I have a router (RB1100AHx4) that is configured with multiple IPSec tunnels. Each tunnel is having its own proposal like this:
/ip ipsec proposal
set [ find default=yes ] enc-algorithms="aes-256-cbc,aes-256-ctr,aes-256-gcm,a\
es-128-cbc,aes-128-ctr,aes-128-gcm,3des" lifetime=1h
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1h name=PEER1 \
pfs-group=modp2048
add enc-algorithms=aes-128-cbc lifetime=1h name=PEER2 pfs-group=modp2048
add enc-algorithms=3des lifetime=1h name=L2TP
08:55:15 ipsec,info respond new phase 1 (Identity Protection): peer.one.ip[500]<=>peer.two.ip[500]
08:55:15 ipsec received MS NT5 ISAKMPOAKLEY ID version: 9
08:55:15 ipsec received Vendor ID: RFC 3947
08:55:15 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n
08:55:15 ipsec received Vendor ID: FRAGMENTATION
08:55:15 ipsec Fragmentation enabled
08:55:15 ipsec peer.two.ip Selected NAT-T version: RFC 3947
08:55:15 ipsec rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 4:SHA
08:55:15 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 2048-bit MODP group:384-bit random ECP group
08:55:15 ipsec rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 4:SHA
08:55:15 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 2048-bit MODP group:256-bit random ECP group
08:55:15 ipsec rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 4:SHA
08:55:15 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = AES-CBC:3DES-CBC
08:55:15 ipsec rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 4:SHA
08:55:15 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = AES-CBC:3DES-CBC
08:55:15 ipsec rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = 4:SHA
08:55:15 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#5) = 2048-bit MODP group:1024-bit MODP group
08:55:15 ipsec,error no suitable proposal found.
08:55:15 ipsec,error peer.two.ip failed to get valid proposal.
08:55:15 ipsec,error peer.two.ip failed to pre-process ph1 packet (side: 1, status 1).
08:55:15 ipsec,error peer.two.ip phase1 negotiation failed.
I think I'm doing something wrong there, because on other installations it is working; this installation is varying in the count of tunnels and the type of the PEER1 tunnel. It is the only SHA256 tunnel I'm running.
Can you point me to where I should look to resolve it?
Best Regards,
Jan
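As an added example that is not part of the original post and not RouterOS code: a small Python script that parses the `rejected <attribute>: DB(...):Peer(...) = local:peer` lines from the phase-1 log above and groups them per peer transform, so it is visible at a glance which attribute is mismatched in every transform the peer offered. It assumes the `DB:Peer` ordering shown in the log (local value first, peer value second) and maps the numeric local hash id to its IANA IKEv1 hash-algorithm name; the sample log is the rejection block copied from the post.

```python
"""Summarise IKEv1 phase-1 'rejected ...' lines into per-transform mismatches."""
import re
from collections import defaultdict

# Constructed sample: the rejection lines from the post above, copied verbatim.
SAMPLE_LOG = """\
08:55:15 ipsec rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 4:SHA
08:55:15 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 2048-bit MODP group:384-bit random ECP group
08:55:15 ipsec rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 4:SHA
08:55:15 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 2048-bit MODP group:256-bit random ECP group
08:55:15 ipsec rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 4:SHA
08:55:15 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = AES-CBC:3DES-CBC
08:55:15 ipsec rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 4:SHA
08:55:15 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = AES-CBC:3DES-CBC
08:55:15 ipsec rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = 4:SHA
08:55:15 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#5) = 2048-bit MODP group:1024-bit MODP group
08:55:15 ipsec,error no suitable proposal found.
"""

# IANA IKEv1 "Hash Algorithm" attribute values. The responder logs its own
# configured hash as the bare number while the peer's value is printed by name.
HASH_IDS = {"1": "MD5", "2": "SHA", "3": "TIGER",
            "4": "SHA2-256", "5": "SHA2-384", "6": "SHA2-512"}

# Assumed line shape (taken from the log above): "... = <local>:<peer>".
REJECT_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) ipsec rejected (?P<attr>\w+): "
    r"DB\(prop#(?P<dbprop>\d+):trns#(?P<dbtrns>\d+)\):"
    r"Peer\(prop#(?P<pprop>\d+):trns#(?P<ptrns>\d+)\) = "
    r"(?P<local>[^:]+):(?P<peer>.+)$"
)


def parse_rejections(log_text):
    """Return one record per 'rejected' line; all other lines are ignored."""
    records = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line.strip())
        if not m:
            continue
        local, peer = m["local"].strip(), m["peer"].strip()
        if m["attr"] == "hashtype":
            # Translate the numeric local id so both sides read as names.
            local = HASH_IDS.get(local, local)
            peer = HASH_IDS.get(peer, peer)
        records.append({"attr": m["attr"], "peer_prop": int(m["pprop"]),
                        "peer_trns": int(m["ptrns"]), "local": local, "peer": peer})
    return records


def summarize(rejections):
    """Group by peer transform: {(prop, trns): {attr: (local, peer)}}."""
    summary = defaultdict(dict)
    for r in rejections:
        summary[(r["peer_prop"], r["peer_trns"])][r["attr"]] = (r["local"], r["peer"])
    return dict(summary)


def always_rejected(summary):
    """Attributes mismatched in every peer transform: the peer never offered a value we accept."""
    if not summary:
        return set()
    return set.intersection(*(set(attrs) for attrs in summary.values()))


def report(log_text):
    """Human-readable summary lines, one per peer transform plus a closing verdict."""
    summary = summarize(parse_rejections(log_text))
    lines = []
    for prop, trns in sorted(summary):
        parts = [f"{a}: local={l!r} peer={p!r}"
                 for a, (l, p) in sorted(summary[(prop, trns)].items())]
        lines.append(f"peer prop#{prop} trns#{trns} rejected on " + "; ".join(parts))
    blocking = always_rejected(summary)
    if blocking:
        lines.append("mismatched in every peer transform: " + ", ".join(sorted(blocking)))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against the sample, the report lists five peer transforms and ends with `mismatched in every peer transform: hashtype`, i.e. the one attribute no transform from the peer satisfies; the enctype and dh_group rejections only apply to some transforms, so they are not what blocks every candidate.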