VPN Warning IKE Responder: IPsec proposal does not match (Phase 2)
Sorry if this has been asked already; I didn't see it when I searched.
My logs are filling up with this message, but all settings between the sites are a perfect match. Is this normal behavior during renegotiation? Does this indicate an issue?
The article I found in the KB states: "IKE Responder: IPSec Proposal does not match (Phase 2)
The initiating SonicWall sent an IPSec proposal that does not match the responding SonicWall during Phase 2 negotiations. There should be an additional error message in the responder log specifying the proposal item that did not match."
However, as I stated earlier, all settings are the same on both sides. Is there a suite of proposals that are sent until a match is found, and is this logging all the failed matches?
The tunnel is UP and passing traffic, but the logs are full of these entries.
Answers
@Baudet I can't recall seeing this message without a reason. Did you look into the details of the log entry, which might give a hint? Is the local and remote network configuration correct on both sides? Is this a tunnel between two SonicWalls? What firmware are we talking about?
--Michael@BWC
These are two SonicWall units, TZ500 at remote site, and NSA3600 at HQ.
The firmware on the TZ is 6.5.4.9-93n, which was recently updated last week. The 3600 has 6.5.4.7-83. I can't say whether there were or were not any entries like this before the TZ update, as it was not really looked at until a different issue caused us to dig into it. Local and remote network groups correspond. There was a different log entry stating it could not find a policy for a network, but that was resolved. It was an 'extra' network in the local group of one that was not in the remote group of the other.
-Michael@BWC
I am also receiving a log entry on the same TZ for an S2S that connects it to our DR site: "Received notify: INVALID_ID_INFO". Again, like with the first, all VPN settings match.
I'm running a similar setup; at least the VPN messages are not firmware related in general. Did you check the Log Details of that log entry?
--Michael@BWC
I did, they are both basically empty. Just the General pane has any info. Truly nothing useful.
@Baudet the INVALID_ID_INFO happens on Phase 1 or 2?
You're running a Main Mode or IKEv2 tunnel? Local/remote networks could cause this as well if different on one side. Did you check the subnet masks as well, just in case?
I always prefer Tunnel Interfaces for SNWL-to-SNWL setups; it's easier to debug, because networks are plain route based.
--Michael@BWC
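One way to do the side-by-side check Michael is asking for (each Phase 2 proposal item, plus the local/remote network objects with their masks, which is where an 'extra' network or a wrong subnet mask shows up) is to write both peers' settings down and diff them offline. The script below is an added example, not code from the thread or from SonicWall; the peer names, proposal values and network objects are constructed to mirror the HQ/remote-site setup described above and are not anyone's real configuration.

```python
"""Offline comparison of two peers' Phase 2 (IPsec) settings.

Added example, not SonicWall code: the peer names, network objects and
proposal values below are constructed to mirror the thread (an HQ NSA and a
remote TZ) and are not taken from either unit's configuration.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Phase2Proposal:
    protocol: str             # e.g. "ESP"
    encryption: str           # e.g. "AES-256"
    authentication: str       # e.g. "SHA256"
    pfs_group: Optional[str]  # DH group when PFS is enabled, None otherwise
    lifetime_s: int           # SA lifetime in seconds


@dataclass(frozen=True)
class PeerConfig:
    name: str
    proposal: Phase2Proposal
    local_networks: FrozenSet[ipaddress.IPv4Network]
    remote_networks: FrozenSet[ipaddress.IPv4Network]


def nets(*cidrs: str) -> FrozenSet[ipaddress.IPv4Network]:
    """Parse CIDR strings; strict=True rejects host bits set in the prefix."""
    return frozenset(ipaddress.ip_network(c, strict=True) for c in cidrs)


def _selector_diff(name_a, nets_a, name_b, nets_b) -> List[str]:
    """Networks present on one side but absent on the other (mask included)."""
    out = []
    for n in sorted(nets_a - nets_b, key=str):
        out.append(f"selector: {n} is in {name_a} but not in {name_b}")
    for n in sorted(nets_b - nets_a, key=str):
        out.append(f"selector: {n} is in {name_b} but not in {name_a}")
    return out


def check_phase2(a: PeerConfig, b: PeerConfig) -> List[str]:
    """Return every Phase 2 item that differs between peer a and peer b.

    Proposal fields must be identical; traffic selectors must mirror each
    other: a's local networks are b's remote networks and vice versa.
    """
    problems: List[str] = []
    for fld in ("protocol", "encryption", "authentication", "pfs_group", "lifetime_s"):
        va, vb = getattr(a.proposal, fld), getattr(b.proposal, fld)
        if va != vb:
            problems.append(f"proposal {fld}: {a.name}={va} {b.name}={vb}")
    problems += _selector_diff(f"{a.name} local", a.local_networks,
                               f"{b.name} remote", b.remote_networks)
    problems += _selector_diff(f"{a.name} remote", a.remote_networks,
                               f"{b.name} local", b.local_networks)
    return problems


# Constructed proposal used by both sample pairs below.
PROPOSAL = Phase2Proposal("ESP", "AES-256", "SHA256", "Group 14", 28800)


def sample_mismatched():
    """Constructed pair: same proposal, but HQ's local group carries an
    extra network and the TZ's local object has a /25 mask where HQ
    expects /24."""
    hq = PeerConfig("HQ", PROPOSAL,
                    local_networks=nets("10.10.0.0/24", "10.10.1.0/24", "10.10.9.0/24"),
                    remote_networks=nets("192.168.50.0/24"))
    tz = PeerConfig("TZ", PROPOSAL,
                    local_networks=nets("192.168.50.0/25"),
                    remote_networks=nets("10.10.0.0/24", "10.10.1.0/24"))
    return hq, tz


def sample_matched():
    """Constructed pair whose selectors mirror each other exactly."""
    hq = PeerConfig("HQ", PROPOSAL,
                    local_networks=nets("10.10.0.0/24", "10.10.1.0/24"),
                    remote_networks=nets("192.168.50.0/24"))
    tz = PeerConfig("TZ", PROPOSAL,
                    local_networks=nets("192.168.50.0/24"),
                    remote_networks=nets("10.10.0.0/24", "10.10.1.0/24"))
    return hq, tz


if __name__ == "__main__":
    for line in check_phase2(*sample_mismatched()) or ["no Phase 2 differences"]:
        print(line)
```

The selector comparison is done on `ip_network` objects, so two address objects that share a network address but differ only in mask length (the /24 versus /25 case) are reported as a pair of one-sided entries rather than silently treated as equal; the proposal fields are compared one item at a time so the report names the item that differs, which is the detail the KB says should appear in the responder log.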
@Michael@BWC
Yes, main mode is configured on all of the tunnels. I will look into the link you sent and double check the objects again, but I am pretty sure they are all a match.