IKE Phase 1 negotiations fail - "Proposal Mismatch" error message in event log
IKE Phase 2 negotiations fail - "No proposal Chosen" error message in event log
What is the purpose of the "set IKE accept-all-proposal" CLI command?
The "set ike accept-all-proposal" command may be used when an administrator has no access to, or information about, the VPN configuration of the device at the remote end.
This CLI command should be used with caution because it may lessen VPN security. Once enabled, it applies to all IKE gateways configured on the NetScreen device. We recommend using it only temporarily, to determine the P1 and P2 proposals used to establish the VPN tunnel in question. Once that information is obtained, we strongly suggest disabling the feature.
To determine which proposal was accepted during the IKE Phase 1 negotiations, use the following CLI command: get ike cookie [Enter]
To determine the IKE Phase 2 proposal, use the following CLI command: get sa [Enter]
Once the P1 and P2 proposals have been determined from the established VPN tunnel, reconfigure the IKE gateway with the matching P1 proposal and the VPN tunnel with the matching P2 proposal, then "disable" this command by entering: unset ike accept-all-proposal [Enter]
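A check for whether the setting was left enabled after troubleshooting, as an added example that is not part of the original article: it scans a saved configuration export for the toggle and lists the IKE gateways it affects, since the setting is global. The sample configuration is constructed, and it is an assumption that the export contains the literal `set ike accept-all-proposal` line and gateway lines beginning `set ike gateway "<name>"`.

```python
import re

# The global toggle named in the article; the last set/unset in the file wins.
TOGGLE = re.compile(r'^\s*(set|unset)\s+ike\s+accept-all-proposal\s*$', re.I)
# Assumed prefix of a gateway line in a saved config; only the name is parsed.
GATEWAY = re.compile(r'^\s*set\s+ike\s+gateway\s+(?:"([^"]+)"|(\S+))', re.I)

def audit_config(text):
    """Report whether accept-all-proposal is active and which gateways it covers."""
    enabled = False
    toggle_line = None
    gateways = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = TOGGLE.match(line)
        if m:
            enabled = m.group(1).lower() == "set"
            toggle_line = lineno if enabled else None
            continue
        m = GATEWAY.match(line)
        if m:
            name = m.group(1) or m.group(2)
            if name not in gateways:  # a gateway may span several config lines
                gateways.append(name)
    return {
        "accept_all_enabled": enabled,
        "line": toggle_line,
        # The setting is not per gateway: when on, every gateway is affected.
        "affected_gateways": gateways if enabled else [],
    }

# Constructed sample export (hypothetical names, documentation addresses).
SAMPLE = """\
set ike gateway "branch-gw" address 192.0.2.10
set ike gateway "partner gw" address 198.51.100.7
set ike gateway "partner gw" nat-traversal
set ike accept-all-proposal
set vpn "branch-vpn" gateway "branch-gw"
"""

if __name__ == "__main__":
    result = audit_config(SAMPLE)
    if result["accept_all_enabled"]:
        print("accept-all-proposal is ON (line %d); gateways affected: %s"
              % (result["line"], ", ".join(result["affected_gateways"])))
    else:
        print("accept-all-proposal is not enabled")
```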
Here is the problem or goal:
- What is the purpose of the "set IKE accept-all-proposal" CLI command?
Problem Environment:
- IKE Phase 1 negotiations fail - "Proposal Mismatch" error message in event log
- IKE Phase 2 negotiations fail - "No proposal Chosen" error message in event log
Applicable Products:
- NetScreen-5
- NetScreen-5XP
- NetScreen-5XT
- NetScreen-5GT
- NetScreen-10
- NetScreen-25
- NetScreen-50
- NetScreen-100
- NetScreen-204
- NetScreen-208
- NetScreen-500
- NetScreen-1000
- NetScreen-5200
- NetScreen-5400
- NetScreen-Remote