
VPN Warning IKE Responder: IPsec proposal does not match (Phase 2)

Sorry if this has been asked already; I didn't see it when I searched.

My logs are filling up with this message, but all settings between the sites are a perfect match. Is this normal behavior during renegotiation? Does this indicate an issue?

The Article I found in the KB states "IKE Responder: IPSec Proposal does not match (Phase 2)

The initiating SonicWall sent an IPSec proposal that does not match the responding SonicWall during Phase 2 negotiations. There should be an additional error message in the responder log specifying the proposal item that did not match."

However, as I stated earlier, all settings are the same on both sides. Is there a suite of proposals that are sent until a match is found, and is this logging all the failed matches?

The tunnel is UP and passing traffic, but the logs are full of these entries.

Category: Entry Level Firewalls

Answers

  • BWC Cybersecurity Overlord ✭✭✭

    @Baudet I can't recall seeing this message without a reason. Did you look into the details of the log entry, which might give a hint? Is the local and remote network configuration correct on both sides? Is this a tunnel between two SonicWalls? What firmware are we talking about?

    --Michael@BWC

  • Baudet Newbie ✭

    These are two SonicWall units, a TZ500 at the remote site and an NSA3600 at HQ.

    The firmware on the TZ is 6.5.4.9-93n; it was updated last week. The 3600 has 6.5.4.7-83. I can't say whether there were any entries like this before the TZ update, as it was not really looked at until a different issue caused us to dig into it. Local and remote network groups correspond. There was a different log entry stating it could not find a policy for a network, but that was resolved. It was an 'extra' network in the local group of one that was not in the remote group of the other.

  • Baudet Newbie ✭

    @Michael@BWC

    I am also receiving a log entry on the same TZ for an S2S that connects it to our DR site: "Received notify: INVALID_ID_INFO". Again, as with the first, all VPN settings match.

  • BWC Cybersecurity Overlord ✭✭✭

    I'm running a similar setup; at least the VPN messages are not firmware related in general. Did you check the Log Details of that log entry?

    --Michael@BWC

  • Baudet Newbie ✭

    I did; they are both basically empty. Just the General pane has any info. Truly nothing useful.

  • BWC Cybersecurity Overlord ✭✭✭

    @Baudet does the INVALID_ID_INFO happen in Phase 1 or Phase 2?

    Are you running a Main Mode or IKEv2 tunnel? Local/remote networks could cause this as well if they differ on one side. Did you check the subnet masks as well, just in case?

    I always prefer Tunnel Interfaces for SNWL-to-SNWL setups; it's easier to debug, because networks are plain route based.

    --Michael@BWC
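    The check suggested above (do the two ends' local/remote network groups and Phase 2 proposal actually mirror each other, subnet masks included?) is easy to get wrong by eye once the groups hold several objects. The script below is an added example, not code from the thread or from SonicWall; it takes the two sides' settings as plain dictionaries that you transcribe from each firewall's VPN policy, and all networks and proposal values in it are constructed samples, not the poster's configuration.

```python
"""Cross-check the two ends of a site-to-site IKEv1 VPN policy for the
settings that have to mirror each other: the Phase 2 (IPsec) proposal
fields and the local/remote network groups (traffic selectors), including
subnet masks. All values below are constructed for illustration and are
not taken from any real device."""
import ipaddress

# Phase 2 fields that must be identical on both peers. These labels are
# our own, not SonicWall's exact UI strings.
PHASE2_FIELDS = ("protocol", "encryption", "authentication", "pfs_group", "lifetime")


def normalize_networks(nets):
    """Parse each entry into a network object so that equivalent notations
    (CIDR vs. dotted mask) compare equal, and a wrong mask (e.g. /23 typed
    instead of /24) shows up as a different network rather than a string
    that merely looks similar."""
    return {ipaddress.ip_network(n, strict=False) for n in nets}


def compare_vpn_policies(site_a, site_b):
    """Return a dict of findings. An empty dict means the two policies
    mirror each other: A.local == B.remote, A.remote == B.local, and the
    Phase 2 proposal is identical."""
    findings = {}

    # Phase 2 proposal: every field must match (compared case-insensitively).
    p2_diff = {
        f: (site_a["phase2"].get(f), site_b["phase2"].get(f))
        for f in PHASE2_FIELDS
        if str(site_a["phase2"].get(f)).lower() != str(site_b["phase2"].get(f)).lower()
    }
    if p2_diff:
        findings["phase2"] = p2_diff

    # Traffic selectors: what A calls local, B must call remote, and vice versa.
    pairs = {
        "a_local_vs_b_remote": (site_a["local"], site_b["remote"]),
        "a_remote_vs_b_local": (site_a["remote"], site_b["local"]),
    }
    for label, (a_nets, b_nets) in pairs.items():
        a_set, b_set = normalize_networks(a_nets), normalize_networks(b_nets)
        only_a = sorted(str(n) for n in a_set - b_set)
        only_b = sorted(str(n) for n in b_set - a_set)
        if only_a or only_b:
            findings[label] = {"only_on_a": only_a, "only_on_b": only_b}
    return findings


# Constructed sample: HQ lists an extra network in its local group that the
# branch does not list as remote, and the two sides disagree on the PFS group.
HQ = {
    "local": ["10.0.0.0/24", "10.0.1.0/24", "192.168.50.0/24"],
    "remote": ["10.20.0.0/24"],
    "phase2": {"protocol": "ESP", "encryption": "AES-256", "authentication": "SHA256",
               "pfs_group": "Group 14", "lifetime": 28800},
}
BRANCH = {
    "local": ["10.20.0.0/255.255.255.0"],   # dotted mask, same network as HQ's remote
    "remote": ["10.0.0.0/24", "10.0.1.0/24"],
    "phase2": {"protocol": "ESP", "encryption": "AES-256", "authentication": "SHA256",
               "pfs_group": "Group 5", "lifetime": 28800},
}

if __name__ == "__main__":
    for key, detail in compare_vpn_policies(HQ, BRANCH).items():
        print(f"{key}: {detail}")
```

    Run it once per tunnel with the responder's settings as `site_a` and the initiator's as `site_b`; an empty result means the selectors and the Phase 2 proposal line up, and any remaining log noise has to come from something the two policy pages do not show (for example a third peer or a stale SA), which is where the per-entry Log Details become the next thing to read.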

  • Baudet Newbie ✭

    @Michael@BWC

    Yes, Main Mode is configured on all of the tunnels. I will look into the link you sent and double-check the objects again, but I am pretty sure they are all a match.
