Appendix C System messages 175

2. Manually verify the tunnel-related certificate fingerprints. Perform this procedure any time you suspect tampering.

ISAKMP messages

ISAKMP [13] No proposal chosen in message from xxx (a.b.c.d)

In many cases, a Session:IPsec message precedes the ISAKMP message. If the Session:IPsec message indicates an error, then the Session message describes the cause and required action. If there is no Session:IPsec error message, see the following list of causes and solutions for explanations.

Description: The encryption types proposed by branch office xxx do not match the encryption types configured locally.

Action: Check the encryption types on both sides to make sure they match. If necessary, reconfigure the encryption on one system.

Description: The requested authentication method (for example, RSA* Digital Signature) is not enabled.

Action: Enable all required authentication types. Make sure the unneeded types are disabled.

Description: One side of the connection is configured to support dynamic routing while the other side is configured for static routing, where branch office is xxx.

Action: Configure both sides to use the same routing type.

Description: Both sides are configured to support static routing. However, the local and remote network definitions of the two sides do not match, where branch office is xxx.

Action: Configure both sides to have matching local and remote network definitions.

Description: The Perfect Forward Secrecy (PFS) settings of the two sides do not match. Branch office xxx does not have PFS enabled, while PFS is required by the local settings.
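
The causes listed above can be checked side by side before reconfiguring either system. The following is an added example, not part of the Nortel manual and not the router's configuration format: the dictionary layout, the labels and the sample values are hypothetical, and it assumes a proposal is acceptable when at least one encryption type and one authentication method are shared.

```python
from ipaddress import ip_network

def nets(values):
    """Normalize network strings so prefix and netmask notation compare equal."""
    return {ip_network(v) for v in values}

def no_proposal_causes(local, peer):
    """Return which causes of 'No proposal chosen' apply to two tunnel
    definitions. Both arguments use a hypothetical dict layout."""
    causes = []
    if not set(local["encryption"]) & set(peer["encryption"]):
        causes.append("encryption")
    if not set(local["auth"]) & set(peer["auth"]):
        causes.append("authentication")
    if local["routing"] != peer["routing"]:
        causes.append("routing-type")
    elif local["routing"] == "static":
        # Static routing: each side's local networks must be the
        # other side's remote networks, and vice versa.
        if (nets(local["local_nets"]) != nets(peer["remote_nets"])
                or nets(local["remote_nets"]) != nets(peer["local_nets"])):
            causes.append("network-definitions")
    if local["pfs"] != peer["pfs"]:
        causes.append("pfs")
    return causes

# Constructed sample: local system and branch office "xxx".
LOCAL = {
    "encryption": ["AES-128", "3DES"], "auth": ["rsa-signature"],
    "routing": "static", "pfs": True,
    "local_nets": ["10.1.0.0/16"], "remote_nets": ["10.2.0.0/16"],
}
BRANCH = {
    "encryption": ["DES-56"], "auth": ["pre-shared-key"],
    "routing": "static", "pfs": False,
    # /24 here does not mirror the /16 the local side expects.
    "local_nets": ["10.2.0.0/24"], "remote_nets": ["10.1.0.0/255.255.0.0"],
}

if __name__ == "__main__":
    for cause in no_proposal_causes(LOCAL, BRANCH):
        print("mismatch:", cause)
```
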

Nortel VPN Router Troubleshooting

Nortel Networks NN46110-602 manual: ISAKMP messages, ISAKMP [13] No proposal chosen in message from xxx (a.b.c.d)