  1. #1
    Untangler
    Join Date
    Dec 2008
    Posts
    37

    Default NO_PROPOSAL_CHOSEN messages

    Hi,

    Setting up my IPsec for the first time, I see these messages NO_PROPOSAL_CHOSEN in the log. Where in the Untangle UI do I enter the proposal configuration?

    thanks!
    Stefan

  2. #2
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,813

    Default

    What type of device is doing IPsec on the other end? Is this on the Untangle IPsec log or the other device?
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untangler
    Join Date
    Dec 2008
    Posts
    37

    Default

    This message is in the Untangle (v9.3) IPsec log. I think the other side is Windows, but I have asked for verification.

    I do have the information below (provided to me along with the IP addresses and shared secret), but I don't know where, or if, I should enter it into the Untangle UI.

    thanks,
    Stefan

    Phase 1 Proposal:
    Encryption Algorithm: AES256
    Hash Algorithm: SHA-1
    Lifetime: 28,800 seconds
    Phase 2 Proposal:
    PFS: DH Group 2
    Encapsulation: ESP
    Encryption Algorithm: AES256
    Authentication Algorithm: SHA
    Lifetime: 3600 seconds

  4. #4
    Untangler
    Join Date
    Dec 2008
    Posts
    37

    Default

    Sorry, the other side of the VPN is a Juniper Netscreen 208 Firewall.

    thanks,
    Stefan

  5. #5
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,813

    Default

    I don't believe Windows L2TP over IPSec is possible to configure with Untangle IPsec since only site to site is supported on Untangle.

  6. #6
    Untangler
    Join Date
    Dec 2008
    Posts
    37

    Default

    Sorry, our posts crossed; it is a Juniper Netscreen 208 Firewall.

  7. #7
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,813

    Default

    This might help.
    http://kb.juniper.net/InfoCenter/ind...tent&id=KB6168

    " Chances are, one side has nopfs, while the other side has perfect forward secrecy enabled."

  8. #8
    Untangler
    Join Date
    Dec 2008
    Posts
    37

    Default

    Ohh, that is a good clue. I did have PFS selected in Untangle. However, I unchecked that and clicked Apply, but I see the same behavior. Do I need to do something more to get the IPsec client to pick up this changed configuration?

    thanks,
    Stefan

  9. #9
    Untangler
    Join Date
    Dec 2008
    Posts
    37

    Default

    Here is the more complete log (after disabling PFS and disabling and re-enabling the tunnel). I don't know if this is past IKE phase 2 or still at IKE phase 1.

    thanks,
    Stefan

    Sep 24 18:48:34 hostname ipsec__plutorun: Starting Pluto subsystem...
    Sep 24 18:48:34 hostname pluto[8755]: Starting Pluto (Openswan Version 2.6.28; Vendor ID OEQ{O\177nez{CQ) pid:8755
    Sep 24 18:48:34 hostname pluto[8755]: SAref support [enabled]
    Sep 24 18:48:34 hostname pluto[8755]: SAbind support [disabled]: Invalid argument
    Sep 24 18:48:34 hostname pluto[8755]: Setting NAT-Traversal port-4500 floating to off
    Sep 24 18:48:34 hostname pluto[8755]: port floating activation criteria nat_t=0/port_float=1
    Sep 24 18:48:34 hostname pluto[8755]: NAT-Traversal support [disabled]
    Sep 24 18:48:34 hostname pluto[8755]: using /dev/urandom as source of random entropy
    Sep 24 18:48:34 hostname pluto[8755]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
    Sep 24 18:48:34 hostname pluto[8755]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
    Sep 24 18:48:34 hostname pluto[8755]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
    Sep 24 18:48:34 hostname pluto[8755]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
    Sep 24 18:48:34 hostname pluto[8755]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
    Sep 24 18:48:34 hostname pluto[8755]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
    Sep 24 18:48:34 hostname pluto[8755]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
    Sep 24 18:48:34 hostname pluto[8755]: no helpers will be started, all cryptographic operations will be done inline
    Sep 24 18:48:34 hostname pluto[8755]: Using Linux 2.6 IPsec interface code on 2.6.26-2-untangle-686 (experimental code)
    Sep 24 18:48:35 hostname pluto[8755]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
    Sep 24 18:48:35 hostname pluto[8755]: ike_alg_add(): ERROR: Algorithm already exists
    Sep 24 18:48:35 hostname pluto[8755]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
    Sep 24 18:48:35 hostname pluto[8755]: ike_alg_add(): ERROR: Algorithm already exists
    Sep 24 18:48:35 hostname pluto[8755]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
    Sep 24 18:48:35 hostname pluto[8755]: ike_alg_add(): ERROR: Algorithm already exists
    Sep 24 18:48:35 hostname pluto[8755]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
    Sep 24 18:48:35 hostname pluto[8755]: ike_alg_add(): ERROR: Algorithm already exists
    Sep 24 18:48:35 hostname pluto[8755]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
    Sep 24 18:48:35 hostname pluto[8755]: ike_alg_add(): ERROR: Algorithm already exists
    Sep 24 18:48:35 hostname pluto[8755]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
    Sep 24 18:48:35 hostname pluto[8755]: myid malformed: empty string ""
    Sep 24 18:48:35 hostname pluto[8755]: Changed path to directory '/etc/ipsec.d/cacerts'
    Sep 24 18:48:35 hostname pluto[8755]: Changed path to directory '/etc/ipsec.d/aacerts'
    Sep 24 18:48:35 hostname pluto[8755]: Changed path to directory '/etc/ipsec.d/ocspcerts'
    Sep 24 18:48:35 hostname pluto[8755]: Changing to directory '/etc/ipsec.d/crls'
    Sep 24 18:48:35 hostname pluto[8755]: Warning: empty directory
    Sep 24 18:48:35 hostname pluto[8755]: added connection description "UT0_xpressbet"
    Sep 24 18:48:35 hostname pluto[8755]: listening for IKE messages
    Sep 24 18:48:35 hostname pluto[8755]: adding interface utun/utun 192.0.2.43:500
    Sep 24 18:48:35 hostname pluto[8755]: adding interface dummy0/dummy0 192.0.2.42:500
    Sep 24 18:48:35 hostname pluto[8755]: adding interface eth1/eth1 172.16.0.1:500
    Sep 24 18:48:35 hostname pluto[8755]: adding interface eth0/eth0 216.150.136.94:500
    Sep 24 18:48:35 hostname pluto[8755]: adding interface lo/lo 127.0.0.1:500
    Sep 24 18:48:35 hostname pluto[8755]: loading secrets from "/etc/ipsec.secrets"
    Sep 24 18:48:35 hostname pluto[8755]: "UT0_xbt" #1: initiating Main Mode
    Sep 24 18:48:35 hostname pluto[8755]: "UT0_xbt" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
    Sep 24 18:48:35 hostname pluto[8755]: "UT0_xbt" #1: received and ignored informational message
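
    Added example, not code from the thread or from Untangle/Openswan: a small Python checker that reads pluto log lines like the ones posted above and reports whether NO_PROPOSAL_CHOSEN arrived during Main Mode (phase 1) or Quick Mode (phase 2), because a rejection straight after "initiating Main Mode" means the phase 1 proposal was refused, before PFS (a phase 2 parameter) is ever negotiated. The sample log lines and the checklist strings are constructed for the example.

```python
import re

# Constructed sample lines, modelled on the Openswan pluto log in the thread (not the thread's own lines).
SAMPLE_LOG = """\
Sep 24 18:48:35 hostname pluto[8755]: "UT0_xbt" #1: initiating Main Mode
Sep 24 18:48:35 hostname pluto[8755]: "UT0_xbt" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Sep 24 18:48:35 hostname pluto[8755]: "UT0_xbt" #1: received and ignored informational message
Sep 24 18:50:01 hostname pluto[8755]: "UT0_other" #2: initiating Main Mode
Sep 24 18:50:03 hostname pluto[8755]: "UT0_other" #2: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Sep 24 18:50:03 hostname pluto[8755]: "UT0_other" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#2}
Sep 24 18:50:03 hostname pluto[8755]: "UT0_other" #3: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=5a2b1c3d
"""

# pluto prefixes each state-machine message with the connection name and a state number.
PLUTO_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')

# Which parameters to compare against the peer's proposal, by the phase the rejection arrived in
# (values taken from the proposal posted in this thread).
CHECKLIST = {
    1: ["Phase 1 encryption (AES256)", "Phase 1 hash (SHA-1)",
        "Phase 1 DH group", "Phase 1 lifetime (28800 s)"],
    2: ["Phase 2 ESP encryption (AES256)", "Phase 2 authentication (SHA-1)",
        "PFS on/off and group (DH group 2 = modp1024)", "Phase 2 lifetime (3600 s)"],
}

def classify_no_proposal(log_text):
    """Map each connection that received NO_PROPOSAL_CHOSEN to the IKE phase it was in.

    Phase 1 = ISAKMP SA negotiation (Main Mode); phase 2 = IPsec SA (Quick Mode).
    A connection with no Main/Quick Mode line before the rejection is reported as 0.
    """
    phase, rejected = {}, {}
    for line in log_text.splitlines():
        m = PLUTO_RE.search(line)
        if not m:
            continue  # daemon start-up chatter, algorithm registration, interfaces, etc.
        conn, msg = m.group("conn"), m.group("msg")
        if "Main Mode" in msg and ("initiating" in msg or "responding" in msg):
            phase[conn] = 1
        elif "Quick Mode" in msg and ("initiating" in msg or "responding" in msg):
            phase[conn] = 2
        elif "NO_PROPOSAL_CHOSEN" in msg:
            rejected[conn] = phase.get(conn, 0)
    return rejected

def what_to_compare(log_text):
    """Return, per rejected connection, the proposal parameters worth re-checking on both ends."""
    unknown = ["phase unknown: no Main Mode or Quick Mode line seen for this connection"]
    return {conn: CHECKLIST.get(ph, unknown)
            for conn, ph in classify_no_proposal(log_text).items()}

if __name__ == "__main__":
    for conn, items in what_to_compare(SAMPLE_LOG).items():
        print(conn, "->", "; ".join(items))
```

    Run against the log above, the "UT0_xbt" rejection is classified as phase 1, so the first things to compare are the phase 1 encryption, hash, DH group and lifetime, not the PFS setting.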

  10. #10
    Untangler
    Join Date
    Dec 2008
    Posts
    37

    Default

    Talked with Andrew there at Untangle,

    I am thinking maybe it's an issue as described in here

    http://kb.juniper.net/InfoCenter/ind...ent&id=KB10123

    Especially the part about lifetime.

    Here is the information I have from the company who is hosting the Juniper device I am trying to connect to.

    Phase 1 Proposal:
    Encryption Algorithm: AES256
    Hash Algorithm: SHA-1
    Lifetime: 28,800 seconds
    Phase 2 Proposal:
    PFS: DH Group 2
    Encapsulation: ESP
    Encryption Algorithm: AES256
    Authentication Algorithm: SHA
    Lifetime: 3600 seconds

    thanks!
    Stefan
