IPSec Phase 1 negotiation fails with "unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings"
Created On 07/12/21 04:18 AM - Last Modified 05/17/23 03:28 AM
Symptom
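The IPSec VPN Phase 1 does not come up.
The Palo Alto Firewall is acting as the initiator.
The system log shows ISAKMP message 1 being sent from the PA Firewall; however, the negotiation for the initiator cookie fails "due to timeout".
Ikemgr.log shows the following: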
2021-07-08 19:50:07.402 -0700 [INFO]: { 4: }: test: IKEv2 SA test initiate start.
2021-07-08 19:50:07.402 -0700 [PNTF]: { 4: }: ====> IKEv2 IKE SA NEGOTIATION STARTED AS INITIATOR, non-rekey; gateway test <====
====> Initiated SA: 10.129.83.2[500]-10.129.83.221[500] SPI:50962cd283aa42d7:0000000000000000 SN:1034 <====
2021-07-08 19:50:07.456 -0700 [PWRN]: { 4: }: 10.129.83.2[500] - 10.129.83.221[500]:0x7fe95527e480 [test:1034] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings.
2021-07-08 19:50:12.052 -0700 [PWRN]: { 4: }: 10.129.83.2[500] - 10.129.83.221[500]:0x7fe9552e9770 [test:1034] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings.
2021-07-08 19:50:22.052 -0700 [PWRN]: { 4: }: 10.129.83.2[500] - 10.129.83.221[500]:0x7fe9552e9770 [test:1034] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings.
2021-07-08 19:50:42.052 -0700 [PWRN]: { 4: }: 10.129.83.2[500] - 10.129.83.221[500]:0x7fe95527e480 [test:1034] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings.
2021-07-08 19:51:22.052 -0700 [PWRN]: { 4: }: 10.129.83.2[500] - 10.129.83.221[500]:0x7fe9552e9770 [test:1034] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings.
Environment
- Palo Alto Firewall.
- Any PAN-OS.
- IPSec VPN.
- Phase 1.
Cause
This happens when the IKE version configured on the local device does not match the one configured on the peer device.
Resolution
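Verify the IKE version configuration (under Network > Network Profiles > IKE Gateways) on the Palo Alto Firewall (the initiator) and match it to the peer device's configuration, or check the IKE version on the peer device and change it to match the local one.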
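One way to spot this symptom in a saved copy of ikemgr.log, as an added example that is not part of the original article or of PAN-OS: the script groups the warnings per gateway and reports which IKE version the firewall initiated with, so that version can be compared with the peer's setting. The function name, the IPv4-only pattern and the reading of the bracket as `[gateway:SN]` are assumptions based on the excerpt in the Symptom section.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: lines copied from the ikemgr.log excerpt in the Symptom section.
SAMPLE = """\
2021-07-08 19:50:07.402 -0700 [PNTF]: { 4: }: ====> IKEv2 IKE SA NEGOTIATION STARTED AS INITIATOR, non-rekey; gateway test <====
2021-07-08 19:50:07.456 -0700 [PWRN]: { 4: }: 10.129.83.2[500] - 10.129.83.221[500]:0x7fe95527e480 [test:1034] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings.
2021-07-08 19:50:12.052 -0700 [PWRN]: { 4: }: 10.129.83.2[500] - 10.129.83.221[500]:0x7fe9552e9770 [test:1034] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings.
2021-07-08 19:50:22.052 -0700 [PWRN]: { 4: }: 10.129.83.2[500] - 10.129.83.221[500]:0x7fe9552e9770 [test:1034] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings.
2021-07-08 19:50:42.052 -0700 [PWRN]: { 4: }: 10.129.83.2[500] - 10.129.83.221[500]:0x7fe95527e480 [test:1034] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings.
2021-07-08 19:51:22.052 -0700 [PWRN]: { 4: }: 10.129.83.2[500] - 10.129.83.221[500]:0x7fe9552e9770 [test:1034] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings.
"""

# "NEGOTIATION STARTED AS INITIATOR" line: timestamp, IKE version, gateway name.
START = re.compile(r"^(\S+ \S+) \S+ \[PNTF\]: .*?(IKEv\d) IKE SA NEGOTIATION "
                   r"STARTED AS INITIATOR.*?gateway (\S+)")
# Warning line: timestamp, local IP, peer IP, gateway name, SA serial number.
WARN = re.compile(r"^(\S+ \S+) \S+ \[PWRN\]: .*?(\d+\.\d+\.\d+\.\d+)\[\d+\] - "
                  r"(\d+\.\d+\.\d+\.\d+)\[\d+\]:\S+ \[([^:\]]+):(\d+)\] "
                  r"unauthenticated NO_PROPOSAL_CHOSEN received")

def find_proposal_rejections(log_text):
    """Group unauthenticated NO_PROPOSAL_CHOSEN warnings per gateway and SA."""
    versions = {}              # gateway -> IKE version the firewall initiated with
    hits = defaultdict(list)   # (gateway, sn, local, peer) -> warning timestamps
    for line in log_text.splitlines():
        m = START.match(line)
        if m:
            versions[m.group(3)] = m.group(2)
            continue
        m = WARN.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            hits[(m.group(4), m.group(5), m.group(2), m.group(3))].append(ts)
    report = []
    for (gw, sn, local, peer), stamps in hits.items():
        # Gaps between warnings show the initiator retrying until it times out.
        gaps = [round((b - a).total_seconds(), 1) for a, b in zip(stamps, stamps[1:])]
        report.append({"gateway": gw, "sn": sn, "local": local, "peer": peer,
                       "count": len(stamps), "retry_gaps_s": gaps,
                       "initiated_as": versions.get(gw, "unknown")})
    return report

if __name__ == "__main__":
    for r in find_proposal_rejections(SAMPLE):
        print(f"gateway {r['gateway']}: peer {r['peer']} rejected {r['count']} "
              f"{r['initiated_as']} attempts (gaps {r['retry_gaps_s']} s)")
```
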