IPSec Phase 2 Negotiation fails with "IKE protocol notification message received: received notify type NO_PROPOSAL_CHOSEN" - Authentication mismatch in Phase 2
22711
Created On 08/02/22 18:45 PM - Last Modified 08/05/22 20:00 PM
Symptom
- VPN tunnel does not come up, or an established tunnel went down
- System Logs showing "IKE protocol notification message received: received notify type NO_PROPOSAL_CHOSEN"
- System Logs showing "message lacks IDr payload"
- CLI show command outputs on the two peer firewalls showing different Authentication algorithms (Example: SHA-512 vs. SHA-256)
- >less mp-log ikemgr.log showing "IKEv2 proposal doesn't match, please check crypto setting on both sides."
- >less mp-log ikemgr.log showing "<IKEGateway> unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings"
- This Phase 2 (IPSec Crypto Profile) Authentication mismatch is not visible in a packet capture unless the pcap is manually decrypted, so the quickest way to identify and resolve it is to compare the two peers' configurations using the CLI commands below, or by checking both sides' configurations manually
Web UI
Navigate to Network > IPSec Crypto Profile > edit IPSec Crypto Profile > edit Authentication
CLI
On both VPN peers, run the command below via the CLI and compare the Proposals column
>show vpn tunnel
FW1> show vpn tunnel
TnID Name Gateway Local Proxy IP Ptl:Port Remote Proxy IP Ptl:Port Proposals
1 VPNTunnel10 IKEGatewayTest1 0.0.0.0/0 0:0 0.0.0.0/0 0:0 ESP tunl [DH20][AES192][SHA384] 3600-sec 0-kb
FW2> show vpn tunnel
TnID Name Gateway Local Proxy IP Ptl:Port Remote Proxy IP Ptl:Port Proposals
1 VPNTunnel10 IKEGatewayTest1 0.0.0.0/0 0:0 0.0.0.0/0 0:0 ESP tunl [DH20][AES192][SHA512] 3600-sec 0-kb
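An added helper, not part of this article or of PAN-OS, that parses the "show vpn tunnel" output from both peers and reports which IPSec Crypto Profile setting differs. The two outputs below are constructed from the example above, and the column layout and the bracketed [DH group][encryption][authentication] format are assumed to match it.

```python
import re
# "show vpn tunnel" output from both peers, constructed from the example in
# this article (not real firewall captures). Column layout is assumed.
FW1_OUTPUT = """TnID Name Gateway Local Proxy IP Ptl:Port Remote Proxy IP Ptl:Port Proposals
1 VPNTunnel10 IKEGatewayTest1 0.0.0.0/0 0:0 0.0.0.0/0 0:0 ESP tunl [DH20][AES192][SHA384] 3600-sec 0-kb"""
FW2_OUTPUT = """TnID Name Gateway Local Proxy IP Ptl:Port Remote Proxy IP Ptl:Port Proposals
1 VPNTunnel10 IKEGatewayTest1 0.0.0.0/0 0:0 0.0.0.0/0 0:0 ESP tunl [DH20][AES192][SHA512] 3600-sec 0-kb"""

# One tunnel row: id, name, gateway, proxy IDs, then "ESP tunl [..][..][..] N-sec N-kb"
ROW_RE = re.compile(
    r"^\s*(?P<tnid>\d+)\s+(?P<name>\S+)\s+(?P<gateway>\S+)\s+.*?(?P<proto>ESP|AH)\s+(?P<mode>\S+)\s+"
    r"(?P<opts>(?:\[[^\]]+\])+)\s+(?P<life_sec>\d+)-sec\s+(?P<life_kb>\d+)-kb\s*$"
)

def classify(field):
    """Map a bracketed proposal field to the IPSec Crypto Profile setting it belongs to."""
    for prefixes, setting in (("DH", "dh-group"), (("AES", "3DES", "DES", "NULL"), "encryption"),
                              (("SHA", "MD5", "NONE"), "authentication")):
        if field.startswith(prefixes):
            return setting
    return "other"

def parse_tunnels(output):
    """Return {tunnel name: {setting: value}} from 'show vpn tunnel' output."""
    tunnels = {}
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header or blank line
        prop = {"protocol": m.group("proto"), "lifetime-sec": m.group("life_sec")}
        for field in re.findall(r"\[([^\]]+)\]", m.group("opts")):
            prop[classify(field)] = field
        tunnels[m.group("name")] = prop
    return tunnels

def compare_proposals(local, remote):
    """List (tunnel, setting, local value, remote value) for every setting that differs."""
    mismatches = []
    for name in sorted(set(local) | set(remote)):
        a, b = local.get(name), remote.get(name)
        if a is None or b is None:
            mismatches.append((name, "tunnel", a, b))  # tunnel defined on one side only
            continue
        for setting in sorted(set(a) | set(b)):
            if a.get(setting) != b.get(setting):
                mismatches.append((name, setting, a.get(setting), b.get(setting)))
    return mismatches

if __name__ == "__main__":
    for m in compare_proposals(parse_tunnels(FW1_OUTPUT), parse_tunnels(FW2_OUTPUT)):
        print("%s: %s differs (FW1=%s, FW2=%s)" % m)
```

For the constructed outputs the script reports only the authentication setting (SHA384 vs SHA512), which is the mismatch this article describes.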
System Logs
Navigate to Monitor > System Logs
Wireshark
Take a packet capture on both VPN peers and open them in Wireshark side-by-side
Note: This will not appear in Wireshark by default. You must have dump-level ikemgr logs from both VPN peers to decrypt the packets in Wireshark. This can be done using the steps here
ikemgr.log
Run the below command via CLI on both peers
>less mp-log ikemgr.log
2022-06-27 12:10:41 [ERR ]: Proposal Unmatched.!
2022-06-27 12:10:41 [PWRN]: [IKEGatewayTest1:360] IKEv2 proposal doesn't match, please check crypto setting on both sides.
2022-06-27 12:10:41 [PERR]: no proposal chosen.
2022-06-27 12:11:40 [PWRN]: [IKEGatewayTest1:354] unauthenticated NO_PROPOSAL_CHOSEN received, you may need to check IKE settings.
Environment
- PAN-OS
- Palo Alto Networks firewall configured with IPSec VPN Tunnel
Cause
This issue occurs when the two VPN peers have a mismatch in the Phase 2 (IPSec Crypto Profile) Authentication algorithm; in the example above, FW1 proposes SHA384 while FW2 proposes SHA512.
Resolution
- Configure both sides of the VPN to have a matching Authentication algorithm
(If your VPN peer is a firewall from a different vendor and it is the source of the mismatch, make the equivalent Phase 2 Authentication change on that device)
- Perform a Commit
- Run the commands below a couple of times each on both VPN peers' CLIs so that the peers freshly re-initiate and re-establish the IKE and IPSec SAs:
>clear vpn ike-sa gateway <name>
>clear vpn ipsec-sa tunnel <name>