
VPN IPSec No Proposal Chosen

L1 Bithead

Hi, 

I keep having issues with my IPSec site-to-site VPN. I always have a "No proposal chosen" message on the Phase 2 proposal.

And then P2 proposal fails due to timeout.

I read that it could be IPSec crypto settings or proxy ID that don't match.

Proxy IDs are OK because when I put non-existing network, I don't have these messages.

Encryption settings seem also well configured.

Here is the Fortigate P2 that was working before:

[attached screenshot: M6P2.png]

Here is the Palo Alto config that I'm trying to get working:

[attached screenshots: crypto.png, IPsec tunnel.png, IPsec tunnel2.png]

1 accepted solution

Accepted Solutions

L2 Linker

Have you tried Group 5 for PFS? Just because the Fortigate had both groups 14 and 5 enabled doesn't mean the other side will accept both.
10 Replies

L6 Presenter

Did you try without PFS, or unticking group 5 on the Fortigate side? We need a full log output.
EDIT:

Reading more, it looks like you don't have to use any proxy IDs, as both devices support route-based VPN.

https://blog.webernetz.net/2015/01/26/ipsec-site-to-site-vpn-palo-alto-fortigate/

L1 Bithead

I tried without PFS and the result is the same.

I don't have access to the remote firewall but as I remember, it is supposed to accept both proposals on DHGroup 5 and DHGroup 14.

Here is the full log output:

2017-08-24 15:52:58.828 +0200 [PNTF]: { 3: 12}: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: WAN_IP[500]-DST_WAN_IP[500] message id:0x8C47EF4D <====
2017-08-24 15:52:58.845 +0200 [PNTF]: { 3: }: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=dd34eb2c(size=4).
2017-08-24 15:53:01.015 +0200 [PNTF]: { 3: }: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=dd34eb2c(size=4).
2017-08-24 15:53:04.005 +0200 [PNTF]: { 3: }: notification message 36137:R-U-THERE-ACK, doi=1 proto_id=1 spi=596ffb652fb039fd 8ebc5e12d094fa99 (size=16).
2017-08-24 15:53:04.005 +0200 [PNTF]: { 3: }: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=dd34eb2c(size=4).
2017-08-24 15:53:05.884 +0200 [PERR]: packet (5) shorter than isakmp header size.
2017-08-24 15:53:09.005 +0200 [PNTF]: { 3: }: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=dd34eb2c(size=4).
2017-08-24 15:53:15.884 +0200 [PERR]: packet (5) shorter than isakmp header size.
2017-08-24 15:53:17.015 +0200 [PNTF]: { 3: }: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=dd34eb2c(size=4).
2017-08-24 15:53:25.884 +0200 [PERR]: packet (5) shorter than isakmp header size.
2017-08-24 15:53:29.002 +0200 [PNTF]: { : 12}: ====> PHASE-2 NEGOTIATION FAILED AS INITIATOR, (QUICK MODE) <====
====> Failed SA: WAN_IP[500]-DST_WAN_IP[500] message id:0x8C47EF4D <==== Due to negotiation timeout.
2017-08-24 15:53:34.015 +0200 [PNTF]: { 3: }: notification message 36137:R-U-THERE-ACK, doi=1 proto_id=1 spi=596ffb652fb039fd 8ebc5e12d094fa99 (size=16).

Palo is the initiator. If you want more details, we need the responder side logs, or configure the Palo in passive mode.

@TranceforLife is right, we'll need the responder side logs to see why it isn't working. The initiator isn't going to tell you anything. I would remove the proxy-id as already mentioned; you don't actually need this, and having proxy-id on can cause issues in and of itself when you can't tell exactly how the other end is configured.

If I remove the Proxy IDs, the P2 Proposal fails due to a timeout, but without "no proposal chosen" message.

I don't have an easy access to the remote firewall but I'll post its logs as soon as I can.

Note that I don't know what the remote firewall is. The Fortigate was the firewall that I replaced with the Palo. Its configuration was working though.

If you remove the configuration from one side, the other side should do the same, otherwise it is pointless, as all P1 and P2 criteria must match.

I know that all parameters must match, that's why I'm trying to make the exact replica of my old Fortigate into the Palo.

The only thing that seems to be different for the P2 is that I can't select several DH groups.

What PAN-OS version do you have installed? What IKE version is configured?

You wrote that the tunnel was working already: did you do anything before it stopped working (maybe a PAN-OS update)?

L2 Linker

Have you tried Group 5 for PFS? Just because the Fortigate had both groups 14 and 5 enabled doesn't mean the other side will accept both.
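To make the point of this reply concrete, here is an added example (not code from the thread or from either vendor) that models IKEv1 Quick Mode proposal matching and also counts the Phase 2 NO-PROPOSAL-CHOSEN notifications in a PAN-OS ikemgr log excerpt like the one posted above. The algorithm names, the remote peer's assumed proposal set and the log lines are constructed for illustration.

```python
# Added example: why a responder that only accepts PFS group 5 rejects a
# Palo Alto proposal offering only group 14, while the old Fortigate, which
# offered both 5 and 14, still matched. Algorithm names and the remote
# peer's proposal set are assumptions, not taken from the thread.
from dataclasses import dataclass
from itertools import product
import re


@dataclass(frozen=True)
class Phase2Proposal:
    encryption: str   # e.g. "aes-256-cbc"
    auth: str         # e.g. "sha1"
    pfs_group: int    # DH group used for PFS; 0 means no PFS


def expand(encryptions, auths, groups):
    """A device offering several algorithms effectively proposes every
    combination; the responder picks one it supports, or answers with
    NO-PROPOSAL-CHOSEN when there is no overlap."""
    return {Phase2Proposal(e, a, g) for e, a, g in product(encryptions, auths, groups)}


def choose(initiator, responder):
    """Return the first proposal both sides share, or None (NO-PROPOSAL-CHOSEN)."""
    common = sorted(initiator & responder,
                    key=lambda p: (p.encryption, p.auth, p.pfs_group))
    return common[0] if common else None


# Matches the notification lines the PAN-OS ikemgr log writes; proto_id=3 is
# PROTO_IPSEC_ESP in the IPsec DOI, i.e. a Phase 2 (Quick Mode) rejection,
# whereas proto_id=1 is ISAKMP itself (Phase 1).
NOTIFY_RE = re.compile(
    r"notification message 14:NO-PROPOSAL-CHOSEN.*proto_id=(\d+) spi=([0-9a-f]+)")


def phase2_rejections(log_text):
    """Count Phase 2 NO-PROPOSAL-CHOSEN notifications per IPsec SPI."""
    counts = {}
    for proto_id, spi in NOTIFY_RE.findall(log_text):
        if proto_id == "3":
            counts[spi] = counts.get(spi, 0) + 1
    return counts


# Constructed log excerpt in the same format as the thread's ikemgr output.
SAMPLE_LOG = """\
2017-08-24 15:52:58.845 +0200 [PNTF]: { 3: }: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=dd34eb2c(size=4).
2017-08-24 15:53:01.015 +0200 [PNTF]: { 3: }: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=dd34eb2c(size=4).
2017-08-24 15:53:04.005 +0200 [PNTF]: { 3: }: notification message 36137:R-U-THERE-ACK, doi=1 proto_id=1 spi=596ffb652fb039fd 8ebc5e12d094fa99 (size=16).
"""
```

Running `phase2_rejections(SAMPLE_LOG)` on the constructed excerpt yields `{"dd34eb2c": 2}`, and `choose(expand(["aes-256-cbc"], ["sha1"], [14]), expand(["aes-256-cbc"], ["sha1"], [5]))` returns `None`, the single-group mismatch the thread ended up fixing.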

L1 Bithead

@Remo 

PAN-OS version is 8.0.3

IKE v1 only. 

@9t89m8fu

I've tried PFS 5 before but didn't work. 

I've just tried again as a double check and ... it works. 

I might have changed something else but can't remember what.

Thanks everyone for the help.

BR.

  • 1 accepted solution
  • 47909 Views
  • 10 replies
  • 0 Likes