Messages - TechTrend

#1
This issue appears related to the one discussed in NAT before IPSec question and NAT before IPsec is not functional. If I understand it correctly, NAT/BINAT for IPSEC works in pfSense because they use a custom build of strongSwan and proprietary syntax in ipsec.conf (like the 'leftsubnet' entry above). It does NOT work in OPNsense due to the use of a mainline strongSwan, e.g. the NAT/BINAT parameters are ignored.

If that is the case, there should be a WARNING on the NAT/BINAT entry indicating it is still under development. Entering config parameters that are not used at all is misleading and can lead to many wasted hours.
#2
OPNsense appears to either ignore or handle differently the NAT/BINAT option on IPSEC phase 2 entries. In pfSense a BINAT on a phase 2 entry generates a line in ipsec.conf with
leftsubnet = n.n.n.n|l.l.l.l
where n.n.n.n is the NAT translation address and l.l.l.l is the local address. In OPNsense the same config generates just a
leftsubnet = l.l.l.l
The NAT translation address is not listed anywhere on the ipsec.conf. I tried all NAT/BINAT type options (Auto, NAT, BINAT) but none seem to generate the correct 'leftsubnet' for strongSwan in ipsec.conf. Manually editing 'leftsubnet' in ipsec.conf makes the tunnel work properly. My phase 2 NAT configurations use a single address (/32) to a single address (/32).

This behavior appears in OPNsense 16.7.12 and 17.1.b_60. Is there a way to enter NAT/BINAT in OPNsense such that it generates the proper 'leftsubnet'?
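The post above compares the 'leftsubnet' line that pfSense writes ("nat|local") with the one OPNsense writes ("local" only). The following is an added example, not code from the thread, OPNsense or pfSense: a small checker that parses ipsec.conf-style text into conn sections and reports, for each conn, whether its leftsubnet carries a translation address in the pipe syntax quoted in the post or only the local subnet. It assumes only that pipe syntax as the post describes it; the conn names and the documentation-range addresses in the sample configuration are constructed.

```python
# Added example: audit ipsec.conf 'leftsubnet' entries for the pfSense-style
# NAT/BINAT translation ("nat|local") described in the post. The sample text,
# conn names and addresses below are constructed, not taken from the thread.
import ipaddress
import re

SAMPLE_IPSEC_CONF = """\
config setup
    uniqueids = yes

conn con1
    # translation address first, local address second (syntax quoted in the post)
    leftsubnet = 203.0.113.10/32|192.0.2.10/32
    rightsubnet = 198.51.100.0/24
    keyexchange = ikev1

conn con2
    # local address only: no translation would be applied
    leftsubnet = 192.0.2.20/32
    rightsubnet = 198.51.100.0/24
    keyexchange = ikev1
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for each 'conn' section of ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        m = re.match(r"^(conn|config)\s+(\S+)\s*$", line)
        if m:
            # 'config setup' and similar sections are not connections; skip their keys
            current = conns.setdefault(m.group(2), {}) if m.group(1) == "conn" else None
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return conns

def check_leftsubnet(value):
    """Classify one leftsubnet value.

    Returns (status, nat_addr, local_addr): 'binat' when a translation address
    precedes the local subnet ("nat|local"), 'plain' when only the local subnet
    is present, 'invalid' when a part does not parse as an address or prefix.
    """
    parts = value.split("|")
    try:
        nets = [ipaddress.ip_network(p.strip(), strict=False) for p in parts]
    except ValueError:
        return ("invalid", None, None)
    if len(nets) == 2:
        return ("binat", str(nets[0]), str(nets[1]))
    if len(nets) == 1:
        return ("plain", None, str(nets[0]))
    return ("invalid", None, None)

def audit(text):
    """Map each conn to its leftsubnet classification; conns without one get 'missing'."""
    report = {}
    for name, opts in parse_conns(text).items():
        if "leftsubnet" not in opts:
            report[name] = ("missing", None, None)
        else:
            report[name] = check_leftsubnet(opts["leftsubnet"])
    return report

if __name__ == "__main__":
    for name, (status, nat, local) in audit(SAMPLE_IPSEC_CONF).items():
        print(f"{name}: {status} nat={nat} local={local}")
```

Running it over the generated ipsec.conf after saving a phase 2 entry shows at a glance whether the NAT/BINAT address made it into the file at all, which is the check the post had to do by hand.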
#3
16.7 Legacy Series / NO_PROPOSAL_CHOSEN on IPSEC VPN
January 02, 2017, 03:48:40 AM
I am setting up an IPSEC VPN between a new OPNsense 16.7.12 VM and a Cisco ASA using a configuration similar to what I normally use with pfSense 2.3.2. Phase 1 appears to complete but phase 2 fails with NO_PROPOSAL_CHOSEN (log below). According to the pfSense docs, that implies an encryption or hash mismatch. The tunnel settings for phase 1 and phase 2 in the webConfigurator match what the other side expects. Are there any suggestions on how to troubleshoot the cause for this?

Thanks.
----------
Jan 1 21:22:43   charon: 06[IKE] received DELETE for IKE_SA con1[13]
Jan 1 21:22:43   charon: 06[ENC] parsed INFORMATIONAL_V1 request 2623450652 [ HASH D ]
Jan 1 21:22:43   charon: 06[NET] received packet: from d.d.d.d[500] to s.s.s.s[500] (92 bytes)
Jan 1 21:22:43   charon: 05[IKE] received NO_PROPOSAL_CHOSEN error notify
Jan 1 21:22:43   charon: 05[ENC] parsed INFORMATIONAL_V1 request 584985045 [ HASH N(NO_PROP) ]
Jan 1 21:22:43   charon: 05[NET] received packet: from d.d.d.d[500] to s.s.s.s[500] (92 bytes)
Jan 1 21:22:43   charon: 05[IKE] received (24576) notify
Jan 1 21:22:43   charon: 05[ENC] parsed INFORMATIONAL_V1 request 2773286589 [ HASH N((24576)) ]
Jan 1 21:22:43   charon: 05[NET] received packet: from d.d.d.d[500] to s.s.s.s[500] (92 bytes)
Jan 1 21:22:43   charon: 11[NET] sending packet: from s.s.s.s[500] to d.d.d.d[500] (172 bytes)
Jan 1 21:22:43   charon: 11[ENC] generating QUICK_MODE request 4227466899 [ HASH SA No ID ID ]
Jan 1 21:22:43   charon: 11[IKE] maximum IKE_SA lifetime 28685s
Jan 1 21:22:43   charon: 11[IKE] scheduling reauthentication in 28145s
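As an added example, not part of the post or of strongSwan: a small triage script for charon log lines of the shape pasted above. It parses each line into thread, subsystem and message, puts a newest-first paste back into time order, and reports whether a QUICK_MODE request went out and a NO_PROPOSAL_CHOSEN notify came back, which is the phase 2 mismatch the post describes. The sample lines are adapted from the post's log with the same placeholder addresses; the verdict strings are this example's own labels.

```python
# Added example: triage strongSwan charon log lines for an IKEv1 phase 2
# proposal rejection. Sample lines adapted from the post (addresses are the
# post's placeholders); thread numbers and verdict labels are this example's.
import re
from dataclasses import dataclass

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+charon:\s+"
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\]\s+(?P<msg>.*)$"
)

SAMPLE_LOG = """\
Jan 1 21:22:43   charon: 06[IKE] received DELETE for IKE_SA con1[13]
Jan 1 21:22:43   charon: 05[IKE] received NO_PROPOSAL_CHOSEN error notify
Jan 1 21:22:43   charon: 05[IKE] received (24576) notify
Jan 1 21:22:43   charon: 11[NET] sending packet: from s.s.s.s[500] to d.d.d.d[500] (172 bytes)
Jan 1 21:22:43   charon: 11[ENC] generating QUICK_MODE request 4227466899 [ HASH SA No ID ID ]
""".splitlines()

@dataclass
class Entry:
    ts: str
    thread: int
    group: str   # charon subsystem tag: IKE, ENC, NET, ...
    msg: str

def parse_charon(lines):
    """Parse charon log lines; lines that do not match the expected shape are skipped."""
    out = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            out.append(Entry(m["ts"], int(m["thread"]), m["group"], m["msg"]))
    return out

def triage(lines, newest_first=True):
    """Summarise an IKEv1 exchange: was a QUICK_MODE proposal sent and rejected?"""
    entries = parse_charon(lines)
    if newest_first:
        entries.reverse()   # forum pastes are newest-first; analyse in time order
    summary = {"quick_mode_sent": False, "no_proposal_chosen": False,
               "ike_sa_deleted": [], "numeric_notifies": []}
    for e in entries:
        if e.group == "ENC" and "generating QUICK_MODE request" in e.msg:
            summary["quick_mode_sent"] = True
        elif e.group == "IKE" and "NO_PROPOSAL_CHOSEN" in e.msg:
            summary["no_proposal_chosen"] = True
        elif e.group == "IKE" and (m := re.search(r"received \((\d+)\) notify", e.msg)):
            # notify types charon prints only as a number; recorded, not interpreted
            summary["numeric_notifies"].append(int(m.group(1)))
        elif e.group == "IKE" and (m := re.search(r"received DELETE for IKE_SA (\S+)", e.msg)):
            summary["ike_sa_deleted"].append(m.group(1))
    summary["verdict"] = (
        "phase2_proposal_rejected_by_peer"
        if summary["quick_mode_sent"] and summary["no_proposal_chosen"]
        else "no_phase2_mismatch_seen"
    )
    return summary

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A "phase2_proposal_rejected_by_peer" verdict points at the phase 2 settings (encryption and hash, as the post notes) rather than at phase 1, which the log shows completing far enough to send the QUICK_MODE request.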