ikev1 NO-PROPOSAL-CHOSEN

Started by m256, December 01, 2024, 02:48:07 PM

Hi,
can't get past IPsec phase 1, getting NO-PROPOSAL-CHOSEN although everything matches, checked a hundred times. Wiresharked tcpdumps etc.
What happens: in IKEv1, the ZyWALL proposes AES256-SHA512-DH14, NAT traversal, DPD etc.
OPNsense immediately replies with NO-PROPOSAL-CHOSEN.
I have played with multiple ciphers / a single different cipher etc.
Both are behind NAT, but OPNsense has the udp/500, udp/4500 ports from the public IP.
What am I doing wrong?


December 01, 2024, 02:53:17 PM #1 Last Edit: December 01, 2024, 02:56:15 PM by Monviech (Cedrik)
Try setting local and remote ID to distinguished name.
Leave proposals on default and see if anything matched.
Hardware:
DEC740

Tried rebooting, creating new setups on both sides, switched from IKEv1 to IKEv2, used domains and email addresses for IDs, nothing helped.

There's small progress though, seems like now they are able to agree on a P1 proposal, but stuck in ikev2_init[I] and ikev2_init[R].

Geez, thinking about it, I was about to migrate 20 tunnels from another (commercial) strongSwan vendor to OPNsense and spent the whole weekend with the first one lol.

December 01, 2024, 05:25:44 PM #3 Last Edit: December 01, 2024, 05:28:11 PM by Monviech (Cedrik)
You wrote IKEv1 in your initial post but now it's IKEv2?

I created countless tunnels to many vendors, it's sometimes a little thing that makes it fail.

Try using Connections if you use Legacy, as the options there align better with strongSwan.

EDIT: Oh, you wrote you changed to IKEv2, sorry, overread that.

Can't you look at the logs on the other side? Sometimes it's both sides' logs you need to make sense of it.
Hardware:
DEC740

Somehow, I managed to get the tunnel connected. Well, I can't ping the firewalls from either site, but that should be easier to handle. :)
I don't know what was wrong—I was experimenting so much with it—but I suspect something in the Zyxel. Also, I switched to configuring OPNsense using the legacy connection—only regret I didn't find that sooner, it's so much more convenient than Connections. Hopefully, they don't remove it in a future version.

If it worked with Legacy, download the swanctl file (VPN - IPsec - Advanced Settings) and compare it to what you did in Connections.

It's the same file that both implementations populate with the same options.
Hardware:
DEC740
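The advice above to compare the swanctl file is the fastest way to find a NO-PROPOSAL-CHOSEN cause: the responder sends that notify when none of its configured proposals shares an algorithm in every component (encryption, integrity, PRF, DH group) with what the initiator offered. The script below is an added example, not code from the thread or from OPNsense/strongSwan; it pulls the `proposals = ...` lines out of a constructed swanctl.conf excerpt, parses strongSwan-style proposal strings, maps a few vendor-GUI group names like `DH14` onto strongSwan names (that alias table is my assumption, extend it for your peer), and reports per component why a pair does not match. It generalises slightly beyond the thread's IKEv1 case by also handling AEAD proposals that carry no integrity algorithm.

```python
"""Explain NO-PROPOSAL-CHOSEN: compare strongSwan proposal strings component by component.

Added example; the swanctl excerpt and peer proposal below are constructed, not taken
from the thread. Algorithm classification is by name prefix (an assumption that covers
the common strongSwan names; unknown tokens raise so nothing is silently ignored).
"""
import re

DH_PREFIXES = ("modp", "ecp", "curve25519", "x25519", "curve448", "x448")
PRF_PREFIXES = ("prfsha", "prfmd5", "prfaes")
INTEG_PREFIXES = ("sha", "md5", "aesxcbc", "aescmac")   # checked before "aes*" encryption
ENC_PREFIXES = ("aes", "3des", "camellia", "chacha20poly1305", "null")

# Vendor GUIs (the ZyWALL says "DH14") name groups differently from strongSwan.
# Assumed mapping for the usual IANA group numbers.
DH_ALIASES = {"dh2": "modp1024", "dh5": "modp1536", "dh14": "modp2048", "dh15": "modp3072",
              "dh16": "modp4096", "dh19": "ecp256", "dh20": "ecp384", "dh21": "ecp521"}

COMPONENTS = ("enc", "integ", "prf", "dh")


def classify(token):
    """Return (component, canonical name) for one algorithm token."""
    t = DH_ALIASES.get(token.lower(), token.lower())
    if t.startswith(DH_PREFIXES):
        return "dh", t
    if t.startswith(PRF_PREFIXES):
        return "prf", t
    if t.startswith(INTEG_PREFIXES):
        return "integ", t
    if t.startswith(ENC_PREFIXES):
        return "enc", t
    raise ValueError(f"unknown algorithm token: {token}")


def parse_proposals(spec):
    """Parse 'aes256-sha512-modp2048,aes128-sha1-modp1024!' into a list of proposals.

    Each proposal is a dict component -> set of algorithms; algorithms within one
    proposal are alternatives the peer may pick from. A trailing '!' (strict) is dropped.
    """
    proposals = []
    for chunk in spec.rstrip("!").split(","):
        prop = {c: set() for c in COMPONENTS}
        for token in filter(None, chunk.strip().split("-")):
            kind, name = classify(token)
            prop[kind].add(name)
        proposals.append(prop)
    return proposals


def extract_proposals(swanctl_text):
    """Collect every 'proposals = ...' value from a swanctl.conf excerpt."""
    return re.findall(r"^\s*proposals\s*=\s*(\S+)", swanctl_text, re.MULTILINE)


def diagnose(local_spec, remote_spec):
    """Return (matches, reasons).

    A pair matches when every component has a common algorithm, or is empty on both
    sides (AEAD ciphers carry no separate integrity algorithm, so an empty 'integ'
    on both sides is fine). 'reasons' lists the missing components per failing pair.
    """
    matches, reasons = [], []
    for li, local in enumerate(parse_proposals(local_spec)):
        for ri, remote in enumerate(parse_proposals(remote_spec)):
            common, missing = {}, []
            for comp in COMPONENTS:
                both = local[comp] & remote[comp]
                if both or (not local[comp] and not remote[comp]):
                    common[comp] = both
                else:
                    missing.append(comp)
            if missing:
                reasons.append(f"local #{li} vs remote #{ri}: no common {', '.join(missing)}")
            else:
                matches.append(common)
    return matches, reasons


# Constructed excerpt standing in for the downloaded swanctl file.
SWANCTL_EXCERPT = """
connections {
    zyxel-site {
        proposals = aes256-sha256-modp2048,aes128-sha1-modp1024
        version = 1
    }
}
"""
PEER_PROPOSAL = "AES256-SHA512-DH14"   # what the ZyWALL GUI shows it offers

if __name__ == "__main__":
    for spec in extract_proposals(SWANCTL_EXCERPT):
        matched, why = diagnose(spec, PEER_PROPOSAL)
        print("matched:", matched or "none -> responder would send NO-PROPOSAL-CHOSEN")
        for line in why:
            print("  ", line)
```

Run against the constructed excerpt it reports no match and points at the integrity algorithm (sha256 vs sha512) for the first proposal; changing the swanctl line to `proposals = aes256-sha512-modp2048` makes the pair match. The same check works for the ESP `esp_proposals` lines if you adjust the regex, and it is worth running in both directions, since each side is the responder for the other's initiation.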

December 01, 2024, 08:31:59 PM #6 Last Edit: December 01, 2024, 08:56:28 PM by m256
Thanks, good to know. Legacy settings are what I am more used to working with.
Now, I have only one last issue with the tunnel - I can ping, HTTP etc. from the LAN at the Zyxel side to any device on the remote side of the tunnel, but not in the opposite direction. I've checked firewall rules, IPsec P2 networks, routing... what else could be wrong?

EDIT: it was because of asymmetric routing. All OK now. Thanks again.