Problem with IPsec tunnel between 2 pfSense 2.2 boxes.

  • I'm trying to set up an IPsec tunnel between 2 pfSense boxes.

    Phase 1 is configured with:

    • Key exchange V2.
    • Mutual PSK.
    • AES encryption.
    • AES Hash.
    • DH Key group 2.

    But it keeps failing with NO PROPOSAL CHOSEN; the log shows:

    Feb 12 21:14:44 charon: 10[IKE] initiating IKE_SA con1[2] to A.A.A.A
    Feb 12 21:14:45 charon: 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
    Feb 12 21:14:45 charon: 10[NET] sending packet: from B.B.B.B[500] to A.A.A.A[500] (312 bytes)
    Feb 12 21:14:45 charon: 10[NET] received packet: from A.A.A.A[500] to B.B.B.B[500] (36 bytes)
    Feb 12 21:14:45 charon: 10[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
    Feb 12 21:14:45 charon: 10[IKE] <con1|2>received NO_PROPOSAL_CHOSEN notify error
    Feb 12 21:14:45 charon: 10[IKE] received NO_PROPOSAL_CHOSEN notify error

    All phase 2 entries are made as in the guide; I can't see what is missing.

  • Rebel Alliance Developer Netgate

    Increase the logging for IKE SA and IKE Child SA and try again.

    With NO_PROPOSAL_CHOSEN there must be a mismatch somewhere. Without seeing the exact settings on both sides it's impossible to tell just from that message. You can mask out the PSK and peer IPs if you post the configuration/screenshots.

  • Config from box A+B attached.

    Last log lines from box B (client box):

    Feb 13 03:01:53 charon: 10[KNL] creating acquire job for policy B.B.B.B/32|/0 === A.A.A.A/32|/0 with reqid {1}
    Feb 13 03:01:53 charon: 10[IKE] <con1|1>establishing CHILD_SA con1{1}
    Feb 13 03:01:53 charon: 10[IKE] establishing CHILD_SA con1{1}
    Feb 13 03:01:53 charon: 10[ENC] generating CREATE_CHILD_SA request 7 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
    Feb 13 03:01:53 charon: 10[NET] sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (284 bytes)
    Feb 13 03:01:53 charon: 09[NET] received packet: from A.A.A.A[4500] to B.B.B.B[4500] (76 bytes)
    Feb 13 03:01:53 charon: 09[ENC] parsed CREATE_CHILD_SA response 7 [ N(NO_PROP) ]
    Feb 13 03:01:53 charon: 09[IKE] <con1|1>received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
    Feb 13 03:01:53 charon: 09[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
    Feb 13 03:01:53 charon: 09[IKE] <con1|1>failed to establish CHILD_SA, keeping IKE_SA
    Feb 13 03:01:53 charon: 09[IKE] failed to establish CHILD_SA, keeping IKE_SA


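As an added illustration (not from the thread or from pfSense/strongSwan itself) of what the developer's point means in practice: the two logs above both say NO_PROPOSAL_CHOSEN, but the first carries it in an IKE_SA_INIT response (phase 1 proposal rejected) and the second in a CREATE_CHILD_SA response (phase 2 / ESP proposal rejected). This small parser reads charon log lines in the format shown above, ties each notify to the exchange that returned it, and maps that to the pfSense settings worth comparing; the sample lines are constructed copies of the thread's output with the same masked addresses.

```python
import re
from dataclasses import dataclass

# Constructed sample, in the same charon log format as the thread (IPs masked).
SAMPLE_LOG = """\
Feb 12 21:14:45 charon: 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Feb 12 21:14:45 charon: 10[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Feb 12 21:14:45 charon: 10[IKE] <con1|2>received NO_PROPOSAL_CHOSEN notify error
Feb 13 03:01:53 charon: 10[ENC] generating CREATE_CHILD_SA request 7 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Feb 13 03:01:53 charon: 09[ENC] parsed CREATE_CHILD_SA response 7 [ N(NO_PROP) ]
Feb 13 03:01:53 charon: 09[IKE] <con1|1>received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
"""

PARSED_RE = re.compile(r"\[ENC\] parsed (\S+) response (\d+) \[(.*)\]")
NOPROP_RE = re.compile(r"\[IKE\] <(\w+)\|(\d+)>received NO_PROPOSAL_CHOSEN")

# Which part of the pfSense config a NO_PROP in each IKEv2 exchange points at.
HINTS = {
    "IKE_SA_INIT": "Phase 1 mismatch: compare IKE encryption, hash/PRF and DH group",
    "IKE_AUTH": "Phase 2 mismatch (first child SA): compare ESP encryption, hash and PFS group",
    "CREATE_CHILD_SA": "Phase 2 mismatch: compare ESP encryption, hash and PFS group",
}


@dataclass
class Finding:
    conn: str       # connection name, e.g. con1
    ike_sa: int     # IKE_SA unique id from <con1|N>
    exchange: str   # exchange whose response carried N(NO_PROP)
    msg_id: int     # IKE message id of that response
    hint: str


def classify_no_prop(log_text: str) -> list:
    """Attribute each NO_PROPOSAL_CHOSEN notify to the exchange that returned it.

    charon logs 'parsed <EXCHANGE> response N [ ... N(NO_PROP) ]' right before the
    'received NO_PROPOSAL_CHOSEN' line, so that response identifies the failed phase.
    """
    findings = []
    pending = None  # (exchange, msg_id) of the last parsed response carrying NO_PROP
    for line in log_text.splitlines():
        p = PARSED_RE.search(line)
        n = NOPROP_RE.search(line)
        if p:
            pending = (p.group(1), int(p.group(2))) if "N(NO_PROP)" in p.group(3) else None
        elif n and pending:
            exchange, msg_id = pending
            findings.append(Finding(n.group(1), int(n.group(2)), exchange, msg_id,
                                    HINTS.get(exchange, "unrecognised exchange")))
            pending = None
    return findings
```

Run it over the raw IPsec log from Status > System Logs and each Finding tells you whether to compare the phase 1 or the phase 2 proposal on both boxes.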

  • Your phase2 settings are not matching!



  • They seem okay to me, screenshots attached. I can't find the difference.

  • Try changing AES-XCBC to something else?



  • I have tried with MD5, SHA1 and also SHA256 with no luck, still the same error.

    I noticed that the IPsec widget on the dashboard only showed 1 tunnel, when before the upgrade it showed all 4, so I figured that something was off and the upgraded IPsec settings were fubar.
    I deleted all IPsec settings, both phase 1 and 2, from both boxes, and then created them again (with the same settings, screenshot-wise) but only one phase 2 tunnel, and now it works :) I then recreated the last 3 tunnels and it still works, so I guess that there was something in the config files that was upgraded wrong.

    The widget still only shows 1 of the 4 phase 2 tunnels; maybe that is a bug?