[strongSwan] Trying to connect to PFsense appliance but getting received NO_PROPOSAL_CHOSEN error notify

Brent Clark brentgclarklist at gmail.com
Tue May 31 09:19:43 CEST 2016


Good day Guys

I'm trying to connect to a pfSense device, but for the life of me, I can't
get strongSwan to connect.

What I get is: 09[IKE] received NO_PROPOSAL_CHOSEN error notify

According to pfSense's troubleshooting guide (
https://doc.pfsense.org/index.php/IPsec_Troubleshooting), the issue is an
Encryption Algorithm Mismatch.

If someone could take a look at my setup it would be appreciated.

Here is the full debug.
http://pastebin.com/raw/Rd0ZSvNN

The vendor gave me the following information. (This is a copy and paste
from an Excel spreadsheet. The first column is what my setting must be, and
the second is what their settings are.)

Phase I Settings ("IPSec Phase 1 Settings MUST match on both sides")
                                My setting        Their setting
Diffie-Hellman Group            2 (Mod1024)       2 (Mod1024)
Encryption Algorithm            3DES              3DES
Hash Algorithm                  SHA-1             SHA-1
NAT-T                           Disable           Disable
Lifetime (In Seconds)           86400             86400

Phase II Settings ("IPSec Phase 2 Settings MUST match on both sides")
                                My setting        Their setting
Encapsulation                   ESP (encrypted)   ESP (encrypted)
Perfect Forward Secrecy (PFS)   NO PFS            NO PFS
Encryption Algorithm            3DES              3DES
Hash Algorithm                  SHA-1             SHA-1
Lifetime (In Seconds)           3                 3600
Lifetime (In Kbytes)            N/A               N/A


Here is some additional information.

root at removed ~ # ipsec up pfsense
initiating Main Mode IKE_SA pfsense[1] to remote_ip
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from my_ip[500] to remote_ip[500] (192 bytes)
received packet: from remote_ip[500] to my_ip[500] (56 bytes)
parsed INFORMATIONAL_V1 request 1194142694 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'pfsense' failed

-----------------------------------------------------------------------------

root at removed ~ # tcpdump -i eth0 -n -s 0 -vv \(port 500 or port 4500\) and host remote_ip
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size
65535 bytes
15:55:53.950366 IP (tos 0x0, ttl 64, id 20824, offset 0, flags [DF],
proto UDP (17), length 220)
    my_ip.500 > remote_ip.500: [bad udp cksum 0x1b3d -> 0x2356!]
isakmp 1.0 msgid 00000000 cookie 1f0003ab455e05b6->0000000000000000:
phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #0 protoid=isakmp transform=2
            (t: #1 id=ike (type=enc value=3des)(type=hash
value=sha1)(type=group desc value=modp1024)(type=auth
value=preshared)(type=lifetype value=sec)(type=lifeduration len=4
value=00015180))
            (t: #2 id=ike (type=enc value=3des)(type=hash
value=md5)(type=group desc value=modp1024)(type=auth
value=preshared)(type=lifetype value=sec)(type=lifeduration len=4
value=00015180))))
    (vid: len=8)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
15:55:54.140147 IP (tos 0x28, ttl 46, id 29153, offset 0, flags
[none], proto UDP (17), length 84)
    remote_ip.500 > my_ip.500: [udp sum ok] isakmp 1.0 msgid 02e19b96
cookie 1f0003ab455e05b6->3f736b18c0f74262: phase 2/others R inf:
    (n: doi=ipsec proto=isakmp type=NO-PROPOSAL-CHOSEN
spi=1f0003ab455e05b63f736b18c0f74262)


Thanks if you can help me.

Regards
Brent Clark
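As an added example (not part of Brent's post, the pfSense documentation or the vendor's spreadsheet), the Phase 1 / Phase 2 table above expressed as a strongSwan ipsec.conf conn block. The connection name, addresses, subnets and pre-shared key are placeholders, and the Phase 2 lifetime assumes the peer's 3600 s value.

```conf
# Added example: strongSwan ipsec.conf conn block derived from the vendor's
# Phase 1 / Phase 2 table. Connection name, addresses, subnets and the
# pre-shared key are placeholders, not values from the post.
conn pfsense
    keyexchange=ikev1
    aggressive=no              # Main Mode, as shown in the 'ipsec up' output
    authby=secret              # pre-shared key, see ipsec.secrets below
    left=%defaultroute
    leftsubnet=10.0.1.0/24     # placeholder: local network behind strongSwan
    right=remote_ip            # placeholder: pfSense WAN address
    rightsubnet=10.0.2.0/24    # placeholder: network behind pfSense
    # Phase 1: 3DES / SHA-1 / DH group 2 (modp1024), 86400 s lifetime.
    # The trailing '!' stops strongSwan from appending its default proposals,
    # so only this transform set is offered to the peer.
    ike=3des-sha1-modp1024!
    ikelifetime=86400s
    # Phase 2: ESP 3DES / SHA-1, 3600 s lifetime (assumes the peer's value).
    # "NO PFS" is expressed by leaving the DH group out of the esp= proposal.
    esp=3des-sha1!
    lifetime=3600s
    forceencaps=no             # do not force UDP encapsulation (peer has NAT-T disabled)
    type=tunnel
    auto=add
# 3DES, SHA-1 and modp1024 are legacy choices kept here only because the
# peer requires them; prefer AES/SHA-2 and a larger DH group when the peer allows.

# ipsec.secrets entry (placeholder secret; peer address as above)
# %any remote_ip : PSK "replace-with-shared-secret"
```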