07 chayka pluto[4445]: |   03 04 00 0e  8a 4d ca 64  00 06 00 04  be fb 28 28
Mar 10 20:34:07 chayka pluto[4445]: |   00 04 00 18  00 00 00 4e  6f 20 70 72  6f 70 6f 73
Mar 10 20:34:07 chayka pluto[4445]: |   61 6c 20 69  73 20 63 68  6f 73 65 6e  00 00 00 03
Mar 10 20:34:07 chayka pluto[4445]: | next IV:  fb 43 2b 02  b2 d0 bf 75
Mar 10 20:34:07 chayka pluto[4445]: | np=8 and sd=0x80f5770
Mar 10 20:34:07 chayka pluto[4445]: | ***parse ISAKMP Hash Payload:
Mar 10 20:34:07 chayka pluto[4445]: |    next payload type: ISAKMP_NEXT_N
Mar 10 20:34:07 chayka pluto[4445]: |    length: 24
Mar 10 20:34:07 chayka pluto[4445]: | np=11 and sd=0x80f5794
Mar 10 20:34:07 chayka pluto[4445]: | ***parse ISAKMP Notification Payload:
Mar 10 20:34:07 chayka pluto[4445]: |    next payload type: ISAKMP_NEXT_NONE
Mar 10 20:34:07 chayka pluto[4445]: |    length: 52
Mar 10 20:34:07 chayka pluto[4445]: |    DOI: ISAKMP_DOI_IPSEC
Mar 10 20:34:07 chayka pluto[4445]: |    protocol ID: 3
Mar 10 20:34:07 chayka pluto[4445]: |    SPI size: 4
Mar 10 20:34:07 chayka pluto[4445]: |    Notify Message Type: NO_PROPOSAL_CHOSEN
Mar 10 20:34:07 chayka pluto[4445]: | removing 4 bytes of padding
Mar 10 20:34:07 chayka pluto[4445]: "group" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Mar 10 20:34:07 chayka pluto[4445]: | info:  8a 4d ca 64  00 06 00 04  be fb 28 28  00 04 00 18
Mar 10 20:34:07 chayka pluto[4445]: |   00 00 00 4e  6f 20 70 72  6f 70 6f 73  61 6c 20 69
Mar 10 20:34:07 chayka pluto[4445]: |   73 20 63 68  6f 73 65 6e
Mar 10 20:34:07 chayka pluto[4445]: | processing informational NO_PROPOSAL_CHOSEN (14)
Mar 10 20:34:07 chayka pluto[4445]: "group" #1: received and ignored informational message
Mar 10 20:34:07 chayka pluto[4445]: | complete state transition with STF_IGNORE
Mar 10 20:34:07 chayka pluto[4445]: | next event EVENT_RETRANSMIT in 40 seconds for #2
Mar 10 20:34:47 chayka pluto[4445]: |
Mar 10 20:34:47 chayka pluto[4445]: | *time to handle event
Mar 10 20:34:47 chayka pluto[4445]: | handling event EVENT_RETRANSMIT
Mar 10 20:34:47 chayka pluto[4445]: | event after this is EVENT_SHUNT_SCAN in 30 seconds
Mar 10 20:34:47 chayka pluto[4445]: | processing connection group
Mar 10 20:34:47 chayka pluto[4445]: | handling event EVENT_RETRANSMIT for 4.58.126.42 "group" #2
Mar 10 20:34:47 chayka pluto[4445]: "group" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Mar 10 20:34:47 chayka pluto[4445]: "group" #2: starting keying attempt 2 of an unlimited number, but releasing whack


/etc/ipsec.secrets:
@GroupVPN @0123456789AB : PSK "mysecret"

/etc/ipsec.conf
version 2
config setup
         plutodebug="all"
         nat_traversal=yes
         nhelpers=0
         interfaces="ipsec0=eth0"
         plutoopts="--use-klips "
         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
         nocrsend=yes
         uniqueids=no

include /etc/ipsec.d/examples/no_oe.conf

conn group
   type=tunnel
   left=172.16.0.100
   leftid=@GroupVPN
   leftxauthclient=yes
   leftsendcert=no
   right=1.2.3.4
   rightid=@0123456789AB
   rightxauthserver=yes
   rightsubnet=192.168.25.0/24
   pfs=no
   auto=add
   auth=esp
   esp=3des-sha1
   ike=3des-sha1-modp1024
   xauth=yes
   authby=secret
   aggrmode=yes
   keylife=8h
   ikelifetime=8h
   keyexchange=ike
   compress=yes


tcpdump shows:

20:36:35.498441 IP 172.16.0.100.isakmp > 1.2.3.4.isakmp: isakmp: phase 1 I agg
20:36:35.874170 IP 1.2.3.4.isakmp > 172.16.0.100.isakmp: isakmp: phase 1 R agg
20:36:35.912059 IP 172.16.0.100.isakmp > 1.2.3.4.isakmp: isakmp: phase 1 I agg[E]
20:36:36.076064 IP 1.2.3.4.isakmp > 172.16.0.100.isakmp: isakmp: phase 2/others R #6[E]
20:36:46.972302 IP 172.16.0.100.isakmp > 1.2.3.4.isakmp: isakmp: phase 2/others I #6[E]
20:36:47.166688 IP 1.2.3.4.isakmp > 172.16.0.100.isakmp: isakmp: phase 2/others R #6[E]
20:36:47.208443 IP 172.16.0.100.isakmp > 1.2.3.4.isakmp: isakmp: phase 2/others I #6[E]
20:36:47.229496 IP 172.16.0.100.isakmp > 1.2.3.4.isakmp: isakmp: phase 2/others I oakley-quick[E]
20:36:47.442757 IP 1.2.3.4.isakmp > 172.16.0.100.isakmp: isakmp: phase 2/others R inf[E]
20:36:57.463905 IP 172.16.0.100.isakmp > 1.2.3.4.isakmp: isakmp: phase 2/others I oakley-quick[E]
20:37:17.464403 IP 172.16.0.100.isakmp > 1.2.3.4.isakmp: isakmp: phase 2/others I oakley-quick[E]
20:37:17.595417 IP 1.2.3.4.isakmp > 172.16.0.100.isakmp: isakmp: phase 2/others R inf[E]
20:37:57.624704 IP 172.16.0.100.isakmp > 1.2.3.4.isakmp: isakmp: phase 1 I agg
20:37:57.870186 IP 1.2.3.4.47155 > 172.16.0.100.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
20:37:57.870276 IP 172.16.0.100 > 1.2.3.4: ICMP 172.16.0.100 udp port netbios-ns unreachable, length 86

ipsec verify shows:

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan 2.4.12 (klips)
Checking for IPsec support in kernel                            [OK]
KLIPS detected, checking for NAT Traversal support              [OK]
Testing against enforced SElinux mode                           [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [DISABLED]
   ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [N/A]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]


Thanks in advance!

--p
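As an added example (not part of the original post and not Openswan code), here is a small Python decoder for the "decrypted:" hex dump in the pluto log above. It walks the generic ISAKMP payload headers (next payload, reserved, length), separates the trailing cipher padding the same way pluto reports it ("removing 4 bytes of padding"), and pulls the DOI, protocol ID, SPI, notify type and the peer's free-text data out of the Notification payload. The 80 hex bytes, the first payload type (HASH, from the log's "np=8" line) and the Quick Mode message ID befb2828 are copied from the log; the name tables are the RFC 2408 / RFC 2407 values; the function names are my own.

```python
"""Decode the decrypted ISAKMP informational body from the pluto debug log."""
import struct

# Constructed from the "decrypted:" hex dump in the pluto log
# (80 bytes of 3DES-CBC plaintext, trailing padding included).
DECRYPTED_HEX = (
    "0b 00 00 18 d0 c5 71 b7 81 6d 87 1a e4 c0 11 46 "
    "ba 4e 71 83 b3 10 9e cc 00 00 00 34 00 00 00 01 "
    "03 04 00 0e 8a 4d ca 64 00 06 00 04 be fb 28 28 "
    "00 04 00 18 00 00 00 4e 6f 20 70 72 6f 70 6f 73 "
    "61 6c 20 69 73 20 63 68 6f 73 65 6e 00 00 00 03"
)
# The first payload type lives in the cleartext ISAKMP header, which the dump
# omits; the log's "np=8 and sd=..." line tells us it is HASH (8).
FIRST_PAYLOAD = 8
# Quick Mode message ID of state #2, from the "provided msgid ... befb2828" line.
QUICK_MODE_MSGID = bytes.fromhex("befb2828")

# RFC 2408 payload types and notify types, RFC 2407 protocol IDs (subsets).
PAYLOAD_NAMES = {0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT",
                 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}
NOTIFY_NAMES = {1: "INVALID_PAYLOAD_TYPE", 4: "INVALID_COOKIE", 9: "INVALID_MESSAGE_ID",
                11: "INVALID_SPI", 14: "NO_PROPOSAL_CHOSEN", 16: "PAYLOAD_MALFORMED",
                18: "INVALID_ID_INFORMATION", 24: "AUTHENTICATION_FAILED",
                24576: "INITIAL_CONTACT"}
PROTO_NAMES = {1: "PROTO_ISAKMP", 2: "PROTO_IPSEC_AH", 3: "PROTO_IPSEC_ESP", 4: "PROTO_IPCOMP"}


def parse_payload_chain(body, first_type):
    """Follow the generic payload headers. Returns [(type, payload body)] and
    whatever bytes trail the last payload, i.e. the cipher padding."""
    payloads, off, ptype = [], 0, first_type
    while ptype != 0:
        if off + 4 > len(body):
            raise ValueError("truncated payload header at offset %d" % off)
        next_type, _reserved, length = struct.unpack("!BBH", body[off:off + 4])
        if length < 4 or off + length > len(body):
            raise ValueError("bad payload length %d at offset %d" % (length, off))
        payloads.append((ptype, body[off + 4:off + length]))
        off += length
        ptype = next_type
    return payloads, body[off:]


def parse_notification(data):
    """Notification payload body: DOI(4) proto(1) spi_size(1) type(2) SPI data."""
    if len(data) < 8:
        raise ValueError("notification payload too short")
    doi, proto_id, spi_size, ntype = struct.unpack("!IBBH", data[:8])
    if 8 + spi_size > len(data):
        raise ValueError("SPI runs past end of payload")
    return {
        "doi": doi,
        "protocol": PROTO_NAMES.get(proto_id, "unknown(%d)" % proto_id),
        "spi": data[8:8 + spi_size].hex(),
        "type": ntype,
        "name": NOTIFY_NAMES.get(ntype, "unknown(%d)" % ntype),
        "data": data[8 + spi_size:],
    }


def printable_text(blob):
    """Longest run of printable ASCII inside vendor-specific notify data."""
    best, cur = "", ""
    for b in blob:
        if 0x20 <= b < 0x7f:
            cur += chr(b)
        else:
            best, cur = max(best, cur, key=len), ""
    return max(best, cur, key=len)


def decode_informational(hex_dump=DECRYPTED_HEX, first_type=FIRST_PAYLOAD):
    body = bytes.fromhex(hex_dump)
    payloads, padding = parse_payload_chain(body, first_type)
    summary = {
        "payloads": [PAYLOAD_NAMES.get(t, "unknown(%d)" % t) for t, _ in payloads],
        "padding_len": len(padding),
        "notify": None,
    }
    for ptype, pdata in payloads:
        if ptype == 11:  # Notification
            n = parse_notification(pdata)
            n["text"] = printable_text(n["data"])
            n["mentions_quick_mode_msgid"] = QUICK_MODE_MSGID in n["data"]
            summary["notify"] = n
    return summary


if __name__ == "__main__":
    s = decode_informational()
    print("payload chain:", " -> ".join(s["payloads"]), "(%d bytes padding)" % s["padding_len"])
    n = s["notify"]
    print("notify: %s for %s SPI %s, text %r, msgid of #2 present: %s"
          % (n["name"], n["protocol"], n["spi"], n["text"], n["mentions_quick_mode_msgid"]))
```

Run against the dump, this yields HASH -> N with 4 bytes of padding, and a NO_PROPOSAL_CHOSEN notify for PROTO_IPSEC_ESP, SPI 8a4dca64, whose data carries the text "No proposal is chosen" together with the Quick Mode message ID befb2828 of state #2. So the Sonicwall is rejecting the phase 2 (ESP) proposal itself rather than anything in phase 1; and because pluto matched the informational exchange (msgid 0) to the ISAKMP SA #1, it logged it as "received and ignored" and let #2 retransmit to its limit instead of failing immediately. When comparing against the firewall's phase 2 settings, note that the proposal pluto sent is logged as PSK+ENCRYPT+COMPRESS+TUNNEL, i.e. it includes the IPCOMP transform from compress=yes as well as 3des-sha1.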

