
IPsec between Control 8.3.3 and Vshield Edge not working (Get No-proposal_chosen error when trying to set up an IPsec between Kerio Control and Vshield Edge)
Richard B.

Hi,

I am trying to establish an IPsec connection between my Kerio Control (version 8.3.3 build 2342 Software appliance) firewall and a VMware Vshield Edge that is running at the supplier of a SaaS program we are using.

I cannot get it working. The logfile says:

------
[09/Sep/2014 12:01:26] {charon} charon: 03[CFG] received stroke: initiate 'tunnel_4_4_2_1'
[09/Sep/2014 12:01:26] {charon} charon: 02[IKE] initiating Main Mode IKE_SA tunnel_4_1_1_1[33216] to xx.xx.xxx.xxx
[09/Sep/2014 12:01:26] {charon} charon: 02[IKE] initiating Main Mode IKE_SA tunnel_4_1_1_1[33216] to
[09/Sep/2014 03:46:48] {charon} charon: 10[ENC] generating QUICK_MODE request 3494673272 [ HASH SA No ID ID ]
[09/Sep/2014 03:46:48] {charon} charon: 10[NET] sending packet: from xx.xx.xxx.xxx[500] to xx.xx.xxx.xxx[500]
[09/Sep/2014 03:46:52] {charon} charon: 05[IKE] sending retransmit 1 of request message ID 3494673272, seq 7
[09/Sep/2014 03:46:52] {charon} charon: 05[NET] sending packet: from xx.xx.xxx.xxx[500] to xx.xx.xxx.xxx[500]
[09/Sep/2014 03:46:54] {charon} charon: 03[NET] received packet: from xx.xx.xxx.xxx[500] to xx.xx.xxx.xxx[500]
[09/Sep/2014 03:46:54] {charon} charon: 03[ENC] parsed QUICK_MODE request 1975742702 [ HASH SA No KE ID ID ]
[09/Sep/2014 03:46:54] {charon} charon: 03[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
[09/Sep/2014 03:46:54] {charon} charon: 03[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
[09/Sep/2014 03:46:54] {charon} charon: 03[IKE] no matching proposal found, sending NO_PROPOSAL_CHOSEN
[09/Sep/2014 03:46:59] {charon} charon: 10[IKE] giving up after 1 retransmits
-------

I assume the log reports a successful IKE negotiation, but Phase 2 does not work.

The "MODP_1024" section is missing in the configured proposal. Is the problem that Kerio does not support Diffie-Hellman groups for phase 2 (and why??)

I hoped my problem was solved when PFS was introduced in version 8.2. Unfortunately not.

Can anyone help?
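To see why charon answers NO_PROPOSAL_CHOSEN here, the following added example (not from the post or from Kerio) parses the two proposal lines above and checks them the way a responder does: every transform class (encryption, integrity, DH group) must overlap, so a DH group offered by the peer (PFS on) against configured proposals that carry none (PFS off) can never match. The algorithm-name patterns are an assumed subset of strongSwan's names, and the sample log is constructed from the lines in the post.

```python
import re

# Constructed sample: the two proposal lines from the post.
LOG = """\
[09/Sep/2014 03:46:54] {charon} charon: 03[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
[09/Sep/2014 03:46:54] {charon} charon: 03[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
"""

# Transform classes by strongSwan algorithm name (assumed, pragmatic subset).
CLASSES = {
    "enc": re.compile(r"^(AES_CBC_\d+|3DES_CBC|BLOWFISH_CBC_\d+|AES_GCM_\d+|NULL)$"),
    "integ": re.compile(r"^(HMAC_\w+|AES_XCBC_96)$"),
    "dh": re.compile(r"^(MODP_\d+|ECP_\d+)$"),
}

def parse_proposal(text):
    """'ESP:A/B/C' -> {'proto': 'ESP', 'enc': {...}, 'integ': {...}, 'dh': {...}}.
    Flags such as NO_EXT_SEQ are ignored for the comparison."""
    proto, _, algs = text.strip().partition(":")
    p = {"proto": proto, "enc": set(), "integ": set(), "dh": set()}
    for alg in algs.split("/"):
        for cls, rx in CLASSES.items():
            if rx.match(alg):
                p[cls].add(alg)
    return p

def proposals(log, kind):
    """Extract the 'received' or 'configured' proposal list from a charon log."""
    m = re.search(rf"{kind} proposals: (.*)", log)
    return [parse_proposal(s) for s in m.group(1).split(",")] if m else []

def diagnose(log):
    """Return (matched, reasons). A configured proposal matches only if every
    class intersects the peer's; a DH group present on one side only fails."""
    received, configured = proposals(log, "received"), proposals(log, "configured")
    reasons = set()
    for r in received:
        for c in configured:
            if r["proto"] != c["proto"]:
                reasons.add("protocol"); continue
            for cls in ("enc", "integ", "dh"):
                if (r[cls] or c[cls]) and not (r[cls] & c[cls]):
                    reasons.add("dh group (PFS)" if cls == "dh" else cls); break
            else:
                return True, []          # no class failed: proposal selected
    return False, sorted(reasons)

if __name__ == "__main__":
    print(diagnose(LOG))  # (False, ['dh group (PFS)', 'enc'])
```

The third configured proposal overlaps on encryption and integrity and fails only on the DH group, which is exactly the PFS mismatch the thread is about.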
Richard B.

Hi all,

Unfortunately no one seems to be able to solve my problem.

Can someone at least give an answer to the "The 'MODP_1024' section is missing in the configured proposal. Is the problem that Kerio does not support Diffie-Hellman groups for phase 2 (and why??)" part?

Is it true that Control does not support DH for phase 2, and why is that?

Richard
spetit

Hi,
have you solved your issue?
I've a similar issue...
Richard B.

Unfortunately not.

I stopped trying a year ago. I used an extra firewall (pfSense) to set up the tunnel with the Vshield Edge.

The last thing I know is that the remote site (the Vshield) was not able to switch off PFS for the 2nd phase (which is of course a good thing, but Kerio is not able to use PFS for this phase!). Hopefully things have changed since then, but I am afraid not, as I read their KB (google: "Configuring IPsec VPN tunnel (Kerio Control and another device)"; I am not allowed to post links yet).

Please let me know if you get any further.

Richard.

[Updated on: Mon, 19 October 2015 09:26]

spetit

Hi Richard,
thanks.

I've edited winroute.cfg to force the IKE and ESP mode, and the lifetime values.
PFS was already disabled on the Cisco access point.
That seems to be better... but I still have some issues disconnecting on Phase 2... disconnecting after a few seconds.
Debug logs are very helpful.
I'm on the right way...