IPsec SA negotiation failed because no matching IPsec transform sets were found

Symptom

  1. The display ike sa command shows that the IKE SA negotiation succeeded and the IKE SA is in RD state, but the display ipsec sa command shows that the expected IPsec SA has not been negotiated yet.

  2. The following IKE debugging message appeared:

    The attributes are unacceptable.
    

    Or:

    Construct notification packet: NO_PROPOSAL_CHOSEN.
    

Analysis

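Certain IPsec policy settings are incorrect: the two ends do not have matching IPsec transform sets, so the IPsec SA negotiation fails even though the IKE SA is established.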

Solution

  1. Examine the IPsec configuration to see whether the two ends have matching IPsec transform sets.

  2. Modify the IPsec configuration to make sure the two ends have matching IPsec transform sets.
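
One way to carry out the check in step 1 offline is shown here as an added example, not code from the original page or from the vendor: it parses the transform-set blocks from each end's saved configuration and reports the attributes on which they disagree. It assumes Comware-style `ipsec transform-set` configuration lines and assumed defaults (tunnel mode, ESP); the two configurations are constructed samples, and the function names are hypothetical.

```python
import re

# Attributes both ends must agree on. Defaults are an assumption (tunnel, ESP).
DEFAULTS = {"encapsulation-mode": "tunnel", "protocol": "esp"}
KEYS = ("protocol", "encapsulation-mode", "esp encryption-algorithm",
        "esp authentication-algorithm", "ah authentication-algorithm")

def parse_transform_sets(config):
    """Return {name: {attribute: value}} for each 'ipsec transform-set' block."""
    sets, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ipsec transform-set (\S+)$", line)
        if m:
            current = sets.setdefault(m.group(1), dict(DEFAULTS))
        elif raw[:1].isspace() and current is not None:
            for key in KEYS:
                if line.startswith(key + " "):
                    current[key] = line[len(key):].strip()
        elif line:
            current = None  # a non-indented line ends the block
    return sets

def compare_ends(local_cfg, peer_cfg):
    """Return (matches, mismatches) over every local/peer transform-set pair."""
    local, peer = parse_transform_sets(local_cfg), parse_transform_sets(peer_cfg)
    matches, mismatches = [], {}
    for ln, ls in local.items():
        for pn, ps in peer.items():
            # Attributes whose values differ between the two ends.
            d = {k: (ls.get(k), ps.get(k)) for k in KEYS if ls.get(k) != ps.get(k)}
            if d:
                mismatches[(ln, pn)] = d
            else:
                matches.append((ln, pn))
    return matches, mismatches

# Constructed sample configurations (not taken from the page).
LOCAL = """ipsec transform-set tran1
 encapsulation-mode tunnel
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm sha1
"""
PEER = """ipsec transform-set tran1
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm sha256
"""

print(compare_ends(LOCAL, PEER))
```

An empty list of matching pairs means no transform set on one end is acceptable to the other, which is the condition behind the NO_PROPOSAL_CHOSEN notification.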