Bintec RS230a VPN NO-PROPOSAL-CHOSEN

[Jfbintec]

Hi everybody,

I am trying to setup a VPN access between shrew soft client versions 2.2.2 (Standard Edition) and a Bintec R230a (or Bintec RS230a) with certificate authentication. I used OpenSSL, XCA (Freeware) and also Bintec client but I always have the same problem: when I try to connect my computer to VPN, I get this log (get by VPN Trace Shrew Soft):

14/02/17 14:39:22 DB : phase1 found

14/02/17 14:39:22 DB : phase1 ref increment ( ref count = 2, obj count = 1 )

14/02/17 14:39:22 ii : processing informational packet ( 102 bytes )

14/02/17 14:39:22 =< : cookies aa86417eb208a4ef:a112df24d3e33898

14/02/17 14:39:22 =< : message 7fc5b7a7

14/02/17 14:39:22 << : notification payload

14/02/17 14:39:22 ii : received peer NO-PROPOSAL-CHOSEN notification

14/02/17 14:39:22 ii : - xx.xx.xx.xx:500 -> 192.168.0.29:500

14/02/17 14:39:22 ii : - isakmp spi = aa86417eb208a4ef:a112df24d3e33898

14/02/17 14:39:22 ii : - data size 46

Of course, I check ports of my Bintec and they are open (500-4500). I use for this log an IKE config pull, but I try already with a static configuration IP. I check configuration phase-1 profile in my Bintec and in my client but it’s the same. I try a lot of encryption mode (AES-MD5…), auto mode with DH Exchange, Policy, and DNS... I think I try every configuration which we have in shrew soft client.

If that help you, I use a domain name and my Bintec is behind a modem. When I saw it’s doesn’t work, I used this tutorial:

http://www.neo-one.de/downloads/dokumente/Teldat%20[bintec%20IPSec]/IKEv2%20zwischen%20bintec%20IPSec%20Client%20und%20Gateway%20mit%20Zertifikaten.pdf

To simplify, I want use Authentication Method Mutual RSA but whatever I use, I have also the same error message: “NO-PROPOSAL-CHOSENâ€

[JackC]

do you looked after the log from the bintec? There is a lot more information as you can get from the ShrewSoft Client. Just connect over telnet -> log in -> type "debug all&". Then try to connect.

Do you updated the Bintec to the latest firmware?

I recommend to delete the configuration included Phase 1 and 2 and start from the beginning. “NO-PROPOSAL-CHOSEN” means that there is no Algorithem choosen in Phase 1 or 2. This can also be a bug on the bintec when creating a VPN. So upgrade to the latest firmware first.

[Jfbintec]

No logs appears in my bintec with your commands. : (

I will try with update the firmware.

Bearbeitet 18. Februar 2014 von Jfbintec

[Jfbintec]

No logs appears in my bintec with your commands. : (

I will try with update the firmware.

The same error message with the lastest firmware...

I also tried to create again Phase 1 and 2.

Bearbeitet 18. Februar 2014 von Jfbintec

[JackC]

debug all& shows realtime information on your bintec. After entering this command, try to connect. The connection should be displayed. If not, then your VPN connect to another device, but not your bintec.

[Jfbintec]

It's good, I found but the same message :

P1: peer 3 (...) sa 10 ®: failed ip x.x.x.x <- ip y.y.y.y (No proposal chosen)

[Crash2001]

Sieht schwer danach aus, dass bei ipsec Phase 2 der Negotiations fehlschlägt, weil keine übereinstimmenden Parameter vorhanden sind.

Authentication algorithm (MD5, SHA1)

Encryption algorithm (DES, 3DES, AES128, AES192, AES256)

Protocol (AH, ESP)

Du musst schauen, dass dies auf Client- und Serverseite gleich ist, damit eine Verbindung aufgebaut werden kann.

Siehe hier.

[Jfbintec]

"I check configuration phase-1 profile in my Bintec and in my client but it’s the same. I try a lot of encryption mode (AES-MD5…), auto mode with DH Exchange, Policy, and DNS..."

So, yes I already check that.

[JackC]

do you have configured the VPN over the GUI? As far as I know I had the same issue. I deleated the whole VPN, Phase 1 and Phase 2 config and setup again via console.

You can also check the parameter again via console:

- telnet "IP"

- Login

type "setup"

[Crash2001]

@ Jfbintec:

phase 1 seems to be OK, but it's hanging at phase 2.

[Jfbintec]

Yes, and I also configured via console.

[Jfbintec]

I don't reach phase 2. Are you sure ?

[Crash2001]

You don't reach phase 2 beacuse there are no matching entries and because of that it says "NO-PROPOSAL-CHOSEN" I think.

With the given entries there is no "profile" (?) that matches the other side and because of that no connection can be established because phase 2 cannot be initiated.

[Jfbintec]

@Crash2001

But when I tried everything, i change phase 1 with other configuration than Bintec but I have also the same message error.

(Sorry for my english)

[JackC]

do you set the correct phase 2 configuration for the correct VPN? Maybe there is another phase 2 configuration set in the vpn profile

[Crash2001]

[...] But when I tried everything, i change phase 1 with other configuration than Bintec but I have also the same message error.[...]

Phase 1 seems to work, but not phase 2. So what are you talking again and again about phase 1?

[Jfbintec]

Yes it's the good configuration phase 2. That's one week i'm on this message

[Jfbintec]

My phase 2 accept All Algorithm and I try all algorithm which I have in shrew soft client. But nothing changes.

[JackC]

then lets try to specify just one

[Jfbintec]

I also tried ^^" Without PFS Group, with it. IP Compression, no IP Compression...

[JackC]

I recommend to start from the beginning. Delete Phase 1 and 2. Delete your VPN Profile.

Configure Phase 1

Configure Phase 2

Configure VPN Profile

Connect Phase 1 and 2 to your VPN Profile.

[Jfbintec]

I start from the beginning again with console, I hope this time it works.

[Jfbintec]

Nothing changes :upps

[Crash2001]

Maybe the VPN client isn't compatible with the VPN server?

Have you checked to chose a phase 2 set that is supported on both sides and has explizit configuration and not all auto? (On some systems it need one side to chose the configuration set and without a choice (all on auto) it doesn't work.)

[Jfbintec]

I tried with Bintec Client but the same error appears.

Yes, I checked that but no moves.