The log shows "IPSec Proposal does not match (Phase 1 and Phase 2)"

Description

IKE Responder: IKE proposal does not match (Phase 1)

Check the SAs of both SonicWalls. This indicates a Phase 1 encryption/authentication mismatch.

 

IKE Responder: IPSec Proposal does not match (Phase 2)

The initiating SonicWall sent an IPSec proposal that does not match the responding SonicWall during Phase 2 negotiations. There should be an additional error message in the responder log specifying the proposal item that did not match.

Sometimes you will see this error when you have a site-to-site VPN in Aggressive mode. In this setup, it usually means the name of the VPN SA was not the same as the unique firewall identifier (UFI) of the device on the other side. Each side must be the same as the UFI of the device on the opposite end.

Related Articles

  • SonicOS 8.1.0 FAQ
    Read More
  • SonicWall GEN8 TZs and GEN8 NSas Settings Migration
    Read More
  • Getting started with SonicWall firewalls
    Read More

Categories

Firewalls
NSa Series
Logging/Alerts
Firewalls
NSv Series
Logging/Alerts
Firewalls
TZ Series
Logging/Alerts
not finding your answers?
Ask the Community