Undocumented IPsec message types??
I have a RHEL 7.0 system that acts as a firewall and authentication server for a small LAN (64 nodes).
We have a requirement for employees and customers to be able to log in to the LAN remotely.
I have a test scenario using a Windows 7 client system that has a VPN client built into the Windows 7 OS.
Both sides are configured to use X.509 certificates and IKEv2. Additionally, users will be required to log in once the VPN connection is established.
I've gotten the following error messages whenever the windows 7 client tries to establish an IKEv2 VPN connection.
packet from 107.223.51.250:500: initial parent SA message received on 69.54.99.132:500 but no connection has been authorized with policy=IKEV2_ALLOW
packet from 107.223.51.250:500: sending unencrypted notification v2N_NO_PROPOSAL_CHOSEN to 107.223.51.250:500
packet from 107.223.51.250:500: initial parent SA message received on 69.54.99.132:500 but no connection has been authorized with policy=IKEV2_ALLOW
packet from 107.223.51.250:500: sending unencrypted notification v2N_NO_PROPOSAL_CHOSEN to 107.223.51.250:500
packet from 107.223.51.250:500: initial parent SA message received on 69.54.99.132:500 but no connection has been authorized with policy=IKEV2_ALLOW
packet from 107.223.51.250:500: sending unencrypted notification v2N_NO_PROPOSAL_CHOSEN to 107.223.51.250:500
IKEV2_ALLOW and v2N_NO_PROPOSAL_CHOSEN appear to be message-type strings probably assigned some numeric value.
However, there's no documentation that I can find that relates these message types to a parameter or set of parameters in the ipsec.conf file.
Anyone have a "clue" as to how I can find out more about these message types? I've tried the Libreswan and Strongswan websites, but no joy.
Best Regards
Guy
Responses
There is no one-to-one translation of those errors to configuration options.
- The answer NO_PROPOSAL_CHOSEN (or v2N_NO_PROPOSAL_CHOSEN) means there was a significant configuration mismatch, so both ends could not continue with each other.
- initial parent SA message received on 69.54.99.132:500 but no connection has been authorized with policy=IKEV2_ALLOW
This message might mean that you have no connection configured with ikev2=allow or ikev2=insist, although it could also be that other parameters of your connection with ikev2=yes are not matching with the other end.
It's not about a choice of mapping an option to a parameter. The IKE protocol only gives limited error messages back (on purpose for security). "no proposal chosen" is what is returned in many configuration mismatches. libreswan cannot do anything more.
I'm confused about your additional user/password that seems to be required. Is that a separate login somewhere, or is the Windows 7 server expecting some kind of EAP method (like EAP-MSCHAPv2?) Currently, libreswan/openswan does not support EAP.
We have tested a Windows 7 client using "machine certificate" to libreswan IKEv2, which works, but it does not have a user/password phase, just the valid X.509 certificate on the Windows 7 client.
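The answer's point is that the two strings are not keys into ipsec.conf but symptoms that can each have several configuration causes. The following Python script is an added example, not code from the original thread or from the libreswan project: it parses "packet from" lines of the form quoted in the question, counts per peer how many unauthorized initial-SA messages arrived and how many v2N_NO_PROPOSAL_CHOSEN notifications were sent back, and attaches the diagnostic hints from the answer. The sample log is constructed from the lines in the question; the hint text restates the answer's reasoning, and the option names ike=, esp= and authby= and the ipsec status command are libreswan's, taken from memory rather than from this page.

```python
"""Triage libreswan (pluto) log lines of the kind quoted in the question."""
import re
from collections import defaultdict

# Constructed sample input: the three rejected IKEv2 attempts from the question.
SAMPLE_LOG = """\
packet from 107.223.51.250:500: initial parent SA message received on 69.54.99.132:500 but no connection has been authorized with policy=IKEV2_ALLOW
packet from 107.223.51.250:500: sending unencrypted notification v2N_NO_PROPOSAL_CHOSEN to 107.223.51.250:500
packet from 107.223.51.250:500: initial parent SA message received on 69.54.99.132:500 but no connection has been authorized with policy=IKEV2_ALLOW
packet from 107.223.51.250:500: sending unencrypted notification v2N_NO_PROPOSAL_CHOSEN to 107.223.51.250:500
packet from 107.223.51.250:500: initial parent SA message received on 69.54.99.132:500 but no connection has been authorized with policy=IKEV2_ALLOW
packet from 107.223.51.250:500: sending unencrypted notification v2N_NO_PROPOSAL_CHOSEN to 107.223.51.250:500
"""

PACKET_RE = re.compile(r"^packet from (?P<peer>[0-9.]+):(?P<peer_port>\d+): (?P<msg>.+)$")
INIT_RE = re.compile(
    r"initial parent SA message received on (?P<local>[0-9.]+):(?P<local_port>\d+) "
    r"but no connection has been authorized with policy=(?P<policy>\w+)")
NOTIFY_RE = re.compile(r"sending unencrypted notification (?P<notify>v2N_\w+)")

# Hints keyed on the two strings from the question. They paraphrase the
# answer's explanation; libreswan itself has no such one-to-one table.
HINTS = {
    "IKEV2_ALLOW": ("no loaded conn with ikev2=allow or ikev2=insist matches this "
                    "peer, or the matching conn's other parameters differ; "
                    "check `ipsec status` for a conn that covers the peer"),
    "v2N_NO_PROPOSAL_CHOSEN": ("generic rejection the IKE protocol returns for many "
                               "mismatches and deliberately says no more; compare "
                               "both sides' ike=/esp=/authby= and certificate IDs"),
}


def parse_line(line):
    """Return a dict describing one pluto 'packet from' line, or None."""
    m = PACKET_RE.match(line.strip())
    if not m:
        return None
    rec = {"peer": m.group("peer"), "peer_port": int(m.group("peer_port")),
           "kind": "other", "msg": m.group("msg")}
    init = INIT_RE.search(rec["msg"])
    notify = NOTIFY_RE.search(rec["msg"])
    if init:
        rec.update(kind="unauthorized_init", local=init.group("local"),
                   local_port=int(init.group("local_port")),
                   policy=init.group("policy"))
    elif notify:
        rec.update(kind="notify", notify=notify.group("notify"))
    return rec


def triage(log_text):
    """Group records per peer and attach the applicable hints.

    Returns {peer: {"unauthorized_init": n, "notifies": {name: n},
                    "policies": set, "hints": [str, ...]}}.
    """
    per_peer = defaultdict(lambda: {"unauthorized_init": 0, "notifies": {},
                                    "policies": set(), "hints": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_peer[rec["peer"]]
        if rec["kind"] == "unauthorized_init":
            entry["unauthorized_init"] += 1
            entry["policies"].add(rec["policy"])
        elif rec["kind"] == "notify":
            entry["notifies"][rec["notify"]] = entry["notifies"].get(rec["notify"], 0) + 1
    for entry in per_peer.values():
        # Sorted so the hint order is deterministic for a given peer.
        keys = sorted(entry["policies"]) + sorted(entry["notifies"])
        entry["hints"] = [HINTS[k] for k in keys if k in HINTS]
    return dict(per_peer)


if __name__ == "__main__":
    for peer, info in triage(SAMPLE_LOG).items():
        print("%s: %d unauthorized initial-SA messages, notifications sent %s"
              % (peer, info["unauthorized_init"], info["notifies"]))
        for hint in info["hints"]:
            print("  -", hint)
```

Run it against a saved copy of /var/log/secure (or wherever pluto logs on the system) instead of SAMPLE_LOG to see, per peer, whether the gateway is refusing the initial exchange before any conn is selected; a steady stream of unencrypted NO_PROPOSAL_CHOSEN replies to one address is the signature of the mismatch the answer describes, and the same per-peer count is a cheap health metric once the Windows 7 client is working.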
