[opennhrp-devel] DMVPN failure from behind 1-1 Nat in the Amazon Cloud.
From: Chris P. <chr...@pe...> - 2015-01-09 04:02:18
Replicated in both VyOS and Amazon Linux using OpenNHRP. There's an off chance I'm doing something a little stupid, but I'm having issues connecting from a client behind a 1-1 NAT in the Amazon Cloud to a DMVPN hub on a public IP (Cisco 1800). Specifically, the error is that the Cisco is rejecting the phase 2 negotiation:

*Jan 8 11:18:43.773 ACST: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jan 8 11:18:43.773 ACST: ISAKMP:(3076): IPSec policy invalidated proposal with error 32

Any ideas on how to fix this?

From the router:

*Jan 8 11:18:43.773 ACST: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 203.3.x.x, remote= 54.66.239.229,
    local_proxy= 203.3.x.x/255.255.255.255/47/0 (type=1),
    remote_proxy= 172.31.8.67/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= NONE (Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jan 8 11:18:43.773 ACST: map_db_find_best did not find matching map
*Jan 8 11:18:43.773 ACST: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jan 8 11:18:43.773 ACST: ISAKMP:(3076): IPSec policy invalidated proposal with error 32
*Jan 8 11:18:43.773 ACST: IPSEC(validate_proposal_request): proposal part #1
*Jan 8 11:18:43.773 ACST: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 203.3.x.x, remote= 54.66.239.229,
    local_proxy= 203.3.x.x/255.255.255.255/47/0 (type=1),
    remote_proxy= 172.31.8.67/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= NONE (Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jan 8 11:18:43.773 ACST: map_db_find_best did not find matching map
*Jan 8 11:18:43.773 ACST: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jan 8 11:18:43.773 ACST: ISAKMP:(3076): IPSec policy invalidated proposal with error 32
*Jan 8 11:18:43.773 ACST: ISAKMP:(3076): phase 2 SA policy not acceptable! (local 203.3.x.x remote 54.66.239.229)

From opennhrp:

Jan 8 04:17:27 ip-172-31-8-67 opennhrp[6760]: OpenNHRP 0.14.1 starting
Jan 8 04:17:27 ip-172-31-8-67 opennhrp[6760]: Interface lo: configured UP, mtu=0
Jan 8 04:17:27 ip-172-31-8-67 opennhrp[6760]: Interface eth0: configured UP, mtu=9001
Jan 8 04:17:27 ip-172-31-8-67 opennhrp[6760]: Interface gre0: config change, mtu=1476
Jan 8 04:17:27 ip-172-31-8-67 opennhrp[6760]: Interface gretap0: config change, mtu=1462
Jan 8 04:17:27 ip-172-31-8-67 opennhrp[6760]: Interface gre1: configured UP, mtu=8973
Jan 8 04:17:27 ip-172-31-8-67 opennhrp[6760]: Interface gre1: GRE configuration changed. Purged 1 peers.
Jan 8 04:17:27 ip-172-31-8-67 opennhrp[6760]: Filter code installed (20 opcodes)
Jan 8 04:17:32 ip-172-31-8-67 racoon: INFO: initiate new phase 2 negotiation: 172.31.8.67[500]<=>203.3.x.x[500]
Jan 8 04:17:32 ip-172-31-8-67 racoon: [203.3.x.x] ERROR: notification NO-PROPOSAL-CHOSEN received in informational exchange.
Jan 8 04:17:32 ip-172-31-8-67 racoon: [203.3.x.x] ERROR: error message: 'X '.
Jan 8 04:18:02 ip-172-31-8-67 racoon: INFO: IPsec-SA expired: ESP/Transport 203.3.x.x[500]->172.31.8.67[500] spi=121444521(0x73d18a9)
Jan 8 04:18:02 ip-172-31-8-67 racoon: WARNING: PF_KEY EXPIRE message received from kernel for SA being negotiated. Stopping negotiation.
Jan 8 04:18:02 ip-172-31-8-67 opennhrp[6760]: [192.168.201.1] Peer up script failed: exitstatus 1

[root@ip-172-31-8-67 ec2-user]# ip tunnel show
gre0: gre/ip remote any local any ttl 64 tos inherit
gre1: gre/ip remote 203.3.x.x local 172.31.8.67 dev eth0 ttl 64 key 0

[root@ip-172-31-8-67 ec2-user]# cat /etc/opennhrp/opennhrp.conf
interface gre1
  map 192.168.201.1/24 203.3.x.x register cisco-authentication secret
  shortcut
  redirect
  non-caching

interface lo
  shortcut-destination

[root@ip-172-31-8-67 ec2-user]# cat /etc/racoon/racoon.conf
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";

listen {
        adminsock "/var/racoon/racoon.sock" "root" "operator" 0660;
}

sainfo anonymous {
        pfs_group 2;
        lifetime time 24 hour ;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}

remote anonymous {
        exchange_mode main,aggressive;
        lifetime time 24 hour;
        # nat_traversal on;
        script "/etc/opennhrp/racoon-ph1down.sh" phase1_down;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

[root@ip-172-31-8-67 ec2-user]# uname -a
Linux ip-172-31-8-67 3.14.26-24.46.amzn1.x86_64 #1 SMP Wed Dec 10 10:02:43 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

[root@ip-172-31-8-67 ec2-user]# rpm -q ipsec-tools
ipsec-tools-0.8.0-5.16.amzn1.x86_64

Relevant parts of the Cisco config:

crypto isakmp policy 30
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key secret address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec profile cisco
 set security-association lifetime seconds 30000
 set transform-set strong
!
!
interface Tunnel0
 ip address 192.168.201.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication secret2
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp redirect
 ip tcp adjust-mss 1360
 no ip mroute-cache
 tunnel source Loopback10
 tunnel mode gre multipoint
 tunnel key 5000
 tunnel protection ipsec profile cisco
!
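An added diagnostic, not part of the post above and not OpenNHRP, racoon or Cisco code: it parses the hub's `IPSEC(validate_proposal_request)` debug lines quoted in the post and checks the proxy identities they carry. With `tunnel protection` on a GRE tunnel the IPsec SA runs in transport mode and the proxy identities are the two peers' own addresses for IP protocol 47, so the remote_proxy a spoke proposes must equal the peer address the hub sees it coming from. In the lines above the spoke proposes its pre-NAT address 172.31.8.67 while the hub sees the peer as 54.66.239.229, which is the pattern a 1:1 NAT produces when the initiator negotiates without NAT traversal. The sample input is constructed from the debug lines in the post (203.3.x.x is redacted there and is handled as an unparsable address); the function names are this example's own.

```python
"""Flag IPsec phase-2 proxy-identity mismatches in Cisco ISAKMP/IPsec debug output.

Added example for the DMVPN-behind-NAT thread; not code from OpenNHRP, racoon
or Cisco. Assumed: debug lines in the 'IPSEC(validate_proposal_request)' shape
shown in the post, with continuation lines indented (as IOS prints them) or
already joined onto one line (as the mailing-list copy has them).
"""
import ipaddress
import re

# Constructed sample: the hub's debug lines as quoted in the post.
CISCO_DEBUG = """\
*Jan 8 11:18:43.773 ACST: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 203.3.x.x, remote= 54.66.239.229,
    local_proxy= 203.3.x.x/255.255.255.255/47/0 (type=1),
    remote_proxy= 172.31.8.67/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= NONE (Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jan 8 11:18:43.773 ACST: map_db_find_best did not find matching map
*Jan 8 11:18:43.773 ACST: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jan 8 11:18:43.773 ACST: ISAKMP:(3076): IPSec policy invalidated proposal with error 32
"""

PROPOSAL_RE = re.compile(
    r"INBOUND local= (?P<local>[^,\s]+), remote= (?P<remote>[^,\s]+), "
    r"local_proxy= (?P<lp_addr>[^/]+)/(?P<lp_mask>[^/]+)/(?P<lp_proto>\d+)/(?P<lp_port>\d+) \(type=\d+\), "
    r"remote_proxy= (?P<rp_addr>[^/]+)/(?P<rp_mask>[^/]+)/(?P<rp_proto>\d+)/(?P<rp_port>\d+) \(type=\d+\), "
    r"protocol= (?P<proto>\w+), transform= (?P<transform>.*?) \((?P<mode>Transport|Tunnel)\)"
)

GRE_PROTOCOL = "47"


def parse_proposals(debug_text):
    """Return one dict of fields per validate_proposal_request message.

    IOS wraps one message over several indented lines; each new message starts
    with the '*' timestamp marker, so non-'*' lines are joined onto the previous
    record before matching.
    """
    records = []
    for raw in debug_text.splitlines():
        if raw.startswith("*") or not records:
            records.append(raw.strip())
        else:
            records[-1] += " " + raw.strip()
    return [m.groupdict() for m in (PROPOSAL_RE.search(r) for r in records) if m]


def is_private(addr):
    """True for RFC 1918/loopback/link-local, False for public, None if unparsable (e.g. redacted '203.3.x.x')."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return None


def diagnose(proposal):
    """Return human-readable findings for one parsed proposal (empty list = identities look sane)."""
    findings = []
    if proposal["mode"] == "Transport" and proposal["rp_addr"] != proposal["remote"]:
        # Transport-mode GRE protection: the proxy must be the peer's own address.
        findings.append(
            f"remote_proxy {proposal['rp_addr']} does not match the peer address "
            f"{proposal['remote']} the responder sees; NAT between the peers is the usual cause"
        )
    if is_private(proposal["rp_addr"]) and is_private(proposal["remote"]) is False:
        findings.append(
            f"remote_proxy {proposal['rp_addr']} is a private address while the peer "
            f"{proposal['remote']} is public: initiator is presenting its pre-NAT address"
        )
    if proposal["mode"] == "Transport" and proposal["lp_addr"] != proposal["local"]:
        findings.append(
            f"local_proxy {proposal['lp_addr']} does not match our own address {proposal['local']}"
        )
    if proposal["lp_proto"] != GRE_PROTOCOL or proposal["rp_proto"] != GRE_PROTOCOL:
        findings.append("proxy protocol is not 47 (GRE); not a tunnel-protection proposal")
    return findings


if __name__ == "__main__":
    for p in parse_proposals(CISCO_DEBUG):
        print(f"peer {p['remote']} proposed {p['rp_addr']} -> {p['lp_addr']} proto {p['rp_proto']} ({p['mode']})")
        for f in diagnose(p):
            print("  !", f)
```

The check reads only the hub's debug output; it does not inspect the spoke's racoon.conf quoted above, where `nat_traversal` is commented out, nor the GRE layer (the Linux tunnel has `key 0` while Tunnel0 has `tunnel key 5000`), both of which are worth looking at separately once the proxy identities line up.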