Error Notification No-proposal-chosen Received In Informational Exchange Pfsense
Topic: peplink pfsense ipsec vpn (Read 10681 times)
Author: opti2k4 (Newbie, Posts: 16, Karma: +0/-0)
« on: April 26, 2012, 03:39:41 pm »

Hi, I am unable to configure Peplink Balance 380 with pfSense for site-to-site IPsec VPN. The configuration is pretty straightforward but it simply won't finish phase 1. It is always this: ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange. Since it is a multi-WAN router I did bind IPsec to a single WAN interface with fixed IP, so I don't think the problem is there.

Code:
Apr 26 16:34:50racoon: 2012-04-26 16:34:50: DEBUG: ===
Apr 26 16:34:50racoon: 2012-04-26 16:34:50: DEBUG: 120 bytes message received from 2.2.2.2[500] to 1.1.1.1[500]
Apr 26 16:34:50racoon: 2012-04-26 16:34:50: DEBUG: 39660a4d 1857c5b1
00000000 00000000 01100200 00000000 00000078 0d000038 00000001 00000001 0000002c 00010001 00000024 00010000 800b0001 800c0e10 80010007 80020002 80030001 80040005 800e0100 0d000010 4f456e54 4e77494c 76567e5c 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Apr 26 16:34:50racoon: 2012-04-26 16:34:50: DEBUG: ===
Apr 26 16:34:50racoon: 2012-04-26 16:34:50: INFO: respond new phase 1 negotiation: 1.1.1.1[500]<=>2.2.2.2[500]
Apr 26 16:34:50racoon: 2012-04-26 16:34:50: INFO: begin Identity Protection mode.
Apr 26 16:34:50racoon: 2012-04-26 16:34:50: DEBUG: begin.
Apr 26 16:34:50racoon: 2012-04-26 16:34:50: DEBUG: seen nptype=1(sa)
Apr 26 16:34:50racoon: 2012-04-26 16:34:50: DEBUG: seen nptype=13(vid)
Apr 26 16:34:50racoon: 2012-04-26 16:34:50: DEBUG: seen nptype=13(vid)
Apr 26 16:34:50racoon: 2012-04-26 16:34:50: DEBUG: succeed.
Apr 26 16:34:50racoon: 2012-04-26 16:34:50: DEBUG: received unknown Vendor ID
Apr 26 16:34:50racoon: 2012-04-26 16:34:50: DEBUG: 4f456e54 4e77494c 76567e5c
Apr 26 16:34:50racoon: 2012-04-26 16:34:50: INFO: received Vendor ID: DPD
Apr 26 16:34:50racoon: 2012-04-26 16:34:50: DEBUG: remote supports DPD
Apr 26 16:34:50racoon: 2012-04-26 16:34:50: DEBUG: total SA len=52
Apr 26 16:34:50racoon: 2012-04-26 16:34:50: DEBUG: 00000001 00000001 0000002c 0001
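As an added example (not from the thread, pfSense or racoon), the following Python decodes the hex dump that racoon printed above, so the Phase 1 proposal the Peplink actually sent can be read off and compared with the pfSense Phase 1 settings instead of guessing which parameter the responder rejected. Attribute and value names are the IKEv1/IANA ones; only the values needed for this dump are tabulated.

```python
import struct
# Hex dump copied from the racoon DEBUG lines in the post above: the 120-byte
# first Main Mode message received from the Peplink (whitespace is ignored).
PEPLINK_MSG_HEX = """
39660a4d 1857c5b1 00000000 00000000 01100200 00000000 00000078
0d000038 00000001 00000001 0000002c 00010001 00000024 00010000
800b0001 800c0e10 80010007 80020002 80030001 80040005 800e0100
0d000010 4f456e54 4e77494c 76567e5c 00000014 afcad713 68a1f1c9
6b8696fc 77570100
"""

# IKEv1 Phase 1 attribute types and the IANA values needed to read this dump.
ATTR_NAMES = {1: "enc", 2: "hash", 3: "auth", 4: "dh_group", 11: "life_type",
              12: "life_seconds", 14: "key_length"}
ENC = {5: "3des", 7: "aes"}
HASH = {1: "md5", 2: "sha1"}
AUTH = {1: "psk", 3: "rsasig"}
EXCHANGE = {2: "main", 4: "aggressive"}

def parse_phase1_proposal(hex_dump: str) -> dict:
    """Return exchange type and the transform attributes of the first SA proposal."""
    data = bytes.fromhex("".join(hex_dump.split()))
    next_payload, exch = data[16], data[18]   # ISAKMP header: cookies, next payload, ver, exchange
    if len(data) != struct.unpack("!I", data[24:28])[0]:
        raise ValueError("dump length does not match the ISAKMP header length")
    if next_payload != 1:                     # 1 = Security Association payload
        raise ValueError("first payload is not an SA payload")
    prop = 28 + 12                            # SA generic header (4) + DOI (4) + situation (4)
    n_transforms = data[prop + 7]
    pos = prop + 8 + data[prop + 6]           # skip proposal header and any SPI
    transforms = []
    for _ in range(n_transforms):
        tlen = struct.unpack("!H", data[pos + 2:pos + 4])[0]
        attrs, apos = {}, pos + 8             # attributes follow the 8-byte transform header
        while apos < pos + tlen:
            atype, aval = struct.unpack("!HH", data[apos:apos + 4])
            name = ATTR_NAMES.get(atype & 0x7fff, atype & 0x7fff)
            if atype & 0x8000:                # TV form: 2-byte value
                attrs[name], apos = aval, apos + 4
            else:                             # TLV form: aval is the value length
                attrs[name], apos = data[apos + 4:apos + 4 + aval], apos + 4 + aval
        transforms.append(attrs)
        pos += tlen
    return {"exchange": EXCHANGE.get(exch, exch), "transforms": transforms}

def peer_summary(hex_dump: str) -> str:
    """Describe the first offered transform in the terms the pfSense Phase 1 page uses."""
    t = parse_phase1_proposal(hex_dump)["transforms"][0]
    return "%s%s/%s/dh%d/%s/%ds" % (ENC[t["enc"]], t.get("key_length", ""), HASH[t["hash"]], t["dh_group"], AUTH[t["auth"]], t["life_seconds"])
```

For this dump it reports the peer's offer as aes256/sha1/dh5/psk/3600s; the responder's Phase 1 proposal has to match all of those before the NO-PROPOSAL-CHOSEN cause is looked for elsewhere.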
From the pfSense IPsec Troubleshooting documentation (https://doc.pfsense.org/index.php/IPsec_Troubleshooting); the forum thread above is https://forum.pfsense.org/index.php?topic=48838.0.

Renegotiation Errors

If a tunnel comes up initially, but then fails after a Phase 1 or Phase 2 expiration, try changing the following settings on both ends of the tunnel:
- System > Advanced, Miscellaneous tab: uncheck Prefer Old IPsec SA (no longer exists on pfSense 2.2.3+)
- On the IPsec Phase 1 settings, disable NAT Traversal (NAT-T)
- On the IPsec Phase 1 settings, enable DPD
- On the IPsec Phase 2 settings, enter an Automatically Ping Host in the remote Phase 2 subnet

Common Errors (strongSwan, pfSense >= 2.2.x)

The following examples have logs edited for brevity but significant messages remain. Logging for IPsec is configured at VPN > IPsec, Advanced Settings tab. The most useful logging settings for diagnosing tunnel issues with strongSwan on pfSense 2.2.x are: IKE SA, IKE Child SA, and Configuration Backend on Diag; all others on Control.

Other notable behaviors:
- If there is an Aggressive/Main mode mismatch and the side set for Main initiates, the tunnel will still establish
- Lifetime mismatches do not cause a failure in Phase 1 or Phase 2

Normal / OK Connection

Initiator:
charon: 09[IKE] IKE_SA con2000[11] established between 192.0.2.90[192.0.2.90]...192.0.2.74[192.0.2.74]
charon: 09[IKE] CHILD_SA con2000{2} established with SPIs cf4973bf_i c1cbfdf2_o and TS 192.168.48.0/24|/0 === 10.42.42.0/24|/0

Responder:
charon: 03[IKE] IKE_SA con1000[19] established between 192.0.2.74[192.0.2.74]...192.0.2.90[192.0.2.90]
charon: 16[IKE] CHILD_SA con1000{1} established with SPIs c1cbfdf2_i cf4973bf_o and TS 10.42.42.0/24|/0 === 192.168.48.0/24|/0

Phase 1 Main / Aggressive Mismatch

Initiator (Aggressive set, responder on Main):
charon: 15[IKE] initiating Aggressive Mode IKE_SA con2000[1]
From the freebsd-questions mailing list (https://lists.freebsd.org/pipermail/freebsd-questions/2008-April/172760.html):

Having trouble getting my first connection set up. I must use the 3des md5 encryption. This is from the error log.

: DEBUG: hash validated.
: DEBUG: begin.
: DEBUG: seen nptype=8(hash)
: DEBUG: seen nptype=11(notify)
: DEBUG: succeed.
: ERROR: unknown notify message, no phase2 handle found.
: DEBUG: notification message 14:NO-PROPOSAL-CHOSEN, due to doi=1 proto_id=3 spi=0fddcb32(size=4).
: ERROR: 72.164.229.178 give up to get IPsec-SA due to time up to wait.
: DEBUG: an undead schedule has been deleted.
: DEBUG: msg 1 not interesting
: DEBUG: msg 1 not interesting

setkey -D -P

192.168.75.101/0[any] 192.168.1.203/0[any] ip4
	in ipsec
	esp/tunnel/72.164.229.178-75.41.234.82/require
	created: Apr 8 09:59:05 2008  lastused: Apr 8 09:59:05 2008
	lifetime: 0(s) validtime: 0(s)
	spid=16389 seq=1 pid=896
	refcnt=1
192.168.1.203/0[any] 192.168.75.101/0[any] ip4
	out ipsec
	esp/tunnel/75.41.234.82-72.164.229.178/require
	created: Apr 8 09:59:05 2008  lastused: Apr 8 10:09:04 2008
	lifetime: 0(s) validtime: 0(s)
	spid=16388 seq=0 pid=896
	refcnt=1

racoon.conf

path pre_shared_key "/usr/local/etc/racoon/psk.txt";
path certificate "@sysconfdir_x@/cert";
log debug2;
padding {
	maximum_length 20;	# maximum padding length.
	randomize off;		# enable randomize length.
	strict_check off;	# enable strict check.
	exclusive_tail off;	# extract last one octet.
}
listen {
	isakmp 75.41.234.82 [500];
}
timer {
	counter 5;		# maximum trying count to send.
	interval 20 sec;	# maximum interval to resend.
	persend 1;		# the number of packets per send.
	phase1 30 sec;
	phase2 15 sec;
}
remote 72.164.229.178 {
	exchange_mode aggressive,main,base;
	lifetime time 24 hour;
	proposal {
		encryption_algorithm 3des;
		hash_algorithm md5;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}
sainfo anonymous {
	pfs_group 2;
	lifetime time 12 ho