fwilliams (Staff)
Article Id 243552
Description: This article describes how to troubleshoot the message 'no proposal chosen' when it appears in IKE debug logs.
Scope: FortiGate v6.4 and v7.2.
Solution

When the logs collected with 'diagnose debug application ike -1' contain 'no proposal chosen', the message can be due to any of the causes listed below.

Debug commands:

diagnose debug application ike -1
diagnose debug enable

Caution:

The error message 'no proposal chosen' is NOT the same as 'no SA proposal chosen'. The latter ('no SA proposal chosen') is usually due to a mismatch in the phase 1 encryption/authentication algorithms.


Possible causes of 'no proposal chosen':

  1. network-id is configured on both peers but the values do not match: the network-id has to be identical on both sides.
  2. network-id is configured/enabled on only one of the two peers.
  3. The peers are running different IKE versions (one is on IKEv1 and the other on IKEv2). The negotiation fails even if the encryption/authentication algorithms match.
  4. Specify the Local ID at the IPsec VPN tunnel phase 1:

config vpn ipsec phase1-interface
    edit "VPN_Tunnel_name"
        set localid-type address
        set localid <IP_address of outgoing interface>
    end

  5. Disable Perfect Forward Secrecy (PFS) at the IPsec VPN tunnel phase 2:

config vpn ipsec phase2-interface
    edit "VPN_Tunnel_name"
        set pfs disable
    end
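As an added triage helper, not part of the original article, the following Python script scans captured 'ike -1' debug output, counts the two easily confused messages separately so that 'no SA proposal chosen' is never mistaken for 'no proposal chosen', and maps each message seen to the checks listed above. The sample debug lines and tunnel names are constructed; real output carries additional fields.

```python
import re

# Each distinct IKE debug message mapped to the candidate causes given in the article.
CAUSES = {
    "no proposal chosen": [
        "network-id configured on both peers but not matching",
        "network-id configured/enabled on only one peer",
        "IKE version mismatch (IKEv1 on one peer, IKEv2 on the other)",
        "Local ID not specified in phase 1 (localid-type / localid)",
        "PFS enabled in phase 2 (set pfs disable)",
    ],
    "no SA proposal chosen": [
        "phase 1 encryption/authentication algorithm mismatch",
    ],
}

# Word-bounded patterns: a loose search for 'proposal chosen' would lump both
# messages together, which is exactly the confusion the caution above warns about.
PATTERNS = {msg: re.compile(r"\b" + re.escape(msg) + r"\b") for msg in CAUSES}


def triage_ike_debug(debug_output: str) -> dict:
    """Count every occurrence of each message in 'diagnose debug application
    ike -1' output and return, per message seen, the count and the checks to run."""
    counts = {msg: 0 for msg in CAUSES}
    for line in debug_output.splitlines():
        for msg, pattern in PATTERNS.items():
            if pattern.search(line):
                counts[msg] += 1
    return {msg: {"count": n, "check": CAUSES[msg]} for msg, n in counts.items() if n}


# Constructed sample output (tunnel names are hypothetical); real lines carry more fields.
SAMPLE_DEBUG = """\
ike 0:VPN_Tunnel_name:12: no proposal chosen
ike 0:VPN_Tunnel_name:13: no proposal chosen
ike 0:Other_Tunnel:5: no SA proposal chosen
ike 0:Other_Tunnel:5: negotiation failure
"""

if __name__ == "__main__":
    for msg, info in triage_ike_debug(SAMPLE_DEBUG).items():
        print(f"{msg!r} seen {info['count']} time(s); check:")
        for item in info["check"]:
            print(f"  - {item}")
```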