fwilliams, Staff
Article Id 243552
Description This article describes how to troubleshoot the message 'no proposal chosen' when it appears in IKE debug logs.
Scope FortiGate v6.4 and v7.2.
Solution

When IKE debug logs collected with 'ike -1' contain the message 'no proposal chosen', it can be due to any of the causes listed below.

Debug commands:

diagnose debug application ike -1
diagnose debug enable

Caution:

Note that the error message 'no proposal chosen' is NOT the same as 'no SA proposal chosen'. The latter ('no SA proposal chosen') is usually due to a mismatch in the phase 1 encryption/authentication algorithms.

Possible causes of 'no proposal chosen':

  1. network-id is configured on both peers but the values do not match.
  2. network-id is configured/enabled on only one of the peers.
  3. The peers are running different IKE versions (one uses IKEv1 and the other IKEv2). This fails even if the encryption/authentication algorithms match.
  4. Specify the Local ID in the IPsec VPN tunnel phase 1 configuration:

config vpn ipsec phase1-interface
    edit "VPN_Tunnel_name"
        set localid-type address
        set localid <IP_address of outgoing interface>
    next
end

  5. Disable Perfect Forward Secrecy (PFS) in the IPsec VPN tunnel phase 2 configuration:

config vpn ipsec phase2-interface
    edit "VPN_Tunnel_name"
        set pfs disable
    next
end


To verify the negotiated proposal, use the command below:

diagnose vpn ike gateway list

vd: root/0
name: krpton
version: 1
interface: port2 4
addr: 10.5.146.11:500 -> 10.5.136.56:500
tun_id: 10.5.136.56/::10.5.136.56
remote_location: 0.0.0.0
network-id: 0
transport: UDP
created: 84594s ago
peer-id: 10.5.136.56
peer-id-auth: no
pending-queue: 0
IKE SA: created 1/3 established 1/3 time 0/6/10 ms
IPsec SA: created 0/2 established 0/1 time 0/0/0 ms

id/spi: 52 4dc149c62eac4ff4/77a8e531e508a031
direction: responder
status: established 6501-6501s ago = 0ms
proposal: aes128-sha256                                  <<<<<<<<<<<
key: 435d55bdb95b4796-2426203a826f2057
QKD: no
lifetime/rekey: 86400/79628
DPD sent/recv: 00000000/00000000
peer-id: 10.5.136.56


'No proposal chosen' error in a hub-and-spoke setup.

Configuration:

HUB:

config vpn ipsec phase1-interface
    edit "COPP-WAN2"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set comments "VPN: COPP-WAN2 [Created by IPSEC Template]"
        set npu-offload disable
        set network-overlay enable
        set network-id 203
        set ipv4-start-ip 192.168.203.10
        set ipv4-end-ip 192.168.203.250
        set ipv4-netmask 255.255.255.0
        set psksecret ENC 8bQ397W7b23yoWM/9VorW/9YoSwBsrv9oclF+F3EE8P6+8TnCmS6hY8G7iecX0FEs1ethBALvcCvreDpc/GspxffOFUqsyV6nrIP4qZRmG2PuokmHPNtyajAZir8d1RjIbAJQI9iQqyweJTcuPS3miE7QuqrJq7gDVjeS/bU5CAqZDAPUR0AxwnwED/NJ1**bleep**PYE7Q==
        set dpd-retryinterval 60
    next
end

SPOKE:

config vpn ipsec phase1-interface
    edit "COPP-WAN2"
        set interface "lan2"
        set ike-version 2
        set peertype any
        set net-device enable
        set mode-cfg enable
        set proposal aes256-sha256
        set add-route disable
        set network-overlay enable      <<<<<<<<<<<<<<<<<<<<<<<<
        set network-id 203     <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
        set remote-gw 2.2.2.2
        set psksecret ENC JRLMxnJWDJkBeO0vEHx7SSP0UxUhDb41ErzMCBbgfoVc9cKgwXe6h39FeHYWTZcrPEQUgO8RHx2oY8UJsGWpdWnXTNfO29QgBVk6wJ6TxTIBeRHH+t4sShpmhOBDNbp6qT/YJgkCKR3k8MCdHOf0zpxehsJjFOaxVRxe7r+newiqabDnqiqWInbdIzJloSUW6FoB0g==
        set dpd-retryinterval 60
    next
end

On the spoke side, network-overlay must be enabled and network-id must be set to the same value as on the hub.
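As an added example (not Fortinet code and not part of this article), the script below compares the phase 1 settings of two peers exported with 'show vpn ipsec phase1-interface' and reports the mismatches this article lists as causes of 'no proposal chosen' (IKE version, network-overlay enabled on one side only, network-id values), plus the phase 1 algorithm mismatch that produces 'no SA proposal chosen' instead. It assumes the FortiOS defaults of ike-version 1 and network-overlay disable when a setting is absent from the entry; the sample configs are constructed from the hub/spoke example above with the pre-shared keys replaced by a placeholder.

```python
"""Compare two FortiGate phase1-interface entries for the mismatches that
cause 'no proposal chosen' (IKE version, network-overlay, network-id) and,
for contrast, the algorithm mismatch behind 'no SA proposal chosen'.

Added example, not Fortinet code. Assumes FortiOS defaults of ike-version 1
and network-overlay disable when the setting is absent from the entry.
"""
import re
from typing import Dict, List

# Constructed sample based on the hub in the article; secret replaced by a placeholder.
HUB_CFG = """
config vpn ipsec phase1-interface
    edit "COPP-WAN2"
        set type dynamic
        set ike-version 2
        set proposal aes256-sha256
        set network-overlay enable
        set network-id 203
        set psksecret ENC <PLACEHOLDER>
    next
end
"""

# Constructed sample: a spoke that matches the hub (markers as pasted from the article are tolerated).
SPOKE_OK_CFG = """
config vpn ipsec phase1-interface
    edit "COPP-WAN2"
        set ike-version 2
        set proposal aes256-sha256
        set network-overlay enable      <<<<<<<<<<<<
        set network-id 203     <<<<<<<<<<<<<<<<<<<<
        set remote-gw 2.2.2.2
        set psksecret ENC <PLACEHOLDER>
    next
end
"""

# Constructed sample: spoke left on IKEv1 without network-overlay, two of the causes above.
SPOKE_BAD_CFG = """
config vpn ipsec phase1-interface
    edit "COPP-WAN2"
        set ike-version 1
        set proposal aes256-sha256
        set remote-gw 2.2.2.2
    next
end
"""


def parse_phase1(text: str) -> Dict[str, str]:
    """Collect the 'set <key> <value>' lines of one phase1-interface entry.

    Quotes and trailing '<<<' highlight markers are stripped; psksecret is
    dropped so the secret never ends up in a report.
    """
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*set\s+(\S+)\s+(.*?)\s*$", line)
        if not m or m.group(1) == "psksecret":
            continue
        value = re.sub(r"\s*<+\s*$", "", m.group(2))
        settings[m.group(1)] = value.strip('"')
    return settings


def check_peers(hub: Dict[str, str], spoke: Dict[str, str]) -> List[str]:
    """Return one finding per mismatch; each finding starts with the setting name."""
    findings: List[str] = []
    hv, sv = hub.get("ike-version", "1"), spoke.get("ike-version", "1")
    if hv != sv:
        findings.append(f"ike-version differs (hub={hv}, spoke={sv}): "
                        "'no proposal chosen' even if algorithms match")
    ho, so = hub.get("network-overlay", "disable"), spoke.get("network-overlay", "disable")
    if ho != so:
        findings.append(f"network-overlay enabled on one peer only (hub={ho}, spoke={so}): "
                        "'no proposal chosen'")
    elif ho == "enable" and hub.get("network-id") != spoke.get("network-id"):
        findings.append(f"network-id differs (hub={hub.get('network-id')}, "
                        f"spoke={spoke.get('network-id')}): 'no proposal chosen'")
    # Phase 1 algorithms: no common entry gives 'no SA proposal chosen', a different message.
    hp, sp = set(hub.get("proposal", "").split()), set(spoke.get("proposal", "").split())
    if hp and sp and not hp & sp:
        findings.append(f"proposal has no common algorithm (hub={sorted(hp)}, spoke={sorted(sp)}): "
                        "'no SA proposal chosen'")
    return findings


def report(hub_text: str, spoke_text: str) -> List[str]:
    """Parse both entries and return the list of findings."""
    return check_peers(parse_phase1(hub_text), parse_phase1(spoke_text))


if __name__ == "__main__":
    for label, spoke in (("matching spoke", SPOKE_OK_CFG), ("IKEv1 spoke without overlay", SPOKE_BAD_CFG)):
        print(f"{label}:")
        for f in report(HUB_CFG, spoke) or ["no mismatch in the settings checked"]:
            print("  -", f)
```

Run it against the two peers' real exports after a 'no proposal chosen' debug line; an empty result means the cause is elsewhere (Local ID, PFS, or the IKE SA history shown by 'diagnose vpn ike gateway list').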