RV160 Site to Site VPN 15[IKE] received NO_PROPOSAL_CHOSEN error

markrichard
Level 1

Test AVPN S2S network ... This should NOT be this hard... straight-up simple VPN setup.

 

 NO_PROPOSAL_CHOSEN error is like a BS general error bucket non-informative log error... WTH !!!! 

 

The trial-and-error troubleshooting is insane - little diagnostic info available

my quest is a Phase I failure, but WHAT! What does NO_PROPOSAL_CHOSEN error suggest ... 

 

Wan Site A 10.22.22.1

Lan Site A 10.1.0.1/24

Wan Site B 10.220.220.1

LAN Site B 10.1.1.1/24

 

Site A                                      <----->                              Site B

RV160W  Wan  Ping                <----->            RV160 Wan Ping good 

10.22.22.1                              <---Ping-->           10.220.220.1

VPNS2S                                  <----->            peer VPN Config Site B

Connect             NO_PROPOSAL_CHOSEN error

Same log error from each site's RV160 logs

10.22.22.1 Wan Interface        <----->            10.220.220.1 Wan     

10.1.0.1 Lan Interface        <----->            10.1.1.1 Lan Interface     

 

S2S between both sites peer config inverse of each Wan/Lan

Site A

No. Name Enable Status Phase2 Enc/Auth/Grp Local Group Remote Group Remote Gateway Action
1 ospep Enable DOWN 3des-sha1-modp1024 10.1.0.1/24 10.1.1.1/24 10.220.220.1

Site B

1 ospep Enable DOWN 3des-sha1-modp1024 10.1.1.1/24 10.1.0.1/24 10.22.22.1

Both sites Matching Profiles

IPSec Profile

Name: Test

Keying Mode: Auto

IKE Version: IKEv1

Phase I Options

DH Group: Group2 - 1024 Bit

Encryption: 3DES

Authentication: SHA1

SA LT: 28800

Phase II Options

Protocol Selection: ESP

Encryption: 2DES

Authentication: SHA1

SA LT: 3600

Perfect Forward Secrecy: Enabled

DH Group: Group2 - 1024 Bit

 

Basic Settings

S2S Site A

Enable

Connection Name: ospep

IPSec Profile: Test

Interface Wan

Remote Endpoint Static IP

IP Address: 10.220.220.1

 

IKE Authentication Method

Pre-shared Key      sfc@testingnetwork12345

Show Pre-shared Key: not enabled

Minimum Preshared Key Complexity: not enabled

 

Local Group Setup
Local Identifier Type: Local WAN IP
Local Identifier: 10.22.22.1
Local IP Type: Subnet

IP Address: 10.1.0.1
Subnet Mask: 255.255.255.0

 



Remote Group Setup
Remote Identifier Type: Remote WAN IP
Remote Identifier: 10.220.220.1
Remote IP Type: Subnet
IP Address: 10.1.1.1
Subnet Mask: 255.255.255.0
Aggressive Mode: not enabled

 

Advanced Settings

Checked: Compress (Support IP Payload Compression Protocol (IPComp))
Checked: NetBIOS Broadcast
Checked: Keep-Alive
Keep-Alive Monitoring Interval 10

Checked: DPD Enabled
Delay Time 10
Detection Timeout 30
DPD Action Restart

 

No Extended Authentication

No Failover settings

 

Site B is peer configured as above

 

Very basic setup ... Site A Log file

Log file debug mode...

2021-Aug-13, 16:52:31 TMT info vpn charon: 05[IKE] received NO_PROPOSAL_CHOSEN error notify
2021-Aug-13, 16:52:31 TMT info vpn charon: 05[ENC] parsed INFORMATIONAL_V1 request 4163274021 [ N(NO_PROP) ]
2021-Aug-13, 16:52:31 TMT info vpn charon: 05[NET] received packet: from 10.220.220.1[500] to 10.22.22.1[500] (40 bytes)
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[NET] sending packet: from 10.22.22.1[500] to 10.220.220.1[500] (196 bytes)
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[ENC] generating ID_PROT request 0 [ SA V V V V V V ]
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] IKE_SA s2s_ospep[6014] state change: CREATED => CONNECTING
2021-Aug-13, 16:52:31 TMT info vpn charon: Last message '11[IKE] initiating M' repeated 1 times, supressed by syslog-ng on osptest
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] initiating Main Mode IKE_SA s2s_ospep[6014] to 10.220.220.1
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] sending draft-ietf-ipsec-nat-t-ike-02n vendor ID
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] sending NAT-T (RFC 3947) vendor ID
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] sending FRAGMENTATION vendor ID
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] sending Cisco Unity vendor ID
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] sending DPD vendor ID
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] sending XAuth vendor ID
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] activating ISAKMP_NATD task
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] activating ISAKMP_CERT_POST task
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] activating MAIN_MODE task
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] activating ISAKMP_CERT_PRE task
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] activating ISAKMP_VENDOR task
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] activating new tasks
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] queueing QUICK_MODE task
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] queueing ISAKMP_NATD task
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] queueing ISAKMP_CERT_POST task
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] queueing MAIN_MODE task
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] queueing ISAKMP_CERT_PRE task
2021-Aug-13, 16:52:31 TMT info vpn charon: 11[IKE] queueing ISAKMP_VENDOR task
2021-Aug-13, 16:52:31 TMT info vpn charon: 10[CFG] received stroke: initiate 's2s_ospep-1'
2021-Aug-13, 16:52:31 TMT info vpn charon: 12[IKE] IKE_SA s2s_ospep[6013] state change: CONNECTING => DESTROYING
2021-Aug-13, 16:52:31 TMT info vpn charon: 12[IKE] received NO_PROPOSAL_CHOSEN error notify
2021-Aug-13, 16:52:31 TMT info vpn charon: 12[ENC] parsed INFORMATIONAL_V1 request 96138045 [ N(NO_PROP) ]
2021-Aug-13, 16:52:31 TMT info vpn charon: 12[NET] received packet: from 10.220.220.1[500] to 10.22.22.1[500] (40 bytes)
2021-Aug-13, 16:52:31 TMT info vpn charon: 15[NET] sending packet: from 10.22.22.1[500] to 10.220.220.1[500] (196 bytes)
2021-Aug-13, 16:52:31 TMT info vpn charon: 15[ENC] generating ID_PROT request 0 [ SA V V V V V V ]
2021-Aug-13, 16:52:31 TMT info vpn charon: 15[IKE] IKE_SA s2s_ospep[6013] state change: CREATED => CONNECTING
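
A triage sketch for the log above, added as an example and not part of the original post: it reads charon lines in the newest-first order the router shows them and reports which IKEv1 exchange the peer answered with NO_PROPOSAL_CHOSEN. The sample lines are constructed from the post's log with timestamps trimmed; the function name and verdict strings are assumptions.

```python
import re

# Constructed sample: charon lines in the newest-first order shown in the post
# (timestamps trimmed; SA name and id as they appear in the post's log).
SAMPLE_LOG = """\
charon: 12[IKE] IKE_SA s2s_ospep[6013] state change: CONNECTING => DESTROYING
charon: 12[IKE] received NO_PROPOSAL_CHOSEN error notify
charon: 12[ENC] parsed INFORMATIONAL_V1 request 96138045 [ N(NO_PROP) ]
charon: 12[NET] received packet: from 10.220.220.1[500] to 10.22.22.1[500] (40 bytes)
charon: 15[NET] sending packet: from 10.22.22.1[500] to 10.220.220.1[500] (196 bytes)
charon: 15[ENC] generating ID_PROT request 0 [ SA V V V V V V ]
charon: 15[IKE] IKE_SA s2s_ospep[6013] state change: CREATED => CONNECTING
"""

# Outbound message: exchange type plus the payload list inside [ ... ].
GENERATED = re.compile(
    r"\[ENC\] generating (\w+) (?:request|response) \d+ \[ ([^\]]*)\]")
# Inbound informational message carrying the NO_PROPOSAL_CHOSEN notify.
NO_PROP = re.compile(
    r"\[ENC\] parsed INFORMATIONAL\w* request \d+ \[[^\]]*N\(NO_PROP\)")


def classify_no_proposal(log_text, newest_first=True):
    """Return one verdict per NO_PROPOSAL_CHOSEN notify, based on the last
    message this side generated before the notify arrived (hypothetical helper)."""
    lines = log_text.splitlines()
    if newest_first:
        lines = lines[::-1]          # walk the log in chronological order
    last_sent = None                 # (exchange, payloads) of our last message
    verdicts = []
    for line in lines:
        m = GENERATED.search(line)
        if m:
            last_sent = (m.group(1), m.group(2).split())
        elif NO_PROP.search(line):
            if last_sent is None:
                verdicts.append("unknown: no outbound message before notify")
            elif last_sent[0] in ("ID_PROT", "AGGRESSIVE") and "SA" in last_sent[1]:
                verdicts.append("phase1: peer rejected the IKE (Phase I) offer")
            elif last_sent[0] == "QUICK_MODE":
                verdicts.append("phase2: peer rejected the IPsec (Phase II) offer")
            else:
                verdicts.append("unknown: notify followed " + last_sent[0])
    return verdicts


if __name__ == "__main__":
    print(classify_no_proposal(SAMPLE_LOG))
```

In the post's log the notify answers the first Main Mode message (ID_PROT carrying the SA payload), so the exchange stops before Quick Mode and the Phase II settings are never negotiated.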

4 Replies

Hello,

 

Tough one. Have you tried anything higher than DH group 2 (which nowadays is considered a security risk)?

Thank you for the stronger security tip, but it's a VPN connectivity issue first and foremost; it makes no difference if a stronger security connection is used if I cannot even establish a simple lower security VPN connection.

It's a simple Cisco default VPN configured RV160W to a RV160. If we take the Cisco default configuration settings as the same on each router besides the different site IP addresses, it should be plug and play...

 

Hello,

 

What I meant to say was try different DH groups, maybe it works with a higher group...

 

Also, toggle the 'Perfect Forward Secrecy' (that is, enable and/or disable it on both sides) option. This is a Phase II option. Maybe it works with or without PFS...

pman
Spotlight

Hi,

 

Maybe try to change phase 2 options?

I would try to change the following values in both RV160W and RV160:

Encryption, DH group, Authentication.

(It is important that the values are equal on both RV160W and RV160).

 

I have attached a link to the guide for making the change through the GUI, maybe this will give ideas to more people.

 

https://www.cisco.com/c/en/us/support/docs/smb/routers/cisco-rv-series-small-business-routers/Configuring_VPN_Setup_Wizard_on_the_RV160_and_RV260.html
