@posto587 said in IPsec Site-To-Site pfSense <-> Securepoint:

May 17 12:54:33 charon 07[IKE] <con5000|86410> received NO_PROPOSAL_CHOSEN notify error
May 17 12:54:33 charon 07[CFG] <con5000|86410> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048

The other side is rejecting the tunnel transform proposal

You are asking for:
AES_CBC_128
SHA256
PFS Group 14

They will have to tell you why they are rejecting that.

I've double checked the firewall rules on both desktops, and everything is set right.

If you can ping the LAN address at the other end then the tunnel is up and working.

Use packet captures. Ping something on the LAN on the other side and pcap there. Do you see the traffic leaving that interface? Is there a reply? If not find out why not. Compare with a capture to the same host from the local pfSense's LAN interface.

This problem is almost always 1 of two things:

The default gateway on the target host is not the VPN firewall. It seems you have eliminated this since the host can ping the far side's LAN interface address so that leaves... The software firewall (think windows firewall) on the target host is not allowing connections to the target host from the foreign subnet. It could be some other local security software on the host breaking things too.

@murphster_matt What's funny about this is that I had the same problem when trying to set up a different phone, and I'd completely forgotten about this solution until you posted your comment! Thanks for reminding me!

@sugarpeter

Not a clue sorry, I don’t use google authenticator.

@jimp said in DH Group 31 (curve25519) supported?:

Probably wants a feature request at https://redmine.pfsense.org

Alright that shouldn't be a problem :) Coming up!

Issue resolved!

Believe it or not it was a f****** reboot that solved it...
Probably the firewall still had some old caches or something still in it's memory...

@highc said in IPSec VPN to OpenWrt Strongswan Travel Router:

Thanks for trying to help me. I tried to do what you said, i.e. setup a new site-to-site config in pfSense

Look at the file on the PFSense side
/var/etc/ipsec/ipsec.conf
This is an example of what settings should be on the Openwrt router . These settings should mirror the settings on the PFSense (left/right)

https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-a-site-to-site-ipsec-vpn.html

https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/routing-internet-traffic-through-a-site-to-site-ipsec-vpn.html

For example , my file ipsec.conf (CentOS server, site-to-site connection)

conn es_ru_pfsense_rsa keyexchange=ikev2 authby=pubkey fragmentation = yes ikelifetime=28800s ike = aes256-sha256-modp2048,aes-sha256-modp2048! esp = aes256-sha256-modp2048,aes192-sha256-modp2048,aes128-sha256-modp2048,aes128gcm16-sha256-modp2048,aes128gcm64-sha256-modp2048! left=XX.XXX.XX.XX leftsubnet=0.0.0.0/0 leftcert=strongswan_rsa.pem leftca="C=ES, O=M, CN=e.m.org" leftid=@strongswan.m.org leftfirewall=yes lefthostaccess=no right=YY.YY.YY.YYY rightid=@pfsense.m.org rightsubnet=192.168.55.32/27 auto=add

Again, there are numerous threads around the forum already covering this in detail.

Solved (I think).

Turns out that not only do you have to add IPSec ports to the pfSense firewall, I had to add UDP 4500 to the AWS Security Group (AWS version of a firewall). The person who set up the Security Group had added UDP 500, but not 4500.