1. Home
  2. pfSense® Software
  3. IPsec
  4. AWS VPN NO_PROPOSAL_CHOSEN

AWS VPN NO_PROPOSAL_CHOSEN

  • T

    Hello,

    I'm trying to create a VPN on AWS. I created the tunnels with AWS VPC VPN Wizard but the tunnels aren't going up.
    I received a NO_PROPOSAL_CHOSEN.

    Here is log:

    Apr 5 17:28:07 	charon 		05[IKE] <con2000|25> activating ISAKMP_VENDOR task
Apr 5 17:28:07 	charon 		05[IKE] activating ISAKMP_CERT_PRE task
Apr 5 17:28:07 	charon 		05[IKE] <con2000|25> activating ISAKMP_CERT_PRE task
Apr 5 17:28:07 	charon 		05[IKE] activating MAIN_MODE task
Apr 5 17:28:07 	charon 		05[IKE] <con2000|25> activating MAIN_MODE task
Apr 5 17:28:07 	charon 		05[IKE] activating ISAKMP_CERT_POST task
Apr 5 17:28:07 	charon 		05[IKE] <con2000|25> activating ISAKMP_CERT_POST task
Apr 5 17:28:07 	charon 		05[IKE] activating ISAKMP_NATD task
Apr 5 17:28:07 	charon 		05[IKE] <con2000|25> activating ISAKMP_NATD task
Apr 5 17:28:07 	charon 		05[IKE] sending XAuth vendor ID
Apr 5 17:28:07 	charon 		05[IKE] <con2000|25> sending XAuth vendor ID
Apr 5 17:28:07 	charon 		05[IKE] sending DPD vendor ID
Apr 5 17:28:07 	charon 		05[IKE] <con2000|25> sending DPD vendor ID
Apr 5 17:28:07 	charon 		05[IKE] sending FRAGMENTATION vendor ID
Apr 5 17:28:07 	charon 		05[IKE] <con2000|25> sending FRAGMENTATION vendor ID
Apr 5 17:28:07 	charon 		05[IKE] sending NAT-T (RFC 3947) vendor ID
Apr 5 17:28:07 	charon 		05[IKE] <con2000|25> sending NAT-T (RFC 3947) vendor ID
Apr 5 17:28:07 	charon 		05[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Apr 5 17:28:07 	charon 		05[IKE] <con2000|25> sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Apr 5 17:28:07 	charon 		05[IKE] initiating Main Mode IKE_SA con2000[25] to 35.180.xxx
Apr 5 17:28:07 	charon 		05[IKE] <con2000|25> initiating Main Mode IKE_SA con2000[25] to 35.180.xxx
Apr 5 17:28:07 	charon 		05[IKE] IKE_SA con2000[25] state change: CREATED => CONNECTING
Apr 5 17:28:07 	charon 		05[IKE] <con2000|25> IKE_SA con2000[25] state change: CREATED => CONNECTING
Apr 5 17:28:07 	charon 		05[CFG] <con2000|25> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Apr 5 17:28:07 	charon 		05[ENC] <con2000|25> generating ID_PROT request 0 [ SA V V V V V ]
Apr 5 17:28:07 	charon 		05[NET] <con2000|25> sending packet: from 192.168.1.49[500] to 35.180.xxxx
Apr 5 17:28:07 	charon 		05[NET] <con2000|25> received packet: from 35.180.xxx [500] to 192.168.1.49[500] (40 bytes)
Apr 5 17:28:07 	charon 		05[ENC] <con2000|25> parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
Apr 5 17:28:07 	charon 		05[IKE] received NO_PROPOSAL_CHOSEN error notify
Apr 5 17:28:07 	charon 		05[IKE] <con2000|25> received NO_PROPOSAL_CHOSEN error notify
Apr 5 17:28:07 	charon 		05[IKE] IKE_SA con2000[25] state change: CONNECTING => DESTROYING
Apr 5 17:28:07 	charon 		05[IKE] <con2000|25> IKE_SA con2000[25] state change: CONNECTING => DESTROYING

    The encryption algorithm is fine: AES 128bit SHA1 DH2.

    Could somebody help please?

    Regards,
    Cosmin

    0 K 1 Reply
  • K

    @tupanu Hi

    https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/ipsec-troubleshooting.html

    key for finding the source of a possible problem "NO_PROPOSAL_CHOSEN"

    0
  • T

    Hello,

    Thank you for the link.
    When I've created the tunnels with AWS pfsense wizard, the authentication method was Mutual PSK but on aws side I used certificates.
    Anyway, I've imported the certificates from AWS, changed the authentication method and now I've run into another problem:

    Apr 6 06:05:58 	charon 		11[ENC] <con3000|887> generating ID_PROT request 0 [ SA V V V V V ]
Apr 6 06:05:58 	charon 		11[NET] <con3000|887> sending packet: from 192.168.1.49[500] to 52.47.XXX.XXX[500] (180 bytes)
Apr 6 06:05:58 	charon 		11[NET] <con3000|887> received packet: from 52.47.XXX.XXX[500] to 192.168.1.49[500] (124 bytes)
Apr 6 06:05:58 	charon 		11[ENC] <con3000|887> parsed ID_PROT response 0 [ SA V V ]
Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> received DPD vendor ID
Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> received NAT-T (RFC 3947) vendor ID
Apr 6 06:05:58 	charon 		11[CFG] <con3000|887> selecting proposal:
Apr 6 06:05:58 	charon 		11[CFG] <con3000|887> proposal matches
Apr 6 06:05:58 	charon 		11[CFG] <con3000|887> received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 6 06:05:58 	charon 		11[CFG] <con3000|887> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 6 06:05:58 	charon 		11[CFG] <con3000|887> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> reinitiating already active tasks
Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> ISAKMP_VENDOR task
Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> ISAKMP_CERT_PRE task
Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> MAIN_MODE task
Apr 6 06:05:58 	charon 		11[LIB] <con3000|887> size of DH secret exponent: 1023 bits
Apr 6 06:05:58 	charon 		11[ENC] <con3000|887> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Apr 6 06:05:58 	charon 		11[NET] <con3000|887> sending packet: from 192.168.1.49[500] to 52.47.XXX.XXX[500] (244 bytes)
Apr 6 06:05:58 	charon 		11[NET] <con3000|887> received packet: from 52.47.XXX.XXX[500] to 192.168.1.49[500] (356 bytes)
Apr 6 06:05:58 	charon 		11[ENC] <con3000|887> parsed ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> received cert request for 'C=FR, O=xx, OU=xx, ST=xx xx, CN=xx, L=xx'
Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> local host is behind NAT, sending keep alives
Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> remote host is behind NAT
Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> reinitiating already active tasks
Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> ISAKMP_VENDOR task
Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> ISAKMP_CERT_PRE task
Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> MAIN_MODE task
Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> sending cert request for 'C=FR, O=xx, OU=xx, ST=xx xx, CN=xx, L=xx'
Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> authentication of 'CN=vpn-07633023bf21e2c62.endpoint-1' (myself) successful
Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> sending end entity cert "CN=vpn-07633023bf21e2c62.endpoint-1"
Apr 6 06:05:58 	charon 		11[ENC] <con3000|887> generating ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
Apr 6 06:05:58 	charon 		11[NET] <con3000|887> sending packet: from 192.168.1.49[4500] to 52.47.xx.xx4500] (1500 bytes)
Apr 6 06:05:58 	charon 		11[NET] <con3000|887> received packet: from 52.47.xxx.xxx[4500] to 192.168.1.49[4500] (1356 bytes)
Apr 6 06:05:58 	charon 		11[ENC] <con3000|887> parsed ID_PROT response 0 [ ID CERT SIG V ]
Apr 6 06:05:58 	charon 		11[ENC] <con3000|887> received unknown vendor ID: 49:4b:45:76:32
Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> received end entity cert "CN=vpn-07633023bf21e2c62.endpoint-1"
Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> IDir 'CN=vpn-07633023bf21e2c62.endpoint-1' does not match to '52.47.xx.xx'
Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> queueing ISAKMP_DELETE task
Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> activating new tasks
Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> activating ISAKMP_DELETE task
Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> deleting IKE_SA con3000[887] between 192.168.1.49[CN=vpn-07633023bf21e2c62.endpoint-1]...52.47.xx.xx[%any]
Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> sending DELETE for IKE_SA con3000[887]

    What is means Apr 6 06:05:58 charon 11[IKE] <con3000|887> IDir 'CN=vpn-07633023bf21e2c62.endpoint-1' does not match to '52.47.xx.xx' ?
    Does this means that the certificated from pfsense don't match the one from aws?
    How can I fix this?

    Thanks a lot

    0 K 1 Reply
  • K

    @tupanu

    c55cf18d-95a6-4be5-8a72-852952866963-image.png

    a87014bb-be53-45ea-aeba-1c9d3f436c1f-image.png

    0
  • T

    Please excuse my ignorance but I can't make it work.

    From the log the CN of the certificate is :

    received cert request for 'C=FR, O=XXX, OU=ASW, ST=Haute Garonne, CN=akka-openwis, L=Toulouse

    Here are my settings:

    e719daa6-0241-48ce-849c-870f0b188726-image.png

    But I still get:

    Apr 6 07:34:00 	charon 		14[IKE] <con2000|1071> IDir 'CN=vpn-07633023bf21e2c62.endpoint-0' does not match to 'akka-openwis'

    I've tried with keyID = vpn-07633023bf21e2c62.endpoint-0 but no luck.

    0
  • C

    I ran into this and had created my own post https://forum.netgate.com/topic/157561/aws-vpn-to-pfsense-w-cert-based-auth-how-to-configure-peer-identifier-for-cn/2 but I found the answer through testing and think it would work for you too.

    On the pfSense side, for the Phase 1 peer identifier set the type to ASN.1 distinguished Name and the value to CN=vpn-07633023bf21e2c62.endpoint-1 (just using the example in your post, I assume in reality you haven't left a broken VPN running in AWS all this time and now you would have a different endpoint name) and try connecting the tunnel.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy