IPSec Phase 1 negotiation fails with "NO_PROPOSAL_CHOSEN" seen in System Logs - Encryption mismatch in Phase 1
12842
Created On 07/27/22 22:09 PM - Last Modified 07/28/22 21:05 PM
Symptom
- VPN Tunnel not coming up or went down
- System Logs showing "no proposal chosen."
- System Logs showing "<IKEGateway> unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings"
- CLI show command outputs on the two peer firewalls showing different Encryption algorithms (Example: AES-256 vs. 3DES)
- Packet Capture showing "NO_PROPOSAL_CHOSEN" in the IKE packets (UDP port 500)
Web UI
Navigate to Network > IKE Crypto Profile > edit IKE Crypto Profile > edit Encryption
System Logs
Navigate to Monitor > System Logs
CLI
On both VPN peers, run the below command(s) via CLI
>show vpn gateway name <name>
FW1> show vpn gateway name IKEGatewayTest1
GwID Name Peer-Address/ID Local Address/ID Proposals
1 IKEGatewayTest1 203.0.113.200 203.0.113.100 [PSK][DH20][AES256][SHA512]
FW2> show vpn gateway name IKEGatewayTest1
GwID Name Peer-Address/ID Local Address/ID Proposals
1 IKEGatewayTest1 203.0.113.100 203.0.113.200 [PSK][DH20][3DES][SHA512]
Wireshark
Take a packet capture on both VPN peers and open them in Wireshark side-by-side; filter on the IKE traffic (UDP port 500) and look for the NO_PROPOSAL_CHOSEN notification in the IKE packets
ikemgr.log
Run the below command via CLI on both peers
>less mp-log ikemgr.log
2022-06-27 12:10:41 [ERR ]: Proposal Unmatched.!
2022-06-27 12:10:41 [PWRN]: [IKEGatewayTest1:360] IKEv2 proposal doesn't match, please check crypto setting on both sides.
2022-06-27 12:10:41 [PERR]: no proposal chosen.
2022-06-27 12:11:40 [PWRN]: [IKEGatewayTest1:354] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings.
Note: More information can be seen if ikemgr is put on debug level, but the packet capture as seen above is sufficient for diagnosing and resolving this issue.
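As an added example, not part of the original article, the following Python script automates the comparison described above: it parses the `show vpn gateway name` output captured from each peer, splits the Proposals column into its authentication, DH group, encryption and hash fields, reports which Phase 1 parameter differs, and scans ikemgr.log lines for the mismatch indicators quoted above. The sample outputs and log lines are constructed from this article's examples, and the field order assumed for the Proposals column is [auth][DH][encryption][hash] as shown in those outputs.

```python
import re

# Constructed sample: the "show vpn gateway name" outputs quoted in this article
FW1_OUTPUT = """GwID Name Peer-Address/ID Local Address/ID Proposals
1 IKEGatewayTest1 203.0.113.200 203.0.113.100 [PSK][DH20][AES256][SHA512]"""
FW2_OUTPUT = """GwID Name Peer-Address/ID Local Address/ID Proposals
1 IKEGatewayTest1 203.0.113.100 203.0.113.200 [PSK][DH20][3DES][SHA512]"""
# Constructed ikemgr.log excerpt, modelled on the lines quoted in this article
IKEMGR_LOG = """2022-06-27 12:10:41 [ERR ]: Proposal Unmatched.!
2022-06-27 12:10:41 [PWRN]: [IKEGatewayTest1:360] IKEv2 proposal doesn't match, please check crypto setting on both sides.
2022-06-27 12:10:41 [PERR]: no proposal chosen.
2022-06-27 12:11:40 [PWRN]: [IKEGatewayTest1:354] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings."""
# Assumed order of the bracketed fields in the Proposals column: [auth][DH group][encryption][hash]
FIELDS = ("auth", "dh_group", "encryption", "hash")

def parse_gateway_proposals(output):
    """Return {gateway_name: {field: value}} parsed from 'show vpn gateway name' output."""
    gateways = {}
    for line in output.splitlines():
        m = re.match(r"^\d+\s+(\S+)\s+\S+\s+\S+\s+((?:\[[^\]]+\])+)\s*$", line)
        if m:  # data rows start with the numeric GwID; the header row does not
            values = re.findall(r"\[([^\]]+)\]", m.group(2))
            gateways[m.group(1)] = dict(zip(FIELDS, values))
    return gateways

def compare_phase1(fw1_output, fw2_output):
    """Return (gateway, field, fw1_value, fw2_value) for every Phase 1 parameter that differs."""
    a, b = parse_gateway_proposals(fw1_output), parse_gateway_proposals(fw2_output)
    mismatches = []
    for name in sorted(set(a) & set(b)):  # only gateways configured on both peers
        for field in FIELDS:
            if a[name].get(field) != b[name].get(field):
                mismatches.append((name, field, a[name].get(field), b[name].get(field)))
    return mismatches

def find_proposal_errors(log_text):
    """Return (timestamp, gateway_or_None, message) for ikemgr.log lines that indicate a proposal mismatch."""
    pattern = re.compile(r"^(\S+ \S+) \[\w+\s*\]: (?:\[(\w+):\d+\] )?(.*)$")
    indicators = ("NO_PROPOSAL_CHOSEN", "no proposal chosen", "proposal doesn't match", "Proposal Unmatched")
    hits = []
    for line in log_text.splitlines():
        m = pattern.match(line)
        if m and any(ind in m.group(3) for ind in indicators):
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits

if __name__ == "__main__":
    print(compare_phase1(FW1_OUTPUT, FW2_OUTPUT))  # which Phase 1 field differs between the peers
    print(find_proposal_errors(IKEMGR_LOG))        # log lines confirming the mismatch
```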
Environment
PAN-OS
Palo Alto Networks firewall configured with IPSec VPN Tunnel
Cause
This issue occurs when the two VPN peers have a mismatch in the Phase 1 (IKE Crypto Profile) Encryption algorithm.
Resolution
- Configure both of the VPN peers to have a matching Encryption algorithm
(In the example above, two Palo Alto Networks firewalls were used as VPN peers. If your VPN peer is a different vendor's firewall and it is the source of the mismatch, make the equivalent Phase 1 Encryption configuration change on that device.)
- Perform a Commit
- Run the commands below a couple of times each on both VPN peer firewall CLIs so that the stale SAs are cleared and the peers freshly initiate and form the VPN
>clear vpn ike-sa gateway <name>
>clear vpn ipsec-sa tunnel <name>