IKEv2 client VPN: unexpected no proposal match
-
Hello,
I can't figure out why the following connection attempt case (Android 11 client, IKEv2 MSCHAPv2 VPN) ends up with:received proposals unacceptable
Proposals are:
received proposals:
IKE:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/PRF_HMAC_SHA1/PRF_AES128_XCBC/MODP_4096/MODP_3072/MODP_2048
IKE:AES_GCM_16_256/AES_GCM_12_256/AES_GCM_8_256/AES_GCM_16_192/AES_GCM_12_192/AES_GCM_8_192/AES_GCM_16_128/AES_GCM_12_128/AES_GCM_8_128/PRF_HMAC_SHA1/PRF_AES128_XCBC/MODP_4096/MODP_3072/MODP_2048configured proposals:
IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_2048
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024And I'd expect a match on the highlighted combination.
Does anyone have any idea why it ends up with no match?05[NET] <13> received packet: from 1.2.3.4[65227] to 4.3.2.1[500] (940 bytes) 05[ENC] <13> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ] 05[CFG] <13> looking for an IKEv2 config for 4.3.2.1...1.2.3.4 05[CFG] <13> candidate: 4.3.2.1...0.0.0.0/0, ::/0, prio 1052 05[CFG] <13> found matching ike config: 4.3.2.1...0.0.0.0/0, ::/0 with prio 1052 05[IKE] <13> 1.2.3.4 is initiating an IKE_SA 05[IKE] <13> IKE_SA (unnamed)[13] state change: CREATED => CONNECTING 05[CFG] <13> selecting proposal: 05[CFG] <13> no acceptable ENCRYPTION_ALGORITHM found 05[CFG] <13> selecting proposal: 05[CFG] <13> no acceptable PSEUDO_RANDOM_FUNCTION found 05[CFG] <13> selecting proposal: 05[CFG] <13> no acceptable PSEUDO_RANDOM_FUNCTION found 05[CFG] <13> selecting proposal: 05[CFG] <13> no acceptable ENCRYPTION_ALGORITHM found 05[CFG] <13> selecting proposal: 05[CFG] <13> no acceptable INTEGRITY_ALGORITHM found 05[CFG] <13> selecting proposal: 05[CFG] <13> no acceptable ENCRYPTION_ALGORITHM found 05[CFG] <13> selecting proposal: 05[CFG] <13> no acceptable INTEGRITY_ALGORITHM found 05[CFG] <13> selecting proposal: 05[CFG] <13> no acceptable ENCRYPTION_ALGORITHM found 05[CFG] <13> received proposals: IKE:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/PRF_HMAC_SHA1/PRF_AES128_XCBC/MODP_4096/MODP_3072/MODP_2048, IKE:AES_GCM_16_256/AES_GCM_12_256/AES_GCM_8_256/AES_GCM_16_192/AES_GCM_12_192/AES_GCM_8_192/AES_GCM_16_128/AES_GCM_12_128/AES_GCM_8_128/PRF_HMAC_SHA1/PRF_AES128_XCBC/MODP_4096/MODP_3072/MODP_2048 05[CFG] <13> configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 05[CFG] <13> looking for IKEv2 configs for 4.3.2.1...1.2.3.4 05[CFG] <13> candidate: 4.3.2.1...0.0.0.0/0, ::/0, prio 1052 05[CFG] <13> received supported signature hash algorithms: sha256 sha384 sha512 05[IKE] <13> remote host is behind NAT 05[IKE] <13> received proposals unacceptable 05[ENC] <13> generating IKE_SA_INIT response 0 [ N(NO_PROP) ] 05[NET] <13> sending packet: from 4.3.2.1[500] to 1.2.3.4[65227] (36 bytes) 05[IKE] <13> IKE_SA (unnamed)[13] state change: CONNECTING => DESTROYING
-
@petrh said in IKEv2 client VPN: unexpected no proposal match:
PRF_HMAC_SHA2_256
The received proposal does not include
PRF_HMAC_SHA2_256
, and the only entry which matches most of the other parts requiresPRF_HMAC_SHA2_256
.You can check the box to set a specific alternate PRF and then choose SHA1 for that which should work.
Or configure the remote side to allow a SHA2 PRF.
-
@jimp Great, thanks for the hint. I was thinking the right direction, but missed the setting. I look more thoroughly again and found it.