VPN IPSec No Proposal Chosen

L1 Bithead

VPN IPSec No Proposal Chosen

Hi, 

I keep having issues with my IPSec sts VPN. Always have a No proposal chosen message on the Phase 2 proposal.

And then P2 proposal fails due to timeout.

I read that it could be IPSec crypto settings or proxy ID that don't match.

Proxy IDs are OK because when I put non-existing network, I don't have these messages.

Encryption settings seem also well configured.

Here is the Fortigate P2 that was working before:

[Attachment: M6P2.png]

Here is the Palo Alto config that I'm trying to get working:

[Attachments: crypto.png, IPsec tunnel.png, IPsec tunnel2.png]

L6 Presenter

Re: VPN IPSec No Proposal Chosen

Did you try without PFS or untick option 5 from the Fortigate site? We need a full log output? 

EDIT:

Reading more, it looks like you don't have to use any proxy IDs as both devices support route-based VPN.

https://blog.webernetz.net/2015/01/26/ipsec-site-to-site-vpn-palo-alto-fortigate/

L1 Bithead

Re: VPN IPSec No Proposal Chosen

I tried without PFS and the result is the same.

I don't have access to the remote firewall but as I remember, it is supposed to accept both proposals on DH Group 5 and DH Group 14.

Here is the full log output:

2017-08-24 15:52:58.828 +0200 [PNTF]: { 3: 12}: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: WAN_IP[500]-DST_WAN_IP[500] message id:0x8C47EF4D <====
2017-08-24 15:52:58.845 +0200 [PNTF]: { 3: }: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=dd34eb2c(size=4).
2017-08-24 15:53:01.015 +0200 [PNTF]: { 3: }: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=dd34eb2c(size=4).
2017-08-24 15:53:04.005 +0200 [PNTF]: { 3: }: notification message 36137:R-U-THERE-ACK, doi=1 proto_id=1 spi=596ffb652fb039fd 8ebc5e12d094fa99 (size=16).
2017-08-24 15:53:04.005 +0200 [PNTF]: { 3: }: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=dd34eb2c(size=4).
2017-08-24 15:53:05.884 +0200 [PERR]: packet (5) shorter than isakmp header size.
2017-08-24 15:53:09.005 +0200 [PNTF]: { 3: }: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=dd34eb2c(size=4).
2017-08-24 15:53:15.884 +0200 [PERR]: packet (5) shorter than isakmp header size.
2017-08-24 15:53:17.015 +0200 [PNTF]: { 3: }: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=dd34eb2c(size=4).
2017-08-24 15:53:25.884 +0200 [PERR]: packet (5) shorter than isakmp header size.
2017-08-24 15:53:29.002 +0200 [PNTF]: { : 12}: ====> PHASE-2 NEGOTIATION FAILED AS INITIATOR, (QUICK MODE) <====
====> Failed SA: WAN_IP[500]-DST_WAN_IP[500] message id:0x8C47EF4D <==== Due to negotiation timeout.
2017-08-24 15:53:34.015 +0200 [PNTF]: { 3: }: notification message 36137:R-U-THERE-ACK, doi=1 proto_id=1 spi=596ffb652fb039fd 8ebc5e12d094fa99 (size=16).
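The log above shows the two things worth separating when reading ikemgr output: NO-PROPOSAL-CHOSEN notifications with proto_id=3 (the peer answered and rejected the IPsec/Phase 2 proposal) versus R-U-THERE-ACK with proto_id=1 (DPD on the ISAKMP SA, which only proves Phase 1 is alive). The script below is an added example, not part of the thread or of PAN-OS; it groups Phase 2 attempts by message id and tells apart "peer rejected the proposal" from "peer never replied", which is the distinction the later post about removing the proxy IDs (timeout with no rejection) turns on. The two log samples are constructed from the lines quoted here, with the second one invented to show the silent-timeout case.

```python
import re

# Constructed samples modelled on the ikemgr lines quoted in the thread (not the poster's full log).
LOG_REJECTED = """\
2017-08-24 15:52:58.828 +0200 [PNTF]: { 3: 12}: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: WAN_IP[500]-DST_WAN_IP[500] message id:0x8C47EF4D <====
2017-08-24 15:52:58.845 +0200 [PNTF]: { 3: }: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=dd34eb2c(size=4).
2017-08-24 15:53:04.005 +0200 [PNTF]: { 3: }: notification message 36137:R-U-THERE-ACK, doi=1 proto_id=1 spi=596ffb652fb039fd 8ebc5e12d094fa99 (size=16).
2017-08-24 15:53:04.005 +0200 [PNTF]: { 3: }: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=dd34eb2c(size=4).
2017-08-24 15:53:29.002 +0200 [PNTF]: { : 12}: ====> PHASE-2 NEGOTIATION FAILED AS INITIATOR, (QUICK MODE) <====
====> Failed SA: WAN_IP[500]-DST_WAN_IP[500] message id:0x8C47EF4D <==== Due to negotiation timeout.
"""
# Same shape, but the peer never answers (constructed; the behaviour reported after removing the proxy IDs).
LOG_TIMEOUT = """\
2017-08-24 16:10:00.000 +0200 [PNTF]: { 3: 13}: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: WAN_IP[500]-DST_WAN_IP[500] message id:0x1A2B3C4D <====
2017-08-24 16:10:30.000 +0200 [PNTF]: { : 13}: ====> PHASE-2 NEGOTIATION FAILED AS INITIATOR, (QUICK MODE) <====
====> Failed SA: WAN_IP[500]-DST_WAN_IP[500] message id:0x1A2B3C4D <==== Due to negotiation timeout.
"""

MSGID = re.compile(r"message id:(0x[0-9A-Fa-f]+)")
NOTIFY = re.compile(r"notification message \d+:([A-Z-]+), doi=\d+ proto_id=(\d+)")

def analyse_ikemgr(text):
    """Group Phase-2 attempts by ISAKMP message id and say how each one ended."""
    attempts, current, pending = {}, None, None
    for line in text.splitlines():
        if "PHASE-2 NEGOTIATION STARTED" in line:
            pending = "start"
        elif "PHASE-2 NEGOTIATION FAILED" in line:
            pending = "fail"
        elif pending and (m := MSGID.search(line)):      # the '====> ... SA:' line carries the id
            mid = m.group(1)
            if pending == "start":
                current = mid
                attempts[mid] = {"esp_rejections": 0, "p1_dpd_acks": 0, "outcome": "in progress"}
            elif mid in attempts:
                rejected = attempts[mid]["esp_rejections"] > 0
                attempts[mid]["outcome"] = ("peer rejected IPsec proposal" if rejected
                                            else "timeout, no reply from peer")
                current = None
            pending = None
        elif current and (m := NOTIFY.search(line)):
            name, proto = m.groups()
            if name == "NO-PROPOSAL-CHOSEN" and proto == "3":   # proto_id=3 = IPsec ESP, i.e. Phase 2
                attempts[current]["esp_rejections"] += 1
            elif name == "R-U-THERE-ACK" and proto == "1":     # proto_id=1 = ISAKMP: DPD on a live Phase 1 SA
                attempts[current]["p1_dpd_acks"] += 1
    return attempts
```

A "peer rejected" outcome means the responder saw the quick-mode proposal and refused it (crypto, PFS group or proxy ID mismatch), so its own logs will say which; a "no reply" outcome points at reachability or a responder that is not processing the request at all.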

L6 Presenter

Re: VPN IPSec No Proposal Chosen

Palo is an initiator. If you want more details we need responder site logs or configure Palo in passive mode.

L7 Applicator

Re: VPN IPSec No Proposal Chosen

@TranceforLife is right, we'll need the responder site logs to see why it isn't working. The initiator isn't going to tell you anything. I would remove the proxy-id as already mentioned; you don't actually need this, and having proxy-id on can cause issues in and of itself when you can't tell exactly how the other end is configured.

L1 Bithead

Re: VPN IPSec No Proposal Chosen

If I remove the Proxy IDs, the P2 proposal fails due to a timeout, but without the "no proposal chosen" message.

I don't have easy access to the remote firewall but I'll post its logs as soon as I can.

Note that I don't know what the remote firewall is. The Fortigate was the firewall that I replaced by the Palo. Its configuration was working though.

L6 Presenter

Re: VPN IPSec No Proposal Chosen

If you remove the configuration from one side, another side should do the same otherwise it is pointless as all P1 and P2 criteria must match.

L1 Bithead

Re: VPN IPSec No Proposal Chosen

I know that all parameters must match, that's why I'm trying to make the exact replica of my old Fortigate into the Palo.

The only thing that seems to be different for the P2 is that I can't select several DH groups.

L7 Applicator

Re: VPN IPSec No Proposal Chosen

What PAN-OS version do you have installed? What IKE version is configured?

You wrote that the tunnel was working already: did you do anything before it stopped working (may be a PAN-OS update)?

L2 Linker

Re: VPN IPSec No Proposal Chosen

Have you tried Group 5 for PFS? Just because the Fortigate had both groups 14 and 5 enabled doesn't mean the other side will accept both.
