help with DH group number mismatch: 21 != 14

Good day.

I have been trying to set up an IKEv2 connection for the past few weeks and was able to get this far.

Now I'm at the point where the log shows the error “DH group number mismatch: 21 != 14”.

The IT of the company I need to connect to says I must use DH group 21.

DH group 21 means ecp521?

So why is it not working?

My config looks like this.

/ip ipsec profile
add dh-group=ecp521 enc-algorithm=aes-256 hash-algorithm=sha512 lifetime=8h name="IKE2 VPN" nat-traversal=yes prf-algorithm=sha512
/ip ipsec peer
add address=(some ip) exchange-mode=ike2 name="IKE2 VPN" profile="IKE2 VPN"
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add disabled=yes enc-algorithms=aes-256-cbc name="IKE2 VPN" pfs-group=none
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc lifetime=8h name="IKE2 VPN" pfs-group=ecp521
/ip ipsec identity
add generate-policy=port-strict mode-config="IKE2 VPN" peer="IKE2 VPN" policy-template-group="IKE2 VPN" secret=password
/ip ipsec policy
add comment=temp dst-address=192.168.0.0/24 peer="IKE2 VPN" proposal="IKE2 VPN" src-address=10.55.1.116/29 tunnel=yes
add dst-address=10.10.10.0/24 peer="IKE2 VPN" proposal="IKE2 VPN" src-address=10.55.1.116/29 tunnel=yes
add disabled=yes dst-address=10.11.0.0/16 peer="IKE2 VPN" proposal="IKE2 VPN" src-address=10.55.1.116/29 tunnel=yes

So I created a pcap file and imported it into Wireshark.

Under Payload: Key Exchange it shows DH Group #: 2048 bit MODP group (14)

Does this mean the remote site is using DH group 14 and my site is using DH group 21?
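What Wireshark is reading there, as an added example that is not code from this thread: the Key Exchange payload of an IKEv2 IKE_SA_INIT carries a two-octet DH Group Num field, followed by the public value whose size is fixed by the group. The parser below walks the payload chain of a message constructed in the same block (no real capture is used), returns the KE group, and checks that the key data length is consistent with the group claimed. All names are hypothetical; the structure follows RFC 7296 sections 3.1, 3.2 and 3.4.

```python
"""Pull the DH group out of the KE payload of an IKEv2 IKE_SA_INIT message.

Added example, not code from the thread.  It reimplements the field Wireshark
labels "Payload: Key Exchange / DH Group #" on a packet constructed here;
no real capture is used and all names are hypothetical.
"""
import struct

IKE_SA_INIT = 34                       # Exchange Type (RFC 7296 s3.1)
PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_NONCE = 33, 34, 40
NO_NEXT_PAYLOAD = 0
HEADER_LEN, PAYLOAD_HDR_LEN = 28, 4

# Expected length of the Key Exchange Data field per group (RFC 7296 s3.4,
# RFC 5903 for the ECP groups): the public value has the group's byte size.
KE_DATA_LEN = {14: 256, 15: 384, 16: 512, 19: 64, 20: 96, 21: 132, 31: 32}


def _payload(next_payload, body):
    """Generic payload header: Next Payload, C+RESERVED, Payload Length (s3.2)."""
    return struct.pack("!BBH", next_payload, 0, PAYLOAD_HDR_LEN + len(body)) + body


def build_ike_sa_init(dh_group, ke_data, sa_body=b"\x00" * 8, nonce=b"\x5a" * 32):
    """Constructed initiator IKE_SA_INIT: header, SA, KE, Ni.  The SA body is a
    placeholder; only the chain of payload headers and the KE body matter here."""
    ke_body = struct.pack("!HH", dh_group, 0) + ke_data
    payloads = (_payload(PAYLOAD_KE, sa_body)          # SA  -> next is KE
                + _payload(PAYLOAD_NONCE, ke_body)     # KE  -> next is Ni
                + _payload(NO_NEXT_PAYLOAD, nonce))    # Ni  -> last payload
    header = struct.pack("!8s8sBBBBII", b"\x01" * 8, b"\x00" * 8,
                         PAYLOAD_SA, 0x20, IKE_SA_INIT, 0x08, 0,
                         HEADER_LEN + len(payloads))
    return header + payloads


def ke_group_from_ike_sa_init(packet):
    """Walk the payload chain and return (dh_group, key_data_length) from the
    KE payload, or None if the message has no KE payload.  Raises ValueError
    on malformed input rather than trusting the peer's length fields."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short IKE header")
    (_spi_i, _spi_r, next_payload, version, exch, _flags,
     _msg_id, length) = struct.unpack("!8s8sBBBBII", packet[:HEADER_LEN])
    if version >> 4 != 2 or exch != IKE_SA_INIT:
        raise ValueError("not an IKEv2 IKE_SA_INIT message")
    if length != len(packet):
        raise ValueError("header length %d != %d bytes on the wire" % (length, len(packet)))
    off = HEADER_LEN
    while next_payload != NO_NEXT_PAYLOAD:
        if off + PAYLOAD_HDR_LEN > len(packet):
            raise ValueError("payload header runs past end of message")
        ptype = next_payload
        next_payload, _crit, plen = struct.unpack("!BBH", packet[off:off + PAYLOAD_HDR_LEN])
        if plen < PAYLOAD_HDR_LEN or off + plen > len(packet):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        body = packet[off + PAYLOAD_HDR_LEN:off + plen]
        if ptype == PAYLOAD_KE:
            if len(body) < 4:
                raise ValueError("KE payload too short")
            group, _reserved = struct.unpack("!HH", body[:4])
            return group, len(body) - 4
        off += plen
    return None


def ke_consistent(packet):
    """True when the KE data length matches the group the KE payload claims."""
    found = ke_group_from_ike_sa_init(packet)
    return found is not None and KE_DATA_LEN.get(found[0]) == found[1]


if __name__ == "__main__":
    pkt = build_ike_sa_init(14, bytes(256))   # group 14 with a 256-byte public value
    print(ke_group_from_ike_sa_init(pkt), ke_consistent(pkt))
```

The group number in the KE payload is what the peer actually keyed its IKE_SA_INIT with; the SA payload in the same message can still offer other groups, so the two should be read together when a capture is checked against a claimed group.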

Try to check both DH groups and you will know

OK, I will ask them to check.

If I change the DH group to ecp384 on my side then the error changes to “DH group number mismatch: 20 != 14”.

If I choose any other DH group except ecp521 or ecp384, I get the error “can’t agree on IKE proposal, my config:”.

The remote site is using Cisco.

What I meant was to check several DH groups. The counterpart wants some DH group, and you can check several of them. They will agree on one DH group they have in common.
So, if you check ALL DH groups, the peers should agree and you will see which DH group is the one the counterpart wants.

/ip ipsec profile
add dh-group=x25519,ecp256,ecp384,ecp521,modp8192,modp6144,modp4096,modp3072,modp2048,modp1536,modp1024,modp768 enc-algorithm=aes-256 hash-algorithm=sha512 lifetime=8h name="IKE2 VPN" nat-traversal=yes prf-algorithm=sha512

If I select all DH groups then the MikroTik log shows “DH group number mismatch: 20 != 14”.

/ip ipsec profile
add dh-group=ecp256,ecp384,ecp521,ec2n185,ec2n155,modp8192,modp6144,modp4096,modp3072,modp2048,modp1536,modp1024,modp768 enc-algorithm=aes-256 hash-algorithm=sha512 lifetime=8h name="IKE2 VPN" prf-algorithm=sha512

12:15:46 ipsec processing payload: NONCE 
12:15:46 ipsec processing payload: SA 
12:15:46 ipsec IKE Protocol: IKE 
12:15:46 ipsec  proposal #1 
12:15:46 ipsec   enc: aes256-cbc 
12:15:46 ipsec   prf: hmac-sha256 
12:15:46 ipsec   auth: sha256 
12:15:46 ipsec   dh: modp2048 
12:15:46 ipsec  proposal #2 
12:15:46 ipsec   enc: aes256-cbc 
12:15:46 ipsec   prf: hmac-sha256 
12:15:46 ipsec   auth: sha256 
12:15:46 ipsec   dh: modp1536 
12:15:46 ipsec  proposal #3 
12:15:46 ipsec   enc: aes256-cbc 
12:15:46 ipsec   prf: hmac-sha256 
12:15:46 ipsec   auth: sha256 
12:15:46 ipsec   dh: modp2048 
12:15:46 ipsec  proposal #4 
12:15:46 ipsec   enc: aes256-cbc 
12:15:46 ipsec   prf: hmac-sha256 
12:15:46 ipsec   auth: sha256 
12:15:46 ipsec   dh: modp1536 
12:15:46 ipsec  proposal #5 
12:15:46 ipsec   enc: aes256-cbc 
12:15:46 ipsec   prf: hmac-sha256 
12:15:46 ipsec   auth: sha256 
12:15:46 ipsec   dh: modp2048 
12:15:46 ipsec  proposal #6 
12:15:46 ipsec   enc: aes256-cbc 
12:15:46 ipsec   prf: hmac-sha256 
12:15:46 ipsec   auth: sha256 
12:15:46 ipsec   dh: modp1536 
12:15:46 ipsec  proposal #7 
12:15:46 ipsec   enc: aes256-cbc 
12:15:46 ipsec   prf: hmac-sha512 
12:15:46 ipsec   auth: sha512 
12:15:46 ipsec   dh: ecp384 
12:15:46 ipsec  proposal #8 
12:15:46 ipsec   enc: aes256-cbc 
12:15:46 ipsec   prf: hmac-sha512 
12:15:46 ipsec   auth: sha512 
12:15:46 ipsec   dh: ecp521 
12:15:46 ipsec  proposal #9 
12:15:46 ipsec   enc: aes256-cbc 
12:15:46 ipsec   prf: hmac-sha1 
12:15:46 ipsec   auth: sha1 
12:15:46 ipsec   dh: modp2048 
12:15:46 ipsec  proposal #10 
12:15:46 ipsec   enc: aes256-gcm 
12:15:46 ipsec   enc: aes192-gcm 
12:15:46 ipsec   enc: aes128-gcm 
12:15:46 ipsec   prf: hmac-sha512 
12:15:46 ipsec   prf: hmac-sha384 
12:15:46 ipsec   prf: hmac-sha256 
12:15:46 ipsec   prf: hmac-sha1 
12:15:46 ipsec   dh: ecp521 
12:15:46 ipsec   dh: ecp384 
12:15:46 ipsec   dh: ecp256 
12:15:46 ipsec   dh: modp4096 
12:15:46 ipsec   dh: modp3072 
12:15:46 ipsec   dh: modp2048 
12:15:46 ipsec matched proposal: 
12:15:46 ipsec  proposal #7 
12:15:46 ipsec   enc: aes256-cbc 
12:15:46 ipsec   prf: hmac-sha512 
12:15:46 ipsec   auth: sha512 
12:15:46 ipsec   dh: ecp384 
12:15:46 ipsec processing payload: KE 
12:15:46 ipsec DH group number mismatch: 20 != 14 
12:15:46 ipsec adding notify: INVALID_KE_PAYLOAD 
12:15:46 ipsec,debug => (size 0xa)

I wonder if I should try to update the ROS version to the latest?
Running 6.49.13 long-term at the moment.

Or if the remote router has wrong settings.

They claim it is group 21, but why am I getting group 14?
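The negotiation that log records, modelled in Python as an added example (not code from this thread, from RouterOS or from Cisco): the responder picks the first proposal in the initiator's SA payload for which it supports one transform of each type, and the KE payload's group must then equal that proposal's group; if it does not, the responder answers INVALID_KE_PAYLOAD carrying the group it wants, and a conforming initiator re-sends IKE_SA_INIT with that group (RFC 7296 sections 1.2, 2.7 and 3.3). The ten proposals are transcribed from the log above; the responder "profiles" are my reading of the posted /ip ipsec profile lines (RouterOS's real matching logic is not reproduced), and the sha256 variant is an assumed comparison case. Function and variable names are hypothetical.

```python
"""IKEv2 IKE_SA_INIT negotiation model (RFC 7296, sections 1.2, 2.7 and 3.3).

Added example, not code from the thread or from RouterOS.  The initiator's ten
proposals are transcribed from the log posted above; the responder "profiles"
are assumed from the posted /ip ipsec profile lines; all names are hypothetical.
"""
from dataclasses import dataclass

# IANA IKEv2 Transform Type 4 (Diffie-Hellman group) identifiers.
DH_GROUP_ID = {
    "modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14, "modp3072": 15,
    "modp4096": 16, "modp6144": 17, "modp8192": 18,
    "ecp256": 19, "ecp384": 20, "ecp521": 21, "x25519": 31,
}


@dataclass
class Proposal:
    num: int
    enc: list
    prf: list
    integ: list   # empty for AEAD (GCM) proposals, which carry no INTEG transform
    dh: list


def _p(num, dh, prf="hmac-sha256", integ="sha256"):
    return Proposal(num, ["aes256-cbc"], [prf], [integ], dh)


# Initiator SA payload as printed in the posted log (constructed transcription).
INITIATOR_PROPOSALS = [
    _p(1, ["modp2048"]), _p(2, ["modp1536"]), _p(3, ["modp2048"]),
    _p(4, ["modp1536"]), _p(5, ["modp2048"]), _p(6, ["modp1536"]),
    _p(7, ["ecp384"], "hmac-sha512", "sha512"),
    _p(8, ["ecp521"], "hmac-sha512", "sha512"),
    _p(9, ["modp2048"], "hmac-sha1", "sha1"),
    Proposal(10, ["aes256-gcm", "aes192-gcm", "aes128-gcm"],
             ["hmac-sha512", "hmac-sha384", "hmac-sha256", "hmac-sha1"], [],
             ["ecp521", "ecp384", "ecp256", "modp4096", "modp3072", "modp2048"]),
]
INITIATOR_KE_GROUP = 14   # the KE payload Wireshark showed: 2048-bit MODP (14)

# Responder (MikroTik) profiles.  POSTED mirrors the "all DH groups" profile from
# the thread; the other two are assumed variants used for comparison.
ALL_GROUPS = set(DH_GROUP_ID)
PROFILE_POSTED = {"enc": {"aes256-cbc"}, "prf": {"hmac-sha512"},
                  "integ": {"sha512"}, "dh": ALL_GROUPS}
PROFILE_ECP521_ONLY = {**PROFILE_POSTED, "dh": {"ecp521"}}
PROFILE_SHA256_MODP2048 = {"enc": {"aes256-cbc"}, "prf": {"hmac-sha256"},
                           "integ": {"sha256"}, "dh": {"modp2048"}}


def _pick(offered, supported):
    """First transform in the initiator's list that the responder supports."""
    return next((t for t in offered if t in supported), None)


def select_proposal(profile, proposals):
    """Responder picks the first proposal with one acceptable transform of each
    type (RFC 7296 s3.3).  Returns the chosen transforms or None."""
    for p in proposals:
        enc, prf, dh = _pick(p.enc, profile["enc"]), _pick(p.prf, profile["prf"]), _pick(p.dh, profile["dh"])
        integ = _pick(p.integ, profile["integ"]) if p.integ else "none"
        if enc and prf and dh and integ:
            return {"num": p.num, "enc": enc, "prf": prf, "integ": integ, "dh": dh}
    return None


def respond_ike_sa_init(profile, proposals, ke_group):
    """Responder side.  The KE payload's group must equal the group of the
    proposal the responder selected; otherwise it answers INVALID_KE_PAYLOAD
    carrying the group it wants (RFC 7296 s2.7)."""
    chosen = select_proposal(profile, proposals)
    if chosen is None:
        return "NO_PROPOSAL_CHOSEN", None          # "can't agree on IKE proposal"
    wanted = DH_GROUP_ID[chosen["dh"]]
    if wanted != ke_group:
        return "INVALID_KE_PAYLOAD", wanted        # "DH group number mismatch: 20 != 14"
    return "IKE_SA_INIT_RESPONSE", wanted


def negotiate(profile, proposals, ke_group, max_retries=1):
    """Initiator side.  On INVALID_KE_PAYLOAD a conforming initiator re-sends
    IKE_SA_INIT with the suggested group (RFC 7296 s1.2), if it offered it."""
    offered = {DH_GROUP_ID[d] for p in proposals for d in p.dh}
    transcript = []
    for _ in range(max_retries + 1):
        status, group = respond_ike_sa_init(profile, proposals, ke_group)
        transcript.append((ke_group, status, group))
        if status != "INVALID_KE_PAYLOAD":
            return status, transcript
        if group not in offered:
            return "INITIATOR_CANNOT_RETRY", transcript
        ke_group = group
    return status, transcript


if __name__ == "__main__":
    for name, prof in [("posted", PROFILE_POSTED), ("ecp521 only", PROFILE_ECP521_ONLY),
                       ("sha256+modp2048", PROFILE_SHA256_MODP2048)]:
        print(name, negotiate(prof, INITIATOR_PROPOSALS, INITIATOR_KE_GROUP))
```

Two things the model makes visible. With prf and integrity fixed to sha512, the only aes256-cbc proposals in that SA payload the responder can accept are #7 (ecp384) and #8 (ecp521), so adding every DH group to the profile cannot make group 14 win; the match falls on #7 and the KE group 14 is rejected with "20", exactly as the log shows. And a conforming initiator answers INVALID_KE_PAYLOAD by re-sending with group 20, after which the same profile completes; a log that keeps repeating the identical mismatch means the peer is not acting on that notify, which is a question for the other side rather than for the profile.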

OK, I think the problem is in the PROPOSAL and not in the profile.

You have:

/ip ipsec proposal
set [ find default=yes ] disabled=yes
add disabled=yes enc-algorithms=aes-256-cbc name="IKE2 VPN" pfs-group=none
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc lifetime=8h name="IKE2 VPN" ***pfs-group=ecp521***

This means PFS Group 21, but maybe they want this to be PFS Group 14:

/ip ipsec proposal
set [ find default=yes ] disabled=yes
add disabled=yes enc-algorithms=aes-256-cbc name="IKE2 VPN" pfs-group=none
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc lifetime=8h name="IKE2 VPN" ***pfs-group=modp2048***

Hello JPrietove.

Unfortunately that did not solve the issue.

add auth-algorithms=sha512 enc-algorithms=aes-256-cbc lifetime=8h name="IKE2 VPN" pfs-group=modp2048

Might this be the reason why it is not working…

Ether1 is connected to the fiber router (ether1 172.25.170.1) and the gateway of the fiber router is 172.25.170.2.
In the MikroTik log it shows packets being sent from 172.25.170.1 to (some IP of the remote IKEv2 router).

I have tested the current settings between two MikroTiks and it does work.
The other MikroTik shows the connection comes from the public IP assigned to the 172.25.170.1 MikroTik, which is 41.65.X.X.

The IT people at the Cisco router side suggested that I remove the fiber router and create a PPPoE-out interface on the router.
Then the packets will show as coming from the public IP instead of the WAN port IP address.

Could you please post a network diagram, with IP addresses? Is your MikroTik behind NAT?

Network diagram

Mikrotik1 (ether10 = 172.25.170.1) -----> Fiber router (172.25.170.2)

/ip route
add comment="default route" distance=1 gateway=172.25.170.2

and

/ip address
add address=192.168.0.1/24 interface=ether1 network=192.168.0.0
add address=172.25.170.1/24 interface=ether10 network=172.25.170.0

Yes, the router is currently behind NAT.

===== sending 38 bytes from 172.25.170.1[500] to some_ip 500]

Hello jprietove

I'm glad to report that the tunnel is finally up and running.

Looks like it was a setting on their side.

Thank you so much for trying to help me.