Trying to use Strongswan to connect to a work VPN and getting "selected peer config inacceptable" errors in the logs which I haven't been able to find any info on in Google:
~$ sudo ipsec up VDI
initiating Aggressive Mode IKE_SA VDI[1] to 163.x.y.z
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from 192.168.1.214[500] to 163.x.y.z[500] (547 bytes)
received packet: from 163.x.y.z[500] to 192.168.1.214[500] (556 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID V V NAT-D NAT-D V V HASH ]
received DPD vendor ID
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received XAuth vendor ID
received unknown vendor ID: bf:c2:2e:98:56:ba:99:36:11:c1:1e:48:a6:d2:08:07:a9:5b:ed:b3:93:02:6a:49:e6:0f:ac:32:7b:b9:60:1b:56:6b:34:39:4d:54:49:75:4e:53:34:79:49:45:4a:4f:50:54:59:77:4f:54:59:79:4f:41:3d:3d
local host is behind NAT, sending keep alives
generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
sending packet: from 192.168.1.214[4500] to 163.x.y.z[4500] (108 bytes)
received packet: from 163.x.y.z[4500] to 192.168.1.214[4500] (124 bytes)
parsed TRANSACTION request 3165206765 [ HASH CPRQ(X_USER X_PWD X_MSG) ]
XAuth message: Please Enter Your User Name and Password :
generating TRANSACTION response 3165206765 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from 192.168.1.214[4500] to 163.x.y.z[4500] (92 bytes)
received packet: from 163.x.y.z[4500] to 192.168.1.214[4500] (124 bytes)
parsed TRANSACTION request 3165206765 [ HASH CPS(ADDR MASK DNS DNS U_DEFDOM X_STATUS) ]
selected peer config 'VDI' inacceptable
no alternative config found
XAuth authentication of 'DR400' (myself) failed
IKE_SA VDI[1] established between 192.168.1.214[VDI]...163.x.y.z[163.x.y.z]
scheduling reauthentication in 28180s
maximum IKE_SA lifetime 28720s
generating TRANSACTION response 3165206765 [ HASH CPA(X_STATUS) ]
sending packet: from 192.168.1.214[4500] to 163.x.y.z[4500] (76 bytes)
generating TRANSACTION request 2622082016 [ HASH CPRQ(ADDR DNS) ]
sending packet: from 192.168.1.214[4500] to 163.x.y.z[4500] (76 bytes)
received packet: from 163.x.y.z[4500] to 192.168.1.214[4500] (92 bytes)
parsed TRANSACTION response 2622082016 [ HASH CPRP(ADDR DNS DNS) ]
installing DNS server 10.132.0.10 via resolvconf
installing DNS server 10.132.0.11 via resolvconf
installing new virtual IP 192.168.246.108
generating QUICK_MODE request 1906245246 [ HASH SA No KE ID ID ]
sending packet: from 192.168.1.214[4500] to 163.x.y.z[4500] (444 bytes)
received packet: from 163.x.y.z[4500] to 192.168.1.214[4500] (92 bytes)
parsed INFORMATIONAL_V1 request 3184934143 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'VDI' failed
ipsec.conf:
config setup
conn VDI
left=%any
leftauth=psk
leftauth2=xauth
leftid=userfqdn:VDI
leftsourceip=%config
right=163.x.y.z
rightauth=psk
rightauth2=xauth
aggressive=yes
auto=add
dpdaction=restart
dpddelay=20s
keyexchange=ikev1
lifetime=8h
ikelifetime=8h
modeconfig=pull
xauth_identity=DR400
ike=aes256-sha1-modp2048
esp=aes256-sha2_256-modp2048
ipsec.secret:
: PSK "zzzzzzzzzzzzzz"
DR400 : XAUTH "xxxxxxxxxx"
It looks to me like phase 1 is successful, but then I can't see why I get NO_PROPOSAL_CHOSEN at phase 2. I am 100% sure the esp propsal and lifetimes are correct (they work from a different VPN client on a Windows machine).
But I don't really understand the lines:
selected peer config 'VDI' inacceptable
no alternative config found
XAuth authentication of 'DR400' (myself) failed
If the XAuth password is actually wrong the responder sends XAuth message: User Authentication Failed ! Try Again
. What could be causing "selected peer config inacceptable" and this early XAuth failure?
Since only the initiator/client uses XAuth for authentication, rightauth2=xauth has to be removed.
Note that using Aggressive Mode with PSK/XAuth is very insecure.