[Openswan Users] perhaps peer likes no proposal

simon charles charlessimon at hotmail.com
Wed Nov 26 13:01:38 EST 2008


Tudor , please check your esp parameters / {right|left}subnet / nat-traversal on the Watchguard. 

> localhost pluto[27033]: "myvpn" #3: max number of retransmissions (2)
reached STATE_QUICK_I1.  No acceptable > > response to our first Quick Mode
message: perhaps peer likes no proposal

  Your connection is failing at STATE_QUICK_I1 - which hints at dis-similar esp parameters / {right|left} subnets or nat traversal issues with some equipments

- Simon Charles - 




Date: Wed, 26 Nov 2008 08:01:30 +0000
From: Tudor.Georgescu at aardman.com
To: users at openswan.org
Subject: Re: [Openswan Users] perhaps peer likes no proposal

RE: [Openswan Users] perhaps peer likes no proposal











Simon, its not a typo, its how you specify your Diffie Hellman group. It uses the same one as the ike, but you can specify. esp=aes256-sha1-modp1024 would report an error, leaving it blank would work exactly the same, getting stuck in the same place.



No matter what I put in esp, it gets stuck in the same place. I change my ike, it complains "Informational Exchange message must be encrypted". Definitely having problems at a later stage. Phase1 and Phase2 protocols at the other end are identical.



Could it be tunnel problems? Or would the tunnel cause it to fail at another stage? What exactly is STATE_AGGR_I2 trying to achieve?



Cheers guys.



-----Original Message-----

From: simon charles [mailto:charlessimon at hotmail.com]

Sent: Wed 11/26/2008 3:08 AM

To: Tudor Georgescu; bzhang at sonicwall.com; users-bounces at openswan.org

Subject: RE: [Openswan Users] perhaps peer likes no proposal





Tudor - is that a typo in esp parameter ? shouldn't it be esp=aes256-sha1-modp1024



conn myvpn



        pfs=yes



        authby=secret



        type=tunnel



        aggrmode=yes



        keyexchange=ike



        auth=esp



        ike=aes256-sha1-modp1024



        esp=aes256-sha1;modp1024



        left=10.0.0.128



        leftsubnet=10.0.0.0/24



        leftnexthop=10.0.0.138



        leftid=my at id.com



        right=<vpn.public.ip>



        #rightnexthop=a.b.c.d



        rightsubnet=w.x.y.z/24



        rightid=<vpn.public.ip>



        auto=start





- Simon Charles -









Subject: RE: [Openswan Users] perhaps peer likes no proposal

Date: Wed, 26 Nov 2008 01:47:13 +0000

From: Tudor.Georgescu at aardman.com

To: bzhang at sonicwall.com; charlessimon at hotmail.com; users-bounces at openswan.org

















RE: [Openswan Users] perhaps peer likes no proposal









Many thanks for the input.







Aaron, the other end has pfs enabled, that is why it was=yes. Setting it to 'no' makes no difference to how far the connection gets.







Simon, the other end is indeed expecting aggressive mode as this is a roadwarrior setup.







Cheers folks,







Tudor











-----Original Message-----



From: Aaron Zhang [mailto:bzhang at sonicwall.com]



Sent: Wed 11/26/2008 1:24 AM



To: simon charles; Tudor Georgescu; users at openswan.org



Subject: RE: [Openswan Users] perhaps peer likes no proposal







I  think the phase1 has been established successfully , so it  does not result from the aggressive mode.







Could you disable the pfs=no and have a try ?















Thanks!







Aaron (Bo) Zhang







________________________________







From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of simon charles



Sent: 2008?11?26? 3:28



To: tudor.georgescu at aardman.com; users at openswan.org



Subject: Re: [Openswan Users] perhaps peer likes no proposal















Hi !



    From the logs - openswan is trying to connect using 'aggressive mode' - is the watchguard expecting to connect using aggresive mode ?. Aggressive mode is less secure than main mode - unless you are using a roadwarrior configuration - i would recommend that you use main mode.



      Thanks !







________________________________







Date: Tue, 25 Nov 2008 17:33:16 +0000



From: Tudor.Georgescu at aardman.com



To: users at openswan.org



Subject: [Openswan Users] perhaps peer likes no proposal







Hey guys,



I have been struggling with this for a few days now. I've become thoroughly stuck on this on what I believe may be phase2.







I am trying to connect openswan-2.6.19 [left] (and openswan-2.6.19 upto the .19 release) to a WatchGuard Firebox [right].







Many releases ago, this was once possible: http://wiki.openswan.org/index.php/Interop/InteroperatingWatchguard







Unfortunately following many tutorials and the Paul and Ken book has still left me in the dark.







I have been on the #openswan irc channel and they suggested that "perhaps peer likes no proposal" means I'm not matching IKE or ESP properly. I've checked, double checked, and thrice checked both ends, but I'm still getting stuck.







Settings-wise what is still a mystery to me is the tunnel settings. On the Watchguard end, its configured to give me the virtual IP of a.b.c.d, which puts me on the network w.x.y.z/24. I've tried various rightnexthop/rightsubnet settings, but that does not appear to make any changes to the connection. Am I barking up the wrong tree? Does the tunnel have anything to do with "perhaps peer likes no proposal"?







Any explinations of what the following means would also be much appreciated. I.e. what is STATE_AGGR_I2 trying to achieve?



localhost pluto[27033]: "myvpn" #1: retransmitting in response to duplicate packet; already STATE_AGGR_I2



localhost pluto[27033]: "myvpn" #1: discarding duplicate packet -- exhausted retransmission; already STATE_AGGR_I2







Thank you in advance guys and gals.







Tudor







# /etc/ipsec.conf - Openswan IPsec configuration file



version 2.0     # conforms to second version of ipsec.conf specification







config setup



        interfaces=%defaultroute



        nat_traversal=yes



        OE=off



        protostack=netkey



        uniqueids=yes







conn myvpn



        pfs=yes



        authby=secret



        type=tunnel



        aggrmode=yes



        keyexchange=ike



        auth=esp



        ike=aes256-sha1-modp1024



        esp=aes256-sha1;modp1024



        left=10.0.0.128



        leftsubnet=10.0.0.0/24



        leftnexthop=10.0.0.138



        leftid=my at id.com



        right=<vpn.public.ip>



        #rightnexthop=a.b.c.d



        rightsubnet=w.x.y.z/24



        rightid=<vpn.public.ip>



        auto=start







The output was from rel 2.6.18, but I get the same from 2.6.19.







/var/log/messages







localhost pluto[26477]: shutting down



localhost pluto[26477]: forgetting secrets



localhost pluto[26477]: "myvpn": deleting connection



localhost pluto[26477]: "myvpn" #1: deleting state (STATE_AGGR_I2)



localhost pluto[26477]: "myvpn": request to delete a unrouted policy with netkey kernel --- experimental



localhost pluto[26477]: shutting down interface lo/lo ::1:500



localhost pluto[26477]: shutting down interface lo/lo 127.0.0.1:4500



localhost pluto[26477]: shutting down interface lo/lo 127.0.0.1:500



localhost pluto[26477]: shutting down interface eth0/eth0 10.0.0.128:4500



localhost pluto[26477]: shutting down interface eth0/eth0 10.0.0.128:500



localhost ipsec__plutorun: Starting Pluto subsystem...



localhost pluto[27033]: Starting Pluto (Openswan Version 2.6.18; Vendor ID OE}ZvZ at M[OWD) pid:27033



localhost pluto[27033]: Setting NAT-Traversal port-4500 floating to on



localhost pluto[27033]:    port floating activation criteria nat_t=1/port_float=1



localhost pluto[27033]:    including NAT-Traversal patch (Version 0.6c)



localhost pluto[27033]: using /dev/urandom as source of random entropy



localhost pluto[27033]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)



localhost pluto[27033]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)



localhost pluto[27033]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)



localhost pluto[27033]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)



localhost pluto[27033]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)



localhost pluto[27033]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)



localhost pluto[27033]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)



localhost pluto[27033]: starting up 1 cryptographic helpers



localhost pluto[27034]: using /dev/urandom as source of random entropy



localhost pluto[27033]: started helper pid=27034 (fd:7)



localhost pluto[27033]: Using Linux 2.6 IPsec interface code on 2.6.26.5-28.fc8 (experimental code)



localhost pluto[27033]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names



localhost pluto[27033]: ike_alg_register_enc(): Activating <NULL>: Ok (ret=0)



localhost pluto[27033]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names



localhost pluto[27033]: ike_alg_add(): ERROR: Algorithm already exists



localhost pluto[27033]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)



localhost pluto[27033]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names



localhost pluto[27033]: ike_alg_add(): ERROR: Algorithm already exists



localhost pluto[27033]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)



localhost pluto[27033]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names



localhost pluto[27033]: ike_alg_add(): ERROR: Algorithm already exists



localhost pluto[27033]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)



localhost pluto[27033]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names



localhost pluto[27033]: ike_alg_add(): ERROR: Algorithm already exists



localhost pluto[27033]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)



localhost pluto[27033]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names



localhost pluto[27033]: ike_alg_add(): ERROR: Algorithm already exists



localhost pluto[27033]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)



localhost pluto[27033]: Changed path to directory '/etc/ipsec.d/cacerts'



localhost pluto[27033]: Changed path to directory '/etc/ipsec.d/aacerts'



localhost pluto[27033]: Changed path to directory '/etc/ipsec.d/ocspcerts'



localhost pluto[27033]: Changing to directory '/etc/ipsec.d/crls'



localhost pluto[27033]:   Warning: empty directory



localhost pluto[27033]: Changing back to directory '/tmp' failed - (2 No such file or directory)



localhost pluto[27033]: Changing back to directory '/tmp' failed - (2 No such file or directory)



localhost pluto[27033]: added connection description "myvpn"



localhost pluto[27033]: listening for IKE messages



localhost pluto[27033]: adding interface eth0/eth0 10.0.0.128:500



localhost pluto[27033]: adding interface eth0/eth0 10.0.0.128:4500



localhost pluto[27033]: adding interface lo/lo 127.0.0.1:500



localhost pluto[27033]: adding interface lo/lo 127.0.0.1:4500



localhost pluto[27033]: adding interface lo/lo ::1:500



localhost pluto[27033]: loading secrets from "/etc/ipsec.secrets"



localhost pluto[27033]: "myvpn": request to add a prospective erouted policy with netkey kernel --- experimental



localhost pluto[27033]: "myvpn" #1: initiating Aggressive Mode #1, connection "myvpn"



localhost pluto[27033]: | setting sec: 1



localhost pluto[27033]: "myvpn" #1: received Vendor ID payload [Dead Peer Detection]



localhost pluto[27033]: "myvpn" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106



localhost pluto[27033]: "myvpn" #1: Aggressive mode peer ID is ID_IPV4_ADDR: '<vpn.public.ip>'



localhost pluto[27033]: "myvpn" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed



localhost pluto[27033]: "myvpn" #1: Aggressive mode peer ID is ID_IPV4_ADDR: '<vpn.public.ip>'



localhost pluto[27033]: "myvpn" #1: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2



localhost pluto[27033]: "myvpn" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established  {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}



localhost pluto[27033]: "myvpn" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW {using isakmp#1 msgid:131f6317 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}



localhost pluto[27033]: "myvpn" #1: retransmitting in response to duplicate packet; already STATE_AGGR_I2



localhost pluto[27033]: "myvpn" #1: retransmitting in response to duplicate packet; already STATE_AGGR_I2



localhost pluto[27033]: "myvpn" #1: discarding duplicate packet -- exhausted retransmission; already STATE_AGGR_I2



localhost pluto[27033]: "myvpn" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal



localhost pluto[27033]: "myvpn" #2: starting keying attempt 2 of at most 3



Nov 21 18:02:42 localhost pluto[27033]: "myvpn" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW to replace #2 {using isakmp#1 msgid:bd4d55d2 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}



localhost pluto[27033]: "myvpn" #3: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal



localhost pluto[27033]: "myvpn" #3: starting keying attempt 3 of at most 3



localhost pluto[27033]: "myvpn" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW to replace #3 {using isakmp#1 msgid:947f04f5 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}



localhost pluto[27033]: "myvpn" #4: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal







- --------------------------------------------------------------------



http://www.aardman.com







______________________________________________________________________



This message has been checked for all known viruses by the MessageLabs











__________________________________________________________________



This message has been checked for all known viruses by MessageLabs























- --------------------------------------------------------------------



http://www.aardman.com







______________________________________________________________________



This message has been checked for all known viruses by the MessageLabs



__________________________________________________________________

This message has been checked for all known viruses by MessageLabs











- --------------------------------------------------------------------

http://www.aardman.com



______________________________________________________________________

This message has been checked for all known viruses by the MessageLabs
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20081126/46fffd2c/attachment-0001.html 


More information about the Users mailing list