Hello guys, I'm trying to get an IPsec + L2TP VPN server running on Arch Linux.
I have followed this tutorial: https://raymii.org/s/tutorials/IPSEC_L2 … Linux.html -- I skipped the "Local user (PAM//etc/passwd) authentication" part.
When I try to connect from a Windows 7 system or from a Windows Phone 8.1 phone, I get this in the system log:
May 15 11:57:05 acherus pluto[1341]: packet from 77.xxx.xxx.xxx:500: sending notification v2N_NO_PROPOSAL_CHOSEN to 77.xxx.xxx.xxx:500
What I find more amusing is the fact that there is absolutely no mention of this error in Google: https://www.google.com/search?q=%22send … _CHOSEN%22
This is the log of Openswan starting:
May 15 12:04:19 acherus systemd[1]: Starting Openswan daemon...
May 15 12:04:20 acherus ipsec_setup[2424]: Starting Openswan IPsec U2.6.41/K3.10.23-xxxx-std-ipv6-64...
May 15 12:04:20 acherus ipsec[2416]: ipsec_setup: Starting Openswan IPsec U2.6.41/K3.10.23-xxxx-std-ipv6-64...
May 15 12:04:20 acherus ipsec_setup[2439]: Using NETKEY(XFRM) stack
May 15 12:04:20 acherus ipsec__plutorun[2457]: Starting Pluto subsystem...
May 15 12:04:20 acherus ipsec_setup[2461]: ...Openswan IPsec started
May 15 12:04:20 acherus systemd[1]: Started Openswan daemon.
May 15 12:04:20 acherus ipsec__plutorun[2459]: adjusting ipsec.d to /etc/ipsec.d
May 15 12:04:20 acherus pluto[2464]: adjusting ipsec.d to /etc/ipsec.d
May 15 12:04:20 acherus pluto[2464]: Starting Pluto (Openswan Version 2.6.41; Vendor ID OSWsxljF@TSY) pid:2464
May 15 12:04:20 acherus pluto[2464]: LEAK_DETECTIVE support [disabled]
May 15 12:04:20 acherus pluto[2464]: OCF support for IKE [disabled]
May 15 12:04:20 acherus pluto[2464]: SAref support [disabled]: Protocol not available
May 15 12:04:20 acherus pluto[2464]: SAbind support [disabled]: Protocol not available
May 15 12:04:20 acherus pluto[2464]: NSS support [disabled]
May 15 12:04:20 acherus pluto[2464]: HAVE_STATSD notification support not compiled in
May 15 12:04:20 acherus pluto[2464]: Setting NAT-Traversal port-4500 floating to on
May 15 12:04:20 acherus pluto[2464]: port floating activation criteria nat_t=1/port_float=1
May 15 12:04:20 acherus pluto[2464]: NAT-Traversal support [enabled]
May 15 12:04:20 acherus pluto[2464]: using /dev/urandom as source of random entropy
May 15 12:04:20 acherus pluto[2464]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
May 15 12:04:20 acherus pluto[2464]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
May 15 12:04:20 acherus pluto[2464]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
May 15 12:04:20 acherus pluto[2464]: starting up 1 cryptographic helpers
May 15 12:04:20 acherus pluto[2464]: started helper pid=2466 (fd:6)
May 15 12:04:20 acherus pluto[2464]: Using Linux XFRM/NETKEY IPsec interface code on 3.10.23-xxxx-std-ipv6-64
May 15 12:04:20 acherus pluto[2466]: using /dev/urandom as source of random entropy
May 15 12:04:20 acherus pluto[2464]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
May 15 12:04:20 acherus pluto[2464]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
May 15 12:04:20 acherus pluto[2464]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
May 15 12:04:20 acherus pluto[2464]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
May 15 12:04:20 acherus pluto[2464]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
May 15 12:04:20 acherus pluto[2464]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
May 15 12:04:20 acherus pluto[2464]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
May 15 12:04:20 acherus pluto[2464]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
May 15 12:04:20 acherus pluto[2464]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
May 15 12:04:20 acherus pluto[2464]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
May 15 12:04:20 acherus pluto[2464]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
May 15 12:04:20 acherus pluto[2464]: added connection description "L2TP-PSK-NAT"
May 15 12:04:20 acherus ipsec__plutorun[2459]: 002 added connection description "L2TP-PSK-NAT"
May 15 12:04:20 acherus pluto[2464]: added connection description "L2TP-PSK-noNAT"
May 15 12:04:20 acherus ipsec__plutorun[2459]: 002 added connection description "L2TP-PSK-noNAT"
May 15 12:04:20 acherus pluto[2464]: listening for IKE messages
May 15 12:04:20 acherus pluto[2464]: adding interface eth0/eth0 91.x.x.x:500
May 15 12:04:20 acherus pluto[2464]: adding interface eth0/eth0 91.x.x.x:4500
May 15 12:04:20 acherus pluto[2464]: adding interface lo/lo 127.0.0.1:500
May 15 12:04:20 acherus pluto[2464]: adding interface lo/lo 127.0.0.1:4500
May 15 12:04:20 acherus pluto[2464]: adding interface lo/lo ::1:500
May 15 12:04:20 acherus pluto[2464]: loading secrets from "/etc/ipsec.secrets"
Can you help me? The config files are the same as the ones in that article so there's no need to paste them here.
No proposal chosen indicates that the client is requesting something different than what the server expects (or is able to provide).
Please start by providing the configuration files and the configuration at the clients (especially about "L2TP-PSK-NAT" and "L2TP-PSK-noNAT"). Btw, why are you differentiating between NAT and no NAT? (Is this to differentiate between a WWAN and a LAN connection?) The entire point of a VPN is to omit this. However, without further information I cannot help you further.
Finally (and you might not like this), Strongswan has given me considerably better results and seems to be more actively developed (haven't checked in a while though).
fs/super.c : "Self-destruct in 5 seconds. Have a nice day...\n",
With all honesty, I don't really understand any of this.
What I want is a virtual network I can connect from my Windows PC and my Windows Phone to tunnel my connections and, optionally, have access between them (the PCs connected and the server itself, within a private network range). I don't really understand what "NAT" and "noNAT" do, tbh.
I made some changes, this is the ipsec.conf file based on what I found online:
version 2.0

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=91.x.x.x
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
This is the configuration on my computer:
I'm really thankful for your help.
Last edited by Butcher (2014-05-15 10:27:33)
I see one apparent error in your configuration. You are attempting to use L2TP + IPSEC. However, the client says in its 'Type of VPN:' 'Ikev2'. Now I think that might not be correct.
Yes, you are using IKEv2 but that is not all of it. It should be something along the lines of L2TP / IPSEC or (Layer 2 Tunnel Protocol / IPSEC).
Your client is now trying to connect directly. Hence, the left side does not match since that is probably a full connection. And your Openswan server expects a proposition containing udp port 17/1701. Which is not the case if you use 'pure' IPSEC.
However, seeing that Windows 7 is capable of doing 'pure' IKEv2 connections, I would recommend that. That will rid you of the xl2tpd server and let Strongswan handle everything.
I have a 'pure' IPSEC setup and I'm really happy with it. No fiddling with L2TP.
Thank you again. This should be of help, I guess: https://github.com/modeswitch/blog.mode … ongswan.md
What I do not understand is how I would set a user and password for each user. It's ok if there's only one, but I see in that configuration that there's only a password set, so I do not know where the user is supposed to be.
Thanks.
> Thank you again. This should be of help, I guess: https://github.com/modeswitch/blog.mode … ongswan.md

Way too complicated. I only use Strongswan plus some crazy big updown.sh script. You can use Strongswan to assign client IPs. No need for DHCP servers or anything fancy.

> What I do not understand is how I would set a user and password for each user. It's ok if there's only one, but I see in that configuration that there's only a password set, so I do not know where the user is supposed to be.

For me, that means that Windows applies the unwritten rule that local login username == remote login username (for whatever service applicable). But I doubt you cannot change it. Did you make sure that you used the L2TP option for the VPN?

> Thanks.

No problem.
I would like to have a DHCP server working for this VPN. I've read about dnsmasq and the DHCP plugin, but it looks like dnsmasq requires the port 53 to be free, and it's not (I'm running bind there). Anything I can do?
By the way, after having configured Strongswan, it goes a bit further, but I get this error:
This is the content of my /etc/ipsec.conf:
conn %default
    keyingtries=%forever
    keyexchange=ikev2
    authby=secret

conn local
    reauth=no
    rekey=no
    left=%defaultroute
    leftsubnet=192.168.9.0/24
    lefthostaccess=yes
    leftfirewall=yes
    right=%any
    rightsourceip=%dhcp
    auto=start
And the content of my /etc/strongswan.conf:
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
        # Settings for the dhcp plugin belong in their own subsection; the dotted
        # key form (charon.plugins.dhcp.force_server_address) is only the manpage's
        # way of naming the path, not valid inside a section.
        dhcp {
            force_server_address = yes
            server = 192.168.9.1
        }
    }
}
include strongswan.d/*.conf
/etc/ipsec.secrets:
%any : PSK "password"
The log says this:
May 15 16:10:41 acherus charon[22950]: 15[NET] received packet: from 77.xxx.xxx.xxx[500] to 91.xxx.xxx.xxx[500] (528 bytes)
May 15 16:10:41 acherus charon[22950]: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
May 15 16:10:41 acherus charon[22950]: 15[IKE] 77.xxx.xxx.xxx is initiating an IKE_SA
May 15 16:10:41 acherus charon[22950]: 15[IKE] 77.xxx.xxx.xxx is initiating an IKE_SA
May 15 16:10:41 acherus charon[22950]: 15[IKE] remote host is behind NAT
May 15 16:10:41 acherus charon[22950]: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
May 15 16:10:41 acherus charon[22950]: 15[NET] sending packet: from 91.xxx.xxx.xxx[500] to 77.xxx.xxx.xxx[500] (308 bytes)
May 15 16:10:41 acherus charon[22950]: 16[NET] received packet: from 77.xxx.xxx.xxx[4500] to 91.xxx.xxx.xxx[4500] (804 bytes)
May 15 16:10:41 acherus charon[22950]: 16[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
May 15 16:10:41 acherus charon[22950]: 16[IKE] received 24 cert requests for an unknown ca
May 15 16:10:41 acherus charon[22950]: 16[CFG] looking for peer configs matching 91.xxx.xxx.xxx[%any]...77.xxx.xxx.xxx[192.168.0.192]
May 15 16:10:41 acherus charon[22950]: 16[CFG] selected peer config 'local'
May 15 16:10:41 acherus charon[22950]: 16[IKE] peer requested EAP, config inacceptable
May 15 16:10:41 acherus charon[22950]: 16[CFG] no alternative config found
May 15 16:10:41 acherus charon[22950]: 16[IKE] peer supports MOBIKE
May 15 16:10:41 acherus charon[22950]: 16[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
May 15 16:10:41 acherus charon[22950]: 16[NET] sending packet: from 91.xxx.xxx.xxx[4500] to 77.xxx.xxx.xxx[4500] (68 bytes)
Thanks for your patience.
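As an added illustration (not code from either poster), a small Python triage helper that sorts the pluto and charon messages seen in this thread into failure classes with the server-side check each one points at; the log lines and addresses are constructed samples modelled on the ones quoted above.

```python
import re

# Constructed sample modelled on the pluto/charon lines quoted in this thread;
# the addresses are RFC 5737 placeholders, not the poster's hosts.
SAMPLE_LOG = """\
May 15 11:57:05 acherus pluto[1341]: packet from 198.51.100.7:500: sending notification v2N_NO_PROPOSAL_CHOSEN to 198.51.100.7:500
May 15 16:10:41 acherus charon[22950]: 15[IKE] 198.51.100.7 is initiating an IKE_SA
May 15 16:10:41 acherus charon[22950]: 16[IKE] received 24 cert requests for an unknown ca
May 15 16:10:41 acherus charon[22950]: 16[CFG] selected peer config 'local'
May 15 16:10:41 acherus charon[22950]: 16[IKE] peer requested EAP, config inacceptable
May 15 16:10:41 acherus charon[22950]: 16[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# (pattern, failure class, what to check on the server side)
RULES = [
    (re.compile(r"v2N_NO_PROPOSAL_CHOSEN"), "proposal_mismatch",
     "client proposal matches no conn (e.g. a pure IKEv2 client against an L2TP 17/1701 conn)"),
    (re.compile(r"peer requested EAP, config inacceptable"), "auth_method_mismatch",
     "client is set to EAP but the selected conn is PSK-only (authby=secret)"),
    (re.compile(r"N\(AUTH_FAILED\)"), "auth_failed",
     "IKE_AUTH rejected; the preceding [CFG]/[IKE] lines name the reason"),
    (re.compile(r"received \d+ cert requests for an unknown ca"), "unknown_ca",
     "informational: client trusts CAs this server does not have"),
]
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def classify_line(line):
    """Return (failure_class, hint) for a recognised IKE failure message, else None."""
    for pattern, label, hint in RULES:
        if pattern.search(line):
            return label, hint
    return None


def triage(log_text):
    """Count each failure class in a syslog excerpt and record the peers involved."""
    findings = {}
    for line in log_text.splitlines():
        hit = classify_line(line)
        if hit is None:
            continue
        label, hint = hit
        entry = findings.setdefault(label, {"count": 0, "hint": hint, "peers": set()})
        entry["count"] += 1
        # The first IPv4 address on the line is taken as the peer (pluto prints "packet from <peer>").
        ip = IPV4_RE.search(line)
        if ip:
            entry["peers"].add(ip.group(1))
    return findings
```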
It's selecting a proper configuration. However, you seem to have enabled IPSEC EAP authentication.
These are the available options:
None of them work, or they request additional certificates.
Last edited by Butcher (2014-05-15 15:33:26)
You did not explicitly mention you wanted EAP. So I suggest you generate your own PKI and install that. I think that's the second radio button in the Authentication table.
I do not want to have certificates. I want to log in using a user and a password, and the VPN type has to be "IKEv2".
> I do not want to have certificates. I want to log in using a user and a password, and the VPN type has to be "IKEv2".

I take it you don't want to carry around certificates and stuff (or long non-rememberable passphrases).
But that means you have 3 options (I believe). You have to pick, since you are aiming for the sky here.

1. initial connection: strongswan with psk
   vpn: xl2tpd over pptp
   authentication: xl2tpd username + password
   advantages: username + password, but simple setup and backwards compatible until at least Windows XP
   disadvantages: ikev1 is old but well implemented, deprecated method

2. initial connection: strongswan with certificate
   vpn: strongswan over ikev2 in tunnel mode
   authentication: see initial connection
   advantages: fast connection, new protocol that is well supported, ikev2 is shiny new and this is only supported on Windows 7 and higher
   disadvantages: better start carrying a USB stick with certificates

3. initial connection: strongswan with EAP-MSCHAP
   vpn: strongswan over ikev2 in tunnel mode
   authentication: see initial connection
   advantages: fast connection, new protocol that is well supported, ikev2 is shiny new and this is only supported on Windows 7 and higher
   disadvantages: simple connection method, requires setting up an EAP RADIUS server which I know nothing about

The last setup fits your criteria exactly. But having ikev2 with username + password requires EAP-MSCHAP, which requires setting up a RADIUS server. EAP-MSCHAP only requires a server certificate. So on the clients you should be good to go with just a username + password + IP.
Please note, I'm assuming that l2tp/ipsec is using ikev1. IKEv2 is also IPSEC. And also note that the IKE protocol is only a negotiation protocol. It has absolutely no effect on the inner workings of your network. IKE is purely an administrative protocol (if I may call it like that).
It looks like the first setup is what I originally intended; are you sure that's only supported with IKEv1?
If a simple setup is not possible with user + pass I think I can switch to certificates, but this is becoming too complicated by now...
Yes, the first setup is what you intended. I *think* it only supports ikev1. The naming that is used is absurd. Because, IKEv2 is IPSEC too.
Remember, your choice is limited by your clients. The above three will work for Windows 7 and higher. The first one will also work on 2000/XP/Vista.
Simple setup is possible, but you have to make the decision between easy setup -> clumsy configuration or clumsy setup -> easy configuration. Whereby setup = server and configuration = client.
This is not complicated yet. You should really think this through before you start putting time in this. When I started out with this, my setup went through 4 iterations up until the point where I am today. You learn a lot, but it takes some time.
EDIT: Btw, you cannot use the Strongswan DHCP plugin in combination with xl2tpd. Well, it is possible but kind of useless. You would have to integrate DHCP (if possible) with xl2tpd. If you cannot choose, I suggest you go for the l2tp/ipsec configuration because of its backward compatibility. Then for ipsec, you can use a single passphrase. However, using a passphrase is dangerous and not recommended. Again, I don't think it's impossible to have both (certificates + secret).
Last edited by Rexilion (2014-05-16 04:35:44)