Created on 01-22-2023 10:34 PM
Edited on 02-13-2025 12:18 AM
By Jean-Philippe_P
Description: This article describes how to troubleshoot the messages 'no proposal chosen' and 'no SA proposal chosen' when they appear in IKE debug logs.
Scope: FortiGate.
Solution:
When logs collected with 'ike -1' contain 'no proposal chosen', the cause can be any of those listed below.
Debug commands:
    diagnose debug application ike -1
    diagnose debug enable
Caution: the error message 'no proposal chosen' differs from 'no SA proposal chosen'. The latter is usually due to a mismatch in the phase 1 configuration, such as the IKE mode (Aggressive/Main) or the encryption/authentication algorithms. To resolve it, make sure the IKE mode and the Phase 1 proposal match on both sides.
Possible causes of 'no proposal chosen':
config vpn ipsec phase1-interface
    edit "VPN_Tunnel_name"
        set localid-type address
        set localid <IP_address of outgoing interface>
end
Note: If the tunnel name contains spaces, escape each space with a backslash (\) when editing in the CLI. For instance, for a tunnel named 'VPN to HUB':
config vpn ipsec phase1-interface
(phase1-interface) # edit VPN\ to\ HUB
config vpn ipsec phase2-interface
    edit "VPN_Tunnel_name"
        set pfs disable
end
In a hub-and-spoke or site-to-site topology, the PFS setting must match on both sides: if PFS is enabled on the hub or remote site, make sure it is enabled on the spoke or local site as well, otherwise the IKE debugs on the spoke side will show 'No Proposal Chosen'.
To verify the proposal, check the output of the command below:
vd: root/0 id/spi: 52 4dc149c62eac4ff4/77a8e531e508a031
'No proposal chosen' error in a hub-and-spoke setup.
Configuration:
HUB:
config vpn ipsec phase1-interface
Spoke:
    edit "COPP-WAN2"
        set network-overlay enable <----
On the SPOKE side, network ID and network overlay should be enabled to match the HUB.
Note: This error can also occur when one of the sites uses DDNS as the 'Remote Gateway' in its IPsec phase1 configuration. It happens when the DDNS URL does not resolve to the actual IP of the remote site, and has nothing to do with the phase1 proposals.
2025-01-13 17:15:02.454729 ike V=root:0:6c0b2db8c4305686/0000000000000000:4357875: responder: main mode get 1st message...
In this case, the Wireshark capture shows the proposals correctly. However, the FortiGate 'iked' ignores the proposal payload because of the value of the SPI size field. From v7.4.5 onwards, FortiGate requires the SPI size of the IKE SA proposal to be zero; if the value is non-zero, the proposal is ignored. In Wireshark, the proposal payload appears as:
Payload: Proposal (2) # 1
Workaround: Set up the FortiGate as the initiator in IKE negotiations.
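As an added illustration (not part of the article or of FortiOS), the following Python walks the proposals inside an IKEv1 SA payload and applies the rule described above: a proposal whose SPI size is non-zero is dropped before evaluation. The SA payload bytes, the transform attribute values and the helper names are constructed assumptions for the demonstration.

```python
import struct

# ISAKMP (IKEv1, RFC 2408) layout constants used by the parser and the constructed sample.
SA_HDR_LEN = 12        # generic payload header (4) + DOI (4) + Situation (4)
PROP_HDR_LEN = 8       # generic header (4) + proposal#, protocol-id, SPI size, #transforms
PAYLOAD_PROPOSAL = 2   # Next Payload value meaning "another proposal follows"
PROTO_ISAKMP = 1
KEY_IKE = 1            # transform id for an IKE SA transform

def build_transform(number: int) -> bytes:
    """Constructed IKE transform: AES-CBC(7)/SHA1(2)/PSK(1)/DH group 14 as basic TV attributes."""
    attrs = struct.pack("!HHHHHHHH", 0x8001, 7, 0x8002, 2, 0x8003, 1, 0x8004, 14)
    return struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), number, KEY_IKE, 0) + attrs

def build_proposal(number: int, spi: bytes, last: bool) -> bytes:
    """Constructed proposal; pass spi=b"" for a compliant IKE SA proposal (SPI size 0)."""
    body = spi + build_transform(1)
    nxt = 0 if last else PAYLOAD_PROPOSAL
    hdr = struct.pack("!BBHBBBB", nxt, 0, PROP_HDR_LEN + len(body), number, PROTO_ISAKMP, len(spi), 1)
    return hdr + body

def build_sa_payload(proposals: list) -> bytes:
    """Wrap proposals in an SA payload (DOI 1 = IPsec, Situation 1 = SIT_IDENTITY_ONLY)."""
    body = b"".join(proposals)
    return struct.pack("!BBHII", 0, 0, SA_HDR_LEN + len(body), 1, 1) + body

def parse_proposals(sa_payload: bytes) -> list:
    """Walk the proposals inside an SA payload; return number, protocol, SPI size, transform count."""
    _, _, sa_len = struct.unpack_from("!BBH", sa_payload, 0)
    if sa_len != len(sa_payload):
        raise ValueError("SA payload length field does not match the data length")
    offset, out = SA_HDR_LEN, []
    while offset + PROP_HDR_LEN <= sa_len:
        nxt, _, plen, num, proto, spi_size, ntrans = struct.unpack_from("!BBHBBBB", sa_payload, offset)
        if plen < PROP_HDR_LEN + spi_size or offset + plen > sa_len:
            raise ValueError("proposal %d length is inconsistent with its SPI size" % num)
        out.append({"proposal": num, "protocol": proto, "spi_size": spi_size, "transforms": ntrans})
        offset += plen
        if nxt != PAYLOAD_PROPOSAL:   # Next Payload 0 marks the last proposal
            break
    return out

def usable_proposals(sa_payload: bytes) -> list:
    """Proposal numbers a FortiGate 7.4.5+ responder would evaluate: SPI size must be 0, else ignored."""
    return [p["proposal"] for p in parse_proposals(sa_payload) if p["spi_size"] == 0]

# Constructed peer SA payload: proposal 1 carries an 8-byte SPI (ignored), proposal 2 is compliant.
SAMPLE_SA = build_sa_payload([build_proposal(1, b"\x11" * 8, last=False),
                              build_proposal(2, b"", last=True)])
```

If the list comes back empty for everything the peer sends, the responder has nothing left to evaluate, which matches the 'no proposal chosen' symptom described above.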
Copyright 2025 Fortinet, Inc. All Rights Reserved.