Re: [FW-1] ike vpn question
The message "No proposal chosen" means that the encryption settings on each end are not in sync. Yes, I know you said they're identical, but that's what the error means and I believe it's defined in an RFC somewhere. As cryptic as it sounds, it's being as precise as it will get without saying something verbose like "it says use DES on this side and 3DES on the other side and so we don't agree."
Here's the rundown of settings (cross-platform) that I know will tangle this up:

- preshared key vs RSA key vs certificates
- DES vs 3DES vs (who knows what else)
- ESP vs AH vs ESP+AH at the same time
- Perfect forward secrecy (PFS) on vs off
- Diffie-Hellman group for PFS (Group 1? Group 2? Group 3?)
What I've most often seen overlooked is the PFS/DH stuff. One side has it on, the other has it off, or the two sides are using different DH groups.
Good luck. I haven't seen one of these yet that didn't boil down to a mismatched setting between the two sides, and that includes the Checkpoint, NetScreen, and Cisco platforms.
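An added illustration of the point made above (example code written for this page, not the poster's own and not taken from any vendor's IKE implementation): a toy model of proposal selection in which the responder accepts an initiator proposal only when every attribute in the list above matches one of its own, and otherwise answers "no proposal chosen" without saying which attribute disagreed. The `diagnose` helper, the `Proposal` fields and the two sample configurations are assumptions constructed for the example; they show how to recover the detail the real error message omits by diffing the closest pair of proposals.

```python
"""Constructed model of IKE proposal selection (illustrative, not real IKE code).

A responder accepts the first initiator proposal that matches one of its own
configured proposals attribute-for-attribute.  If nothing matches it answers
NO-PROPOSAL-CHOSEN, which says nothing about *which* attribute disagreed.
diagnose() supplies that missing detail by diffing the closest pair.
"""
from dataclasses import dataclass, fields
from typing import List, Optional, Union


@dataclass(frozen=True)
class Proposal:
    """One negotiable parameter set; field names are assumptions for this example."""
    auth: str                 # "psk", "rsa-sig" or "cert"
    encryption: str           # "des" or "3des"
    protocol: str             # "esp", "ah" or "esp+ah"
    pfs: bool                 # perfect forward secrecy on/off
    dh_group: Optional[int]   # DH group for PFS; None when PFS is off


NO_PROPOSAL_CHOSEN = "NO-PROPOSAL-CHOSEN"


def select_proposal(initiator: List[Proposal],
                    responder: List[Proposal]) -> Union[Proposal, str]:
    """Return the first initiator proposal the responder also accepts,
    else the NO-PROPOSAL-CHOSEN notify string (mirrors the terse real error)."""
    accepted = set(responder)          # Proposal is frozen, hence hashable
    for proposal in initiator:
        if proposal in accepted:
            return proposal
    return NO_PROPOSAL_CHOSEN


def diff_attributes(a: Proposal, b: Proposal) -> List[str]:
    """Names of the fields on which two proposals disagree, in declaration order."""
    return [f.name for f in fields(Proposal)
            if getattr(a, f.name) != getattr(b, f.name)]


def diagnose(initiator: List[Proposal], responder: List[Proposal]) -> List[str]:
    """Explain a failed negotiation.

    Returns [] when a proposal would be chosen.  Otherwise returns the differing
    field names of the initiator/responder pair with the fewest disagreements,
    i.e. the knob most likely mis-set on one side.
    """
    if select_proposal(initiator, responder) != NO_PROPOSAL_CHOSEN:
        return []
    best: Optional[List[str]] = None
    for p in initiator:
        for q in responder:
            d = diff_attributes(p, q)
            if best is None or len(d) < len(best):
                best = d
    return best or []


# Constructed sample: both admins believe the config is identical, but one
# side has PFS enabled (DH group 2) and the other has it switched off.
SIDE_A = [Proposal("psk", "3des", "esp", True, 2)]
SIDE_B = [Proposal("psk", "3des", "esp", False, None)]

if __name__ == "__main__":
    print(select_proposal(SIDE_A, SIDE_B))   # NO-PROPOSAL-CHOSEN
    print(diagnose(SIDE_A, SIDE_B))          # ['pfs', 'dh_group']
```

When the two sides agree, `select_proposal` returns the matching proposal and `diagnose` returns an empty list; when they disagree only on the DH group, the diff narrows to `['dh_group']`, which is the overlooked setting the post singles out.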