On 2023-02-23, Thomas Bohl <openbsd-misc-518...@aloof.de> wrote:
> I have several OpenBSD 7.2 connected to a commercial VPN-Router (LANCOM
> 1781EW+) using iked. It works, except every time the Child SA
> negotiation starts, iked answers NO_PROPOSAL_CHOSEN to the router, which
> leads to closed connections and a new IKE SA negotiation.
> I don't understand this because the proposal looks supported to me.

Child SA failing after the initial tunnel comes up usually relates to a
mismatch with PFS (DH groups).

> I got desperate and tried adding this to iked.conf, which didn't help:
>
> childsa group modp2048 \
> childsa group modp2048 noesn \
> childsa enc aes-256-gcm group modp2048 \
> childsa enc aes-256-gcm group modp2048 noesn \
> childsa enc aes-256 group modp2048 \
> childsa enc aes-256 group modp2048 noesn \
> childsa enc aes-256-gcm group modp2048 prf hmac-sha2-256 \
> childsa enc aes-256-gcm group modp2048 prf hmac-sha2-256 noesn \
> childsa enc aes-256 group modp2048 prf hmac-sha2-256 \
> childsa enc aes-256 group modp2048 prf hmac-sha2-256 noesn \
> childsa enc aes-256 group modp2048 prf hmac-sha1 \
> childsa enc aes-256 group modp2048 prf hmac-sha1 noesn \
>
> Any ideas?

Try adding some non-modp2048 options. Maybe look at the SA installed from
the initial negotiation (ipsecctl -vvsa) for ideas.

-- 
Please keep replies on the mailing list.
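An added iked.conf example, not taken from either mail in this thread, of what "adding some non-modp2048 options" looks like in practice: one ikev2 policy with several childsa proposals, each offering modp2048 alongside other PFS groups so the router's Child SA proposal has more than one group it can match. The policy name, addresses, IDs and PSK are constructed placeholders, and the `group none` proposal assumes iked.conf accepts `none` on a childsa line to offer a proposal without PFS.

```conf
# Added example (not from the thread). Policy name, networks, gateway
# addresses, IDs and the PSK are constructed placeholders.
#
# Each "childsa" keyword is a separate Child SA proposal. Listing several
# "group" values in one proposal offers all of them, so a peer that
# insists on ecp256 or modp3072 for PFS can still match instead of
# getting NO_PROPOSAL_CHOSEN. The last proposal, "group none", is an
# assumption that iked.conf accepts "none" to offer a Child SA without
# PFS, for a peer that re-keys without any DH exchange.
#
# After the tunnel comes up, compare what the initial negotiation
# actually installed against the router's Child SA settings:
#     ipsecctl -vvsa
# and watch the Child SA re-key with:
#     iked -dv   (or ikectl log verbose, then tail /var/log/daemon)

ikev2 "lancom" active esp \
    from 192.168.10.0/24 to 192.168.20.0/24 \
    local 203.0.113.10 peer 203.0.113.20 \
    ikesa enc aes-256 auth hmac-sha2-256 prf hmac-sha2-256 \
        group modp2048 group modp3072 \
    childsa enc aes-256-gcm \
        group modp2048 group ecp256 group modp3072 \
    childsa enc aes-256 auth hmac-sha2-256 \
        group modp2048 group ecp256 group modp3072 \
    childsa enc aes-256 auth hmac-sha2-256 group none \
    srcid bsd.example.net dstid router.example.net \
    psk "EXAMPLE-PLACEHOLDER-PSK"
```

Once a proposal matches, trim the list back to the single group and cipher set the router actually picked, so the policy does not keep offering weaker or unneeded options.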