Site2Site Tunnel with Opnsense causes NO_PROPOSAL_CHOSEN

Hi all, Sophos XG 330 with up to date FW

I am trying to build a site2site tunnel with an opnsense. All setup seems OK but:

XG330_WP02_SFOS 18.5.5 MR-5-Build509# tail -f ipsec_conn/ipsec_Test.log
[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
[NET] sending packet: from sophos-external-ip[500] to opnsense-external-ip[500] (524 bytes)
[NET] received packet: from opnsense-external-ip[500] to sophos-external-ip[500] (40 bytes)
[ENC] parsed INFORMATIONAL_V1 request 2213450293 [ N(NO_PROP) ]
[IKE] informational: received NO_PROPOSAL_CHOSEN error notify
[IKE] IKE_SA NO_PROPOSAL_CHOSEN set_condition COND_START_OVER
[IKE] ### destroy: 0x7fab3c004540
[IKE] IKE_SA has_condition COND_START_OVER retry initiate in 60 sec

Policy is here:

Any hints?

opnsense has same error:

04[ENC] <99> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]    
04[IKE] <99> no IKE config found for Opnsense-IP...Sophos-IP, sending NO_PROPOSAL_CHOSEN    
04[ENC] <99> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]



This thread was automatically locked due to age.
  • Hi  ,

    Thanks for reaching out to Sophos Community and hope you are well

    The error ‘NO_PROPOSAL_CHOSEN’ means that there is a mismatch of the IPsec policies. This error is showing for IKEv1 and v2 alike. Please review IPsec policies and the connection has to be reconfigured on either of the ends.

    Cheers,
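
An added example, not part of the original thread or of any Sophos or OPNsense tooling: a small Python triage script run over the log lines quoted in the question (embedded below as constructed sample input). It reports which IKE version each excerpt shows, based on the exchange names charon prints (AGGRESSIVE is an IKEv1 exchange, IKE_SA_INIT an IKEv2 one), and whether the responder logged "no IKE config found", which strongSwan emits when no configured connection matches the peer addresses and IKE version. The function names are hypothetical, and the two excerpts are assumed to describe the same tunnel, though they may come from different attempts.

```python
import re

# Exchange names as charon prints them, mapped to the IKE version they belong to.
EXCHANGE_VERSION = {
    "ID_PROT": 1, "AGGRESSIVE": 1, "QUICK_MODE": 1, "INFORMATIONAL_V1": 1,
    "IKE_SA_INIT": 2, "IKE_AUTH": 2, "CREATE_CHILD_SA": 2, "INFORMATIONAL": 2,
}
ENC_RE = re.compile(r"\[ENC\].*?\b(generating|parsed) ([A-Z_0-9]+) (request|response) \d+ \[ (.*?) \]")

# Constructed sample input: log lines copied from the post above.
SOPHOS_LOG = """\
[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
[ENC] parsed INFORMATIONAL_V1 request 2213450293 [ N(NO_PROP) ]
[IKE] informational: received NO_PROPOSAL_CHOSEN error notify
"""
OPNSENSE_LOG = """\
04[ENC] <99> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
04[IKE] <99> no IKE config found for Opnsense-IP...Sophos-IP, sending NO_PROPOSAL_CHOSEN
04[ENC] <99> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
"""

def summarize(log):
    """Return IKE versions seen, who sent NO_PROP, and whether no config matched."""
    info = {"versions": set(), "sent_no_prop": False, "got_no_prop": False,
            "no_ike_config": "no IKE config found" in log}
    for line in log.splitlines():
        m = ENC_RE.search(line)
        if not m:
            continue
        direction, exchange, _, payloads = m.groups()
        if exchange in EXCHANGE_VERSION:
            info["versions"].add(EXCHANGE_VERSION[exchange])
        if "N(NO_PROP)" in payloads:
            info["sent_no_prop" if direction == "generating" else "got_no_prop"] = True
    return info

def triage(initiator_log, responder_log):
    """Turn the two summaries into a list of findings to check in the config."""
    a, b = summarize(initiator_log), summarize(responder_log)
    findings = []
    if a["versions"] and b["versions"] and a["versions"] != b["versions"]:
        findings.append(f"IKE version differs between excerpts: {sorted(a['versions'])} vs {sorted(b['versions'])}")
    if b["no_ike_config"]:
        findings.append("responder matched no IKE config (check IKE version and peer addresses before algorithms)")
    if b["sent_no_prop"] and a["got_no_prop"]:
        findings.append("NO_PROPOSAL_CHOSEN was sent by the responder and received by the initiator")
    return findings

if __name__ == "__main__":
    for f in triage(SOPHOS_LOG, OPNSENSE_LOG):
        print("-", f)
```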
