NO_PROPOSAL_CHOSEN IPSec (Cisco <-> pfSense <-> Out IP)
-
Hello,
We are trying to connect a Cisco Router Series 800 (172.128.1.80) via IPsec to an external IP (216.177.216.184). The problem is that this connection cannot be established. I believe that strongSwan interferes in this communication, because when we look at the reply from the external server to our pfSense we see the status "No proposal chosen".
[screenshot: port 500]
[screenshot: UDP dump, host 172.128.1.80]
[screenshot: IPsec log]
Can you help us with this?
Is it possible to perform a bypass so that the communication is established without pfSense intermediating?
-
Version: 2.4.4-RELEASE-p3 (amd64) built on Wed May 15 18:53:44 EDT 2019 FreeBSD 11.2-RELEASE-p10
Reminder:
In the firewall, 172.128.1.80 is allowed to any destination.
In NAT we created a port forward of 500:4500 (UDP) to the destination address.
-
It can't find an exact match for your crypto settings. Since you posted an image of the logs and not the actual logs, I can't point to anything more specific, but you can see what the remote side is proposing and what is configured locally, and strongSwan is saying there is nothing in common between both lists.
-
If you are still having this issue, you could change your MODP (DH Group) on pfSense to 2 and the hash to SHA1; that should get you past that point.
Would be better to get the client side to use better settings though.
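As an added illustration of what the two replies above describe (this is not code from the thread or from pfSense/strongSwan): a small Python script that reads the "received proposals" / "configured proposals" lines charon writes to the IPsec log and reports which algorithm family (encryption, integrity, PRF, DH group) has no overlap between the peers. The log lines are constructed to mirror the DH group and hash mismatch the second reply points at; the family classification by name prefix is a simplification (AEAD ciphers are counted as encryption).

```python
import re

# Constructed sample of the charon lines pfSense's IPsec log shows when no
# IKE proposal is shared; the values are made up to mirror this thread.
SAMPLE_LOG = """\
charon: 09[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
charon: 09[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
charon: 09[IKE] no matching proposal found, sending NO_PROPOSAL_CHOSEN
"""

PROPOSAL_RE = re.compile(r"\b(received|configured) proposals: (.+)$")

def classify(alg: str) -> str:
    """Map a strongSwan algorithm name to its family (AEAD ciphers count as enc here)."""
    if alg.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh"
    if alg.startswith("PRF_"):
        return "prf"
    if alg.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "integ"
    return "enc"

def parse_proposals(log: str) -> dict[str, list[dict[str, set[str]]]]:
    """Return {'received': [...], 'configured': [...]}; each proposal is {family: {algs}}."""
    out: dict[str, list[dict[str, set[str]]]] = {"received": [], "configured": []}
    for line in log.splitlines():
        m = PROPOSAL_RE.search(line)
        if not m:
            continue
        for prop in m.group(2).split(","):
            prop = prop.strip().split(":", 1)[-1]   # drop the "IKE:" / "ESP:" prefix
            fam: dict[str, set[str]] = {}
            for alg in prop.split("/"):
                fam.setdefault(classify(alg), set()).add(alg)
            out[m.group(1)].append(fam)
    return out

def proposals_match(a: dict[str, set[str]], b: dict[str, set[str]]) -> bool:
    """Two proposals agree when every family present in either has a common algorithm."""
    return all(a.get(f, set()) & b.get(f, set()) for f in set(a) | set(b))

def explain_mismatch(log: str) -> dict:
    """Report whether any remote/local pair matches and, per family, where the gap is."""
    props = parse_proposals(log)
    matched = any(proposals_match(r, c) for r in props["received"] for c in props["configured"])
    offered: dict[str, set[str]] = {}
    local: dict[str, set[str]] = {}
    for side, acc in (("received", offered), ("configured", local)):
        for prop in props[side]:
            for fam, algs in prop.items():
                acc.setdefault(fam, set()).update(algs)
    missing = {f: {"remote": sorted(offered.get(f, ())), "local": sorted(local.get(f, ()))}
               for f in sorted(set(offered) | set(local))
               if not offered.get(f, set()) & local.get(f, set())}
    return {"matched": matched, "missing": missing}

if __name__ == "__main__":
    print(explain_mismatch(SAMPLE_LOG))
```

Feed it the text of the actual IPsec log instead of the screenshot and the "missing" entries tell you directly which phase 1 setting on pfSense or on the Cisco side has to change.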