The log shows "IPSec Proposal does not match (Phase 1 and Phase 2)"

Description

IKE Responder: IKE proposal does not match (Phase 1)

Check the SAs of both SonicWalls. This indicates a Phase 1 encryption/authentication mismatch.

 

IKE Responder: IPSec Proposal does not match (Phase 2)

The initiating SonicWall sent an IPSec proposal that does not match the responding SonicWall during Phase 2 negotiations. There should be an additional error message in the responder log specifying the proposal item that did not match.

Sometimes you will see this error when you have a site-to-site VPN in Aggressive mode. In this setup, it usually means the name of the VPN SA was not the same as the unique firewall identifier (UFI) of the device on the other side. Each side must be the same as the UFI of the device on the opposite end.

Related Articles

  • What wireless cards and USB broadband modems are supported on firewalls and access points?
    Read More
  • How to export and import connection profiles in NetExtender
    Read More
  • Unable access High availability idle device using monitoring IP address
    Read More

Categories

Firewalls
NSa Series
Logging/Alerts
Firewalls
TZ Series
Logging/Alerts
Firewalls
NSv Series
Logging/Alerts
not finding your answers?
Ask the Community
was this article helpful?
YesNo