[Openswan Users] Max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

Sam nu.ecsa at gmail.com
Sun Feb 12 13:51:53 EST 2012


Hi Peter,

I appreciate your support. Now I am able to get it working, but there seems to
be another issue. Pluto constantly crashes and restarts in an infinite
loop. Below is the log, which goes on in this format.

###############################################################################################
Feb 12 18:33:13 box1 ipsec_setup: Starting Openswan IPsec
U2.6.37/K2.6.18-194.17.1.el5...
Feb 12 18:33:13 box1 ipsec_setup: Using NETKEY(XFRM) stack
Feb 12 18:33:14 box1 ipsec_setup: multiple ip addresses, using  1.2.3.4 on
eth0
Feb 12 18:33:14 box1 ipsec_setup: ...Openswan IPsec started
Feb 12 18:33:14 box1 pluto: adjusting ipsec.d to /etc/ipsec.d
Feb 12 18:33:14 box1 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Feb 12 18:33:14 box1 ipsec__plutorun: 002 added connection description
"VPN_CLIENT"
Feb 12 18:33:14 box1 ipsec__plutorun: 104 "VPN_CLIENT" #1: STATE_MAIN_I1:
initiate
Feb 12 18:33:15 box1 kernel: pluto[22765]: segfault at 0000000000000288
rip 0000000000435a11 rsp 00007fff3a5314a0 error 4
Feb 12 18:33:15 box1 ipsec__plutorun: /usr/local/lib/ipsec/_plutorun: line
246: 22765 Segmentation fault      /usr/local/libexec/ipsec/pluto
--nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d
--perpeerlog --use-netkey --uniqueids --nat_traversal --nhelpers 0
Feb 12 18:33:15 box1 ipsec__plutorun: !pluto failure!:  exited with error
status 139 (signal 11)
Feb 12 18:33:15 box1 ipsec__plutorun: restarting IPsec after pause...
Feb 12 18:33:25 box1 ipsec_setup: Stopping Openswan IPsec...
Feb 12 18:33:25 box1 ipsec_setup: Removing orphaned
/var/run/pluto/pluto.pid:
Feb 12 18:33:25 box1 kernel: NET: Unregistered protocol family 15
Feb 12 18:33:25 box1 ipsec_setup: ...Openswan IPsec stopped
Feb 12 18:33:25 box1 kernel: NET: Registered protocol family 15
Feb 12 18:33:25 box1 ipsec_setup: Starting Openswan IPsec
U2.6.37/K2.6.18-194.17.1.el5...
Feb 12 18:33:25 box1 ipsec_setup: Using NETKEY(XFRM) stack
Feb 12 18:33:26 box1 ipsec_setup: multiple ip addresses, using  1.2.3.4 on
eth0
Feb 12 18:33:26 box1 ipsec_setup: ...Openswan IPsec started
Feb 12 18:33:26 box1 pluto: adjusting ipsec.d to /etc/ipsec.d
Feb 12 18:33:26 box1 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Feb 12 18:33:26 box1 ipsec__plutorun: 002 added connection description
"VPN_CLIENT"
Feb 12 18:33:26 box1 ipsec__plutorun: 104 "VPN_CLIENT" #1: STATE_MAIN_I1:
initiate
Feb 12 18:33:27 box1 kernel: pluto[23114]: segfault at 0000000000000288 rip
0000000000435a11 rsp 00007fff4f7c88c0 error 4
Feb 12 18:33:27 box1 ipsec__plutorun: /usr/local/lib/ipsec/_plutorun: line
246: 23114 Segmentation fault      /usr/local/libexec/ipsec/pluto --nofork
--secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --perpeerlog
--use-netkey --uniqueids --nat_traversal --nhelpers 0
Feb 12 18:33:27 box1 ipsec__plutorun: !pluto failure!:  exited with error
status 139 (signal 11)
Feb 12 18:33:27 box1 ipsec__plutorun: restarting IPsec after pause...
Feb 12 18:33:37 box1 ipsec_setup: Stopping Openswan IPsec...
Feb 12 18:33:37 box1 ipsec_setup: Removing orphaned
/var/run/pluto/pluto.pid:
Feb 12 18:33:38 box1 kernel: NET: Unregistered protocol family 15
Feb 12 18:33:38 box1 ipsec_setup: ...Openswan IPsec stopped
Feb 12 18:33:38 box1 kernel: NET: Registered protocol family 15
###############################################################################################


On Wed, Feb 1, 2012 at 3:46 PM, Peter McGill <petermcgill at goco.net> wrote:

> You're getting NO_PROPOSAL_CHOSEN, which means your openswan and cisco
> configs don't match; check that your encryption algs and subnets match on both
> ends.
>
> Here's my working Openswan/Cisco config for example:
>
> Note: Cisco doesn't support RSA without certificates so I used PSK, as you
> have also done.
>
> Note: All indents in openswan should be a single tab not multiple spaces,
> multiple spaces can cause problems.
>
> Openswan ipsec.conf:
>
> version 2.0
>
> config setup
>         protostack=netkey
>         oe=no
>         nhelpers=0
>
> conn stmarys-london # you can put all parameters in single conn
> definition, I used multiple with also= to make changing multiple connections
> easier.
>         also=goco
>         also=london
>         leftsubnet=172.21.0.0/20
>         also=stmarys
>         rightsubnet=172.21.1.0/24
>         auto=start
>
> conn london
>         left=207.x.y.18
>         leftsourceip=172.21.3.65
>         leftrsasigkey=0sAQ… # you can ignore this line it's there to
> connect to other openswan sites, it's ignored by stmarys cisco connection.
>
> conn stmarys
>         right=207.x.y.245
>         authby=secret
>
> conn goco
>         ike=aes128-sha1;modp2048 # I also have a lower model cisco switch
> conn which uses modp1536, since it doesn't support modp2048.
>         phase2=esp
>         phase2alg=aes128-sha1;modp2048
>         ikev2=no
>         dpddelay=30
>         dpdtimeout=120
>         dpdaction=restart
>
> Openswan ipsec.secrets:
>
> 207.x.y.18 207.x.y.245 : PSK "TG…"
>
> Cisco config:
>
> version 15.1 # for reference
> !
> crypto isakmp policy 10
> encr aes
> authentication pre-share
> group 14
> lifetime 3600
> crypto isakmp key TG… address 207.x.y.18 no-xauth
> crypto isakmp aggressive-mode disable
> !
> crypto ipsec transform-set aesset esp-aes esp-sha-hmac
> !
> crypto map static-map 15 ipsec-isakmp
> set peer 207.x.y.18
> set security-association lifetime seconds 28800
> set transform-set aesset
> set pfs group14
> match address 133
> !
> interface Dialer0
> description $FW_OUTSIDE$
> ip address negotiated
> ip access-group 104 in
> crypto map static-map
> !
> access-list 104 permit udp any host 207.x.y.245 eq isakmp
> access-list 104 permit esp any host 207.x.y.245
> access-list 104 permit udp host 207.x.y.18 host 207.x.y.245 eq
> non500-isakmp
> access-list 104 permit ip host 207.x.y.18 host 207.x.y.245
> access-list 133 permit ip 172.21.1.0 0.0.0.255 172.21.0.0 0.0.15.255
>
> Peter McGill
> Systems Analyst and Administrator
> Gra Ham Energy Limited
>
> From: users-bounces at lists.openswan.org [mailto:users-bounces at lists.openswan.org] On Behalf Of Sam
> Sent: February-01-12 5:21 AM
> To: users at openswan.org; users at lists.openswan.org
> Subject: [Openswan Users] Max number of retransmissions (2) reached
> STATE_QUICK_I1. No acceptable response to our first Quick Mode message:
> perhaps peer likes no proposal
>
> Hi,
>
> I have successfully installed Openswan but there seems to be an issue with the
> connection to the Cisco VPN. From the logs I am seeing something like "No
> acceptable response to our first Quick Mode message: perhaps peer likes no
> proposal".
>
> Below is the full log and my config. I will really appreciate your help.
>
> ###################### CONFIG #############################
> config setup
>         interfaces=%defaultroute
>         plutoopts="--perpeerlog"
>         protostack=netkey
>
> conn VPNCon
>         type=tunnel
>         authby=secret
>         Ikelifetime=86400s
>         phase2=esp
>         Phase2alg=3des-md5;modp1536
>         lifetime=3600s
>         forceencaps=yes
>         pfs=no
>         keyexchange=ike
>         left=1.2.3.4
>         leftnexthop=%defaultroute
>         right=5.6.7.8
>         rightnexthop=%defaultroute
>         rekey=yes
>         remote_peer_type=cisco
>         auto=start
> ###################################################
>
> ###################### CONFIG #############################
> Feb  1 10:55:16 box1 ipsec__plutorun: Starting Pluto subsystem...
> Feb  1 10:55:16 box1 pluto[12241]: Starting Pluto (Openswan Version
> 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:12241
> Feb  1 10:55:16 box1 pluto[12241]: LEAK_DETECTIVE support [disabled]
> Feb  1 10:55:16 box1 pluto[12241]: OCF support for IKE [disabled]
> Feb  1 10:55:16 box1 pluto[12241]: SAref support [disabled]: Protocol not
> available
> Feb  1 10:55:16 box1 pluto[12241]: SAbind support [disabled]: Protocol not
> available
> Feb  1 10:55:16 box1 pluto[12241]: NSS support [disabled]
> Feb  1 10:55:16 box1 pluto[12241]: HAVE_STATSD notification support not
> compiled in
> Feb  1 10:55:16 box1 pluto[12241]: Setting NAT-Traversal port-4500
> floating to on
> Feb  1 10:55:16 box1 pluto[12241]:    port floating activation criteria
> nat_t=1/port_float=1
> Feb  1 10:55:16 box1 pluto[12241]:    NAT-Traversal support  [enabled]
> Feb  1 10:55:16 box1 pluto[12241]: using /dev/urandom as source of random
> entropy
> Feb  1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating
> OAKLEY_AES_CBC: Ok (ret=0)
> Feb  1 10:55:16 box1 pluto[12241]: starting up 1 cryptographic helpers
> Feb  1 10:55:16 box1 pluto[12248]: using /dev/urandom as source of random
> entropy
> Feb  1 10:55:16 box1 pluto[12241]: started helper pid=12248 (fd:6)
> Feb  1 10:55:16 box1 pluto[12241]: Using Linux 2.6 IPsec interface code on
> 2.6.18-194.17.1.el5 (experimental code)
> Feb  1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating
> aes_ccm_8: Ok (ret=0)
> Feb  1 10:55:16 box1 pluto[12241]: ike_alg_add(): ERROR: Algorithm already
> exists
> Feb  1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating
> aes_ccm_12: FAILED (ret=-17)
> Feb  1 10:55:16 box1 pluto[12241]: ike_alg_add(): ERROR: Algorithm already
> exists
> Feb  1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating
> aes_ccm_16: FAILED (ret=-17)
> Feb  1 10:55:16 box1 pluto[12241]: ike_alg_add(): ERROR: Algorithm already
> exists
> Feb  1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating
> aes_gcm_8: FAILED (ret=-17)
> Feb  1 10:55:16 box1 pluto[12241]: ike_alg_add(): ERROR: Algorithm already
> exists
> Feb  1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating
> aes_gcm_12: FAILED (ret=-17)
> Feb  1 10:55:16 box1 pluto[12241]: ike_alg_add(): ERROR: Algorithm already
> exists
> Feb  1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating
> aes_gcm_16: FAILED (ret=-17)
> Feb  1 10:55:16 box1 pluto[12241]: Changed path to directory
> '/etc/ipsec.d/cacerts'
> Feb  1 10:55:16 box1 pluto[12241]: Changed path to directory
> '/etc/ipsec.d/aacerts'
> Feb  1 10:55:16 box1 pluto[12241]: Changed path to directory
> '/etc/ipsec.d/ocspcerts'
> Feb  1 10:55:16 box1 pluto[12241]: Changing to directory
> '/etc/ipsec.d/crls'
> Feb  1 10:55:16 box1 pluto[12241]:   Warning: empty directory
> Feb  1 10:55:16 box1 pluto[12241]: added connection description "VPNCon"
> Feb  1 10:55:17 box1 pluto[12241]: listening for IKE messages
> Feb  1 10:55:17 box1 pluto[12241]: adding interface eth0/eth0 1.2.3.4.5:500
> Feb  1 10:55:17 box1 pluto[12241]: adding interface eth0/eth0
> 1.2.3.4.5:4500
> Feb  1 10:55:17 box1 pluto[12241]: adding interface lo/lo 127.0.0.1:500
> Feb  1 10:55:17 box1 pluto[12241]: adding interface lo/lo 127.0.0.1:4500
> Feb  1 10:55:17 box1 pluto[12241]: adding interface lo/lo ::1:500
> Feb  1 10:55:17 box1 pluto[12241]: loading secrets from
> "/etc/ipsec.secrets"
> Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: initiating Main Mode
> Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-03] method set to=108
> Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: enabling possible
> NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
> Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: transition from state
> STATE_MAIN_I1 to state STATE_MAIN_I2
> Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: STATE_MAIN_I2: sent MI2,
> expecting MR2
> Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: received Vendor ID payload
> [Cisco-Unity]
> Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: received Vendor ID payload
> [Dead Peer Detection]
> Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: ignoring unknown Vendor ID
> payload [3c1f79790ca4ddd867fa2623b80ac34b]
> Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: received Vendor ID payload
> [XAUTH]
> Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: NAT-Traversal: Result
> using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
> Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: transition from state
> STATE_MAIN_I2 to state STATE_MAIN_I3
> Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: STATE_MAIN_I3: sent MI3,
> expecting MR3
> Feb  1 10:55:18 box1 pluto[12241]: | protocol/port in Phase 1 ID Payload
> is 17/0. accepted with port_floating NAT-T
> Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #1: Main mode peer ID is
> ID_IPV4_ADDR: '5.6.7.8'
> Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #1: transition from state
> STATE_MAIN_I3 to state STATE_MAIN_I4
> Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #1: STATE_MAIN_I4: ISAKMP SA
> established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
> prf=oakley_sha group=modp1024}
> Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #2: initiating Quick Mode
> PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:6ca6f49a
> proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
> Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #1: ignoring informational
> payload, type NO_PROPOSAL_CHOSEN msgid=00000000
> Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #1: received and ignored
> informational message
> Feb  1 10:56:28 box1 pluto[12241]: "VPNCon" #2: max number of
> retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our
> first Quick Mode message: perhaps peer likes no proposal
> Feb  1 10:56:28 box1 pluto[12241]: "VPNCon" #2: starting keying attempt 2
> of an unlimited number
> Feb  1 10:56:28 box1 pluto[12241]: "VPNCon" #3: initiating Quick Mode
> PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #2 {using isakmp#1
> msgid:91d29c32 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
> Feb  1 10:56:28 box1 pluto[12241]: "VPNCon" #1: ignoring informational
> payload, type NO_PROPOSAL_CHOSEN msgid=00000000
> Feb  1 10:56:28 box1 pluto[12241]: "VPNCon" #1: received and ignored
> informational message
> Feb  1 10:57:38 box1 pluto[12241]: "VPNCon" #3: max number of
> retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our
> first Quick Mode message: perhaps peer likes no proposal
> Feb  1 10:57:38 box1 pluto[12241]: "VPNCon" #3: starting keying attempt 3
> of an unlimited number
> Feb  1 10:57:38 box1 pluto[12241]: "VPNCon" #4: initiating Quick Mode
> PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #3 {using isakmp#1
> msgid:fd01f2eb proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
> Feb  1 10:57:38 box1 pluto[12241]: "VPNCon" #1: ignoring informational
> payload, type NO_PROPOSAL_CHOSEN msgid=00000000
> Feb  1 10:57:38 box1 pluto[12241]: "VPNCon" #1: received and ignored
> informational message
>
> ###################################################
>
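Peter's diagnosis above is that NO_PROPOSAL_CHOSEN in Quick Mode means the Openswan phase 2 proposal (phase2alg plus pfs) and the Cisco transform-set plus "set pfs" do not agree. The following checker is an added example, not code from the thread or from Openswan: it normalizes both sides into (encryption, integrity, DH group) and reports the differences. The algorithm name tables and the constructed Cisco fragment are assumptions modelled on the spellings used in this thread.

```python
import re

# Openswan names as they appear in ike= / phase2alg= (assumed subset).
OPENSWAN_ENC = {"aes": "aes128", "aes128": "aes128", "aes256": "aes256", "3des": "3des"}
OPENSWAN_HASH = {"sha1": "sha1", "sha": "sha1", "md5": "md5"}
OPENSWAN_GROUP = {"modp1024": 2, "modp1536": 5, "modp2048": 14}

# Cisco IOS transform-set spellings mapped onto the same normalized names (assumed).
CISCO_ENC = {"esp-aes": "aes128", "esp-aes 256": "aes256", "esp-3des": "3des"}
CISCO_HASH = {"esp-sha-hmac": "sha1", "esp-md5-hmac": "md5"}

def parse_phase2alg(value):
    """Parse an Openswan string such as 'aes128-sha1;modp2048' into (enc, hash, group)."""
    alg, _, group = value.partition(";")
    enc, _, hash_ = alg.partition("-")
    return (OPENSWAN_ENC[enc], OPENSWAN_HASH[hash_], OPENSWAN_GROUP.get(group))

def parse_cisco_phase2(config):
    """Pull the transform-set and 'set pfs' group out of a Cisco crypto-map fragment."""
    enc = hash_ = group = None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"crypto ipsec transform-set \S+ (esp-\S+(?: 256)?) (esp-\S+-hmac)", line)
        if m:
            enc, hash_ = CISCO_ENC[m.group(1)], CISCO_HASH[m.group(2)]
        m = re.match(r"set pfs group(\d+)", line)
        if m:
            group = int(m.group(1))
    return (enc, hash_, group)

def phase2_mismatches(openswan_phase2alg, openswan_pfs, cisco_config):
    """Return human-readable differences between the two phase 2 proposals."""
    o_enc, o_hash, o_group = parse_phase2alg(openswan_phase2alg)
    c_enc, c_hash, c_group = parse_cisco_phase2(cisco_config)
    if not openswan_pfs:
        o_group = None  # pfs=no: pluto proposes no group (log shows pfsgroup=no-pfs)
    problems = []
    if o_enc != c_enc:
        problems.append(f"encryption: openswan {o_enc} vs cisco {c_enc}")
    if o_hash != c_hash:
        problems.append(f"integrity: openswan {o_hash} vs cisco {c_hash}")
    if o_group != c_group:
        problems.append(f"pfs group: openswan {o_group} vs cisco {c_group}")
    return problems

# Constructed sample mirroring the working Cisco side shown in the thread.
CISCO_SAMPLE = """crypto ipsec transform-set aesset esp-aes esp-sha-hmac
crypto map static-map 15 ipsec-isakmp
 set transform-set aesset
 set pfs group14"""
```

Running `phase2_mismatches("3des-md5;modp1536", False, CISCO_SAMPLE)` against the original poster's settings lists all three fields as mismatched, while Peter's `aes128-sha1;modp2048` with PFS on yields an empty list.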