[Openswan Users] NO_PROPOSAL_CHOSEN error while connecting
Viacheslav Dushin
slava333 at gmail.com
Mon Apr 15 14:59:40 UTC 2013
Hi, I'm trying to create site-to-site connection
My provider sent me the following settings:
>VPN server address – 2.2.2.2
>Client subnet 10.128.139.0/24
>Destiantion subnet - 10.128.0.0/24
>PSK: – XXXXXXXXX
>VPN mode: – tunnel, PSK, 3DES encryption, hash: SHA1, UDP encapsulation
I configured it accordingly, but it doesn't want to connect:
It fails with "NO_PROPOSAL_CHOSEN"
Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: transition from state
STATE_MAIN_I3 to state STATE_MAIN_I4
Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: STATE_MAIN_I4: ISAKMP SA
established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
prf=oakley_sha group=modp1024}
Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #2: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1
msgid:cccf4cf7 proposal=3DES(3)_192-SHA1(2)_160
pfsgroup=OAKLEY_GROUP_MODP1024}
Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: ignoring informational
payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: received and ignored
informational message
Openswan version: Linux Openswan U2.6.38/K3.1.0-1.2-xen (netkey)
1.1.1.123 is my local address
1.1.1.1 is my default gateway
2.2.2.2 is remote server address
Thanks, Slava
See all logs and configs below:
ipsec.conf start
# /etc/ipsec.conf - Openswan IPsec configuration file
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
#interfaces="%defaultroute"
# Do not set debug options to debug configuration issues!
# plutodebug / klipsdebug = "all", "none" or a combation from below:
# "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
# eg:
# plutodebug="control parsing"
# Again: only enable plutodebug or klipsdebug when asked by a developer
#
# enable to get logs per-peer
# plutoopts="--perpeerlog"
#
# Enable core dumps (might require system changes, like ulimit -C)
# This is required for abrtd to work properly
# Note: incorrect SElinux policies might prevent pluto writing the core
dumpdir=/var/run/pluto/
#
# NAT-TRAVERSAL support, see README.NAT-Traversal
nat_traversal=no
# exclude networks used on server side by adding %v4:!a.b.c.0/24
# It seems that T-Mobile in the US and Rogers/Fido in Canada are
# using 25/8 as "private" address space on their 3G network.
# This range has not been announced via BGP (at least upto 2010-12-21)
virtual_private=%v4:
10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
# OE is now off by default. Uncomment and change to on, to enable.
oe=off
# which IPsec stack to use. auto will try netkey, then klips then mast
protostack=netkey
# Use this to log to a file, or disable logging on embedded systems (like
openwrt)
#plutostderrlog=/dev/null
# Add connections here
# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
# # Left security gateway, subnet behind it, nexthop toward right.
# left=10.0.0.1
# leftsubnet=172.16.0.0/24
# leftnexthop=10.22.33.44
# # Right security gateway, subnet behind it, nexthop toward left.
# right=10.12.12.1
# rightsubnet=192.168.0.0/24
# rightnexthop=10.101.102.103
# # To authorize this connection, but not actually start it,
# # at startup, uncomment this.
# #auto=add
conn telphin
left=1.1.1.123 # left for local
leftsubnet=10.128.139.0/24
leftnexthop=%defaultroute
right=2.2.2.2 # right for remote
rightsubnet=10.128.0.0/24
rightnexthop=%defaultroute
type=tunnel
authby=secret
auto=start
auth=esp
keyexchange=ike
ike=3des-sha1-modp1024!
esp=3des-sha1!
pfs=yes
ipsec.conf end
status start
ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 1.1.1.123
000 interface tun0/tun0 10.128.139.1
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 6 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12,
25.0.0.0/8, fd00::/8, fe80::/10
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000 private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40,
keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40,
keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8,
keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384,
keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512,
keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME,
keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,36}
trans={0,2,1536} attrs={0,2,2048}
000
000 "telphin": 10.128.139.0/24===1.1.1.123
<1.1.1.123>---1.1.1.1...1.1.1.1---2.2.2.2<2.2.2.2>===10.128.0.0/24;
prospective erouted; eroute owner: #0
000 "telphin": myip=unset; hisip=unset;
000 "telphin": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0
000 "telphin": policy:
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24;
interface: eth0;
000 "telphin": newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "telphin": IKE algorithms wanted:
3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=strict
000 "telphin": IKE algorithms found:
3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "telphin": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000 "telphin": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000;
flags=strict
000 "telphin": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
000
000 #2: "telphin":500 STATE_QUICK_I1 (sent QI1, expecting QR1);
EVENT_RETRANSMIT in 33s; lastdpd=-1s(seq in:0 out:0); idle; import:admin
initiate
000 #1: "telphin":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 2792s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0);
idle; import:admin initiate
000
status end
log file start
Apr 15 18:34:38 vm12202 ipsec__plutorun: Starting Pluto subsystem...
Apr 15 18:34:38 vm12202 pluto[4039]: Starting Pluto (Openswan Version
2.6.38; Vendor ID OEvy\134kgzWq\134s) pid:4039
Apr 15 18:34:38 vm12202 pluto[4039]: LEAK_DETECTIVE support [disabled]
Apr 15 18:34:38 vm12202 pluto[4039]: OCF support for IKE [disabled]
Apr 15 18:34:38 vm12202 pluto[4039]: SAref support [disabled]: Protocol not
available
Apr 15 18:34:38 vm12202 pluto[4039]: SAbind support [disabled]: Protocol
not available
Apr 15 18:34:38 vm12202 pluto[4039]: NSS support [disabled]
Apr 15 18:34:38 vm12202 pluto[4039]: HAVE_STATSD notification support not
compiled in
Apr 15 18:34:38 vm12202 pluto[4039]: Setting NAT-Traversal port-4500
floating to off
Apr 15 18:34:38 vm12202 pluto[4039]: port floating activation criteria
nat_t=0/port_float=1
Apr 15 18:34:38 vm12202 pluto[4039]: NAT-Traversal support [disabled]
Apr 15 18:34:38 vm12202 pluto[4039]: using /dev/urandom as source of random
entropy
Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)
Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_hash(): Activating
OAKLEY_SHA2_512: Ok (ret=0)
Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_hash(): Activating
OAKLEY_SHA2_256: Ok (ret=0)
Apr 15 18:34:38 vm12202 pluto[4039]: starting up 1 cryptographic helpers
Apr 15 18:34:38 vm12202 pluto[4039]: started helper pid=4041 (fd:6)
Apr 15 18:34:38 vm12202 pluto[4039]: Using Linux 2.6 IPsec interface code
on 3.1.0-1.2-xen (experimental code)
Apr 15 18:34:38 vm12202 pluto[4041]: using /dev/urandom as source of random
entropy
Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_enc(): Activating
aes_ccm_8: Ok (ret=0)
Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_add(): ERROR: algo_type '0',
algo_id '0', Algorithm type already exists
Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_enc(): Activating
aes_ccm_12: FAILED (ret=-17)
Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_add(): ERROR: algo_type '0',
algo_id '0', Algorithm type already exists
Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_enc(): Activating
aes_ccm_16: FAILED (ret=-17)
Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_add(): ERROR: algo_type '0',
algo_id '0', Algorithm type already exists
Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_enc(): Activating
aes_gcm_8: FAILED (ret=-17)
Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_add(): ERROR: algo_type '0',
algo_id '0', Algorithm type already exists
Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_enc(): Activating
aes_gcm_12: FAILED (ret=-17)
Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_add(): ERROR: algo_type '0',
algo_id '0', Algorithm type already exists
Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_enc(): Activating
aes_gcm_16: FAILED (ret=-17)
Apr 15 18:34:38 vm12202 pluto[4039]: added connection description "telphin"
Apr 15 18:34:38 vm12202 pluto[4039]: listening for IKE messages
Apr 15 18:34:38 vm12202 pluto[4039]: adding interface tun0/tun0
10.128.139.1:500
Apr 15 18:34:38 vm12202 pluto[4039]: adding interface eth0/eth0
1.1.1.123:500
Apr 15 18:34:38 vm12202 pluto[4039]: adding interface lo/lo 127.0.0.1:500
Apr 15 18:34:38 vm12202 pluto[4039]: adding interface lo/lo ::1:500
Apr 15 18:34:38 vm12202 pluto[4039]: loading secrets from
"/etc/ipsec.secrets"
Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: initiating Main Mode
Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: STATE_MAIN_I2: sent MI2,
expecting MR2
Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: received Vendor ID
payload [Cisco-Unity]
Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: received Vendor ID
payload [Dead Peer Detection]
Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: ignoring unknown Vendor
ID payload [24f71717df62d1ed92fbaa8e988a9af6]
Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: received Vendor ID
payload [XAUTH]
Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: STATE_MAIN_I3: sent MI3,
expecting MR3
Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: Main mode peer ID is
ID_IPV4_ADDR: '2.2.2.2'
Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: transition from state
STATE_MAIN_I3 to state STATE_MAIN_I4
Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: STATE_MAIN_I4: ISAKMP SA
established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
prf=oakley_sha group=modp1024}
Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #2: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1
msgid:cccf4cf7 proposal=3DES(3)_192-SHA1(2)_160
pfsgroup=OAKLEY_GROUP_MODP1024}
Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: ignoring informational
payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: received and ignored
informational message
log file end
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20130415/c1d72f94/attachment-0001.html>
More information about the Users
mailing list