  • OPNsense Forum »
  • Archive »
  • 16.7 Legacy Series »
  • NO_PROPOSAL_CHOSEN on IPSEC VPN
Author Topic: NO_PROPOSAL_CHOSEN on IPSEC VPN  (Read 15597 times)

TechTrend
NO_PROPOSAL_CHOSEN on IPSEC VPN
« on: January 02, 2017, 03:48:40 am »
I am setting up an IPSEC VPN between a new OPNsense 16.7.12 VM and a Cisco ASA using a configuration similar to what I normally use with pfSense 2.3.2. Phase 1 appears to complete but phase 2 fails with NO_PROPOSAL_CHOSEN (log below). According to the pfSense docs, that implies an encryption or hash mismatch. The tunnel settings for phase 1 and phase 2 in the webConfigurator match what the other side expects. Are there any suggestions on how to troubleshoot the cause for this?

Thanks.
----------
Jan 1 21:22:43   charon: 06[IKE] received DELETE for IKE_SA con1[13]
Jan 1 21:22:43   charon: 06[ENC] parsed INFORMATIONAL_V1 request 2623450652 [ HASH D ]
Jan 1 21:22:43   charon: 06[NET] received packet: from d.d.d.d[500] to s.s.s.s[500] (92 bytes)
Jan 1 21:22:43   charon: 05[IKE] received NO_PROPOSAL_CHOSEN error notify
Jan 1 21:22:43   charon: 05[ENC] parsed INFORMATIONAL_V1 request 584985045 [ HASH N(NO_PROP) ]
Jan 1 21:22:43   charon: 05[NET] received packet: from d.d.d.d[500] to s.s.s.s[500] (92 bytes)
Jan 1 21:22:43   charon: 05[IKE] received (24576) notify
Jan 1 21:22:43   charon: 05[ENC] parsed INFORMATIONAL_V1 request 2773286589 [ HASH N((24576)) ]
Jan 1 21:22:43   charon: 05[NET] received packet: from d.d.d.d[500] to s.s.s.s[500] (92 bytes)
Jan 1 21:22:43   charon: 11[NET] sending packet: from s.s.s.s[500] to d.d.d.d[500] (172 bytes)
Jan 1 21:22:43   charon: 11[ENC] generating QUICK_MODE request 4227466899 [ HASH SA No ID ID ]
Jan 1 21:22:43   charon: 11[IKE] maximum IKE_SA lifetime 28685s
Jan 1 21:22:43   charon: 11[IKE] scheduling reauthentication in 28145s
« Last Edit: January 03, 2017, 04:14:32 am by TechTrend »
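One way to make the question in the post ("which phase failed?") mechanical. This is an added example, not part of the original post and not OPNsense or strongSwan code: it walks the charon lines in chronological order and pairs each received NO_PROPOSAL_CHOSEN with the exchange charon was generating just before it. QUICK_MODE means phase 1 completed and the peer rejected the phase 2 proposal, which covers not only the ESP transform but also the proxy IDs (traffic selectors, the crypto ACL on a Cisco ASA), which is what this thread turns out to hinge on. The first sample is the post's own log trimmed to the relevant lines (newest line first, as the log viewer shows it); the second sample, the `newest_first` parameter and the IKEv2 exchange names are my additions.

```python
import re
from typing import Dict, List, Optional

# Sample 1: the charon lines from the post, newest line first (log viewer order).
PHASE2_FAILURE = """\
Jan 1 21:22:43   charon: 06[IKE] received DELETE for IKE_SA con1[13]
Jan 1 21:22:43   charon: 06[ENC] parsed INFORMATIONAL_V1 request 2623450652 [ HASH D ]
Jan 1 21:22:43   charon: 05[IKE] received NO_PROPOSAL_CHOSEN error notify
Jan 1 21:22:43   charon: 05[ENC] parsed INFORMATIONAL_V1 request 584985045 [ HASH N(NO_PROP) ]
Jan 1 21:22:43   charon: 05[IKE] received (24576) notify
Jan 1 21:22:43   charon: 11[NET] sending packet: from s.s.s.s[500] to d.d.d.d[500] (172 bytes)
Jan 1 21:22:43   charon: 11[ENC] generating QUICK_MODE request 4227466899 [ HASH SA No ID ID ]
Jan 1 21:22:43   charon: 11[IKE] maximum IKE_SA lifetime 28685s
"""

# Sample 2 (constructed, not from the post): the same notify arriving while main
# mode is still running, i.e. a phase 1 failure; written oldest line first.
PHASE1_FAILURE = """\
Jan 1 21:20:01   charon: 08[ENC] generating ID_PROT request 0 [ SA V V V ]
Jan 1 21:20:01   charon: 08[NET] sending packet: from s.s.s.s[500] to d.d.d.d[500] (180 bytes)
Jan 1 21:20:01   charon: 09[NET] received packet: from d.d.d.d[500] to s.s.s.s[500] (56 bytes)
Jan 1 21:20:01   charon: 09[ENC] parsed INFORMATIONAL_V1 request 1122334455 [ N(NO_PROP) ]
Jan 1 21:20:01   charon: 09[IKE] received NO_PROPOSAL_CHOSEN error notify
"""

# charon exchange name -> which negotiation the rejected proposal belongs to
PHASE_OF_EXCHANGE = {
    "ID_PROT": 1, "AGGRESSIVE": 1,        # IKEv1 phase 1 (main / aggressive mode)
    "QUICK_MODE": 2,                       # IKEv1 phase 2 (ESP SA + proxy IDs)
    "IKE_SA_INIT": 1,                      # IKEv2 IKE_SA proposal
    "IKE_AUTH": 2, "CREATE_CHILD_SA": 2,   # IKEv2 CHILD_SA proposal + traffic selectors
}

HINTS = {
    1: "phase 1 mismatch: compare IKE encryption, hash, DH group, lifetime and auth method",
    2: "phase 2 mismatch: compare ESP encryption, hash, PFS group AND the traffic selectors "
       "(leftsubnet/rightsubnet vs the peer's proxy IDs / crypto ACL)",
}

EXCHANGE_RE = re.compile(r"\[ENC\] generating (\w+) (?:request|response)")
NO_PROP_RE = re.compile(r"\[IKE\] received NO_PROPOSAL_CHOSEN error notify")


def diagnose_no_proposal(log: str, newest_first: bool = True) -> List[Dict[str, object]]:
    """Return one finding per NO_PROPOSAL_CHOSEN, tagged with the exchange that
    was in flight when it arrived and therefore with the phase that failed."""
    lines = [ln for ln in log.splitlines() if ln.strip()]
    if newest_first:
        lines = lines[::-1]  # the parser wants chronological order
    findings: List[Dict[str, object]] = []
    last_exchange: Optional[str] = None
    for line in lines:
        m = EXCHANGE_RE.search(line)
        if m:
            last_exchange = m.group(1)
            continue
        if NO_PROP_RE.search(line):
            phase = PHASE_OF_EXCHANGE.get(last_exchange or "")
            findings.append({
                "exchange": last_exchange,
                "phase": phase,
                "hint": HINTS.get(phase, "NO_PROPOSAL_CHOSEN with no preceding exchange in this log window"),
            })
    return findings


if __name__ == "__main__":
    for name, sample, order in (("post", PHASE2_FAILURE, True), ("constructed", PHASE1_FAILURE, False)):
        for f in diagnose_no_proposal(sample, newest_first=order):
            print(f"{name}: {f['exchange']} -> phase {f['phase']}: {f['hint']}")
```

Run it against a copy of the IPsec log; if every finding says QUICK_MODE (or IKE_AUTH/CREATE_CHILD_SA for IKEv2), stop re-checking the phase 1 settings and compare the phase 2 transform and the traffic selectors on both ends.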

TechTrend
Re: NO_PROPOSAL_CHOSEN on IPSEC VPN
« Reply #1 on: January 03, 2017, 04:58:58 am »
OPNsense appears to either ignore or handle differently the NAT/BINAT option on IPSEC phase 2 entries. In pfSense a NAT/BINAT on a phase 2 entry generates a line in ipsec.conf with
Code:
leftsubnet = n.n.n.n|l.l.l.l
where n.n.n.n is the NAT translation address and l.l.l.l is the local address. In OPNsense the same config generates just a
Code:
leftsubnet = l.l.l.l
The NAT translation address is not listed anywhere in ipsec.conf. I tried all NAT/BINAT type options (Auto, NAT, BINAT) but none seem to generate the correct 'leftsubnet' for strongSwan in ipsec.conf. Manually editing 'leftsubnet' in ipsec.conf makes the tunnel work properly. My phase 2 NAT configurations use a single address (/32) to a single address (/32).

This behavior appears in OPNsense 16.7.12 and 17.1.b_60. Is there a way to enter NAT/BINAT in OPNsense such that it generates the proper 'leftsubnet'?
« Last Edit: January 03, 2017, 05:11:36 am by TechTrend »
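To show the difference the reply describes in runnable form, an added example that is not OPNsense, pfSense or strongSwan code: a small parser for the conn sections of an ipsec.conf that pulls the traffic selector out of `leftsubnet`, understands the `nat|local` form the reply says pfSense's patched strongSwan accepts (the part before `|` is what goes into the phase 2 ID payload, the part after it is the real local host), and compares it with the proxy ID the peer expects. That comparison is exactly why the post's tunnel came up only after editing `leftsubnet` by hand: the ASA expected the translated address and OPNsense proposed the untranslated one. The two conn fragments, the addresses (RFC 5737 documentation ranges) and the peer's expected value are constructed; the script only models the selector mismatch, not a transform mismatch, and `with_binat` just emits the pfSense-style line, which mainline strongSwan will not necessarily accept.

```python
import ipaddress
from typing import Dict, List, Tuple

Conn = Dict[str, str]

# Constructed fragments in the two shapes the reply describes.
PFSENSE_STYLE = """\
conn con1
    keyexchange = ikev1
    left = s.s.s.s
    right = d.d.d.d
    leftsubnet = 203.0.113.10/32|10.10.10.10/32
    rightsubnet = 198.51.100.20/32
"""

OPNSENSE_STYLE = """\
conn con1
    keyexchange = ikev1
    left = s.s.s.s
    right = d.d.d.d
    leftsubnet = 10.10.10.10/32
    rightsubnet = 198.51.100.20/32
"""


def parse_ipsec_conf(text: str) -> Dict[str, Conn]:
    """Minimal parser: 'conn NAME' headers at column 0, 'key = value' lines indented."""
    conns: Dict[str, Conn] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():               # section header
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
            continue
        if current is None:                     # inside 'config setup' etc.
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return conns


def _net(s: str) -> str:
    """Normalise '10.0.0.1' and '10.0.0.1/32' to the same string."""
    return str(ipaddress.ip_network(s.strip(), strict=False))


def traffic_selectors(conn: Conn, side: str = "left") -> List[Tuple[str, str]]:
    """(advertised, real_local) per leftsubnet/rightsubnet entry. Without '|' both are equal."""
    pairs: List[Tuple[str, str]] = []
    for entry in conn.get(f"{side}subnet", "").split(","):
        if not entry.strip():
            continue
        adv, _, real = entry.partition("|")
        pairs.append((_net(adv), _net(real or adv)))
    return pairs


def check_against_peer(conn: Conn, peer_expects_our_side: str) -> List[str]:
    """Compare the selector we would put in the quick mode ID payload with the peer's proxy ID."""
    expected = _net(peer_expects_our_side)
    problems: List[str] = []
    for adv, real in traffic_selectors(conn):
        if adv != expected:
            msg = f"we propose {adv} but peer expects {expected}"
            if real == adv:
                msg += f" (no NAT in leftsubnet; local host {real} is sent untranslated)"
            problems.append(msg)
    return problems


def with_binat(conn: Conn, nat_address: str) -> Conn:
    """Copy of conn with the pfSense-style 'nat|local' leftsubnet the reply edited in by hand."""
    fixed = dict(conn)
    fixed["leftsubnet"] = ",".join(f"{_net(nat_address)}|{real}" for _, real in traffic_selectors(conn))
    return fixed


if __name__ == "__main__":
    peer_proxy_id = "203.0.113.10/32"          # constructed: what the ASA's crypto ACL names for our side
    for label, text in (("pfSense style", PFSENSE_STYLE), ("OPNsense style", OPNSENSE_STYLE)):
        conn = parse_ipsec_conf(text)["con1"]
        print(label, check_against_peer(conn, peer_proxy_id) or "selector matches peer")
    fixed = with_binat(parse_ipsec_conf(OPNSENSE_STYLE)["con1"], peer_proxy_id)
    print("hand-edited leftsubnet:", fixed["leftsubnet"])
```

Feeding it the generated ipsec.conf together with the peer's proxy ID makes the mismatch visible before the tunnel is even started, which is the check the GUI did not give the poster.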

TechTrend
Re: NO_PROPOSAL_CHOSEN on IPSEC VPN
« Reply #2 on: January 03, 2017, 05:26:10 am »
This issue appears related to the one discussed in NAT before IPSec question and NAT before IPsec is not functional. If I understand it correctly, NAT/BINAT for IPSEC works in pfSense because they use a custom build of strongSwan and proprietary syntax in ipsec.conf (like the 'leftsubnet' entry above). It does NOT work in OPNsense due to the use of a mainline strongSwan, i.e. the NAT/BINAT parameters are ignored.

If that is the case, there should be a WARNING on the NAT/BINAT entry indicating it is still under development. Entering config parameters that are not used at all is misleading and can lead to many wasted hours.
« Last Edit: January 03, 2017, 05:31:06 am by TechTrend »
