IPSec phase one IKE negotiation failed

2025-12-18 14:47:54 Published

Problem Description

On site, the headquarters device was configured with main mode IPsec toward the branch, but IKE phase 1 failed to establish after the configuration was completed. Checking the IKE SA status shows the flag Unknown.

dis ike sa

    Connection-ID  Local               Remote              Flag     DOI
    ------------------------------------------------------------------------------------
    4              10.xxx.xxx.2        10.xxx.xxx.254/500  Unknown  IPsec

Process Analysis

Collect debug output on both ends.

Headquarters:

*Jun  9 10:50:39:660 2025 IDC_5G_RT IKE/7/ERROR: vrf = 0, local = 10.xxx.xxx.254, remote = 10.xxx.xxx.2/500
No acceptable transform.

*Jun  9 10:50:39:660 2025 IDC_5G_RT IKE/7/ERROR: vrf = 0, local = 10.xxx.xxx.254, remote = 10.xxx.xxx.2/500
Failed to parse the IKE SA payload.

*Jun  9 10:50:39:660 2025 IDC_5G_RT IKE/7/ERROR: vrf = 0, local = 10.xxx.xxx.254, remote = 10.xxx.xxx.2/500
Failed to negotiate IKE SA.

IKE SA state changed from IKE_P1_STATE_INIT to IKE_P1_STATE_SEND1.

Branch:

*Jun 9 10:50:39:660 2025 IDC_5G_RT IKE/7/ERROR: vrf = 0, local = 10.xxx.xxx.254, remote = 10.xxx.xxx.2/500
No acceptable transform.

*Jun  9 10:50:39:660 2025 IDC_5G_RT IKE/7/ERROR: vrf = 0, local = 10.xxx.xxx.254, remote = 10.xxx.xxx.2/500
Failed to parse the IKE SA payload.

*Jun  9 10:50:39:660 2025 IDC_5G_RT IKE/7/PACKET: vrf = 0,local = 10.xxx.xxx.254, remote = 10.xxx.xxx.2/500
Construct notification packet: NO_PROPOSAL_CHOSEN.

Check the IKE proposal configurations on both ends:

Headquarters:

ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-algorithm md5

Branch:

ike proposal 100
 authentication-method rsa-signature
 encryption-algorithm 3des-cbc
 authentication-algorithm md5

Solution

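The branch proposal shown above specifies authentication-method rsa-signature, while the headquarters proposal shown does not, which is consistent with the "No acceptable transform" and NO_PROPOSAL_CHOSEN messages in the debug output. The issue was resolved after deleting “authentication-method rsa-signature” on both sides and restoring the default configuration.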
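
The comparison between the two proposals above can be done mechanically before a change window. The following Python script is an added example, not part of the original case or of any vendor tooling; it assumes that an unset authentication-method falls back to pre-share, and it compares only the three attributes that appear in the configurations on this page.

```python
# Added example: compare IKE phase 1 proposals taken from two peers' configs.
# Assumption: an unset authentication-method falls back to pre-share; any other
# unset attribute is reported as "(device default)" rather than guessed.
ASSUMED_DEFAULTS = {"authentication-method": "pre-share"}
COMPARED = ("authentication-method", "encryption-algorithm", "authentication-algorithm")

# Proposal text as shown in the case above.
HQ_CFG = """ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-algorithm md5
"""
BRANCH_CFG = """ike proposal 100
 authentication-method rsa-signature
 encryption-algorithm 3des-cbc
 authentication-algorithm md5
"""

def parse_proposals(config):
    """Return {proposal_number: {attribute: value}} for each 'ike proposal' block."""
    proposals, current = {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue  # blank lines do not end a block
        if words[:2] == ["ike", "proposal"] and len(words) == 3:
            current = proposals.setdefault(words[2], {})
        elif current is not None and words[0] in COMPARED and len(words) >= 2:
            current[words[0]] = " ".join(words[1:])
        else:
            current = None  # any other command means we left the proposal block
    return proposals

def effective(attrs):
    """Fill unset attributes so that implicit and explicit values compare equal."""
    return {k: attrs.get(k, ASSUMED_DEFAULTS.get(k, "(device default)")) for k in COMPARED}

def mismatches(local_cfg, remote_cfg):
    """Map (local_no, remote_no) -> [(attribute, local_value, remote_value)].
    Proposal numbers are only labels; they are not part of the comparison."""
    out = {}
    for ln, la in parse_proposals(local_cfg).items():
        for rn, ra in parse_proposals(remote_cfg).items():
            le, re_ = effective(la), effective(ra)
            out[(ln, rn)] = [(k, le[k], re_[k]) for k in COMPARED if le[k] != re_[k]]
    return out

def negotiable(local_cfg, remote_cfg):
    """True if at least one proposal pair agrees on every compared attribute."""
    return any(not diff for diff in mismatches(local_cfg, remote_cfg).values())

if __name__ == "__main__":
    print(mismatches(HQ_CFG, BRANCH_CFG), negotiable(HQ_CFG, BRANCH_CFG))
```

Run against the two configurations from this case, the only reported difference is the authentication method, even though the proposal numbers (1 and 100) differ.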

