Good day Guys

I'm trying to connect to a pfSense device, but for the likes of me, I can't get strongSwan to connect.

What I get is:

09[IKE] received NO_PROPOSAL_CHOSEN error notify

According to pfSense's troubleshooting (https://doc.pfsense.org/index.php/IPsec_Troubleshooting), the issue is Encryption Algorithm Mismatch.

If someone could take a look at my setup it would be appreciated.

Here is the full debug.
http://pastebin.com/raw/Rd0ZSvNN

The vendor gave me the following information. (This is a copy and paste from an Excel spreadsheet. The first column is what my setting must be, and the second is what their settings are.)

Phase I Settings
"IPSec Phase 1 Settings MUST match on both sides"

Diffie-Hellman Group             2 (Mod1024)        2 (Mod1024)
Encryption Algorithm             3DES               3DES
Hash Algorithm                   SHA-1              SHA-1
NAT-T                            Disable            Disable
Lifetime (In Seconds)            86400              86400

Phase II Settings
"IPSec Phase 2 Settings MUST match on both sides"

Encapsulation                    ESP (encrypted)    ESP (encrypted)
Perfect Forward Secrecy (PFS)    NO PFS             NO PFS
Encryption Algorithm             3DES               3DES
Hash Algorithm                   SHA-1              SHA-1
Lifetime (In Seconds)            3                  3600
Lifetime (In Kbytes)             N/A                N/A

Here is some additional information.

root@removed ~ # ipsec up pfsense
initiating Main Mode IKE_SA pfsense[1] to remote_ip
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from my_ip[500] to remote_ip[500] (192 bytes)
received packet: from remote_ip[500] to my_ip[500] (56 bytes)
parsed INFORMATIONAL_V1 request 1194142694 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'pfsense' failed

-----------------------------------------------------------------------------

root@removed ~ # tcpdump -i eth0 -n -s 0 -vv \(port 500 or port 4500\) and host remote_ip
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:55:53.950366 IP (tos 0x0, ttl 64, id 20824, offset 0, flags [DF], proto UDP (17), length 220)
    my_ip.500 > remote_ip.500: [bad udp cksum 0x1b3d -> 0x2356!] isakmp 1.0 msgid 00000000 cookie 1f0003ab455e05b6->0000000000000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #0 protoid=isakmp transform=2
            (t: #1 id=ike (type=enc value=3des)(type=hash value=sha1)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180))
            (t: #2 id=ike (type=enc value=3des)(type=hash value=md5)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180))))
    (vid: len=8)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
15:55:54.140147 IP (tos 0x28, ttl 46, id 29153, offset 0, flags [none], proto UDP (17), length 84)
    remote_ip.500 > my_ip.500: [udp sum ok] isakmp 1.0 msgid 02e19b96 cookie 1f0003ab455e05b6->3f736b18c0f74262: phase 2/others R inf:
    (n: doi=ipsec proto=isakmp type=NO-PROPOSAL-CHOSEN spi=1f0003ab455e05b63f736b18c0f74262)

Thanks if you can help me.

Regards
Brent Clark
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
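An added example, not part of the original post: a Python check that parses the IKEv1 transforms out of the tcpdump -vv output quoted above and compares each one with the Phase I rows of the vendor sheet. The names REQUIRED_PHASE1, CAPTURE, parse_transforms, mismatches and report are made up for this example, and the attribute layout is assumed to be exactly as tcpdump printed it in the post.

```python
import re

# Phase I rows of the vendor sheet, keyed by tcpdump's attribute names.
# The auth method and NAT-T are not attributes checked here.
REQUIRED_PHASE1 = {
    "enc": "3des",
    "hash": "sha1",
    "group desc": "modp1024",
    "lifetype": "sec",
    "lifeduration": 86400,
}

# Proposal part of the first packet in the post's tcpdump output.
CAPTURE = (
    "(p: #0 protoid=isakmp transform=2 "
    "(t: #1 id=ike (type=enc value=3des)(type=hash value=sha1)"
    "(type=group desc value=modp1024)(type=auth value=preshared)"
    "(type=lifetype value=sec)(type=lifeduration len=4 value=00015180)) "
    "(t: #2 id=ike (type=enc value=3des)(type=hash value=md5)"
    "(type=group desc value=modp1024)(type=auth value=preshared)"
    "(type=lifetype value=sec)(type=lifeduration len=4 value=00015180))))"
)

# One "(t: #N id=ike (type=...)(type=...)...)" group per offered transform.
TRANSFORM = re.compile(r"\(t: #(\d+) id=ike ((?:\(type=[^)]*\))+)\)")
# One "(type=NAME [len=N] value=VALUE)" attribute inside a transform.
ATTRIBUTE = re.compile(r"\(type=([a-z ]+?)(?: len=\d+)? value=([^)]+)\)")


def parse_transforms(text):
    """Return {transform number: {attribute: value}} for each transform."""
    transforms = {}
    for number, body in TRANSFORM.findall(text):
        attrs = dict(ATTRIBUTE.findall(body))
        if "lifeduration" in attrs:
            # tcpdump prints the duration as hex bytes: 00015180 -> 86400
            attrs["lifeduration"] = int(attrs["lifeduration"], 16)
        transforms[int(number)] = attrs
    return transforms


def mismatches(attrs, required=REQUIRED_PHASE1):
    """Return {attribute: (offered, required)} for every differing value."""
    return {k: (attrs.get(k), v) for k, v in required.items()
            if attrs.get(k) != v}


def report(text):
    """Return the mismatches per transform number; {} means it agrees."""
    return {n: mismatches(a) for n, a in parse_transforms(text).items()}


if __name__ == "__main__":
    for number, diff in report(CAPTURE).items():
        print(f"transform #{number}:", diff or "matches the Phase I sheet")
```

On the capture in the post, transform #1 has no mismatches against the Phase I rows, and transform #2 differs only in the hash (md5 offered, SHA-1 on the sheet).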
