
Bintec RS230a VPN NO-PROPOSAL-CHOSEN



Posted

Hi everybody,

I am trying to set up VPN access between the Shrew Soft client version 2.2.2 (Standard Edition) and a Bintec R230a (or Bintec RS230a) with certificate authentication. I used OpenSSL, XCA (freeware) and also the Bintec client, but I always have the same problem: when I try to connect my computer to the VPN, I get this log (captured with Shrew Soft VPN Trace):

14/02/17 14:39:22 DB : phase1 found

14/02/17 14:39:22 DB : phase1 ref increment ( ref count = 2, obj count = 1 )

14/02/17 14:39:22 ii : processing informational packet ( 102 bytes )

14/02/17 14:39:22 =< : cookies aa86417eb208a4ef:a112df24d3e33898

14/02/17 14:39:22 =< : message 7fc5b7a7

14/02/17 14:39:22 << : notification payload

14/02/17 14:39:22 ii : received peer NO-PROPOSAL-CHOSEN notification

14/02/17 14:39:22 ii : - xx.xx.xx.xx:500 -> 192.168.0.29:500

14/02/17 14:39:22 ii : - isakmp spi = aa86417eb208a4ef:a112df24d3e33898

14/02/17 14:39:22 ii : - data size 46

Of course, I checked the ports of my Bintec and they are open (500-4500). For this log I used an IKE config pull, but I have already tried with a static IP configuration. I checked the phase-1 profile configuration on my Bintec and in my client, and it's the same. I tried a lot of encryption modes (AES-MD5…), auto mode with DH Exchange, Policy, and DNS... I think I tried every configuration available in the Shrew Soft client.

If that helps you, I use a domain name and my Bintec is behind a modem. When I saw that it doesn't work, I used this tutorial:

http://www.neo-one.de/downloads/dokumente/Teldat%20[bintec%20IPSec]/IKEv2%20zwischen%20bintec%20IPSec%20Client%20und%20Gateway%20mit%20Zertifikaten.pdf

To simplify, I want to use the Authentication Method Mutual RSA, but whatever I use, I also get the same error message: “NO-PROPOSAL-CHOSEN”

Posted

Did you look at the log from the Bintec? There is a lot more information there than you can get from the ShrewSoft Client. Just connect over telnet -> log in -> type "debug all&". Then try to connect.

Did you update the Bintec to the latest firmware?

I recommend deleting the configuration, including Phase 1 and 2, and starting from the beginning. “NO-PROPOSAL-CHOSEN” means that there is no algorithm chosen in Phase 1 or 2. This can also be a bug on the Bintec when creating a VPN. So upgrade to the latest firmware first.

Posted (edited)

No logs appear on my Bintec with your commands. :(

I will try updating the firmware.

The same error message with the latest firmware...

I also tried to create Phase 1 and 2 again.

Edited by Jfbintec

Posted

debug all& shows real-time information on your Bintec. After entering this command, try to connect. The connection should be displayed. If not, then your VPN connects to another device, but not your Bintec.

Posted

It looks very much like the IPsec phase 2 negotiation is failing because there are no matching parameters.

Authentication algorithm (MD5, SHA1)

Encryption algorithm (DES, 3DES, AES128, AES192, AES256)

Protocol (AH, ESP)

You have to make sure that these are the same on the client and the server side so that a connection can be established.

See here.

Posted

"I check configuration phase-1 profile in my Bintec and in my client but it’s the same. I try a lot of encryption mode (AES-MD5…), auto mode with DH Exchange, Policy, and DNS..."

So, yes, I already checked that.

Posted

Did you configure the VPN over the GUI? As far as I know I had the same issue. I deleted the whole VPN, Phase 1 and Phase 2 config and set it up again via console.

You can also check the parameters again via console:

- telnet "IP"

- Login

- type "setup"

Posted

You don't reach phase 2 because there are no matching entries and because of that it says "NO-PROPOSAL-CHOSEN", I think.

With the given entries there is no "profile" (?) that matches the other side and because of that no connection can be established because phase 2 cannot be initiated.

Posted

[...] But when I tried everything, I change phase 1 with other configuration than Bintec but I have also the same message error. [...]

Phase 1 seems to work, but not phase 2. So why are you talking about phase 1 again and again?

Posted

I recommend starting from the beginning. Delete Phase 1 and 2. Delete your VPN Profile.

Configure Phase 1

Configure Phase 2

Configure VPN Profile

Connect Phase 1 and 2 to your VPN Profile.

Posted

Maybe the VPN client isn't compatible with the VPN server?

Have you checked that you chose a phase 2 set that is supported on both sides and has an explicit configuration and not all auto? (On some systems it needs one side to choose the configuration set, and without a choice (all on auto) it doesn't work.)
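
Added example, not part of any post in this thread and not Bintec or Shrew Soft code: a small offline check of the proposal matching the replies describe, which picks the first client proposal the gateway also accepts and, when none matches, names the fields in which the closest pair differs. The `Proposal` fields and all sample values are constructed assumptions; real gateways may compare further attributes such as key length or lifetime.

```python
from typing import NamedTuple, Optional

class Proposal(NamedTuple):
    protocol: str            # "ISAKMP" in phase 1; "ESP" or "AH" in phase 2
    encryption: str          # e.g. "AES256", "3DES"
    integrity: str           # e.g. "SHA1", "MD5"
    dh_group: Optional[int]  # phase 2: PFS group, None = PFS off

def select(initiator, responder):
    """Responder logic: first initiator proposal the responder also accepts."""
    accepted = set(responder)
    return next((p for p in initiator if p in accepted), None)

def closest_mismatch(initiator, responder):
    """Pair of proposals with the fewest differing fields, plus those fields."""
    pairs = ((i, r, [f for f in Proposal._fields if getattr(i, f) != getattr(r, f)])
             for i in initiator for r in responder)
    return min(pairs, key=lambda t: len(t[2]))

def diagnose(initiator, responder):
    """Return ("OK", proposal) or ("NO-PROPOSAL-CHOSEN", differing_fields)."""
    chosen = select(initiator, responder)
    if chosen is not None:
        return ("OK", chosen)
    return ("NO-PROPOSAL-CHOSEN", closest_mismatch(initiator, responder)[2])

# Constructed sample configuration, not taken from the thread.
CLIENT_P1 = [Proposal("ISAKMP", "AES256", "SHA1", 2),
             Proposal("ISAKMP", "3DES", "MD5", 2)]
GATEWAY_P1 = [Proposal("ISAKMP", "AES256", "SHA1", 2)]
CLIENT_P2 = [Proposal("ESP", "AES256", "SHA1", 2),
             Proposal("ESP", "AES128", "MD5", 2)]
GATEWAY_P2 = [Proposal("ESP", "AES256", "SHA1", None)]  # PFS disabled here

if __name__ == "__main__":
    for phase, client, gateway in (("phase 1", CLIENT_P1, GATEWAY_P1),
                                   ("phase 2", CLIENT_P2, GATEWAY_P2)):
        print(phase, *diagnose(client, gateway))
```

In the constructed data, phase 1 matches while phase 2 fails only on the PFS group, the kind of single-field difference that is easy to miss when one side is left on "auto".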

Fachinformatiker.de, 2024 by SE Internet Services
