    Windows mobile -> no suitable proposal found.

    4 Posts 3 Posters 10.5k Views
    hakko

      Hi guys,

      I'm trying to make a VPN connection to my Windows Mobile 6.1 device, but it just won't work.

      Here's my log:

      Sep 12 13:12:26 racoon: ERROR: failed to process packet.
      Sep 12 13:12:26 racoon: ERROR: failed to get valid proposal.
      Sep 12 13:12:26 racoon: ERROR: no suitable proposal found.
      Sep 12 13:12:26 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#12) = 7:DES-CBC
      Sep 12 13:12:26 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#11) = MD5:SHA
      Sep 12 13:12:26 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#11) = 7:DES-CBC
      Sep 12 13:12:26 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#10) = 7:3DES-CBC
      Sep 12 13:12:26 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#9) = MD5:SHA
      Sep 12 13:12:26 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#9) = 7:3DES-CBC
      Sep 12 13:12:26 racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#8) = 768-bit MODP group:1024-bit MODP group
      Sep 12 13:12:26 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#8) = 7:DES-CBC
      Sep 12 13:12:26 racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#7) = 768-bit MODP group:1024-bit MODP group
      Sep 12 13:12:26 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#7) = MD5:SHA
      Sep 12 13:12:26 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#7) = 7:DES-CBC
      Sep 12 13:12:26 racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#6) = 768-bit MODP group:2048-bit MODP group
      Sep 12 13:12:26 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#6) = 7:DES-CBC
      Sep 12 13:12:26 racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#5) = 768-bit MODP group:2048-bit MODP group
      Sep 12 13:12:26 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = MD5:SHA
      Sep 12 13:12:26 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = 7:DES-CBC
      Sep 12 13:12:26 racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 768-bit MODP group:1024-bit MODP group
      Sep 12 13:12:26 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 7:3DES-CBC
      Sep 12 13:12:26 racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 768-bit MODP group:1024-bit MODP group
      Sep 12 13:12:26 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = MD5:SHA
      Sep 12 13:12:26 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 7:3DES-CBC
      Sep 12 13:12:26 racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 768-bit MODP group:2048-bit MODP group
      Sep 12 13:12:26 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 7:3DES-CBC
      Sep 12 13:12:26 racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 768-bit MODP group:2048-bit MODP group
      Sep 12 13:12:26 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = MD5:SHA
      Sep 12 13:12:26 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 7:3DES-CBC
      Sep 12 13:12:26 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Sep 12 13:12:26 racoon: INFO: received Vendor ID: FRAGMENTATION
      Sep 12 13:12:26 racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
      Sep 12 13:12:26 racoon: INFO: begin Identity Protection mode.
      Sep 12 12:54:37 racoon: [Mobile Test]: INFO: respond new phase 1 negotiation: ..61.242[500]<=>*..127.35[500]

      My Pocket PC connects to the internet with a 3G connection, and it gets a dynamic IP address from my provider.
      As you can see, nothing wrong with that (I think), because it tries to connect and racoon knows it's my mobile device.

      But when it comes to communicating with each other, things get messed up and no connection is made.

      Here's a bit of my configuration:
      Settings for IPSec tunnel [Mobile Test]:

      Phase 1 proposal (Authentication)
      Negotiation mode: Main
      Encryption algorithm: rijndael AES
      Hash algorithm: MD5
      DH Key group: 1
      Authentication method: Pre-shared key

      Settings for VPN: IPsec: Mobile Clients:

      Phase 1 proposal (Authentication)
      Negotiation mode: Main
      Encryption algorithm: rijndael AES
      Hash algorithm: MD5
      DH Key group: 1
      Authentication method: Pre-shared key

      Does anyone know what I'm doing wrong here?

      Edit:
      Found some more information from our friends at Microsoft:

      IPSec v4 for Windows Embedded CE has been implemented to avoid the most common security attacks, but some security risks remain.

      To protect your device from security attacks, follow these security best practices.

      Best Practices
      Use certificate authentication
      Use authentication through a user certificate instead of preshared-key authentication. Preshared-key authentication is not scalable. If you decide to use preshared-key authentication, make sure to use long and strong passwords. For more information, see Certificates.

      Understand the impact of setting the action for outgoing traffic to "soft"
      If the outAction member of the IPSEC_API_MODE_INFO structure is set to IPSEC_API_OUT_ACTION_SOFT, and the peer does not respond to IPSec, the system will resort to the fallback mechanism. In this case, packets will be sent to that peer in clear text. If you want both incoming and outgoing traffic to be secure, set the inAction member of IPSEC_API_MODE_INFO to IPSEC_API_IN_ACTION_SECURE and set the outAction member to IPSEC_API_OUT_ACTION_SECURE.

      Understand the strengths of encryption algorithms
      If you want strong encryption, use 3DES instead of DES.

      Note: 
         If your policy supports DES and 3DES, a peer can choose to use DES.

      If you want to use only 3DES, configure the policy accordingly. Setting the encryption algorithm to IPSEC_API_CONF_ALGO_NONE implies that the peer can choose to select no encryption.

      Understand the strengths of hashing (MAC) algorithms
      Use SHA1 if possible.

      Note: 
      If your policy supports SHA1 and MD5, a peer can choose to use MD5.

      If you want to use only SHA1, configure the policy accordingly. Setting the hash mask to IPSEC_API_AUTH_ALGO_NONE implies that the peer can choose to select no integrity check.

      Understand which source IP address IPSec is applied to
      IPSec policy is applied per source IP address. The IPSec policy that is applied to one specific source IP address does not apply to your data if the network traffic passes through a network interface with a different source IP address.

      If you want the IPSec policy to automatically apply to all source IP addresses, set the srcIP member in the IPSEC_API_MODE_INFO structure to zero and use IPSEC_API_APPLY_TO_ALL_SRC_IP to call SetIPSecMode. If your IPSec policy is set to a specific source IP address, the caller of the IPSec functions must handle the renewal of IP addresses and the appearance of new network interfaces.


      So based on this information, the settings should be:

      Phase 1 proposal (Authentication)
      Negotiation mode: Main
      Encryption algorithm: 3des
      Hash algorithm: MD5
      DH Key group: 2
      Authentication method: Pre-shared key

      So that's what I tried. Guess what -> Didn't work… ???

      So again: Does someone know something about connecting windows mobile clients?


      Narrowed it down to:

      racoon: ERROR: couldn't find the pskey for 212.187.108.161.

      That's fewer errors, but still no connection.

      hakko

        Anyone?

        heiko

          I think this is dynamic to dynamic and, sorry, this isn't supported by 1.2/1.21. With 1.3 you can do this.
          Regards
          heiko

          mgrooms

            The remote peer is not sending a proposal that matches what you have listed as its configuration. For phase 1 it's using …

            3DES-CBC
            SHA1
            DH Group 2

            Try setting the pfSense phase 1 parameters to match. It should get farther along.

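The way mgrooms read the log is mechanical enough to script. Each racoon "rejected ..." line names one peer transform (Peer(prop#1:trns#N)) and prints the local (DB) value before the colon and the peer's value after it; an attribute that is not rejected for a transform equals the local value. Starting from the DB values and overriding only the rejected attributes therefore reconstructs every transform the Windows Mobile client offered. The script below is an added example, not code from the forum post, pfSense or racoon; the IKE attribute ids (1=DES, 5=3DES, 7=AES) and the MODP group names follow the IKEv1 registry, and the log text is the rejection block quoted from the first post.

```python
"""Reconstruct a peer's IKE phase 1 proposals from racoon "rejected ..." log lines.

Added example (not from the forum post, pfSense or racoon). racoon logs one line
per mismatching attribute with the local (DB) value first and the peer's second.
"""
import re
from collections import defaultdict

# Rejection lines quoted from the first post (newest first, as the log viewer
# shows them; parsing does not depend on order). One INFO line kept to show skipping.
RACOON_LOG = """\
Sep 12 13:12:26 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#12) = 7:DES-CBC
Sep 12 13:12:26 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#11) = MD5:SHA
Sep 12 13:12:26 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#11) = 7:DES-CBC
Sep 12 13:12:26 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#10) = 7:3DES-CBC
Sep 12 13:12:26 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#9) = MD5:SHA
Sep 12 13:12:26 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#9) = 7:3DES-CBC
Sep 12 13:12:26 racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#8) = 768-bit MODP group:1024-bit MODP group
Sep 12 13:12:26 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#8) = 7:DES-CBC
Sep 12 13:12:26 racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#7) = 768-bit MODP group:1024-bit MODP group
Sep 12 13:12:26 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#7) = MD5:SHA
Sep 12 13:12:26 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#7) = 7:DES-CBC
Sep 12 13:12:26 racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#6) = 768-bit MODP group:2048-bit MODP group
Sep 12 13:12:26 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#6) = 7:DES-CBC
Sep 12 13:12:26 racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#5) = 768-bit MODP group:2048-bit MODP group
Sep 12 13:12:26 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = MD5:SHA
Sep 12 13:12:26 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = 7:DES-CBC
Sep 12 13:12:26 racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 768-bit MODP group:1024-bit MODP group
Sep 12 13:12:26 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 7:3DES-CBC
Sep 12 13:12:26 racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 768-bit MODP group:1024-bit MODP group
Sep 12 13:12:26 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = MD5:SHA
Sep 12 13:12:26 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 7:3DES-CBC
Sep 12 13:12:26 racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 768-bit MODP group:2048-bit MODP group
Sep 12 13:12:26 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 7:3DES-CBC
Sep 12 13:12:26 racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 768-bit MODP group:2048-bit MODP group
Sep 12 13:12:26 racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = MD5:SHA
Sep 12 13:12:26 racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 7:3DES-CBC
Sep 12 13:12:26 racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
"""

# Local (DB) value is before the colon, the peer's value after it.
LINE_RE = re.compile(
    r"rejected (?P<attr>enctype|hashtype|dh_group): "
    r"DB\(prop#\d+:trns#\d+\):Peer\(prop#\d+:trns#(?P<peer_trns>\d+)\) = "
    r"(?P<db>[^:]+):(?P<peer>.+)$"
)

# Map what racoon prints (IKEv1 attribute ids on the DB side, names on the
# peer side) to the wording of the pfSense GUI.
ENC = {"1": "DES", "5": "3DES", "7": "AES", "DES-CBC": "DES", "3DES-CBC": "3DES", "AES-CBC": "AES"}
HASH = {"MD5": "MD5", "SHA": "SHA1", "SHA1": "SHA1"}
DH = {"768-bit MODP group": 1, "1024-bit MODP group": 2,
      "1536-bit MODP group": 5, "2048-bit MODP group": 14}
TABLES = {"enctype": ("enc", ENC), "hashtype": ("hash", HASH), "dh_group": ("dh", DH)}


def parse_rejections(log):
    """Return (local_settings, {peer_trns: {attr: peer_value}}) from the rejection lines."""
    local, peer_diffs = {}, defaultdict(dict)
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # vendor IDs, phase banners etc. are not proposal rejections
        key, table = TABLES[m["attr"]]
        local[key] = table.get(m["db"].strip(), m["db"].strip())
        peer_diffs[int(m["peer_trns"])][key] = table.get(m["peer"].strip(), m["peer"].strip())
    return local, dict(peer_diffs)


def peer_proposals(log):
    """Every transform the peer offered, keyed by transform number (1 = most preferred).

    racoon only logs attributes that differ, so anything not rejected for a
    transform equals the local DB value.
    """
    local, peer_diffs = parse_rejections(log)
    return {n: {**local, **diffs} for n, diffs in sorted(peer_diffs.items())}


def matching_transforms(log, enc, hash_, dh):
    """Peer transform numbers a local phase 1 of (enc, hash, dh) would match.

    An attribute absent from a reconstructed transform never differed in any
    line, so nothing is known about it and it is treated as a wildcard.
    """
    want = {"enc": enc, "hash": hash_, "dh": dh}
    return [n for n, p in peer_proposals(log).items()
            if all(p.get(k, v) == v for k, v in want.items())]


if __name__ == "__main__":
    print("local phase 1:", parse_rejections(RACOON_LOG)[0])
    for n, p in peer_proposals(RACOON_LOG).items():
        print(f"peer trns#{n}: {p['enc']}/{p['hash']}/DH{p['dh']}")
    print("3DES/SHA1/DH2 matches peer transform(s):", matching_transforms(RACOON_LOG, "3DES", "SHA1", 2))
```

Run against the log above, the local side comes out as AES/MD5/DH1 (the configuration hakko posted) and the client offers twelve transforms: every combination of DES or 3DES, MD5 or SHA1, and DH group 1, 2 or 14, with 3DES/SHA1/DH14 as its first choice. The 3DES/SHA1/DH2 mgrooms suggested matches transform 3, and hakko's second attempt, 3DES/MD5/DH2, matches transform 4, which is consistent with the proposal errors disappearing and only the "couldn't find the pskey" error remaining in that post. From a hardening standpoint the client's weakest offers (single DES, DH group 1) are there too, so the local side should only list 3DES with SHA1 and group 2 (or group 14 if the local side can offer it), never DES or group 1, so that the weaker transforms can never be selected.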
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.