Undocumented IPsec message types??


I have a RHEL 7.0 system that acts as a firewall and authentication server for a small LAN (64 nodes).

We have a requirement for employees and customers to be able to login to the LAN remotely.

I have a test scenario using a windows 7 client system that has a VPN client built into the windows 7 OS.

Both sides are configured to use x.509 certificates and IKEv2. Additionally users will be required to login once the VPN connection is established.

I've gotten the following error messages whenever the windows 7 client tries to establish an IKEv2 VPN connection.
packet from 107.223.51.250:500: initial parent SA message received on 69.54.99.132:500 but no connection has been authorized with policy=IKEV2_ALLOW
packet from 107.223.51.250:500: sending unencrypted notification v2N_NO_PROPOSAL_CHOSEN to 107.223.51.250:500
packet from 107.223.51.250:500: initial parent SA message received on 69.54.99.132:500 but no connection has been authorized with policy=IKEV2_ALLOW
packet from 107.223.51.250:500: sending unencrypted notification v2N_NO_PROPOSAL_CHOSEN to 107.223.51.250:500
packet from 107.223.51.250:500: initial parent SA message received on 69.54.99.132:500 but no connection has been authorized with policy=IKEV2_ALLOW
packet from 107.223.51.250:500: sending unencrypted notification v2N_NO_PROPOSAL_CHOSEN to 107.223.51.250:500

IKEV2_ALLOW and v2N_NO_PROPOSAL_CHOSEN appear to be message-type strings probably assigned some numeric value.
However there's no documentation that I can find that relates these message types to a parameter or set of parameters in the ipsec.conf file.
Anyone have a "clue" as to how I can find out more about these message types? I've tried the Libreswan and Strongswan websites, but no joy.

Best Regards

Guy

Responses

There is no one-to-one translation of those errors to configuration options.

The answer NO_PROPOSAL_CHOSEN (or v2N_NO_PROPOSAL_CHOSEN) means there was a significant mismatching configuration that both ends could not continue with each other.

initial parent SA message received on 69.54.99.132:500 but no connection has been authorized with policy=IKEV2_ALLOW

This message might mean that you have no connection configured with ikev2=allow or ikev2=insist, although it could also be that other parameters of your connection with ikev2=yes are not matching with the other end.
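The per-peer triage a firewall admin would do on these pluto messages, written out as an added example that is not part of this thread and not libreswan's own code: a small Python parser for the two line shapes quoted above, which counts how often each remote peer was rejected and with which notification, and turns the result into the checks Paul's reply points at. The sample log lines and the IP addresses in them are constructed; the syslog prefix on the last line is there only to show that the matcher tolerates it.

```python
"""Summarize libreswan (pluto) IKEv2 rejection lines per remote peer.

Added example for this thread; not libreswan code. It recognizes the two
message shapes quoted in the question and nothing else.
"""
import re
from collections import Counter, defaultdict

# Constructed sample, mirroring the shape of the lines in the question.
SAMPLE_LOG = """\
packet from 192.0.2.10:500: initial parent SA message received on 198.51.100.1:500 but no connection has been authorized with policy=IKEV2_ALLOW
packet from 192.0.2.10:500: sending unencrypted notification v2N_NO_PROPOSAL_CHOSEN to 192.0.2.10:500
packet from 192.0.2.10:500: initial parent SA message received on 198.51.100.1:500 but no connection has been authorized with policy=IKEV2_ALLOW
packet from 192.0.2.10:500: sending unencrypted notification v2N_NO_PROPOSAL_CHOSEN to 192.0.2.10:500
packet from 192.0.2.10:500: initial parent SA message received on 198.51.100.1:500 but no connection has been authorized with policy=IKEV2_ALLOW
packet from 192.0.2.10:500: sending unencrypted notification v2N_NO_PROPOSAL_CHOSEN to 192.0.2.10:500
Jan  1 12:00:00 fw pluto[1234]: packet from 198.51.100.7:500: sending unencrypted notification v2N_NO_PROPOSAL_CHOSEN to 198.51.100.7:500
"""

# "no connection has been authorized with policy=..." line
_RE_NO_CONN = re.compile(
    r"packet from (?P<peer>[\d.]+):(?P<peer_port>\d+): initial parent SA message "
    r"received on (?P<local>[\d.]+):(?P<local_port>\d+) but no connection has been "
    r"authorized with policy=(?P<policy>\w+)"
)
# "sending unencrypted notification v2N_..." line
_RE_NOTIFY = re.compile(
    r"packet from (?P<peer>[\d.]+):(?P<peer_port>\d+): sending unencrypted "
    r"notification (?P<notify>v2N_\w+) to (?P<dest>[\d.]+):(?P<dest_port>\d+)"
)


def parse_line(line):
    """Return a dict describing the event, or None for lines we do not recognize."""
    m = _RE_NO_CONN.search(line)
    if m:
        event = m.groupdict()
        event["kind"] = "no_connection_authorized"
        return event
    m = _RE_NOTIFY.search(line)
    if m:
        event = m.groupdict()
        event["kind"] = "notification_sent"
        return event
    return None


def summarize(lines):
    """Per peer IP: event counters plus the policies and local addresses seen."""
    summary = defaultdict(lambda: {"events": Counter(), "policies": set(), "locals": set()})
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        entry = summary[event["peer"]]
        if event["kind"] == "no_connection_authorized":
            entry["events"]["no_connection_authorized"] += 1
            entry["policies"].add(event["policy"])
            entry["locals"].add(event["local"])
        else:
            entry["events"][event["notify"]] += 1
    return dict(summary)


def hints(peer_summary):
    """Map one peer's summary to the configuration checks suggested in the thread."""
    out = []
    if "IKEV2_ALLOW" in peer_summary["policies"]:
        out.append("no conn with ikev2=allow/insist matched this peer: check that a conn "
                   "selects it (left/right, leftid/rightid, certificate) and that the "
                   "conn's other IKEv2 parameters match the client")
    if peer_summary["events"].get("v2N_NO_PROPOSAL_CHOSEN"):
        out.append("NO_PROPOSAL_CHOSEN is a generic IKE answer: compare the IKE/ESP "
                   "proposals and authentication settings on both ends, the notification "
                   "itself does not name the mismatched option")
    return out


if __name__ == "__main__":
    for peer, entry in summarize(SAMPLE_LOG.splitlines()).items():
        print(peer, dict(entry["events"]))
        for hint in hints(entry):
            print("  -", hint)
```

Feed it the pluto lines from /var/log/secure (or `journalctl -u ipsec`) instead of SAMPLE_LOG to see which peers are failing repeatedly; a burst of rejections from one address is also a reasonable thing to alert on.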

Hi Paul thanks for your response.
Interesting... The windows 7 VPN config "wizard" gives options of PPTP, L2TP, SSTP, and IKEv2.
Encryption options are: Optional Encryption, No Encryption Allowed, Require Encryption, and Maximum Strength Encryption. The terminology used by Microsoft is of course different from Openswan or Strongswan. They also assume one is connecting to a Windows Server system.
Windows doesn't offer a complete vpn connection parameter list as Linux does.
All the other vpn connection parameters are "buried" in the windows registry.
I have selected IKEV2 on both "sides".
From my vpn connection parm list:
ikev2=insist
ike_frag=yes
ikepad=yes
I reckon I have to start "easter-egging"; it's too bad the Libreswan/Openswan/Strongswan developers didn't choose to relate an error message string to each parameter.
But I've been "spoiled" by IBM and their excellent error message system. ;-)
Thanks again
Best Regards
Guy

It's not about a choice of mapping an option to a parameter. The IKE protocol only gives limited error messages back (on purpose for security). "no proposal chosen" is what is returned in many configuration mismatches. libreswan cannot do anything more.

I'm confused about your additional user/password that seems to be required. Is that a separate login somewhere, or is the Windows7 server expecting some kind of EAP method (like EAP-MSCHAPv2 ?) Currently, libreswan/openswan does not support EAP.

We have tested windows7 client using "machine certificate" to libreswan IKEv2, which works. But does not have a user/password phase, just the valid X.509 certificate on the windows7 client.

Thanks very much for the clarification i.e. [on purpose for security]
So it's the IKE protocol process that does the error message handling.
In my windows networking tracing I did notice an entry:
IkeReceiveCallback ErrorCode: 10054
I wonder if this is from the IKE functionality ?
I couldn't find any documentation on this apparent function return code. It's not part of windows.
Do you think the folks who developed and maintain IKE would be able to "shed some light" on this?
Regarding the login; that process should start once the vpn tunnel connection is established.
the users will be logging on to the corporate LAN.
What I have noted with the windows 7 vpn client is that the process forces a logon despite the fact I have the "Machine Certificate" option selected AND EAP-MSCHAPv2 is "greyed-out", i.e. NOT selected.
However I don't think the userid and pw is sent, because I can put anything in those fields and the process accepts them. That's a curiosity of windows.
Thanks again for your explanations.

Guy
