16.7 Legacy Series / NO_PROPOSAL_CHOSEN on IPSEC VPN
« on: January 02, 2017, 03:48:40 am »
I am setting up an IPSEC VPN between a new OPNsense 16.7.12 VM and a Cisco ASA using a configuration similar to what I normally use with pfSense 2.3.2. Phase 1 appears to complete but phase 2 fails with NO_PROPOSAL_CHOSEN (log below). According to the pfSense docs, that implies an encryption or hash mismatch. The tunnel settings for phase 1 and phase 2 in the webConfigurator match what the other side expects. Are there any suggestions on how to troubleshoot the cause for this?
Thanks.
----------
Jan 1 21:22:43 charon: 06[IKE] received DELETE for IKE_SA con1[13]
Jan 1 21:22:43 charon: 06[ENC] parsed INFORMATIONAL_V1 request 2623450652 [ HASH D ]
Jan 1 21:22:43 charon: 06[NET] received packet: from d.d.d.d[500] to s.s.s.s[500] (92 bytes)
Jan 1 21:22:43 charon: 05[IKE] received NO_PROPOSAL_CHOSEN error notify
Jan 1 21:22:43 charon: 05[ENC] parsed INFORMATIONAL_V1 request 584985045 [ HASH N(NO_PROP) ]
Jan 1 21:22:43 charon: 05[NET] received packet: from d.d.d.d[500] to s.s.s.s[500] (92 bytes)
Jan 1 21:22:43 charon: 05[IKE] received (24576) notify
Jan 1 21:22:43 charon: 05[ENC] parsed INFORMATIONAL_V1 request 2773286589 [ HASH N((24576)) ]
Jan 1 21:22:43 charon: 05[NET] received packet: from d.d.d.d[500] to s.s.s.s[500] (92 bytes)
Jan 1 21:22:43 charon: 11[NET] sending packet: from s.s.s.s[500] to d.d.d.d[500] (172 bytes)
Jan 1 21:22:43 charon: 11[ENC] generating QUICK_MODE request 4227466899 [ HASH SA No ID ID ]
Jan 1 21:22:43 charon: 11[IKE] maximum IKE_SA lifetime 28685s
Jan 1 21:22:43 charon: 11[IKE] scheduling reauthentication in 28145s