Set up an IKEv2 site-to-site, I keep getting an error
Hello, I was trying to make a site-to-site tunnel but I keep getting logs like this one.
What do "no acceptable INTEGRITY_ALGORITHM found", "no acceptable ENCRYPTION_ALGORITHM found" and "received proposals unacceptable" mean?
What are safe values that should work?
charon 11[NET] <1135> received packet: from REMOTE_PEER[49554] to LOCAL_PEER[500] (476 bytes)
charon 11[ENC] <1135> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V ]
charon 11[CFG] <1135> looking for an IKEv2 config for LOCAL_PEER...REMOTE_PEER
charon 11[CFG] <1135> candidate: %any...%any, prio 24
charon 11[CFG] <1135> found matching ike config: %any...%any with prio 24
charon 11[ENC] <1135> received unknown vendor ID: blablabla1
charon 11[ENC] <1135> received unknown vendor ID: blablabla2
charon 11[ENC] <1135> received unknown vendor ID: blablabla3
charon 11[IKE] <1135> REMOTE_PEER is initiating an IKE_SA
charon 11[IKE] <1135> IKE_SA (unnamed)[1135] state change: CREATED => CONNECTING
charon 11[CFG] <1135> selecting proposal:
charon 11[CFG] <1135> no acceptable INTEGRITY_ALGORITHM found
charon 11[CFG] <1135> selecting proposal:
charon 11[CFG] <1135> no acceptable ENCRYPTION_ALGORITHM found
charon 11[CFG] <1135> received proposals: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
charon 11[CFG] <1135> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
charon 11[CFG] <1135> looking for IKEv2 configs for LOCAL_PEER...REMOTE_PEER
charon 11[CFG] <1135> candidate: %any...%any, prio 24
charon 11[IKE] <1135> remote host is behind NAT
charon 11[IKE] <1135> received proposals unacceptable
charon 11[ENC] <1135> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
charon 11[NET] <1135> sending packet: from LOCAL_PEER[500] to REMOTE_PEER[49554] (36 bytes)
charon 11[IKE] <1135> IKE_SA (unnamed)[1135] state change: CONNECTING => DESTROYING
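To see concretely why charon rejected this offer, here is an added Python example (not from the post, pfSense or strongSwan) that parses the "received proposals" and "configured proposals" lines above and lists, for each configured proposal, the transform types the peer's offer failed on. The sample log is constructed from the excerpt above, with the long configured list abridged; the transform-type classification by token prefix is an assumption of this example.

```python
import re

# Constructed sample: the two proposal lines from the charon log quoted above, with the
# long "configured proposals" list abridged to the entries that matter for the verdict.
LOG = """\
charon 11[CFG] <1135> received proposals: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
charon 11[CFG] <1135> configured proposals: IKE:AES_CBC_128/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/ECP_256/CURVE_25519/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256/MODP_2048
"""
TYPES = ("ENCRYPTION", "INTEGRITY", "PRF", "DH_GROUP")  # order in which the log above reports failures
LINE_RE = re.compile(r"(received|configured) proposals: (.*)$")
PREFIXES = (("PRF", ("PRF_",)), ("INTEGRITY", ("HMAC_", "AES_XCBC", "AES_CMAC")),
            ("DH_GROUP", ("MODP_", "ECP_", "CURVE_")))  # assumed prefix table for strongSwan tokens

def transform_type(token):
    """Map a strongSwan proposal token to its IKEv2 transform type (ciphers are the default)."""
    return next((t for t, pre in PREFIXES if token.startswith(pre)), "ENCRYPTION")

def parse_proposals(line):
    """Return (kind, [(protocol, {type: set(tokens)}), ...]) for a proposal log line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    proposals = []
    for prop in m.group(2).split(", "):          # several proposals are comma separated
        proto, _, transforms = prop.partition(":")
        by_type = {}
        for tok in transforms.split("/"):        # transforms within one proposal are '/' separated
            by_type.setdefault(transform_type(tok), set()).add(tok)
        proposals.append((proto, by_type))
    return m.group(1), proposals

def diagnose(log_text):
    """Per (received, configured) pair: {type: [rejected tokens]}; an empty dict means a match."""
    received, configured = [], []
    for parsed in filter(None, map(parse_proposals, log_text.splitlines())):
        (received if parsed[0] == "received" else configured).extend(parsed[1])
    report = []
    for proto, want in received:
        for n, (cproto, have) in enumerate(configured, 1):
            if cproto == proto:
                rejected = {t: sorted(want[t]) for t in TYPES
                            if t in want and not want[t] & have.get(t, set())}
                report.append((n, rejected))
    return report

def charon_message(rejected):
    """First 'no acceptable ..._ALGORITHM found' line charon logs for that pair."""
    hit = next((t for t in TYPES if t in rejected), None)
    return f"no acceptable {hit}_ALGORITHM found" if hit else "proposal acceptable"
```

Running `diagnose(LOG)` shows that the first configured proposal accepts 3DES but rejects MD5 integrity, MD5 PRF and MODP_1024, while the GCM proposal rejects 3DES outright, which is exactly the pair of messages in the log; the fix is to raise the remote side to a suite both ends list, not to add MD5 and MODP_1024 locally.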
@Hoygen83 said in Set up an IKEv2 site-to-site, I keep getting an error:
no acceptable ENCRYPTION_ALGORITHM found
It seems that someone changed something in phase two
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/ipsec-troubleshooting.html
or am I wrong?
You can find here:
https://administrator.de/content/detail.php?id=559328&token=338#comment-1436380
a fully running solution with a static IKEv2 tunnel.
You have to make sure to use exactly the same crypto suites on both ends.
Recommended are AES256 and AES256-GCM with SHA256 hash.
Timeout timers have to be the same as well.
It's also relevant whether you work with distinguished names or IP addresses here in the peer authentication. They must match, of course.
Unfortunately you haven't posted any setup screenshots here, so it's just a guess.
In general IKEv2 static tunnels work without any error in 2.4.4
@lfoerster
Thank you very much, sir.