"No proposal chosen" means that the encryption settings on each
end are not in sync. Yes, I know you said they're identical, but
that's what the error means and I believe it's defined in an RFC
somewhere. As cryptic as it sounds, it's being as precise as it
will get without saying something verbose like "it says use DES on this
side and 3DES on the other side and so we don't
agree."
Here's the rundown of settings (cross-platform) that I know
will tangle this up:
- preshared key vs RSA key vs certificates
- DES vs 3DES vs (who knows what else)
- ESP vs AH vs ESP+AH at the same time
- Perfect forward secrecy (PFS) on vs off
- Diffie-Hellman group for PFS (Group 1? Group 2? Group 3?)
What I've most often seen overlooked is the PFS/DH
stuff. One side has it on, the other has it off, or the two sides
are using different DH groups.
Good luck. I haven't seen one of these yet that didn't boil
down to a mismatched setting between the two sides, and that includes
the Checkpoint, NetScreen, and Cisco platforms.
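To make the "mismatched setting between the two sides" point concrete, here is an added example (it is not code from the original thread or from any of the named vendors) that models how a responder picks one of the initiator's proposals and which single attribute was out of sync when nothing matches. The `Proposal` class, its attribute names (`auth`, `encryption`, `protocols`, `pfs`, `dh_group`) and the sample proposals are assumptions constructed for this model; they mirror the checklist above rather than any product's actual configuration format.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Assumed model of one IKE/IPsec proposal; attribute names are ours, not a vendor's.
@dataclass(frozen=True)
class Proposal:
    auth: str                  # "psk", "rsa_sig" or "cert"
    encryption: str            # "des", "3des", ...
    protocols: FrozenSet[str]  # {"esp"}, {"ah"} or {"esp", "ah"}
    pfs: bool                  # Perfect Forward Secrecy on/off
    dh_group: Optional[int]    # DH group used for PFS; None when PFS is off

    FIELDS = ("auth", "encryption", "protocols", "pfs", "dh_group")

    def diff(self, other: "Proposal") -> List[str]:
        """Names of the attributes on which the two proposals disagree."""
        return [name for name in self.FIELDS
                if getattr(self, name) != getattr(other, name)]


def choose_proposal(offered: List[Proposal],
                    accepted: List[Proposal]) -> Optional[Proposal]:
    """Responder-side selection: the first offered proposal that local policy
    accepts in full. Returning None is the situation the peer reports back as
    'no proposal chosen'; a partial match counts for nothing."""
    acceptable = set(accepted)
    for proposal in offered:
        if proposal in acceptable:
            return proposal
    return None


def closest_mismatch(offered: List[Proposal],
                     accepted: List[Proposal]) -> Tuple[Proposal, Proposal, List[str]]:
    """When nothing matches, find the offered/accepted pair that differ in the
    fewest attributes; the differing attribute names are the likely culprit."""
    best = None
    for o in offered:
        for a in accepted:
            d = o.diff(a)
            if best is None or len(d) < len(best[2]):
                best = (o, a, d)
    return best


def diagnose(offered: List[Proposal], accepted: List[Proposal]) -> List[str]:
    """Empty list when a proposal is chosen, otherwise the attributes to check."""
    if choose_proposal(offered, accepted) is not None:
        return []
    return closest_mismatch(offered, accepted)[2]


# Constructed sample: both sides look "identical" (PSK, 3DES, ESP, PFS on),
# but one side uses DH group 1 for PFS and the other DH group 2.
SIDE_A = [Proposal("psk", "3des", frozenset({"esp"}), True, 1)]
SIDE_B = [Proposal("psk", "3des", frozenset({"esp"}), True, 2)]
# Constructed sample: PFS simply switched off on one side.
SIDE_C = [Proposal("psk", "3des", frozenset({"esp"}), False, None)]

if __name__ == "__main__":
    print(diagnose(SIDE_A, SIDE_B))   # ['dh_group']
    print(diagnose(SIDE_A, SIDE_C))   # ['pfs', 'dh_group']
    print(diagnose(SIDE_A, SIDE_A))   # []
```

The point the model makes is that proposal selection is all-or-nothing: a single differing attribute (here the DH group, the item most often overlooked) is enough for the responder to reject every offered proposal, and the resulting notification carries no hint of which attribute it was. Comparing the two sides attribute by attribute, as `closest_mismatch` does, is the manual exercise the error message is really asking for.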
Gentlemen:
I have a question for you regarding a VPN a client of mine is
attempting to set up.
Both VPNs have identical hardware (nokia 650's), identical
software (checkpoint 4.1, sp4). All encryption settings are
identical.
However, when the VPN ruleset is built, an error is seen in the
log on one end of the VPN that says "IKE log: received notification
from peer, no proposal chosen."
What is the root of errors of this nature?
I will provide more relevant information as
necessary.
CF
Christopher A. Ferraro
Senior Systems
Engineer
Hubbard One
mobile:
www.hubbardone.com