IPSec phase2 problem - pfSense - Checkpoint

  • Dear all,

    We have established a phase1 tunnel to a Checkpoint device.
    The problem occurs when initiation QUICK_MODE or phase 2.

    0_1530801263864_Screen Shot 2018-07-05 at 16.11.38.png

    As seen in the logs the error is NO_PROPOSAL_CHOSEN and HASH N(NO_PROP).

    We have tried symmetric configuration with all possible encryption and hash algorithms.

    Is there maybe a vendor incompatibility here or just some algorithms are compatible between the two devices?

    We are yousing pfSense 2.3.4-RELEASE-p1.


  • Hello,

    please double check the encryption parameters (AES, SHA, PFS).
    Also please check the participating networks. They have to match exactly. Why is your subnet /24/0?!

    Is the checkpoint configured with "One VPN tunnel per subnet pair"?

  • Hello Bepo,

    The solution to the problem was resolved by killing the IPsec service from terminal and starting it again.
    All encryption parameters where always matching and in Checkpoint the configuration was all subnets on one VPN tunnel (one phase1 and many phase2).

    Why is your subnet /24/0?!
    Do not know the reason why is it like that in system logs. On the configuration side only mask /24 was in use.
    Evan when established the log is the same regarding subnet notation.

    0_1531394443740_Screen Shot 2018-07-12 at 13.17.54.png

    Thanks for the help!

  • Okay. Good to hear. Please mark the topic as resolved.

    Kind regards