[Openswan Users] Not passing the "STATE_QUICK_I1: initiate" / NO_PROPOSAL_CHOSEN
Pawel Osiczko
p.osiczko at tetrapyloctomy.org
Tue Mar 11 00:46:09 EDT 2008
Hello,
I'm trying to configure openswan client to a Sonicwall TZ firewall. I'm using
openswan 4.12 with NATT patch (openswan-2.4.10.kernel-2.6.22-natt.patch)
and klips ipsec module from 4.12 on a vanilla 2.6.22.19 kernel.
With the configuration below, aggressive mode enabled being the only
option working with Sonicwall, I verified that protocol/encryption
specified for both phase 1 and 2 (3des-sha1), lifetime, and pfs in
ipsec.conf match the Sonicwall firewall. Phase 1 and Xauth seem to work ok, but
pluto does not get past STATE_QUICK_I1 with NO_PROPOSAL_CHOSEN.
Could anyone point me in the right direction? I tried to disable/enable
compression as 4.12 seems to have the compression+aggressive patch included.
I also tried various combinations of algorithms, to no avail. Any hints?
Here is the output of "ipsec auto --verbose --up group":
002 "group" #1: initiating Aggressive Mode #1, connection "group"
112 "group" #1: STATE_AGGR_I1: initiate
003 "group" #1: ignoring unknown Vendor ID payload [5b362bc820f70001]
003 "group" #1: ignoring unknown Vendor ID payload [404bf439522ca3f6]
003 "group" #1: received Vendor ID payload [XAUTH]
002 "group" #1: Aggressive mode peer ID is ID_FQDN: '@0123456789AB'
002 "group" #1: Aggressive mode peer ID is ID_FQDN: '@0123456789AB'
002 "group" #1: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
004 "group" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
041 "group" #1: group prompt for Username:
Name enter: user1
040 "group" #1: group prompt for Password:
Enter secret:
002 "group" #1: XAUTH: Answering XAUTH challenge with user='user1'
002 "group" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
004 "group" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
002 "group" #1: XAUTH: Successfully Authenticated
002 "group" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
004 "group" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
002 "group" #2: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+UP+AGGRESSIVE {using isakmp#1}
117 "group" #2: STATE_QUICK_I1: initiate
010 "group" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "group" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "group" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "group" #2: starting keying attempt 2 of an unlimited number, but releasing whack
The log shows:
Mar 10 20:34:07 chayka pluto[4445]: | processing packet with exchange type=ISAKMP_XCHG_INFO (5)
Mar 10 20:34:07 chayka pluto[4445]: | ICOOKIE: 87 df a5 2e c2 c0 25 b9
Mar 10 20:34:07 chayka pluto[4445]: | RCOOKIE: 3a 71 57 d5 ac f4 3d 5d
Mar 10 20:34:07 chayka pluto[4445]: | peer: 04 3a 7e 2a
Mar 10 20:34:07 chayka pluto[4445]: | state hash entry 22
Mar 10 20:34:07 chayka pluto[4445]: | peer and cookies match on #2, provided msgid 00000000 vs befb2828/00000000
Mar 10 20:34:07 chayka pluto[4445]: | peer and cookies match on #1, provided msgid 00000000 vs 00000000/931a5ad0
Mar 10 20:34:07 chayka pluto[4445]: | p15 state object #1 found, in STATE_XAUTH_I1
Mar 10 20:34:07 chayka pluto[4445]: | processing connection group
Mar 10 20:34:07 chayka pluto[4445]: | last Phase 1 IV: 73 b8 92 76 23 a6 1e 7a
Mar 10 20:34:07 chayka pluto[4445]: | current Phase 1 IV: c0 52 51 40 8d 2c ae 1a
Mar 10 20:34:07 chayka pluto[4445]: | computed Phase 2 IV:
Mar 10 20:34:07 chayka pluto[4445]: | 40 76 2b ea e0 df d8 26 2c 09 90 27 b0 77 1d 21
Mar 10 20:34:07 chayka pluto[4445]: | 20 05 00 b6
Mar 10 20:34:07 chayka pluto[4445]: | received encrypted packet from 4.58.126.42:500
Mar 10 20:34:07 chayka pluto[4445]: | decrypting 80 bytes using algorithm OAKLEY_3DES_CBC
Mar 10 20:34:07 chayka pluto[4445]: | decrypted:
Mar 10 20:34:07 chayka pluto[4445]: | 0b 00 00 18 d0 c5 71 b7 81 6d 87 1a e4 c0 11 46
Mar 10 20:34:07 chayka pluto[4445]: | ba 4e 71 83 b3 10 9e cc 00 00 00 34 00 00 00 01
Mar 10 20:34:07 chayka pluto[4445]: | 03 04 00 0e 8a 4d ca 64 00 06 00 04 be fb 28 28
Mar 10 20:34:07 chayka pluto[4445]: | 00 04 00 18 00 00 00 4e 6f 20 70 72 6f 70 6f 73
Mar 10 20:34:07 chayka pluto[4445]: | 61 6c 20 69 73 20 63 68 6f 73 65 6e 00 00 00 03
Mar 10 20:34:07 chayka pluto[4445]: | next IV: fb 43 2b 02 b2 d0 bf 75
Mar 10 20:34:07 chayka pluto[4445]: | np=8 and sd=0x80f5770
Mar 10 20:34:07 chayka pluto[4445]: | ***parse ISAKMP Hash Payload:
Mar 10 20:34:07 chayka pluto[4445]: | next payload type: ISAKMP_NEXT_N
Mar 10 20:34:07 chayka pluto[4445]: | length: 24
Mar 10 20:34:07 chayka pluto[4445]: | np=11 and sd=0x80f5794
Mar 10 20:34:07 chayka pluto[4445]: | ***parse ISAKMP Notification Payload:
Mar 10 20:34:07 chayka pluto[4445]: | next payload type: ISAKMP_NEXT_NONE
Mar 10 20:34:07 chayka pluto[4445]: | length: 52
Mar 10 20:34:07 chayka pluto[4445]: | DOI: ISAKMP_DOI_IPSEC
Mar 10 20:34:07 chayka pluto[4445]: | protocol ID: 3
Mar 10 20:34:07 chayka pluto[4445]: | SPI size: 4
Mar 10 20:34:07 chayka pluto[4445]: | Notify Message Type: NO_PROPOSAL_CHOSEN
Mar 10 20:34:07 chayka pluto[4445]: | removing 4 bytes of padding
Mar 10 20:34:07 chayka pluto[4445]: "group" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Mar 10 20:34:07 chayka pluto[4445]: | info: 8a 4d ca 64 00 06 00 04 be fb 28 28 00 04 00 18
Mar 10 20:34:07 chayka pluto[4445]: | 00 00 00 4e 6f 20 70 72 6f 70 6f 73 61 6c 20 69
Mar 10 20:34:07 chayka pluto[4445]: | 73 20 63 68 6f 73 65 6e
Mar 10 20:34:07 chayka pluto[4445]: | processing informational NO_PROPOSAL_CHOSEN (14)
Mar 10 20:34:07 chayka pluto[4445]: "group" #1: received and ignored informational message
Mar 10 20:34:07 chayka pluto[4445]: | complete state transition with STF_IGNORE
Mar 10 20:34:07 chayka pluto[4445]: | next event EVENT_RETRANSMIT in 40 seconds for #2
Mar 10 20:34:47 chayka pluto[4445]: |
Mar 10 20:34:47 chayka pluto[4445]: | *time to handle event
Mar 10 20:34:47 chayka pluto[4445]: | handling event EVENT_RETRANSMIT
Mar 10 20:34:47 chayka pluto[4445]: | event after this is EVENT_SHUNT_SCAN in 30 seconds
Mar 10 20:34:47 chayka pluto[4445]: | processing connection group
Mar 10 20:34:47 chayka pluto[4445]: | handling event EVENT_RETRANSMIT for 4.58.126.42 "group" #2
Mar 10 20:34:47 chayka pluto[4445]: "group" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Mar 10 20:34:47 chayka pluto[4445]: "group" #2: starting keying attempt 2 of an unlimited number, but releasing whack
/etc/ipsec.secrets:
@GroupVPN @0123456789AB : PSK "mysecret"
/etc/ipsec.conf:
version 2
config setup
plutodebug="all"
nat_traversal=yes
nhelpers=0
interfaces="ipsec0=eth0"
plutoopts="--use-klips "
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
nocrsend=yes
uniqueids=no
include /etc/ipsec.d/examples/no_oe.conf
conn group
type=tunnel
left=172.16.0.100
leftid=@GroupVPN
leftxauthclient=yes
leftsendcert=no
right=1.2.3.4
rightid=@0123456789AB
rightxauthserver=yes
rightsubnet=192.168.25.0/24
pfs=no
auto=add
auth=esp
esp=3des-sha1
ike=3des-sha1-modp1024
xauth=yes
authby=secret
aggrmode=yes
keylife=8h
ikelifetime=8h
keyexchange=ike
compress=yes
tcpdump shows:
20:36:35.498441 IP 172.16.0.100.isakmp > 1.2.3.4.isakmp: isakmp: phase 1 I agg
20:36:35.874170 IP 1.2.3.4.isakmp > 172.16.0.100.isakmp: isakmp: phase 1 R agg
20:36:35.912059 IP 172.16.0.100.isakmp > 1.2.3.4.isakmp: isakmp: phase 1 I agg[E]
20:36:36.076064 IP 1.2.3.4.isakmp > 172.16.0.100.isakmp: isakmp: phase 2/others R #6[E]
20:36:46.972302 IP 172.16.0.100.isakmp > 1.2.3.4.isakmp: isakmp: phase 2/others I #6[E]
20:36:47.166688 IP 1.2.3.4.isakmp > 172.16.0.100.isakmp: isakmp: phase 2/others R #6[E]
20:36:47.208443 IP 172.16.0.100.isakmp > 1.2.3.4.isakmp: isakmp: phase 2/others I #6[E]
20:36:47.229496 IP 172.16.0.100.isakmp > 1.2.3.4.isakmp: isakmp: phase 2/others I oakley-quick[E]
20:36:47.442757 IP 1.2.3.4.isakmp > 172.16.0.100.isakmp: isakmp: phase 2/others R inf[E]
20:36:57.463905 IP 172.16.0.100.isakmp > 1.2.3.4.isakmp: isakmp: phase 2/others I oakley-quick[E]
20:37:17.464403 IP 172.16.0.100.isakmp > 1.2.3.4.isakmp: isakmp: phase 2/others I oakley-quick[E]
20:37:17.595417 IP 1.2.3.4.isakmp > 172.16.0.100.isakmp: isakmp: phase 2/others R inf[E]
20:37:57.624704 IP 172.16.0.100.isakmp > 1.2.3.4.isakmp: isakmp: phase 1 I agg
20:37:57.870186 IP 1.2.3.4.47155 > 172.16.0.100.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
20:37:57.870276 IP 172.16.0.100 > 1.2.3.4: ICMP 172.16.0.100 udp port netbios-ns unreachable, length 86
ipsec verify shows:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan 2.4.12 (klips)
Checking for IPsec support in kernel [OK]
KLIPS detected, checking for NAT Traversal support [OK]
Testing against enforced SElinux mode [OK]
Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
Thanks in advance!
--p
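The 80 bytes pluto decrypted in the log above are a Hash payload followed by the Notification payload that carries NO_PROPOSAL_CHOSEN. The Python below is added here and is not part of the original post or of Openswan; it walks that payload chain to show the fields pluto summarised (DOI, protocol ESP, SPI, notify type) and pulls out the readable text the SonicWall embedded in the notify data. Reading the notify data's second value as the rejected Quick Mode message ID is an observation from this capture (it matches the "befb2828" pluto logged), not a standard field.

```python
import re
import struct

# Plaintext of the 80-byte informational reply, transcribed from the
# "decrypted:" lines of the pluto debug log in the post above.
DECRYPTED = bytes.fromhex(
    "0b000018d0c571b7816d871ae4c01146ba4e7183b3109ecc"    # HASH payload
    "0000003400000001"                                    # N header + DOI
    "0304000e8a4dca6400060004befb282800040018000000"      # proto, type, SPI, data
    "4e6f2070726f706f73616c2069732063686f73656e00000003"  # "No proposal is chosen", pad
)
FIRST_NP = 8  # next-payload field of the ISAKMP header ("np=8" in the log)
PAYLOAD_NAMES = {0: "NONE", 8: "HASH", 11: "NOTIFICATION"}  # RFC 2408 values
NOTIFY_NAMES = {14: "NO_PROPOSAL_CHOSEN"}
PROTO_NAMES = {1: "ISAKMP", 2: "AH", 3: "ESP"}               # RFC 2407 values

def parse_payloads(data, first_np):
    """Walk the payload chain; return (payload list, trailing padding)."""
    payloads, np, off = [], first_np, 0
    while np != 0:
        next_np, _res, length = struct.unpack_from("!BBH", data, off)
        body = data[off + 4:off + length]
        entry = {"type": PAYLOAD_NAMES.get(np, np), "length": length}
        if np == 11:  # Notification: DOI(4) proto(1) spi_size(1) type(2) SPI data
            doi, proto, spi_size, msg_type = struct.unpack_from("!IBBH", body)
            entry.update(doi=doi, protocol=PROTO_NAMES.get(proto, proto),
                         notify=NOTIFY_NAMES.get(msg_type, msg_type),
                         spi=body[8:8 + spi_size].hex(),
                         notify_data=body[8 + spi_size:])
        payloads.append(entry)
        np, off = next_np, off + length
    return payloads, data[off:]  # leftover bytes are cipher padding

def longest_text(blob):
    # Longest run of printable ASCII in otherwise opaque notify data.
    runs = re.findall(rb"[ -~]{4,}", blob)
    return max(runs, key=len).decode() if runs else ""

def summarize(data=DECRYPTED, first_np=FIRST_NP):
    payloads, padding = parse_payloads(data, first_np)
    notify = next(p for p in payloads if p["type"] == "NOTIFICATION")
    return {"chain": [p["type"] for p in payloads], "padding": padding.hex(),
            "notify": notify["notify"], "protocol": notify["protocol"],
            "spi": notify["spi"], "text": longest_text(notify["notify_data"]),
            # Observation from this capture, not a standard field: bytes 4..8 of
            # the notify data equal the Quick Mode msgid pluto logged (befb2828).
            "msgid": notify["notify_data"][4:8].hex()}

if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key:9}: {value}")
```

The notify's protocol ID 3 (ESP) and the embedded text say the SonicWall rejected the Phase 2 proposal itself, so the IPsec (esp=/pfs=/compress=) settings, not the Phase 1 ones, are where the two sides disagree.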