Old 17th September 2009
jggimi

Phase 1 negotiation is used by the gateways to authenticate with each other and to establish an encrypted channel. Phase 2 negotiation is where IPSec configurations are set. Both are required to complete. The failure to successfully negotiate Phase 2 prevents IPSec from working. If I understand this message:
Code:
responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: 
initiator id 192.168.191.0/255.255.255.0, responder id 192.168.192.0/255.255.255.0
it looks like both sides of the gateway are trying to use 192.168.191/24 as the local network. But I may be wrong; I've never used this type of complex configuration and may be misunderstanding the cause of the misconnect between the gateways.

I'd recommend avoiding this level of complexity, if at all possible.

Because I have limited IPSec configuration experience, and no one else has jumped in, I recommend you post your problem to OpenBSD's misc@ mailing list. Rather than only one or two people who may have some experience with IPSec, there will be hundreds.

Some warnings:

No attachments are allowed. Place your configuration files and log messages as text, in-line with your e-mail. Attachments will just be stripped, and no one will see them.

Put more information in your request for assistance than you think may be needed. For example, include a dmesg, even though you don't think it is necessary. (Actually, it is often helpful, because it gives readers your specific release, flavor, and architecture for the OS, among other information.) Because the misc@ mailing list is not newbie-friendly, the more you can provide, the less likely your posting will be ignored, and the less likely you'll get a rude response.

Read the Netiquette section from the OpenBSD website, and follow its guidance:
http://www.openbsd.org/mail.html
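As an added example (not from the post above and not part of OpenBSD's isakmpd), a small Python check that parses the quoted "invalid phase 2 IDs" message and compares the proposed IDs against constructed ipsec.conf-style (local network, remote network) flow pairs for each gateway. It shows that mirrored pairs on the two gateways match, while the same network listed as "local" on both sides does not; the flow definitions and the joined log line are constructed input, not the poster's configuration.

```python
import ipaddress
import re

# Constructed input: the isakmpd(8) message quoted in the post, re-joined
# onto one line because the forum wrapped it.
LOG_LINE = ("responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: "
            "initiator id 192.168.191.0/255.255.255.0, "
            "responder id 192.168.192.0/255.255.255.0")

ID_RE = re.compile(r"initiator id (\S+), responder id (\S+)")


def net(text):
    """Parse 'addr/prefix' or 'addr/netmask' (the form isakmpd logs)."""
    return ipaddress.ip_network(text, strict=False)


def parse_phase2_ids(line):
    """Return (initiator_net, responder_net) from the log line, or None."""
    m = ID_RE.search(line)
    return (net(m.group(1)), net(m.group(2))) if m else None


def unmirrored_flows(flows_a, flows_b):
    """Flows are (local_net, remote_net) pairs per gateway. Return the flows
    on A that B does not mirror as (remote, local); a site-to-site tunnel
    needs every flow mirrored, so a non-empty result points at a misconfig."""
    mirrored = {(remote, local) for (local, remote) in flows_b}
    return [flow for flow in flows_a if flow not in mirrored]


def responder_accepts(proposed_ids, responder_flows):
    """True if some responder flow matches the proposed IDs: the initiator id
    must equal the responder's remote net and the responder id its local net.
    If both gateways list the same net as local, no flow matches."""
    init_net, resp_net = proposed_ids
    return any(local == resp_net and remote == init_net
               for (local, remote) in responder_flows)


def diagnose(line, initiator_flows, responder_flows):
    """Combine the checks into one verdict for the log line."""
    ids = parse_phase2_ids(line)
    if ids is None:
        return "no phase 2 IDs found in line"
    if responder_accepts(ids, responder_flows):
        return "responder has a matching flow"
    bad = unmirrored_flows(initiator_flows, responder_flows)
    return f"unmirrored flows on initiator: {bad}" if bad else "no flow matches"


if __name__ == "__main__":
    # Constructed configs: both gateways call 192.168.191.0/24 "local".
    a = [(net("192.168.191.0/24"), net("192.168.192.0/24"))]
    print(diagnose(LOG_LINE, a, list(a)))
```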