Issue #3692
Failing IPsec Phase 2 connection between CentOS 7 VPS and Cisco ASA5540
Description
Hello
I am having issues bringing up a VPN connection. This is a site-to-site IPsec VPN.
This is the scenario:
My peer device (the one facing my provider) is a Linux VPS (a server in the cloud). The two private subnets on my side are:
1. Another VPS in the cloud
2. A virtual/sub interface I created on the peer VPS
Below are the parameters I was given by my service provider, who is running the VPN on a Cisco ASA firewall.
Phase 1
Tunnel VPN Gateway ()
Authentication Method :Pre-shared Key
Cryptography Type :IKEv1
Diffie-Hellman Group :Group 2
Cryptography Algorithm :3DES
Hash Algorithm :SHA
Main or Aggressive Mode :Main mode
Lifetime (for renegotiation) :86400 seconds
Phase 2
Tunnel VPN Gateway (ECONET)
Encapsulation (ESP or AH) :ESP
Cryptography Algorithm :3DES
Algorithm Method :SHA
Perfect Forward Secrecy :NO PFS
Lifetime (for renegotiation) :86400 seconds
Lifesize in KB (for renegotiation) : Not specified
My peering server is running CentOS 7.
strongSwan version:
Linux strongSwan U5.7.2/K3.10.0
My configuration is as follows:
config setup
charondebug="all"
uniqueids=yes
conn ECO_YOSTORE
type=tunnel
auto=start
keyexchange=ikev1
authby=secret
left= My Internet IP
leftid= My Internet IP
leftsubnets=Virtual Interface created on the LEFT SERVER ABOVE/32 , My Internet IP of 2nd VPS/32
right=Provider's Internet IP
rightsubnet=Private Service Provider IP /32
rightid=Provider's Internet IP
ike=3des-sha1-modp1024
esp=3des-sha1
pfs=no
aggressive=no
keyingtries=%forever
ikelifetime=86400s
lifetime=86400s
dpddelay=30s
dpdtimeout=120s
dpdaction=restart
The results I get when trying to bring up the VPN are as below.
[root@shumba2 ~]# strongswan up ECO_YOSTORE
initiating Main Mode IKE_SA ECO_YOSTORE3 to Porovider’s Internet IP
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from My Internet IP500 to Porovider’s Internet IP500 (248 bytes)
received packet: from Porovider’s Internet IP500 to My Internet IP500 (128 bytes)
parsed ID_PROT response 0 [ SA V V ]
received NAT-T (RFC 3947) vendor ID
received FRAGMENTATION vendor ID
selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from My Internet IP500 to Porovider’s Internet IP500 (244 bytes)
received packet: from Porovider’s Internet IP500 to My Internet IP500 (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: 7e:07:12:38:3a:e9:2e:b4:74:18:9f:79:57:4a:90:89
received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from My Internet IP500 to Porovider’s Internet IP500 (100 bytes)
received packet: from Porovider’s Internet IP500 to My Internet IP500 (84 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA ECO_YOSTORE3 established between My Internet IP[My Internet IP]...Porovider’s Internet IP[Porovider’s Internet IP]
scheduling reauthentication in 85735s
maximum IKE_SA lifetime 86275s
generating QUICK_MODE request 1213313119 [ HASH SA No ID ID ]
sending packet: from My Internet IP500 to Porovider’s Internet IP500 (204 bytes)
received packet: from Porovider’s Internet IP500 to My Internet IP500 (84 bytes)
parsed INFORMATIONAL_V1 request 3366055023 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'ECO_YOSTORE' failed
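As an added triage example (not from the report and not strongSwan's own tooling), a small Python script that walks charon output like the one above and reports which IKEv1 negotiation stage was reached and what to compare next; the embedded sample log and the next-step hints are constructed, with RFC 5737 documentation addresses in place of the real IPs.

```python
import re

# Constructed sample: the charon lines from the report above, IPs replaced by RFC 5737 addresses.
SAMPLE_LOG = """\
selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
received Cisco Unity vendor ID
IKE_SA ECO_YOSTORE3 established between 198.51.100.7[198.51.100.7]...203.0.113.1[203.0.113.1]
generating QUICK_MODE request 1213313119 [ HASH SA No ID ID ]
parsed INFORMATIONAL_V1 request 3366055023 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'ECO_YOSTORE' failed
"""

# Hypothetical triage hints per stage reached (my wording, not strongSwan output).
NEXT_STEP = {
    "tunnel up": "CHILD_SA established; verify traffic flows both ways.",
    "phase 1 rejected": "IKE proposal refused: compare ike=, mode and IDs with the peer's Phase 1.",
    "phase 2 rejected": ("IKE_SA already agreed, so the ESP proposal or the traffic selectors "
                         "(subnet pairs) were refused: compare esp=, PFS and left/right subnets "
                         "with the peer's Phase 2 policy, then read the peer's log for its reason."),
    "incomplete": "No decisive reply: check reachability, UDP 500/4500 and retransmits.",
}

def triage(log: str) -> dict:
    """Walk charon's IKEv1 output and report how far the negotiation got."""
    r = {"ike_proposal": None, "cisco_peer": False, "phase1": False,
         "phase2_sent": False, "child": False, "notify": None}
    for line in log.splitlines():
        if m := re.search(r"selected proposal: IKE:(\S+)", line):
            r["ike_proposal"] = m.group(1)      # Phase 1 algorithms both sides accepted
        if "Cisco Unity vendor ID" in line:
            r["cisco_peer"] = True              # peer identifies as Cisco IOS/ASA
        if re.search(r"IKE_SA \S+ established", line):
            r["phase1"] = True                  # Main Mode completed
        if "generating QUICK_MODE request" in line:
            r["phase2_sent"] = True             # our ESP proposal + selectors went out
        if re.search(r"CHILD_SA \S+ established", line):
            r["child"] = True                   # Quick Mode completed
        if m := re.search(r"received (\S+) error notify", line):
            r["notify"] = m.group(1)
    if r["child"]:
        r["stage"] = "tunnel up"
    elif r["phase1"] and r["phase2_sent"] and r["notify"]:
        r["stage"] = "phase 2 rejected"
    elif not r["phase1"] and r["notify"]:
        r["stage"] = "phase 1 rejected"
    else:
        r["stage"] = "incomplete"
    r["next_step"] = NEXT_STEP[r["stage"]]
    return r
```

Run `triage(SAMPLE_LOG)` on the report's output and it classifies the failure as "phase 2 rejected", i.e. the IKE_SA was fine and only the Quick Mode proposal or selectors were refused.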
History
#1 Updated by Tobias Brunner over 4 years ago
- Status changed from New to Feedback
- Assignee deleted (Evans Vete)
received NO_PROPOSAL_CHOSEN error notify
Check the log on the other end to see why it sends that notify back.