Bintec RS230a VPN NO-PROPOSAL-CHOSEN

[Fl0]

Hi,

P1: peer 3 (...) sa 10 ®: failed ip x.x.x.x <- ip y.y.y.y (No proposal chosen)

The Phase 1 Negotation fails. As I can see you use the ID type "IP".

You should use the ID type "ASN.1-DN (Distinguished Name)" if you use certificates.

Try to set the identical ID type on both sides (bintec & client) and check again.

Otherwise take a look at the following FAQ from bintec:

IPSec phase 1 authentication details

"

The authentication of IPSec peers will fail when different proposals (AES, 3DES, Blowfish,...) and/or different modes (id-protect, aggressive) are used. The example below shows the error message of a failed IPSec connection:

11:32:45 INFO/IPSEC: P1: peer 1 (PSKs) sa 5306 (I): failed id der_asn1_dn(any:0,[0..99]=C=de, ST=Bavaria, L=Nuremberg, O=Support, CN=R1200) -> ip 111.222.111.222 (No proposal chosen)

In case of different modes (id-protect, aggressive) the solution is to choose an "id-protect" profile for "IKE (Phase 1) Defaults".

"

If it's not working, you should post a longer debug.

[Jfbintec]

Hi,

Badly, it didn't work. I paste you my log of my shrew soft client on pastebin for more simplicity: [Logtalk] Log Bintec R230a VPN Certificate - Pastebin.com

My log bintec speak about vendor id and no proposal chosen, no more...

[ardcore]

Get rid of the certificate and try to use a PSK instead. Your log clearly states multiple problems like:

14/02/21 09:11:09 !! : failed to generate local asn1-dn id from 'vpncert'

Try to get a working phase1 with PSKs, fix the problems and after that if you really need to use certificates convert back to them.