VPN roaming client fails in phase 2

Discussions in Spanish.
nepski
Posts: 12
Joined: 19 Feb 2009, 13:48

VPN roaming client fails in phase 2

Post by nepski » 25 May 2009, 11:50

Hello everyone

When trying to establish a VPN with a TheGreenBow VPN client v4.20.009, phase 2 always gives the error "no proposal chosen algoritmos de la fase 2 no corresponde con la configuración del gateway" ("phase 2 algorithms do not match the gateway configuration"), when in reality they are identical on the client and on the Clavister.

The shared secret is the same, and has been retyped on both sides several times.

Does anyone know what causes this?

jein
Posts: 53
Joined: 30 Oct 2008, 09:16
Location: Clavister HQ

Re: VPN roaming client fails in phase 2

Post by jein » 25 May 2009, 15:29

Hi!

I have tried setting up an IPsec tunnel using the same client as you without any problem. Could you paste some screenshots of the configurations you are using and the output of the "ipsect" command?

/Jens

nepski
Posts: 12
Joined: 19 Feb 2009, 13:48

Re: VPN roaming client fails in phase 2

Post by nepski » 26 May 2009, 11:23

Hi Jein, I hope this is what you are asking for:

The output of the ipsect command is as follows:

Cmd> ipsect
No Name       Local Net            Remote Net           Remote GW
-- ---------- -------------------- -------------------- ---------------
 1 Tunel_VPN  192.168.1.0/24       0.0.0.0/0            0.0.0.0/0
2009-05-26 11:59:59: IkeSnoop: Received IKE packet from XX.XX.XXX.XXX:6381
Exchange type : Identity Protection (main mode)
ISAKMP Version : 1.0
Flags :
Cookies : 0xe9e7d54747adbbcf -> 0x00000000
Message ID : 0x00000000
Packet length : 100 bytes
# payloads : 2
Payloads:
SA (Security Association)
Payload data length : 48 bytes
DOI : 1 (IPsec DOI)
Proposal 1/1
Protocol 1/1
Protocol ID : ISAKMP
SPI Size : 0
Transform 1/1
Transform ID : IKE
Encryption algorithm : 3DES-cbc
Hash algorithm : MD5
Authentication method : Pre-Shared Key
Group description : MODP 1024
Life type : Seconds
Life duration : 28800
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
Description : draft-ietf-ipsec-dpd-00

2009-05-26 11:59:59: IkeSnoop: Sending IKE packet to XX.XX.XXX.XXX:6381
Exchange type : Identity Protection (main mode)
ISAKMP Version : 1.0
Flags :
Cookies : 0xe9e7d54747adbbcf -> 0x2ef1b67591d4fd95
Message ID : 0x00000000
Packet length : 120 bytes
# payloads : 3
Payloads:
SA (Security Association)
Payload data length : 48 bytes
DOI : 1 (IPsec DOI)
Proposal 1/1
Protocol 1/1
Protocol ID : ISAKMP
SPI Size : 0
Transform 1/1
Transform ID : IKE
Encryption algorithm : 3DES-cbc
Hash algorithm : MD5
Authentication method : Pre-Shared Key
Group description : MODP 1024
Life type : Seconds
Life duration : 28800
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : 8f 9c c9 4e 01 24 8e cd f1 47 59 4c 28 4b 21 3b
Description : SSH Communications Security QuickSec 2.1.0
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
Description : draft-ietf-ipsec-dpd-00

2009-05-26 12:00:00: IkeSnoop: Received IKE packet from XX.XX.XXX.XXX:6381
Exchange type : Identity Protection (main mode)
ISAKMP Version : 1.0
Flags :
Cookies : 0xe9e7d54747adbbcf -> 0x2ef1b67591d4fd95
Message ID : 0x00000000
Packet length : 180 bytes
# payloads : 2
Payloads:
KE (Key Exchange)
Payload data length : 128 bytes
NONCE (Nonce)
Payload data length : 16 bytes

2009-05-26 12:00:00: IkeSnoop: Sending IKE packet to XX.XX.XXX.XXX:6381
Exchange type : Identity Protection (main mode)
ISAKMP Version : 1.0
Flags :
Cookies : 0xe9e7d54747adbbcf -> 0x2ef1b67591d4fd95
Message ID : 0x00000000
Packet length : 180 bytes
# payloads : 2
Payloads:
KE (Key Exchange)
Payload data length : 128 bytes
NONCE (Nonce)
Payload data length : 16 bytes

2009-05-26 12:00:00: IkeSnoop: Received IKE packet from XX.XX.XXX.XXX:6381
Exchange type : Identity Protection (main mode)
ISAKMP Version : 1.0
Flags : E (encryption)
Cookies : 0xe9e7d54747adbbcf -> 0x2ef1b67591d4fd95
Message ID : 0x00000000
Packet length : 88 bytes
# payloads : 3
Payloads:
ID (Identification)
Payload data length : 8 bytes
ID : ipv4(any:0,[0..3]=172.16.48.15)
HASH (Hash)
Payload data length : 16 bytes
N (Notification)
Payload data length : 24 bytes
Protocol ID : ISAKMP
Notification : Initial contact

2009-05-26 12:00:00: IkeSnoop: Sending IKE packet to XX.XX.XXX.XXX:6381
Exchange type : Identity Protection (main mode)
ISAKMP Version : 1.0
Flags : E (encryption)
Cookies : 0xe9e7d54747adbbcf -> 0x2ef1b67591d4fd95
Message ID : 0x00000000
Packet length : 60 bytes
# payloads : 2
Payloads:
ID (Identification)
Payload data length : 8 bytes
ID : ipv4(any:0,[0..3]=yyy.yyy.yyy.yyy)
HASH (Hash)
Payload data length : 16 bytes

2009-05-26 12:00:00: IkeSnoop: Received IKE packet from XX.XX.XXX.XXX:6381
Exchange type : Quick mode
ISAKMP Version : 1.0
Flags : E (encryption)
Cookies : 0xe9e7d54747adbbcf -> 0x2ef1b67591d4fd95
Message ID : 0x42f91c99
Packet length : 144 bytes
# payloads : 5
Payloads:
HASH (Hash)
Payload data length : 16 bytes
SA (Security Association)
Payload data length : 44 bytes
DOI : 1 (IPsec DOI)
Proposal 1/1
Protocol 1/1
Protocol ID : ESP
SPI Size : 4
SPI Value : 0x5acb97f2
Transform 1/1
Transform ID : 3DES
SA life type : Seconds
SA life duration : 3600
Encapsulation mode : Tunnel
Authentication algorithm : HMAC-MD5
NONCE (Nonce)
Payload data length : 16 bytes
ID (Identification)
Payload data length : 8 bytes
ID : ipv4(any:0,[0..3]=172.16.48.15)
ID (Identification)
Payload data length : 12 bytes
ID : ipv4_subnet(any:0,[0..7]=192.168.1.0/24)

2009-05-26 12:00:00: IkeSnoop: Sending IKE packet to XX.XX.XXX.XXX:6381
Exchange type : CFG mode
ISAKMP Version : 1.0
Flags : E (encryption)
Cookies : 0xe9e7d54747adbbcf -> 0x2ef1b67591d4fd95
Message ID : 0x5007f0e3
Packet length : 64 bytes
# payloads : 2
Payloads:
HASH (Hash)
Payload data length : 16 bytes
CfgMode Attribute
Payload data length : 12 bytes
Message type : Cfg Request
Identifier : 1
Attributes
Attribute type : XAUTH-USER-NAME
Attribute type : XAUTH-USER-PASSWORD

2009-05-26 12:00:01: IkeSnoop: Received IKE packet from XX.XX.XXX.XXX:6381
Exchange type : CFG mode
ISAKMP Version : 1.0
Flags : E (encryption)
Cookies : 0xe9e7d54747adbbcf -> 0x2ef1b67591d4fd95
Message ID : 0x5007f0e3
Packet length : 64 bytes
# payloads : 2
Payloads:
HASH (Hash)
Payload data length : 16 bytes
CfgMode Attribute
Payload data length : 12 bytes
Message type : Cfg Reply
Identifier : 1
Attributes
Attribute type : Reserved
Attribute type : Reserved

2009-05-26 12:00:01: IkeSnoop: Sending IKE packet to XX.XX.XXX.XXX:6381
Exchange type : Informational
ISAKMP Version : 1.0
Flags : E (encryption)
Cookies : 0xe9e7d54747adbbcf -> 0x2ef1b67591d4fd95
Message ID : 0xf79d4d49
Packet length : 114 bytes
# payloads : 2
Payloads:
HASH (Hash)
Payload data length : 16 bytes
N (Notification)
Payload data length : 62 bytes
Protocol ID : ESP
Notification : No proposal chosen
Notification data:
Notify message version: 1
Error text: "Could not find acceptable proposal"
Offending message ID: 0x42f91c99

2009-05-26 12:00:08: IkeSnoop: Received IKE packet from XX.XX.XXX.XXX:6381
2009-05-26 12:00:08: IkeSnoop: Other end retransmitted its packet
2009-05-26 12:00:16: IkeSnoop: Received IKE packet from XX.XX.XXX.XXX:6381
2009-05-26 12:00:16: IkeSnoop: Other end retransmitted its packet

And the client's is the following:

[VPNCONF] TGBIKESTART received
20090526 105412 Default (SA VPN_SG51-P1) SEND phase 1 Main Mode [SA] [VID]
20090526 105412 Default (SA VPN_SG51-P1) RECV phase 1 Main Mode [SA] [VID] [VID]
20090526 105412 Default (SA VPN_SG51-P1) SEND phase 1 Main Mode [KEY_EXCH] [NONCE]
20090526 105412 Default (SA VPN_SG51-P1) RECV phase 1 Main Mode [KEY_EXCH] [NONCE]
20090526 105412 Default (SA VPN_SG51-P1) SEND phase 1 Main Mode [HASH] [ID] [NOTIFY]
20090526 105413 Default (SA VPN_SG51-P1) RECV phase 1 Main Mode [HASH] [ID]
20090526 105413 Default phase 1 done: initiator id 172.16.48.15, responder id yyy.yyy.yyy.yyy
20090526 105413 Default (SA VPN_SG51-VPN_SG51-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
20090526 105413 Default (SA VPN_SG51-P1) RECV Transaction Mode [HASH] [ATTRIBUTE]
20090526 105413 Default (SA VPN_SG51-P1) SEND Transaction Mode [HASH] [ATTRIBUTE]
20090526 105413 Default (SA VPN_SG51-P1) RECV Informational [HASH] [NOTIFY] with NO_PROPOSAL_CHOSEN error
20090526 105420 Default (SA VPN_SG51-VPN_SG51-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
20090526 105420 Default (SA VPN_SG51-P1) RECV Informational [HASH] [NOTIFY] with NO_PROPOSAL_CHOSEN error
20090526 105429 Default (SA VPN_SG51-VPN_SG51-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
20090526 105430 Default (SA VPN_SG51-P1) RECV Informational [HASH] [NOTIFY] with NO_PROPOSAL_CHOSEN error
20090526 105440 Default (SA VPN_SG51-VPN_SG51-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
20090526 105440 Default (SA VPN_SG51-P1) RECV Informational [HASH] [NOTIFY] with NO_PROPOSAL_CHOSEN error
20090526 105442 Default (SA VPN_SG51-P1) SEND Informational [HASH] [NOTIFY] type DPD_R_U_THERE
20090526 105442 Default (SA VPN_SG51-P1) RECV Informational [HASH] [NOTIFY] type DPD_R_U_THERE_ACK
20090526 105453 Default (SA VPN_SG51-VPN_SG51-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
20090526 105453 Default (SA VPN_SG51-P1) RECV Informational [HASH] [NOTIFY] with NO_PROPOSAL_CHOSEN error
20090526 105508 Default (SA VPN_SG51-VPN_SG51-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
20090526 105508 Default transport_send_messages: giving up on message 00DC2D80
20090526 105508 Default (SA VPN_SG51-P1) RECV Informational [HASH] [NOTIFY] with NO_PROPOSAL_CHOSEN error


Regards
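
The gateway's notification names the message it rejected, so the failing proposal can be pulled out of the trace mechanically. The following is an added example, not part of the thread and not Clavister or TheGreenBow tooling: a small parser that pairs each "No proposal chosen" notify with the packet it refers to. The function names are hypothetical and the sample is an excerpt of the IkeSnoop trace posted above.

```python
import re

# Excerpt of the IkeSnoop trace from the post above (indentation flattened, as on the page).
SAMPLE = """\
2009-05-26 12:00:00: IkeSnoop: Received IKE packet from XX.XX.XXX.XXX:6381
Exchange type : Quick mode
Message ID : 0x42f91c99
Transform ID : 3DES
Encapsulation mode : Tunnel
Authentication algorithm : HMAC-MD5
ID : ipv4(any:0,[0..3]=172.16.48.15)
ID : ipv4_subnet(any:0,[0..7]=192.168.1.0/24)

2009-05-26 12:00:01: IkeSnoop: Sending IKE packet to XX.XX.XXX.XXX:6381
Exchange type : Informational
Message ID : 0xf79d4d49
Notification : No proposal chosen
Error text: "Could not find acceptable proposal"
Offending message ID: 0x42f91c99
"""

HEADER = re.compile(r"^(\S+ \S+): IkeSnoop: (Received|Sending) IKE packet")
FIELD = re.compile(r"^([^:]+?)\s*:\s*(.*)$")
KEYS = ("Exchange type", "Transform ID", "Authentication algorithm", "Encapsulation mode", "ID")

def parse_packets(text):
    """Split IkeSnoop output into packets; each packet maps field name -> list of values."""
    packets = []
    for line in text.splitlines():
        line = line.strip()
        h = HEADER.match(line)
        if h:
            packets.append({"time": [h.group(1)], "dir": [h.group(2)]})
        elif packets and (f := FIELD.match(line)):
            packets[-1].setdefault(f.group(1), []).append(f.group(2))
    return packets

def rejected_proposals(text):
    """Return the proposal fields of every packet named by a 'No proposal chosen' notify."""
    packets = parse_packets(text)
    # Earliest packet per Message ID wins (reversed, so earlier entries overwrite later ones).
    first = {p["Message ID"][0]: p for p in reversed(packets) if "Message ID" in p}
    out = []
    for p in packets:
        if "No proposal chosen" in p.get("Notification", []):
            oid = p.get("Offending message ID", [None])[0]
            bad = first.get(oid, {})
            out.append({"offending_id": oid, **{k: bad.get(k, []) for k in KEYS}})
    return out
```

On this trace the result is the Quick mode packet with Message ID 0x42f91c99, so the transform, authentication algorithm, encapsulation mode and the two ID selectors it lists are the values to check against the gateway's phase 2 settings for the tunnel.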

jein
Posts: 53
Joined: 30 Oct 2008, 09:16
Location: Clavister HQ

Re: VPN roaming client fails in phase 2

Post by jein » 28 May 2009, 08:43

Hi!

Maybe you could take a look at:
viewtopic.php?f=8&t=3699

/Jens

nepski
Posts: 12
Joined: 19 Feb 2009, 13:48

Re: VPN roaming client fails in phase 2

Post by nepski » 03 Jun 2009, 16:01

Hi jein,

I have gone over the steps indicated in the document, and I still get the same error. :cry:

Regards
