cOS Core IPsec IKEv1 "No_Proposal_Chosen" error in 14.00.10

Last modified on 4 Aug, 2023. Revision 9
After upgrading to cOS Core 14.00.10 from any cOS Core version earlier than 14.00.10, a previously working IKEv1 IPsec tunnel stopped working. This article will describe why this happened and provides some ways to solve the problem until a new firmware version with a correction is available.
Applicable for
cOS Core 14.00.10
Not applicable for
cOS Core 14.00.11 and above
Status OK
Author
Peter Nilsson


Description

In cOS Core version 14.00.10, the default High proposal list for IKE and IPsec was updated to also include AES-GCM as Encryption Algorithm. This should not have caused any problems as the change was to add an additional algorithm to the High proposal list without changing or removing existing algorithms. But unfortunately one case that slipped through testing was if IKEv1 was used for either Initiator or Terminator (and the default High proposal list is not always used in all test scenarios). AES-GCM is an IKEv2 only algorithm and will not work for IKEv1.

The problem

Normally, when an IPsec tunnel is initiated or terminated, one matching proposal is enough for both sides (Initiator/Terminator) to agree on which algorithms and proposals to use in order to establish the tunnel. However, due to this problem, even if the remote endpoint (being the initiator) sends, for example, the standard AES (which should be fine), cOS Core would reply with “No_Proposal_Chosen” because it erroneously fails to match the proposal due to AES-GCM being allowed in the proposal list.

If cOS Core attempts to be the initiator no output will be printed in the “ike -snoop” log as the IKE snoop only listens for incoming or sending IKE negotiations, in this case the problem happens / is detected before any packets are being processed so the IKE snoop output will be empty but the normal log would give a clear log entry of what the problem is. Below is a log Example on how it can look if an IKEv1 tunnel tries to be the initiator and AES-GCM is in the proposal list:

2023-06-26 12:33:17 IPSEC 01802022 Warning(4) event=ike_sa_failed action=no_ike_sa statusmsg="AES-GCM IKEv1 IKE cipher error" reason="AES-GCM can not be used as IKE cipher in IKEv1" local_peer="192.168.98.14:4500 ID (null)"
remote_peer="192.168.98.10:4500 ID (null)" spi_i=0x3458be918a9bf6d9 spi_r=0x0000000000000000 initiator=TRUE ipsec_if=IPsec_To_VSG-HA

Solution

The solutions to the problem are straightforward:

  1. Create a new IKE and IPsec proposal list and remove AES-GCM from the selection and use that proposal list on the affected tunnel(s).
  2. Alternatively modify the default HIGH proposal list and remove AES-GCM from it.
  3. Change to use IKEv2 instead of IKEv1.

If possible, #3 is recommended as IKEv2 is superior to IKEv1.

Once cOS Core version 14.00.11 is released, this issue will no longer be a problem as AES-GCM will be excluded for both incoming and outgoing negotiations if IKEv1 is used (defect ID : COP-24366).


Related articles

Configuring L2TP/IPsec Server using PSK
11 Jan, 2023 ipsec core vpn
Fetching IPs for cOS Core IP pools from a firewall's own DHCP server
24 Mar, 2023 core ipsec ippool dhcp
Setup of a Layer-3 bridge over IPsec in cOS Core
12 Apr, 2023 core proxyarp arp ipsec routing
Configuring public certificates in NetWall firewalls
18 Mar, 2024 core certificate oneconnect ipsec vpn
How to use the same network on both sides of an IPsec tunnel
23 Nov, 2022 core ipsec
cOS Core L2TP server setup with Windows Server CA certificates
21 Feb, 2023 ipsec certificate windows ca core
Problem with auto-created Core routes
22 Mar, 2021 core ipsec routing
Certificate update in InControl global domain on certificate that is used on firewall(s)
18 Mar, 2024 core incontrol certificate oneconnect ipsec vpn
Setting up OSPF with IPsec in cOS Core
16 Apr, 2024 core routing ospf ipsec
Using "all-nets" as source/destination network in IPsec tunnels
17 Jun, 2021 core ipsec routing
Setting up cOS Core as an L2TP/IPsec client
8 Mar, 2023 core l2tp ipsec
cOS Core Lan to Lan IPsec tunnel setup with PSK
20 Feb, 2023 core vpn ipsec
IPsec license usage calculation
14 Apr, 2021 core license ipsec
Does IPsecBeforeRules trigger before Access rules?
8 Sep, 2020 core ipsec rules access
Split tunneling in cOS Core with Windows L2TP/IPsec clients
29 Mar, 2023 ipsec core windows vpn l2tp
Connecting to IPsec endpoints from behind a NetWall firewall
5 Apr, 2023 ipsec core
Windows 10 IKEv2 only proposes Diffie-Hellman group 2, 1024 bit - how do I configure it to use group 14, 2048 bit?
16 Sep, 2020 vpn ipsec ikev2 windows howto dh
Troubleshooting IPsec tunnels (IKEv1)
7 Dec, 2022 ipsec ike troubleshoot core
IPsec: Does cOS Core support Pseudo-Random Functions (PRFs) according to RFC-4868?
14 Dec, 2022 core ipsec
cOS Core IKEv2 tunnel setup with certificates for iOS clients
5 Apr, 2023 core nps ipsec radius legacy
IKEv2 roaming VPN in cOS Core without client certificate installation
14 Mar, 2023 core ipsec vpn ikev2 certificate
"Disabling IPsec tunnel..." warning when deploying a configuration change
23 Aug, 2022 core ipsec license memory
Tunneling IPv6 over IPv4 networks using cOS Core IPsec
15 Mar, 2023 core ipsec ipv6
Freeing up more memory in the Firewall
23 Aug, 2022 core connections ipsec memory
Route failover with IPsec tunnels in cOS Core
13 Feb, 2023 ipsec core routing failover
Split tunneling with cOS Core L2TP/IPsec using an MS DHCP server
28 Mar, 2023 dhcp ipsec core



Tagscoreipsectroubleshootike