IPSec VPN Issues (after upgrade to 7.0.1-5018)
Teleporter
We have a TZ470 with two IPSec IKEv2 tunnels running to two different 3rd-party firewalls. We have had both tunnels running with the 7.0.1-R1456 firmware. After the upgrade to 7.0.1 both tunnels are not working anymore. We get the errors below. In the package monitor, I can also see the TZ respond with a message "no proposal chosen". All the things we see indicate a mismatch of phase 1 proposals, which makes no sense to us.
What we find strange is that we did not change anything in the config on either side of a tunnel. We also deleted the policies and re-created them.
Category: Entry Level Firewalls
Answers
@Teleporter
It is recommended to downgrade to the working firmware until you get the fix or patch from support.
Clearly the responder doesn't like your IKE ID... Try changing it to the documented settings (you have them documented, right?) or just your WAN IP address. Ask the third party to see what the firewall is sending as its IKE ID and what it's expecting.
Otherwise follow Ajishal's recommendation.
Thanks a lot @TKWITS
In fact, when I change the Peer ID of a working tunnel, I get pretty similar results. We will talk to the people managing the 3rd-party firewalls.
We have tried many, many, many things now. The only way that brought us one of the tunnels back to work was a downgrade to R1296, deleting a tunnel and creating it again. The other tunnel is still not working properly, for reasons we don't know...
@Teleporter
I hope the above solution will help you to resolve the VPN tunnel issue.
@Teleporter Have you updated to the latest 5030 firmware yet? Any VPN issues?