Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
16.7 Legacy Series
»
NO_PROPOSAL_CHOSEN on IPSEC VPN
« previous
next »
Print
Pages: [
1
]
Author
Topic: NO_PROPOSAL_CHOSEN on IPSEC VPN (Read 20871 times)
TechTrend
Newbie
Posts: 3
Karma: 0
NO_PROPOSAL_CHOSEN on IPSEC VPN
«
on:
January 02, 2017, 03:48:40 am »
I am setting up an IPSEC VPN between a new OPNsense 16.7.12 VM and a Cisco ASA using a configuration similar to what I normally use with pfSense 2.3.2. Phase 1 appears to complete but phase 2 fails with NO_PROPOSAL_CHOSEN (log below). According to the
pfSense docs
, that implies an encryption or hash mismatch. The tunnel settings for phase 1 and phase 2 in the webConfigurator match what the other side expects. Are there any suggestions on how to troubleshoot the cause for this?
Thanks.
----------
Jan 1 21:22:43 charon: 06[IKE] received DELETE for IKE_SA con1[13]
Jan 1 21:22:43 charon: 06[ENC] parsed INFORMATIONAL_V1 request 2623450652 [ HASH D ]
Jan 1 21:22:43 charon: 06[NET] received packet: from d.d.d.d[500] to s.s.s.s[500] (92 bytes)
Jan 1 21:22:43 charon: 05[IKE] received NO_PROPOSAL_CHOSEN error notify
Jan 1 21:22:43 charon: 05[ENC] parsed INFORMATIONAL_V1 request 584985045 [ HASH N(NO_PROP) ]
Jan 1 21:22:43 charon: 05[NET] received packet: from d.d.d.d[500] to s.s.s.s[500] (92 bytes)
Jan 1 21:22:43 charon: 05[IKE] received (24576) notify
Jan 1 21:22:43 charon: 05[ENC] parsed INFORMATIONAL_V1 request 2773286589 [ HASH N((24576)) ]
Jan 1 21:22:43 charon: 05[NET] received packet: from d.d.d.d[500] to s.s.s.s[500] (92 bytes)
Jan 1 21:22:43 charon: 11[NET] sending packet: from s.s.s.s[500] to d.d.d.d[500] (172 bytes)
Jan 1 21:22:43 charon: 11[ENC] generating QUICK_MODE request 4227466899 [ HASH SA No ID ID ]
Jan 1 21:22:43 charon: 11[IKE] maximum IKE_SA lifetime 28685s
Jan 1 21:22:43 charon: 11[IKE] scheduling reauthentication in 28145s
«
Last Edit: January 03, 2017, 04:14:32 am by TechTrend
»
Logged
TechTrend
Newbie
Posts: 3
Karma: 0
Re: NO_PROPOSAL_CHOSEN on IPSEC VPN
«
Reply #1 on:
January 03, 2017, 04:58:58 am »
OPNsense appears to either ignore or handle differently the NAT/BINAT option on IPSEC phase 2 entries. In pfSense a BIN/NAT on a phase 2 entry generates a line in ipsec.conf with
Code:
[Select]
leftsubnet = n.n.n.n|l.l.l.l
where n.n.n.n is the NAT translation address and l.l.l.l is the local address. In OPNsense the same config generates just a
Code:
[Select]
leftsubnet = l.l.l.l
The NAT translation address is not listed anywhere on the ipsec.conf. I tried all NAT/BINAT type options (Auto, NAT, BINAT) but none seem to generate the correct 'leftsubnet' for strongSwan in ipsec.conf. Manually editing 'leftsubnet' in ipsec.conf makes the tunnel work properly. My phase 2 NAT configurations use a single address (/32) to a single address (/32).
This behavior appears in OPNsense 16.7.12 and 17.1.b_60. Is there a way to enter NAT/BINAT in OPNsense such that it generates the proper 'leftsubnet'?
«
Last Edit: January 03, 2017, 05:11:36 am by TechTrend
»
Logged
TechTrend
Newbie
Posts: 3
Karma: 0
Re: NO_PROPOSAL_CHOSEN on IPSEC VPN
«
Reply #2 on:
January 03, 2017, 05:26:10 am »
This issue appears related to the one discussed in
NAT before IPSec question
and
NAT before IPsec is not functional
. If I understand it correctly, NAT/BINAT for IPSEC works in pfSense because they use a custom build of strongSwan and proprietary syntax in ipsec.conf (like the 'leftsubnet' entry above). It does NOT work in OPNsense due to the use of a mainline strongSwan, e.g. the NAT/BINAT parameters are ignored.
If that is the case. there should be a WARNING on the NAT/BINAT entry indicating it is still under development. Entering config parameters that are not used at all is misleading and can lead to many wasted hours.
«
Last Edit: January 03, 2017, 05:31:06 am by TechTrend
»
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
16.7 Legacy Series
»
NO_PROPOSAL_CHOSEN on IPSEC VPN