IPSec Phase 1 negotiation fails with "NO_PROPOSAL_CHOSEN" seen in System Logs - Encryption mismatch in Phase 1

IPSec Phase 1 negotiation fails with "NO_PROPOSAL_CHOSEN" seen in System Logs - Encryption mismatch in Phase 1

12848
Created On 07/27/22 22:09 PM - Last Modified 07/28/22 21:05 PM


Symptom


  • VPN Tunnel not coming up or went down
  • System Logs showing "no proposal chosen."
  • System Logs showing "<IKEGateway> unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings"
  • CLI show command outputs on the two peer firewalls showing different Encryption algorithms (Example: AES-256 vs. 3DES)
  • Packet Capture showing "NO_PROPOSAL_CHOSEN" in the IKE packets (UDP port 500)

Web UI
Navigate to Network > IKE Crypto Profile > edit IKE Crypto Profile > edit Encryption
Encryption mismatch in Web GUI

System Logs
Navigate to Monitor > System Logs
Comparing System Logs for Phase 1 Encryption
CLI
On both VPN peers, run the below command(s) via CLI

>show vpn gateway name <name>
FW1> show vpn gateway name IKEGatewayTest1
GwID   Name          Peer-Address/ID                Local Address/ID                 Proposals    
1   IKEGatewayTest1   203.0.113.200                    203.0.113.100            [PSK][DH20][AES256][SHA512]
FW2> show vpn gateway name IKEGatewayTest1
GwID   Name          Peer-Address/ID                Local Address/ID                 Proposals    
1   IKEGatewayTest1   203.0.113.100                    203.0.113.200            [PSK][DH20][3DES][SHA512]


Wireshark
Take a packet capture on both VPN peers and open them in Wireshark side-by-side
Comparing Wireshark for Phase 1 Encryption mismatch

ikemgr.log
Run the below command via CLI on both peers

>less mp-log ikemgr.log
2022-06-27 12:10:41 [ERR ]: Proposal Unmatched.!
2022-06-27 12:10:41 [PWRN]: [IKEGatewayTest1:360] IKEv2 proposal doesn't match, please check crypto setting on both sides.
2022-06-27 12:10:41 [PERR]: no proposal chosen.
2022-06-27 12:11:40 [PWRN]: [IKEGatewayTest1:354] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings.
Note: More information can be seen if ikemgr is put on debug level, but the packet capture as seen above is sufficient for diagnosing and resolving this issue


Environment


PAN-OS
Palo Alto Networks firewall configured with IPSec VPN Tunnel


Cause


This issue occurs when the two VPN peers have a mismatch in Encryption algorithm

Resolution


  1. Configure both of the VPN peers to have a matching Encryption algorithm​​
matching encryption phase 1 gui screenshot
(In the example above, two Palo Alto Networks firewalls were used as VPN peers. If your VPN peer is a different vendor firewall, perform their equivalent/same Phase 1 Encryption configuration change on their firewall if they are the source of the mismatch)
  1. Perform a Commit
  2. Run the below commands a couple times each on both VPN peer firewall CLIs to get them to freshly initiate and form VPN
>clear vpn ike-sa gateway <name>
>clear vpn ipsec-sa tunnel <name>
 
 


Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wl9BCAQ&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language