"No proposal chosen" means that the encryption
settings on each end are not in sync. Yes, I know you said
they're identical, but that's what the error means and I believe
it's defined in an RFC somewhere. As cryptic as it sounds,
it's being as precise as it will get without saying something
verbose like "it says use DES on this side and 3DES on the other
side and so we don't agree."
Here's the rundown of settings (cross-platform)
that I know will tangle this up:
- preshared key vs RSA key vs certificates
- DES vs 3DES vs (who knows what else)
- ESP vs AH vs ESP+AH at the same time
- Perfect forward secrecy (PFS) on vs off
- Diffie-Hellman group for PFS (Group 1? Group 2? Group 3?)
What I've most often seen overlooked is the
PFS/DH stuff. One side has it on, the other has it off, or the
two sides are using different DH groups.
Good luck. I haven't seen one of these yet that
didn't boil down to a mismatched setting between the two sides, and
that includes the Checkpoint, NetScreen, and Cisco
platforms.
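An added example, not from this thread or any of the vendors named in it: a small Python model of the responder walking the initiator's proposal list, returning nothing when no entry matches (what the peer reports as "no proposal chosen"), plus a helper that shows which of the settings listed above differ between two sides. The Proposal fields, their values and both configurations are constructed for illustration.

```python
from dataclasses import dataclass, asdict

@dataclass(frozen=True)
class Proposal:
    """One IKE/IPsec proposal; the fields mirror the settings listed above
    (attribute names and values are constructed for this example)."""
    auth: str          # "psk", "rsa", or "cert"
    encryption: str    # "des", "3des", ...
    protocol: str      # "esp", "ah", or "esp+ah"
    pfs: bool          # perfect forward secrecy on/off
    dh_group: int      # Diffie-Hellman group used for PFS (1, 2, 5, ...)

def negotiate(initiator, responder):
    """Walk the initiator's proposals in order and return the first one the
    responder also accepts; None is what the peer reports back as
    NO_PROPOSAL_CHOSEN."""
    acceptable = set(responder)
    for proposal in initiator:
        if proposal in acceptable:
            return proposal
    return None

def explain_mismatch(initiator, responder):
    """When nothing matched, show for each initiator proposal the fields that
    differ from the closest responder proposal (fewest differing fields), so
    the out-of-sync setting is visible instead of one cryptic notification."""
    report = []
    for proposal in initiator:
        mine = asdict(proposal)
        best = None
        for candidate in responder:
            theirs = asdict(candidate)
            diffs = {k: (mine[k], theirs[k]) for k in mine if mine[k] != theirs[k]}
            if best is None or len(diffs) < len(best):
                best = diffs
        report.append(best)
    return report

# Constructed configurations: identical except that one side runs PFS with
# DH group 2 while the other uses group 1 (the commonly overlooked case).
SIDE_A = [Proposal("psk", "3des", "esp", True, 2)]
SIDE_B = [Proposal("psk", "3des", "esp", True, 1)]

if __name__ == "__main__":
    print("chosen:", negotiate(SIDE_A, SIDE_B))            # None -> no proposal chosen
    print("mismatch:", explain_mismatch(SIDE_A, SIDE_B))  # [{'dh_group': (2, 1)}]
```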
Gentlemen:
I have a question for you regarding a VPN a client
of mine is attempting to set up.
Both VPNs have identical hardware (Nokia 650s),
identical software (Checkpoint 4.1, SP4). All encryption
settings are identical.
However, when the VPN ruleset is built, an error is
seen in the log on one end of the VPN that says "IKE log: received
notification from peer, no proposal chosen."
What is the root of errors of this nature?
I will provide more relevant information as
necessary.
CF
Christopher A. Ferraro
Senior Systems
Engineer
Hubbard One
mobile:
www.hubbardone.com