When the IKE debug logs (collected with 'diagnose debug application ike -1') contain the error 'no proposal chosen', the cause can be any of the following:
Debug commands:
diagnose debug application ike -1
diagnose debug enable
Caution:
Note that the error message 'no proposal chosen' is NOT the same as 'no SA proposal chosen'. The latter ('no SA proposal chosen') is usually due to a mismatch in the Phase 1 encryption/authentication algorithms.
Possible causes of 'no proposal chosen':
- network-id is configured on both peers but the values differ: it has to match.
- network-id is configured/enabled on only one of the two peers.
- The peers are running different IKE versions (one on IKEv1, the other on IKEv2). The versions must agree even when the encryption/authentication algorithms match.
- The Local ID is not specified in the IPsec VPN tunnel Phase 1:
    config vpn ipsec phase1-interface
        edit "VPN_Tunnel_name"
            set localid-type address
            set localid <IP_address of outgoing interface>
    end
- Perfect Forward Secrecy (PFS) is enabled in the IPsec VPN tunnel Phase 2 and needs to be disabled:
    config vpn ipsec phase2-interface
        edit "VPN_Tunnel_name"
            set pfs disable
    end
To verify the negotiated proposal, use the following command:
diagnose vpn ike gateway list
vd: root/0
name: krpton
version: 1
interface: port2 4
addr: 10.5.146.11:500 -> 10.5.136.56:500
tun_id: 10.5.136.56/::10.5.136.56
remote_location: 0.0.0.0
network-id: 0
transport: UDP
created: 84594s ago
peer-id: 10.5.136.56
peer-id-auth: no
pending-queue: 0
IKE SA: created 1/3  established 1/3  time 0/6/10 ms
IPsec SA: created 0/2  established 0/1  time 0/0/0 ms

  id/spi: 52 4dc149c62eac4ff4/77a8e531e508a031
  direction: responder
  status: established 6501-6501s ago = 0ms
  proposal: aes128-sha256 <<<<<<<<<<<
  key: 435d55bdb95b4796-2426203a826f2057
  QKD: no
  lifetime/rekey: 86400/79628
  DPD sent/recv: 00000000/00000000
  peer-id: 10.5.136.56
Example: 'no proposal chosen' error in a hub-and-spoke setup.
Configuration:
HUB:
config vpn ipsec phase1-interface
    edit "COPP-WAN2"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set comments "VPN: COPP-WAN2 [Created by IPSEC Template]"
        set npu-offload disable
        set network-overlay enable
        set network-id 203
        set ipv4-start-ip 192.168.203.10
        set ipv4-end-ip 192.168.203.250
        set ipv4-netmask 255.255.255.0
        set psksecret ENC 8bQ397W7b23yoWM/9VorW/9YoSwBsrv9oclF+F3EE8P6+8TnCmS6hY8G7iecX0FEs1ethBALvcCvreDpc/GspxffOFUqsyV6nrIP4qZRmG2PuokmHPNtyajAZir8d1RjIbAJQI9iQqyweJTcuPS3miE7QuqrJq7gDVjeS/bU5CAqZDAPUR0AxwnwED/NJ1**bleep**PYE7Q==
        set dpd-retryinterval 60
    next
end
SPOKE:
config vpn ipsec phase1-interface
    edit "COPP-WAN2"
        set interface "lan2"
        set ike-version 2
        set peertype any
        set net-device enable
        set mode-cfg enable
        set proposal aes256-sha256
        set add-route disable
        set network-overlay enable <<<<<<<<<<<<<<<<<<<<<<<<
        set network-id 203 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
        set remote-gw 2.2.2.2
        set psksecret ENC JRLMxnJWDJkBeO0vEHx7SSP0UxUhDb41ErzMCBbgfoVc9cKgwXe6h39FeHYWTZcrPEQUgO8RHx2oY8UJsGWpdWnXTNfO29QgBVk6wJ6TxTIBeRHH+t4sShpmhOBDNbp6qT/YJgkCKR3k8MCdHOf0zpxehsJjFOaxVRxe7r+newiqabDnqiqWInbdIzJloSUW6FoB0g==
        set dpd-retryinterval 60
    next
end
On the spoke side, network-overlay must be enabled and network-id must be set to the same value as on the hub (203 here); otherwise the hub rejects the negotiation with 'no proposal chosen'.
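As an added example (not part of this article and not a Fortinet tool), the script below parses two phase1-interface dumps, such as the hub and spoke pair above, and reports the settings this article says must agree: ike-version, network-overlay, network-id and proposal. The FortiOS defaults it assumes for absent keys and the sample configs are constructed; the hub sample is left flattened on one line, as pasted output often arrives.

```python
import re

# Phase 1 settings that this article says must agree on both peers before a proposal can
# be chosen, with the FortiOS default assumed when a key is absent from the dump (assumption).
MUST_MATCH = {
    "ike-version": "1",
    "network-overlay": "disable",
    "network-id": "0",
    "proposal": None,  # no default: a missing proposal on either side is reported
}

def parse_phase1(config_text):
    """Parse 'config vpn ipsec phase1-interface' output into {tunnel: {key: value}}.
    Splitting on CLI keywords lets a dump flattened onto one line parse as well."""
    tunnels, current = {}, None
    for tok in re.split(r"\s+(?=(?:config|edit|set|next|end)\b)", config_text.strip()):
        parts = tok.split(None, 1)
        if len(parts) == 2 and parts[0] == "edit":
            current = parts[1].strip().strip('"')
            tunnels[current] = {}
        elif len(parts) == 2 and parts[0] == "set" and current is not None:
            key, _, value = parts[1].strip().partition(" ")
            tunnels[current][key] = value.strip().strip('"')
        elif parts and parts[0] in ("next", "end"):
            current = None
    return tunnels

def find_mismatches(hub_text, spoke_text, tunnel):
    """Return {key: (hub_value, spoke_value)} for each must-match key that differs."""
    hub, spoke = parse_phase1(hub_text)[tunnel], parse_phase1(spoke_text)[tunnel]
    out = {}
    for key, default in MUST_MATCH.items():
        h, s = hub.get(key, default), spoke.get(key, default)
        if h != s:
            out[key] = (h, s)
    return out

# Constructed sample pair modelled on the hub and spoke in this article (PSK omitted).
HUB_CONFIG = ('config vpn ipsec phase1-interface edit "COPP-WAN2" set type dynamic '
              'set interface "wan1" set ike-version 2 set proposal aes256-sha256 '
              'set network-overlay enable set network-id 203 next end')
# Spoke before the fix: network-overlay and network-id were never set, so defaults apply.
SPOKE_BROKEN = """config vpn ipsec phase1-interface
    edit "COPP-WAN2"
        set ike-version 2
        set proposal aes256-sha256
        set remote-gw 2.2.2.2
    next
end"""
print(find_mismatches(HUB_CONFIG, SPOKE_BROKEN, "COPP-WAN2"))
```

Adding 'set network-overlay enable' and 'set network-id 203' to the spoke block makes the report come back empty.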