[Openswan Users] Connecting to Cisco VPN, getting INVALID_ID_INFORMATION followed by "perhaps peer likes no proposal"

Tim McCune tim at mccune.name
Wed Mar 19 16:40:44 EDT 2014


THANK YOU.  That was clearly a piece of the puzzle that I had failed to
wrap my head around: that I needed 2 different connection declarations for
the 2 different hosts, even though they were both routing through the same
VPN appliance.  I am now getting a different error message, which seems
like progress. :)  Now, instead of INVALID_ID_INFORMATION, I'm getting back
NO_PROPOSAL_CHOSEN.  Off to google that message, but if anyone has any
insights into that one as well, I would appreciate it.  Thanks again for
moving me what seems to be one step closer.


On Wed, Mar 19, 2014 at 12:43 PM, simon charles <charlessimon at hotmail.com>wrote:

> Tim ,
>     Based on your ip addressing convention - i am presuming the following
>
> XX.XX.XX.XX is your Server A
> YY.YY.YY.YY is your Server B
> ZZ.ZZ.ZZ.ZZ is your Server C
>
>
> If that is true then the ipsec configuration should look something like
> this
>
>
> conn ServerA-to-ServerB
>   left=XX.XX.XX.XX
>   leftsubnet= XX.XX.XX.XX /32
>   right=CC.CC.CC.CC  ( public ip addr of the Cisco VPN device )
>   rightsubnet= YY.YY.YY.YY /32
>
>   authby=secret
>   auto=start
>   ike=aes128-sha1;modp1024
>   phase2=esp
>   phase2alg=aes128-sha1;modp1024
>   pfs=yes
>   aggrmode=no
>   salifetime=28800s
>
>
>
>
>
>
> conn ServerA-to-ServerC
>   left=XX.XX.XX.XX
>   leftsubnet= XX.XX.XX.XX /32
>   right=CC.CC.CC.CC  ( public ip addr of the Cisco VPN device )
>   rightsubnet= ZZ.ZZ.ZZ.ZZ/32
>
>   authby=secret
>   auto=start
>   ike=aes128-sha1;modp1024
>   phase2=esp
>   phase2alg=aes128-sha1;modp1024
>   pfs=yes
>   aggrmode=no
>   salifetime=28800s
>
>
>
> - Simon Charles -
>
>
> ------------------------------
> Date: Wed, 19 Mar 2014 12:24:58 -0700
> Subject: Re: [Openswan Users] Connecting to Cisco VPN, getting
> INVALID_ID_INFORMATION followed by "perhaps peer likes no proposal"
> From: tim at mccune.name
> To: charlessimon at hotmail.com
> CC: users at lists.openswan.org
>
>
> Thanks Simon.  This seems like a reasonable guess based on other stuff
> I've found while searching online.  However, I have to confess that I just
> don't understand how to translate from what I've pasted from the Cisco
> configuration into an openswan config.  Here is the network topology that
> we are trying to accomplish:
>
>
>       ---->[Customer Server B]
> [My Server A (running openswan)] <-------> [Customer Cisco VPN appliance]
> -----|
>
>       ---->[Customer Server C]
>
> Where all 4 of the servers in that diagram have public IP addresses.  What
> would the rightsubnet and leftsubnet settings on the openswan side need to
> be in a case like that?  I'm confused because we are not trying to reach a
> private network.  We just want to tell our server "when communicating with
> server B and server C, use the ipsec tunnel."
>
>
> On Wed, Mar 19, 2014 at 11:44 AM, simon charles <charlessimon at hotmail.com>wrote:
>
> Tim ,
>     I did not see the rightsubnet and leftsubnet listed in your ipsec
> configuration. It is possible that you have a mismatch between what you
> have for your leftsubnet/rightsubnet and what Cisco side has for its
> access-list 127 ( which is  a translation of {local subnet} { remote subnet
> } )
>
>
>
>
> - Simon Charles -
>
>
> ------------------------------
> Date: Wed, 19 Mar 2014 09:52:12 -0700
> From: tim at mccune.name
> To: users at lists.openswan.org
> Subject: [Openswan Users] Connecting to Cisco VPN, getting
> INVALID_ID_INFORMATION followed by "perhaps peer likes no proposal"
>
>
> Hi there.  I was wondering if anyone could help me out with this problem
> I'm having trying to connect from openswan 2.6.38 on Ubuntu Lucid to a
> Cisco VPN appliance.  I don't seem to be able to establish a connection.
> Here is the output I get in pluto.log:
>
> "mine" #1: initiating Main Mode
> "mine" #1: ignoring Vendor ID payload [Cisco IKE Fragmentation]
> "mine" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> "mine" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> "mine" #1: received Vendor ID payload [Cisco-Unity]
> "mine" #1: received Vendor ID payload [XAUTH]
> "mine" #1: ignoring unknown Vendor ID payload
> [716e44df1a91b4edaffa5ff96dd22125]
> "mine" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
> "mine" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> "mine" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> "mine" #1: received Vendor ID payload [Dead Peer Detection]
> "mine" #1: Main mode peer ID is ID_IPV4_ADDR: 'XX.XX.XX.XX'
> "mine" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> "mine" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
> cipher=aes_128 prf=oakley_sha group=modp1024}
> "mine" #2: initiating Quick Mode
> PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1
> msgid:c359ad28 proposal=AES(12)_128-SHA1(2)_160
> pfsgroup=OAKLEY_GROUP_MODP1024}
> "mine" #1: ignoring informational payload, type INVALID_ID_INFORMATION
> msgid=00000000
> "mine" #1: received and ignored informational message
> "mine" #1: received Delete SA payload: deleting ISAKMP State #1
> packet from 80.87.94.106:500: received and ignored informational message
> "mine" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No
> acceptable response to our first Quick Mode message: perhaps peer likes no
> proposal
> "mine" #2: starting keying attempt 2 of an unlimited number
>
> and this output just repeats over and over.  As far as I can tell, we are
> sending all of the correct parameters in our proposal, based on the
> configuration information we have been given by the organization that
> maintains the Cisco appliance.  Here is what they provided us with:
>
> Phase 1:
> Encryption scheme: IKE
> Authentication Method: Pre-Shared Key
> Diffie-Hellman Group: Group 2
> Encryption Algorithm: AES128
> Hashing Algorithm: SHA-1
> Main or Aggressive Mode: Main Mode
> Lifetime (for renegotiation): 28800 seconds
>
> Phase 2:
> Encapsulation mode: tunnel
> Encryption algorithm ESP: AES128
> Authentication Algorithm: SHA-1
> Perfect Forward Secrecy: Group 2
> Lifetime (for renegotiation): 3600 seconds
>
> Here is the configuration on our end in ipsec.conf:
>
> conn mine
>   left=XX.XX.XX.XX
>   right=XX.XX.XX.XX
>   authby=secret
>   auto=start
>   ike=aes128-sha1;modp1024
>   phase2=esp
>   phase2alg=aes128-sha1;modp1024
>   pfs=yes
>   aggrmode=no
>   salifetime=28800s
>
>
> And here is the configuration on their end on the Cisco appliance:
>
> crypto ipsec transform-set MyOrg esp-aes esp-sha-hmac
> crypto map gtvpn-rules 127 match address 127
> crypto map gtvpn-rules 127 set pfs group2
>
> crypto map gtvpn-rules 127 set peer XX.XX.XX.XX
> crypto map gtvpn-rules 127 set transform-set MyOrg
> crypto map gtvpn-rules 127 set security-association lifetime seconds 3600
>
> tunnel-group XX.XX.XX.XX type ipsec-l2l
> tunnel-group XX.XX.XX.XX ipsec-attributes
> pre-shared-key xxxxxxxx
>
> access-list 127 extended permit ip host YY.YY.YY.YY host XX.XX.XX.XX
> access-list 127 extended permit ip host ZZ.ZZ.ZZ.ZZ host XX.XX.XX.XX
>
> Any guidance would be appreciated.
>
> Thank you!!
>
> _______________________________________________ Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users Micropayments:
> https://flattr.com/thing/38387/IPsec-for-Linux-made-easy Building and
> Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20140319/c6240f24/attachment.html>


More information about the Users mailing list