OPNsense Forum

English Forums => Virtual private networks => Topic started by: m256 on December 01, 2024, 02:48:07 PM

Title: ikev1 NO-PROPOSAL-CHOSEN
Post by: m256 on December 01, 2024, 02:48:07 PM
Hi,
I can't get past IPsec phase 1; I'm getting NO-PROPOSAL-CHOSEN although everything matches, checked a hundred times. Wiresharked tcpdumps, etc.
What happens: in IKEv1, the ZyWALL proposes AES256-SHA512-DH14, NAT traversal, DPD, etc.
OPNsense immediately replies with NO-PROPOSAL-CHOSEN.
I have played with multiple ciphers / a single different cipher, etc.
Both are behind NAT, but OPNsense has the udp/500 and udp/4500 ports from the public IP.
What am I doing wrong?
(https://pasteboard.co/zxbN1kJHeHPX.png)
Title: Re: ikev1 NO-PROPOSAL-CHOSEN
Post by: Monviech (Cedrik) on December 01, 2024, 02:53:17 PM
Try setting local and remote ID to distinguished name.
Leave proposals on default and see if anything matched.
Title: Re: ikev1 NO-PROPOSAL-CHOSEN
Post by: m256 on December 01, 2024, 05:21:13 PM
Tried rebooting, creating new setups on both sides, switched from IKEv1 to IKEv2, used domains and email addresses for IDs; nothing helped.

There's small progress, though: it seems like now they are able to agree on a P1 proposal, but get stuck in ikev2_init[I] and ikev2_init[R].

Geez, to think I was about to migrate 20 tunnels from another (commercial) strongSwan vendor to OPNsense and spent the whole weekend on the first one, lol.
Title: Re: ikev1 NO-PROPOSAL-CHOSEN
Post by: Monviech (Cedrik) on December 01, 2024, 05:25:44 PM
You wrote IKEv1 in your initial post, but now it's IKEv2?

I have created countless tunnels to many vendors; it's sometimes a little thing that makes it fail.

Try using Connections if you use Legacy, as the options there align better with strongSwan.

EDIT: Oh, you wrote that you changed to IKEv2, sorry, I overread that.

Can't you look at the logs on the other side? Sometimes it's both sides' logs you need to make sense of it.
Title: Re: ikev1 NO-PROPOSAL-CHOSEN
Post by: m256 on December 01, 2024, 06:57:29 PM
Somehow, I managed to get the tunnel connected. Well, I can't ping the firewalls from either site, but that should be easier to handle. :)
I don't know what was wrong (I was experimenting so much with it), but I suspect something in the Zyxel. Also, I switched to configuring OPNsense using the legacy connection; my only regret is that I didn't find it sooner, it's so much more convenient than Connections. Hopefully they don't remove it in a future version.
Title: Re: ikev1 NO-PROPOSAL-CHOSEN
Post by: Monviech (Cedrik) on December 01, 2024, 07:18:03 PM
If it worked with legacy, download the swanctl file (VPN - IPsec - Advanced Settings) and compare it to what you did in Connections.

It's the same file that both implementations populate with the same options.
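For readers doing that comparison, here is an added example of what a hand-written swanctl.conf for the tunnel described in this thread looks like: one IKEv1 main-mode, PSK-authenticated connection whose phase-1 proposal is the one the ZyWALL offered (AES256 / SHA512 / DH group 14, which strongSwan spells `modp2048`), with NAT-T encapsulation forced and DPD enabled. This is not the file OPNsense generates and not the poster's configuration; all addresses, IDs, networks and the secret are placeholders, and the generated file will use OPNsense's own connection and child names.

```conf
# Added example, not from the thread or from OPNsense: a minimal swanctl.conf
# for an IKEv1 site-to-site tunnel. Every address, ID, network and the PSK
# below is an assumed placeholder.
connections {
    zywall {
        version = 1                          # IKEv1 (use 2 for IKEv2)
        local_addrs  = 192.0.2.10            # OPNsense WAN address (assumed, behind NAT)
        remote_addrs = 198.51.100.20         # ZyWALL public address (assumed)
        # Phase-1 proposal. NO-PROPOSAL-CHOSEN means no entry in this list
        # matched the peer's offer, so it must contain the peer's proposal exactly.
        proposals = aes256-sha512-modp2048
        aggressive = no                      # main mode
        encap = yes                          # force UDP/4500 encapsulation; both ends are NATed
        dpd_delay = 30s                      # dead peer detection
        local {
            auth = psk
            id = fw-opnsense.example.net     # string ID; must equal the peer's configured remote ID
        }
        remote {
            auth = psk
            id = fw-zywall.example.net
        }
        children {
            lan {
                local_ts  = 10.0.0.0/24      # network behind OPNsense (assumed)
                remote_ts = 10.1.0.0/24      # network behind the ZyWALL (assumed)
                # Phase-2 proposal with PFS group 14; must also match the peer.
                esp_proposals = aes256-sha512-modp2048
                start_action = start
                dpd_action = restart
            }
        }
    }
}

secrets {
    ike-zywall {
        id-1 = fw-opnsense.example.net
        id-2 = fw-zywall.example.net
        secret = "replace-with-a-long-random-psk"
    }
}
```

When comparing the generated file against a hand-written one like this, the lines worth checking first are `proposals`, `esp_proposals`, the `id` values under `local`/`remote`, and `encap`, since a mismatch in any of them is enough to produce the NO-PROPOSAL-CHOSEN or ID-mismatch failures discussed above. After loading (`swanctl --load-all`), `swanctl --list-conns` shows what strongSwan actually parsed and `swanctl --log` streams the negotiation as it happens.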
Title: Re: ikev1 NO-PROPOSAL-CHOSEN
Post by: m256 on December 01, 2024, 08:31:59 PM
Thanks, good to know. Legacy settings are what I am more used to working with.
Now I have only one last issue with the tunnel: I can ping, HTTP, etc. from the LAN on the Zyxel side to any device on the remote side of the tunnel, but not in the opposite direction. I've checked firewall rules, IPsec P2 networks, routing... what else could be wrong?

EDIT: it was because of asymmetric routing. All OK now. Thanks again.