Apple MacBook built in VPN client: NO_PROPOSAL_CHOSEN

WStoffel1, Level 1

Trying to get a Mac with OS X connected to a VPN on an ASA, with the built-in Mac VPN client.  The tunnel group (connection profile) is named MAC.  Unfortunately I only have ASDM access to this box.

Here's the relevant config:

sh run cryp
crypto ipsec transform-set transformer esp-des esp-md5-hmac
crypto ipsec transform-set dessha esp-des esp-sha-hmac
crypto ipsec transform-set nmh esp-3des esp-md5-hmac
crypto ipsec transform-set chum esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto dynamic-map dynmap 99 set transform-set transformer
crypto map netopia 99 ipsec-isakmp dynamic dynmap
crypto map netopia 100 set security-association lifetime seconds 28800
crypto map netopia interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
crypto isakmp policy 4
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 5
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 15
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 99
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

sh run tunn
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group MAC type remote-access
tunnel-group MAC general-attributes
 address-pool pptp
 default-group-policy MAC
tunnel-group MAC ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication none
tunnel-group MAC ppp-attributes
 authentication ms-chap-v2

Here's the debug logs:

RECV PACKET from 184.x.x.19

ISAKMP Header

  Initiator COOKIE: f9 a3 b6 57 5b 02 b8 a6

  Responder COOKIE: 00 00 00 00 00 00 00 00

  Next Payload: Security Association

  Version: 1.0

  Exchange Type: Aggressive Mode

  Flags: (none)

  MessageID: 00000000

  Length: 735

  Payload Security Association

    Next Payload: Key Exchange

    Reserved: 00

    Payload Length: 292

    DOI: IPsec

    Situation:(SIT_IDENTITY_ONLY)

    Payload Proposal

      Next Payload: None

      Reserved: 00

      Payload Length: 280

      Proposal #: 1

      Protocol-Id: PROTO_ISAKMP

      SPI Size: 0

      # of transforms: 8

      Payload Transform

        Next Payload: Transform

        Reserved: 00

        Payload Length: 36

        Transform #: 1

        Transform-Id: KEY_IKE

        Reserved2: 0000

        Life Type: seconds

        Life Duration (Hex): 0e 10

        Encryption Algorithm: AES-CBC

        Key Length: 256

        Authentication Method: XAUTH_INIT_PRESHRD

        Hash Algorithm: SHA1

        Group Description: Group 2

      Payload Transform

        Next Payload: Transform

        Reserved: 00

        Payload Length: 36

        Transform #: 2

        Transform-Id: KEY_IKE

        Reserved2: 0000

        Life Type: seconds

        Life Duration (Hex): 0e 10

        Encryption Algorithm: AES-CBC

        Key Length: 128

        Authentication Method: XAUTH_INIT_PRESHRD

        Hash Algorithm: SHA1

        Group Description: Group 2

      Payload Transform

        Next Payload: Transform

        Reserved: 00

        Payload Length: 36

        Transform #: 3

        Transform-Id: KEY_IKE

        Reserved2: 0000

        Life Type: seconds

        Life Duration (Hex): 0e 10

        Encryption Algorithm: AES-CBC

        Key Length: 256

        Authentication Method: XAUTH_INIT_PRESHRD

        Hash Algorithm: MD5

        Group Description: Group 2

      Payload Transform

        Next Payload: Transform

        Reserved: 00

        Payload Length: 36

        Transform #: 4

        Transform-Id: KEY_IKE

        Reserved2: 0000

        Life Type: seconds

        Life Duration (Hex): 0e 10

        Encryption Algorithm: AES-CBC

        Key Length: 128

        Authentication Method: XAUTH_INIT_PRESHRD

        Hash Algorithm: MD5

        Group Description: Group 2

      Payload Transform

        Next Payload: Transform

        Reserved: 00

        Payload Length: 32

        Transform #: 5

        Transform-Id: KEY_IKE

        Reserved2: 0000

        Life Type: seconds

        Life Duration (Hex): 0e 10

        Encryption Algorithm: 3DES-CBC

        Authentication Method: XAUTH_INIT_PRESHRD

        Hash Algorithm: SHA1

        Group Description: Group 2

      Payload Transform

        Next Payload: Transform

        Reserved: 00

        Payload Length: 32

        Transform #: 6

        Transform-Id: KEY_IKE

        Reserved2: 0000

        Life Type: seconds

        Life Duration (Hex): 0e 10

        Encryption Algorithm: 3DES-CBC

        Authentication Method: XAUTH_INIT_PRESHRD

        Hash Algorithm: MD5

        Group Description: Group 2

      Payload Transform

        Next Payload: Transform

        Reserved: 00

        Payload Length: 32

        Transform #: 7

        Transform-Id: KEY_IKE

        Reserved2: 0000

        Life Type: seconds

        Life Duration (Hex): 0e 10

        Encryption Algorithm: DES-CBC

        Authentication Method: XAUTH_INIT_PRESHRD

        Hash Algorithm: SHA1

        Group Description: Group 2

      Payload Transform

        Next Payload: None

        Reserved: 00

        Payload Length: 32

        Transform #: 8

        Transform-Id: KEY_IKE

        Reserved2: 0000

        Life Type: seconds

        Life Duration (Hex): 0e 10

        Encryption Algorithm: DES-CBC

        Authentication Method: XAUTH_INIT_PRESHRD

        Hash Algorithm: MD5

        Group Description: Group 2

  Payload Key Exchange

    Next Payload: Nonce

    Reserved: 00

    Payload Length: 132

    Data:

      14 96 b9 14 61 a7 89 10 7d 55 3a d3 dd a1 16 03

      d7 6c d7 bb ed 72 5c 7f 53 e4 22 0c d3 f2 a2 60

      06 b3 9a 1e 53 af eb e7 4d 41 78 43 bd 89 3f f7

      df 54 37 ee f4 8d 7c 95 57 51 a8 c4 79 18 4e e8

      b9 08 fc aa e6 d6 91 12 71 cf 25 cc a2 b0 d6 26

      c8 b8 d1 79 8a b3 0b ba 8e 66 c9 3e 36 f5 19 4e

      06 4b 52 b0 30 b5 a1 01 a0 6d 81 c7 99 ea 8c 7a

      5d 07 e0 ba 7d 46 4c 20 6b 3c ef 25 67 23 43 3e

  Payload Nonce

    Next Payload: Identification

    Reserved: 00

    Payload Length: 20

    Data:

      99 dd f2 d9 f9 6c d9 ea 9e b6 14 2a ee 66 8d f4

  Payload Identification

    Next Payload: Vendor ID

    Reserved: 00

    Payload Length: 19

    ID Type: ID_KEY_ID (11)

    Protocol ID (UDP/TCP, etc...): 0

    Port: 0

    ID Data: MAC

  Payload Vendor ID

    Next Payload: Vendor ID

    Reserved: 00

    Payload Length: 24

    Data (In Hex):

      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3

      80 00 00 00

  Payload Vendor ID

    Next Payload: Vendor ID

    Reserved: 00

    Payload Length: 20

    Data (In Hex):

      4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f

  Payload Vendor ID

    Next Payload: Vendor ID

    Reserved: 00

    Payload Length: 20

    Data (In Hex):

      4d f3 79 28 e9 fc 4f d1 b3 26 21 70 d5 15 c6 62

  Payload Vendor ID

    Next Payload: Vendor ID

    Reserved: 00

    Payload Length: 20

    Data (In Hex):

      8f 8d 83 82 6d 24 6b 6f c7 a8 a6 a4 28 c1 1d e8

  Payload Vendor ID

    Next Payload: Vendor ID

    Reserved: 00

    Payload Length: 20

    Data (In Hex):

      43 9b 59 f8 ba 67 6c 4c 77 37 ae 22 ea b8 f5 82

  Payload Vendor ID

    Next Payload: Vendor ID

    Reserved: 00

    Payload Length: 20

    Data (In Hex):

      4d 1e 0e 13 6d ea fa 34 c4 f3 ea 9f 02 ec 72 85

  Payload Vendor ID

    Next Payload: Vendor ID

    Reserved: 00

    Payload Length: 20

    Data (In Hex):

      80 d0 bb 3d ef 54 56 5e e8 46 45 d4 c8 5c e3 ee

  Payload Vendor ID

    Next Payload: Vendor ID

    Reserved: 00

    Payload Length: 20

    Data (In Hex):

      99 09 b6 4e ed 93 7c 65 73 de 52 ac e9 52 fa 6b

  Payload Vendor ID

    Next Payload: Vendor ID

    Reserved: 00

    Payload Length: 20

    Data (In Hex):

      7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56

  Payload Vendor ID

    Next Payload: Vendor ID

    Reserved: 00

    Payload Length: 20

    Data (In Hex):

      cd 60 46 43 35 df 21 f8 7c fd b2 fc 68 b6 a4 48

  Payload Vendor ID

    Next Payload: Vendor ID

    Reserved: 00

    Payload Length: 20

    Data (In Hex):

      90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f

  Payload Vendor ID

    Next Payload: None

    Reserved: 00

    Payload Length: 20

    Data (In Hex):

      af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00

Jun 03 15:09:21 [IKEv1]: IP = 184.x.x.19, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 735

Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, processing SA payload

Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, processing ke payload

Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, processing ISA_KE payload

Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, processing nonce payload

Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, processing ID payload

Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, processing VID payload

Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, Received Fragmentation VID

Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False

Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, processing VID payload

Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, Received NAT-Traversal RFC VID

Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, processing VID payload

Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, processing VID payload

Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, processing VID payload

Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, processing VID payload

Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, processing VID payload

Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, processing VID payload

Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, processing VID payload

Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, Received NAT-Traversal ver 03 VID

Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, processing VID payload

Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, processing VID payload

Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, Received NAT-Traversal ver 02 VID

Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, processing VID payload

Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, Received DPD VID

Jun 03 15:09:21 [IKEv1]: IP = 184.x.x.19, Connection landed on tunnel_group MAC

Jun 03 15:09:21 [IKEv1]: Group = MAC, IP = 184.x.x.19, No valid authentication type found for the tunnel group

Jun 03 15:09:21 [IKEv1 DEBUG]: Group = MAC, IP = 184.x.x.19, processing IKE SA payload

Jun 03 15:09:21 [IKEv1]: IP = 184.x.x.19, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 332

ISAKMP Header

  Initiator COOKIE: f9 a3 b6 57 5b 02 b8 a6

  Responder COOKIE: 97 f5 29 90 eb 85 10 ae

  Next Payload: Notification

  Version: 1.0

  Exchange Type: Informational

  Flags: (none)

  MessageID: 00000000

  Length: 332

  Payload Notification

    Next Payload: None

    Reserved: 00

    Payload Length: 304

    DOI: IPsec

    Protocol-ID: Reserved

    Spi Size: 0

    Notify Type: NO_PROPOSAL_CHOSEN

    Data:

      04 00 24 01 01 00 00 00 01 00 00 00 00 00 18 01

      01 01 00 08 28 00 00 00 02 00 00 00 00 00 00 00

      90 f5 eb ca 60 5c 60 09 18 0f 4f c8 71 c1 3d 08

      90 f5 eb ca 80 da 28 c9 00 00 00 00 00 00 00 00

      01 10 04 00 00 00 00 00 dd 88 04 cb f8 f8 eb ca

      f8 f8 eb ca 09 00 00 00 58 0f 4f c8 57 07 0b 09

      90 f5 eb ca 00 00 00 00 84 0f 4f c8 00 00 00 00

      f9 a3 b6 57 5b 02 b8 a6 8b 00 00 00 26 00 00 00

      a0 9e 26 09 00 00 00 00 68 0f 4f c8 8c cf 4e c8

      90 cf 4e c8 00 00 00 00 88 0f 4f c8 5b 6b 3e 08

      60 5c 60 09 f8 f8 eb ca 0c 00 00 00 90 f5 eb ca

      00 00 00 00 84 0f 4f c8 40 70 fc ca bc d2 4e c8

      c0 d2 4e c8 90 91 3a cb 88 11 4f c8 92 60 3f 08

      60 5c 60 09 f8 f8 eb ca 0c 00 00 00 90 f5 eb ca

      00 00 00 00 90 91 3a cb 78 56 34 12 78 56 34 12

      78 56 34 12 78 56 34 12 78 56 34 12 78 56 34 12

      78 56 34 12 78 56 34 12 78 56 34 00 00 00 00 00

      00 00 00 00 ff ff ff ff 1a 00 00 00 00 00 00 00

      58 26 de c9

Jun 03 15:09:21 [IKEv1 DEBUG]: Group = MAC, IP = 184.x.x.19, All SA proposals found unacceptable

Jun 03 15:09:21 [IKEv1]: IP = 184.x.x.19, All IKE SA proposals found unacceptable!

Jun 03 15:09:21 [IKEv1 DEBUG]: Group = MAC, IP = 184.x.x.19, IKE AM Responder FSM error history (struct &0xcaebf590)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_BLD_MSG2, EV_PROCESS_SA-->AM_BLD_MSG2, EV_GROUP_LOOKUP-->AM_BLD_MSG2, EV_PROCESS_MSG-->AM_BLD_MSG2, EV_CREATE_TMR-->AM_START, EV_RCV_MSG-->AM_START, EV_START_AM-->AM_START, EV_START_AM

Jun 03 15:09:21 [IKEv1 DEBUG]: Group = MAC, IP = 184.x.x.19, IKE SA AM:9029f597 terminating:  flags 0x01000001, refcnt 0, tuncnt 0

Jun 03 15:09:21 [IKEv1 DEBUG]: Group = MAC, IP = 184.x.x.19, sending delete/delete with reason message

Jun 03 15:09:21 [IKEv1]: Group = MAC, IP = 184.x.x.19, Removing peer from peer table failed, no match!

Jun 03 15:09:21 [IKEv1]: Group = MAC, IP = 184.x.x.19, Error: Unable to remove PeerTblEntry

ISAKMP Header

  Initiator COOKIE: b1 8c 61 aa 2d 6b 4f 9b

  Responder COOKIE: 1d ae c6 38 2b 57 db 89

  Next Payload: Hash

  Version: 1.0

  Exchange Type: Quick Mode

  Flags: (Encryption)

  MessageID: 70D7F9EA

  Length: 164

PS: Anyone know where to find the meaning of the FSM history codes?  (EV_START_AM-->AM_START, EV_START_AM and so on...)


WStoffel1, Level 1

Just an update, since I have Windows clients connecting to this group and they have no issues.  I captured packets on the outside interface and I see a huge difference between the Windows client version 5.0.07.0290 and the IKE proposals from the Mac.

Specifically, none of my IKE policies match up for the MacBook because the authentication method is:

Transform IKE Attribute Type (t=3,l=2) Authentication-Method : XAUTHInitPreShared

with a value of 65001

Whereas on the Windows clients it's:

Transform IKE Attribute Type (t=3,l=2) Authentication-Method : PSK

with a value of 1

The only config on the built-in Mac client is to set a shared secret, and it matches the pre-shared key set on the ASA.  Also I've tried several combinations of settings for IKE authentication to no avail:

tunnel-group MAC ipsec-attributes
 radius-sdi-xauth
 isakmp ikev1-user-authentication xauth

Or setting it to disabled (which is how it's set for the Windows clients and is working)...

That's where I'm stuck so any thoughts would be helpful.

RESOLVED!

Here's the key:

tunnel-group MAC ipsec-attributes
 isakmp ikev1-user-authentication xauth

Then in the Mac client you need the user name and password fields pre-filled in the configuration of the connection.  It will not prompt you; it just fails unless it sends that info in the initial connection.  For now a username in the local AAA database works, but I'll point it to the RADIUS server in the final config.
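The proposal mismatch this thread works through, as an added example (not code from the original post or from Cisco): a Python script that builds the Mac client's eight IKEv1 aggressive-mode transforms from the fields visible in the debug output above, parses them the way an ISAKMP responder decodes Transform payloads (RFC 2408 attribute encoding, RFC 2409 attribute classes), and evaluates them against the `crypto isakmp policy` entries from the post under both `isakmp ikev1-user-authentication` settings. The effect of that setting on the acceptable Authentication-Method values (1 = pre-shared key, 65001 = XAUTHInitPreShared) and the lifetime handling are simplified models of the behaviour the thread shows, not the ASA's own matching code; the transform bytes are constructed from the decoded debug output, not taken from a capture.

```python
"""Decode the Mac client's IKEv1 SA transforms and match them against ASA isakmp policies.

Shows why the ASA answers NO_PROPOSAL_CHOSEN with `isakmp ikev1-user-authentication none`
and accepts a proposal once the tunnel-group is set to `xauth`.
"""
import struct

# IKEv1 attribute classes (RFC 2409 Appendix A) and the values seen in the thread.
ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP = 1, 2, 3, 4
ATTR_LIFE_TYPE, ATTR_LIFE_DURATION, ATTR_KEY_LENGTH = 11, 12, 14
ENC = {1: "des", 5: "3des", 7: "aes"}
HASH = {1: "md5", 2: "sha"}
PSK, XAUTH_INIT_PSK = 1, 65001      # 65001 = XAUTHInitPreShared (draft-ietf-ipsec-isakmp-xauth)
NEXT_TRANSFORM, NEXT_NONE = 3, 0     # ISAKMP next-payload types


def basic_attr(cls, value):
    """ISAKMP basic (TV) attribute: AF bit set, 2-byte value (RFC 2408 section 3.3)."""
    return struct.pack("!HH", 0x8000 | cls, value)


def build_transform(num, enc, hash_, auth, group, keylen=None, life=3600, last=False):
    """One Transform payload laid out as the Mac client sends it (Key Length only for AES)."""
    attrs = basic_attr(ATTR_LIFE_TYPE, 1) + basic_attr(ATTR_LIFE_DURATION, life)
    attrs += basic_attr(ATTR_ENC, enc)
    if keylen is not None:
        attrs += basic_attr(ATTR_KEY_LENGTH, keylen)
    attrs += basic_attr(ATTR_AUTH, auth) + basic_attr(ATTR_HASH, hash_) + basic_attr(ATTR_GROUP, group)
    header = struct.pack("!BBHBBH", NEXT_NONE if last else NEXT_TRANSFORM, 0, 8 + len(attrs), num, 1, 0)
    return header + attrs  # Transform-Id 1 = KEY_IKE


def parse_transforms(data):
    """Walk a chain of Transform payloads and return one attribute dict per transform."""
    out, off = [], 0
    while True:
        next_payload, _, length, num, _tid, _ = struct.unpack_from("!BBHBBH", data, off)
        attrs, pos, end = {}, off + 8, off + length
        while pos < end:
            tv, val = struct.unpack_from("!HH", data, pos)
            cls = tv & 0x7FFF
            if tv & 0x8000:                      # basic attribute: value is the 2 bytes just read
                attrs[cls], pos = val, pos + 4
            else:                                # variable-length: val is the length of what follows
                attrs[cls] = int.from_bytes(data[pos + 4:pos + 4 + val], "big")
                pos += 4 + val
        out.append({"num": num, "enc": ENC.get(attrs.get(ATTR_ENC)), "keylen": attrs.get(ATTR_KEY_LENGTH),
                    "hash": HASH.get(attrs.get(ATTR_HASH)), "auth": attrs.get(ATTR_AUTH),
                    "group": attrs.get(ATTR_GROUP), "life": attrs.get(ATTR_LIFE_DURATION)})
        off = end
        if next_payload == NEXT_NONE:
            return out


# The ASA's `crypto isakmp policy` entries from the post: (priority, enc, key bits, hash, DH group).
# On the ASA, `encryption aes` means a 128-bit key; aes-192 / aes-256 are separate keywords.
ASA_POLICIES = [(1, "3des", None, "sha", 2), (4, "3des", None, "md5", 2), (5, "des", None, "sha", 1),
                (10, "des", None, "md5", 1), (15, "3des", None, "sha", 2), (99, "des", None, "md5", 2),
                (65535, "aes", 128, "sha", 2)]

# Simplified model (assumption, not ASA code) of what the tunnel-group setting makes acceptable:
# `none` accepts only plain pre-shared key (1); `xauth` also accepts XAUTHInitPreShared (65001).
ACCEPTABLE_AUTH = {"none": {PSK}, "xauth": {PSK, XAUTH_INIT_PSK}}


def select_proposal(transforms, policies, user_auth):
    """Return (policy priority, transform #) of the first match, walking policies in priority order
    as Cisco documents IKE policy matching; None means NO_PROPOSAL_CHOSEN. Lifetime is not compared:
    a responder may accept a peer lifetime shorter than its own (simplification)."""
    ok_auth = ACCEPTABLE_AUTH[user_auth]
    for prio, enc, keylen, hash_, group in policies:
        for t in transforms:
            if (t["enc"], t["keylen"], t["hash"], t["group"]) == (enc, keylen, hash_, group) and t["auth"] in ok_auth:
                return prio, t["num"]
    return None


# Constructed from the eight transforms decoded in the debug output: (enc id, key bits, hash id, group).
MAC_TRANSFORMS = [(7, 256, 2, 2), (7, 128, 2, 2), (7, 256, 1, 2), (7, 128, 1, 2),
                  (5, None, 2, 2), (5, None, 1, 2), (1, None, 2, 2), (1, None, 1, 2)]
MAC_SA_TRANSFORMS = b"".join(
    build_transform(i, enc, h, XAUTH_INIT_PSK, g, keylen, last=(i == len(MAC_TRANSFORMS)))
    for i, (enc, keylen, h, g) in enumerate(MAC_TRANSFORMS, 1))


def negotiate(user_auth):
    """Run the Mac's proposal against the ASA policies under one tunnel-group setting."""
    return select_proposal(parse_transforms(MAC_SA_TRANSFORMS), ASA_POLICIES, user_auth)


if __name__ == "__main__":
    for setting in ("none", "xauth"):
        result = negotiate(setting)
        verdict = "NO_PROPOSAL_CHOSEN" if result is None else f"policy {result[0]} <- transform {result[1]}"
        print(f"isakmp ikev1-user-authentication {setting}: {verdict}")
```

The constructed payload lengths line up with the debug output (36 bytes for the AES transforms, 32 for the others, 272 bytes for all eight, which is the 280-byte Proposal payload minus its 8-byte header), so the same parser can be pointed at a real decode to check which attribute is the one no policy accepts. With `none` every transform fails on the Authentication-Method attribute, exactly the "No valid authentication type found for the tunnel group" line; with `xauth` policy 1 (3DES/SHA/group 2) is the first to match, against the Mac's transform 5.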