OPNSense Business 25.4.2 - IPSec Connection - Pools - NO_PROPOSAL_CHOSEN

Started by Daniel.Hauptmann, August 27, 2025, 01:47:44 PM

Hello dear OPNSense community,

We run an OPNSense Business Edition 25.4.2 at a customer site.

Two IPSec gateway-to-gateway tunnels are running successfully on this appliance.

1x via Connections (IKEv2, PSK)
1x via Tunnel Settings (IKEv1, PSK) (Legacy Mode)

When we now try to create a "RoadWarrior IPSec IKEv2" VPN connection with an "IP pool" via Connections, save it and restart IPSec, the existing IPSec gateway-to-gateway tunnels no longer come up.

The log shows the following:

2025-08-26T16:42:26   Informational   charon    04[CHD2] <a7e47a39-3dc7-4633-a0df-5a077560e177|1>   SPI 0x547933b8, src A.A.A.A dst B.B.B.B
2025-08-26T16:42:26   Informational   charon    04[CHD2] <a7e47a39-3dc7-4633-a0df-5a077560e177|1> adding outbound ESP SA
2025-08-26T16:42:26   Informational   charon    04[CHD2] <a7e47a39-3dc7-4633-a0df-5a077560e177|1>   SPI 0xc4bde0c4, src B.B.B.B dst A.A.A.A
2025-08-26T16:42:26   Informational   charon    04[CHD2] <a7e47a39-3dc7-4633-a0df-5a077560e177|1> adding inbound ESP SA
2025-08-26T16:42:26   Informational   charon    04[CHD2] <a7e47a39-3dc7-4633-a0df-5a077560e177|1>   using HMAC_SHA2_256_128 for integrity
2025-08-26T16:42:26   Informational   charon    04[CHD2] <a7e47a39-3dc7-4633-a0df-5a077560e177|1>   using AES_CBC for encryption
2025-08-26T16:42:26   Informational   charon    04[CHD2] <a7e47a39-3dc7-4633-a0df-5a077560e177|1> CHILD_SA 373a819e-e792-4165-aa53-6c088d33a0e2{52} state change: CREATED => INSTALLING
2025-08-26T16:42:26   Informational   charon    04[CFG1] <a7e47a39-3dc7-4633-a0df-5a077560e177|1> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_521/NO_EXT_SEQ
2025-08-26T16:42:26   Informational   charon    04[ENC1] <a7e47a39-3dc7-4633-a0df-5a077560e177|1> parsed CREATE_CHILD_SA request 1 [ SA No KE TSi TSr ]
2025-08-26T16:42:26   Informational   charon    04[NET1] <a7e47a39-3dc7-4633-a0df-5a077560e177|1> received packet: from B.B.B.B[4500] to A.A.A.A[4500] (352 bytes)
2025-08-26T16:42:26   Informational   charon    04[MGR2] IKE_SA a7e47a39-3dc7-4633-a0df-5a077560e177[1] successfully checked out
2025-08-26T16:42:26   Informational   charon    04[MGR2] checkout IKEv2 SA by message with SPIs 48175254c8ac6ba9_i c7c73fa06180a77c_r
2025-08-26T16:42:26   Informational   charon    02[NET2] waiting for data on sockets
2025-08-26T16:42:26   Informational   charon    02[NET2] received packet: from B.B.B.B[4500] to A.A.A.A[4500]
2025-08-26T16:42:25   Informational   charon    04[MGR2] <a7e47a39-3dc7-4633-a0df-5a077560e177|1> checkin of IKE_SA successful
2025-08-26T16:42:25   Informational   charon    04[MGR2] <a7e47a39-3dc7-4633-a0df-5a077560e177|1> checkin IKEv2 SA a7e47a39-3dc7-4633-a0df-5a077560e177[1] with SPIs 48175254c8ac6ba9_i c7c73fa06180a77c_r
2025-08-26T16:42:25   Informational   charon    04[MGR2] IKE_SA a7e47a39-3dc7-4633-a0df-5a077560e177[1] successfully checked out
2025-08-26T16:42:25   Informational   charon    04[MGR2] checkout IKEv2 SA with SPIs 48175254c8ac6ba9_i c7c73fa06180a77c_r
2025-08-26T16:42:24   Informational   charon    04[MGR2] checkin and destroy of IKE_SA successful
2025-08-26T16:42:24   Informational   charon    03[NET2] sending packet: from C.C.C.C[500] to D.D.D.D[500]
2025-08-26T16:42:24   Informational   charon    04[IKE2] <7> IKE_SA (unnamed)[7] state change: CREATED => DESTROYING
2025-08-26T16:42:24   Informational   charon    04[MGR2] <7> checkin and destroy IKE_SA (unnamed)[7]
2025-08-26T16:42:24   Informational   charon    04[NET1] <7> sending packet: from C.C.C.C[500] to D.D.D.D[500] (40 bytes)
2025-08-26T16:42:24   Informational   charon    04[ENC1] <7> generating INFORMATIONAL_V1 request 3652144891 [ N(NO_PROP) ]
2025-08-26T16:42:24   Informational   charon    04[IKE1] <7> no IKE config found for C.C.C.C...D.D.D.D, sending NO_PROPOSAL_CHOSEN
2025-08-26T16:42:24   Informational   charon    04[ENC1] <7> parsed ID_PROT request 0 [ SA V V V V V V V V V V ]
2025-08-26T16:42:24   Informational   charon    04[NET1] <7> received packet: from D.D.D.D[500] to C.C.C.C[500] (288 bytes)
2025-08-26T16:42:24   Informational   charon    04[MGR2] created IKE_SA (unnamed)[7]
2025-08-26T16:42:24   Informational   charon    04[MGR2] checkout IKEv1 SA by message with SPIs af657f6807242246_i 0000000000000000_r
2025-08-26T16:42:24   Informational   charon    02[NET2] waiting for data on sockets
2025-08-26T16:42:24   Informational   charon    02[NET2] received packet: from D.D.D.D[500] to C.C.C.C[500]
2025-08-26T16:42:24   Informational   charon    03[NET2] sending packet: from A.A.A.A[4500] to B.B.B.B[4500]
2025-08-26T16:42:24   Informational   charon    10[MGR2] <a7e47a39-3dc7-4633-a0df-5a077560e177|1> checkin of IKE_SA successful
2025-08-26T16:42:24   Informational   charon    10[MGR2] <a7e47a39-3dc7-4633-a0df-5a077560e177|1> checkin IKEv2 SA a7e47a39-3dc7-4633-a0df-5a077560e177[1] with SPIs 48175254c8ac6ba9_i c7c73fa06180a77c_r
2025-08-26T16:42:24   Informational   charon    10[NET1] <a7e47a39-3dc7-4633-a0df-5a077560e177|1> sending packet: from A.A.A.A[4500] to B.B.B.B[4500] (352 bytes)
2025-08-26T16:42:24   Informational   charon    10[ENC1] <a7e47a39-3dc7-4633-a0df-5a077560e177|1> generating CREATE_CHILD_SA response 0 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]

As soon as I disable the "Pool" under "VPN -> IPSec -> Connections -> Pools", both GW-to-GW tunnels come up again...

Would anyone know an approach to how I could solve "no IKE config found for A.A.A.A...B.B.B.B, sending NO_PROPOSAL_CHOSEN"?

Thank you for your feedback.
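An added example, not part of the post and not OPNsense or strongSwan code: a small Python parser for the charon log format quoted above that reports every IKE_SA charon refused with NO_PROPOSAL_CHOSEN because no connection matched its peer address pair, with the IKE version inferred from the exchange type, so the refused legacy IKEv1 peer can be picked out of a busy log after an IPsec restart. The embedded log lines are a constructed subset of the post's output.

```python
import re
from collections import defaultdict

# Constructed subset of the charon log quoted in the post (newest line first, as OPNsense
# shows it; peer addresses anonymised the same way the poster did).
LOG = """\
2025-08-26T16:42:26   Informational   charon    04[ENC1] <a7e47a39-3dc7-4633-a0df-5a077560e177|1> parsed CREATE_CHILD_SA request 1 [ SA No KE TSi TSr ]
2025-08-26T16:42:24   Informational   charon    04[IKE1] <7> no IKE config found for C.C.C.C...D.D.D.D, sending NO_PROPOSAL_CHOSEN
2025-08-26T16:42:24   Informational   charon    04[ENC1] <7> parsed ID_PROT request 0 [ SA V V V V V V V V V V ]
2025-08-26T16:42:24   Informational   charon    04[MGR2] checkout IKEv1 SA by message with SPIs af657f6807242246_i 0000000000000000_r
"""

# One charon line: timestamp, level, "charon", thread[subsystem], optional <IKE_SA tag>, message.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+\S+\s+charon\s+\d+\[[A-Z]+\d\]\s+"
                     r"(?:<(?P<sa>[^>]+)>\s+)?(?P<msg>.*)$")
NO_CFG_RE = re.compile(r"no IKE config found for (?P<local>\S+)\.\.\.(?P<remote>\S+), "
                       r"sending NO_PROPOSAL_CHOSEN")

def parse(log):
    """Parsed fields of every charon line; lines in another format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]

def ike_version(events):
    """Infer an SA's IKE version from the exchange types charon parsed for it."""
    exchanges = {e["msg"].split()[1] for e in events if e["msg"].startswith("parsed ")}
    if exchanges & {"ID_PROT", "AGGRESSIVE"}:
        return "IKEv1"
    if exchanges & {"IKE_SA_INIT", "IKE_AUTH", "CREATE_CHILD_SA"}:
        return "IKEv2"
    return "unknown"

def find_no_config(log):
    """Every IKE_SA that charon answered with NO_PROPOSAL_CHOSEN because no
    connection configuration matched its local...remote address pair."""
    by_sa = defaultdict(list)
    for ev in parse(log):
        by_sa[ev["sa"]].append(ev)
    findings = []
    for sa, events in by_sa.items():
        for ev in events:
            m = NO_CFG_RE.search(ev["msg"])
            if m:
                findings.append({"sa": sa, "time": ev["ts"], "local": m["local"],
                                 "remote": m["remote"], "version": ike_version(events)})
    return findings

if __name__ == "__main__":
    for f in find_no_config(LOG):
        print(f"{f['time']} {f['version']} peer {f['remote']} -> {f['local']}: "
              f"no matching connection, NO_PROPOSAL_CHOSEN sent (IKE_SA {f['sa']})")
```

Run it against the full charon log exported from the appliance: a hit with version IKEv1 and the legacy tunnel's addresses confirms that the refusal concerns the legacy Tunnel Settings peer and not the new Connections entry.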