Netgate Discussion Forum
Help with IPSEC not connecting

12 Posts 3 Posters 7.5k Views
    Dinmiller
    last edited by Dec 5, 2015, 5:12 AM

    I am new to this; I have basically had to take a crash course of tons of reading to build this from scratch. I had a new client call me up and really needed me to come try to get this running for him. I have everything up and running except for some reason I can't get the VPN tunnel to connect and I am at a loss. One side is running 2.0.3-RELEASE and the other is up to date with 2.2.5-RELEASE (amd64). I will post the logs from one side; they are attempting to talk to each other but it is failing somewhere, and well, I am sure a lot of you know how it can be entering a train wreck.

    Also, he has a phone switch that has to travel through the VPN to the other side; is there some way I need to force the connection through this VPN to the other side? I have no way of testing the phone switch because the Netgear switch on the other side is fried and we are running Sunday to replace it. I will be taking out IPs for obvious reasons.

    Dec 4 22:53:59    racoon: []:ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
    Dec 4 22:53:59    racoon: INFO: begin Aggressive mode.
    Dec 4 22:53:59    racoon: []: INFO: initiate new phase 1 negotiation:
    Dec 4 22:53:59    racoon: []: INFO: IPsec-SA request for queued due to no phase1 found.
    Dec 4 22:53:59    racoon: INFO: delete phase 2 handler.
    Dec 4 22:53:59    racoon: []: ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP
    Dec 4 22:53:34    racoon: ERROR: phase1 negotiation failed due to time up. 368007a05be3be28:0000000000000000
    Dec 4 22:53:28    racoon: []: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Dec 4 22:53:24    racoon: []: ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
    Dec 4 22:53:15    racoon: INFO: delete phase 2 handler.
    Dec 4 22:53:15    racoon: []: ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP
    Dec 4 22:53:14    racoon: []: ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
    Dec 4 22:53:04    racoon: []: ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
    Dec 4 22:52:54    racoon: []: ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
    Dec 4 22:52:44    racoon: []: ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
    Dec 4 22:52:44    racoon: INFO: begin Aggressive mode.
    Dec 4 22:52:44    racoon: []: INFO: initiate new phase 1 negotiation:
    Dec 4 22:52:44    racoon: []: INFO: IPsec-SA request for queued due to no phase1 found.
    Dec 4 22:52:38    racoon: INFO: delete phase 2 handler.
    Dec 4 22:52:38    racoon: []: ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP
    Dec 4 22:52:13    racoon: ERROR: phase1 negotiation failed due to time up. 7e3c16028ee9ac85:0000000000000000
    Dec 4 22:52:07    racoon: []:INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Dec 4 22:52:03    racoon: []: ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
    Dec 4 22:51:54    racoon: INFO: delete phase 2 handler.
    Dec 4 22:51:54    racoon: []: ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP
    Dec 4 22:51:53    racoon: []: ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
    Dec 4 22:51:43    racoon: []: ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
    Dec 4 22:51:33    racoon: []: ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
    Dec 4 22:51:23    racoon: []: ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
    Dec 4 22:51:23    racoon: INFO: begin Aggressive mode.
    Dec 4 22:51:23    racoon: []: INFO: initiate new phase 1 negotiation:
    Dec 4 22:51:23    racoon: []: INFO: IPsec-SA request for queued due to no phase1 found.
    Dec 4 22:51:14    racoon: INFO: delete phase 2 handler.

    I have a feeling it's something very simple, but I have had little sleep between having an 11-month-old and then staying up all night working on everything that's happened. Thank you all in advance.

      cmb
      last edited by Dec 5, 2015, 5:25 AM

      You have a phase 1 mismatch of some sort, no way to tell what from that. Just make sure things match up on both sides.

        Dinmiller
        last edited by Dec 5, 2015, 5:30 AM

        It's hard to tell what it could be because there are some different settings on the newer version that aren't there on the older version. I may just have to create a new machine up at the main office with an up-to-date pfSense and build it out.

          Dinmiller
          last edited by Dec 5, 2015, 6:00 AM

          Pictures 1 and 2 are the old pfSense and 3, 4, 5 are of the new one. Any tips at this point would be appreciated.

          Attachments: 1.png, 2.png, 3.png, 4.png, 5.png

            cmb
            last edited by Dec 5, 2015, 6:15 AM

            The ones that matter in the context of no proposal chosen are identical between them: interface, remote gateway, identifiers. Make them main mode; you don't want aggressive. AES would be better than 3DES (faster and more secure), though that won't matter since they match.

            There should be no reason you can't upgrade the 2.0x side, that's extremely dated at this point.

              Dinmiller
              last edited by Dec 5, 2015, 6:28 AM

              Well, I changed what you suggested and double-checked the other settings; in the logs I'm still getting spam of "delete phase 2", so I am still at a loss lol.

                Dinmiller
                last edited by Dec 5, 2015, 6:37 AM

                Is it possible all I need to do is delete and recreate the tunnel on the old one? I never re-created it; I just assumed it would work with the new one considering the IP and everything stayed the same.

                  cmb
                  last edited by Dec 5, 2015, 9:48 AM

                  The part above the "delete phase 2 handler" is what matters (that just indicates a P1 mismatch), is that still no proposal chosen?

                  Updating it after an IP change is fine, no need to re-create it.

                    Dinmiller
                    last edited by Dec 5, 2015, 2:25 PM

                    Dec 5 08:20:09 racoon: ERROR: phase1 negotiation failed due to time up. 586c519806462d76:0000000000000000
                    Dec 5 08:20:01 racoon: []: [66.xx.xxx.xxx] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
                    Dec 5 08:19:59 racoon: []: [66.xx.xxx.xxx] ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
                    Dec 5 08:19:50 racoon: INFO: delete phase 2 handler.
                    Dec 5 08:19:50 racoon: []: [66.xx.xxx.xxx] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 66.xx.xxx.xxx[0]->208.xxx.xxx.xxx[0]
                    Dec 5 08:19:49 racoon: []: [66.xx.xxx.xxx] ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.

                    That's what I'm still getting.

                      Dinmiller
                      last edited by Dec 5, 2015, 2:42 PM

                      charon: 07[IKE] <2371> no IKE config found for 66.xx.xxx.xxx…208.xxx.xxx.xxx, sending NO_PROPOSAL_CHOSEN

                      I am getting that on the other firewall

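An added example (not code from the thread or from pfSense): a small Python triage script for the two log shapes that appear here, racoon on the 2.0.3 side and strongSwan's charon on the 2.2.5 side. It applies cmb's reading above: the lines above "delete phase 2 handler" carry the diagnosis, and the phase-2 timeouts are only consequences. It separates a peer that answers NO-PROPOSAL-CHOSEN (phase-1 settings differ) from a peer that never answers (reachability), and reads charon's "no IKE config found for A...B" as the responder having no phase-1 entry that matches the initiator. The log lines and addresses in the sample are constructed from the shapes posted in the thread, with documentation addresses in place of the redacted ones.

```python
"""Triage IKE phase-1 failures from pfSense IPsec logs (racoon and charon)."""
import re
from collections import Counter

# racoon (pfSense 2.0.x) messages, keyed by what they indicate.
RACOON_PATTERNS = {
    "proposal_rejected_by_peer": re.compile(r"NO-PROPOSAL-CHOSEN received"),
    "phase1_timeout": re.compile(r"phase1 negotiation failed due to time up"),
    "phase2_waiting_on_phase1": re.compile(r"waiting for phase1"),
    "aggressive_mode": re.compile(r"begin Aggressive mode"),
    "phase2_handler_deleted": re.compile(r"delete phase 2 handler"),
}

# charon (strongSwan, pfSense 2.2.x) responder-side message. Accepts the
# literal "..." charon writes and the "…" that forum copy/paste may produce.
CHARON_NO_CONFIG = re.compile(
    r"no IKE config found for (?P<initiator>\S+?)(?:\.\.\.|…)(?P<responder>\S+),"
    r" sending NO_PROPOSAL_CHOSEN"
)

VERDICTS = {
    "no_matching_ike_config": (
        "Responder has no phase-1 entry matching the initiator's address/identifier: "
        "check Interface, Remote gateway and identifiers on the responder."
    ),
    "proposal_rejected_by_peer": (
        "Peer answered phase 1 with NO-PROPOSAL-CHOSEN: phase-1 settings differ "
        "(mode, encryption, hash, DH group, lifetime, identifiers or PSK)."
    ),
    "phase1_timeout": (
        "Phase 1 timed out with no answer from the peer: check reachability and "
        "that UDP 500/4500 are not filtered between the gateways."
    ),
    "ok": "No phase-1 failure indicators found.",
}


def classify_line(line):
    """Return the symptom key for one log line, or None if it is not relevant."""
    if CHARON_NO_CONFIG.search(line):
        return "no_matching_ike_config"
    for key, pattern in RACOON_PATTERNS.items():
        if pattern.search(line):
            return key
    return None


def triage(lines):
    """Count phase-1 symptoms across log lines and pick a root-cause verdict.

    Phase-2 messages ("delete phase 2 handler", "waiting for phase1") are
    counted but never drive the verdict: they follow from a phase-1 failure.
    """
    counts = Counter()
    peers = set()
    for line in lines:
        key = classify_line(line)
        if key is None:
            continue
        counts[key] += 1
        if key == "no_matching_ike_config":
            m = CHARON_NO_CONFIG.search(line)
            peers.add((m.group("initiator"), m.group("responder")))
    # Priority: responder-side config message > peer rejection > silent timeout.
    for key in ("no_matching_ike_config", "proposal_rejected_by_peer", "phase1_timeout"):
        if counts[key]:
            verdict = key
            break
    else:
        verdict = "ok"
    notes = []
    if counts["aggressive_mode"]:
        notes.append("Aggressive mode in use; main mode is the recommended setting.")
    return {
        "verdict": verdict,
        "message": VERDICTS[verdict],
        "counts": dict(counts),
        "peers": sorted(peers),
        "notes": notes,
    }


# Constructed sample input, shaped like the thread's logs (placeholder addresses).
SAMPLE_RACOON = """\
Dec 4 22:53:59 racoon: []: ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
Dec 4 22:53:59 racoon: INFO: begin Aggressive mode.
Dec 4 22:53:59 racoon: []: INFO: initiate new phase 1 negotiation:
Dec 4 22:53:34 racoon: ERROR: phase1 negotiation failed due to time up. 0000000000000000:0000000000000000
Dec 4 22:53:15 racoon: INFO: delete phase 2 handler.
Dec 4 22:53:15 racoon: []: ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP
""".splitlines()

SAMPLE_CHARON = [
    "charon: 07[IKE] <2371> no IKE config found for 192.0.2.10...198.51.100.20, sending NO_PROPOSAL_CHOSEN",
]

if __name__ == "__main__":
    for name, sample in (("racoon side", SAMPLE_RACOON), ("charon side", SAMPLE_CHARON)):
        result = triage(sample)
        print(f"{name}: {result['verdict']} - {result['message']}")
        for note in result["notes"]:
            print("  note:", note)
```

Run it against a pasted chunk of Status > System Logs > IPsec from each firewall; the verdict from the responder's charon log is the more specific one, since it says which initiator address it could not match to any phase-1 entry.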
                        Netizen1
                        last edited by Dec 5, 2015, 5:35 PM

                        I just did this last week, but I was on the same version of pfsense at both sites. (2.2.5 RELEASE)

                        Why can't you upgrade your 2.0.3 side?
                        Did you double-check your settings, making sure you're entering the proper IPs in 'Remote Gateway'? On gw1 enter the remote IP of gw2 and vice versa…
                        Set 'Key Exchange version' to Auto.
                        Set 'Negotiation mode' to Main mode, as cmb suggested.

                        Is there an Auto setting for 'NAT Traversal' in the old version? In 2.2.5 there's only Auto or Force

                        Double check your 'Pre-Shared Key' in both firewalls, they have to match!

                          Dinmiller
                          last edited by Dec 5, 2015, 5:45 PM

                          Yeah, I've double-checked all of that; the client doesn't want to upgrade yet because he is afraid of it causing issues. But I think that may be the only choice.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.