08-13-2021 02:17 PM
Test AVPN S2S network ... This should NOT be this hard... straight-up simple VPN setup.
NO_PROPOSAL_CHOSEN error is like a BS general error bucket non-informative log error... WTH !!!!
The trial and error troubleshooting is insane - little diagnostic info available
my quest is a Phase I failure, but WHAT! What does the NO_PROPOSAL_CHOSEN error suggest ...
Wan Site A 10.22.22.1
Lan Site A 10.1.0.1/24
Wan Site B 10.220.220.1
LAN Site B 10.1.1.1/24
Site A <-----> Site B
RV160W Wan Ping <-----> RV160 Wan Ping good
10.22.22.1 <---Ping--> 10.220.220.1
VPNS2S <-----> peer VPN Config Site B
Connect NO_PROPOSAL_CHOSEN error
Same log error from each site's RV160 logs
10.22.22.1 Wan Interface <-----> 10.220.220.1 Wan
10.1.0.1 Lan Interface <-----> 10.1.1.1 Lan Interface
S2S between both sites peer config inverse of each Wan/Lan
Site A
No.  Name   Enable  Status  Phase2 Enc/Auth/Grp  Local Group  Remote Group  Remote Gateway  Action
1    ospep  Enable  DOWN    3des-sha1-modp1024   10.1.0.1/24  10.1.1.1/24   10.220.220.1

Site B
No.  Name   Enable  Status  Phase2 Enc/Auth/Grp  Local Group  Remote Group  Remote Gateway  Action
1    ospep  Enable  DOWN    3des-sha1-modp1024   10.1.1.1/24  10.1.0.1/24   10.22.22.1
Both sites Matching Profiles
IPSec Profile
Name: Test
Keying Mode: Auto
IKE Version: IKEv1
Phase I Options
DH Group: Group2 - 1024 Bit
Encryption: 3DES
Authentication: SHA1
SA LT: 28800
Phase II Options
Protocol Selection: ESP
Encryption: 3DES
Authentication: SHA1
SA LT: 3600
Perfect Forward Secrecy: Enabled
DH Group: Group2 - 1024 Bit
Basic Settings
S2S Site A
Enable
Connection Name: ospep
IPSec Profile: Test
Interface Wan
Remote Endpoint Static IP
IP Address: 10.220.220.1
IKE Authentication Method
Pre-shared Key sfc@testingnetwork12345
Show Pre-shared Key: not enable
Minimum Preshared Key Complexity: not enable
Local Group Setup
Local Identifier Type: Local WAN IP
Local Identifier: 10.22.22.1
Local IP Type: Subnet
IP Address: 10.1.0.1
Subnet Mask: 255.255.255.0
Remote Group Setup
Remote Identifier Type: Remote WAN IP
Remote Identifier: 10.220.220.1
Remote IP Type: Subnet
IP Address: 10.1.1.1
Subnet Mask: 255.255.255.0
Aggressive Mode: not enabled
Advanced Settings
Checked: Compress (Support IP Payload Compression Protocol (IPComp))
Checked: NetBIOS Broadcast
Checked: Keep-Alive
Keep-Alive Monitoring Interval 10
Checked: DPD Enabled
Delay Time 10
Detection Timeout 30
DPD Action Restart
No Extended Authentication
No Failover settings
Site B is peer configured as above
Very basic setup ... Site A Log file
Log file debug mode...
2021-Aug-13, 16:52:31 TMT info vpn charon: 05[IKE] received NO_PROPOSAL_CHOSEN error notify
2021-Aug-13, 16:52:31 TMT info vpn charon: 05[ENC] parsed INFORMATIONAL_V1 request 4163274021 [ N(NO_PROP) ]
2021-Aug-13, 16:52:31 TMT info vpn charon: 05[NET] received packet: from 10.220.220.1[500] to 10.22.22.1[500] (40 bytes)
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[NET] sending packet: from 10.22.22.1[500] to 10.220.220.1[500] (196 bytes)
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[ENC] generating ID_PROT request 0 [ SA V V V V V V ]
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] IKE_SA s2s_ospep[6014] state change: CREATED => CONNECTING
2021-Aug-13, 16:52:31 TMT info vpn charon: Last message '11[IKE] initiating M' repeated 1 times, supressed by syslog-ng on osptest
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] initiating Main Mode IKE_SA s2s_ospep[6014] to 10.220.220.1
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] sending draft-ietf-ipsec-nat-t-ike-02n vendor ID
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] sending NAT-T (RFC 3947) vendor ID
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] sending FRAGMENTATION vendor ID
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] sending Cisco Unity vendor ID
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] sending DPD vendor ID
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] sending XAuth vendor ID
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] activating ISAKMP_NATD task
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] activating ISAKMP_CERT_POST task
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] activating MAIN_MODE task
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] activating ISAKMP_CERT_PRE task
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] activating ISAKMP_VENDOR task
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] activating new tasks
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] queueing QUICK_MODE task
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] queueing ISAKMP_NATD task
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] queueing ISAKMP_CERT_POST task
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] queueing MAIN_MODE task
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] queueing ISAKMP_CERT_PRE task
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] queueing ISAKMP_VENDOR task
2021-Aug-13, 16:52:31 TMT info vpn charon: 10[CFG] received stroke: initiate 's2s_ospep-1'
2021-Aug-13, 16:52:31 TMT info vpn charon: 12[IKE] IKE_SA s2s_ospep[6013] state change: CONNECTING => DESTROYING
2021-Aug-13, 16:52:31 TMT info vpn charon: 12[IKE] received NO_PROPOSAL_CHOSEN error notify
2021-Aug-13, 16:52:31 TMT info vpn charon: 12[ENC] parsed INFORMATIONAL_V1 request 96138045 [ N(NO_PROP) ]
2021-Aug-13, 16:52:31 TMT info vpn charon: 12[NET] received packet: from 10.220.220.1[500] to 10.22.22.1[500] (40 bytes)
2021-Aug-13, 16:52:31 TMT info vpn charon: 15[NET] sending packet: from 10.22.22.1[500] to 10.220.220.1[500] (196 bytes)
2021-Aug-13, 16:52:31 TMT info vpn charon: 15[ENC] generating ID_PROT request 0 [ SA V V V V V V ]
2021-Aug-13, 16:52:31 TMT info vpn charon: 15[IKE] IKE_SA s2s_ospep[6013] state change: CREATED => CONNECTING
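An added example (not code from the original post or from Cisco) for reading a charon log like the Site A one above: it reports which exchange the peer rejected (the notify arriving right after our ID_PROT SA payload, before any QUICK_MODE, is a Phase 1 rejection) and lists which Phase 1 attributes two profiles disagree on. The log lines are taken from the post and reordered oldest-first; the attribute names are my own.

```python
"""Classify where an IKEv1 NO_PROPOSAL_CHOSEN notify arrives in a charon log,
and list which Phase 1 attributes differ between two peer profiles."""
import re

# Constructed sample: the relevant Site A lines from the post, reordered
# oldest-first (the RV160 log view shows newest first).
SAMPLE_LOG = [
    "11[IKE] initiating Main Mode IKE_SA s2s_ospep[6014] to 10.220.220.1",
    "11[ENC] generating ID_PROT request 0 [ SA V V V V V V ]",
    "11[NET] sending packet: from 10.22.22.1[500] to 10.220.220.1[500] (196 bytes)",
    "05[NET] received packet: from 10.220.220.1[500] to 10.22.22.1[500] (40 bytes)",
    "05[ENC] parsed INFORMATIONAL_V1 request 4163274021 [ N(NO_PROP) ]",
    "05[IKE] received NO_PROPOSAL_CHOSEN error notify",
]

def classify_no_proposal(lines):
    """Return {'phase', 'sa', 'peer'} for the first NO_PROPOSAL_CHOSEN seen.

    The notify carries no detail of its own; what tells you which negotiation
    the responder rejected is the last SA payload we sent before it arrived:
    ID_PROT/AGGRESSIVE (Phase 1 ISAKMP transforms) or QUICK_MODE (Phase 2).
    Returns None if no NO_PROPOSAL_CHOSEN is present.
    """
    ctx = {"phase": None, "sa": None, "peer": None}
    for line in lines:
        m = re.search(r"IKE_SA ([^\[\s]+)\[", line)
        if m:
            ctx["sa"] = m.group(1)
        m = re.search(r"received packet: from ([\d.]+)\[", line)
        if m:
            ctx["peer"] = m.group(1)
        if re.search(r"generating (ID_PROT|AGGRESSIVE) request .*\[ SA", line):
            ctx["phase"] = "phase1"
        elif re.search(r"generating QUICK_MODE request .*\[ .*SA", line):
            ctx["phase"] = "phase2"
        elif "NO_PROPOSAL_CHOSEN" in line:
            return ctx
    return None

# Attribute names are my own labels for the Phase I options in the post.
PHASE1_ATTRS = ("ike_version", "encryption", "hash", "dh_group", "auth_method")

def phase1_mismatches(local, remote):
    """List the Phase 1 attributes on which two profiles disagree.

    Main Mode compares these before the pre-shared key is ever used, so a
    difference here yields NO_PROPOSAL_CHOSEN rather than an auth failure.
    """
    return [a for a in PHASE1_ATTRS if local.get(a) != remote.get(a)]

# The profile both sites claim to run (constructed from the post's settings)
SITE_A = {"ike_version": "ikev1", "encryption": "3des", "hash": "sha1",
          "dh_group": "modp1024", "auth_method": "psk"}
```

If both profiles compare equal yet the responder still answers NO_PROPOSAL_CHOSEN, the responder's own log (Site B) is the one that names the rejected transform, since only the responder knows what it compared against.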
08-13-2021 11:35 PM
Hello,
tough one. Have you tried anything higher than DH group 2 (which nowadays is considered a security risk)?
08-15-2021 09:24 AM
Thank you for the stronger security tip, but it's a VPN connectivity issue first and foremost; it makes no difference if a stronger security connection is used if I cannot even establish a simple lower security VPN connection.
It's a simple Cisco default VPN configured RV160W to a RV160. If we take the Cisco default configuration settings as the same on each router besides the different site IP addresses, it should be plug and play...
08-15-2021 11:14 AM
Hello,
what I meant to say was try different DH groups, maybe it works with a higher group...
Also, toggle the 'Perfect Forward Secrecy' (that is, enable and/or disable it on both sides) option. This is a Phase II option. Maybe it works with or without PFS...
08-15-2021 09:53 AM - edited 08-15-2021 09:57 AM
Hi,
Maybe try to change phase 2 options?
I would try to change the following values in both the RV160W and RV160:
Encryption, DH group, Authentication.
(It is important that the values are equal on both RV160W and RV160).
I have attached a link to the guide for making the change through the GUI, maybe this will give ideas to more people.