Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    AWS VPN NO_PROPOSAL_CHOSEN

    Scheduled Pinned Locked Moved IPsec
    6 Posts 3 Posters 1.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      tupanu
      last edited by

      Hello,

      I'm trying to create a VPN on AWS. I created the tunnels with AWS VPC VPN Wizard but the tunnels aren't going up.
      I received a NO_PROPOSAL_CHOSEN.

      Here is log:

      Apr 5 17:28:07 	charon 		05[IKE] <con2000|25> activating ISAKMP_VENDOR task
      Apr 5 17:28:07 	charon 		05[IKE] activating ISAKMP_CERT_PRE task
      Apr 5 17:28:07 	charon 		05[IKE] <con2000|25> activating ISAKMP_CERT_PRE task
      Apr 5 17:28:07 	charon 		05[IKE] activating MAIN_MODE task
      Apr 5 17:28:07 	charon 		05[IKE] <con2000|25> activating MAIN_MODE task
      Apr 5 17:28:07 	charon 		05[IKE] activating ISAKMP_CERT_POST task
      Apr 5 17:28:07 	charon 		05[IKE] <con2000|25> activating ISAKMP_CERT_POST task
      Apr 5 17:28:07 	charon 		05[IKE] activating ISAKMP_NATD task
      Apr 5 17:28:07 	charon 		05[IKE] <con2000|25> activating ISAKMP_NATD task
      Apr 5 17:28:07 	charon 		05[IKE] sending XAuth vendor ID
      Apr 5 17:28:07 	charon 		05[IKE] <con2000|25> sending XAuth vendor ID
      Apr 5 17:28:07 	charon 		05[IKE] sending DPD vendor ID
      Apr 5 17:28:07 	charon 		05[IKE] <con2000|25> sending DPD vendor ID
      Apr 5 17:28:07 	charon 		05[IKE] sending FRAGMENTATION vendor ID
      Apr 5 17:28:07 	charon 		05[IKE] <con2000|25> sending FRAGMENTATION vendor ID
      Apr 5 17:28:07 	charon 		05[IKE] sending NAT-T (RFC 3947) vendor ID
      Apr 5 17:28:07 	charon 		05[IKE] <con2000|25> sending NAT-T (RFC 3947) vendor ID
      Apr 5 17:28:07 	charon 		05[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Apr 5 17:28:07 	charon 		05[IKE] <con2000|25> sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Apr 5 17:28:07 	charon 		05[IKE] initiating Main Mode IKE_SA con2000[25] to 35.180.xxx
      Apr 5 17:28:07 	charon 		05[IKE] <con2000|25> initiating Main Mode IKE_SA con2000[25] to 35.180.xxx
      Apr 5 17:28:07 	charon 		05[IKE] IKE_SA con2000[25] state change: CREATED => CONNECTING
      Apr 5 17:28:07 	charon 		05[IKE] <con2000|25> IKE_SA con2000[25] state change: CREATED => CONNECTING
      Apr 5 17:28:07 	charon 		05[CFG] <con2000|25> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
      Apr 5 17:28:07 	charon 		05[ENC] <con2000|25> generating ID_PROT request 0 [ SA V V V V V ]
      Apr 5 17:28:07 	charon 		05[NET] <con2000|25> sending packet: from 192.168.1.49[500] to 35.180.xxxx
      Apr 5 17:28:07 	charon 		05[NET] <con2000|25> received packet: from 35.180.xxx [500] to 192.168.1.49[500] (40 bytes)
      Apr 5 17:28:07 	charon 		05[ENC] <con2000|25> parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
      Apr 5 17:28:07 	charon 		05[IKE] received NO_PROPOSAL_CHOSEN error notify
      Apr 5 17:28:07 	charon 		05[IKE] <con2000|25> received NO_PROPOSAL_CHOSEN error notify
      Apr 5 17:28:07 	charon 		05[IKE] IKE_SA con2000[25] state change: CONNECTING => DESTROYING
      Apr 5 17:28:07 	charon 		05[IKE] <con2000|25> IKE_SA con2000[25] state change: CONNECTING => DESTROYING 
      

      The encryption algorithm is fine: AES 128bit SHA1 DH2.

      Could somebody help please?

      Regards,
      Cosmin

      K 1 Reply Last reply Reply Quote 0
      • K
        Konstanti @tupanu
        last edited by

        @tupanu Hi

        https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/ipsec-troubleshooting.html

        key for finding the source of a possible problem "NO_PROPOSAL_CHOSEN"

        1 Reply Last reply Reply Quote 0
        • T
          tupanu
          last edited by tupanu

          Hello,

          Thank you for the link.
          When I've created the tunnels with AWS pfsense wizard, the authentication method was Mutual PSK but on aws side I used certificates.
          Anyway, I've imported the certificates from AWS, changed the authentication method and now I've run into another problem:

          Apr 6 06:05:58 	charon 		11[ENC] <con3000|887> generating ID_PROT request 0 [ SA V V V V V ]
          Apr 6 06:05:58 	charon 		11[NET] <con3000|887> sending packet: from 192.168.1.49[500] to 52.47.XXX.XXX[500] (180 bytes)
          Apr 6 06:05:58 	charon 		11[NET] <con3000|887> received packet: from 52.47.XXX.XXX[500] to 192.168.1.49[500] (124 bytes)
          Apr 6 06:05:58 	charon 		11[ENC] <con3000|887> parsed ID_PROT response 0 [ SA V V ]
          Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> received DPD vendor ID
          Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> received NAT-T (RFC 3947) vendor ID
          Apr 6 06:05:58 	charon 		11[CFG] <con3000|887> selecting proposal:
          Apr 6 06:05:58 	charon 		11[CFG] <con3000|887> proposal matches
          Apr 6 06:05:58 	charon 		11[CFG] <con3000|887> received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
          Apr 6 06:05:58 	charon 		11[CFG] <con3000|887> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
          Apr 6 06:05:58 	charon 		11[CFG] <con3000|887> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
          Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> reinitiating already active tasks
          Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> ISAKMP_VENDOR task
          Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> ISAKMP_CERT_PRE task
          Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> MAIN_MODE task
          Apr 6 06:05:58 	charon 		11[LIB] <con3000|887> size of DH secret exponent: 1023 bits
          Apr 6 06:05:58 	charon 		11[ENC] <con3000|887> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
          Apr 6 06:05:58 	charon 		11[NET] <con3000|887> sending packet: from 192.168.1.49[500] to 52.47.XXX.XXX[500] (244 bytes)
          Apr 6 06:05:58 	charon 		11[NET] <con3000|887> received packet: from 52.47.XXX.XXX[500] to 192.168.1.49[500] (356 bytes)
          Apr 6 06:05:58 	charon 		11[ENC] <con3000|887> parsed ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
          Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> received cert request for 'C=FR, O=xx, OU=xx, ST=xx xx, CN=xx, L=xx'
          Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> local host is behind NAT, sending keep alives
          Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> remote host is behind NAT
          Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> reinitiating already active tasks
          Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> ISAKMP_VENDOR task
          Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> ISAKMP_CERT_PRE task
          Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> MAIN_MODE task
          Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> sending cert request for 'C=FR, O=xx, OU=xx, ST=xx xx, CN=xx, L=xx'
          Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> authentication of 'CN=vpn-07633023bf21e2c62.endpoint-1' (myself) successful
          Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> sending end entity cert "CN=vpn-07633023bf21e2c62.endpoint-1"
          Apr 6 06:05:58 	charon 		11[ENC] <con3000|887> generating ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
          Apr 6 06:05:58 	charon 		11[NET] <con3000|887> sending packet: from 192.168.1.49[4500] to 52.47.xx.xx4500] (1500 bytes)
          Apr 6 06:05:58 	charon 		11[NET] <con3000|887> received packet: from 52.47.xxx.xxx[4500] to 192.168.1.49[4500] (1356 bytes)
          Apr 6 06:05:58 	charon 		11[ENC] <con3000|887> parsed ID_PROT response 0 [ ID CERT SIG V ]
          Apr 6 06:05:58 	charon 		11[ENC] <con3000|887> received unknown vendor ID: 49:4b:45:76:32
          Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> received end entity cert "CN=vpn-07633023bf21e2c62.endpoint-1"
          Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> IDir 'CN=vpn-07633023bf21e2c62.endpoint-1' does not match to '52.47.xx.xx'
          Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> queueing ISAKMP_DELETE task
          Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> activating new tasks
          Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> activating ISAKMP_DELETE task
          Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> deleting IKE_SA con3000[887] between 192.168.1.49[CN=vpn-07633023bf21e2c62.endpoint-1]...52.47.xx.xx[%any]
          Apr 6 06:05:58 	charon 		11[IKE] <con3000|887> sending DELETE for IKE_SA con3000[887] 
          

          What is means Apr 6 06:05:58 charon 11[IKE] <con3000|887> IDir 'CN=vpn-07633023bf21e2c62.endpoint-1' does not match to '52.47.xx.xx' ?
          Does this means that the certificated from pfsense don't match the one from aws?
          How can I fix this?

          Thanks a lot

          K 1 Reply Last reply Reply Quote 0
          • K
            Konstanti @tupanu
            last edited by Konstanti

            @tupanu

            c55cf18d-95a6-4be5-8a72-852952866963-image.png

            a87014bb-be53-45ea-aeba-1c9d3f436c1f-image.png

            1 Reply Last reply Reply Quote 0
            • T
              tupanu
              last edited by

              Please excuse my ignorance but I can't make it work.

              From the log the CN of the certificate is :

              received cert request for 'C=FR, O=XXX, OU=ASW, ST=Haute Garonne, CN=akka-openwis, L=Toulouse
              

              Here are my settings:

              e719daa6-0241-48ce-849c-870f0b188726-image.png

              But I still get:

              Apr 6 07:34:00 	charon 		14[IKE] <con2000|1071> IDir 'CN=vpn-07633023bf21e2c62.endpoint-0' does not match to 'akka-openwis'  
              

              I've tried with keyID = vpn-07633023bf21e2c62.endpoint-0 but no luck.

              1 Reply Last reply Reply Quote 0
              • C
                ccrider
                last edited by

                I ran into this and had created my own post https://forum.netgate.com/topic/157561/aws-vpn-to-pfsense-w-cert-based-auth-how-to-configure-peer-identifier-for-cn/2 but I found the answer through testing and think it would work for you too.

                On the pfSense side, for the Phase 1 peer identifier set the type to ASN.1 distinguished Name and the value to CN=vpn-07633023bf21e2c62.endpoint-1 (just using the example in your post, I assume in reality you haven't left a broken VPN running in AWS all this time and now you would have a different endpoint name) and try connecting the tunnel.

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.