The log shows "IPSec Proposal does not match (Phase 1 and Phase 2)"

Description

IKE Responder: IKE proposal does not match (Phase 1)

Check the SAs of both SonicWalls. This indicates a Phase 1 encryption/authentication mismatch.

 

IKE Responder: IPSec Proposal does not match (Phase 2)

The initiating SonicWall sent an IPSec proposal that does not match the responding SonicWall during Phase 2 negotiations. There should be an additional error message in the responder log specifying the proposal item that did not match.

You may also see this error on a site-to-site VPN in Aggressive mode. In that setup, it usually means the name of the VPN SA was not the same as the unique firewall identifier (UFI) of the device on the other side. On each side, the VPN SA name must be the same as the UFI of the device on the opposite end.
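The checks described above can be run offline against the settings noted down from both firewalls. The following is an added example, not SonicWall code: the field names, the chosen proposal items and every sample value are constructed for illustration. It reports Phase 1 and Phase 2 items that differ and, for Aggressive mode, any SA name that does not equal the peer's UFI.

```python
# Added example. Field names and all values are constructed for illustration;
# they are not exported from a SonicWall.
PHASE1_ITEMS = ("encryption", "authentication", "dh_group")
PHASE2_ITEMS = ("protocol", "encryption", "authentication", "pfs_group")

SITE_A = {
    "ufi": "UFI-SITE-A", "sa_name": "UFI-SITE-B", "exchange": "aggressive",
    "phase1": {"encryption": "AES-256", "authentication": "SHA256", "dh_group": 14},
    "phase2": {"protocol": "ESP", "encryption": "AES-256",
               "authentication": "SHA256", "pfs_group": 14},
}
SITE_B = {
    "ufi": "UFI-SITE-B", "sa_name": "HeadOffice", "exchange": "aggressive",
    "phase1": {"encryption": "AES-256", "authentication": "SHA256", "dh_group": 14},
    "phase2": {"protocol": "ESP", "encryption": "AES-256",
               "authentication": "SHA1", "pfs_group": 14},
}

def diff_items(local, remote, items):
    """Return (item, local_value, remote_value) for each item that differs."""
    return [(k, local.get(k), remote.get(k))
            for k in items if local.get(k) != remote.get(k)]

def check_tunnel(a, b):
    """Compare both ends of one tunnel; return (area, item, value, other_value) tuples."""
    findings = [("phase1", *d) for d in diff_items(a["phase1"], b["phase1"], PHASE1_ITEMS)]
    findings += [("phase2", *d) for d in diff_items(a["phase2"], b["phase2"], PHASE2_ITEMS)]
    if "aggressive" in (a["exchange"], b["exchange"]):
        # Aggressive mode: each side's SA name must equal the peer's UFI.
        # The tuple carries the configured SA name, then the UFI it should match.
        for side, peer in ((a, b), (b, a)):
            if side["sa_name"] != peer["ufi"]:
                findings.append(("aggressive", "sa_name", side["sa_name"], peer["ufi"]))
    return findings

if __name__ == "__main__":
    for area, item, mine, theirs in check_tunnel(SITE_A, SITE_B):
        print(f"{area}: {item} mismatch ({mine!r} vs {theirs!r})")
```
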
