[Openswan Users] NO_PROPOSAL_CHOSEN error while connecting

Simon Deziel simon at xelerance.com
Tue Apr 16 20:20:04 UTC 2013


On 13-04-16 10:32 AM, Viacheslav Dushin wrote:
> I realized that the problem is somewhere here:
>>000 "telphin":   IKE algorithms wanted:
> 3DES_CBC(5)_000-SHA1(2)_000-MODP1536(5),
> 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=-strict
>>000 "telphin":   IKE algorithms found:
>  3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5)3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
>>000 "telphin":   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
>>000 "telphin":   ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000;
> flags=-strict
>>000 "telphin":   ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
> 
> But I still don't understand how to strictly specify the algorithms it
> needs.

For strict algo selection you can use something like if PFS is desired:

 ike=3des-sha1;modp1024
 phase2alg=3des-sha1;modp1024

Or this for no PFS:

 ike=3des-sha1;modp1024
 phase2alg=3des-sha1

The usage of "pfs" and "esp" is deprecated and should be replaced by the
above. See man 5 ipsec.conf for all the details.

Regards,
Simon

> 2013/4/16 Viacheslav Dushin <slava333 at gmail.com <mailto:slava333 at gmail.com>>
> 
>     Hi, everybody.
>     First of all, thanks for the answers
> 
>     I also have some stupid questions: what does all these states mean?
>     What is the last state after establishing a connection?
> 
>     In some tutorials PKS is inside brackets, but on in the other ones
>     it's without them. Which one is correct? My PKS contains letters and
>     numbers only:
> 
>     my /etc/ipsec.secrets file
> 
> 
>     # this file is managed with debconf and will contain the
>     automatically created RSA keys
>     #include /var/lib/openswan/ipsec.secrets.inc
> 
>     1.1.1.123 2.2.2.2 <http://2.2.2.2>: PSK XXXXXX 
> 
>     /etc/ipsec.secrets file ends
> 
>     Also does anybody have succeeded in using openswan on XEN VPS and/or
>     Cisco-Unity? Maybe the problem is in XEN or Cisco-Unity.
> 
>     I'll keep digging.
> 
>     Thanks, Slava
> 
>     2013/4/16 Simon Deziel <simon at xelerance.com
>     <mailto:simon at xelerance.com>>
>     > Hi Slava,
>     > 
>     > On 13-04-15 10:59 AM, Viacheslav Dushin wrote:
>     > > Hi, I'm trying to create site-to-site connection
>     > >
>     > >
>     > > My provider sent me the following settings:
>     > >
>     > >>VPN server address – 2.2.2.2
>     > >>Client subnet 10.128.139.0/24 <http://10.128.139.0/24>
>     <http://10.128.139.0/24>
>     > >>Destiantion subnet - 10.128.0.0/24 <http://10.128.0.0/24>
>     <http://10.128.0.0/24>
>     > >>PSK: – XXXXXXXXX
>     > >>VPN mode: – tunnel, PSK, 3DES encryption, hash: SHA1,  UDP
>     encapsulation
>     > 
>     > UDP encapsulation means you should enable nat_traversal and might also
>     > need to use "forceencaps=yes" for the connection. You might also
>     need to
>     > disable PFS but this should be confirmed with the remote side.
>     > 
>     > HTH,
>     > Simon
> 
>     What if I don't need nat traversal? I have no NAT on my server. Or
>     is it my provider, who is behind NAT?
> 
> 
>     2013/4/15 Gertjan Baarda <gertjan.baarda at gmail.com
>     <mailto:gertjan.baarda at gmail.com>>
>     > This message can appear for various reasons, most likely both
>     sides can't agree on the IKE params.
>     > Try:
>     > pfs=no
>     > ike=3des-sha1-modp1024
>     > esp=3des-sha1
>     > (notice the removed exclamation point)
>     > 
>     > or else:
>     > pfs=no
>     > ike=3des-sha1
>     > esp=3des-sha1
> 
>     Still the same: with modp1024 or without it hangs on STATE_MAIN_I4
> 
> 
>     2013/4/15 Leto <letoams at gmail.com <mailto:letoams at gmail.com>>
>     > try modp1536 and/or pfs=no
>     > 
>     > sent from a tiny device
>     In case of modp1536 or modp2048 it hangs on the first stage
>      (STATE_MAIN_I1)
> 
> 
> 
>     2013/4/16 Simon Deziel <simon at xelerance.com
>     <mailto:simon at xelerance.com>>
> 
>         Hi Slava,
> 
>         On 13-04-15 10:59 AM, Viacheslav Dushin wrote:
>         > Hi, I'm trying to create site-to-site connection
>         >
>         >
>         > My provider sent me the following settings:
>         >
>         >>VPN server address – 2.2.2.2
>         >>Client subnet 10.128.139.0/24 <http://10.128.139.0/24>
>         <http://10.128.139.0/24>
>         >>Destiantion subnet - 10.128.0.0/24 <http://10.128.0.0/24>
>         <http://10.128.0.0/24>
>         >>PSK: – XXXXXXXXX
>         >>VPN mode: – tunnel, PSK, 3DES encryption, hash: SHA1,  UDP
>         encapsulation
> 
>         UDP encapsulation means you should enable nat_traversal and
>         might also
>         need to use "forceencaps=yes" for the connection. You might also
>         need to
>         disable PFS but this should be confirmed with the remote side.
> 
>         HTH,
>         Simon
> 
>         > I configured it accordingly, but it doesn't want to connect:
>         >
>         > It fails with "NO_PROPOSAL_CHOSEN"
>         >
>         > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: transition
>         from state
>         > STATE_MAIN_I3 to state STATE_MAIN_I4
>         > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1:
>         STATE_MAIN_I4: ISAKMP
>         > SA established {auth=OAKLEY_PRESHARED_KEY
>         cipher=oakley_3des_cbc_192
>         > prf=oakley_sha group=modp1024}
>         > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #2: initiating
>         Quick Mode
>         > PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1
>         > msgid:cccf4cf7 proposal=3DES(3)_192-SHA1(2)_160
>         > pfsgroup=OAKLEY_GROUP_MODP1024}
>         > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: ignoring
>         > informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
>         > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: received
>         and ignored
>         > informational message
>         >
>         >
>         > Openswan version: Linux Openswan U2.6.38/K3.1.0-1.2-xen (netkey)
>         >
>         >
>         > 1.1.1.123 is my local address
>         > 1.1.1.1 is my default gateway
>         > 2.2.2.2 is remote server address
>         >
>         >
>         > Thanks, Slava
>         >
>         >
>         > See all logs and configs below:
>         >
>         >
>         > ipsec.conf start
>         >
>         >
>         > # /etc/ipsec.conf - Openswan IPsec configuration file
>         >
>         > # This file:  /usr/share/doc/openswan/ipsec.conf-sample
>         > #
>         > # Manual:     ipsec.conf.5
>         >
>         >
>         > version2.0# conforms to second version of ipsec.conf specification
>         >
>         > # basic configuration
>         > config setup
>         >         #interfaces="%defaultroute"
>         > # Do not set debug options to debug configuration issues!
>         > # plutodebug / klipsdebug = "all", "none" or a combation from
>         below:
>         > # "raw crypt parsing emitting control klips pfkey natt x509
>         dpd private"
>         > # eg:
>         > # plutodebug="control parsing"
>         > # Again: only enable plutodebug or klipsdebug when asked by a
>         developer
>         > #
>         > # enable to get logs per-peer
>         > # plutoopts="--perpeerlog"
>         > #
>         > # Enable core dumps (might require system changes, like ulimit -C)
>         > # This is required for abrtd to work properly
>         > # Note: incorrect SElinux policies might prevent pluto writing
>         the core
>         > dumpdir=/var/run/pluto/
>         > #
>         > # NAT-TRAVERSAL support, see README.NAT-Traversal
>         > nat_traversal=no
>         > # exclude networks used on server side by adding %v4:!a.b.c.0/24
>         > # It seems that T-Mobile in the US and Rogers/Fido in Canada are
>         > # using 25/8 as "private" address space on their 3G network.
>         > # This range has not been announced via BGP (at least upto
>         2010-12-21)
>         >
>         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
>         <http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10>
>         >
>         <http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10>
>         > # OE is now off by default. Uncomment and change to on, to enable.
>         > oe=off
>         > # which IPsec stack to use. auto will try netkey, then klips
>         then mast
>         > protostack=netkey
>         > # Use this to log to a file, or disable logging on embedded
>         systems
>         > (like openwrt)
>         > #plutostderrlog=/dev/null
>         >
>         >
>         > # Add connections here
>         >
>         > # sample VPN connection
>         > # for more examples, see /etc/ipsec.d/examples/
>         > #conn sample
>         > ## Left security gateway, subnet behind it, nexthop toward right.
>         > #left=10.0.0.1
>         > #leftsubnet=172.16.0.0/24 <http://172.16.0.0/24>
>         <http://172.16.0.0/24>
>         > #leftnexthop=10.22.33.44
>         > ## Right security gateway, subnet behind it, nexthop toward left.
>         > #right=10.12.12.1
>         > #rightsubnet=192.168.0.0/24 <http://192.168.0.0/24>
>         <http://192.168.0.0/24>
>         > #rightnexthop=10.101.102.103
>         > ## To authorize this connection, but not actually start it,
>         > ## at startup, uncomment this.
>         > ##auto=add
>         >
>         >
>         > conn telphin
>         >                left=1.1.1.123 # left for local
>         >                leftsubnet=10.128.139.0/24
>         <http://10.128.139.0/24> <http://10.128.139.0/24>
>         >                leftnexthop=%defaultroute
>         >                right=2.2.2.2 # right for remote
>         >                rightsubnet=10.128.0.0/24
>         <http://10.128.0.0/24> <http://10.128.0.0/24>
>         >                rightnexthop=%defaultroute
>         >                type=tunnel
>         >                authby=secret
>         >                auto=start
>         >                auth=esp
>         >               keyexchange=ike
>         >               ike=3des-sha1-modp1024!
>         >               esp=3des-sha1!
>         >               pfs=yes
>         >
>         > ipsec.conf end
>         >
>         >
>         > status start
>         >
>         > ipsec auto --status
>         > 000 using kernel interface: netkey
>         > 000 interface lo/lo ::1
>         > 000 interface lo/lo 127.0.0.1
>         > 000 interface eth0/eth0 1.1.1.123
>         > 000 interface tun0/tun0 10.128.139.1
>         > 000 %myid = (none)
>         > 000 debug none
>         > 000
>         > 000 virtual_private (%priv):
>         > 000 - allowed 6 subnets: 10.0.0.0/8 <http://10.0.0.0/8>
>         <http://10.0.0.0/8>, 192.168.0.0/16 <http://192.168.0.0/16>
>         > <http://192.168.0.0/16>, 172.16.0.0/12 <http://172.16.0.0/12>
>         <http://172.16.0.0/12>,
>         > 25.0.0.0/8 <http://25.0.0.0/8> <http://25.0.0.0/8>, fd00::/8,
>         fe80::/10
>         > 000 - disallowed 0 subnets:
>         > 000 WARNING: Disallowed subnets in virtual_private= is empty.
>         If you have
>         > 000          private address space in internal use, it should
>         be excluded!
>         > 000
>         > 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8,
>         keysizemin=64,
>         > keysizemax=64
>         > 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8,
>         keysizemin=192,
>         > keysizemax=192
>         > 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8,
>         keysizemin=40,
>         > keysizemax=128
>         > 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
>         > keysizemin=40, keysizemax=448
>         > 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0,
>         keysizemin=0,
>         > keysizemax=0
>         > 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8,
>         keysizemin=128,
>         > keysizemax=256
>         > 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8,
>         > keysizemin=160, keysizemax=288
>         > 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8,
>         > keysizemin=128, keysizemax=256
>         > 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8,
>         > keysizemin=128, keysizemax=256
>         > 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8,
>         > keysizemin=128, keysizemax=256
>         > 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8,
>         > keysizemin=128, keysizemax=256
>         > 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8,
>         > keysizemin=128, keysizemax=256
>         > 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8,
>         > keysizemin=128, keysizemax=256
>         > 000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8,
>         > keysizemin=128, keysizemax=256
>         > 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
>         > keysizemin=128, keysizemax=256
>         > 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
>         > keysizemin=128, keysizemax=256
>         > 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
>         > keysizemin=128, keysizemax=128
>         > 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
>         > keysizemin=160, keysizemax=160
>         > 000 algorithm ESP auth attr: id=5,
>         name=AUTH_ALGORITHM_HMAC_SHA2_256,
>         > keysizemin=256, keysizemax=256
>         > 000 algorithm ESP auth attr: id=6,
>         name=AUTH_ALGORITHM_HMAC_SHA2_384,
>         > keysizemin=384, keysizemax=384
>         > 000 algorithm ESP auth attr: id=7,
>         name=AUTH_ALGORITHM_HMAC_SHA2_512,
>         > keysizemin=512, keysizemax=512
>         > 000 algorithm ESP auth attr: id=8,
>         name=AUTH_ALGORITHM_HMAC_RIPEMD,
>         > keysizemin=160, keysizemax=160
>         > 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
>         > keysizemin=128, keysizemax=128
>         > 000 algorithm ESP auth attr: id=251,
>         name=AUTH_ALGORITHM_NULL_KAME,
>         > keysizemin=0, keysizemax=0
>         > 000
>         > 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16,
>         keydeflen=131
>         > 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC,
>         blocksize=8,
>         > keydeflen=192
>         > 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC,
>         blocksize=16,
>         > keydeflen=128
>         > 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
>         > 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
>         > 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
>         > 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
>         > 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024,
>         bits=1024
>         > 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536,
>         bits=1536
>         > 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048,
>         bits=2048
>         > 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072,
>         bits=3072
>         > 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096,
>         bits=4096
>         > 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144,
>         bits=6144
>         > 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192,
>         bits=8192
>         > 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22,
>         bits=1024
>         > 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23,
>         bits=2048
>         > 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24,
>         bits=2048
>         > 000
>         > 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,36}
>         > trans={0,2,1536} attrs={0,2,2048}
>         > 000
>         > 000 "telphin": 10.128.139.0/24===1.1.1.123
>         <http://10.128.139.0/24===1.1.1.123>
>         >
>         <http://10.128.139.0/24===1.1.1.123><1.1.1.123>---1.1.1.1...1.1.1.1---2.2.2.2<2.2.2.2>===10.128.0.0/24
>         <http://10.128.0.0/24>
>         > <http://10.128.0.0/24>; prospective erouted; eroute owner: #0
>         > 000 "telphin":     myip=unset; hisip=unset;
>         > 000 "telphin":   ike_life: 3600s; ipsec_life: 28800s;
>         rekey_margin:
>         > 540s; rekey_fuzz: 100%; keyingtries: 0
>         > 000 "telphin":   policy:
>         > PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD;
>         prio: 24,24;
>         > interface: eth0;
>         > 000 "telphin":   newest ISAKMP SA: #1; newest IPsec SA: #0;
>         > 000 "telphin":   IKE algorithms wanted:
>         > 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=strict
>         > 000 "telphin":   IKE algorithms found:
>         >  3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
>         > 000 "telphin":   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
>         > 000 "telphin":   ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000;
>         > flags=strict
>         > 000 "telphin":   ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
>         > 000
>         > 000 #2: "telphin":500 STATE_QUICK_I1 (sent QI1, expecting QR1);
>         > EVENT_RETRANSMIT in 33s; lastdpd=-1s(seq in:0 out:0); idle;
>         import:admin
>         > initiate
>         > 000 #1: "telphin":500 STATE_MAIN_I4 (ISAKMP SA established);
>         > EVENT_SA_REPLACE in 2792s; newest ISAKMP; lastdpd=-1s(seq in:0
>         out:0);
>         > idle; import:admin initiate
>         > 000
>         >
>         > status end
>         >
>         >
>         > log file start
>         >
>         > Apr 15 18:34:38 vm12202 ipsec__plutorun: Starting Pluto
>         subsystem...
>         > Apr 15 18:34:38 vm12202 pluto[4039]: Starting Pluto (Openswan
>         Version
>         > 2.6.38; Vendor ID OEvy\134kgzWq\134s) pid:4039
>         > Apr 15 18:34:38 vm12202 pluto[4039]: LEAK_DETECTIVE support
>         [disabled]
>         > Apr 15 18:34:38 vm12202 pluto[4039]: OCF support for IKE
>         [disabled]
>         > Apr 15 18:34:38 vm12202 pluto[4039]: SAref support [disabled]:
>         Protocol
>         > not available
>         > Apr 15 18:34:38 vm12202 pluto[4039]: SAbind support
>         [disabled]: Protocol
>         > not available
>         > Apr 15 18:34:38 vm12202 pluto[4039]: NSS support [disabled]
>         > Apr 15 18:34:38 vm12202 pluto[4039]: HAVE_STATSD notification
>         support
>         > not compiled in
>         > Apr 15 18:34:38 vm12202 pluto[4039]: Setting NAT-Traversal
>         port-4500
>         > floating to off
>         > Apr 15 18:34:38 vm12202 pluto[4039]:    port floating activation
>         > criteria nat_t=0/port_float=1
>         > Apr 15 18:34:38 vm12202 pluto[4039]:    NAT-Traversal support
>          [disabled]
>         > Apr 15 18:34:38 vm12202 pluto[4039]: using /dev/urandom as
>         source of
>         > random entropy
>         > Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_enc():
>         Activating
>         > OAKLEY_AES_CBC: Ok (ret=0)
>         > Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_hash():
>         Activating
>         > OAKLEY_SHA2_512: Ok (ret=0)
>         > Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_hash():
>         Activating
>         > OAKLEY_SHA2_256: Ok (ret=0)
>         > Apr 15 18:34:38 vm12202 pluto[4039]: starting up 1
>         cryptographic helpers
>         > Apr 15 18:34:38 vm12202 pluto[4039]: started helper pid=4041
>         (fd:6)
>         > Apr 15 18:34:38 vm12202 pluto[4039]: Using Linux 2.6 IPsec
>         interface
>         > code on 3.1.0-1.2-xen (experimental code)
>         > Apr 15 18:34:38 vm12202 pluto[4041]: using /dev/urandom as
>         source of
>         > random entropy
>         > Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_enc():
>         Activating
>         > aes_ccm_8: Ok (ret=0)
>         > Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_add(): ERROR:
>         algo_type
>         > '0', algo_id '0', Algorithm type already exists
>         > Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_enc():
>         Activating
>         > aes_ccm_12: FAILED (ret=-17)
>         > Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_add(): ERROR:
>         algo_type
>         > '0', algo_id '0', Algorithm type already exists
>         > Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_enc():
>         Activating
>         > aes_ccm_16: FAILED (ret=-17)
>         > Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_add(): ERROR:
>         algo_type
>         > '0', algo_id '0', Algorithm type already exists
>         > Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_enc():
>         Activating
>         > aes_gcm_8: FAILED (ret=-17)
>         > Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_add(): ERROR:
>         algo_type
>         > '0', algo_id '0', Algorithm type already exists
>         > Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_enc():
>         Activating
>         > aes_gcm_12: FAILED (ret=-17)
>         > Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_add(): ERROR:
>         algo_type
>         > '0', algo_id '0', Algorithm type already exists
>         > Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_enc():
>         Activating
>         > aes_gcm_16: FAILED (ret=-17)
>         > Apr 15 18:34:38 vm12202 pluto[4039]: added connection
>         description "telphin"
>         > Apr 15 18:34:38 vm12202 pluto[4039]: listening for IKE messages
>         > Apr 15 18:34:38 vm12202 pluto[4039]: adding interface tun0/tun0
>         > 10.128.139.1:500 <http://10.128.139.1:500>
>         <http://10.128.139.1:500>
>         > Apr 15 18:34:38 vm12202 pluto[4039]: adding interface eth0/eth0
>         > 1.1.1.123:500 <http://1.1.1.123:500> <http://1.1.1.123:500>
>         > Apr 15 18:34:38 vm12202 pluto[4039]: adding interface lo/lo
>         > 127.0.0.1:500 <http://127.0.0.1:500> <http://127.0.0.1:500>
>         > Apr 15 18:34:38 vm12202 pluto[4039]: adding interface lo/lo
>         ::1:500
>         > Apr 15 18:34:38 vm12202 pluto[4039]: loading secrets from
>         > "/etc/ipsec.secrets"
>         > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: initiating
>         Main Mode
>         > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: transition
>         from state
>         > STATE_MAIN_I1 to state STATE_MAIN_I2
>         > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1:
>         STATE_MAIN_I2: sent
>         > MI2, expecting MR2
>         > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: received
>         Vendor ID
>         > payload [Cisco-Unity]
>         > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: received
>         Vendor ID
>         > payload [Dead Peer Detection]
>         > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: ignoring
>         unknown
>         > Vendor ID payload [24f71717df62d1ed92fbaa8e988a9af6]
>         > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: received
>         Vendor ID
>         > payload [XAUTH]
>         > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: transition
>         from state
>         > STATE_MAIN_I2 to state STATE_MAIN_I3
>         > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1:
>         STATE_MAIN_I3: sent
>         > MI3, expecting MR3
>         > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: Main mode
>         peer ID is
>         > ID_IPV4_ADDR: '2.2.2.2'
>         > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: transition
>         from state
>         > STATE_MAIN_I3 to state STATE_MAIN_I4
>         > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1:
>         STATE_MAIN_I4: ISAKMP
>         > SA established {auth=OAKLEY_PRESHARED_KEY
>         cipher=oakley_3des_cbc_192
>         > prf=oakley_sha group=modp1024}
>         > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #2: initiating
>         Quick Mode
>         > PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1
>         > msgid:cccf4cf7 proposal=3DES(3)_192-SHA1(2)_160
>         > pfsgroup=OAKLEY_GROUP_MODP1024}
>         > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: ignoring
>         > informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
>         > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: received
>         and ignored
>         > informational message
>         >
>         > log file end
>         >
>         >
>         > _______________________________________________
>         > Users at lists.openswan.org <mailto:Users at lists.openswan.org>
>         > https://lists.openswan.org/mailman/listinfo/users
>         > Micropayments:
>         https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>         > Building and Integrating Virtual Private Networks with Openswan:
>         >
>         http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>         >
> 
>         _______________________________________________
>         Users at lists.openswan.org <mailto:Users at lists.openswan.org>
>         https://lists.openswan.org/mailman/listinfo/users
>         Micropayments:
>         https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>         Building and Integrating Virtual Private Networks with Openswan:
>         http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> 
> 
> 
> 
> 
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> 



More information about the Users mailing list