Virtual private networks / NO_PROPOSAL_CHOSEN | IPSec eap-mschapv2 roadwarrior config
« on: February 21, 2024, 01:50:34 pm »
Hi,
I can't get an IPSec connection via the new connection tab working. At the moment I always get the following errors in the opnsense log:
2024-02-22T09:38:17 Informational charon 09[ENC] <1> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2024-02-22T09:38:17 Informational charon 09[IKE] <1> no IKE config found for 10.246.42.10...redacted, sending NO_PROPOSAL_CHOSEN
2024-02-22T09:38:17 Informational charon 09[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Using a working legacy config these are the proposals chosen by the clients:
AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_4096
ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
So in the new connection tab I offer aes256-sha384-modp4096 (DH group 16) as the phase 1 proposal, and aes256-sha25 + DH groups 14/16 + aes256-sha256 with no DH group for phase 2.
In the working legacy con I also get packets requesting certain proposals in case I don't propose them, however I don't get them now.
What is my configuration error?
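An added example, not code from the post or from OPNsense or strongSwan: it expands strongSwan-style proposal strings like the ones entered in the connection tab, checks whether the proposals the clients negotiated (as charon prints them) are covered by them, and tells charon's `no IKE config found` message, which charon emits when no connection matched the peer's address pair and IKE version before any proposal was compared, apart from `received proposals unacceptable`, the wording a real proposal mismatch produces. The keyword table and the PRF derivation are assumptions written for the algorithms named in the post.

```python
from collections import defaultdict
# strongSwan proposal keyword -> (transform type, name charon prints in its log).
# Hand-written for the algorithms named in the post; an assumption, extend as needed.
KEYWORDS = {"aes256": ("ENCR", "AES_CBC_256"),
            "sha256": ("INTEG", "HMAC_SHA2_256_128"), "sha384": ("INTEG", "HMAC_SHA2_384_192"),
            "modp2048": ("DH", "MODP_2048"), "modp4096": ("DH", "MODP_4096")}
# For IKE proposals strongSwan derives the PRF from the integrity keyword.
PRF_FROM_INTEG = {"sha256": "PRF_HMAC_SHA2_256", "sha384": "PRF_HMAC_SHA2_384"}

def classify(name):
    """Map a name from the charon log to its IKE transform type."""
    if name.startswith("PRF_"): return "PRF"
    if name.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")): return "INTEG"
    if name.startswith(("MODP_", "ECP_", "CURVE_")): return "DH"
    if name.endswith("EXT_SEQ"): return "ESN"
    return "ENCR"

def expand_config(config, ike):
    """'aes256-sha256-modp2048-modp4096,aes256-sha256' -> one {type: {names}} per proposal."""
    proposals = []
    for prop in config.split(","):
        alts = defaultdict(set)
        for tok in prop.strip().split("-"):
            ttype, name = KEYWORDS[tok]  # KeyError means the keyword is not in the table
            alts[ttype].add(name)
            if ike and ttype == "INTEG":
                alts["PRF"].add(PRF_FROM_INTEG[tok])
        if not ike:
            alts["ESN"].add("NO_EXT_SEQ")  # charon prints this on ESP proposals unless ESN is on
        proposals.append(dict(alts))
    return proposals

def parse_log_proposal(line):
    """'ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ' -> {type: {name}} as negotiated."""
    return {classify(n): {n} for n in line.split(":", 1)[-1].split("/")}

def covered(chosen, config, ike):
    """True if some configured proposal has exactly the transform types the peer picked
    and each picked algorithm is among its alternatives (strict: no DH relaxation)."""
    return any(set(p) == set(chosen) and all(chosen[t] <= p[t] for t in chosen)
               for p in expand_config(config, ike))

def no_prop_cause(log_lines):
    """Tell the two responder-side NO_PROPOSAL_CHOSEN reasons apart by charon's wording."""
    text = "\n".join(log_lines)
    if "no IKE config found" in text:
        return "no-ike-config"  # no connection matched the address pair/IKE version; proposals never compared
    if "received proposals unacceptable" in text or "no acceptable proposal found" in text:
        return "proposal-mismatch"
    return "unknown"
```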