Is it possible to establish an IPsec connection to a UniFi UDM-SE (80.219.241.177, DDNS) using a private IP address of 10.4.160.114 (Mobile, Swisscom)? My configuration always fails with a “received NO PROPOSAL CHOSEN notify error,” even though the parameters for phases 1 and 2 match exactly.
If both devices are behind a UniFi Express on the WAN side, this site-to-site connection works perfectly.
Hello,
Have you tried testing the connection with a different key exchange type than the one you are currently using (for example, IKEv2)? For troubleshooting purposes, it would also be worth trying more common proposals such as AES128 / SHA1 / MODP2048 on both tunnel ends to see if it makes a difference.
If possible, could you also share your setup’s topology, full IPsec logs, or any additional information from both sides of the tunnel?
Also, to mention, please do not share any private/sensitive data (like public IPs, MACs, passwords, etc.) on the forum.
Best regards,
Hello
Thank you for your feedback.
I’ve tried every conceivable variant and double-checked 100 times ;-(
And as I said, if both devices are behind a UniFi Express on the WAN side, all tested variants work.
Is it generally a problem if only one of the two devices has a publicly accessible IP address? Because in my opinion, that’s the only difference between the working and the non-working configuration.
Attached is a link to a PDF with the details. I really hope this helps.
Best regards
Hello,
Apologies for the delayed response. After reviewing your IPsec configurations, here are a few things that might be worth trying:
- Enable Compatibility mode and/or Flush conntrack in the Advanced IPsec Connection settings.
- Set both IKE lifetime values (for Phase 1 and Phase 2) to e.g., 24h.
- Remove the private RUT IP from the UDM IPsec configuration under Remote IP/Hostname.
Let us know if there’s any change in behavior.
Best regards,
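To show why the third suggestion (dropping the private RUT address from Remote IP/Hostname) can matter when one peer sits behind carrier NAT, here is an added illustration that is not code from the thread, UniFi or Teltonika: a simplified IKE responder that first selects a connection by the initiator's source address and only then intersects proposals. Responders built on strongSwan, for instance, answer with NO_PROPOSAL_CHOSEN when no connection definition matches the peer at all, so identical phase 1/2 parameters are not enough if the configured remote address is one the responder never sees on the wire. The addresses, connection names and proposal set below are constructed for the example.

```python
# Added illustration, not UniFi or Teltonika code: a simplified IKE responder
# that first picks a connection for an incoming IKE_SA_INIT by source address,
# then intersects proposals. NO_PROPOSAL_CHOSEN can come from either step.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Proposal:
    encr: str    # e.g. "aes128"
    integ: str   # e.g. "sha1"
    dh: str      # e.g. "modp2048"

@dataclass
class Connection:
    name: str
    remote_ip: Optional[str]           # None means "any peer address" (%any)
    ike_proposals: FrozenSet[Proposal]

def select_connection(conns: List[Connection], src_ip: str) -> Optional[Connection]:
    """Prefer a connection pinned to the packet's source, else a wildcard one."""
    pinned = [c for c in conns if c.remote_ip == src_ip]
    wildcard = [c for c in conns if c.remote_ip is None]
    return (pinned or wildcard or [None])[0]

def negotiate(conns: List[Connection], src_ip: str,
              offered: FrozenSet[Proposal]) -> Tuple[str, str]:
    """Return (status, detail) for one incoming IKE_SA_INIT."""
    conn = select_connection(conns, src_ip)
    if conn is None:
        return ("NO_PROPOSAL_CHOSEN", f"no connection matches peer {src_ip}")
    common = conn.ike_proposals & offered
    if not common:
        return ("NO_PROPOSAL_CHOSEN", f"{conn.name}: no shared IKE proposal")
    p = min(common, key=lambda x: (x.encr, x.integ, x.dh))
    return ("OK", f"{conn.name}: {p.encr}/{p.integ}/{p.dh}")

# Constructed sample (documentation addresses, not the thread's real ones): the
# mobile peer's private address and the carrier-NAT address it appears from.
RUT_PRIVATE_IP = "10.0.0.2"
RUT_NAT_PUBLIC_IP = "198.51.100.7"
COMMON = frozenset({Proposal("aes128", "sha1", "modp2048")})
# Responder pinned to the private address: identical proposals on both ends,
# yet nothing matches the NAT'd source, so the init is rejected.
PINNED_TO_PRIVATE = [Connection("rut-s2s", RUT_PRIVATE_IP, COMMON)]
# The thread's third suggestion: drop the private Remote IP and accept any peer.
ACCEPT_ANY_PEER = [Connection("rut-s2s", None, COMMON)]

if __name__ == "__main__":
    for conns in (PINNED_TO_PRIVATE, ACCEPT_ANY_PEER):
        print(negotiate(conns, RUT_NAT_PUBLIC_IP, COMMON))
```

Comparing the two runs against the responder's own log (which connection, if any, it matched) separates a real proposal mismatch from a peer-address mismatch before you start changing ciphers.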