Error Fatal No-proposal-chosen Notify Message
[Ipsec-tools-users] Cannot establish IPSec connection
From: Ioannis Zapitis

fastcon68: One stubborn IPSEC Tunnel « on: June 09, 2009, 10:32:27 pm »

I have an IPSEC tunnel that will not come up. I am getting the following error message:

Jun 9 22:58:18 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Jun 9 22:58:08 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.

I do not have a SAD or SPD for this connection,

Jun 9 23:01:33 racoon: [TNIC - New Bern Location ]: ERROR: pfkey DELETE received: ESP 208.xx.xx.204[0]->67.xx.xx.16[0] spi=192852376(0xb7eb198)
Jun 9 23:01:33 racoon: INFO: unsupported PF_KEY message REGISTER
Jun 9 23:01:26 racoon: [TNIC - New Bern Location ]: INFO: initiate new phase 2 negotiation: 208.xx.xx.204[500]<=>67.xx.xx.16[500]
Jun 9 23:00:15 racoon: [TNIC - New Bern Location ]: ERROR: 67.76.142.16 give up to get IPsec-SA due to time up to wait.
Jun 9 22:59:45 racoon: [TNIC - New Bern Location ]: INFO: initiate new phase 2 negotiation: 208.x.xx.204[500]<=>67.xx.xx.16[500]
Jun 9 22:59:31 racoon: [TNIC - New Bern Location ]: ERROR: 67.76.142.16 give up to get IPsec-SA due to time up to wait.
Jun 9 22:59:01 racoon: [TNIC - New Bern Location ]: INFO: initiate new phase 2 negotiation: 208.xx.xx.204[500]<=>67.xx.xx.16[500]
Jun 9 22:58:38 racoon: [TNIC - New Bern Location ]: ERROR: 67.xx.xx.16 give up to get IPsec-SA due to time up to wait.
Jun 9 22:58:18 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Jun 9 22:58:08 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Jun 9 22:58:08 racoon: [TNIC - New Bern Location ]: INFO: initiate new phase 2 negotiation: 208.xx.xx.204[500]<=>67.xx.xx.16[500]
Jun 9 22:58:07 racoon: [TNIC - New Bern Location ]: INFO: ISAKMP-SA established 208.xx.xx.204[500]-67.xx.xx.16[500] spi:2378faabb929edd1:948837c0e6833ca3
Jun 9 22:58:07 racoon: INFO: begin Identity Protection mode.
Jun 9 22:58:07 racoon: [TNIC - New Bern Location ]: INFO: initiate new phase 1 negotiation: 208.xx.xx.204[500]<=>67.xx.xxx.16[500]

Any idea why this one connection is not working?
RC

jimp: Re: One stubborn IPSEC Tunnel « Reply #1 on: June 09, 2009, 10:50:30 pm

lima7: Ipsec can not establish to cisco (#1, Tue Feb 15, 2011 12:04 pm)

[rmkroot@SG-GT] /ip> ipsec peer pr
Flags: X - disabled
 0 address=202.134.7.6/32:500 auth-method=pre-shared-key secret="xxxxxxxxx" generate-policy=yes exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=1m dpd-maximum-failures=1

[rmkroot@SG-GT] /ip> ipsec policy pr
Flags: X - disabled, D - dynamic, I - inactive
 0 src-address=10.10.12.96/27:any dst-address=192.168.2.3/32:any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes sa-src-address=202.134.5.6 sa-dst-address=202.134.7.6 proposal=default priority=0

[rmkroot@SG-GT] /ip> ipsec proposal pr
Flags: X - disabled
 0 name="default" auth-algorithms=md5,sha1 enc-algorithms=3des lifetime=30m pfs-group=none

15:48:38 ipsec begin Identity Protection mode.
15:48:38 ipsec ISAKMP-SA established 202.134.5.6[500]- 202.134.7.6[500] spi:17416654cc65ca55:96be00baf5a386e5
15:48:39 ipsec initiate new phase 2 negotiation: 202.134.5.6[500]<=>202.134.7.6[500]
15:48:39 ipsec fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
15:48:39 ipsec Message: '0 b= @ b= a l H a a '.
15:49:08 ipsec initiate new phase 2 negotiation: 202.134.5.6[500]<=>202.134.7.6[500]
15:49:08 ipsec fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
15:49:08 ipsec Message: '0 b% D b= a l a a '.
15:49:09 ipsec 202.134.7.6 give up to get IPsec-SA due to time up to wait.
15:49:09 ipsec IPsec-SA expired: ESP/Tunnel 202.134.7.6[0]->202.134.5.6[0] spi=89663660(0x55828ac)
15:49:38 ipsec 202.134.7.6 give up to get IPsec-SA due to time up to wait.
15:49:38 ipsec IPsec-SA expired:

# obey, strict, or claim
>>>
> > Good :-)
> >
> > But of course, that means you need a valid configuration :-)

Even with "obey" the situation doesn't change...

>>> sainfo anonymous
>>> {
>>> pfs_group 2;
>>> encryption_algorithm 3des;
>>> authentication_algorithm hmac_sha1;
>>> compression_algorithm deflate;
>>> }
>>>
> > You have no lifetime on phase2 ?

I tried with these values for phase 2:

lifetime time 8192 secs;
lifetime time 28800 secs;

nothing changes, I always get:

2007-11-25 17:49:45: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
2007-11-25 17:49:45: DEBUG: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=0 spi=00000000(size=4).

> And could you also dump your SPD ?

I have a gif device that tunnels the data and these are the spd rules:

spdadd 10.150.212.80/28 10.150.212.64/28 ipencap -P out ipsec esp/tunnel/10.150.212.82-10.150.212.66/require;
spdadd 10.150.212.64/28 10.150.212.80/28 ipencap -P in ipsec esp/tunnel/10.150.212.66-10.150.212.82/require;

> Your FreeBSD is the initiator, right ?

Yes.

> Your isakmpd.conf uses lots of defaults, which are probably not the
> same as racoon's defaults, so having a look at an isakmpd debug (or at
> peer's debug if available) could help you finding what's wrong in your
> configuration.

Ok, I'll try with isakmpd debug (I can't do anything about cisco). I've posted the complete log, could you please see if there's something helpful there?

>>> Can anyone help me with this? It seems that the cisco doesn't accept
>>> authentication algorithm
>>> for phase 2, but it may be a completely different problem...
>>>
> > Cisco doesn't accept "something related to your phase2 proposal".

Yes, I surmised as much :-)

> It could be an algorithm, a lifetime (or a lack of lifetime...), a
> network mismatch (double check your SPD entries).

the spd are the same as with isakmpd, I don't think there's a problem there... Thanks again...

---------------
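
Added example, not taken from any of the posts above or from ipsec-tools: a small triage script that reads racoon-style log lines and reports which phase each NO-PROPOSAL-CHOSEN notify hit, so you know which proposal to compare with the peer. The function name, the sample log (constructed, using documentation addresses) and the `newest_first` switch for log views that list the latest entry first are assumptions of this example.

```python
import re

# Message fragments as they appear in the racoon logs quoted on this page.
# The DEBUG "notification message 14:NO-PROPOSAL-CHOSEN" line is not matched,
# so one rejection is not counted twice.
EVENTS = [
    (re.compile(r"initiate new phase 1 negotiation"), "p1_start"),
    (re.compile(r"ISAKMP-SA established"), "p1_done"),
    (re.compile(r"initiate new phase 2 negotiation"), "p2_start"),
    (re.compile(r"NO-PROPOSAL-CHOSEN notify"), "rejected"),
]

# Items to compare with the peer, as listed in the mailing-list reply above.
PHASE2_CHECKS = ["algorithm", "lifetime", "network (SPD) selectors"]

# Constructed sample, newest entry first, modelled on the logs quoted above.
SAMPLE_NEWEST_FIRST = """\
Jun 9 22:58:18 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Jun 9 22:58:08 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Jun 9 22:58:08 racoon: INFO: initiate new phase 2 negotiation: 192.0.2.1[500]<=>198.51.100.2[500]
Jun 9 22:58:07 racoon: INFO: ISAKMP-SA established 192.0.2.1[500]-198.51.100.2[500]
Jun 9 22:58:07 racoon: INFO: begin Identity Protection mode.
Jun 9 22:58:07 racoon: INFO: initiate new phase 1 negotiation: 192.0.2.1[500]<=>198.51.100.2[500]
""".splitlines()


def classify_rejections(lines, newest_first=False):
    """Return one dict per NO-PROPOSAL-CHOSEN notify, naming the phase it hit."""
    if newest_first:  # put the lines back into chronological order
        lines = list(reversed(lines))
    phase1_up = phase2_pending = False
    findings = []
    for line in lines:
        kind = next((k for rx, k in EVENTS if rx.search(line)), None)
        if kind == "p1_start":
            phase1_up = phase2_pending = False
        elif kind == "p1_done":
            phase1_up = True
        elif kind == "p2_start":
            phase2_pending = True
        elif kind == "rejected":
            phase = 2 if (phase1_up and phase2_pending) else 1
            findings.append({"phase": phase, "line": line.strip(),
                             "compare": PHASE2_CHECKS if phase == 2 else ["phase 1 proposal"]})
    return findings


if __name__ == "__main__":
    for f in classify_rejections(SAMPLE_NEWEST_FIRST, newest_first=True):
        print(f["phase"], f["compare"])
```

Reading a newest-first log as if it were chronological attributes the same notifies to phase 1, which points the comparison at the wrong proposal.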