IPSec Phase 2 Negotiation fails with "IKE protocol notification message received: received notify type NO_PROPOSAL_CHOSEN" - Encryption mismatch in Phase 2

33502
Created On 08/02/22 18:40 PM - Last Modified 08/04/22 22:01 PM


Symptom


  • VPN tunnel does not come up, or goes down
  • System Logs show "IKE protocol notification message received: received notify type NO_PROPOSAL_CHOSEN"
  • System Logs show "message lacks IDr payload"
  • CLI show command output on the two peer firewalls lists different Encryption algorithms (for example, AES-256 vs. 3DES)
  • >less mp-log ikemgr.log shows "IKEv2 proposal doesn't match, please check crypto setting on both sides."
  • >less mp-log ikemgr.log shows "<IKEGateway> unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings"
  • This Phase 2 (IPSec Crypto Profile) Encryption mismatch is not visible in a packet capture unless the pcap is decrypted manually, so the quickest way to identify and resolve it is to compare both sides' configuration with the CLI commands below, or by checking both configurations manually

Web UI
Navigate to Network > IPSec Crypto Profile > edit IPSec Crypto Profile > edit Encryption
(Screenshot: Comparing Web UI Encryption Phase 2)

CLI
On both VPN peers, run the below command via CLI:
>show vpn gateway name <name>
FW1> show vpn gateway name IKEGatewayTest1
GwID   Name          Peer-Address/ID                Local Address/ID                 Proposals    
1   IKEGatewayTest1   203.0.113.200                    203.0.113.100            [PSK][DH20][AES256][SHA512]
FW2> show vpn gateway name IKEGatewayTest1
GwID   Name          Peer-Address/ID                Local Address/ID                 Proposals    
1   IKEGatewayTest1   203.0.113.100                    203.0.113.200            [PSK][DH20][3DES][SHA512]


System Logs
Navigate to Monitor > System Logs
(Screenshot: Comparing System Logs for Phase 2 Encryption mismatch)

Wireshark
Take a packet capture on both VPN peers and open them in Wireshark side by side.
(Screenshot: Comparing Wireshark for Phase 2 Encryption mismatch)
Note: This mismatch will not appear in Wireshark by default. You must have dump-level ikemgr logs from both VPN peers to decrypt the packets in Wireshark. This can be done using the steps here (if the VPN peer is a third-party device, use that vendor's process to capture the encryption keys at the same time).

ikemgr.log
Run the below command via CLI on both peers:

>less mp-log ikemgr.log
2022-06-27 12:10:41 [ERR ]:  Proposal Unmatched.!
2022-06-27 12:10:41 [PWRN]: [IKEGatewayTest1:360] IKEv2 proposal doesn't match, please check crypto setting on both sides.
2022-06-27 12:10:41 [PERR]: no proposal chosen.
2022-06-27 12:11:40 [PWRN]: [IKEGatewayTest1:354] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings.
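As an added example that is not part of the Palo Alto Networks article, the Python script below parses the Proposals column of the 'show vpn gateway name' output from both peers, reports which proposal element differs, and pulls the mismatch indicators out of an ikemgr.log excerpt. The column layout, the meaning of each bracket position ([PSK][DH20][AES256][SHA512] as auth, DH group, encryption, hash) and the sample rows are assumptions modelled on the output quoted above.

```python
import re
from itertools import zip_longest
# Constructed sample output from the two peers, modelled on the
# 'show vpn gateway name' output quoted above (column layout is assumed).
FW1_OUTPUT = """\
GwID   Name          Peer-Address/ID   Local Address/ID   Proposals
1   IKEGatewayTest1   203.0.113.200     203.0.113.100      [PSK][DH20][AES256][SHA512]
"""
FW2_OUTPUT = """\
GwID   Name          Peer-Address/ID   Local Address/ID   Proposals
1   IKEGatewayTest1   203.0.113.100     203.0.113.200      [PSK][DH20][3DES][SHA512]
"""
# Constructed ikemgr.log excerpt using the lines the article quotes.
IKEMGR_LOG = """\
2022-06-27 12:10:41 [ERR ]:  Proposal Unmatched.!
2022-06-27 12:10:41 [PWRN]: [IKEGatewayTest1:360] IKEv2 proposal doesn't match, please check crypto setting on both sides.
2022-06-27 12:10:41 [PERR]: no proposal chosen.
2022-06-27 12:11:40 [PWRN]: [IKEGatewayTest1:354] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings.
"""
# One data row: GwID, Name, Peer, Local, then the bracketed proposal list.
ROW_RE = re.compile(r"^\s*\d+\s+(\S+)\s+\S+\s+\S+\s+((?:\[[^\]]+\])+)\s*$", re.M)
# Assumed meaning of each bracket position, e.g. [PSK][DH20][AES256][SHA512].
LABELS = ("auth", "dh-group", "encryption", "hash")
# Substrings (lower-cased) that mark a proposal mismatch in ikemgr.log.
MARKERS = ("proposal unmatched", "proposal doesn't match",
           "no proposal chosen", "no_proposal_chosen")

def parse_proposals(output):
    """Map gateway name -> list of proposal elements from the CLI output."""
    return {m.group(1): re.findall(r"\[([^\]]+)\]", m.group(2))
            for m in ROW_RE.finditer(output)}

def compare_peers(out_a, out_b):
    """Return (gateway, field, value_a, value_b) for each element that differs."""
    a, b = parse_proposals(out_a), parse_proposals(out_b)
    mismatches = []
    for gw in sorted(set(a) | set(b)):
        rows = zip_longest(LABELS, a.get(gw, []), b.get(gw, []), fillvalue="<missing>")
        mismatches += [(gw, lbl, va, vb) for lbl, va, vb in rows if va != vb]
    return mismatches

def mismatch_log_lines(log_text):
    """Return ikemgr.log lines that point at a proposal / crypto mismatch."""
    return [ln for ln in log_text.splitlines()
            if any(mk in ln.lower() for mk in MARKERS)]

if __name__ == "__main__":
    for gw, field, va, vb in compare_peers(FW1_OUTPUT, FW2_OUTPUT):
        print(f"{gw}: {field} differs -> FW1={va} FW2={vb}")
```

Replace the constructed FW1_OUTPUT / FW2_OUTPUT strings with the real output from each peer to have the script point at the differing element directly.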




Environment


  • PAN-OS
  • Palo Alto Networks firewall configured with IPSec VPN Tunnel


Cause


This issue occurs when the two VPN peers have a mismatch in the Phase 2 (IPSec Crypto Profile) Encryption algorithm.

Resolution


  1. Configure both sides of the VPN to use a matching Encryption algorithm.
(Screenshot: Comparing matching Phase 2 Encryption in Web UI)
(If your VPN peer is a firewall from a different vendor and it is the source of the mismatch, make the equivalent Phase 2 Encryption configuration change on that device.)
  2. Perform a Commit.
  3. Run the below commands a couple of times each on both VPN peer firewall CLIs so that the peers re-initiate and form the tunnel freshly:
>clear vpn ike-sa gateway <name>
>clear vpn ipsec-sa tunnel <name>


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wlDDCAY&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail