OpenSwan IPSec phase #2 complications

Posted by XXL on Server Fault
Published on 2012-06-11T14:43:34Z Indexed on 2012/06/12 10:41 UTC


Phase #1 (IKE) succeeds without any problems (verified at the target host).
Phase #2 (IPSec), however, is erroneous at some point (apparently due to misconfiguration on localhost).

This should be an IPSec-only connection. I am using OpenSwan on Debian. The error log reads the following (the actual IP-addr. of the remote endpoint has been modified):

pluto[30868]: "x" #2: initiating Quick Mode PSK+ENCRYPT+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:5ece82ee proposal=AES(12)_256-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_DH22}
pluto[30868]: "x" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
pluto[30868]: "x" #1: received and ignored informational message
pluto[30868]: "x" #1: the peer proposed: 0.0.0.0/0:0/0 -> 0.0.0.0/0:0/0
pluto[30868]: "x" #3: responding to Quick Mode proposal {msgid:a4f5a81c}
pluto[30868]: "x" #3: us: 192.168.1.76<192.168.1.76>[+S=C]
pluto[30868]: "x" #3: them: 222.222.222.222<222.222.222.222>[+S=C]===10.196.0.0/17
pluto[30868]: "x" #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
pluto[30868]: "x" #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
pluto[30868]: "x" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
pluto[30868]: "x" #1: received and ignored informational message
pluto[30868]: "x" #3: next payload type of ISAKMP Hash Payload has an unknown value: 97
pluto[30868]: "x" #3: malformed payload in packet
pluto[30868]: | payload malformed after IV

I am behind NAT and this is all coming from wlan2. Here are the details:

default via 192.168.1.254 dev wlan2 proto static
169.254.0.0/16 dev wlan2 scope link metric 1000
192.168.1.0/24 dev wlan2 proto kernel scope link src 192.168.1.76 metric 2

Output of ipsec verify:

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.37/K3.2.0-24-generic (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

This is what happens when I run ipsec auto --up x:

104 "x" #1: STATE_MAIN_I1: initiate
003 "x" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "x" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "x" #1: received Vendor ID payload [Cisco-Unity]
003 "x" #1: received Vendor ID payload [Dead Peer Detection]
003 "x" #1: ignoring unknown Vendor ID payload [502099ff84bd4373039074cf56649aad]
003 "x" #1: received Vendor ID payload [XAUTH]
003 "x" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
108 "x" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "x" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
117 "x" #2: STATE_QUICK_I1: initiate
010 "x" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "x" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "x" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "x" #2: starting keying attempt 2 of at most 3, but releasing whack

I have enabled NAT traversal in ipsec.conf accordingly. Here are the settings relative to the connection in question:

version 2.0

config setup
    plutoopts="--perpeerlog"
    plutoopts="--interface=wlan2"
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn x
    authby=secret
    pfs=yes
    auto=add
    phase2alg=aes256-sha1;dh22
    keyingtries=3
    ikelifetime=8h
    type=transport
    left=192.168.1.76
    leftsubnet=192.168.1.0/24
    leftprotoport=0/0
    right=222.222.222.222
    rightsubnet=10.196.0.0/17
    rightprotoport=0/0

Here are the specs provided by the other end that must be met for Phase #2:

encryption algorithm: AES (128 or 256 bit)
hash algorithm: SHA
local ident1 (addr/mask/prot/port): (10.196.0.0/255.255.128.0/0/0)
local ident2 (addr/mask/prot/port): (10.241.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (x.x.x.x/x.x.x.x/0/0) (internal network or localhost)
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS: DH group2

So, finally, what might be the cause of the issue that I am experiencing? Thank you.
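The following script is an added example, not part of the question above and not Openswan's own tooling. It takes the posted `conn x` block, the peer's phase 2 requirements and the `initiating Quick Mode` log line (all copied from the question as constructed inputs), and cross-checks them the way a reviewer would by hand: cipher and key size, integrity algorithm, PFS group, and whether the selectors in the config make sense for the configured mode. Two facts it relies on are stated here rather than taken from the page: in IKE, "DH group 2" is the 1024-bit MODP group (RFC 2409), which Openswan spells `modp1024` in `phase2alg`, while Openswan's `dh22` keyword selects RFC 5114 group 22, a different group with a different IANA number; and `leftsubnet`/`rightsubnet` selectors describe a subnet-to-subnet tunnel, which requires `type=tunnel` (the default) rather than `type=transport`. The `DH_GROUP_IDS` table and the parsing heuristics for the peer's free-text spec are this example's own assumptions.

```python
"""Cross-check an Openswan conn's phase 2 proposal against a peer's stated requirements."""
import ipaddress
import re

# Constructed inputs, copied from the question: the conn block, the peer's
# phase 2 requirements, and the pluto line showing what pluto actually proposed.
CONN_TEXT = """conn x
    authby=secret
    pfs=yes
    auto=add
    phase2alg=aes256-sha1;dh22
    keyingtries=3
    ikelifetime=8h
    type=transport
    left=192.168.1.76
    leftsubnet=192.168.1.0/24
    leftprotoport=0/0
    right=222.222.222.222
    rightsubnet=10.196.0.0/17
    rightprotoport=0/0
"""

PEER_SPEC = """encryption algorithm: AES (128 or 256 bit)
hash algorithm: SHA
local ident1 (addr/mask/prot/port): (10.196.0.0/255.255.128.0/0/0)
local ident2 (addr/mask/prot/port): (10.241.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (x.x.x.x/x.x.x.x/0/0) (internal network or localhost)
PFS: DH group2
"""

LOG_LINE = ('pluto[30868]: "x" #2: initiating Quick Mode PSK+ENCRYPT+PFS+UP+IKEv2ALLOW+SAREFTRACK '
            '{using isakmp#1 msgid:5ece82ee proposal=AES(12)_256-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_DH22}')

# Assumed mapping of Openswan phase2alg group keywords to IKE DH group numbers.
# modp1024 is RFC 2409 "group 2"; dh22/dh23/dh24 are the RFC 5114 groups 22-24.
DH_GROUP_IDS = {"modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14,
                "modp3072": 15, "modp4096": 16, "dh22": 22, "dh23": 23, "dh24": 24}


def parse_conn(text):
    """Return the key=value settings of a conn block as a dict of strings."""
    settings = {}
    for line in text.splitlines()[1:]:          # skip the "conn <name>" header
        line = line.strip()
        if "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def parse_phase2alg(spec):
    """Split 'aes256-sha1;dh22' into (cipher, key bits or None, integrity, dh group or None)."""
    if not spec:
        return None, None, None, None
    algs, _, group = spec.partition(";")
    cipher, _, integ = algs.partition("-")
    m = re.fullmatch(r"([a-z0-9]*?[a-z])(\d+)?", cipher)
    bits = int(m.group(2)) if m and m.group(2) else None
    return (m.group(1) if m else cipher), bits, integ, (group or None)


def parse_peer_spec(text):
    """Heuristic parser for the peer's free-text requirements (assumed line formats)."""
    spec = {"cipher": None, "key_bits": set(), "hash": "", "pfs_group": None, "local_idents": []}
    for line in text.splitlines():
        low = line.lower()
        if low.startswith("encryption algorithm:"):
            spec["cipher"] = re.search(r":\s*([a-z0-9]+)", low).group(1)
            spec["key_bits"] = {int(b) for b in re.findall(r"\d+", low)}
        elif low.startswith("hash algorithm:"):
            spec["hash"] = low.split(":", 1)[1].strip()
        elif low.startswith("pfs:"):
            spec["pfs_group"] = int(re.search(r"group\s*(\d+)", low).group(1))
        elif low.startswith("local ident"):
            m = re.search(r"\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/", line)
            if m:   # dotted netmask form is accepted by ipaddress and normalised to a prefix
                spec["local_idents"].append(ipaddress.ip_network("%s/%s" % m.groups()))
    return spec


def parse_log_pfsgroup(line):
    """Return the pfsgroup= token of an 'initiating Quick Mode' line as a phase2alg keyword."""
    m = re.search(r"pfsgroup=OAKLEY_GROUP_(\w+)", line)
    return m.group(1).lower() if m else None


def check(conn, peer, log_group=None):
    """Compare our phase 2 settings with the peer's requirements; return a list of findings."""
    findings = []
    cipher, bits, integ, group = parse_phase2alg(conn.get("phase2alg", ""))
    if cipher != peer["cipher"]:
        findings.append(f"cipher {cipher} not accepted; peer wants {peer['cipher']}")
    if bits is not None and peer["key_bits"] and bits not in peer["key_bits"]:
        findings.append(f"key size {bits} not accepted; peer allows {sorted(peer['key_bits'])}")
    if not (integ or "").startswith(peer["hash"]):
        findings.append(f"integrity {integ} not accepted; peer wants {peer['hash']}")
    if conn.get("pfs") == "yes":
        ours = DH_GROUP_IDS.get(group)
        if ours != peer["pfs_group"]:
            findings.append(f"PFS group {group} is IKE group {ours}; peer requires group {peer['pfs_group']}")
    if log_group and group and log_group != group:
        findings.append(f"pluto proposed {log_group} but the config says {group}")
    if conn.get("type", "tunnel") == "transport" and ("leftsubnet" in conn or "rightsubnet" in conn):
        findings.append("type=transport with leftsubnet/rightsubnet; subnet-to-subnet traffic needs type=tunnel")
    if "rightsubnet" in conn:
        rs = ipaddress.ip_network(conn["rightsubnet"])
        if rs not in peer["local_idents"]:
            findings.append(f"rightsubnet {rs} matches none of the peer's local idents {peer['local_idents']}")
    return findings


if __name__ == "__main__":
    for f in check(parse_conn(CONN_TEXT), parse_peer_spec(PEER_SPEC), parse_log_pfsgroup(LOG_LINE)):
        print("FINDING:", f)
```

Run on the posted data, the script reports two mismatches (the PFS group and the transport/tunnel mode choice) and confirms that `rightsubnet=10.196.0.0/17` does match the peer's first local ident and that the AES-256/SHA1 proposal itself is within what the peer accepts; it also confirms that the `pfsgroup=` pluto logged agrees with the `phase2alg` in the file, which is useful when you suspect a stale configuration is being loaded.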
