RB1200 to Watchguard IPSec VPN

Hi all,

I have an RB1200 and am trying to set up an IPsec VPN to a WatchGuard. Everything seems to be set up correctly, except when the tunnel tries to get established, I see the below in the logs:

Request for establishing IPsec-SA was queued due to no phase 1 found.
Phase2 negociation failed due to time up waiting for phase1. ESP

The watchguard is setup correctly with the Phase1 and Phase2 and allowed gateway (mikrotik)

Anyone have an idea?

The configuration on the two routers doesn’t match, at least for the phase 1 configuration. Double check everything. If you need a second/third/fourth pair of eyes on that, post the configurations here.

I’ve looked at everything and found 1 thing on the watchguard. I fixed that.

Now I’m getting further, but still getting errors. Here is the new error:

fatal NO-PROPOSAL-CHOSEN notify message, phase1 should be deleted.
notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=0065e8e11 (size=4)

That means the phase 1 proposals each router has configured don’t have a match between them, so they can’t pick one and stop negotiating. At least one phase 1 proposal must match exactly.

For the life of me I cannot get this working…

NO PROPOSAL CHOSEN is Phase 1, correct? Which is gateway communication?

I’m set up as SHA-Group1, which is on the MT as modp768…

But still getting this error

The only thing I’m not sure of is the IPsec policy screen on the MT…

Action is encrypt, Level is require… what is this level?

‘require’ would apply encryption.

I guess “no proposal chosen” could also apply to there not being a matching phase 2 policy. It depends on the device generating the log.

modp768 is a Diffie-Hellman group (DH1), and has nothing to do with SHA1, which is a hashing algorithm.

It really would be easiest if you just posted the configuration from both devices.

Phase 1 is configured under “/ip ipsec peer”. These settings must match:

  • authentication method
  • DH group
  • encryption algorithm
  • exchange mode
  • hash algorithm
  • it’s best practice to make the DPD and lifetime settings match also
  • NAT-T must be enabled on both sides if there is a NAT router between the two peers

Phase 1 is used to authenticate the peers to one another and generate the keying material for phase 2. It has nothing to do with actually encrypting any traffic between the two peers - it’s just for setting that up as the next step.

Phase 2 is configured under “/ip ipsec proposal” and is linked to under “/ip ipsec policy”. These settings must match, and they have NOTHING to do with the settings in phase 1:

  • IPsec protocol
  • mode (tunnel or transport)
  • authentication method
  • encryption method
  • PFS (DH) group
  • it’s best practice to make the lifetime match

Again: It really would be easiest if you just posted the configuration from both devices.
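As an added example (it is not from the thread, and not MikroTik's or WatchGuard's code): a small Python checker that compares the per-phase settings listed above across the two ends and reports which ones differ, plus a reading of the `proto_id` carried in a NO-PROPOSAL-CHOSEN notify. The RouterOS side is parsed from the `/ip ipsec peer`, `/ip ipsec proposal` and `/ip ipsec policy` sections of an export; the far end is a constructed dict standing in for the other vendor's Phase 1 / Phase 2 screens, the alias table is an assumption about how that GUI spells its options, and every address, name and secret in the sample is made up.

```python
import re

# Settings the replies say must match, keyed by the RouterOS parameter names
# used under /ip ipsec peer (phase 1) and /ip ipsec proposal + policy (phase 2).
PHASE1_KEYS = ("auth-method", "exchange-mode", "dh-group",
               "enc-algorithm", "hash-algorithm")
PHASE2_KEYS = ("ipsec-protocols", "tunnel", "auth-algorithms",
               "enc-algorithms", "pfs-group")

# Assumed alias table for the names the other vendor's GUI shows (hypothetical
# for this example). DH group 1 is the 768-bit MODP group and group 2 the
# 1024-bit one, so "Group1" really is RouterOS's modp768.
ALIASES = {
    "group1": "modp768", "dh1": "modp768",
    "group2": "modp1024", "dh2": "modp1024",
    "sha": "sha1", "sha-1": "sha1",
    "aes-128": "aes-128-cbc", "aes128": "aes-128-cbc",
    "psk": "pre-shared-key",
}

# RFC 2407 protocol ids carried in an ISAKMP notify: 1 = ISAKMP itself
# (phase 1), 2 = AH, 3 = ESP (a phase 2 SA).
PROTO_IDS = {"1": "phase1", "2": "phase2", "3": "phase2"}


def normalise(value):
    """Lower-case a setting and map vendor spellings onto RouterOS ones."""
    v = value.strip().strip('"').lower()
    return ALIASES.get(v, v)


def parse_routeros_export(text):
    """Read the first 'add' line of each /ip ipsec section of an export.

    Returns {"peer": {...}, "proposal": {...}, "policy": {...}} with raw
    values; backslash line continuations are joined first.
    """
    sections, current = {}, None
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line.startswith("/ip ipsec "):
            current = line.split()[-1]
            sections.setdefault(current, {})
        elif line.startswith("add ") and current and not sections[current]:
            for key, val in re.findall(r'(\S+?)=("[^"]*"|\S+)', line):
                sections[current][key] = val
    return sections


def normalised(settings):
    """Apply normalise() to every value of a {phase: {key: value}} dict."""
    return {phase: {k: normalise(v) for k, v in d.items()}
            for phase, d in settings.items()}


def routeros_phases(export_text):
    """Group a RouterOS export into phase 1 (peer) and phase 2 settings.

    Phase 2 is split across the proposal (algorithms, PFS group) and the
    policy (IPsec protocol, tunnel mode), so the two are merged here.
    """
    s = parse_routeros_export(export_text)
    phase2 = dict(s.get("proposal", {}))
    phase2.update(s.get("policy", {}))
    return normalised({"peer": s.get("peer", {}), "phase2": phase2})


def mismatches(local, remote, keys):
    """Return (setting, local_value, remote_value) for every differing key."""
    return [(k, local.get(k), remote.get(k))
            for k in keys if local.get(k) != remote.get(k)]


def diagnose(local, remote):
    """Compare both ends; an empty list for a phase means it should negotiate."""
    return {"phase1": mismatches(local["peer"], remote["peer"], PHASE1_KEYS),
            "phase2": mismatches(local["phase2"], remote["phase2"], PHASE2_KEYS)}


def phase_from_notify(log_line):
    """Tell which phase a NO-PROPOSAL-CHOSEN notify refers to from its proto_id."""
    m = re.search(r"proto_id=(\d+)", log_line)
    return PROTO_IDS.get(m.group(1), "unknown") if m else "unknown"


# Constructed sample: a RouterOS export in the thread's setup (SHA1, DH group 1).
LOCAL_EXPORT = r"""
/ip ipsec peer
add address=203.0.113.2/32 auth-method=pre-shared-key exchange-mode=main \
    dh-group=modp768 enc-algorithm=3des hash-algorithm=sha1 secret="EXAMPLE"
/ip ipsec proposal
add name=to-wg auth-algorithms=sha1 enc-algorithms=3des pfs-group=modp768
/ip ipsec policy
add src-address=192.168.1.0/24 dst-address=192.168.2.0/24 action=encrypt \
    level=require ipsec-protocols=esp tunnel=yes proposal=to-wg
"""

# Constructed transcription of the far end's phase 1 / phase 2 screens, using
# that vendor's spellings; the only difference is the phase 1 cipher.
REMOTE_SETTINGS = {
    "peer": {"auth-method": "PSK", "exchange-mode": "Main", "dh-group": "Group1",
             "enc-algorithm": "AES-128", "hash-algorithm": "SHA"},
    "phase2": {"ipsec-protocols": "ESP", "tunnel": "yes", "auth-algorithms": "SHA1",
               "enc-algorithms": "3DES", "pfs-group": "Group1"},
}

if __name__ == "__main__":
    report = diagnose(routeros_phases(LOCAL_EXPORT), normalised(REMOTE_SETTINGS))
    for phase, diffs in report.items():
        print(phase, "OK" if not diffs else diffs)
```

Run against the constructed sample, the checker reports a single phase 1 mismatch (3DES on the MikroTik versus AES-128 on the far end) and a clean phase 2. The `proto_id` lookup is the quick way to settle the "is this phase 1 or phase 2?" question raised in the thread: a notify with `proto_id=1` is about the ISAKMP SA (phase 1), while `proto_id=3` names ESP and therefore a phase 2 proposal mismatch.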

Never mind… got it working now…

Thanks for your help

THIS SHOULD BE IN THE MANUAL

Added to the wiki parameters that should match in every phase.

Hello, I have the same problem can you explain how you solved it?