[Openswan Users] Not passing the "STATE_QUICK_I1: initiate" /NO_PROPOSAL_CHOSEN
Peter McGill
petermcgill at goco.net
Tue Mar 11 10:17:05 EDT 2008
NO_PROPOSAL_CHOSEN means you have a configuration mismatch between the two
ipsec routers. So double check all your settings, in particular:

Make sure your left/rightsubnet values match on both ends. (They default to
left/right, so your automatic leftsubnet is 172.16.0.100/32.)

Make sure your phase 2 is using the same encryptions as phase 1 in your
remote router, i.e. 3DES SHA1.

Make sure your left/rightid values match on both ends.
Peter McGill
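As an added example (not part of this thread, and not Openswan code), the three checks above can be applied mechanically to a conn section. The script parses the conn from the quoted message, fills in the defaults that shape the Quick Mode proposal (leftsubnet/rightsubnet default to the left/right host as a /32, pfs defaults to yes, compress to no), and compares the effective values with the peer's view of the same tunnel. PEER_POLICY is a constructed stand-in for what a remote router might be configured with; it is not the poster's SonicWall configuration.

```python
# Added example, not from the thread: apply the NO_PROPOSAL_CHOSEN checklist
# (subnets, phase 2 algorithms, ids) to an Openswan "conn" section.
import re

# The conn from the quoted message (keys that affect the Quick Mode proposal).
CONN_TEXT = """\
conn group
        type=tunnel
        left=172.16.0.100
        leftid=@GroupVPN
        right=1.2.3.4
        rightid=@0123456789AB
        rightsubnet=192.168.25.0/24
        pfs=no
        esp=3des-sha1
        ike=3des-sha1-modp1024
        compress=yes
"""

# Constructed peer policy, written from the peer's point of view: its "local"
# side is our "right" side and vice versa. Not the poster's real settings.
PEER_POLICY = {
    "local_subnet": "192.168.25.0/24",
    "remote_subnet": "172.16.0.0/24",   # peer expects the whole client LAN
    "local_id": "@0123456789AB",
    "remote_id": "@GroupVPN",
    "esp": "3des-sha1",
    "pfs": "no",
    "compress": "no",
}

# Our setting name on the left, the peer's mirrored name on the right.
MIRRORED = [
    ("leftsubnet", "remote_subnet"),
    ("rightsubnet", "local_subnet"),
    ("leftid", "remote_id"),
    ("rightid", "local_id"),
    ("esp", "esp"),
    ("pfs", "pfs"),
    ("compress", "compress"),
]

def parse_conn(text):
    """Return {conn_name: {key: value}} for the conn sections in an ipsec.conf fragment."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def effective_phase2(conn):
    """Copy a conn and fill in the defaults that shape the Quick Mode proposal."""
    eff = dict(conn)
    for side in ("left", "right"):
        if side + "subnet" not in eff and side in eff:
            eff[side + "subnet"] = eff[side] + "/32"   # default: the host itself
    eff.setdefault("pfs", "yes")        # Openswan default
    eff.setdefault("compress", "no")    # Openswan default
    return eff

def mismatches(ours, peer):
    """List every mirrored setting where our effective value differs from the peer's."""
    problems = []
    for our_key, peer_key in MIRRORED:
        a, b = ours.get(our_key), peer.get(peer_key)
        if a != b:
            problems.append("%s=%r on our side, but peer has %s=%r" % (our_key, a, peer_key, b))
    return problems

def check(conn_text=CONN_TEXT, peer=PEER_POLICY, name="group"):
    """Run the checklist for one conn; returns the list of mismatch descriptions."""
    eff = effective_phase2(parse_conn(conn_text)[name])
    return mismatches(eff, peer)

if __name__ == "__main__":
    for line in check() or ["no mismatches found"]:
        print(line)
```

With the constructed peer policy the script reports two differences: the defaulted leftsubnet (172.16.0.100/32 versus the /24 the peer expects) and compress=yes versus no. Both are exactly the kind of silent mismatch that produces NO_PROPOSAL_CHOSEN after a successful Phase 1, since Phase 1 never looks at them.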
> -----Original Message-----
> From: users-bounces at openswan.org
> [mailto:users-bounces at openswan.org] On Behalf Of Pawel Osiczko
> Sent: March 11, 2008 12:46 AM
> To: users at openswan.org
> Subject: [Openswan Users] Not passing the "STATE_QUICK_I1:
> initiate" /NO_PROPOSAL_CHOSEN
>
> Hello,
>
> I'm trying to configure openswan client to a Sonicwall TZ firewall. I'm using
> openswan 4.12 with NATT patch (openswan-2.4.10.kernel-2.6.22-natt.patch)
> and klips ipsec module from 4.12 on a vanilla 2.6.22.19 kernel.
> With the configuration below, aggressive mode enabled being the only
> option working with Sonicwall, I verified that protocol/encryption
> specified for both phase 1 and 2 (3des-sha1), lifetime, and pfs in
> ipsec.conf match the Sonicwall firewall. Phase 1 and Xauth seem to work ok,
> but pluto does not pass further than STATE_QUICK_I1 with NO_PROPOSAL_CHOSEN.
> Could anyone point me in the right direction? I tried to disable/enable
> compression as 4.12 seems to have the compression+aggressive patch included.
> I also tried various combinations of algorithms, to no avail.
> Any hints?
>
> Here is output of "ipsec auto --verbose --up group"
>
> 002 "group" #1: initiating Aggressive Mode #1, connection "group"
> 112 "group" #1: STATE_AGGR_I1: initiate
> 003 "group" #1: ignoring unknown Vendor ID payload [5b362bc820f70001]
> 003 "group" #1: ignoring unknown Vendor ID payload [404bf439522ca3f6]
> 003 "group" #1: received Vendor ID payload [XAUTH]
> 002 "group" #1: Aggressive mode peer ID is ID_FQDN: '@0123456789AB'
> 002 "group" #1: Aggressive mode peer ID is ID_FQDN: '@0123456789AB'
> 002 "group" #1: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
> 004 "group" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> 041 "group" #1: group prompt for Username:
> Name enter: user1
> 040 "group" #1: group prompt for Password:
> Enter secret:
> 002 "group" #1: XAUTH: Answering XAUTH challenge with user='user1'
> 002 "group" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
> 004 "group" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
> 002 "group" #1: XAUTH: Successfully Authenticated
> 002 "group" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
> 004 "group" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
> 002 "group" #2: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+UP+AGGRESSIVE {using isakmp#1}
> 117 "group" #2: STATE_QUICK_I1: initiate
> 010 "group" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
> 010 "group" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
> 031 "group" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
> 000 "group" #2: starting keying attempt 2 of an unlimited number, but releasing whack
>
> The log shows:
>
> Mar 10 20:34:07 chayka pluto[4445]: | processing packet with exchange type=ISAKMP_XCHG_INFO (5)
> Mar 10 20:34:07 chayka pluto[4445]: | ICOOKIE: 87 df a5 2e c2 c0 25 b9
> Mar 10 20:34:07 chayka pluto[4445]: | RCOOKIE: 3a 71 57 d5 ac f4 3d 5d
> Mar 10 20:34:07 chayka pluto[4445]: | peer: 04 3a 7e 2a
> Mar 10 20:34:07 chayka pluto[4445]: | state hash entry 22
> Mar 10 20:34:07 chayka pluto[4445]: | peer and cookies match on #2, provided msgid 00000000 vs befb2828/00000000
> Mar 10 20:34:07 chayka pluto[4445]: | peer and cookies match on #1, provided msgid 00000000 vs 00000000/931a5ad0
> Mar 10 20:34:07 chayka pluto[4445]: | p15 state object #1 found, in STATE_XAUTH_I1
> Mar 10 20:34:07 chayka pluto[4445]: | processing connection group
> Mar 10 20:34:07 chayka pluto[4445]: | last Phase 1 IV: 73 b8 92 76 23 a6 1e 7a
> Mar 10 20:34:07 chayka pluto[4445]: | current Phase 1 IV: c0 52 51 40 8d 2c ae 1a
> Mar 10 20:34:07 chayka pluto[4445]: | computed Phase 2 IV:
> Mar 10 20:34:07 chayka pluto[4445]: | 40 76 2b ea e0 df d8 26 2c 09 90 27 b0 77 1d 21
> Mar 10 20:34:07 chayka pluto[4445]: | 20 05 00 b6
> Mar 10 20:34:07 chayka pluto[4445]: | received encrypted packet from 4.58.126.42:500
> Mar 10 20:34:07 chayka pluto[4445]: | decrypting 80 bytes using algorithm OAKLEY_3DES_CBC
> Mar 10 20:34:07 chayka pluto[4445]: | decrypted:
> Mar 10 20:34:07 chayka pluto[4445]: | 0b 00 00 18 d0 c5 71 b7 81 6d 87 1a e4 c0 11 46
> Mar 10 20:34:07 chayka pluto[4445]: | ba 4e 71 83 b3 10 9e cc 00 00 00 34 00 00 00 01
> Mar 10 20:34:07 chayka pluto[4445]: | 03 04 00 0e 8a 4d ca 64 00 06 00 04 be fb 28 28
> Mar 10 20:34:07 chayka pluto[4445]: | 00 04 00 18 00 00 00 4e 6f 20 70 72 6f 70 6f 73
> Mar 10 20:34:07 chayka pluto[4445]: | 61 6c 20 69 73 20 63 68 6f 73 65 6e 00 00 00 03
> Mar 10 20:34:07 chayka pluto[4445]: | next IV: fb 43 2b 02 b2 d0 bf 75
> Mar 10 20:34:07 chayka pluto[4445]: | np=8 and sd=0x80f5770
> Mar 10 20:34:07 chayka pluto[4445]: | ***parse ISAKMP Hash Payload:
> Mar 10 20:34:07 chayka pluto[4445]: | next payload type: ISAKMP_NEXT_N
> Mar 10 20:34:07 chayka pluto[4445]: | length: 24
> Mar 10 20:34:07 chayka pluto[4445]: | np=11 and sd=0x80f5794
> Mar 10 20:34:07 chayka pluto[4445]: | ***parse ISAKMP Notification Payload:
> Mar 10 20:34:07 chayka pluto[4445]: | next payload type: ISAKMP_NEXT_NONE
> Mar 10 20:34:07 chayka pluto[4445]: | length: 52
> Mar 10 20:34:07 chayka pluto[4445]: | DOI: ISAKMP_DOI_IPSEC
> Mar 10 20:34:07 chayka pluto[4445]: | protocol ID: 3
> Mar 10 20:34:07 chayka pluto[4445]: | SPI size: 4
> Mar 10 20:34:07 chayka pluto[4445]: | Notify Message Type: NO_PROPOSAL_CHOSEN
> Mar 10 20:34:07 chayka pluto[4445]: | removing 4 bytes of padding
> Mar 10 20:34:07 chayka pluto[4445]: "group" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
> Mar 10 20:34:07 chayka pluto[4445]: | info: 8a 4d ca 64 00 06 00 04 be fb 28 28 00 04 00 18
> Mar 10 20:34:07 chayka pluto[4445]: | 00 00 00 4e 6f 20 70 72 6f 70 6f 73 61 6c 20 69
> Mar 10 20:34:07 chayka pluto[4445]: | 73 20 63 68 6f 73 65 6e
> Mar 10 20:34:07 chayka pluto[4445]: | processing informational NO_PROPOSAL_CHOSEN (14)
> Mar 10 20:34:07 chayka pluto[4445]: "group" #1: received and ignored informational message
> Mar 10 20:34:07 chayka pluto[4445]: | complete state transition with STF_IGNORE
> Mar 10 20:34:07 chayka pluto[4445]: | next event EVENT_RETRANSMIT in 40 seconds for #2
> Mar 10 20:34:47 chayka pluto[4445]: |
> Mar 10 20:34:47 chayka pluto[4445]: | *time to handle event
> Mar 10 20:34:47 chayka pluto[4445]: | handling event EVENT_RETRANSMIT
> Mar 10 20:34:47 chayka pluto[4445]: | event after this is EVENT_SHUNT_SCAN in 30 seconds
> Mar 10 20:34:47 chayka pluto[4445]: | processing connection group
> Mar 10 20:34:47 chayka pluto[4445]: | handling event EVENT_RETRANSMIT for 4.58.126.42 "group" #2
> Mar 10 20:34:47 chayka pluto[4445]: "group" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
> Mar 10 20:34:47 chayka pluto[4445]: "group" #2: starting keying attempt 2 of an unlimited number, but releasing whack
>
>
> /etc/ipsec.secrets:
> @GroupVPN @0123456789AB : PSK "mysecret"
>
> /etc/ipsec.conf
> version 2
> config setup
>         plutodebug="all"
>         nat_traversal=yes
>         nhelpers=0
>         interfaces="ipsec0=eth0"
>         plutoopts="--use-klips "
>         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>         nocrsend=yes
>         uniqueids=no
>
> include /etc/ipsec.d/examples/no_oe.conf
>
> conn group
>         type=tunnel
>         left=172.16.0.100
>         leftid=@GroupVPN
>         leftxauthclient=yes
>         leftsendcert=no
>         right=1.2.3.4
>         rightid=@0123456789AB
>         rightxauthserver=yes
>         rightsubnet=192.168.25.0/24
>         pfs=no
>         auto=add
>         auth=esp
>         esp=3des-sha1
>         ike=3des-sha1-modp1024
>         xauth=yes
>         authby=secret
>         aggrmode=yes
>         keylife=8h
>         ikelifetime=8h
>         keyexchange=ike
>         compress=yes
>
>
> tcpdump shows:
>
> 20:36:35.498441 IP 172.16.0.100.isakmp > 1.2.3.4.isakmp: isakmp: phase 1 I agg
> 20:36:35.874170 IP 1.2.3.4.isakmp > 172.16.0.100.isakmp: isakmp: phase 1 R agg
> 20:36:35.912059 IP 172.16.0.100.isakmp > 1.2.3.4.isakmp: isakmp: phase 1 I agg[E]
> 20:36:36.076064 IP 1.2.3.4.isakmp > 172.16.0.100.isakmp: isakmp: phase 2/others R #6[E]
> 20:36:46.972302 IP 172.16.0.100.isakmp > 1.2.3.4.isakmp: isakmp: phase 2/others I #6[E]
> 20:36:47.166688 IP 1.2.3.4.isakmp > 172.16.0.100.isakmp: isakmp: phase 2/others R #6[E]
> 20:36:47.208443 IP 172.16.0.100.isakmp > 1.2.3.4.isakmp: isakmp: phase 2/others I #6[E]
> 20:36:47.229496 IP 172.16.0.100.isakmp > 1.2.3.4.isakmp: isakmp: phase 2/others I oakley-quick[E]
> 20:36:47.442757 IP 1.2.3.4.isakmp > 172.16.0.100.isakmp: isakmp: phase 2/others R inf[E]
> 20:36:57.463905 IP 172.16.0.100.isakmp > 1.2.3.4.isakmp: isakmp: phase 2/others I oakley-quick[E]
> 20:37:17.464403 IP 172.16.0.100.isakmp > 1.2.3.4.isakmp: isakmp: phase 2/others I oakley-quick[E]
> 20:37:17.595417 IP 1.2.3.4.isakmp > 172.16.0.100.isakmp: isakmp: phase 2/others R inf[E]
> 20:37:57.624704 IP 172.16.0.100.isakmp > 1.2.3.4.isakmp: isakmp: phase 1 I agg
> 20:37:57.870186 IP 1.2.3.4.47155 > 172.16.0.100.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
> 20:37:57.870276 IP 172.16.0.100 > 1.2.3.4: ICMP 172.16.0.100 udp port netbios-ns unreachable, length 86
>
> ipsec verify shows:
>
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path [OK]
> Linux Openswan 2.4.12 (klips)
> Checking for IPsec support in kernel [OK]
> KLIPS detected, checking for NAT Traversal support [OK]
> Testing against enforced SElinux mode [OK]
> Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
> ipsec showhostkey: no default key in "/etc/ipsec.secrets"
> Checking that pluto is running [OK]
> Two or more interfaces found, checking IP forwarding [OK]
> Checking NAT and MASQUERADEing [N/A]
> Checking for 'ip' command [OK]
> Checking for 'iptables' command [OK]
> Opportunistic Encryption Support [DISABLED]
>
>
> Thanks in advance!
>
> --p
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
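The quoted pluto log already contains the peer's answer in decrypted form (the "decrypted:" hex dump, 80 bytes). As an added example, not code from this thread or from Openswan, the script below walks that dump as an ISAKMP payload chain and decodes the Notification payload, which shows exactly what was rejected. Payload type and notify type numbers are the RFC 2408 values and the protocol IDs the RFC 2407 (IPsec DOI) values; DECRYPTED_HEX is copied from the log above, and the type of the first payload (8 = HASH) is taken from pluto's "np=8" line, since it lives in the ISAKMP header rather than in the dump.

```python
# Added example, not from the thread: decode the decrypted ISAKMP payload chain
# pluto printed, to see which SA the peer refused and any text it attached.
import struct

# Copied from the "decrypted:" lines in the quoted log (5 x 16 bytes).
DECRYPTED_HEX = """
0b 00 00 18 d0 c5 71 b7 81 6d 87 1a e4 c0 11 46
ba 4e 71 83 b3 10 9e cc 00 00 00 34 00 00 00 01
03 04 00 0e 8a 4d ca 64 00 06 00 04 be fb 28 28
00 04 00 18 00 00 00 4e 6f 20 70 72 6f 70 6f 73
61 6c 20 69 73 20 63 68 6f 73 65 6e 00 00 00 03
"""

PAYLOAD_TYPES = {0: "NONE", 1: "SA", 2: "PROPOSAL", 3: "TRANSFORM", 4: "KE",
                 5: "ID", 6: "CERT", 7: "CR", 8: "HASH", 9: "SIG",
                 10: "NONCE", 11: "NOTIFICATION", 12: "DELETE", 13: "VID"}
PROTOCOL_IDS = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}
NOTIFY_TYPES = {1: "INVALID_PAYLOAD_TYPE", 4: "INVALID_COOKIE",
                7: "INVALID_EXCHANGE_TYPE", 9: "INVALID_MESSAGE_ID",
                11: "INVALID_SPI", 14: "NO_PROPOSAL_CHOSEN",
                16: "PAYLOAD_MALFORMED", 18: "INVALID_ID_INFORMATION",
                24: "AUTHENTICATION_FAILED"}

def parse_payload_chain(data, first_type):
    """Walk the generic payload headers (next payload, reserved, length).
    Returns ([(type_name, body), ...], trailing_bytes). Every length is
    checked against the buffer so a malformed dump raises instead of
    reading past the end."""
    payloads, ptype, off = [], first_type, 0
    while ptype != 0:
        if off + 4 > len(data):
            raise ValueError("truncated payload header at offset %d" % off)
        nxt, _reserved, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length %d at offset %d" % (length, off))
        payloads.append((PAYLOAD_TYPES.get(ptype, "TYPE_%d" % ptype), data[off + 4:off + length]))
        off, ptype = off + length, nxt
    return payloads, data[off:]          # whatever is left is cipher padding

def parse_notification(body):
    """Decode a Notification payload body: DOI(4) proto(1) spi_size(1) type(2) SPI data."""
    if len(body) < 8:
        raise ValueError("notification body too short")
    doi, proto, spi_size, ntype = struct.unpack_from("!IBBH", body, 0)
    if 8 + spi_size > len(body):
        raise ValueError("SPI size exceeds payload")
    return {
        "doi": doi,
        "protocol": PROTOCOL_IDS.get(proto, "PROTO_%d" % proto),
        "spi": body[8:8 + spi_size].hex(),
        "type": NOTIFY_TYPES.get(ntype, "NOTIFY_%d" % ntype),
        "data": body[8 + spi_size:],
    }

def printable_runs(blob, min_len=4):
    """Return the runs of printable ASCII in a byte string (vendor text often hides here)."""
    runs, cur = [], []
    for b in blob + b"\x00":             # sentinel flushes the last run
        if 0x20 <= b < 0x7f:
            cur.append(chr(b))
        else:
            if len(cur) >= min_len:
                runs.append("".join(cur))
            cur = []
    return runs

def decode(hexdump=DECRYPTED_HEX, first_type=8):
    """Decode a pluto 'decrypted:' dump; returns (payload names, notification dict or None, padding)."""
    data = bytes.fromhex("".join(hexdump.split()))
    payloads, padding = parse_payload_chain(data, first_type)
    notify = next((parse_notification(body) for name, body in payloads
                   if name == "NOTIFICATION"), None)
    return [name for name, _ in payloads], notify, padding

if __name__ == "__main__":
    names, notify, padding = decode()
    print("payloads:", names, "padding:", padding.hex())
    if notify:
        print("%s for %s, SPI %s, text %r" % (notify["type"], notify["protocol"],
                                              notify["spi"], printable_runs(notify["data"])))
```

Run against the dump it reports a HASH payload followed by a NOTIFICATION of type NO_PROPOSAL_CHOSEN for protocol 3 (ESP), which matches pluto's own parse, plus the text "No proposal is chosen" that the peer embedded in the notification data. The data also starts with 00 06 00 04 be fb 28 28, and befb2828 is the message ID pluto logged for state #2, so the notification is answering that Quick Mode exchange rather than Phase 1. Since pluto only logs "ignoring informational payload", decoding the bytes this way is the quickest confirmation that it is the Phase 2 (ESP) proposal the peer dislikes, which is where the subnet, ESP algorithm and PFS settings live.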