On Fri, Feb 18, 2022 at 15:06 Stuart Henderson wrote...
> On Fri, Feb 18, 2022 at 11:43 AM I wrote:
>> ike passive esp transport proto udp from $public_ip to any \
>>   main auth "hmac-sha2-256" enc "aes-256" group "modp2048" \
>>   quick auth "hmac-sha2-256" enc "aes-256" group "modp2048" \
>>   psk "THIS_IS_MY_IPSEC_PASSPHRASE"
>>
>> ike passive esp transport proto udp from $public_ip to any \
>>   main auth "hmac-md5" enc "3des" group "modp1024" \
>>   quick auth "hmac-md5" enc "3des" group "modp1024" \
>>   psk "THIS_IS_MY_IPSEC_PASSPHRASE"

> With isakmpd and ipsec.conf you can't have two proposals for the default
> ("to any") peer with different PFS groups, you will have to choose one
> or the other. As-is the second will overwrite the first config block.
> (Use ipsecctl -v to see the commands sent by ipsecctl to isakmpd;
> it generates what are basically isakmpd.conf style config blocks and
> sends them over the control socket).

It still fails even with one block, but this is good to know. Thanks.

> You will save yourself a lot of trouble if you can move the newer machines
> to IKEv2 .. (It would not be possible to run both isakmpd and iked on a
> single OpenBSD machine though). Or alternatively wireguard or openvpn
> (which _can_ coexist with IKEv1) though IKEv2 generally has a simpler
> client config.

I'm not opposed to this and I've tried, but even now it still gives me
proposal errors from both iOS and macOS:

Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #4 ENCR=AES_CBC-128
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #4 PRF=HMAC_SHA1
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #4 INTEGR=HMAC_SHA1_96
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #4 DH=MODP_1024
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #5 ENCR=3DES
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #5 PRF=HMAC_SHA1
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #5 INTEGR=HMAC_SHA1_96
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #5 DH=MODP_1024
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_add_error: NO_PROPOSAL_CHOSEN
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: send IKE_SA_INIT res 0 peer 100.64.10.10:57904 local 203.0.113.1:500, 36 bytes

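The iked log above is the usual place to diagnose a NO_PROPOSAL_CHOSEN: the peer lists its IKE_SA_INIT proposals transform by transform (ENCR, PRF, INTEGR, DH), and the responder rejects the exchange when none of them is fully covered by the local ikesa policy. The script below is an added example written for this thread, not code from the mailing list or from OpenBSD. It parses ikev2_log_proposal lines into per-SA proposals, checks each proposal against a hypothetical local policy, and names the transform that caused the rejection. The log lines are constructed to match the shape of the ones quoted above, and STRICT_POLICY is an assumed policy standing in for a real iked.conf, expressed in the transform names iked prints rather than iked.conf keywords.

```python
import re

# Constructed sample, shaped like the iked(8) lines quoted in the thread:
# two IKE_SA_INIT proposals from the peer, then the NO_PROPOSAL_CHOSEN notify.
SAMPLE_LOG = """\
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #4 ENCR=AES_CBC-128
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #4 PRF=HMAC_SHA1
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #4 INTEGR=HMAC_SHA1_96
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #4 DH=MODP_1024
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #5 ENCR=3DES
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #5 PRF=HMAC_SHA1
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #5 INTEGR=HMAC_SHA1_96
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #5 DH=MODP_1024
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_add_error: NO_PROPOSAL_CHOSEN
"""

# "\s*" after the spi colon tolerates lines that were wrapped by a mail client.
PROPOSAL_RE = re.compile(
    r"spi=(?P<spi>0x[0-9a-fA-F]+):\s*ikev2_log_proposal: (?P<proto>\w+) #(?P<num>\d+) "
    r"(?P<ttype>ENCR|PRF|INTEGR|DH|ESN)=(?P<value>\S+)"
)
ERROR_RE = re.compile(r"spi=(?P<spi>0x[0-9a-fA-F]+):\s*ikev2_add_error: (?P<err>\w+)")


def parse_iked_log(text):
    """Group logged transforms per SA (spi) and per proposal; collect notify errors.

    Returns (proposals, errors) where
      proposals = {spi: {(proto, num): {ttype: value}}}
      errors    = {spi: [error_name, ...]}
    """
    proposals, errors = {}, {}
    for line in text.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            sa = proposals.setdefault(m["spi"], {})
            key = (m["proto"], int(m["num"]))
            sa.setdefault(key, {})[m["ttype"]] = m["value"]
            continue
        m = ERROR_RE.search(line)
        if m:
            errors.setdefault(m["spi"], []).append(m["err"])
    return proposals, errors


# Hypothetical local ikesa policy (an assumption for this example, not the
# poster's iked.conf), written with the transform names iked logs.
STRICT_POLICY = {
    "ENCR": {"AES_CBC-256", "AES_GCM-16-256"},
    "PRF": {"HMAC_SHA2_256"},
    "INTEGR": {"HMAC_SHA2_256_128"},
    "DH": {"MODP_2048", "ECP_256"},
}


def mismatches(transforms, policy):
    """Transform types in one peer proposal that the local policy does not allow.

    Only types the peer actually offered are checked, so an AEAD proposal
    without INTEGR is not penalised for omitting it.
    """
    return [t for t, v in transforms.items() if v not in policy.get(t, set())]


def select_proposal(sa_proposals, policy):
    """First peer proposal, in offered order, fully covered by the policy; else None."""
    for key, transforms in sa_proposals.items():
        if not mismatches(transforms, policy):
            return key
    return None


def explain(proposals, errors, policy):
    """Per-SA verdict as a list of lines: what was chosen, or why each proposal failed."""
    out = []
    for spi, sa in proposals.items():
        chosen = select_proposal(sa, policy)
        if chosen:
            out.append(f"{spi}: proposal {chosen[0]} #{chosen[1]} acceptable")
            continue
        logged = ", ".join(errors.get(spi, [])) or "none"
        out.append(f"{spi}: no acceptable proposal (logged: {logged})")
        for key, transforms in sa.items():
            bad = ", ".join(f"{t}={transforms[t]}" for t in mismatches(transforms, policy))
            out.append(f"  {key[0]} #{key[1]} rejected on {bad}")
    return out


if __name__ == "__main__":
    props, errs = parse_iked_log(SAMPLE_LOG)
    print("\n".join(explain(props, errs, STRICT_POLICY)))
```

Run against the sample, every transform of both proposals falls outside STRICT_POLICY, which is exactly the situation that produces NO_PROPOSAL_CHOSEN; swapping in a policy that lists AES_CBC-128, HMAC_SHA1, HMAC_SHA1_96 and MODP_1024 makes proposal #4 acceptable. The useful check in practice is the reverse one: take the transforms the client logged and add only the strongest of them to the ikesa line, rather than widening the policy to everything the client offers.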