topic Re: VPN IPSec No Proposal Chosen in General Topics

VPN IPSec No Proposal Chosen

Naelwan — Thu, 24 Aug 2017 13:27:34 GMT

Hi,

I keep having issues with my IPSec sts VPN. Always have a No proposal chosen message on the Phase 2 proposal.

And then P2 proposal fails due to timeout.

I read that it could be IPSec crypto settings or proxy ID that don't match.

Proxy IDs are OK because when I put non-existing network, I don't have these messages.

Encryption settings seem also well configured.

Here is the Fortigate P2 that was working before :

Here is the Palo Alto config that i'm trying to make working :

Re: VPN IPSec No Proposal Chosen

TranceforLife — Thu, 24 Aug 2017 14:01:11 GMT

Did you try without PFS or untick option 5 from the Fortigate site? We need a full log output?

EDIT:

Reading more, it looks like you don't have to use any proxy IDs as both devices support route-based VPN

https://blog.webernetz.net/2015/01/26/ipsec-site-to-site-vpn-palo-alto-fortigate/

Re: VPN IPSec No Proposal Chosen

Naelwan — Thu, 24 Aug 2017 14:00:58 GMT

I tried without PFS and the result is the same.

I don't have access to the remote firewall but as I remember, it is supposed to accept both proposals on DHGroup 5 and DHGroup 14.

Here is the full log output :

2017-08-24 15:52:58.828 +0200 [PNTF]: { 3: 12}: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: WAN_IP[500]-DST_WAN_IP[500] message id:0x8C47EF4D <====
2017-08-24 15:52:58.845 +0200 [PNTF]: { 3: }: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=dd34eb2c(size=4).
2017-08-24 15:53:01.015 +0200 [PNTF]: { 3: }: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=dd34eb2c(size=4).
2017-08-24 15:53:04.005 +0200 [PNTF]: { 3: }: notification message 36137:R-U-THERE-ACK, doi=1 proto_id=1 spi=596ffb652fb039fd 8ebc5e12d094fa99 (size=16).
2017-08-24 15:53:04.005 +0200 [PNTF]: { 3: }: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=dd34eb2c(size=4).
2017-08-24 15:53:05.884 +0200 [PERR]: packet (5) shorter than isakmp header size.
2017-08-24 15:53:09.005 +0200 [PNTF]: { 3: }: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=dd34eb2c(size=4).
2017-08-24 15:53:15.884 +0200 [PERR]: packet (5) shorter than isakmp header size.
2017-08-24 15:53:17.015 +0200 [PNTF]: { 3: }: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=dd34eb2c(size=4).
2017-08-24 15:53:25.884 +0200 [PERR]: packet (5) shorter than isakmp header size.
2017-08-24 15:53:29.002 +0200 [PNTF]: { : 12}: ====> PHASE-2 NEGOTIATION FAILED AS INITIATOR, (QUICK MODE) <====
====> Failed SA: WAN_IP[500]-DST_WAN_IP[500] message id:0x8C47EF4D <==== Due to negotiation timeout.
2017-08-24 15:53:34.015 +0200 [PNTF]: { 3: }: notification message 36137:R-U-THERE-ACK, doi=1 proto_id=1 spi=596ffb652fb039fd 8ebc5e12d094fa99 (size=16).

Re: VPN IPSec No Proposal Chosen

TranceforLife — Thu, 24 Aug 2017 14:04:19 GMT

Palo is an initiator. If you want more details we need responder site logs or configure Palo in passive mode.

Re: VPN IPSec No Proposal Chosen

BPry — Thu, 24 Aug 2017 14:27:02 GMT

@TranceforLife is right we'll need the responder site logs to see why it isn't working. Initiatior isn't going to tell you anything. I would remove the proxy-id as already mentioned, you don't actually need this and having proxy-id on can cause issues in and of itself when you can't tell exactly how the other end is configured.

Re: VPN IPSec No Proposal Chosen

Naelwan — Thu, 24 Aug 2017 14:29:08 GMT

If I remove the Proxy IDs, the P2 Proposal fails due to a timeout, but without "no proposal chosen" message.

I don't have an easy access to the remote firewall but I'll post its logs as soon as I can.

Note that I don't know what is the remote firewall. The Fortigate was the firewall that I replaced by the Palo. Its configuration was workin though.

Re: VPN IPSec No Proposal Chosen

TranceforLife — Thu, 24 Aug 2017 14:31:43 GMT

If you remove the configuration from one side, another side should do the same otherwise it is pointless as all P1 and P2 criteria must match.

Re: VPN IPSec No Proposal Chosen

Naelwan — Thu, 24 Aug 2017 14:34:55 GMT

I know that all parameters must match, that's why I'm trying to make the exact replica of my old Fortigate into the Palo.

The only thing that seems to be different for the P2 is that I can't select several DH groups.

Re: VPN IPSec No Proposal Chosen

Remo — Thu, 24 Aug 2017 17:40:35 GMT

What PAN-OS version do you have installed? What IKE version is configured?

You wrote that the tunnel was working already: did you do anything before it stopped working (may be a PAN-OS update)?

Re: VPN IPSec No Proposal Chosen

9t89m8fu — Fri, 25 Aug 2017 13:04:31 GMT

Have you tried Group 5 for PFS? Just because the Fortigate had both groups 14 and 5 enabled doesn't mean the other side will accept both

Re: VPN IPSec No Proposal Chosen

Naelwan — Tue, 29 Aug 2017 08:25:27 GMT

@Remo

PAN-OS version is 8.0.3

IKE v1 only.

@9t89m8fu

I've tried PFS 5 before but didn't work.

I've just tried again as a double check and ... it works.

I might have changed something else but can't remember what.

Thanks everyone for the help.

BR.