[Openswan Users] Connecting to Cisco VPN, getting INVALID_ID_INFORMATION followed by "perhaps peer likes no proposal"
Tim McCune
tim at mccune.name
Wed Mar 19 18:32:43 EDT 2014
Looks like the FAILED status was a red herring. I have bastille installed
on this device, and stopped it to see if that made any difference in being
able to reach YY.YY.YY.YY (it didn't), but when I restarted bastille,
"ipsec verify" no longer showed a FAILED status for IP forwarding. Still
unable to reach YY.YY.YY.YY.
On Wed, Mar 19, 2014 at 3:10 PM, Tim McCune <tim at mccune.name> wrote:
> # ping YY.YY.YY.YY -I XX.XX.XX.XX
> PING YY.YY.YY.YY (YY.YY.YY.YY) from XX.XX.XX.XX : 56(84) bytes of data.
> ^C
> --- YY.YY.YY.YY ping statistics ---
> 17 packets transmitted, 0 received, 100% packet loss, time 16003ms
>
> Not pingable. Also of note, when I run "ipsec verify", I get a "FAILED"
> status for "Two or more interfaces found, checking IP forwarding".
> However, "cat /proc/sys/net/ipv4/ip_forward" outputs "1". I don't know why
> I'm getting back a FAILED status, or if this is the reason that I can't
> reach YY.YY.YY.YY. I was previously running an older version of openswan
> on this machine (2.6.23), and I didn't get the FAILED status from that. It
> only started occurring after I upgraded to 2.6.38.
>
>
> On Wed, Mar 19, 2014 at 2:52 PM, simon charles <charlessimon at hotmail.com> wrote:
>
>> Tim,
>> Looks like the VPN tunnel has been established. What do your
>> firewall rules look like on XX.XX.XX.XX and YY.YY.YY.YY?
>>
>> What happens when you execute this command from the XX.XX.XX.XX server?
>>
>>
>> # ping YY.YY.YY.YY -I XX.XX.XX.XX
>>
>> - Simon Charles -
>>
>>
>> ------------------------------
>> Date: Wed, 19 Mar 2014 14:30:51 -0700
>>
>> Subject: Re: [Openswan Users] Connecting to Cisco VPN, getting
>> INVALID_ID_INFORMATION followed by "perhaps peer likes no proposal"
>> From: tim at mccune.name
>> To: charlessimon at hotmail.com
>> CC: users at lists.openswan.org
>>
>> Progress! I just went back into ipsec.conf and removed all of the
>> additional settings that I had been trying to experiment with, until I just
>> had a very basic configuration:
>>
>> conn server-a
>>     left=XX.XX.XX.XX
>>     right=CC.CC.CC.CC
>>     rightsubnet=YY.YY.YY.YY/32
>>     authby=secret
>>     auto=start
>>
>> Now I can ping CC.CC.CC.CC and my pluto.log file ends with:
>> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
>> {ESP=>0xd574cb40 <0xb49adebe xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none
>> DPD=none}
>>
>> However, I cannot seem to reach the port that is supposed to be open on
>> YY.YY.YY.YY.
>>
>> On Wed, Mar 19, 2014 at 1:40 PM, Tim McCune <tim at mccune.name> wrote:
>>
>> THANK YOU. That was clearly a piece of the puzzle that I had failed to
>> wrap my head around: that I needed 2 different connection declarations for
>> the 2 different hosts, even though they were both routing through the same
>> VPN appliance. I am now getting a different error message, which seems
>> like progress. :) Now, instead of INVALID_ID_INFORMATION, I'm getting back
>> NO_PROPOSAL_CHOSEN. Off to google that message, but if anyone has any
>> insights into that one as well, I would appreciate it. Thanks again for
>> moving me what seems to be one step closer.
>>
>>
>> On Wed, Mar 19, 2014 at 12:43 PM, simon charles <charlessimon at hotmail.com> wrote:
>>
>> Tim,
>> Based on your IP addressing convention, I am presuming the following:
>>
>> XX.XX.XX.XX is your Server A
>> YY.YY.YY.YY is your Server B
>> ZZ.ZZ.ZZ.ZZ is your Server C
>>
>>
>> If that is true then the ipsec configuration should look something like
>> this
>>
>>
>> conn ServerA-to-ServerB
>>     left=XX.XX.XX.XX
>>     leftsubnet=XX.XX.XX.XX/32
>>     # public IP address of the Cisco VPN device
>>     right=CC.CC.CC.CC
>>     rightsubnet=YY.YY.YY.YY/32
>>     authby=secret
>>     auto=start
>>     ike=aes128-sha1;modp1024
>>     phase2=esp
>>     phase2alg=aes128-sha1;modp1024
>>     pfs=yes
>>     aggrmode=no
>>     salifetime=28800s
>>
>> conn ServerA-to-ServerC
>>     left=XX.XX.XX.XX
>>     leftsubnet=XX.XX.XX.XX/32
>>     # public IP address of the Cisco VPN device
>>     right=CC.CC.CC.CC
>>     rightsubnet=ZZ.ZZ.ZZ.ZZ/32
>>     authby=secret
>>     auto=start
>>     ike=aes128-sha1;modp1024
>>     phase2=esp
>>     phase2alg=aes128-sha1;modp1024
>>     pfs=yes
>>     aggrmode=no
>>     salifetime=28800s
>>
>> - Simon Charles -
>>
>>
>> ------------------------------
>> Date: Wed, 19 Mar 2014 12:24:58 -0700
>> Subject: Re: [Openswan Users] Connecting to Cisco VPN, getting
>> INVALID_ID_INFORMATION followed by "perhaps peer likes no proposal"
>> From: tim at mccune.name
>> To: charlessimon at hotmail.com
>> CC: users at lists.openswan.org
>>
>>
>> Thanks Simon. This seems like a reasonable guess based on other stuff
>> I've found while searching online. However, I have to confess that I just
>> don't understand how to translate from what I've pasted from the Cisco
>> configuration into an openswan config. Here is the network topology that
>> we are trying to accomplish:
>>
>>
>>                                                                          ---->[Customer Server B]
>> [My Server A (running openswan)] <-------> [Customer Cisco VPN appliance] ----|
>>                                                                          ---->[Customer Server C]
>>
>> Where all 4 of the servers in that diagram have public IP addresses.
>> What would the rightsubnet and leftsubnet settings on the openswan side
>> need to be in a case like that? I'm confused because we are not trying to
>> reach a private network. We just want to tell our server "when
>> communicating with server B and server C, use the ipsec tunnel."
>>
>>
>> On Wed, Mar 19, 2014 at 11:44 AM, simon charles <charlessimon at hotmail.com> wrote:
>>
>> Tim ,
>> I did not see the rightsubnet and leftsubnet listed in your ipsec
>> configuration. It is possible that you have a mismatch between what you
>> have for your leftsubnet/rightsubnet and what the Cisco side has for its
>> access-list 127 (which is a translation of {local subnet} {remote subnet}).
>>
>> - Simon Charles -
>>
>>
>> ------------------------------
>> Date: Wed, 19 Mar 2014 09:52:12 -0700
>> From: tim at mccune.name
>> To: users at lists.openswan.org
>> Subject: [Openswan Users] Connecting to Cisco VPN, getting
>> INVALID_ID_INFORMATION followed by "perhaps peer likes no proposal"
>>
>>
>> Hi there. I was wondering if anyone could help me out with this problem
>> I'm having trying to connect from openswan 2.6.38 on Ubuntu Lucid to a
>> Cisco VPN appliance. I don't seem to be able to establish a connection.
>> Here is the output I get in pluto.log:
>>
>> "mine" #1: initiating Main Mode
>> "mine" #1: ignoring Vendor ID payload [Cisco IKE Fragmentation]
>> "mine" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
>> "mine" #1: STATE_MAIN_I2: sent MI2, expecting MR2
>> "mine" #1: received Vendor ID payload [Cisco-Unity]
>> "mine" #1: received Vendor ID payload [XAUTH]
>> "mine" #1: ignoring unknown Vendor ID payload
>> [716e44df1a91b4edaffa5ff96dd22125]
>> "mine" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
>> "mine" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
>> "mine" #1: STATE_MAIN_I3: sent MI3, expecting MR3
>> "mine" #1: received Vendor ID payload [Dead Peer Detection]
>> "mine" #1: Main mode peer ID is ID_IPV4_ADDR: 'XX.XX.XX.XX'
>> "mine" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
>> "mine" #1: STATE_MAIN_I4: ISAKMP SA established
>> {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
>> "mine" #2: initiating Quick Mode
>> PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1
>> msgid:c359ad28 proposal=AES(12)_128-SHA1(2)_160
>> pfsgroup=OAKLEY_GROUP_MODP1024}
>> "mine" #1: ignoring informational payload, type INVALID_ID_INFORMATION
>> msgid=00000000
>> "mine" #1: received and ignored informational message
>> "mine" #1: received Delete SA payload: deleting ISAKMP State #1
>> packet from 80.87.94.106:500: received and ignored informational message
>> "mine" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No
>> acceptable response to our first Quick Mode message: perhaps peer likes no
>> proposal
>> "mine" #2: starting keying attempt 2 of an unlimited number
>>
>> and this output just repeats over and over. As far as I can tell, we are
>> sending all of the correct parameters in our proposal, based on the
>> configuration information we have been given by the organization that
>> maintains the Cisco appliance. Here is what they provided us with:
>>
>> Phase 1:
>> Encryption scheme: IKE
>> Authentication Method: Pre-Shared Key
>> Diffie-Hellman Group: Group 2
>> Encryption Algorithm: AES128
>> Hashing Algorithm: SHA-1
>> Main or Aggressive Mode: Main Mode
>> Lifetime (for renegotiation): 28800 seconds
>>
>> Phase 2:
>> Encapsulation mode: tunnel
>> Encryption algorithm ESP: AES128
>> Authentication Algorithm: SHA-1
>> Perfect Forward Secrecy: Group 2
>> Lifetime (for renegotiation): 3600 seconds
>>
>> Here is the configuration on our end in ipsec.conf:
>>
>> conn mine
>>     left=XX.XX.XX.XX
>>     right=XX.XX.XX.XX
>>     authby=secret
>>     auto=start
>>     ike=aes128-sha1;modp1024
>>     phase2=esp
>>     phase2alg=aes128-sha1;modp1024
>>     pfs=yes
>>     aggrmode=no
>>     salifetime=28800s
>>
>>
>> And here is the configuration on their end on the Cisco appliance:
>>
>> crypto ipsec transform-set MyOrg esp-aes esp-sha-hmac
>> crypto map gtvpn-rules 127 match address 127
>> crypto map gtvpn-rules 127 set pfs group2
>>
>> crypto map gtvpn-rules 127 set peer XX.XX.XX.XX
>> crypto map gtvpn-rules 127 set transform-set MyOrg
>> crypto map gtvpn-rules 127 set security-association lifetime seconds 3600
>>
>> tunnel-group XX.XX.XX.XX type ipsec-l2l
>> tunnel-group XX.XX.XX.XX ipsec-attributes
>> pre-shared-key xxxxxxxx
>>
>> access-list 127 extended permit ip host YY.YY.YY.YY host XX.XX.XX.XX
>> access-list 127 extended permit ip host ZZ.ZZ.ZZ.ZZ host XX.XX.XX.XX
>>
>> Any guidance would be appreciated.
>>
>> Thank you!!
>>
>
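Simon's diagnosis earlier in the thread, checked in code: each Openswan conn's leftsubnet/rightsubnet must mirror one `permit ip host A host B` line of the Cisco access-list 127, so two protected hosts behind one appliance need two conns, and a conn whose selectors mirror no ACL line is the Quick Mode ID mismatch behind INVALID_ID_INFORMATION. This is an added example, not code from the thread or from Openswan; the addresses are constructed documentation addresses, and `check_selectors` and its use of Openswan's host/32 default for a missing subnet are this example's own assumptions.

```python
import ipaddress
import re
# Constructed sample on documentation addresses (not the thread's hosts): the thread's Cisco
# crypto ACL and Simon's two-conn ipsec.conf, with his spaces around "/32" left in place.
CISCO_ACL = """
access-list 127 extended permit ip host 198.51.100.20 host 192.0.2.10
access-list 127 extended permit ip host 198.51.100.30 host 192.0.2.10
"""
IPSEC_CONF = """
conn ServerA-to-ServerB
    left=192.0.2.10
    leftsubnet= 192.0.2.10 /32
    right=203.0.113.1
    rightsubnet= 198.51.100.20 /32
conn ServerA-to-ServerC
    left=192.0.2.10
    leftsubnet= 192.0.2.10 /32
    right=203.0.113.1
    rightsubnet= 198.51.100.30 /32
"""
ACL_RE = re.compile(r"access-list (\S+) extended permit ip host (\S+) host (\S+)")

def parse_cisco_acl(text, name="127"):
    """[(cisco_local, cisco_remote)] networks, one per 'permit ip host A host B' line of ACL `name`."""
    return [(ipaddress.ip_network(m[2] + "/32"), ipaddress.ip_network(m[3] + "/32")) for m in
            map(ACL_RE.match, map(str.strip, text.splitlines())) if m and m[1] == name]

def parse_ipsec_conf(text):
    """{conn name: {key: value}} from the conn sections of ipsec.conf-style text; comments ignored."""
    conns, cur = {}, None
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line.startswith("conn "):
            conns[(cur := line.split(None, 1)[1])] = {}
        elif cur and "=" in line:
            conns[cur].update([tuple(s.strip() for s in line.split("=", 1))])
    return conns

def selectors(conn):
    """(leftsubnet, rightsubnet); Openswan defaults a missing subnet to the host address /32."""
    nets = ((conn.get(s + "subnet") or conn[s] + "/32").replace(" ", "") for s in ("left", "right"))
    return tuple(ipaddress.ip_network(n) for n in nets)

def check_selectors(acl_text, conf_text):
    """Returns (matches, orphans). matches maps each ACL 'local->remote' to the conn whose
    rightsubnet/leftsubnet mirror it (Cisco source = Openswan rightsubnet, Cisco destination =
    leftsubnet) or None; orphans are conns mirroring no ACL line, the ID mismatch in the thread."""
    acl = parse_cisco_acl(acl_text)
    conns = {n: selectors(c) for n, c in parse_ipsec_conf(conf_text).items()}
    mirror = {(r, l): n for n, (l, r) in conns.items()}  # keyed as (cisco_local, cisco_remote)
    return ({f"{loc}->{rem}": mirror.get((loc, rem)) for loc, rem in acl},
            sorted(n for n, (l, r) in conns.items() if (r, l) not in acl))
```

Running `check_selectors` on Tim's original single `conn mine` (no subnets, so both selectors default to the gateway addresses) returns no matches and flags the conn as an orphan, which is the situation the first pluto.log in the thread shows.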