D-Link DFL-800 Product Manual - Page 440
Could not find acceptable proposal / no proposal chosen, Incorrect pre-shared key
9.7.5. Specific Error Messages

1. Could not find acceptable proposal / no proposal chosen

This is the most common IPsec related error message. It means that, depending on which side initiates tunnel setup, the negotiation in either the IKE or the IPsec phase of setup failed because the two sides were unable to find a matching proposal that both could agree on. Troubleshooting this error message can be involved, since the reasons for it can be multiple depending on where in the negotiation it occurred.

• If the negotiation fails during phase-1 - IKE

The IKE proposal list does not match. Double-check that the IKE proposal list matches that of the remote side. A good idea is to use the ikesnoop verbose command in the console and have the remote side initiate the tunnel. You will then be able to see what proposals the remote side is sending and compare them with your own IKE proposal list. At least ONE proposal has to match in order for it to pass phase-1. Don't forget that the lifetimes are also important, as will be mentioned in Problem symptom-1.

Note: In newer versions it is not possible to set the lifetime in KB for the IKE phase, only in seconds.

• If the negotiation fails during phase-2 - IPsec

The IPsec proposal list does not match. Double-check that the IPsec proposal list matches that of the remote side. You can use the same method described above, using ikesnoop while the remote side initiates the tunnel, and compare the result against your own proposal list. What is "extra" in the IPsec phase is that the networks are negotiated here, so even if the IPsec proposal lists seem to match, the problem may be with mismatching networks. The Local Network(s) on your side need to be the Remote Network on the other side, and vice versa. Remember that multiple networks will generate multiple IPsec SAs, one SA per network (or per host if you use that option).

The defined network size is also important in that it must have exactly the same size on both sides, as will be mentioned again later in the symptom section. There are also some settings on the IPsec tunnel's IKE tab that can be involved in a no-proposal-chosen issue, such as Main or Aggressive mode, DH Group (for the IKE phase) and PFS (for the IPsec phase).

2. Incorrect pre-shared key

A problem with the pre-shared key on either side has caused the tunnel negotiation to fail. This is perhaps the easiest of all the error messages to troubleshoot, since it can be only one thing: an incorrect pre-shared key. Double-check that the pre-shared key is of the same type (Passphrase or Hex-key) and correctly added on both sides of the tunnel.

Another reason why NetDefendOS detects that the pre-shared key is incorrect could be that the wrong tunnel is triggering during tunnel negotiation. IPsec tunnels are processed from the top to the bottom of the NetDefendOS tunnel list and are initially matched against the remote gateway. An example is a roaming tunnel that uses all-nets as its remote gateway: this tunnel will trigger before your defined tunnel if it is above it in the tunnel list. For example, consider the following IPsec tunnel definitions:

Name    Local Network   Remote Network   Remote Gateway
VPN-1   lannet          office1net       office1gw
VPN-2   lannet          office2net       office2gw
L2TP    ip_wan          all-nets         all-nets
VPN-3   lannet          office3net       office3gw

Since the tunnel L2TP in the above table is above the tunnel VPN-3, it will trigger a match before VPN-3 because of the all-nets remote gateway (all-nets will match any network). Since these two
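As an added illustration (not code from the D-Link manual), the following Python model of the top-to-bottom tunnel-list matching shows why the roaming L2TP tunnel placed above VPN-3 answers office3gw's negotiation and reports an incorrect pre-shared key, and why moving it to the bottom of the list fixes it. The gateway addresses, PSK values and helper names are assumptions, not NetDefendOS objects.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Tunnel:
    name: str
    local_net: str
    remote_net: str
    remote_gw: str   # a host, a CIDR, or "all-nets" (matches any peer)
    psk: str         # assumed per-tunnel pre-shared key


def _as_network(text: str):
    """Map the manual's all-nets object to 0.0.0.0/0; parse anything else as is."""
    return ipaddress.ip_network("0.0.0.0/0" if text == "all-nets" else text, strict=False)


def select_tunnel(tunnels, peer_ip):
    """First tunnel, top to bottom, whose Remote Gateway covers the negotiating peer."""
    peer = ipaddress.ip_address(peer_ip)
    for t in tunnels:
        if peer in _as_network(t.remote_gw):
            return t
    return None


def negotiate(tunnels, peer_ip, peer_psk):
    """Phase-1 outcome for a peer offering peer_psk, given the current tunnel order."""
    t = select_tunnel(tunnels, peer_ip)
    if t is None:
        return "no tunnel matches remote gateway"
    if t.psk != peer_psk:
        return f"{t.name}: Incorrect pre-shared key"
    return f"{t.name}: ok"


def move_to_bottom(tunnels, name):
    """Copy of the list with the named tunnel last: the usual placement for a roaming tunnel."""
    return [t for t in tunnels if t.name != name] + [t for t in tunnels if t.name == name]


# Constructed tunnel list mirroring the manual's table; gateway addresses are
# RFC 5737 documentation placeholders, not real sites.
TUNNELS = [
    Tunnel("VPN-1", "lannet", "office1net", "203.0.113.1", "office1-secret"),
    Tunnel("VPN-2", "lannet", "office2net", "203.0.113.2", "office2-secret"),
    Tunnel("L2TP",  "ip_wan", "all-nets",   "all-nets",    "l2tp-secret"),
    Tunnel("VPN-3", "lannet", "office3net", "203.0.113.3", "office3-secret"),
]

if __name__ == "__main__":
    # office3gw negotiates: L2TP (above VPN-3) catches it and its PSK does not match
    print(negotiate(TUNNELS, "203.0.113.3", "office3-secret"))
    print(negotiate(move_to_bottom(TUNNELS, "L2TP"), "203.0.113.3", "office3-secret"))
```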