[opennhrp-devel] DMVPN failure from behind 1-1 Nat in the Amazon Cloud.

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Replicated in both vyos and Amazon Linux using Opennhrp - theres an off chance I'm doing something a little stupid, but I'm having issues connecting from a client behind a 1-1 NAT in the Amazon Cloud - to a DMVPN hub on a public IP (Cisco 1800).

Specifically the error is that the Cisco is rejecting phase 2. Negotiation.
*Jan  8 11:18:43.773 ACST: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jan  8 11:18:43.773 ACST: ISAKMP:(3076): IPSec policy invalidated proposal with error 32

Any ideas on what to fix this?

>From the Router:
*Jan  8 11:18:43.773 ACST: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 203.3.x.x, remote= 54.66.239.229,
    local_proxy= 203.3.x.x/255.255.255.255/47/0 (type=1),
    remote_proxy= 172.31.8.67/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= NONE  (Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jan  8 11:18:43.773 ACST: map_db_find_best did not find matching map
*Jan  8 11:18:43.773 ACST: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jan  8 11:18:43.773 ACST: ISAKMP:(3076): IPSec policy invalidated proposal with error 32
*Jan  8 11:18:43.773 ACST: IPSEC(validate_proposal_request): proposal part #1
*Jan  8 11:18:43.773 ACST: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 203.3.x.x, remote= 54.66.239.229,
    local_proxy= 203.3.x.x/255.255.255.255/47/0 (type=1),
    remote_proxy= 172.31.8.67/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= NONE  (Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jan  8 11:18:43.773 ACST: map_db_find_best did not find matching map
*Jan  8 11:18:43.773 ACST: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jan  8 11:18:43.773 ACST: ISAKMP:(3076): IPSec policy invalidated proposal with error 32
*Jan  8 11:18:43.773 ACST: ISAKMP:(3076): phase 2 SA policy not acceptable! (local 203.3.x.x remote 54.66.239.229)

>From oepnnprh:
Jan  8 04:17:27 ip-172-31-8-67 opennhrp[6760]: OpenNHRP 0.14.1 starting
Jan  8 04:17:27 ip-172-31-8-67 opennhrp[6760]: Interface lo: configured UP, mtu=0
Jan  8 04:17:27 ip-172-31-8-67 opennhrp[6760]: Interface eth0: configured UP, mtu=9001
Jan  8 04:17:27 ip-172-31-8-67 opennhrp[6760]: Interface gre0: config change, mtu=1476
Jan  8 04:17:27 ip-172-31-8-67 opennhrp[6760]: Interface gretap0: config change, mtu=1462
Jan  8 04:17:27 ip-172-31-8-67 opennhrp[6760]: Interface gre1: configured UP, mtu=8973
Jan  8 04:17:27 ip-172-31-8-67 opennhrp[6760]: Interface gre1: GRE configuration changed. Purged 1 peers.
Jan  8 04:17:27 ip-172-31-8-67 opennhrp[6760]: Filter code installed (20 opcodes)
Jan  8 04:17:32 ip-172-31-8-67 racoon: INFO: initiate new phase 2 negotiation: 172.31.8.67[500]<=>203.3.x.x[500]
Jan  8 04:17:32 ip-172-31-8-67 racoon: [203.3.x.x] ERROR: notification NO-PROPOSAL-CHOSEN received in informational exchange.
Jan  8 04:17:32 ip-172-31-8-67 racoon: [203.3.x.x] ERROR: error message: 'X '.
Jan  8 04:18:02 ip-172-31-8-67 racoon: INFO: IPsec-SA expired: ESP/Transport 203.3.x.x[500]->172.31.8.67[500] spi=121444521(0x73d18a9)
Jan  8 04:18:02 ip-172-31-8-67 racoon: WARNING: PF_KEY EXPIRE message received from kernel for SA being negotiated. Stopping negotiation.
Jan  8 04:18:02 ip-172-31-8-67 opennhrp[6760]: [192.168.201.1] Peer up script failed: exitstatus 1

[root@ip-172-31-8-67 ec2-user]# ip tunnel show
gre0: gre/ip  remote any  local any  ttl 64  tos inherit
gre1: gre/ip  remote 203.3.x.x  local 172.31.8.67  dev eth0  ttl 64  key 0

[root@ip-172-31-8-67 ec2-user]# cat /etc/opennhrp/opennhrp.conf
interface gre1
  map 192.168.201.1/24 203.3.x.x register
  cisco-authentication secret
  shortcut
  redirect
  non-caching

interface lo
  shortcut-destination
[root@ip-172-31-8-67 ec2-user]# cat /etc/racoon/racoon.conf
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";

listen {
        adminsock "/var/racoon/racoon.sock" "root" "operator" 0660;
}

sainfo anonymous
{
        pfs_group 2;
        lifetime time 24 hour ;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}

   remote anonymous {
      exchange_mode main,aggressive;
      lifetime time 24 hour;
      # nat_traversal on;
      script "/etc/opennhrp/racoon-ph1down.sh" phase1_down;
      proposal {
         encryption_algorithm 3des;
         hash_algorithm sha1;
         authentication_method pre_shared_key;
         dh_group 2;
      }
   }
[root@ip-172-31-8-67 ec2-user]# uname -a
Linux ip-172-31-8-67 3.14.26-24.46.amzn1.x86_64 #1 SMP Wed Dec 10 10:02:43 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[root@ip-172-31-8-67 ec2-user]# rpm -q ipsec-tools
ipsec-tools-0.8.0-5.16.amzn1.x86_64

Relevant parts of the cisco config:
crypto isakmp policy 30
encr 3des
hash md5 
 authentication pre-share
group 2

crypto isakmp key secret address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery

crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec profile cisco
set security-association lifetime seconds 30000
set transform-set strong
!
!
interface Tunnel0
ip address 192.168.201.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication secret2
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp redirect
ip tcp adjust-mss 1360
no ip mroute-cache
tunnel source Loopback10
tunnel mode gre multipoint
tunnel key 5000
tunnel protection ipsec profile cisco
!