IPsec connection attempt fails with No Proposals Chosen
Applies to
- ONTAP 9
- IPSEC
- Libreswan
- Strongswan
Issue
- Initiating new IPsec connections fails with error "No Proposals Chosen"
- Libreswan Pluto logs show:
netapp.transport" #1: initiating v2 parent SA
Jul 2 10:50:06 d00000-a-20526 pluto[26683]: "netapp.transport" #1: local IKE proposals for netapp.transport (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_384;INTEG=NONE;DH=ECP_384
Jul 2 10:50:06 d00000-a-20526 pluto[26683]: "netapp.transport" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
Jul 2 10:50:06 d00000-a-20526 pluto[26683]: "netapp.transport" #1: STATE_PARENT_I1: received unauthenticated v2N_NO_PROPOSAL_CHOSEN
- Packet trace shows:
Frame 2: 80 bytes on wire (640 bits), 80 bytes captured (640 bits) Internet Protocol Version 4, Src: 10.7.44.xx, Dst: 10.7.26.xx User Datagram Protocol, Src Port: 500, Dst Port: 500 Internet Security Association and Key Management Protocol
Initiator SPI: b21063e9777cedc9
Exchange type: IKE_SA_INIT (34)
Payload: Notify (41) - NO_PROPOSAL_CHOSEN
Notify Message Type: NO_PROPOSAL_CHOSEN (14) ~~~
- ONTAP Charon logs show:
Jul 3 09:19:27.456 11[CFG] received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
Jul 3 09:19:27.457 11[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384