Netgate Discussion Forum
    IPSec AES256

IPsec
17 Posts 6 Posters 2.9k Views

kodimar

I'm trying to create an IPSec tunnel between two endpoints. Phase 1 seems to complete, but I get the error "11[IKE] <con1000|1> receive NO_PROPOSAL_CHOSEN error notify". I am running 2.2.1.

I think I have it narrowed down to the encryption algorithm in Phase 1 not being the same on both ends, because it won't allow me to choose AES256. I can choose AES from the first drop-down, but the drop-down to choose the key size doesn't have anything listed. The related line in /var/etc/ipsec/ipsec.conf says ike = aes-sha1-modp1024

Am I correct in assuming that it's using AES and not AES256? If so, is there a workaround?

Derelict LAYER 8 Netgate

@kodimar:

I think I have it narrowed down to the encryption algorithm in Phase 1 not being the same on both ends, because it won't allow me to choose AES256

        What won't let you select AES256?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

kodimar

Where you choose your encryption algorithm there are two drop-down menus: one that lets you choose AES or 3DES etc., then a second one that should let you choose 256 or 128. The drop-down menu that should let you choose 256 is empty. It's there, but there isn't anything to select.

Derelict LAYER 8 Netgate

            NoScript?  Turn on JavaScript and reload.

doktornotor

              What HW are we talking about? https://redmine.pfsense.org/issues/4361

kodimar

                It's a SuperMicro X7SPE-HF-D525 Atom-based board.

@Derelict:

NoScript? Turn on JavaScript and reload.

I'll try, but the other pull-down works…

kodimar

Strangely enough, I changed browsers and it let me choose 256. So thanks for the help on that.

                  Still getting the No Proposal error though.  Any thoughts?

Derelict LAYER 8 Netgate

                    You probably have a mismatch.  Check everything.

The only pull-downs that usually require JavaScript are the ones whose content changes when another item is changed, as is the case here: changing the algorithm presents a specific selection of key lengths.

spot

I am having the same problem, something that started after I updated today.

spot

FYI

I had that set previously.

Kept getting the message, so I blew away the Phase 2 settings and tried again; same issue.

Blew away Phase 1 and recreated 1 and 2, and this is the same message I am getting.

--------------------------------------------
I did an export of the config to check and it looks correct.

Might be something in the interface.

Derelict LAYER 8 Netgate

What part about "Only 128-bit AES can be used with glxsb accelerator" is hard to understand?

cmb

                            @spot:

                            I am having the same problem something that started after I updated today.

                            You had the problem before you upgraded actually. 2.2.1 enforces a proper configuration there. You have glxsb enabled, which means you cannot use AES > 128. If set to "auto", many times you'll end up using AES > 128 and have a broken VPN. I added that input validation so you can't configure something that's going to break with your glxsb card enabled.

kodimar

                              My research has pointed that the NO_PROPOSAL_CHOSEN error is caused by an error in the Phase 2 settings.  Is this a correct assumption?

spot

Derelict: The part where "glxsb" was not in my vocabulary. It is now. I didn't even know it was enabled on this box.

When you are right, you are right. This was an old box, soon to be replaced by an APU, if they ever make it back into the USA. I did not catch it because we don't use accelerators. This old Geode had it.

                                Thank you!

cmb

                                    @kodimar:

                                    My research has pointed that the NO_PROPOSAL_CHOSEN error is caused by an error in the Phase 2 settings.  Is this a correct assumption?

                                    A mismatch of some sort, most likely it's something in P1.

jimp Rebel Alliance Developer Netgate

                                      @kodimar:

                                      My research has pointed that the NO_PROPOSAL_CHOSEN error is caused by an error in the Phase 2 settings.  Is this a correct assumption?

                                      It can be either Phase 1 or Phase 2. See https://doc.pfsense.org/index.php/IPsec_Troubleshooting for help interpreting the logs.

                                      Best thing to do is set IKE SA, IKE Child SA, and Configuration Backend to Diag in the log settings, all others on Control, and have the remote end initiate.

                                      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                      Need help fast? Netgate Global Support!

                                      Do not Chat/PM for help!

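As an added example (it is not code from this thread, from pfSense, or from strongSwan), the Python below ties the three technical points of the thread together: it parses the "received proposals" / "configured proposals" lines that charon logs at the Diag level jimp recommends, reports which transform type has no overlap between the two ends (the usual cause of NO_PROPOSAL_CHOSEN in either Phase 1 or Phase 2), flags AES key sizes above 128 bits that cmb's glxsb validation rejects, and expands an ipsec.conf "ike =" string like the one in the first post so the two ends' configs can be compared directly. The log lines are constructed in charon's message format; the keyword table is a small subset and assumes strongSwan's shorthand in which plain "aes" means aes128.

```python
import re

# Constructed sample of charon (strongSwan) log output, written in the message
# format charon uses at the "IKE SA = Diag" level; not copied from the thread.
SAMPLE_LOG = """\
charon: 11[CFG] <con1000|1> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
charon: 11[CFG] <con1000|1> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
charon: 11[IKE] <con1000|1> no matching proposal found, sending NO_PROPOSAL_CHOSEN
"""

LINE_RE = re.compile(r"(received|configured) proposals: (.+)$")
ITEM_RE = re.compile(r"(IKE|ESP|AH):([A-Z0-9_/]+)")
AES_RE = re.compile(r"^AES_(?:CBC|CTR|GCM_\d+|CCM_\d+)_(\d+)$")

# ipsec.conf shorthand -> charon transform names (subset). Assumption: plain
# "aes" is strongSwan's alias for aes128, which is why "ike = aes-sha1-modp1024"
# negotiates 128-bit AES rather than 256.
KEYWORDS = {
    "aes": ["AES_CBC_128"], "aes128": ["AES_CBC_128"], "aes192": ["AES_CBC_192"],
    "aes256": ["AES_CBC_256"], "3des": ["3DES_CBC"],
    "sha1": ["HMAC_SHA1_96", "PRF_HMAC_SHA1"],
    "sha256": ["HMAC_SHA2_256_128", "PRF_HMAC_SHA2_256"],
    "modp1024": ["MODP_1024"], "modp2048": ["MODP_2048"],
}

def transform_type(t):
    """Bucket a charon transform name by IKE transform type."""
    if t.startswith("PRF_"):
        return "PRF"
    if t.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "INTEG"
    if t.startswith(("MODP_", "ECP_", "CURVE_")):
        return "DH"
    if t in ("NO_EXT_SEQ", "EXT_SEQ"):
        return "ESN"
    return "ENCR"  # AES_CBC_*, AES_GCM_*, 3DES_CBC, CHACHA20_POLY1305, ...

def proposal(transforms):
    """Group transform names into {type: set(names)}."""
    prop = {}
    for t in transforms:
        prop.setdefault(transform_type(t), set()).add(t)
    return prop

def parse_ike_keyword(value):
    """Expand an ipsec.conf 'ike =' string such as 'aes-sha1-modp1024'."""
    names = []
    for token in value.split("-"):
        names.extend(KEYWORDS[token])  # KeyError: token outside the subset above
    return proposal(names)

def parse_log(log):
    """Return {'received': {proto: [proposal, ...]}, 'configured': {...}}."""
    sides = {"received": {}, "configured": {}}
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        side, rest = m.groups()
        for proto, body in ITEM_RE.findall(rest):
            sides[side].setdefault(proto, []).append(proposal(body.split("/")))
    return sides

def compatible(r, c):
    """A peer proposal matches ours when every transform type it carries overlaps."""
    return all(r[t] & c.get(t, set()) for t in r)

def union(props):
    out = {}
    for p in props:
        for t, names in p.items():
            out.setdefault(t, set()).update(names)
    return out

def diagnose(sides):
    """Per protocol, the transform types with no overlap between peer and local
    proposals, as (peer offers, we accept). An empty dict means a match exists."""
    report = {}
    for proto, received in sides["received"].items():
        configured = sides["configured"].get(proto, [])
        if any(compatible(r, c) for r in received for c in configured):
            continue
        offered, accepted = union(received), union(configured)
        report[proto] = {
            t: (sorted(offered.get(t, ())), sorted(accepted.get(t, ())))
            for t in set(offered) | set(accepted)
            if not offered.get(t, set()) & accepted.get(t, set())
        }
    return report

def glxsb_violations(props):
    """AES transforms a glxsb-accelerated box cannot use (key longer than 128
    bits), the rule pfSense 2.2.1 enforces in the GUI when glxsb is enabled."""
    bad = set()
    for p in props:
        for t in p.get("ENCR", ()):
            m = AES_RE.match(t)
            if m and int(m.group(1)) > 128:
                bad.add(t)
    return sorted(bad)

if __name__ == "__main__":
    sides = parse_log(SAMPLE_LOG)
    for proto, types in diagnose(sides).items():
        for t, (peer, ours) in types.items():
            print(f"{proto} {t}: peer offers {peer}, we accept {ours}")
    print("peer's AES > 128 (unusable with glxsb):",
          glxsb_violations(sides["received"]["IKE"]))
    print("ike = aes-sha1-modp1024 expands to:", parse_ike_keyword("aes-sha1-modp1024"))
```

On the sample the report names ENCR as the only disagreeing type (peer offers AES_CBC_256, the local end accepts AES_CBC_128), which is exactly the situation a glxsb box hits when the remote side is set to AES-256; ESP lines from the Child SA log are handled the same way, so a Phase 2 mismatch shows up under "ESP".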
                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.