[strongSwan] Trying to connect to PFsense appliance but getting received NO_PROPOSAL_CHOSEN error notify

Brent Clark brentgclarklist at gmail.com
Tue May 31 09:19:43 CEST 2016

Good day Guys

I'm trying to connect to a pfSense device, but for the life of me, I can't
get strongSwan to connect.

What I get is: 09[IKE] received NO_PROPOSAL_CHOSEN error notify

According to pfSense's troubleshooting (
https://doc.pfsense.org/index.php/IPsec_Troubleshooting), the issue is
Encryption Algorithm Mismatch.

If someone could take a look at my setup it would be appreciated.

Here is the full debug.

The vendor gave me the following information. (This is a copy and paste
from an Excel spreadsheet. The first column is what my setting must be, and
the second is what their settings are.)

Setting                          My setting        Their setting

Phase I Settings   "IPSec Phase 1 Settings MUST match on both sides"
Diffie-Helman Group              2 (Mod1024)       2 (Mod1024)
Encryption Algorithm             3DES              3DES
Hash Algorithm                   SHA-1             SHA-1
NAT-T                            Disable           Disable
Lifetime (In Seconds)            86400             86400

Phase II Settings  "IPSec Phase 2 Settings.MUST match on both sides"
Encapsulation                    ESP (encrypted)   ESP (encrypted)
Perfect Forward Secrecy (PFS)    NO PFS            NO PFS
Encryption Algorithm             3DES              3DES
Hash Algorithm                   SHA-1             SHA-1
Lifetime (In Seconds)            3                 3600
Lifetime (In Kbytes)             N/A               N/A

Here is some additional information.

root@removed ~ # ipsec up pfsense
initiating Main Mode IKE_SA pfsense[1] to remote_ip
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from my_ip[500] to remote_ip[500] (192 bytes)
received packet: from remote_ip[500] to my_ip[500] (56 bytes)
parsed INFORMATIONAL_V1 request 1194142694 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'pfsense' failed


root@removed ~ # tcpdump -i eth0 -n -s 0 -vv \(port 500 or port 4500\) and  host remote_ip
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:55:53.950366 IP (tos 0x0, ttl 64, id 20824, offset 0, flags [DF], proto UDP (17), length 220)
    my_ip.500 > remote_ip.500: [bad udp cksum 0x1b3d -> 0x2356!] isakmp 1.0 msgid 00000000 cookie 1f0003ab455e05b6->0000000000000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #0 protoid=isakmp transform=2
            (t: #1 id=ike (type=enc value=3des)(type=hash value=sha1)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration len=4
            (t: #2 id=ike (type=enc value=3des)(type=hash value=md5)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration len=4
    (vid: len=8)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
15:55:54.140147 IP (tos 0x28, ttl 46, id 29153, offset 0, flags [none], proto UDP (17), length 84)
    remote_ip.500 > my_ip.500: [udp sum ok] isakmp 1.0 msgid 02e19b96 cookie 1f0003ab455e05b6->3f736b18c0f74262: phase 2/others R inf:
    (n: doi=ipsec proto=isakmp type=NO-PROPOSAL-CHOSEN

Thanks if you can help me.

Brent Clark
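
Added example, not part of the original post and not strongSwan or pfSense code: a Python sketch that parses the ISAKMP transforms tcpdump printed for the initiator's packet above and compares each one with the Phase I values in the vendor table. The names REQUIRED, CAPTURE, parse_transforms, mismatches and report are assumptions of this example; the lifetime is not compared because the capture prints lifeduration only as len=4, without a value.

```python
import re

# Phase I values from the vendor table in the post, using tcpdump's attribute names.
REQUIRED = {"enc": "3des", "hash": "sha1", "group desc": "modp1024"}

# Constructed sample: the proposal lines from the capture in the post,
# with the mail client's line wraps rejoined.
CAPTURE = """\
(p: #0 protoid=isakmp transform=2
(t: #1 id=ike (type=enc value=3des)(type=hash value=sha1)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration len=4
(t: #2 id=ike (type=enc value=3des)(type=hash value=md5)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration len=4
"""

TRANSFORM = re.compile(r"\(t: #(\d+) id=ike (.*)")
# Matches "(type=NAME value=VALUE)"; attributes printed without a value
# (such as "type=lifeduration len=4") are skipped.
ATTR = re.compile(r"\(type=([^=]+?) value=([^)]+)\)")


def parse_transforms(text):
    """Return {transform number: {attribute: value}} for each IKE transform line."""
    out = {}
    for line in text.splitlines():
        m = TRANSFORM.search(line)
        if m:
            out[int(m.group(1))] = dict(ATTR.findall(m.group(2)))
    return out


def mismatches(offered, required=REQUIRED):
    """Return {attribute: (offered, required)} for every attribute that differs."""
    return {k: (offered.get(k), v)
            for k, v in required.items() if offered.get(k) != v}


def report(text):
    """Compare every offered transform with the required Phase I values."""
    return {num: mismatches(attrs)
            for num, attrs in parse_transforms(text).items()}


if __name__ == "__main__":
    for num, diff in report(CAPTURE).items():
        print(f"transform #{num}:", diff if diff else "matches the Phase I table")
```

An empty result for a transform means its encryption, hash and DH group agree with the table; it says nothing about lifetime, exchange mode or Phase II settings, which this capture does not show.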
