Peplink pfSense IPsec VPN
-
Hi,
I am unable to configure a Peplink Balance 380 with pfSense for a site-to-site IPsec VPN. The configuration is pretty straightforward, but it simply won't finish phase 1 :(
It is always this:
ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
Since it is a multi-WAN router, I bound IPsec to a single WAN interface with a fixed IP, so I don't think the problem is there.
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: ===
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: 120 bytes message received from 2.2.2.2[500] to 1.1.1.1[500]
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: 39660a4d 1857c5b1 00000000 00000000 01100200 00000000 00000078 0d000038 00000001 00000001 0000002c 00010001 00000024 00010000 800b0001 800c0e10 80010007 80020002 80030001 80040005 800e0100 0d000010 4f456e54 4e77494c 76567e5c 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: ===
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: INFO: respond new phase 1 negotiation: 1.1.1.1[500]<=>2.2.2.2[500]
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: INFO: begin Identity Protection mode.
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: begin.
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: seen nptype=1(sa)
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: seen nptype=13(vid)
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: seen nptype=13(vid)
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: succeed.
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: received unknown Vendor ID
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: 4f456e54 4e77494c 76567e5c
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: INFO: received Vendor ID: DPD
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: remote supports DPD
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: total SA len=52
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: 00000001 00000001 0000002c 00010001 00000024 00010000 800b0001 800c0e10 80010007 80020002 80030001 80040005 800e0100
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: begin.
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: seen nptype=2(prop)
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: succeed.
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: proposal #0 len=44
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: begin.
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: seen nptype=3(trns)
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: succeed.
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: transform #0 len=36
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: encryption(aes)
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: hash(sha1)
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: type=Group Description, flag=0x8000, lorv=1536-bit MODP group
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: hmac(modp1536)
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: type=Key Length, flag=0x8000, lorv=256
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: pair 0:
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: 0x8016346c0: next=0x0 tnext=0x0
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: proposal #0: 1 transform
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: type=Group Description, flag=0x8000, lorv=1536-bit MODP group
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: type=Key Length, flag=0x8000, lorv=256
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: prop#=0, prot-id=ISAKMP, spi-size=0, #trns=1
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: trns#=0, trns-id=IKE
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: lifetime = 3600
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: lifebyte = 0
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: enctype = AES-CBC
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: encklen = 256
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: hashtype = SHA
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: authmethod = pre-shared key
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: dh_group = 1536-bit MODP group
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: an acceptable proposal found.
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: hmac(modp1536)
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: agreed on pre-shared key auth.
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: ===
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: new cookie: 70a28dc260ce8d23
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: add payload of len 52, next type 13
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: add payload of len 16, next type 0
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: 104 bytes from 1.1.1.1[500] to 2.2.2.2[500]
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: sockname 1.1.1.1[500]
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: send packet from 1.1.1.1[500]
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: send packet to 2.2.2.2[500]
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: 1 times of 104 bytes message will be sent to 2.2.2.2[500]
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: 39660a4d 1857c5b1 70a28dc2 60ce8d23 01100200 00000000 00000068 0d000038 00000001 00000001 0000002c 00010001 00000024 00010000 800b0001 800c0e10 80010007 80020002 80030001 80040005 800e0100 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: resend phase1 packet 39660a4d1857c5b1:70a28dc260ce8d23
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: ===
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: 40 bytes message received from 2.2.2.2[500] to 1.1.1.1[500]
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: 39660a4d 1857c5b1 00000000 00000000 0b100500 00000000 00000028 0000000c 00000001 0100000e
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: receive Information.
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: begin.
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: seen nptype=11(notify)
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: DEBUG: succeed.
Apr 26 16:34:50 racoon: 2012-04-26 16:34:50: [2.2.2.2] ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
Apr 26 16:35:00 racoon: 2012-04-26 16:35:00: DEBUG: 104 bytes from 1.1.1.1[500] to 2.2.2.2[500]
Apr 26 16:35:00 racoon: 2012-04-26 16:35:00: DEBUG: sockname 1.1.1.1[500]
Apr 26 16:35:00 racoon: 2012-04-26 16:35:00: DEBUG: send packet from 1.1.1.1[500]
Apr 26 16:35:00 racoon: 2012-04-26 16:35:00: DEBUG: send packet to 2.2.2.2[500]
Apr 26 16:35:00 racoon: 2012-04-26 16:35:00: DEBUG: 1 times of 104 bytes message will be sent to 2.2.2.2[500]
Apr 26 16:35:00 racoon: 2012-04-26 16:35:00: DEBUG: 39660a4d 1857c5b1 70a28dc2 60ce8d23 01100200 00000000 00000068 0d000038 00000001 00000001 0000002c 00010001 00000024 00010000 800b0001 800c0e10 80010007 80020002 80030001 80040005 800e0100 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Apr 26 16:35:00 racoon: 2012-04-26 16:35:00: DEBUG: resend phase1 packet 39660a4d1857c5b1:70a28dc260ce8d23
Apr 26 16:35:00 racoon: 2012-04-26 16:35:00: DEBUG: ===
Apr 26 16:35:00 racoon: 2012-04-26 16:35:00: DEBUG: 40 bytes message received from 2.2.2.2[500] to 1.1.1.1[500]
Apr 26 16:35:00 racoon: 2012-04-26 16:35:00: DEBUG: 39660a4d 1857c5b1 00000000 00000000 0b100500 00000000 00000028 0000000c 00000001 0100000e
Apr 26 16:35:00 racoon: 2012-04-26 16:35:00: DEBUG: receive Information.
Apr 26 16:35:00 racoon: 2012-04-26 16:35:00: DEBUG: begin.
Apr 26 16:35:00 racoon: 2012-04-26 16:35:00: DEBUG: seen nptype=11(notify)
Apr 26 16:35:00 racoon: 2012-04-26 16:35:00: DEBUG: succeed.
Apr 26 16:35:00 racoon: 2012-04-26 16:35:00: [2.2.2.2] ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
Apr 26 16:35:10 racoon: 2012-04-26 16:35:10: DEBUG: 104 bytes from 1.1.1.1[500] to 2.2.2.2[500]
Apr 26 16:35:10 racoon: 2012-04-26 16:35:10: DEBUG: sockname 1.1.1.1[500]
Apr 26 16:35:10 racoon: 2012-04-26 16:35:10: DEBUG: send packet from 1.1.1.1[500]
Apr 26 16:35:10 racoon: 2012-04-26 16:35:10: DEBUG: send packet to 2.2.2.2[500]
Apr 26 16:35:10 racoon: 2012-04-26 16:35:10: DEBUG: 1 times of 104 bytes message will be sent to 2.2.2.2[500]
Apr 26 16:35:10 racoon: 2012-04-26 16:35:10: DEBUG: 39660a4d 1857c5b1 70a28dc2 60ce8d23 01100200 00000000 00000068 0d000038 00000001 00000001 0000002c 00010001 00000024 00010000 800b0001 800c0e10 80010007 80020002 80030001 80040005 800e0100 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Apr 26 16:35:10 racoon: 2012-04-26 16:35:10: DEBUG: resend phase1 packet 39660a4d1857c5b1:70a28dc260ce8d23
Apr 26 16:35:10 racoon: 2012-04-26 16:35:10: DEBUG: ===
Apr 26 16:35:10 racoon: 2012-04-26 16:35:10: DEBUG: 40 bytes message received from 2.2.2.2[500] to 1.1.1.1[500]
Apr 26 16:35:10 racoon: 2012-04-26 16:35:10: DEBUG: 39660a4d 1857c5b1 00000000 00000000 0b100500 00000000 00000028 0000000c 00000001 0100000e
Apr 26 16:35:10 racoon: 2012-04-26 16:35:10: DEBUG: receive Information.
Apr 26 16:35:10 racoon: 2012-04-26 16:35:10: DEBUG: begin.
Apr 26 16:35:10 racoon: 2012-04-26 16:35:10: DEBUG: seen nptype=11(notify)
Apr 26 16:35:10 racoon: 2012-04-26 16:35:10: DEBUG: succeed.
Apr 26 16:35:10 racoon: 2012-04-26 16:35:10: [2.2.2.2] ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
Apr 26 16:35:20 racoon: 2012-04-26 16:35:20: DEBUG: 104 bytes from 1.1.1.1[500] to 2.2.2.2[500]
Apr 26 16:35:20 racoon: 2012-04-26 16:35:20: DEBUG: sockname 1.1.1.1[500]
Apr 26 16:35:20 racoon: 2012-04-26 16:35:20: DEBUG: send packet from 1.1.1.1[500]
Apr 26 16:35:20 racoon: 2012-04-26 16:35:20: DEBUG: send packet to 2.2.2.2[500]
Apr 26 16:35:20 racoon: 2012-04-26 16:35:20: DEBUG: 1 times of 104 bytes message will be sent to 2.2.2.2[500]
Apr 26 16:35:20 racoon: 2012-04-26 16:35:20: DEBUG: 39660a4d 1857c5b1 70a28dc2 60ce8d23 01100200 00000000 00000068 0d000038 00000001 00000001 0000002c 00010001 00000024 00010000 800b0001 800c0e10 80010007 80020002 80030001 80040005 800e0100 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Apr 26 16:35:20 racoon: 2012-04-26 16:35:20: DEBUG: resend phase1 packet 39660a4d1857c5b1:70a28dc260ce8d23
Apr 26 16:35:20 racoon: 2012-04-26 16:35:20: DEBUG: ===
Apr 26 16:35:20 racoon: 2012-04-26 16:35:20: DEBUG: 40 bytes message received from 2.2.2.2[500] to 1.1.1.1[500]
Apr 26 16:35:20 racoon: 2012-04-26 16:35:20: DEBUG: 39660a4d 1857c5b1 00000000 00000000 0b100500 00000000 00000028 0000000c 00000001 0100000e
Apr 26 16:35:20 racoon: 2012-04-26 16:35:20: DEBUG: receive Information.
Apr 26 16:35:20 racoon: 2012-04-26 16:35:20: DEBUG: begin.
Apr 26 16:35:20 racoon: 2012-04-26 16:35:20: DEBUG: seen nptype=11(notify)
Apr 26 16:35:20 racoon: 2012-04-26 16:35:20: DEBUG: succeed.
Apr 26 16:35:20 racoon: 2012-04-26 16:35:20: [2.2.2.2] ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
Apr 26 16:35:30 racoon: 2012-04-26 16:35:30: DEBUG: 104 bytes from 1.1.1.1[500] to 2.2.2.2[500]
Apr 26 16:35:30 racoon: 2012-04-26 16:35:30: DEBUG: sockname 1.1.1.1[500]
Apr 26 16:35:30 racoon: 2012-04-26 16:35:30: DEBUG: send packet from 1.1.1.1[500]
Apr 26 16:35:30 racoon: 2012-04-26 16:35:30: DEBUG: send packet to 2.2.2.2[500]
Apr 26 16:35:30 racoon: 2012-04-26 16:35:30: DEBUG: 1 times of 104 bytes message will be sent to 2.2.2.2[500]
Apr 26 16:35:30 racoon: 2012-04-26 16:35:30: DEBUG: 39660a4d 1857c5b1 70a28dc2 60ce8d23 01100200 00000000 00000068 0d000038 00000001 00000001 0000002c 00010001 00000024 00010000 800b0001 800c0e10 80010007 80020002 80030001 80040005 800e0100 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Apr 26 16:35:30 racoon: 2012-04-26 16:35:30: DEBUG: resend phase1 packet 39660a4d1857c5b1:70a28dc260ce8d23
Apr 26 16:35:30 racoon: 2012-04-26 16:35:30: DEBUG: ===
Apr 26 16:35:30 racoon: 2012-04-26 16:35:30: DEBUG: 40 bytes message received from 2.2.2.2[500] to 1.1.1.1[500]
Apr 26 16:35:30 racoon: 2012-04-26 16:35:30: DEBUG: 39660a4d 1857c5b1 00000000 00000000 0b100500 00000000 00000028 0000000c 00000001 0100000e
Apr 26 16:35:30 racoon: 2012-04-26 16:35:30: DEBUG: receive Information.
Apr 26 16:35:30 racoon: 2012-04-26 16:35:30: DEBUG: begin.
Apr 26 16:35:30 racoon: 2012-04-26 16:35:30: DEBUG: seen nptype=11(notify)
Apr 26 16:35:30 racoon: 2012-04-26 16:35:30: DEBUG: succeed.
Apr 26 16:35:30 racoon: 2012-04-26 16:35:30: [2.2.2.2] ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
Apr 26 16:35:40 racoon: 2012-04-26 16:35:40: ERROR: phase1 negotiation failed due to time up. 39660a4d1857c5b1:70a28dc260ce8d23
-
Your local and remote IDs on the Peplink are blank; that's probably why it's replying with no proposal chosen. Fill those in with the IPs.
-
@cmb:
Your local and remote IDs on the Peplink are blank; that's probably why it's replying with no proposal chosen. Fill those in with the IPs.
I have already; I was trying without that when I ran out of options. I was trying the whole day to connect without success.
Also, what is strange is that both sides found an acceptable proposal and agreed on the pre-shared key, and later I get ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange. Does this make sense?
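To make the two hex dumps in the racoon log readable, here is a small ISAKMP decoder, added as an example and not code from this thread, from pfSense or from racoon: it walks the fixed header and the payload chain as laid out in RFC 2408 and returns the IKE attributes of the Peplink's proposal and the notify type carried by its 40-byte reply. The dumps are copied from the log above; the name tables only cover the code points that occur there.

```python
import struct

# Code points from ISAKMP (RFC 2408) and the IKEv1 IPsec DOI (RFC 2407/2409);
# only the values that occur in the racoon dumps above are mapped by name.
EXCHANGE = {2: "Identity Protection (main mode)", 5: "Informational"}
NOTIFY = {14: "NO-PROPOSAL-CHOSEN", 18: "INVALID-ID-INFORMATION", 24: "AUTHENTICATION-FAILED"}
ATTR = {1: "enc", 2: "hash", 3: "auth", 4: "group", 11: "life_type", 12: "life", 14: "keylen"}
NAMES = {"enc": {7: "AES-CBC"}, "hash": {2: "SHA1"}, "auth": {1: "pre-shared key"},
         "group": {5: "modp1536"}, "life_type": {1: "seconds"}}

def parse_attributes(buf):
    """Decode IKE SA attributes, in TV form (high bit set) or TLV form."""
    attrs, off = {}, 0
    while off + 4 <= len(buf):
        t, v = struct.unpack_from("!HH", buf, off)
        name = ATTR.get(t & 0x7fff, t & 0x7fff)
        if t & 0x8000:                      # TV: the 16-bit value follows directly
            attrs[name], off = NAMES.get(name, {}).get(v, v), off + 4
        else:                               # TLV: v is the length of the value
            attrs[name], off = int.from_bytes(buf[off + 4:off + 4 + v], "big"), off + 4 + v
    return attrs

def parse_isakmp(hexdump):
    """Parse one ISAKMP message: fixed header, then the SA / Notify / Vendor ID chain."""
    data = bytes.fromhex(hexdump.replace(" ", ""))
    icookie, rcookie, np, _ver, exch, flags, _msgid, length = struct.unpack_from("!8s8sBBBBII", data)
    msg = {"exchange": EXCHANGE.get(exch, exch), "initiator_cookie": icookie.hex(),
           "responder_cookie": rcookie.hex(), "encrypted": bool(flags & 0x01), "payloads": []}
    off = 28
    while np and off + 4 <= length:
        nxt, _, plen = struct.unpack_from("!BBH", data, off)
        body = data[off + 4:off + plen]
        if np == 1:     # SA: DOI+situation(8), proposal header(8)+SPI, transform header(8), attrs
            spi_size = body[14]
            msg["payloads"].append(("SA", parse_attributes(body[24 + spi_size:])))
        elif np == 11:  # Notify: DOI(4), protocol(1), SPI size(1), notify type(2)
            ntype = struct.unpack_from("!H", body, 6)[0]
            msg["payloads"].append(("Notify", NOTIFY.get(ntype, ntype)))
        elif np == 13:  # Vendor ID: opaque bytes (racoon identified the second one as DPD)
            msg["payloads"].append(("Vendor ID", body.hex()))
        np, off = nxt, off + plen
    return msg

# Both dumps copied from the racoon log above: the Peplink's first main-mode message
# and the 40-byte informational it sent back after racoon had accepted the proposal.
PEPLINK_SA = ("39660a4d 1857c5b1 00000000 00000000 01100200 00000000 00000078 0d000038 00000001"
              " 00000001 0000002c 00010001 00000024 00010000 800b0001 800c0e10 80010007 80020002"
              " 80030001 80040005 800e0100 0d000010 4f456e54 4e77494c 76567e5c 00000014 afcad713"
              " 68a1f1c9 6b8696fc 77570100")
PEPLINK_NOTIFY = "39660a4d 1857c5b1 00000000 00000000 0b100500 00000000 00000028 0000000c 00000001 0100000e"
```

Decoding the reply is what resolves the apparent contradiction: it is an informational exchange with the encryption flag clear, notify type 14 and an all-zero responder cookie, sent from 2.2.2.2 after racoon had already accepted the proposal, so the rejection comes from the Peplink side, not from racoon's proposal matching.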
-
In case someone gets into trouble like me...
The problem was a secret that contained special characters !"
:( >:( >:( >:( >:( >:( >:( >:( >:( >:( >:(
-
In case someone gets into trouble like me...
The problem was a secret that contained special characters !"
:( >:( >:( >:( >:( >:( >:( >:( >:( >:( >:(
Ah, not the first time we've heard that with other products. That's a bug in Peplink, not on our side; we support every character, symbol, etc. in shared keys. One of my production VPNs runs with every letter, number and symbol in the key just to prove that always works, as people tend to not believe the problem is actually in the commercial box they paid big bucks for and not on our side.