Jfbintec, posted 17 February 2014:

Hi everybody,

I am trying to set up VPN access between the Shrew Soft client version 2.2.2 (Standard Edition) and a Bintec R230a (or Bintec RS230a) with certificate authentication. I used OpenSSL, XCA (freeware) and also the Bintec client, but I always have the same problem: when I try to connect my computer to the VPN, I get this log (from the Shrew Soft VPN Trace):

14/02/17 14:39:22 DB : phase1 found
14/02/17 14:39:22 DB : phase1 ref increment ( ref count = 2, obj count = 1 )
14/02/17 14:39:22 ii : processing informational packet ( 102 bytes )
14/02/17 14:39:22 =< : cookies aa86417eb208a4ef:a112df24d3e33898
14/02/17 14:39:22 =< : message 7fc5b7a7
14/02/17 14:39:22 << : notification payload
14/02/17 14:39:22 ii : received peer NO-PROPOSAL-CHOSEN notification
14/02/17 14:39:22 ii : - xx.xx.xx.xx:500 -> 192.168.0.29:500
14/02/17 14:39:22 ii : - isakmp spi = aa86417eb208a4ef:a112df24d3e33898
14/02/17 14:39:22 ii : - data size 46

Of course, I checked the ports of my Bintec and they are open (500-4500). For this log I used an IKE config pull, but I already tried with a static IP configuration. I checked the phase 1 profile configuration in my Bintec and in my client, but it's the same. I tried a lot of encryption modes (AES-MD5…), auto mode with DH Exchange, Policy, and DNS... I think I tried every configuration that we have in the Shrew Soft client. If that helps you, I use a domain name and my Bintec is behind a modem.

When I saw it doesn't work, I used this tutorial: http://www.neo-one.de/downloads/dokumente/Teldat%20[bintec%20IPSec]/IKEv2%20zwischen%20bintec%20IPSec%20Client%20und%20Gateway%20mit%20Zertifikaten.pdf

To simplify, I want to use Authentication Method Mutual RSA, but whatever I use, I also get the same error message: "NO-PROPOSAL-CHOSEN"

JackC, posted 18 February 2014:
Did you look at the log from the Bintec? There is a lot more information than you can get from the Shrew Soft client. Just connect over telnet -> log in -> type "debug all&". Then try to connect.
Did you update the Bintec to the latest firmware? I recommend deleting the configuration, including Phase 1 and 2, and starting from the beginning. "NO-PROPOSAL-CHOSEN" means that there is no algorithm chosen in Phase 1 or 2. This can also be a bug on the Bintec when creating a VPN. So upgrade to the latest firmware first.

Jfbintec (author), posted 18 February 2014 (edited):
No logs appear in my Bintec with your commands. :( I will try updating the firmware.
Edited 18 February 2014 by Jfbintec

Jfbintec (author), posted 18 February 2014 (edited):
No logs appear in my Bintec with your commands. :( I will try updating the firmware.
The same error message with the latest firmware... I also tried to create Phase 1 and 2 again.
Edited 18 February 2014 by Jfbintec

JackC, posted 18 February 2014:
debug all& shows real-time information on your Bintec. After entering this command, try to connect. The connection should be displayed. If not, then your VPN connects to another device, but not your Bintec.

Jfbintec (author), posted 18 February 2014:
It's good, I found it, but the same message:
P1: peer 3 (...) sa 10 (R): failed ip x.x.x.x <- ip y.y.y.y (No proposal chosen)

Crash2001, posted 18 February 2014:
It looks very much like the IPsec phase 2 negotiation is failing because there are no matching parameters.
Authentication algorithm (MD5, SHA1)
Encryption algorithm (DES, 3DES, AES128, AES192, AES256)
Protocol (AH, ESP)
You have to make sure that these are the same on the client and the server side so that a connection can be established. See here.

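Added example (not part of any post in this thread, and not Bintec or Shrew Soft code): a simplified model of how an IKEv1 responder matches proposals and why the result is NO-PROPOSAL-CHOSEN. It goes slightly beyond the attributes listed in the post above by also comparing the DH group and the phase 1 authentication method; the attribute labels and both proposal sets are constructed for illustration.

```python
# Added illustration: simplified IKEv1-style proposal matching.
# Attribute labels and both proposal sets are constructed sample data.
from typing import NamedTuple, Optional

class Transform(NamedTuple):
    phase: int            # 1 = ISAKMP SA, 2 = IPsec SA
    enc: str              # encryption algorithm
    integ: str            # hash (phase 1) or HMAC (phase 2)
    group: Optional[str]  # DH group (phase 1) or PFS group (phase 2)
    auth: Optional[str]   # phase 1 only: authentication method

FIELDS = ("enc", "integ", "group", "auth")

def select(offered, accepted):
    """Responder side: first offered transform that is acceptable as a whole.
    None models the NO-PROPOSAL-CHOSEN notification."""
    for t in offered:
        if t in accepted:
            return t
    return None

def nearest_miss(offered, accepted):
    """Closest offered/accepted pair of the same phase and the fields that differ."""
    best = None
    for o in offered:
        for a in accepted:
            if o.phase != a.phase:
                continue
            diff = [f for f in FIELDS if getattr(o, f) != getattr(a, f)]
            if best is None or len(diff) < len(best[2]):
                best = (o, a, diff)
    return best

# Constructed: gateway accepts one phase 1 transform with certificate (RSA signature) auth.
GATEWAY_ACCEPTS = [Transform(1, "AES128", "SHA1", "modp1024", "RSA-SIG")]
# Constructed: client cycles through every cipher/hash pair but offers pre-shared-key auth.
CLIENT_OFFER = [Transform(1, e, h, "modp1024", "PSK")
                for e in ("AES256", "AES128", "3DES") for h in ("SHA1", "MD5")]

if __name__ == "__main__":
    print("selected:", select(CLIENT_OFFER, GATEWAY_ACCEPTS))
    o, a, diff = nearest_miss(CLIENT_OFFER, GATEWAY_ACCEPTS)
    print("closest offer differs in:", diff)
    fixed = [t._replace(auth="RSA-SIG") for t in CLIENT_OFFER]
    print("after aligning auth method:", select(fixed, GATEWAY_ACCEPTS))
```

The same comparison works for phase 2 by listing Transform(2, ...) entries with auth set to None.
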
Jfbintec (author), posted 18 February 2014:
"I checked the phase 1 profile configuration in my Bintec and in my client, but it's the same. I tried a lot of encryption modes (AES-MD5…), auto mode with DH Exchange, Policy, and DNS..."
So, yes, I already checked that.

JackC, posted 18 February 2014:
Did you configure the VPN over the GUI? As far as I know I had the same issue. I deleted the whole VPN, Phase 1 and Phase 2 config and set it up again via console.
You can also check the parameters again via console:
- telnet "IP"
- Login, type "setup"

Crash2001, posted 18 February 2014:
@Jfbintec: phase 1 seems to be OK, but it's hanging at phase 2.

Jfbintec (author), posted 18 February 2014:
Yes, and I also configured it via console.

Jfbintec (author), posted 18 February 2014:
I don't reach phase 2. Are you sure?

Crash2001, posted 18 February 2014:
You don't reach phase 2 because there are no matching entries, and because of that it says "NO-PROPOSAL-CHOSEN", I think. With the given entries there is no "profile" (?) that matches the other side, and because of that no connection can be established because phase 2 cannot be initiated.

Jfbintec (author), posted 18 February 2014:
@Crash2001 But when I tried everything, I changed phase 1 to another configuration than the Bintec, but I also have the same error message. (Sorry for my English)

JackC, posted 18 February 2014:
Did you set the correct phase 2 configuration for the correct VPN? Maybe there is another phase 2 configuration set in the VPN profile.

Crash2001, posted 18 February 2014:
[...] But when I tried everything, I changed phase 1 to another configuration than the Bintec, but I also have the same error message. [...]
Phase 1 seems to work, but not phase 2. So why are you talking again and again about phase 1?

Jfbintec (author), posted 18 February 2014:
Yes, it's the right phase 2 configuration. I have been on this message for one week.

Jfbintec (author), posted 18 February 2014:
My phase 2 accepts all algorithms and I tried all the algorithms that I have in the Shrew Soft client. But nothing changes.

JackC, posted 18 February 2014:
Then let's try to specify just one.

Jfbintec (author), posted 18 February 2014:
I also tried that ^^" Without PFS group, with it. IP compression, no IP compression...

JackC, posted 18 February 2014:
I recommend starting from the beginning.
Delete Phase 1 and 2.
Delete your VPN Profile.
Configure Phase 1
Configure Phase 2
Configure VPN Profile
Connect Phase 1 and 2 to your VPN Profile.

Jfbintec (author), posted 18 February 2014:
I am starting from the beginning again with the console, I hope this time it works.

Jfbintec (author), posted 18 February 2014:
Nothing changes :upps

Crash2001, posted 19 February 2014:
Maybe the VPN client isn't compatible with the VPN server? Have you checked that you choose a phase 2 set that is supported on both sides and has explicit configuration and not all auto? (On some systems one side needs to choose the configuration set, and without a choice (all on auto) it doesn't work.)

Jfbintec (author), posted 19 February 2014:
I tried with the Bintec client but the same error appears. Yes, I checked that, but no change.