The error “no proposal chosen” indicates that the VPN gateway did not find a matching proposal for the IKE Phase 1 negotiation. This phase establishes a secure channel between the VPN peers, authenticated with a pre-shared secret or a certificate. The proposal consists of parameters such as the encryption algorithm, hash algorithm, Diffie-Hellman group, and lifetime. If the VPN gateway does not receive a proposal that matches its own configuration, it rejects the connection attempt and logs the error “no proposal chosen” [1].
To troubleshoot this issue, one should verify that the VPN peers have the same IKE Phase 1 settings, such as:
- The same pre-shared secret or certificate
- The same encryption algorithm (e.g., AES-256)
- The same hash algorithm (e.g., SHA-256)
- The same Diffie-Hellman group (e.g., Group 14)
- The same lifetime (e.g., 86400 seconds)
One can run the command vpn tu on the VPN gateway to view the current IKE Phase 1 settings and compare them with those of the other peer. Alternatively, one can use SmartConsole to check the VPN community properties and the gateway object properties for the IKE Phase 1 settings [2].
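As an added illustration (not code from the referenced Check Point material), the following Python models the responder-side matching that ends in “no proposal chosen” and adds a helper that names the fields differing in the closest pair, which is the comparison a troubleshooter does by hand. The Phase1Proposal class, its field names and the sample peer configurations are assumptions constructed for this example.

```python
from dataclasses import dataclass, asdict
from typing import List, Optional

# Hypothetical model of one IKE Phase 1 proposal (constructed for this example).
@dataclass(frozen=True)
class Phase1Proposal:
    auth: str        # "psk" or "cert"
    encryption: str  # e.g. "aes256"
    hash_alg: str    # e.g. "sha256"
    dh_group: int    # e.g. 14
    lifetime: int    # seconds, e.g. 86400

def select_proposal(initiator: List[Phase1Proposal],
                    responder: List[Phase1Proposal]) -> Optional[Phase1Proposal]:
    """Responder-side matching: the first initiator proposal the responder also accepts.
    Returning None corresponds to the gateway logging "no proposal chosen"."""
    accepted = set(responder)
    for proposal in initiator:
        if proposal in accepted:
            return proposal
    return None

def explain_mismatch(initiator: List[Phase1Proposal],
                     responder: List[Phase1Proposal]) -> List[str]:
    """Troubleshooting aid: field names that differ in the closest initiator/responder pair.
    An empty list means at least one pair matches exactly."""
    best: Optional[List[str]] = None
    for i in initiator:
        for r in responder:
            diffs = [f for f in asdict(i) if getattr(i, f) != getattr(r, f)]
            if best is None or len(diffs) < len(best):
                best = diffs
    return best or []

# Constructed sample: peer A offers two proposals; peer B accepts one configuration.
PEER_A = [Phase1Proposal("psk", "aes256", "sha256", 14, 86400),
          Phase1Proposal("psk", "aes128", "sha1", 2, 86400)]
PEER_B_OK = [Phase1Proposal("psk", "aes256", "sha256", 14, 86400)]
PEER_B_BAD = [Phase1Proposal("psk", "aes256", "sha256", 19, 86400)]  # DH group differs

if __name__ == "__main__":
    for label, peer_b in (("matching", PEER_B_OK), ("mismatched", PEER_B_BAD)):
        chosen = select_proposal(PEER_A, peer_b)
        if chosen:
            print(f"{label}: proposal chosen -> {chosen}")
        else:
            print(f"{label}: no proposal chosen; differing fields: {explain_mismatch(PEER_A, peer_b)}")
```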
References:
[1] Troubleshooting the “no proposal chosen” error - Check Point Software
[2] Support, Support Requests, Training … - Check Point Software