[Openswan Users] Not passing the "STATE_QUICK_I1: initiate" /NO_PROPOSAL_CHOSEN

Peter McGill petermcgill at goco.net
Tue Mar 11 10:17:05 EDT 2008


NO_PROPOSAL_CHOSEN means you have a configuration
mismatch between the two ipsec routers. So double
check all your settings, in particular:

Make sure your left/rightsubnet values match on both ends.
(They default to left/right, so your automatic leftsubnet
is 172.16.0.100/32.)
Make sure your phase 2 is using the same encryptions as
phase 1 in your remote router, i.e. 3DES SHA1.
Make sure your left/rightid values match on both ends.


Peter McGill
 

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Pawel Osiczko
> Sent: March 11, 2008 12:46 AM
> To: users at openswan.org
> Subject: [Openswan Users] Not passing the "STATE_QUICK_I1: 
> initiate" /NO_PROPOSAL_CHOSEN
> 
> Hello,
> 
> I'm trying to configure an openswan client to a Sonicwall TZ 
> firewall. I'm using
> openswan 4.12 with the NATT patch 
> (openswan-2.4.10.kernel-2.6.22-natt.patch)
> and the klips ipsec module from 4.12 on a vanilla 2.6.22.19 kernel.
> With the configuration below, aggressive mode enabled being the only
> option working with Sonicwall, I verified that the protocol/encryption
> specified for both phase 1 and 2 (3des-sha1), lifetime, and pfs in
> ipsec.conf match the Sonicwall firewall. Phase 1 and Xauth 
> seem to work OK, but
> pluto does not pass further than STATE_QUICK_I1 with 
> NO_PROPOSAL_CHOSEN.
> Could anyone point me in the right direction? I tried to 
> disable/enable
> compression, as 4.12 seems to have the compression+aggressive 
> patch included.
> I also tried various combinations of algorithms, to no avail. 
> Any hints?
> 
> Here is output of "ipsec auto --verbose --up group"
> 
> 002 "group" #1: initiating Aggressive Mode #1, connection "group"
> 112 "group" #1: STATE_AGGR_I1: initiate
> 003 "group" #1: ignoring unknown Vendor ID payload [5b362bc820f70001]
> 003 "group" #1: ignoring unknown Vendor ID payload [404bf439522ca3f6]
> 003 "group" #1: received Vendor ID payload [XAUTH]
> 002 "group" #1: Aggressive mode peer ID is ID_FQDN: '@0123456789AB'
> 002 "group" #1: Aggressive mode peer ID is ID_FQDN: '@0123456789AB'
> 002 "group" #1: transition from state STATE_AGGR_I1 to state 
> STATE_AGGR_I2
> 004 "group" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA 
> established {auth=OAKLEY_PRESHARED_KEY 
> cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> 041 "group" #1: group prompt for Username:
> Name enter:   user1
> 040 "group" #1: group prompt for Password:
> Enter secret:
> 002 "group" #1: XAUTH: Answering XAUTH challenge with user='user1'
> 002 "group" #1: transition from state STATE_XAUTH_I0 to state 
> STATE_XAUTH_I1
> 004 "group" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
> 002 "group" #1: XAUTH: Successfully Authenticated
> 002 "group" #1: transition from state STATE_XAUTH_I0 to state 
> STATE_XAUTH_I1
> 004 "group" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
> 002 "group" #2: initiating Quick Mode 
> PSK+ENCRYPT+COMPRESS+TUNNEL+UP+AGGRESSIVE {using isakmp#1}
> 117 "group" #2: STATE_QUICK_I1: initiate
> 010 "group" #2: STATE_QUICK_I1: retransmission; will wait 20s 
> for response
> 010 "group" #2: STATE_QUICK_I1: retransmission; will wait 40s 
> for response
> 031 "group" #2: max number of retransmissions (2) reached 
> STATE_QUICK_I1.  No acceptable response to our first Quick 
> Mode message: perhaps peer likes no proposal
> 000 "group" #2: starting keying attempt 2 of an unlimited 
> number, but releasing whack
> 
> The log shows:
> 
> Mar 10 20:34:07 chayka pluto[4445]: |  processing packet with 
> exchange type=ISAKMP_XCHG_INFO (5)
> Mar 10 20:34:07 chayka pluto[4445]: | ICOOKIE:  87 df a5 2e  
> c2 c0 25 b9
> Mar 10 20:34:07 chayka pluto[4445]: | RCOOKIE:  3a 71 57 d5  
> ac f4 3d 5d
> Mar 10 20:34:07 chayka pluto[4445]: | peer:  04 3a 7e 2a
> Mar 10 20:34:07 chayka pluto[4445]: | state hash entry 22
> Mar 10 20:34:07 chayka pluto[4445]: | peer and cookies match 
> on #2, provided msgid 00000000 vs befb2828/00000000
> Mar 10 20:34:07 chayka pluto[4445]: | peer and cookies match 
> on #1, provided msgid 00000000 vs 00000000/931a5ad0
> Mar 10 20:34:07 chayka pluto[4445]: | p15 state object #1 
> found, in STATE_XAUTH_I1
> Mar 10 20:34:07 chayka pluto[4445]: | processing connection group
> Mar 10 20:34:07 chayka pluto[4445]: | last Phase 1 IV:  73 b8 
> 92 76  23 a6 1e 7a
> Mar 10 20:34:07 chayka pluto[4445]: | current Phase 1 IV:  c0 
> 52 51 40  8d 2c ae 1a
> Mar 10 20:34:07 chayka pluto[4445]: | computed Phase 2 IV:
> Mar 10 20:34:07 chayka pluto[4445]: |   40 76 2b ea  e0 df d8 
> 26  2c 09 90 27  b0 77 1d 21
> Mar 10 20:34:07 chayka pluto[4445]: |   20 05 00 b6
> Mar 10 20:34:07 chayka pluto[4445]: | received encrypted 
> packet from 4.58.126.42:500
> Mar 10 20:34:07 chayka pluto[4445]: | decrypting 80 bytes 
> using algorithm OAKLEY_3DES_CBC
> Mar 10 20:34:07 chayka pluto[4445]: | decrypted:
> Mar 10 20:34:07 chayka pluto[4445]: |   0b 00 00 18  d0 c5 71 
> b7  81 6d 87 1a  e4 c0 11 46
> Mar 10 20:34:07 chayka pluto[4445]: |   ba 4e 71 83  b3 10 9e 
> cc  00 00 00 34  00 00 00 01
> Mar 10 20:34:07 chayka pluto[4445]: |   03 04 00 0e  8a 4d ca 
> 64  00 06 00 04  be fb 28 28
> Mar 10 20:34:07 chayka pluto[4445]: |   00 04 00 18  00 00 00 
> 4e  6f 20 70 72  6f 70 6f 73
> Mar 10 20:34:07 chayka pluto[4445]: |   61 6c 20 69  73 20 63 
> 68  6f 73 65 6e  00 00 00 03
> Mar 10 20:34:07 chayka pluto[4445]: | next IV:  fb 43 2b 02  
> b2 d0 bf 75
> Mar 10 20:34:07 chayka pluto[4445]: | np=8 and sd=0x80f5770
> Mar 10 20:34:07 chayka pluto[4445]: | ***parse ISAKMP Hash Payload:
> Mar 10 20:34:07 chayka pluto[4445]: |    next payload type: 
> ISAKMP_NEXT_N
> Mar 10 20:34:07 chayka pluto[4445]: |    length: 24
> Mar 10 20:34:07 chayka pluto[4445]: | np=11 and sd=0x80f5794
> Mar 10 20:34:07 chayka pluto[4445]: | ***parse ISAKMP 
> Notification Payload:
> Mar 10 20:34:07 chayka pluto[4445]: |    next payload type: 
> ISAKMP_NEXT_NONE
> Mar 10 20:34:07 chayka pluto[4445]: |    length: 52
> Mar 10 20:34:07 chayka pluto[4445]: |    DOI: ISAKMP_DOI_IPSEC
> Mar 10 20:34:07 chayka pluto[4445]: |    protocol ID: 3
> Mar 10 20:34:07 chayka pluto[4445]: |    SPI size: 4
> Mar 10 20:34:07 chayka pluto[4445]: |    Notify Message Type: 
> NO_PROPOSAL_CHOSEN
> Mar 10 20:34:07 chayka pluto[4445]: | removing 4 bytes of padding
> Mar 10 20:34:07 chayka pluto[4445]: "group" #1: ignoring 
> informational payload, type NO_PROPOSAL_CHOSEN
> Mar 10 20:34:07 chayka pluto[4445]: | info:  8a 4d ca 64  00 
> 06 00 04  be fb 28 28  00 04 00 18
> Mar 10 20:34:07 chayka pluto[4445]: |   00 00 00 4e  6f 20 70 
> 72  6f 70 6f 73  61 6c 20 69
> Mar 10 20:34:07 chayka pluto[4445]: |   73 20 63 68  6f 73 65 6e
> Mar 10 20:34:07 chayka pluto[4445]: | processing 
> informational NO_PROPOSAL_CHOSEN (14)
> Mar 10 20:34:07 chayka pluto[4445]: "group" #1: received and 
> ignored informational message
> Mar 10 20:34:07 chayka pluto[4445]: | complete state 
> transition with STF_IGNORE
> Mar 10 20:34:07 chayka pluto[4445]: | next event 
> EVENT_RETRANSMIT in 40 seconds for #2
> Mar 10 20:34:47 chayka pluto[4445]: |
> Mar 10 20:34:47 chayka pluto[4445]: | *time to handle event
> Mar 10 20:34:47 chayka pluto[4445]: | handling event EVENT_RETRANSMIT
> Mar 10 20:34:47 chayka pluto[4445]: | event after this is 
> EVENT_SHUNT_SCAN in 30 seconds
> Mar 10 20:34:47 chayka pluto[4445]: | processing connection group
> Mar 10 20:34:47 chayka pluto[4445]: | handling event 
> EVENT_RETRANSMIT for 4.58.126.42 "group" #2
> Mar 10 20:34:47 chayka pluto[4445]: "group" #2: max number of 
> retransmissions (2) reached STATE_QUICK_I1.  No acceptable 
> response to our first Quick Mode message: perhaps 
> peer likes no proposal
> Mar 10 20:34:47 chayka pluto[4445]: "group" #2: starting 
> keying attempt 2 of an unlimited number, but releasing whack
> 
> 
> /etc/ipsec.secrets:
> @GroupVPN @0123456789AB : PSK "mysecret"
> 
> /etc/ipsec.conf
> version 2
> config setup
>          plutodebug="all"
>          nat_traversal=yes
>          nhelpers=0
>          interfaces="ipsec0=eth0"
>          plutoopts="--use-klips "
>          virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>          nocrsend=yes
>          uniqueids=no
> 
> include /etc/ipsec.d/examples/no_oe.conf
> 
> conn group
>    type=tunnel
>    left=172.16.0.100
>    leftid=@GroupVPN
>    leftxauthclient=yes
>    leftsendcert=no
>    right=1.2.3.4
>    rightid=@0123456789AB
>    rightxauthserver=yes
>    rightsubnet=192.168.25.0/24
>    pfs=no
>    auto=add
>    auth=esp
>    esp=3des-sha1
>    ike=3des-sha1-modp1024
>    xauth=yes
>    authby=secret
>    aggrmode=yes
>    keylife=8h
>    ikelifetime=8h
>    keyexchange=ike
>    compress=yes
> 
> 
> tcpdump shows:
> 
> 20:36:35.498441 IP 172.16.0.100.isakmp > 1.2.3.4.isakmp: 
> isakmp: phase 1 I agg
> 20:36:35.874170 IP 1.2.3.4.isakmp > 172.16.0.100.isakmp: 
> isakmp: phase 1 R agg
> 20:36:35.912059 IP 172.16.0.100.isakmp > 1.2.3.4.isakmp: 
> isakmp: phase 1 I agg[E]
> 20:36:36.076064 IP 1.2.3.4.isakmp > 172.16.0.100.isakmp: 
> isakmp: phase 2/others R #6[E]
> 20:36:46.972302 IP 172.16.0.100.isakmp > 1.2.3.4.isakmp: 
> isakmp: phase 2/others I #6[E]
> 20:36:47.166688 IP 1.2.3.4.isakmp > 172.16.0.100.isakmp: 
> isakmp: phase 2/others R #6[E]
> 20:36:47.208443 IP 172.16.0.100.isakmp > 1.2.3.4.isakmp: 
> isakmp: phase 2/others I #6[E]
> 20:36:47.229496 IP 172.16.0.100.isakmp > 1.2.3.4.isakmp: 
> isakmp: phase 2/others I oakley-quick[E]
> 20:36:47.442757 IP 1.2.3.4.isakmp > 172.16.0.100.isakmp: 
> isakmp: phase 2/others R inf[E]
> 20:36:57.463905 IP 172.16.0.100.isakmp > 1.2.3.4.isakmp: 
> isakmp: phase 2/others I oakley-quick[E]
> 20:37:17.464403 IP 172.16.0.100.isakmp > 1.2.3.4.isakmp: 
> isakmp: phase 2/others I oakley-quick[E]
> 20:37:17.595417 IP 1.2.3.4.isakmp > 172.16.0.100.isakmp: 
> isakmp: phase 2/others R inf[E]
> 20:37:57.624704 IP 172.16.0.100.isakmp > 1.2.3.4.isakmp: 
> isakmp: phase 1 I agg
> 20:37:57.870186 IP 1.2.3.4.47155 > 172.16.0.100.netbios-ns: 
> NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
> 20:37:57.870276 IP 172.16.0.100 > 1.2.3.4: ICMP 172.16.0.100 
> udp port netbios-ns unreachable, length 86
> 
> ipsec verify shows:
> 
> Checking your system to see if IPsec got installed and 
> started correctly:
> Version check and ipsec on-path                                 [OK]
> Linux Openswan 2.4.12 (klips)
> Checking for IPsec support in kernel                            [OK]
> KLIPS detected, checking for NAT Traversal support              [OK]
> Testing against enforced SElinux mode                           [OK]
> Checking for RSA private key (/etc/ipsec.secrets)              [DISABLED]
>    ipsec showhostkey: no default key in "/etc/ipsec.secrets"
> Checking that pluto is running                                  [OK]
> Two or more interfaces found, checking IP forwarding            [OK]
> Checking NAT and MASQUERADEing                                  [N/A]
> Checking for 'ip' command                                       [OK]
> Checking for 'iptables' command                                 [OK]
> Opportunistic Encryption Support                               [DISABLED]
> 
> 
> Thanks in advance!
> 
> --p
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-294632
> 7?n=283155
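The "decrypted:" hex in the pluto log above is the informational exchange in which the Sonicwall rejects the Quick Mode proposal. The following decoder is an added example for this thread (not Openswan code and not the poster's); it walks the payload chain using the RFC 2408 layouts (generic header: next payload, reserved, length; Notification body: DOI, protocol ID, SPI size, notify type, SPI, data), strips the CBC padding that pluto reports as "removing 4 bytes of padding", and pulls the human-readable reason the peer embedded in the notification data. The layout of that vendor notification data is not documented on the page, so the code only observes two things about it: it contains the Quick Mode message ID befb2828 that the log attributes to state #2, and it ends in an ASCII string.

```python
import struct

# Decrypted bytes copied from the "decrypted:" lines of the pluto log above.
# The final 4 bytes (00 00 00 03) are CBC padding: three pad bytes plus the pad length.
DECRYPTED_HEX = (
    "0b 00 00 18 d0 c5 71 b7 81 6d 87 1a e4 c0 11 46"
    " ba 4e 71 83 b3 10 9e cc 00 00 00 34 00 00 00 01"
    " 03 04 00 0e 8a 4d ca 64 00 06 00 04 be fb 28 28"
    " 00 04 00 18 00 00 00 4e 6f 20 70 72 6f 70 6f 73"
    " 61 6c 20 69 73 20 63 68 6f 73 65 6e 00 00 00 03"
)

PAYLOAD_NAMES = {0: "NONE", 8: "HASH", 11: "NOTIFICATION"}   # RFC 2408 payload types
NOTIFY_TYPES = {14: "NO_PROPOSAL_CHOSEN"}                     # RFC 2408 error type 14
PROTO_IDS = {1: "ISAKMP", 2: "AH", 3: "ESP"}                  # RFC 2407 protocol IDs


def strip_padding(buf):
    """Drop CBC padding: the last byte is the pad length, preceded by that many pad bytes."""
    pad_len = buf[-1]
    return buf[: len(buf) - pad_len - 1]


def parse_payloads(buf, first_np):
    """Walk the payload chain; first_np is the type of the first payload
    (pluto's "np=8" says the decrypted data starts with a Hash payload)."""
    payloads = []
    np, off = first_np, 0
    while np != 0:
        next_np, _reserved, length = struct.unpack_from("!BBH", buf, off)
        if length < 4 or off + length > len(buf):
            raise ValueError("bad payload length %d at offset %d" % (length, off))
        payloads.append((np, buf[off + 4 : off + length]))
        np, off = next_np, off + length
    return payloads


def parse_notification(body):
    """Decode the fixed part of a Notification payload and split off SPI and data."""
    doi, proto, spi_size, ntype = struct.unpack_from("!IBBH", body, 0)
    spi = body[8 : 8 + spi_size]
    data = body[8 + spi_size :]
    return {
        "doi": doi,
        "protocol": PROTO_IDS.get(proto, proto),
        "spi": spi.hex(),
        "notify_type": NOTIFY_TYPES.get(ntype, ntype),
        "data": data,
    }


def decode_informational(hex_dump, first_np=8):
    """Return a dict with the hash (hex) and the parsed notification."""
    raw = strip_padding(bytes.fromhex(hex_dump))
    result = {}
    for ptype, body in parse_payloads(raw, first_np):
        name = PAYLOAD_NAMES.get(ptype, str(ptype))
        if name == "NOTIFICATION":
            result["notification"] = parse_notification(body)
        else:
            result[name.lower()] = body.hex()
    return result


def ascii_tail(data):
    """Return the run of printable ASCII at the end of the notification data."""
    end = len(data)
    start = end
    while start > 0 and 32 <= data[start - 1] < 127:
        start -= 1
    return data[start:end].decode("ascii")


if __name__ == "__main__":
    info = decode_informational(DECRYPTED_HEX)
    n = info["notification"]
    print("hash payload:", info["hash"])
    print("notify:", n["notify_type"], "proto:", n["protocol"], "spi:", n["spi"])
    print("peer's reason text:", repr(ascii_tail(n["data"])))
    print("quick mode msgid befb2828 referenced:", bytes.fromhex("befb2828") in n["data"])
```

The decoded notification is protocol ID 3 (ESP), SPI 8a4dca64 and notify type 14, which is exactly what pluto prints as "Notify Message Type: NO_PROPOSAL_CHOSEN"; the trailing text in the data spells out the peer's reason, which confirms the rejection is of the Phase 2 (ESP) proposal rather than a transport problem, and points the troubleshooting at the subnet, ID and ESP algorithm settings rather than at the Phase 1 or XAUTH steps that already succeeded.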
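The three checks in the reply (effective left/rightsubnet, Phase 2 algorithms matching Phase 1, and matching left/rightid) can be run mechanically against the posted conn section. The script below is an added example for this thread, not Openswan's own tooling or the poster's code: it reads the ipsec.conf text as posted (config setup trimmed, the wrapped virtual_private line re-indented), fills in the documented default that leftsubnet/rightsubnet fall back to the host address itself, and compares the result with a peer-side policy. The Sonicwall's configuration is not on the page, so both peer policies are constructed: PEER_MIRROR is what a correctly matching remote gateway would hold, and PEER_MISMATCHED is a hypothetical peer that expects a /24 behind the client and a different Phase 2 hash, the kind of disagreement that produces NO_PROPOSAL_CHOSEN.

```python
import ipaddress
import re

# ipsec.conf as posted in the thread (config setup trimmed to a few keys).
IPSEC_CONF = """\
version 2
config setup
         plutodebug="all"
         nat_traversal=yes
         interfaces="ipsec0=eth0"
         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
include /etc/ipsec.d/examples/no_oe.conf
conn group
   type=tunnel
   left=172.16.0.100
   leftid=@GroupVPN
   leftxauthclient=yes
   right=1.2.3.4
   rightid=@0123456789AB
   rightxauthserver=yes
   rightsubnet=192.168.25.0/24
   pfs=no
   esp=3des-sha1
   ike=3des-sha1-modp1024
   authby=secret
   aggrmode=yes
   compress=yes
"""

# Constructed peer policies (the remote gateway's view of the same tunnel).
PEER_MIRROR = {"local_network": "192.168.25.0/24", "remote_network": "172.16.0.100/32",
               "local_id": "@0123456789AB", "remote_id": "@GroupVPN", "phase2": "3des-sha1"}
PEER_MISMATCHED = {"local_network": "192.168.25.0/24", "remote_network": "172.16.0.0/24",
                   "local_id": "@0123456789AB", "remote_id": "@GroupVPN", "phase2": "3des-md5"}


def parse_ipsec_conf(text):
    """Minimal ipsec.conf reader: 'conn NAME' / 'config setup' headers at column 0,
    indented key=value lines beneath them; version and include lines are skipped."""
    sections, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not line[0].isspace():
            m = re.match(r"(conn|config)\s+(\S+)", stripped)
            current = sections.setdefault("%s %s" % m.groups(), {}) if m else None
            continue
        if current is not None and "=" in stripped:
            key, value = stripped.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return sections


def effective_subnet(conn, side):
    """leftsubnet/rightsubnet default to the endpoint address as a /32."""
    return ipaddress.ip_network(conn.get(side + "subnet") or conn[side] + "/32")


def phase2_matches_phase1(conn):
    """Cipher and hash of esp= should equal the cipher and hash of ike=
    (the first proposal of each, ignoring the DH group on ike=)."""
    esp = conn.get("esp", "").split(",")[0]
    ike = "-".join(conn.get("ike", "").split(",")[0].split("-")[:2])
    return esp == ike


def check_against_peer(conn, peer):
    """Return a list of human-readable mismatches between conn and the peer policy."""
    problems = []
    ours_left, ours_right = effective_subnet(conn, "left"), effective_subnet(conn, "right")
    if ours_left != ipaddress.ip_network(peer["remote_network"]):
        problems.append("leftsubnet %s != peer's remote network %s" % (ours_left, peer["remote_network"]))
    if ours_right != ipaddress.ip_network(peer["local_network"]):
        problems.append("rightsubnet %s != peer's local network %s" % (ours_right, peer["local_network"]))
    if conn.get("leftid") != peer["remote_id"]:
        problems.append("leftid %s != peer's remote id %s" % (conn.get("leftid"), peer["remote_id"]))
    if conn.get("rightid") != peer["local_id"]:
        problems.append("rightid %s != peer's local id %s" % (conn.get("rightid"), peer["local_id"]))
    if conn.get("esp", "").split(",")[0] != peer["phase2"]:
        problems.append("esp %s != peer's phase 2 %s" % (conn.get("esp"), peer["phase2"]))
    if not phase2_matches_phase1(conn):
        problems.append("esp= cipher/hash differs from ike=")
    return problems


if __name__ == "__main__":
    conn = parse_ipsec_conf(IPSEC_CONF)["conn group"]
    print("effective leftsubnet:", effective_subnet(conn, "left"))
    for name, peer in (("mirror", PEER_MIRROR), ("mismatched", PEER_MISMATCHED)):
        print(name, "->", check_against_peer(conn, peer) or "no mismatches")
```

Against PEER_MIRROR the conn passes cleanly, which is the situation the poster believed he was in; against PEER_MISMATCHED the script names the /32-versus-/24 subnet disagreement and the Phase 2 hash disagreement, both of which are invisible in the Phase 1 and XAUTH log lines and only surface as the peer's NO_PROPOSAL_CHOSEN in Quick Mode.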
