Netgate Discussion Forum
    Problem with IPsec tunnel between 2 pfSense 2.2 boxes.

    IPsec
    7 Posts 3 Posters 8.2k Views
      shade

      I'm trying to set up an IPsec tunnel between 2 pfSense boxes.

      Phase 1 is configured with:

      • Key exchange V2.
      • Mutual PSK.
      • AES encryption.
      • AES Hash.
      • DH Key group 2.

      But it keeps stopping with NO_PROPOSAL_CHOSEN; the log shows:

      Feb 12 21:14:44 charon: 10[IKE] initiating IKE_SA con1[2] to A.A.A.A
      Feb 12 21:14:45 charon: 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
      Feb 12 21:14:45 charon: 10[NET] sending packet: from B.B.B.B[500] to A.A.A.A[500] (312 bytes)
      Feb 12 21:14:45 charon: 10[NET] received packet: from A.A.A.A[500] to B.B.B.B[500] (36 bytes)
      Feb 12 21:14:45 charon: 10[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
      Feb 12 21:14:45 charon: 10[IKE] <con1|2> received NO_PROPOSAL_CHOSEN notify error
      Feb 12 21:14:45 charon: 10[IKE] received NO_PROPOSAL_CHOSEN notify error

      All phase 2 entries are made as in the guide; I can't see what is missing.

        jimp (Rebel Alliance Developer, Netgate)

        Increase the logging for IKE SA and IKE Child SA and try again.

        With NO_PROPOSAL_CHOSEN there must be a mismatch somewhere. Without seeing the exact settings on both sides it's impossible to tell just from that message. You can mask out the PSK and peer IPs if you post the configuration/screenshots.

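        Before raising the log level, the lines already posted tell you which half of the configuration to compare: the exchange whose response carries N(NO_PROP) is the one that was rejected. As an added example (not code from this thread, pfSense or strongSwan), a small Python classifier that reads charon log lines of the form shown above and maps the rejecting exchange to the settings that must match. The sample lines are constructed, modelled on the two excerpts in this thread; the regex and the stage table are this example's own assumptions about the charon log format.

```python
import re
from typing import Optional

# Constructed sample lines, modelled on the two excerpts posted in this thread
# (not the poster's actual logs).
PHASE1_FAIL = """\
Feb 12 21:14:44 charon: 10[IKE] initiating IKE_SA con1[2] to A.A.A.A
Feb 12 21:14:45 charon: 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Feb 12 21:14:45 charon: 10[NET] received packet: from A.A.A.A[500] to B.B.B.B[500] (36 bytes)
Feb 12 21:14:45 charon: 10[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Feb 12 21:14:45 charon: 10[IKE] received NO_PROPOSAL_CHOSEN notify error
"""

PHASE2_FAIL = """\
Feb 13 03:01:53 charon: 10[IKE] establishing CHILD_SA con1{1}
Feb 13 03:01:53 charon: 10[ENC] generating CREATE_CHILD_SA request 7 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Feb 13 03:01:53 charon: 09[ENC] parsed CREATE_CHILD_SA response 7 [ N(NO_PROP) ]
Feb 13 03:01:53 charon: 09[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Feb 13 03:01:53 charon: 09[IKE] failed to establish CHILD_SA, keeping IKE_SA
"""

# "[ENC] parsed <EXCHANGE> response <msgid> [ <payloads> ]" (assumed format, matches the lines above)
PARSED_RE = re.compile(r"\[ENC\] parsed (\S+) response \d+ \[ (.*?) \]")

# Which IKEv2 exchange rejected the proposal decides which settings to compare.
STAGE = {
    "IKE_SA_INIT": "phase 1: IKE proposal (encryption, hash/PRF, DH group) mismatch",
    "IKE_AUTH": "phase 2: first CHILD_SA proposal rejected inside IKE_AUTH",
    "CREATE_CHILD_SA": "phase 2: ESP proposal or PFS group mismatch; the IKE_SA itself is up",
}


def classify_no_proposal(log: str) -> Optional[str]:
    """Return the stage that produced NO_PROPOSAL_CHOSEN, or None if no response carried it."""
    for line in log.splitlines():
        m = PARSED_RE.search(line)
        if m and "N(NO_PROP)" in m.group(2):
            exchange = m.group(1)
            return STAGE.get(exchange, f"unknown exchange {exchange}")
    return None


if __name__ == "__main__":
    print("first excerpt :", classify_no_proposal(PHASE1_FAIL))
    print("second excerpt:", classify_no_proposal(PHASE2_FAIL))
```

The first excerpt in this thread is rejected at IKE_SA_INIT, so only the phase 1 settings are in play there; the second is rejected at CREATE_CHILD_SA with "keeping IKE_SA", which means phase 1 now agrees and only the phase 2 proposals need comparing.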
          shade

          Config from box A+B attached.

          Last log lines from box B (client box):

          Feb 13 03:01:53 charon: 10[KNL] creating acquire job for policy B.B.B.B/32|/0 === A.A.A.A/32|/0 with reqid {1}
          Feb 13 03:01:53 charon: 10[IKE] <con1|1> establishing CHILD_SA con1{1}
          Feb 13 03:01:53 charon: 10[IKE] establishing CHILD_SA con1{1}
          Feb 13 03:01:53 charon: 10[ENC] generating CREATE_CHILD_SA request 7 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
          Feb 13 03:01:53 charon: 10[NET] sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (284 bytes)
          Feb 13 03:01:53 charon: 09[NET] received packet: from A.A.A.A[4500] to B.B.B.B[4500] (76 bytes)
          Feb 13 03:01:53 charon: 09[ENC] parsed CREATE_CHILD_SA response 7 [ N(NO_PROP) ]
          Feb 13 03:01:53 charon: 09[IKE] <con1|1> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
          Feb 13 03:01:53 charon: 09[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
          Feb 13 03:01:53 charon: 09[IKE] <con1|1> failed to establish CHILD_SA, keeping IKE_SA
          Feb 13 03:01:53 charon: 09[IKE] failed to establish CHILD_SA, keeping IKE_SA

          box_a.png
          box_b.png

            eri--

            Your phase2 settings are not matching!

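            A CREATE_CHILD_SA responder answers NO_PROPOSAL_CHOSEN when none of the (cipher, key length, integrity, PFS group) combinations the initiator offered is one it would itself accept, so two phase 2 entries that list the same cipher but different hashes, or the same hash but different PFS groups, have nothing in common. To make that checkable, here is an added example (not code from this thread, pfSense or strongSwan) that expands what each box's phase 2 entry offers and intersects the two sets. The "auto" key-length expansion, the name mappings and the ipsec.conf-style rendering are this example's assumptions, and BOX_A / BOX_B_* are constructed entries, not the poster's screenshots.

```python
from itertools import product

# Key lengths that an "auto" key-length choice stands for (assumption for this example;
# it is modelled as one proposal per length rather than a range).
AUTO_KEY_LENGTHS = {"aes": (128, 192, 256), "3des": (None,)}

# pfSense-style hash names -> strongSwan proposal tokens (assumed mapping).
INTEG_TOKEN = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "AES-XCBC": "aesxcbc"}

# PFS key group number -> DH group token; 0 means PFS off.
PFS_TOKEN = {0: None, 2: "modp1024", 5: "modp1536", 14: "modp2048"}


def expand(phase2):
    """Expand a phase 2 entry into the set of (enc, keylen, integ, pfs) combinations
    it is willing to negotiate. An entry is a dict with "encryption" (list of
    (cipher, keylen-or-None)), "hashes" (list of names) and "pfs" (group number)."""
    offered = set()
    for enc, keylen in phase2["encryption"]:
        lengths = (keylen,) if keylen is not None else AUTO_KEY_LENGTHS[enc]
        for kl, integ in product(lengths, phase2["hashes"]):
            offered.add((enc, kl, INTEG_TOKEN[integ], PFS_TOKEN[phase2["pfs"]]))
    return offered


def matching_proposals(side_a, side_b):
    """Combinations both peers accept; an empty set is NO_PROPOSAL_CHOSEN at CREATE_CHILD_SA."""
    return expand(side_a) & expand(side_b)


def esp_line(proposals):
    """Render proposals roughly the way they appear on an ipsec.conf esp= line (approximation)."""
    parts = []
    for enc, kl, integ, pfs in sorted(proposals, key=str):
        token = f"{enc}{kl}" if kl else enc
        token += f"-{integ}"
        if pfs:
            token += f"-{pfs}"
        parts.append(token)
    return ",".join(parts)


# Constructed phase 2 entries for the two boxes (illustrative, not the thread's screenshots).
BOX_A = {"encryption": [("aes", None)], "hashes": ["AES-XCBC"], "pfs": 2}
BOX_B_BROKEN = {"encryption": [("aes", 256)], "hashes": ["SHA1"], "pfs": 2}       # same cipher, no common hash
BOX_B_PFS = {"encryption": [("aes", 256)], "hashes": ["AES-XCBC"], "pfs": 14}     # hash agrees, PFS group differs
BOX_B_FIXED = {"encryption": [("aes", 256)], "hashes": ["SHA1", "AES-XCBC"], "pfs": 2}

if __name__ == "__main__":
    for name, b in (("broken", BOX_B_BROKEN), ("pfs", BOX_B_PFS), ("fixed", BOX_B_FIXED)):
        common = matching_proposals(BOX_A, b)
        print(f"{name:7s} -> {esp_line(common) or 'NO_PROPOSAL_CHOSEN'}")
```

On pfSense 2.2 the proposals strongSwan actually negotiates are the ones written to /var/etc/ipsec/ipsec.conf on each box; comparing the esp= lines there side by side is a more reliable check than screenshots when, as in this thread, the GUI looks identical on both ends.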
              shade

              They seem okay to me, screenshots attached. I can't find the difference.

              box_a_fase2.png
              box_b_fase2.png

                eri--

                Try changing AES-XCBC to something else?

                  shade

                  I have tried with MD5, SHA1 and also SHA256 with no luck, still the same error.

                  I noticed that the IPsec widget on the dashboard only showed 1 tunnel, when before the upgrade it showed all 4, so I figured that something was off and the upgraded IPsec settings were fubar.
                  I deleted all IPsec settings, both phase 1 and 2, from both boxes, and then created them again (with the same settings, screenshot-wise) but with only one phase 2 tunnel, and now it works :) I then recreated the last 3 tunnels and it still works, so I guess that there was something in the config files that was upgraded wrong.

                  The widget still only shows 1 of the 4 phase 2 tunnels, maybe that is a bug?

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.