received NO_PROPOSAL_CHOSEN error notify

Hi guys,

I keep getting the following error trying to connect to one of my XG: received NO_PROPOSAL_CHOSEN error notify

I have the exact same configuration on another XG and it works fine. The pdf document does mention the error but says: refer to admin. No admin here.

Any experience with this? The client is 1.2.

  • Hello,

     

    Make these two changes to the .tgb file. 

    1) Look for this line: Transforms = AES256-SHA2_256-GRP2 and replace it with Transforms = AES256-SHA2_256-ECP256.

    2) Look for this line: Transforms = TGBQM-ESP-AES256-SHA2_256-PFSGRP2-TUN-XF and replace it with Transforms = TGBQM-ESP-AES256-SHA2_256-PFSECP256-TUN-XF

     

    Now import the modified .tgb file and try to connect again.

    If you need to use the .scx file, then import the modified .tgb file in Sophos Connect Admin and make the change you need, save it and import the modified .scx file.

     

    Please let us know how it goes.

     

    Ramesh

  • In reply to rmk_2018:

    Hi Ramesh,

    Worked fine, thanks a million. Out of curiosity, why did this occur in the first place?

  • In reply to @wajdiaa:

    Hello,

     

    Thank you for letting us know. This is a bug in SFOS. Hence we had to use this workaround in the client policy.

     

    Ramesh

  • In reply to rmk_2018:

    hello Ramesh,

     

    I am having the same issue; however, I cannot seem to be able to edit the .tgb file. Please can you help with an application I can use to edit it?

     

    thanks 

  • In reply to AYOKUNLE ADEYEMI:

    Hello,

     

    The tgb file is a regular text file and you can edit it with notepad. What is the version of SFOS you are using? Also the latest client in production is 1.4. I think you should upgrade the client first to 1.4 and try it. Then think about editing the tgb file.

     

    Please let me know how it goes.

     

    Regards,
    Ramesh

  • In reply to rmk_2018:

    hello Ramesh,

     

    Thank you for your reply!

    I am using client version 1.4 and my SFOS is SFOS 17.5.8 MR-8.

     

    please find below part of the .tgb file:

     

    [SAGE_CONNECT1-quick-mode]
    DOI = IPSEC
    EXCHANGE_TYPE = QUICK_MODE
    Suites = SAGE_CONNECT1-quick-mode-suite

    [SAGE_CONNECT1-quick-mode-suite]
    Protocols = TGBQM-ESP-AES256-SHA2_256-PFSGRP14-TUN

    [TGBQM-ESP-AES256-SHA2_256-PFSGRP14-TUN]
    PROTOCOL_ID = IPSEC_ESP
    Transforms = TGBQM-ESP-AES256-SHA2_256-PFSGRP14-TUN-XF

    [TGBQM-ESP-AES256-SHA2_256-PFSGRP14-TUN-XF]
    TRANSFORM_ID = AES
    KEY_LENGTH = 256,128:256
    AUTHENTICATION_ALGORITHM = HMAC_SHA2_256
    GROUP_DESCRIPTION = MODP_2048
    ENCAPSULATION_MODE = TUNNEL
    Life = Default-phase-2-lifetime

     

    As you can see in red, mine is PFSGRP14 and not PFSGRP2.

    I will appreciate your help in resolving this.

     

    thank you

  • In reply to AYOKUNLE ADEYEMI:

    OK. Why is it you are trying to change to PFSGRP2? I do not understand the reasoning behind it. Also the client should be able to connect with PFSGRP14.

  • In reply to rmk_2018:

    hello Ramesh,

     

    I was just trying to follow your directions in the original post. I have tried PFSGRP14 numerous times and I am still getting the same error.

     

    full .tgb file below:

     

    # Do not edit this file. It is overwritten by VpnConf.
    # SIGNATURE MD5 = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    # Creation Date : 2020-03-31 at 01:45:29
    # Written by CyberoamServer XG210_WP03_SFOS 17.5.9 MR-9
    # Client Version :
    # CyberoamVPNClient :3.11.008
    # IKE Service :3.10.08,02.13

    [General]
    Shared-SADB = Defined
    Retransmits = 5
    Exchange-max-time = 10
    Default-phase-1-lifetime = 18000,360:86400
    Bitblocking = 0
    Xauth-interval = 20
    DPD-interval = 60
    DPD_retrans = 3
    DPD_wait = 60

    [Default-phase-2-lifetime]
    LIFE_TYPE = SECONDS
    LIFE_DURATION = 3600,360:86400

    # ==================== PHASES 1 ====================

    [Phase 1]
    41.86.155.5 = SAGE_CONNECT-P1

    [SAGE_CONNECT-main-mode]
    DOI = IPSEC
    EXCHANGE_TYPE = ID_PROT
    Transforms = AES256-SHA2_256-GRP14

    [AES256-SHA2_256-GRP14]
    ENCRYPTION_ALGORITHM = AES_CBC
    KEY_LENGTH = 256,128:256
    HASH_ALGORITHM = SHA2_256
    GROUP_DESCRIPTION = MODP_2048
    AUTHENTICATION_METHOD = PRE_SHARED
    Life = LIFE_MAIN_MODE

    [SAGE_CONNECT-P1]
    Phase = 1
    Family = IPV4
    Address = 41.86.155.5
    Transport = udp
    Configuration = SAGE_CONNECT-main-mode
    Rconf = 1
    Authentication = "$create@321#P@55w0rd###@@@@@"
    Xauth = 0
    Xpopup = 1
    NATT_ENABLED = 1


    # ==================== PHASES 2 ====================

    [Phase 2]
    Manual-connections = SAGE_CONNECT-SAGE_CONNECT1-P2

    [SAGE_CONNECT-SAGE_CONNECT1-P2]
    Phase = 2
    ISAKMP-peer = SAGE_CONNECT-P1
    Remote-ID = SAGE_CONNECT1-remote-addr
    Configuration = SAGE_CONNECT1-quick-mode
    AutoStart = 0
    USBStart = 0

    # ==================== Ipsec ID ====================

    [SAGE_CONNECT1-remote-addr]
    ID-type = IPV4_ADDR_SUBNET
    Network = 0.0.0.0
    Netmask = 0.0.0.0

    # ==================== TRANSFORMS ====================

    [SAGE_CONNECT1-quick-mode]
    DOI = IPSEC
    EXCHANGE_TYPE = QUICK_MODE
    Suites = SAGE_CONNECT1-quick-mode-suite

    [SAGE_CONNECT1-quick-mode-suite]
    Protocols = TGBQM-ESP-AES256-SHA2_256-PFSGRP14-TUN

    [TGBQM-ESP-AES256-SHA2_256-PFSGRP14-TUN]
    PROTOCOL_ID = IPSEC_ESP
    Transforms = TGBQM-ESP-AES256-SHA2_256-PFSGRP14-TUN-XF

    [TGBQM-ESP-AES256-SHA2_256-PFSGRP14-TUN-XF]
    TRANSFORM_ID = AES
    KEY_LENGTH = 256,128:256
    AUTHENTICATION_ALGORITHM = HMAC_SHA2_256
    GROUP_DESCRIPTION = MODP_2048
    ENCAPSULATION_MODE = TUNNEL
    Life = Default-phase-2-lifetime

    best regards 
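
An added example, not part of any post in this thread and not Sophos code: NO_PROPOSAL_CHOSEN means the gateway accepted none of the proposals the client offered, so it helps to see which Diffie-Hellman/PFS group each phase of a .tgb actually resolves to once the `Configuration`, `Suites`, `Protocols` and `Transforms` references are followed, and to catch a `Transforms =` line edited to a name that has no section. The section and key names follow the file posted above; the `DEMO-*` names, the function names and the `gateway_groups` mapping (the groups the firewall policy accepts, supplied by whoever administers it) are assumptions, and each reference key is assumed to hold a single name.

```python
import configparser

# Constructed sample in the layout of the .tgb posted above (names are placeholders).
SAMPLE_TGB = """\
[DEMO-P1]
Phase = 1
Configuration = DEMO-main-mode
[DEMO-main-mode]
Transforms = AES256-SHA2_256-GRP14
[AES256-SHA2_256-GRP14]
ENCRYPTION_ALGORITHM = AES_CBC
KEY_LENGTH = 256,128:256
GROUP_DESCRIPTION = MODP_2048
[DEMO-P2]
Phase = 2
Configuration = DEMO-quick-mode
[DEMO-quick-mode]
Suites = DEMO-suite
[DEMO-suite]
Protocols = ESP-PFSGRP14-TUN
[ESP-PFSGRP14-TUN]
Transforms = ESP-PFSGRP14-TUN-XF
[ESP-PFSGRP14-TUN-XF]
TRANSFORM_ID = AES
GROUP_DESCRIPTION = MODP_2048
"""
CHAIN = ("Configuration", "Suites", "Protocols", "Transforms")  # reference keys

def proposals(text):
    """Map each Phase section to (phase, final transform section, DH group)."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.optionxform = str  # keep key case as written in the file
    cfg.read_string(text)
    found = {}
    for name in cfg.sections():
        if "Phase" not in cfg[name]:
            continue
        cur, seen = name, set()
        while ref := next((cfg[cur][k] for k in CHAIN if k in cfg[cur]), None):
            if ref not in cfg or ref in seen:  # edited name with no section, or a loop
                raise KeyError(f"[{cur}] has a dangling or circular reference to [{ref}]")
            seen.add(ref)
            cur = ref
        found[name] = (int(cfg[name]["Phase"]), cur, cfg[cur].get("GROUP_DESCRIPTION"))
    return found

def mismatches(text, gateway_groups):
    """Sections whose group differs from the gateway's (admin-supplied) group per phase."""
    return {n: g for n, (p, _, g) in proposals(text).items() if g != gateway_groups[p]}
```

An empty result from `mismatches` means the group offered in both phases matches what the gateway is said to accept, so the remaining candidates are the encryption and hash settings in the same transform sections.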

  • In reply to AYOKUNLE ADEYEMI:

    Hello Ramesh,

    Thank you for your help. Could not have done it without you.

     

    The VPN is now up and running 

     

    Best Regards 

  • In reply to AYOKUNLE ADEYEMI:

    Hi

    I want to make changes but I don't know where.

    When I change things from the .tgb I don't get the import menu from my XG.

    When I already set it from XG I don't get the menu to change those 2 lines.

    Can someone explain how to apply changes?

  • In reply to cheikh ka:

    Hello Cheikh,

     

    Can you please specify what exactly you would like to change?

    ramesh

  • In reply to rmk_2018:

    Hi,

    I wanted to change 2 lines,

    1) Look for this line: Transforms = AES256-SHA2_256-GRP2 and replace it with Transforms = AES256-SHA2_256-ECP256.

    2) Look for this line: Transforms = TGBQM-ESP-AES256-SHA2_256-PFSGRP2-TUN-XF and replace it with Transforms = TGBQM-ESP-AES256-SHA2_256-PFSECP256-TUN-XF

     

    But it's OK, everything works well.

    Thank you all