USG FLEX 200 no proposal error with Strongswan
AntonKotikov
Hi, I've made the settings on VPN Gateway Phase 1 as written in "USG/VPN/ATP Series - How to establish client to site VPN with Linux StrongSwan"
and have settings in ipsec. like
"ike=aes256-sha2_256-modp1024!
esp=aes256-sha2_256!"
but have a no proposal error.
How can I solve it?
Accepted Solution
-
Hi @AntonKotikov,
From the log, the Linux sent IKEv1, 3DES, MD5, DH2 to USG.
24 2023-01-20 18:07:10 info IKE Recv IKE sa: SA([0] protocol = IKE (1), 3DES, HMAC-MD5 PRF, HMAC-MD5-96, 1024 bit MODP; ).
But you set up DES, MD5, DH2 in USG, so there is a mismatch in Phase 1.
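The comparison made in the accepted solution, as an added example that is not part of the original thread and is not Zyxel or strongSwan code: it reduces the `Recv IKE sa` log line and a strongSwan-style proposal string to the same three fields and lists where they differ. The function names are hypothetical, the gateway's DES/MD5/DH2 setting is written here as `des-md5-modp1024` (DH2 is the 1024-bit MODP group), and only the log format shown on this page is handled.

```python
import re

# Line 24 of the gateway log quoted in this thread: what the Linux peer offered.
LOG_LINE = ("24 2023-01-20 18:07:10 info IKE Recv IKE sa: SA([0] protocol = IKE (1), "
            "3DES, HMAC-MD5 PRF, HMAC-MD5-96, 1024 bit MODP; ).")


def parse_swan_proposal(value):
    """Split a strongSwan-style 'ike=' value such as 'aes256-sha2_256-modp1024!'."""
    parts = value.strip().rstrip("!").lower().split("-")
    if len(parts) != 3:
        raise ValueError(f"expected enc-integ-dh, got {value!r}")
    return dict(zip(("enc", "integ", "dh"), parts))


def parse_gateway_log(line):
    """Extract the offered transform from a 'Recv IKE sa' gateway log line."""
    m = re.search(r"Recv IKE sa: SA\(\[\d+\] protocol = IKE \(\d+\), (.*?); \)", line)
    if not m:
        raise ValueError("not a 'Recv IKE sa' line")
    fields = [f.strip() for f in m.group(1).split(",")]
    # 'HMAC-MD5-96' is the integrity algorithm; 'HMAC-MD5 PRF' is skipped.
    integ = next(f for f in fields if re.fullmatch(r"HMAC-\w+-\d+", f))
    dh = next(f for f in fields if f.endswith("bit MODP"))
    return {
        "enc": fields[0].lower(),              # '3DES' -> '3des'
        "integ": integ.split("-")[1].lower(),  # 'HMAC-MD5-96' -> 'md5'
        "dh": "modp" + dh.split()[0],          # '1024 bit MODP' -> 'modp1024'
    }


def mismatches(offered, configured):
    """Return the transform fields on which the two sides disagree."""
    return [k for k in ("enc", "integ", "dh") if offered[k] != configured[k]]


if __name__ == "__main__":
    offered = parse_gateway_log(LOG_LINE)
    # Gateway side as described in the accepted solution (assumed notation).
    gateway = parse_swan_proposal("des-md5-modp1024")
    print("peer offered :", offered)
    print("gateway wants:", gateway)
    print("mismatch in  :", mismatches(offered, gateway) or "nothing")
```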
All Replies
-
Is CBC supported by your current StrongSwan configuration?
-
Never used strongSwan before, so I don't know how to check or enable CBC.
-
I think it's default?
ipsec listalgs | grep "CBC"
" encryption: AES_CBC[aes] RC2_CBC[rc2] 3DES_CBC[openssl] CAMELLIA_CBC[openssl] CAST_CBC[openssl] BLOWFISH_CBC[openssl]
DES_CBC[openssl] DES_ECB[openssl] NULL[openssl]
HMAC_SHA2_384_384[openssl] HMAC_SHA2_512_256[openssl] HMAC_SHA2_512_512[openssl] CAMELLIA_XCBC_96[xcbc]
AES_XCBC_96[xcbc]
PRF_HMAC_SHA2_384[openssl] PRF_HMAC_SHA2_512[openssl] PRF_FIPS_SHA"
-
I've changed ipsec.conf and Zyxel to 3des-md5 but still have errors
28 2023-01-20 18:07:10 info IKE The cookie pair is : 0x6a4554594d278e71 / 0x0000000000000000
27 2023-01-20 18:07:10 info IKE Recv Main Mode request from [83.220.236.2]
26 2023-01-20 18:07:10 info IKE The cookie pair is : 0xd30514efaa027e44 / 0x6a4554594d278e71
25 2023-01-20 18:07:10 info IKE Recv:[SA][VID][VID][VID][VID][VID]
24 2023-01-20 18:07:10 info IKE Recv IKE sa: SA([0] protocol = IKE (1), 3DES, HMAC-MD5 PRF, HMAC-MD5-96, 1024 bit MODP; ).
23 2023-01-20 18:07:10 info IKE The cookie pair is : 0x6a4554594d278e71 / 0xd30514efaa027e44 [count=3]
22 2023-01-20 18:07:10 info IKE [SA] : Tunnel [VP_Con_UBNT] Phase 1 proposal mismatch
21 2023-01-20 18:07:10 info IKE [SA] : No proposal chosen
20 2023-01-20 18:07:10 info IKE Send:[NOTIFY:NO_PROPOSAL_CHOSEN]
-
[code]Tunnel [VP_Con_UBNT] Phase 1 proposal mismatch[/code]
Says that the gateway (Zyxel) and phase 1 (strongSwan) info do not match.
-
So it can't work with the HMAC version of MD5, or HMAC-SHA2, and the FAQ from the site is not good. How can I connect Linux to FLEX 200 nowadays?