Issues with phase 1 of ipsec

L1 Bithead

Hi, I've been having an issue getting phase 1 of our IPsec tunnel up to a customer who is using a WatchGuard firewall.

As far as I can see our phase 1 settings match up, but I keep getting the "no proposal chosen" error in the logs.

I've attached screenshots of the settings and also a packet capture receive result.

I've been a bit stumped as to what is causing this; any help is appreciated.

Frame 1: 606 bytes on wire (4848 bits), 606 bytes captured (4848 bits)
Encapsulation type: Ethernet (1)
Arrival Time: May 16, 2023 18:26:15.435886000 AUS Eastern Standard Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1684225575.435886000 seconds
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 606 bytes (4848 bits)
Capture Length: 606 bytes (4848 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:udp:isakmp]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: JuniperN_0a:88:02 (ec:94:d5:0a:88:02), Dst: PaloAlto_e0:40:46 (b4:0c:25:e0:40:46)
Destination: PaloAlto_e0:40:46 (b4:0c:25:e0:40:46)
Address: PaloAlto_e0:40:46 (b4:0c:25:e0:40:46)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: JuniperN_0a:88:02 (ec:94:d5:0a:88:02)
Address: JuniperN_0a:88:02 (ec:94:d5:0a:88:02)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 82.134.94.166, Dst: 203.62.215.80
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 592
Identification: 0xa966 (43366)
000. .... = Flags: 0x0
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
...0 0000 0000 0000 = Fragment Offset: 0
Time to Live: 53
Protocol: UDP (17)
Header Checksum: 0x867b [validation disabled]
[Header checksum status: Unverified]
Source Address: 82.134.94.166
Destination Address: 203.62.215.80
User Datagram Protocol, Src Port: 500, Dst Port: 500
Source Port: 500
Destination Port: 500
Length: 572
Checksum: 0xe35d [unverified]
[Checksum Status: Unverified]
[Stream index: 0]
[Timestamps]
[Time since first frame: 0.000000000 seconds]
[Time since previous frame: 0.000000000 seconds]
UDP payload (564 bytes)
Internet Security Association and Key Management Protocol
Initiator SPI: 6a0111cdd6da6b20
Responder SPI: 0000000000000000
Next payload: Security Association (33)
Version: 2.0
0010 .... = MjVer: 0x2
.... 0000 = MnVer: 0x0
Exchange type: IKE_SA_INIT (34)
Flags: 0x08 (Initiator, No higher version, Request)
.... 1... = Initiator: Initiator
...0 .... = Version: No higher version
..0. .... = Response: Request
Message ID: 0x00000000
Length: 564
Payload: Security Association (33)
Next payload: Key Exchange (34)
0... .... = Critical Bit: Not critical
.000 0000 = Reserved: 0x00
Payload length: 244
Payload: Proposal (2) # 1
Next payload: Proposal (2)
Reserved: 00
Payload length: 36
Proposal number: 1
Protocol ID: IKE (1)
SPI Size: 0
Proposal transforms: 3
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 12
Transform Type: Encryption Algorithm (ENCR) (1)
Reserved: 00
Transform ID (ENCR): AES-GCM with a 16 octet ICV (20)
Transform Attribute (t=14,l=2): Key Length: 256
1... .... .... .... = Format: Type/Value (TV)
Type: Key Length (14)
Value: 0100
Key Length: 256
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 8
Transform Type: Pseudo-random Function (PRF) (2)
Reserved: 00
Transform ID (PRF): PRF_HMAC_SHA2_256 (5)
Payload: Transform (3)
Next payload: NONE / No Next Payload (0)
Reserved: 00
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Reserved: 00
Transform ID (D-H): 384-bit random ECP group (20)
Payload: Proposal (2) # 2
Next payload: Proposal (2)
Reserved: 00
Payload length: 36
Proposal number: 2
Protocol ID: IKE (1)
SPI Size: 0
Proposal transforms: 3
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 12
Transform Type: Encryption Algorithm (ENCR) (1)
Reserved: 00
Transform ID (ENCR): AES-GCM with a 16 octet ICV (20)
Transform Attribute (t=14,l=2): Key Length: 192
1... .... .... .... = Format: Type/Value (TV)
Type: Key Length (14)
Value: 00c0
Key Length: 192
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 8
Transform Type: Pseudo-random Function (PRF) (2)
Reserved: 00
Transform ID (PRF): PRF_HMAC_SHA2_256 (5)
Payload: Transform (3)
Next payload: NONE / No Next Payload (0)
Reserved: 00
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Reserved: 00
Transform ID (D-H): 384-bit random ECP group (20)
Payload: Proposal (2) # 3
Next payload: Proposal (2)
Reserved: 00
Payload length: 36
Proposal number: 3
Protocol ID: IKE (1)
SPI Size: 0
Proposal transforms: 3
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 12
Transform Type: Encryption Algorithm (ENCR) (1)
Reserved: 00
Transform ID (ENCR): AES-GCM with a 16 octet ICV (20)
Transform Attribute (t=14,l=2): Key Length: 128
1... .... .... .... = Format: Type/Value (TV)
Type: Key Length (14)
Value: 0080
Key Length: 128
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 8
Transform Type: Pseudo-random Function (PRF) (2)
Reserved: 00
Transform ID (PRF): PRF_HMAC_SHA2_256 (5)
Payload: Transform (3)
Next payload: NONE / No Next Payload (0)
Reserved: 00
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Reserved: 00
Transform ID (D-H): 384-bit random ECP group (20)
Payload: Proposal (2) # 4
Next payload: Proposal (2)
Reserved: 00
Payload length: 44
Proposal number: 4
Protocol ID: IKE (1)
SPI Size: 0
Proposal transforms: 4
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 12
Transform Type: Encryption Algorithm (ENCR) (1)
Reserved: 00
Transform ID (ENCR): ENCR_AES_CBC (12)
Transform Attribute (t=14,l=2): Key Length: 256
1... .... .... .... = Format: Type/Value (TV)
Type: Key Length (14)
Value: 0100
Key Length: 256
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 8
Transform Type: Pseudo-random Function (PRF) (2)
Reserved: 00
Transform ID (PRF): PRF_HMAC_SHA2_512 (7)
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 8
Transform Type: Integrity Algorithm (INTEG) (3)
Reserved: 00
Transform ID (INTEG): AUTH_HMAC_SHA2_512_256 (14)
Payload: Transform (3)
Next payload: NONE / No Next Payload (0)
Reserved: 00
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Reserved: 00
Transform ID (D-H): 384-bit random ECP group (20)
Payload: Proposal (2) # 5
Next payload: Proposal (2)
Reserved: 00
Payload length: 44
Proposal number: 5
Protocol ID: IKE (1)
SPI Size: 0
Proposal transforms: 4
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 12
Transform Type: Encryption Algorithm (ENCR) (1)
Reserved: 00
Transform ID (ENCR): ENCR_AES_CBC (12)
Transform Attribute (t=14,l=2): Key Length: 256
1... .... .... .... = Format: Type/Value (TV)
Type: Key Length (14)
Value: 0100
Key Length: 256
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 8
Transform Type: Pseudo-random Function (PRF) (2)
Reserved: 00
Transform ID (PRF): PRF_HMAC_SHA1 (2)
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 8
Transform Type: Integrity Algorithm (INTEG) (3)
Reserved: 00
Transform ID (INTEG): AUTH_HMAC_SHA1_96 (2)
Payload: Transform (3)
Next payload: NONE / No Next Payload (0)
Reserved: 00
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Reserved: 00
Transform ID (D-H): 384-bit random ECP group (20)
Payload: Proposal (2) # 6
Next payload: NONE / No Next Payload (0)
Reserved: 00
Payload length: 44
Proposal number: 6
Protocol ID: IKE (1)
SPI Size: 0
Proposal transforms: 4
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 12
Transform Type: Encryption Algorithm (ENCR) (1)
Reserved: 00
Transform ID (ENCR): ENCR_AES_CBC (12)
Transform Attribute (t=14,l=2): Key Length: 256
1... .... .... .... = Format: Type/Value (TV)
Type: Key Length (14)
Value: 0100
Key Length: 256
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 8
Transform Type: Pseudo-random Function (PRF) (2)
Reserved: 00
Transform ID (PRF): PRF_HMAC_SHA2_384 (6)
Payload: Transform (3)
Next payload: Transform (3)
Reserved: 00
Payload length: 8
Transform Type: Integrity Algorithm (INTEG) (3)
Reserved: 00
Transform ID (INTEG): AUTH_HMAC_SHA2_384_192 (13)
Payload: Transform (3)
Next payload: NONE / No Next Payload (0)
Reserved: 00
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Reserved: 00
Transform ID (D-H): 384-bit random ECP group (20)
Payload: Key Exchange (34)
Next payload: Nonce (40)
0... .... = Critical Bit: Not critical
.000 0000 = Reserved: 0x00
Payload length: 104
DH Group #: 384-bit random ECP group (20)
Reserved: 0000
Key Exchange Data: 43706ad558cb690e8384e4f50f70544d9ec325ec1c28fa488603aee93ad766ea8f3f1c52…
Payload: Nonce (40)
Next payload: Notify (41)
0... .... = Critical Bit: Not critical
.000 0000 = Reserved: 0x00
Payload length: 68
Nonce DATA: ac019f7c06b30dc654fe6329d8c70d05bbd67c673cc7c956e01ad9ee3b391ed17ca31fb3…
Payload: Notify (41) - NAT_DETECTION_SOURCE_IP
Next payload: Notify (41)
0... .... = Critical Bit: Not critical
.000 0000 = Reserved: 0x00
Payload length: 28
Protocol ID: RESERVED (0)
SPI Size: 0
Notify Message Type: NAT_DETECTION_SOURCE_IP (16388)
Notification DATA: 6532b44f0602bced66bc1d97d41e4e328c5afb1a
Payload: Notify (41) - NAT_DETECTION_DESTINATION_IP
Next payload: Vendor ID (43)
0... .... = Critical Bit: Not critical
.000 0000 = Reserved: 0x00
Payload length: 28
Protocol ID: RESERVED (0)
SPI Size: 0
Notify Message Type: NAT_DETECTION_DESTINATION_IP (16389)
Notification DATA: 4fc80883e00a06e245e15ef7b39b074df5958c71
Payload: Vendor ID (43) : Unknown Vendor ID
Next payload: NONE / No Next Payload (0)
0... .... = Critical Bit: Not critical
.000 0000 = Reserved: 0x00
Payload length: 64
Vendor ID: bfc22e9856ba993611c11e48a6d20807a95bedb393026a49e60fac327bb9601b566b3439…
Vendor ID: Unknown Vendor ID

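The capture above is the initiator's IKE_SA_INIT, and "no proposal chosen" means the responder found no proposal in it whose every transform type it could accept (RFC 7296 section 3.3). The script below is an added example, not from the original post or from Palo Alto or WatchGuard: it transcribes the six proposals from the capture and replays the responder's matching rule against constructed responder policies, reporting per proposal which transform type broke the match. POLICY_A and POLICY_B are assumed stand-ins for the peer's configuration, not the customer's actual settings.

```python
"""IKEv2 proposal matching (RFC 7296 s.3.3) replayed over the IKE_SA_INIT in the post,
to show why a responder would answer NO_PROPOSAL_CHOSEN. Proposals are transcribed from
the capture; the responder policies are constructed assumptions, not the peer's config."""

# Key length is folded into the ENCR id; AEAD proposals (1-3) legitimately carry no INTEG.
CAPTURED_PROPOSALS = {
    1: {"ENCR": "AES_GCM_16/256", "PRF": "HMAC_SHA2_256", "DH": "ECP_384"},
    2: {"ENCR": "AES_GCM_16/192", "PRF": "HMAC_SHA2_256", "DH": "ECP_384"},
    3: {"ENCR": "AES_GCM_16/128", "PRF": "HMAC_SHA2_256", "DH": "ECP_384"},
    4: {"ENCR": "AES_CBC/256", "PRF": "HMAC_SHA2_512", "INTEG": "HMAC_SHA2_512_256", "DH": "ECP_384"},
    5: {"ENCR": "AES_CBC/256", "PRF": "HMAC_SHA1", "INTEG": "HMAC_SHA1_96", "DH": "ECP_384"},
    6: {"ENCR": "AES_CBC/256", "PRF": "HMAC_SHA2_384", "INTEG": "HMAC_SHA2_384_192", "DH": "ECP_384"},
}

# Constructed responder policies (assumed, not taken from the thread).
POLICY_A = {"ENCR": {"AES_CBC/256"}, "PRF": {"HMAC_SHA2_256"},
            "INTEG": {"HMAC_SHA2_256_128"}, "DH": {"MODP_2048"}}
POLICY_B = {"ENCR": {"AES_CBC/256"}, "PRF": {"HMAC_SHA2_512"},
            "INTEG": {"HMAC_SHA2_512_256"}, "DH": {"ECP_384"}}

def proposal_mismatches(proposal, policy):
    """Transform types on which `proposal` fails against one responder policy
    (dict type -> set of acceptable ids). Empty list means acceptable. A type present on
    only one side also fails: an AEAD proposal has no INTEG, so a policy requiring one
    can never select it, and vice versa."""
    bad = []
    for ttype in sorted(set(proposal) | set(policy)):
        if ttype not in proposal or ttype not in policy or proposal[ttype] not in policy[ttype]:
            bad.append(ttype)
    return bad

def select_proposal(proposals, policies):
    """Mimic the responder: (proposal_number, policy_index) of the first proposal some
    policy accepts in full, else (None, report) mapping each proposal number to the
    mismatching transform types against its closest policy (the troubleshooting view)."""
    report = {}
    for num, prop in proposals.items():
        results = [proposal_mismatches(prop, pol) for pol in policies]
        for idx, bad in enumerate(results):
            if not bad:
                return num, idx
        report[num] = min(results, key=len)
    return None, report

if __name__ == "__main__":
    chosen, detail = select_proposal(CAPTURED_PROPOSALS, [POLICY_A])
    print("POLICY_A ->", "NO_PROPOSAL_CHOSEN" if chosen is None else chosen, detail)
    chosen, detail = select_proposal(CAPTURED_PROPOSALS, [POLICY_B])
    print("POLICY_B -> proposal", chosen)
```

Under POLICY_A every proposal fails on DH (the initiator only offers group 20, ECP-384), which is the kind of single-transform mismatch a dump-level ikemgr log would also show; POLICY_B accepts proposal 4.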



Community Team Member

Hi @Nick_Leon,

The "no proposal" error isn't limited to phase 1. Did you check the IPsec settings as well:

IPSec Phase 2 Negotiation fails with "IKE protocol notification message received: received notify ty...

Some dump-level ikemgr logs might prove helpful as well to shed more light on the actual problem:

How to Troubleshoot IPSec VPN connectivity issues

Hope this helps,

-Kim.

LIVEcommunity team member, CISSP

L4 Transporter

Hello,

Can you change the ikemgr logging level to 'dump' and get the logs?

It will give more details.

Anoopkumar
Network Security Engineer