Windows mobile -> no suitable proposal found.



  • Hi guys,

    I'm trying to make a VPN connection to my Windows Mobile 6.1 device, but it just won't work.

    Here is my log:

    Sep 12 13:12:26 racoon: ERROR: failed to process packet.
    Sep 12 13:12:26 racoon: ERROR: failed to get valid proposal.
    Sep 12 13:12:26 racoon: ERROR: no suitable proposal found.
    Sep 12 13:12:26 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#12) = 7:DES-CBC
    Sep 12 13:12:26 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#11) = MD5:SHA
    Sep 12 13:12:26 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#11) = 7:DES-CBC
    Sep 12 13:12:26 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#10) = 7:3DES-CBC
    Sep 12 13:12:26 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#9) = MD5:SHA
    Sep 12 13:12:26 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#9) = 7:3DES-CBC
    Sep 12 13:12:26 racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#8) = 768-bit MODP group:1024-bit MODP group
    Sep 12 13:12:26 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#8) = 7:DES-CBC
    Sep 12 13:12:26 racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#7) = 768-bit MODP group:1024-bit MODP group
    Sep 12 13:12:26 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#7) = MD5:SHA
    Sep 12 13:12:26 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#7) = 7:DES-CBC
    Sep 12 13:12:26 racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#6) = 768-bit MODP group:2048-bit MODP group
    Sep 12 13:12:26 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#6) = 7:DES-CBC
    Sep 12 13:12:26 racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#5) = 768-bit MODP group:2048-bit MODP group
    Sep 12 13:12:26 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = MD5:SHA
    Sep 12 13:12:26 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = 7:DES-CBC
    Sep 12 13:12:26 racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 768-bit MODP group:1024-bit MODP group
    Sep 12 13:12:26 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 7:3DES-CBC
    Sep 12 13:12:26 racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 768-bit MODP group:1024-bit MODP group
    Sep 12 13:12:26 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = MD5:SHA
    Sep 12 13:12:26 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 7:3DES-CBC
    Sep 12 13:12:26 racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 768-bit MODP group:2048-bit MODP group
    Sep 12 13:12:26 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 7:3DES-CBC
    Sep 12 13:12:26 racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 768-bit MODP group:2048-bit MODP group
    Sep 12 13:12:26 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = MD5:SHA
    Sep 12 13:12:26 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 7:3DES-CBC
    Sep 12 13:12:26 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Sep 12 13:12:26 racoon: INFO: received Vendor ID: FRAGMENTATION
    Sep 12 13:12:26 racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
    Sep 12 13:12:26 racoon: INFO: begin Identity Protection mode.
    Sep 12 12:54:37 racoon: [Mobile Test]: INFO: respond new phase 1 negotiation: ..61.242[500]<=>*..127.35[500]

    My Pocket PC connects to the internet over a 3G connection and gets a dynamic IP address from my provider.
    As you can see, nothing wrong with that (I think), because it tries to connect and racoon knows it's my mobile device.

    But when it comes to communicating with each other, things get messed up and no connection is made.

    Here is a bit of my configuration:
    Settings for IPSec tunnel [Mobile Test]:

    Phase 1 proposal (Authentication)
    Negotiation mode: Main
    Encryption algorithm: rijndael AES
    Hash algorithm: MD5
    DH Key group: 1
    Authentication method: Pre-shared key

    Settings for VPN: IPsec: Mobile Clients:

    Phase 1 proposal (Authentication)
    Negotiation mode: Main
    Encryption algorithm: rijndael AES
    Hash algorithm: MD5
    DH Key group: 1
    Authentication method: Pre-shared key

    Does anyone know what I'm doing wrong here?

    Edit:
    Found some more information from our friends at Microsoft:

    IPSec v4 for Windows Embedded CE has been implemented to avoid the most common security attacks, but some security risks remain.

    To protect your device from security attacks, follow these security best practices.

    Best Practices
    Use certificate authentication
    Use authentication through a user certificate instead of preshared-key authentication. Preshared-key authentication is not scalable. If you decide to use preshared-key authentication, make sure to use long and strong passwords. For more information, see Certificates.

    Understand the impact of setting the action for outgoing traffic to "soft"
    If the outAction member of the IPSEC_API_MODE_INFO structure is set to IPSEC_API_OUT_ACTION_SOFT, and the peer does not respond to IPSec, the system will resort to the fallback mechanism. In this case, packets will be sent to that peer in clear text. If you want both incoming and outgoing traffic to be secure, set the inAction member of IPSEC_API_MODE_INFO to IPSEC_API_IN_ACTION_SECURE and set the outAction member to IPSEC_API_OUT_ACTION_SECURE.

    Understand the strengths of encryption algorithms
    If you want strong encryption, use 3DES instead of DES.

    Note: 
       If your policy supports DES and 3DES, a peer can choose to use DES.

    If you want to use only 3DES, configure the policy accordingly. Setting the encryption algorithm to IPSEC_API_CONF_ALGO_NONE implies that the peer can choose to select no encryption.

    Understand the strengths of hashing (MAC) algorithms
    Use SHA1 if possible.

    Note: 
    If your policy supports SHA1 and MD5, a peer can choose to use MD5.

    If you want to use only SHA1, configure the policy accordingly. Setting the hash mask to IPSEC_API_AUTH_ALGO_NONE implies that the peer can choose to select no integrity check.

    Understand which source IP address IPSec is applied to
    IPSec policy is applied per source IP address. The IPSec policy that is applied to one specific source IP address does not apply to your data if the network traffic passes through a network interface with a different source IP address.

    If you want the IPSec policy to automatically apply to all source IP addresses, set the srcIP member in the IPSEC_API_MODE_INFO structure to zero and use IPSEC_API_APPLY_TO_ALL_SRC_IP to call SetIPSecMode. If your IPSec policy is set to a specific source IP address, the caller of the IPSec functions must handle the renewal of IP addresses and the appearance of new network interfaces.


    So based on this information; the setting should be:

    Phase 1 proposal (Authentication)
    Negotiation mode: Main
    Encryption algorithm: 3des
    Hash algorithm: MD5
    DH Key group: 2
    Authentication method: Pre-shared key

    So that's what I tried. Guess what -> Didn't work… ???

    So again: Does someone know something about connecting windows mobile clients?


    Narrowed it down to:

    racoon: ERROR: couldn't find the pskey for 212.187.108.161.

    That's fewer errors, but still no connection.



  • Anyone?



  • I think this is dynamic-to-dynamic and, sorry, this isn't supported by 1.2/1.21. With 1.3 you can do this.
    Regards
    heiko



  • The remote peer is not sending a proposal that matches what you have listed as its configuration. For phase 1 it's using…

    3DES-CBC
    SHA1
    DH Group 2

    Try setting the pfSense phase 1 parameters to match. It should get farther along.
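The reply above reads the peer's phase 1 transforms off the "rejected ..." lines in the first post by hand. The following script does the same job mechanically; it is an added example, not code from the thread or from racoon/pfSense. It assumes that racoon logs every mismatching attribute of a peer transform rather than stopping at the first one (the two- and three-line entries for a single transform in the post support that), so an attribute that is never logged for a transform must have matched the local (DB) side. The bare "7" racoon prints for the local encryption type is mapped to its IANA IKEv1 attribute name (7 = AES-CBC); the sample log is the post's own rejection lines with the syslog prefix stripped.

```python
import re
from collections import defaultdict

# Constructed sample input: the "rejected ..." lines from the racoon log in the
# first post, syslog prefix dropped. Each line compares one attribute of our own
# (DB) transform with one of the peer's transforms: "<ours>:<theirs>".
SAMPLE_LOG = """\
rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#12) = 7:DES-CBC
rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#11) = MD5:SHA
rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#11) = 7:DES-CBC
rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#10) = 7:3DES-CBC
rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#9) = MD5:SHA
rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#9) = 7:3DES-CBC
rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#8) = 768-bit MODP group:1024-bit MODP group
rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#8) = 7:DES-CBC
rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#7) = 768-bit MODP group:1024-bit MODP group
rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#7) = MD5:SHA
rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#7) = 7:DES-CBC
rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#6) = 768-bit MODP group:2048-bit MODP group
rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#6) = 7:DES-CBC
rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#5) = 768-bit MODP group:2048-bit MODP group
rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = MD5:SHA
rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = 7:DES-CBC
rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 768-bit MODP group:1024-bit MODP group
rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 7:3DES-CBC
rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 768-bit MODP group:1024-bit MODP group
rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = MD5:SHA
rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 7:3DES-CBC
rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 768-bit MODP group:2048-bit MODP group
rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 7:3DES-CBC
rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 768-bit MODP group:2048-bit MODP group
rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = MD5:SHA
rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 7:3DES-CBC
"""

# IANA IKEv1 "Encryption Algorithm" attribute values. racoon printed our own
# side as the raw number (7), so both sides are normalised to names.
ENC_NAMES = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}

ATTRS = ("enctype", "hashtype", "dh_group")

LINE_RE = re.compile(
    r"rejected (?P<attr>enctype|hashtype|dh_group): "
    r"DB\(prop#\d+:trns#\d+\):Peer\(prop#\d+:trns#(?P<trns>\d+)\) = "
    r"(?P<ours>[^:]+):(?P<theirs>.+)$"
)


def normalise(value):
    """Map a numeric enctype to its IANA name; leave everything else alone."""
    return ENC_NAMES.get(int(value), value) if value.isdigit() else value


def parse_rejections(log):
    """Return (ours, peers): ours = {attr: value} of our single phase 1 transform,
    peers = {trns_no: {attr: value}} holding only the attributes racoon rejected."""
    ours, peers = {}, defaultdict(dict)
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            ours[m["attr"]] = normalise(m["ours"])
            peers[int(m["trns"])][m["attr"]] = normalise(m["theirs"])
    return ours, dict(peers)


def peer_transforms(ours, peers):
    """Reconstruct each full peer transform, in the peer's preference order
    (trns#1 first). Assumption: an attribute racoon did not reject equals ours."""
    return {n: {a: peers[n].get(a, ours.get(a)) for a in ATTRS} for n in sorted(peers)}


def matching_transforms(ours, peers, candidate):
    """Peer transform numbers that a local phase 1 config `candidate` would accept."""
    return [n for n, t in peer_transforms(ours, peers).items()
            if all(t[a] == candidate[a] for a in ATTRS)]


if __name__ == "__main__":
    ours, peers = parse_rejections(SAMPLE_LOG)
    print("our transform:", ours)
    for n, t in peer_transforms(ours, peers).items():
        print(f"peer trns#{n}: {t}")
    # The second config the original poster tried: 3DES / MD5 / DH group 2 (1024-bit).
    tried = {"enctype": "3DES-CBC", "hashtype": "MD5", "dh_group": "1024-bit MODP group"}
    print("matching peer transforms:", matching_transforms(ours, peers, tried))
```

Run against the post's log, this shows the device offers twelve transforms, every combination of DES-CBC/3DES-CBC, MD5/SHA and DH groups 1, 2 and 14 (768, 1024 and 2048-bit MODP), with 3DES-CBC/SHA/2048-bit as its first preference, and that the poster's original AES/MD5/group 1 proposal matches none of them. Because the responder picks from whatever its own policy accepts, restricting the gateway to 3DES-CBC/SHA/group 2 or stronger also guarantees the DES and MD5 transforms the device proposes lower down are never selected, which is the point the quoted Microsoft note makes about a peer being free to choose DES when the policy allows it.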

