USG FLEX 200 no proposal error with Strongswan

Hi, I've made the settings on the VPN Gateway Phase 1 as it was written in "USG/VPN/ATP Series - How to establish client to site VPN with Linux StrongSwan" and have these settings in ipsec.conf:

    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!

but I get a "no proposal" error.

How can I solve it?

Accepted Solution

  • zyman2008
    zyman2008 Posts: 197  Master Member
    edited January 2023
    Hi @AntonKotikov,
    From the log, the Linux side sent IKEv1, 3DES, MD5, DH2 to the USG.
    24 2023-01-20 18:07:10 info IKE Recv IKE sa: SA([0] protocol = IKE (1), 3DES, HMAC-MD5 PRF, HMAC-MD5-96, 1024 bit MODP; ).
    But you set up DES, MD5, DH2 in the USG. So it mismatches in Phase 1.
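The accepted answer is reached by reading the USG's "Recv IKE sa" line and comparing it field by field with the gateway's own Phase 1 setting. The script below automates that comparison. It is an added example, not code from Zyxel or the strongSwan project: it parses a strongSwan `ike=` value and the USG log line quoted in this thread into (encryption, integrity, DH group) triples and reports which component differs. The log-line regex is derived from the single line in the thread, and the keyword mappings (for instance `sha2_256` and `HMAC-SHA2-256` both becoming `sha256`) are assumptions covering only the algorithms named here and a few common neighbours; a proposal without an explicit DH group is left as `None` rather than guessing strongSwan's default.

```python
"""Compare IKEv1 Phase 1 proposals from a strongSwan ipsec.conf 'ike=' value
with what a Zyxel USG reports in its IKE log, to pin down a
NO_PROPOSAL_CHOSEN. Added example; not Zyxel's or strongSwan's code."""
import re

# strongSwan proposal keywords -> canonical names used on both sides.
# Assumption: only this subset of keywords is handled.
SS_ENC = {"des": "des", "3des": "3des", "aes": "aes128", "aes128": "aes128",
          "aes192": "aes192", "aes256": "aes256"}
SS_HASH = {"md5": "md5", "sha": "sha1", "sha1": "sha1",
           "sha256": "sha256", "sha2_256": "sha256",
           "sha384": "sha384", "sha2_384": "sha384",
           "sha512": "sha512", "sha2_512": "sha512"}

# Based on the single "Recv IKE sa" line quoted in the thread; assumption:
# every such USG log line has the same field order (cipher, PRF, integrity, DH bits).
USG_RE = re.compile(
    r"Recv IKE sa: SA\(\[\d+\] protocol = IKE \(\d+\), "
    r"(?P<enc>[^,]+), (?P<prf>[^,]+) PRF, (?P<integ>[^,]+), (?P<bits>\d+) bit MODP")


def parse_strongswan_ike(value):
    """'aes256-sha2_256-modp1024!' -> [('aes256', 'sha256', 'modp1024')].
    A missing DH group is returned as None rather than guessing a default."""
    proposals = []
    for prop in value.rstrip("!").split(","):
        enc = hsh = dh = None
        for tok in prop.strip().split("-"):
            if tok in SS_ENC:
                enc = SS_ENC[tok]
            elif tok in SS_HASH:
                hsh = SS_HASH[tok]
            elif tok.startswith(("modp", "ecp")):
                dh = tok
            else:
                raise ValueError(f"unknown proposal token {tok!r}")
        proposals.append((enc, hsh, dh))
    return proposals


def parse_usg_log(line):
    """USG 'Recv IKE sa' log line -> (enc, hash, dh), or None if not such a line."""
    m = USG_RE.search(line)
    if not m:
        return None
    enc = m["enc"].strip().lower()                       # "3DES" -> "3des"
    enc = re.sub(r"^aes[-_ ]?(\d+)$", r"aes\1", enc)     # assumption: "AES-256" -> "aes256"
    h = re.match(r"hmac-(md5|sha1|sha2?[-_]?(\d{3}))", m["integ"].strip().lower())
    if not h:
        raise ValueError(f"unknown integrity algorithm {m['integ']!r}")
    hsh = f"sha{h.group(2)}" if h.group(2) else h.group(1)  # "hmac-md5-96" -> "md5"
    return (enc, hsh, f"modp{m['bits']}")


def first_common(proposals_a, proposals_b):
    """First (enc, hash, dh) triple both sides accept, or None (= NO_PROPOSAL_CHOSEN)."""
    for a in proposals_a:
        if a in proposals_b:
            return a
    return None


def mismatched_fields(a, b):
    """Names of the Phase 1 components that differ between two triples."""
    return [n for n, x, y in zip(("encryption", "integrity", "dh-group"), a, b) if x != y]


# Values from the thread: the USG log line and, per the accepted answer,
# the USG Phase 1 setting of DES / MD5 / DH2 (modp1024).
LOG_LINE = ("24 2023-01-20 18:07:10 info IKE Recv IKE sa: SA([0] protocol = IKE (1), "
            "3DES, HMAC-MD5 PRF, HMAC-MD5-96, 1024 bit MODP; ).")
USG_PHASE1 = ("des", "md5", "modp1024")

if __name__ == "__main__":
    received = parse_usg_log(LOG_LINE)
    print("strongSwan sent :", received)
    print("USG configured  :", USG_PHASE1)
    print("agreed proposal :", first_common([received], [USG_PHASE1]))
    print("differs in      :", mismatched_fields(received, USG_PHASE1))
    # Aligning both ends on one explicit proposal removes the mismatch:
    print("after fix       :", first_common(parse_strongswan_ike("3des-md5-modp1024!"),
                                           [("3des", "md5", "modp1024")]))
```

Run against the thread's data it reports that only the encryption component differs (3DES offered, DES configured), which is exactly the Phase 1 mismatch the accepted answer points at. Feeding it several consecutive USG log lines and your gateway's configured triple is a quick way to confirm a proposal change on one end really lines up with the other before retrying the tunnel.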

All Replies

  • mMontana
    mMontana Posts: 1,298  Guru Member
    Is CBC supported by your current StrongSwan configuration?
  • AntonKotikov
    Never used strongSwan before, so I don't know how to check or enable CBC.
  • AntonKotikov
    AntonKotikov Posts: 5
    edited January 2023
    I think it's the default?


    ipsec listalgs | grep "CBC"
    " encryption: AES_CBC[aes] RC2_CBC[rc2] 3DES_CBC[openssl] CAMELLIA_CBC[openssl] CAST_CBC[openssl] BLOWFISH_CBC[openssl]
    DES_CBC[openssl] DES_ECB[openssl] NULL[openssl]
    HMAC_SHA2_384_384[openssl] HMAC_SHA2_512_256[openssl] HMAC_SHA2_512_512[openssl] CAMELLIA_XCBC_96[xcbc]
    AES_XCBC_96[xcbc]
    PRF_HMAC_SHA2_384[openssl] PRF_HMAC_SHA2_512[openssl] PRF_FIPS_SHA"
  • I've changed ipsec.conf and the Zyxel to 3des-md5 but still have errors:

    28 2023-01-20 18:07:10 info IKE The cookie pair is : 0x6a4554594d278e71 / 0x0000000000000000
    27 2023-01-20 18:07:10 info IKE Recv Main Mode request from [83.220.236.2]
    26 2023-01-20 18:07:10 info IKE The cookie pair is : 0xd30514efaa027e44 / 0x6a4554594d278e71
    25 2023-01-20 18:07:10 info IKE Recv:[SA][VID][VID][VID][VID][VID]
    24 2023-01-20 18:07:10 info IKE Recv IKE sa: SA([0] protocol = IKE (1), 3DES, HMAC-MD5 PRF, HMAC-MD5-96, 1024 bit MODP; ).
    23 2023-01-20 18:07:10 info IKE The cookie pair is : 0x6a4554594d278e71 / 0xd30514efaa027e44 [count=3]
    22 2023-01-20 18:07:10 info IKE [SA] : Tunnel [VP_Con_UBNT] Phase 1 proposal mismatch
    21 2023-01-20 18:07:10 info IKE [SA] : No proposal chosen
    20 2023-01-20 18:07:10 info IKE Send:[NOTIFY:NO_PROPOSAL_CHOSEN] 
  • mMontana
    mMontana Posts: 1,298  Guru Member
    [code]Tunnel [VP_Con_UBNT] Phase 1 proposal mismatch[/code]
    says that the gateway (Zyxel) and Phase 1 (strongSwan) settings do not match.
  • So it can't work with the HMAC version of MD5, or HMAC-SHA2, and the FAQ from the site is not good. How can I connect Linux to the FLEX 200 nowadays?