The log shows "IPSec Proposal does not match (Phase 1 and Phase 2)"

Description

IKE Responder: IKE proposal does not match (Phase 1)

Check the SAs of both SonicWalls. This indicates a Phase 1 encryption/authentication mismatch.

 

IKE Responder: IPSec Proposal does not match (Phase 2)

The initiating SonicWall sent an IPSec proposal that does not match the responding SonicWall during Phase 2 negotiations. There should be an additional error message in the responder log specifying the proposal item that did not match.

Sometimes you will see this error when you have a site-to-site VPN in Aggressive mode. In this setup, it usually means the name of the VPN SA was not the same as the unique firewall identifier (UFI) of the device on the other side. Each side must be the same as the UFI of the device on the opposite end.

Related Articles

  • How to use the NSM Firewall Migration App
    Read More
  • Gen 6 NSv to Gen 7 NSv Upgrades
    Read More
  • How to Collect Debug CSE Logs on a SonicWall Firewall.
    Read More

Categories

Firewalls
NSa Series
Logging/Alerts
Firewalls
NSv Series
Logging/Alerts
Firewalls
TZ Series
Logging/Alerts
not finding your answers?
Ask the Community
Chat