[Openswan Users] Max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

Peter McGill petermcgill at goco.net
Wed Feb 1 09:46:04 EST 2012


You're getting NO_PROPOSAL_CHOSEN, which means your Openswan and Cisco
configs don't match; check that your encryption algs and subnets match on both
ends.

Here's my working Openswan/Cisco config as an example:

Note: Cisco doesn't support RSA without certificates, so I used PSK, as you
have also done.

Note: All indents in openswan should be a single tab, not multiple spaces;
multiple spaces can cause problems.

Openswan ipsec.conf:

version 2.0

config setup
        protostack=netkey
        oe=no
        nhelpers=0

conn stmarys-london # you can put all parameters in a single conn definition, I used multiple with also= to make changing multiple connections easier.
        also=goco
        also=london
        leftsubnet=172.21.0.0/20
        also=stmarys
        rightsubnet=172.21.1.0/24
        auto=start

conn london
        left=207.x.y.18
        leftsourceip=172.21.3.65
        leftrsasigkey=0sAQ. # you can ignore this line, it's there to connect to other openswan sites, it's ignored by the stmarys cisco connection.

conn stmarys
        right=207.x.y.245
        authby=secret

conn goco
        ike=aes128-sha1;modp2048 # I also have a lower model cisco switch conn which uses modp1536, since it doesn't support modp2048.
        phase2=esp
        phase2alg=aes128-sha1;modp2048
        ikev2=no
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart

Openswan ipsec.secrets:

207.x.y.18 207.x.y.245 : PSK "TG."

Cisco config:

version 15.1 # for reference
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 14
 lifetime 3600
crypto isakmp key TG. address 207.x.y.18 no-xauth
crypto isakmp aggressive-mode disable
!
crypto ipsec transform-set aesset esp-aes esp-sha-hmac
!
crypto map static-map 15 ipsec-isakmp
 set peer 207.x.y.18
 set security-association lifetime seconds 28800
 set transform-set aesset
 set pfs group14
 match address 133
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 104 in
 crypto map static-map
!
access-list 104 permit udp any host 207.x.y.245 eq isakmp
access-list 104 permit esp any host 207.x.y.245
access-list 104 permit udp host 207.x.y.18 host 207.x.y.245 eq non500-isakmp
access-list 104 permit ip host 207.x.y.18 host 207.x.y.245
access-list 133 permit ip 172.21.1.0 0.0.0.255 172.21.0.0 0.0.15.255

Peter McGill
Systems Analyst and Administrator
Gra Ham Energy Limited

From: users-bounces at lists.openswan.org
[mailto:users-bounces at lists.openswan.org] On Behalf Of Sam
Sent: February-01-12 5:21 AM
To: users at openswan.org; users at lists.openswan.org
Subject: [Openswan Users] Max number of retransmissions (2) reached
STATE_QUICK_I1. No acceptable response to our first Quick Mode message:
perhaps peer likes no proposal

Hi,

I have successfully installed Openswan but there seems to be an issue with the
connection to the Cisco VPN. From the logs I am seeing something like "No
acceptable response to our first Quick Mode message: perhaps peer likes no
proposal".

Below is the full log and my config. I will really appreciate your help.

###################### CONFIG #############################

config setup
        interfaces=%defaultroute
        plutoopts="--perpeerlog"
        protostack=netkey

conn VPNCon
        type=tunnel
        authby=secret
        ikelifetime=86400s
        phase2=esp
        phase2alg=3des-md5;modp1536
        lifetime=3600s
        forceencaps=yes
        pfs=no
        keyexchange=ike
        left=1.2.3.4
        leftnexthop=%defaultroute
        right=5.6.7.8
        rightnexthop=%defaultroute
        rekey=yes
        remote_peer_type=cisco
        auto=start
###################################################

###################### CONFIG #############################

Feb  1 10:55:16 box1 ipsec__plutorun: Starting Pluto subsystem...
Feb  1 10:55:16 box1 pluto[12241]: Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:12241
Feb  1 10:55:16 box1 pluto[12241]: LEAK_DETECTIVE support [disabled]
Feb  1 10:55:16 box1 pluto[12241]: OCF support for IKE [disabled]
Feb  1 10:55:16 box1 pluto[12241]: SAref support [disabled]: Protocol not available
Feb  1 10:55:16 box1 pluto[12241]: SAbind support [disabled]: Protocol not available
Feb  1 10:55:16 box1 pluto[12241]: NSS support [disabled]
Feb  1 10:55:16 box1 pluto[12241]: HAVE_STATSD notification support not compiled in
Feb  1 10:55:16 box1 pluto[12241]: Setting NAT-Traversal port-4500 floating to on
Feb  1 10:55:16 box1 pluto[12241]:    port floating activation criteria nat_t=1/port_float=1
Feb  1 10:55:16 box1 pluto[12241]:    NAT-Traversal support  [enabled]
Feb  1 10:55:16 box1 pluto[12241]: using /dev/urandom as source of random entropy
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Feb  1 10:55:16 box1 pluto[12241]: starting up 1 cryptographic helpers
Feb  1 10:55:16 box1 pluto[12248]: using /dev/urandom as source of random entropy
Feb  1 10:55:16 box1 pluto[12241]: started helper pid=12248 (fd:6)
Feb  1 10:55:16 box1 pluto[12241]: Using Linux 2.6 IPsec interface code on 2.6.18-194.17.1.el5 (experimental code)
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_add(): ERROR: Algorithm already exists
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_add(): ERROR: Algorithm already exists
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_add(): ERROR: Algorithm already exists
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_add(): ERROR: Algorithm already exists
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_add(): ERROR: Algorithm already exists
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Feb  1 10:55:16 box1 pluto[12241]: Changed path to directory '/etc/ipsec.d/cacerts'
Feb  1 10:55:16 box1 pluto[12241]: Changed path to directory '/etc/ipsec.d/aacerts'
Feb  1 10:55:16 box1 pluto[12241]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Feb  1 10:55:16 box1 pluto[12241]: Changing to directory '/etc/ipsec.d/crls'
Feb  1 10:55:16 box1 pluto[12241]:   Warning: empty directory
Feb  1 10:55:16 box1 pluto[12241]: added connection description "VPNCon"
Feb  1 10:55:17 box1 pluto[12241]: listening for IKE messages
Feb  1 10:55:17 box1 pluto[12241]: adding interface eth0/eth0 1.2.3.4.5:500
Feb  1 10:55:17 box1 pluto[12241]: adding interface eth0/eth0 1.2.3.4.5:4500
Feb  1 10:55:17 box1 pluto[12241]: adding interface lo/lo 127.0.0.1:500
Feb  1 10:55:17 box1 pluto[12241]: adding interface lo/lo 127.0.0.1:4500
Feb  1 10:55:17 box1 pluto[12241]: adding interface lo/lo ::1:500
Feb  1 10:55:17 box1 pluto[12241]: loading secrets from "/etc/ipsec.secrets"
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: initiating Main Mode
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: received Vendor ID payload [Cisco-Unity]
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: received Vendor ID payload [Dead Peer Detection]
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: ignoring unknown Vendor ID payload [3c1f79790ca4ddd867fa2623b80ac34b]
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: received Vendor ID payload [XAUTH]
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Feb  1 10:55:18 box1 pluto[12241]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #1: Main mode peer ID is ID_IPV4_ADDR: '5.6.7.8'
Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:6ca6f49a proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #1: received and ignored informational message
Feb  1 10:56:28 box1 pluto[12241]: "VPNCon" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Feb  1 10:56:28 box1 pluto[12241]: "VPNCon" #2: starting keying attempt 2 of an unlimited number
Feb  1 10:56:28 box1 pluto[12241]: "VPNCon" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #2 {using isakmp#1 msgid:91d29c32 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
Feb  1 10:56:28 box1 pluto[12241]: "VPNCon" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Feb  1 10:56:28 box1 pluto[12241]: "VPNCon" #1: received and ignored informational message
Feb  1 10:57:38 box1 pluto[12241]: "VPNCon" #3: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Feb  1 10:57:38 box1 pluto[12241]: "VPNCon" #3: starting keying attempt 3 of an unlimited number
Feb  1 10:57:38 box1 pluto[12241]: "VPNCon" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #3 {using isakmp#1 msgid:fd01f2eb proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
Feb  1 10:57:38 box1 pluto[12241]: "VPNCon" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Feb  1 10:57:38 box1 pluto[12241]: "VPNCon" #1: received and ignored informational message

###################################################
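A quick way to do the comparison Peter recommends, as an added example that is not part of this thread: the script below puts the Phase 1 and Phase 2 proposals from an Openswan ipsec.conf and a Cisco IOS crypto config onto one vocabulary and lists what differs. The sample inputs are constructed from the two configs quoted above (Peter's working pair, and Sam's phase2alg/pfs settings against Peter's Cisco side, since Sam's Cisco config is not in the thread); the IOS defaults assumed for omitted policy sub-commands (encr des, hash sha, group 1) come from IOS documentation, not from the thread.

```python
# Added example (not code from the thread): put Openswan and Cisco IOS IKE proposals
# on one vocabulary and list what differs. Sample values below are constructed from
# the configs quoted in this thread; IOS policy defaults are assumed where omitted.
ENC = {"des": "des", "esp-des": "des", "3des": "3des", "esp-3des": "3des",
       "aes": "aes128", "aes128": "aes128", "esp-aes": "aes128",
       "aes 256": "aes256", "aes256": "aes256"}
INTEG = {"sha": "sha1", "sha1": "sha1", "esp-sha-hmac": "sha1",
         "md5": "md5", "esp-md5-hmac": "md5"}
GROUP = {"1": "modp768", "modp768": "modp768", "2": "modp1024", "modp1024": "modp1024",
         "5": "modp1536", "modp1536": "modp1536", "14": "modp2048", "modp2048": "modp2048"}

def parse_openswan(spec, pfs=True):
    """'aes128-sha1;modp2048' -> ('aes128', 'sha1', 'modp2048'). With pfs=no Openswan
    sends no group in Quick Mode (the log's 'pfsgroup=no-pfs'), reported as None."""
    algs, _, group = spec.partition(";")
    enc, integ = algs.lower().split("-")
    return (ENC[enc], INTEG[integ], GROUP[group] if group and pfs else None)

def parse_cisco_isakmp(policy_lines):
    """Sub-commands of 'crypto isakmp policy N'; missing ones take the IOS defaults."""
    found = dict(line.split(None, 1) for line in policy_lines)
    return (ENC[found.get("encr", "des")], INTEG[found.get("hash", "sha")],
            GROUP[found.get("group", "1")])

def parse_cisco_ipsec(transform_set_line, set_pfs_line=None):
    """'crypto ipsec transform-set NAME esp-aes esp-sha-hmac' plus the crypto map's
    'set pfs groupN' line (None when the map has no PFS)."""
    transforms = transform_set_line.split()[4:]
    enc = next(ENC[t] for t in transforms if t in ENC)
    integ = next(INTEG[t] for t in transforms if t in INTEG)
    group = GROUP[set_pfs_line.split()[-1].replace("group", "")] if set_pfs_line else None
    return (enc, integ, group)

def check(ike, phase2alg, pfs, policy_lines, transform_set_line, set_pfs_line):
    """One line per differing attribute; an empty list means the proposals agree."""
    pairs = [("phase2", parse_openswan(phase2alg, pfs),
              parse_cisco_ipsec(transform_set_line, set_pfs_line))]
    if ike:  # Phase 1 is compared only when ike= is set explicitly in ipsec.conf
        pairs.insert(0, ("phase1", parse_openswan(ike), parse_cisco_isakmp(policy_lines)))
    return [f"{phase} {name}: openswan={a} cisco={b}" for phase, ours, theirs in pairs
            for name, a, b in zip(("encryption", "integrity", "DH group"), ours, theirs)
            if a != b]
# Peter's working pair (constructed from the configs above): nothing differs.
CISCO_POLICY = ["encr aes", "authentication pre-share", "group 14", "lifetime 3600"]
CISCO_TS = "crypto ipsec transform-set aesset esp-aes esp-sha-hmac"
WORKING = check("aes128-sha1;modp2048", "aes128-sha1;modp2048", True,
                CISCO_POLICY, CISCO_TS, "set pfs group14")
# Sam's Phase 2 settings against that same Cisco side: three Phase 2 mismatches.
BROKEN = check(None, "3des-md5;modp1536", False, CISCO_POLICY, CISCO_TS, "set pfs group14")
```

Run it and print WORKING and BROKEN: the first is empty, the second names the three Phase 2 attributes that the peer's NO_PROPOSAL_CHOSEN is rejecting.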
