Hi,
I’m trying to establish a VPN between IOS9.2 and a Mikrotik. This used to work a couple of years ago but now I’m getting the following errors;
jan/19 11:56:48 ipsec,debug rejected authmethod: DB(prop#1:trns#2):Peer(prop#1:trns#3) = pre-shared key:GSS-API on Kerberos 5
jan/19 11:56:48 ipsec,debug rejected hashtype: DB(prop#1:trns#2):Peer(prop#1:trns#3) = SHA:MD5
jan/19 11:56:48 ipsec,debug rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#4) = pre-shared key:GSS-API on Kerberos 5
jan/19 11:56:48 ipsec,debug rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = SHA:MD5
jan/19 11:56:48 ipsec,debug rejected authmethod: DB(prop#1:trns#2):Peer(prop#1:trns#4) = pre-shared key:GSS-API on Kerberos 5
jan/19 11:56:48 ipsec,debug rejected hashtype: DB(prop#1:trns#2):Peer(prop#1:trns#4) = SHA:MD5
jan/19 11:56:48 ipsec,debug rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = AES-CBC:3DES-CBC
jan/19 11:56:48 ipsec,debug rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#5) = pre-shared key:GSS-API on Kerberos 5
jan/19 11:56:48 ipsec,debug rejected enctype: DB(prop#1:trns#2):Peer(prop#1:trns#5) = AES-CBC:3DES-CBC
jan/19 11:56:48 ipsec,debug rejected authmethod: DB(prop#1:trns#2):Peer(prop#1:trns#5) = pre-shared key:GSS-API on Kerberos 5
jan/19 11:56:48 ipsec,debug rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#6) = AES-CBC:3DES-CBC
jan/19 11:56:48 ipsec,debug rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#6) = pre-shared key:GSS-API on Kerberos 5
jan/19 11:56:48 ipsec,debug rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#6) = SHA:MD5
jan/19 11:56:48 ipsec,debug rejected enctype: DB(prop#1:trns#2):Peer(prop#1:trns#6) = AES-CBC:3DES-CBC
jan/19 11:56:48 ipsec,debug rejected authmethod: DB(prop#1:trns#2):Peer(prop#1:trns#6) = pre-shared key:GSS-API on Kerberos 5
jan/19 11:56:48 ipsec,debug rejected hashtype: DB(prop#1:trns#2):Peer(prop#1:trns#6) = SHA:MD5
jan/19 11:56:48 ipsec,debug rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#7) = AES-CBC:DES-CBC
jan/19 11:56:48 ipsec,debug rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#7) = pre-shared key:GSS-API on Kerberos 5
jan/19 11:56:48 ipsec,debug rejected enctype: DB(prop#1:trns#2):Peer(prop#1:trns#7) = AES-CBC:DES-CBC
jan/19 11:56:48 ipsec,debug rejected authmethod: DB(prop#1:trns#2):Peer(prop#1:trns#7) = pre-shared key:GSS-API on Kerberos 5
jan/19 11:56:48 ipsec,debug rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#8) = AES-CBC:DES-CBC
jan/19 11:56:48 ipsec,debug rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#8) = pre-shared key:GSS-API on Kerberos 5
jan/19 11:56:48 ipsec,debug rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#8) = SHA:MD5
jan/19 11:56:48 ipsec,debug rejected enctype: DB(prop#1:trns#2):Peer(prop#1:trns#8) = AES-CBC:DES-CBC
jan/19 11:56:48 ipsec,debug rejected authmethod: DB(prop#1:trns#2):Peer(prop#1:trns#8) = pre-shared key:GSS-API on Kerberos 5
jan/19 11:56:48 ipsec,debug rejected hashtype: DB(prop#1:trns#2):Peer(prop#1:trns#8) = SHA:MD5
jan/19 11:56:48 ipsec,debug no suitable proposal found.
jan/19 11:56:48 ipsec,error failed to get valid proposal.
jan/19 11:56:48 ipsec,error failed to pre-process ph1 packet (side: 1, status 1).
jan/19 11:56:48 ipsec,error phase1 negotiation failed.
My config is as follows:
/ip ipsec peer> pri
Flags: X - disabled, D - dynamic
0 ;;; Road warrior
address=0.0.0.0/0 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key secret="secret" generate-policy=port-override
policy-template-group=default exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=yes hash-algorithm=sha1 enc-algorithm=aes-192,aes-256 dh-group=modp1024 lifetime=1d
dpd-interval=2m dpd-maximum-failures=5
/ip ipsec proposal> pri
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=aes-192-cbc,aes-256-cbc lifetime=30m pfs-group=modp1024
Can anyone suggest why this might be coming up with the phase1 error?