
I have a Cisco 2921 and a SonicWall NSA 3600. I am trying to set up a site-to-site VPN. I am getting:

Received notify. NO_PROPOSAL_CHOSEN

in the SonicWall logs and the VPN is not set up.

It looks like phase 1 is OK as I am getting:

Info VPN IKE IKE Initiator: Start Quick Mode (Phase 2). SONIC_WALL_IP, 500  CISCO_IP, 500 VPN Policy: test   

in the SonicWall logs just before the NO_PROPOSAL_CHOSEN message.

I have checked:

  • Authentication/Authorization algorithms on both sides, and they match (DES/SHA1)
  • Correct subnets are configured on both sides of the connection (172.16.0.0 on the SonicWall side and 172.19.0.0 on the Cisco side)

Neither debug crypto isakmp nor debug crypto ipsec on the Cisco gives me any output.

Because the WAN interface is set up as a /28 there is a bit of NAT configured, but I think it is not relevant, so I removed it from the Cisco config example below; I will add it if requested. Computers connected to 172.19.0.0 have internet access with the correct IP address, so I think the NAT is irrelevant.

Can someone please help me with this? I might be missing some configuration or I have made a stupid mistake.

Relevant Cisco config:

! Phase 1
! No 'encryption' or 'hash' lines, so the IOS defaults apply: DES and SHA-1
crypto isakmp policy 1
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key SECRET address SONICWALL_IP

! Phase 2
crypto ipsec security-association lifetime seconds 28800

crypto ipsec transform-set MYSET esp-des esp-sha-hmac

! No 'set pfs' line, so PFS is off for this crypto map entry
crypto map MYMAP 1 ipsec-isakmp
 set peer SONICWALL_IP
 set transform-set MYSET
 match address 166

! WAN interface
interface GigabitEthernet0/0
 description WAN
 ip address CISCO_PUBLIC_IP 255.255.255.240
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map MYMAP

! LAN interface
interface GigabitEthernet0/1/3
 switchport access vlan 72
 no ip address

interface Vlan72
 ip address 172.19.0.1 255.255.0.0
 ip nat inside
 ip virtual-reassembly in

! Crypto ACL (proxy IDs): local 172.19.0.0/16 to remote 172.16.0.0/16
access-list 166 permit ip 172.19.0.0 0.0.255.255 172.16.0.0 0.0.255.255

SonicWall is set up as:

(two screenshots of the SonicWall VPN policy settings, not preserved)

and the Network tab -> Remote Networks -> Choose destination network from list is set up as:

(screenshot of the SonicWall VPN policy Network tab, not preserved)

Kocur4d
  • "Known good" IPsec VPN interoperability profiles are available here: http://www.vpnc.org/InteropProfiles/ - perhaps running through the Cisco IOS and SonicOS Enhanced ones would be helpful – Hyppy May 14 '15 at 15:24
  • Are you allowing packets with the protocol 50 (ESP) and UDP (port 500) on both sides? – fgbreel May 18 '15 at 19:18
  • Well, this document (http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14144-static.html) says, that (1) "the NAT takes place before the crypto check when the packet goes from inside to outside." and (2) "the static NAT command takes precedence over the generic NAT statement for all connections". So I would check your NAT rules carefully. From the same document, you could try 'debug crypto engine' in addition to the debug commands you have already tried. – Andrey Sapegin May 24 '15 at 15:53
  • Could you please also write which IOS version do you have? E.g., using 'show version' or 'show flash' commands. – Andrey Sapegin May 24 '15 at 15:57

2 Answers

I had a similar issue and this document helped me out...

VPN: The log shows "Received Notify: No Proposal Chosen" (SW3902) - Affected SonicWALL Security Appliance

Another hint is to check the passphrase, and be sure that the shared secret has a minimum length of 6 characters.

Cadburry
  • Whilst this may theoretically answer the question, please provide context around links so others will have some idea what it is and why it’s there. If possible summarise or quote the most relevant part of an important link, in case the target site is unreachable or goes permanently offline. – HBruijn May 19 '15 at 20:59
  • I will check it today. One thing after glancing over the link - I don't have a SonicWall on the other side, and **debug crypto isakmp** and **debug crypto ipsec** on the Cisco don't provide any output at all. – Kocur4d May 21 '15 at 09:30
  • I have redone it a few times and it still fails on phase 2. Ports are open on both sides. I will need to check the NAT on the Cisco; maybe it is breaking something. – Kocur4d May 22 '15 at 08:27

NO_PROPOSAL_CHOSEN means a protocol or key mismatch. Try to enable "Perfect forward secrecy" and set it to "Group2" on your SonicWall.

shodanshok
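The question's checklist (algorithms and subnets on both sides) and shodanshok's PFS suggestion are all instances of one rule: the responder answers NO_PROPOSAL_CHOSEN in Quick Mode when no parameter set in the initiator's proposal matches its own policy, and the parameters that have to line up are the ESP encryption and authentication algorithms, the PFS group (including "off"), and the proxy IDs (the crypto ACL on the Cisco side, the local/remote networks on the SonicWall side). The script below is an added example, not code from the original post or from either answer: it parses the phase 2 lines of the Cisco configuration posted in the question and compares them with a SonicWall policy expressed as a dictionary. The SonicWall dictionary is a constructed stand-in for the screenshots, so its values (in particular `pfs_group`) are assumptions to be replaced with the real policy; the mapping of IOS transform-set keywords to SonicOS algorithm names is also mine.

```python
"""Compare the phase 2 (IKEv1 Quick Mode) parameters of a Cisco IOS crypto map
with a SonicWall VPN policy and list the mismatches that would make the
responder reply NO_PROPOSAL_CHOSEN."""
import ipaddress

# Cisco side: the phase 2 lines from the configuration posted in the question.
CISCO_CONFIG = """
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set MYSET esp-des esp-sha-hmac
crypto map MYMAP 1 ipsec-isakmp
 set peer SONICWALL_IP
 set transform-set MYSET
 match address 166
access-list 166 permit ip 172.19.0.0 0.0.255.255 172.16.0.0 0.0.255.255
"""

# SonicWall side: a constructed stand-in for the policy screenshots. These values
# are assumptions, not taken from the question; copy the real Proposals and
# Network tabs here. pfs_group is None when "Enable Perfect Forward Secrecy" is off.
SONICWALL_POLICY = {
    "encryption": "DES",
    "authentication": "SHA1",
    "pfs_group": 2,
    "lifetime": 28800,
    "local_network": "172.16.0.0/16",   # the SonicWall's own LAN
    "remote_network": "172.19.0.0/16",  # the Cisco LAN as seen from the SonicWall
}

# IOS transform-set keywords mapped to the names SonicOS shows in its drop-downs (assumed names).
ESP_ENCRYPTION = {"esp-null": "NULL", "esp-des": "DES", "esp-3des": "3DES",
                  "esp-aes": "AES128", "esp-aes 192": "AES192", "esp-aes 256": "AES256"}
ESP_AUTH = {"esp-md5-hmac": "MD5", "esp-sha-hmac": "SHA1", "esp-sha256-hmac": "SHA256"}


def wildcard_to_network(address, wildcard):
    """Turn an IOS 'address wildcard' pair into an ip_network; rejects non-contiguous masks."""
    wc = int(ipaddress.IPv4Address(wildcard))
    prefix = 32 - bin(wc).count("1")
    if wc != (1 << (32 - prefix)) - 1:
        raise ValueError(f"wildcard {wildcard} is not contiguous; no single proxy ID matches it")
    return ipaddress.ip_network(f"{address}/{prefix}", strict=False)


def parse_cisco_phase2(config):
    """Collect transform sets, crypto map entries and the extended ACLs they reference."""
    transform_sets, crypto_maps, acls = {}, {}, {}
    lifetime = 3600   # IOS default when no explicit IPsec SA lifetime is configured
    current = None    # crypto map entry whose indented 'set'/'match' lines are being read
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        words = line.split()
        if line.startswith(" "):
            if current is not None:
                if words[:2] == ["set", "peer"]:
                    current["peer"] = words[2]
                elif words[:2] == ["set", "transform-set"]:
                    current["transform_set"] = words[2]
                elif words[:2] == ["set", "pfs"]:
                    current["pfs_group"] = int(words[2][len("group"):])   # 'group2' -> 2
                elif words[:2] == ["match", "address"]:
                    current["acl"] = words[2]
            continue
        current = None
        if line.startswith("crypto ipsec security-association lifetime seconds"):
            lifetime = int(words[-1])
        elif line.startswith("crypto ipsec transform-set"):
            name, algs, ts = words[3], words[4:], {"encryption": None, "authentication": None}
            i = 0
            while i < len(algs):
                token = algs[i]
                if token == "esp-aes" and i + 1 < len(algs) and algs[i + 1].isdigit():
                    token, i = f"esp-aes {algs[i + 1]}", i + 1   # 'esp-aes 256' spans two words
                if token in ESP_ENCRYPTION:
                    ts["encryption"] = ESP_ENCRYPTION[token]
                elif token in ESP_AUTH:
                    ts["authentication"] = ESP_AUTH[token]
                i += 1
            transform_sets[name] = ts
        elif line.startswith("crypto map") and "ipsec-isakmp" in words:
            current = {"pfs_group": None}   # no 'set pfs' line means PFS is off
            crypto_maps[(words[2], int(words[3]))] = current
        elif line.startswith("access-list") and words[2:4] == ["permit", "ip"]:
            acls.setdefault(words[1], []).append(
                (wildcard_to_network(words[4], words[5]), wildcard_to_network(words[6], words[7])))
    return {"transform_sets": transform_sets, "crypto_maps": crypto_maps, "acls": acls, "lifetime": lifetime}


def pfs_label(group):
    return "off" if group is None else f"group {group}"


def compare_phase2(config, policy, map_name="MYMAP", seq=1):
    """Return the phase 2 mismatches as strings; an empty list means Quick Mode should succeed."""
    cisco = parse_cisco_phase2(config)
    entry = cisco["crypto_maps"][(map_name, seq)]
    ts = cisco["transform_sets"][entry["transform_set"]]
    findings = []
    if ts["encryption"] != policy["encryption"]:
        findings.append(f"encryption: Cisco {ts['encryption']} vs SonicWall {policy['encryption']}")
    if ts["authentication"] != policy["authentication"]:
        findings.append(f"authentication: Cisco {ts['authentication']} vs SonicWall {policy['authentication']}")
    if entry["pfs_group"] != policy["pfs_group"]:
        findings.append(f"PFS: Cisco {pfs_label(entry['pfs_group'])} vs SonicWall {pfs_label(policy['pfs_group'])}")
    # Proxy IDs are stated from each peer's own side: the SonicWall's remote network must
    # be the Cisco ACL source and its local network the ACL destination.
    cisco_pairs = {(str(src), str(dst)) for src, dst in cisco["acls"][entry["acl"]]}
    wanted = (str(ipaddress.ip_network(policy["remote_network"])), str(ipaddress.ip_network(policy["local_network"])))
    if wanted not in cisco_pairs:
        findings.append(f"proxy IDs: SonicWall proposes {wanted[0]} <-> {wanted[1]}, Cisco ACL {entry['acl']} permits {sorted(cisco_pairs)}")
    # SA lifetime is deliberately not compared: a shorter proposed lifetime is accepted, not rejected.
    return findings


if __name__ == "__main__":
    for finding in compare_phase2(CISCO_CONFIG, SONICWALL_POLICY) or ["no phase 2 mismatch found"]:
        print(finding)
```

With the posted Cisco configuration, the only mismatch the script reports against the assumed SonicWall policy is PFS (off on the Cisco because the crypto map has no `set pfs`, group 2 on the SonicWall); either adding `set pfs group2` to `crypto map MYMAP 1` or disabling PFS on the SonicWall policy clears it, and the two sides must agree rather than one of them simply having PFS on. Swapping the local and remote networks on the SonicWall policy produces the proxy ID finding, which is the other common cause of a phase 2 failure after a successful phase 1.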