Setting up an IKEv2 site-to-site tunnel, I keep getting an error



  • Hello, I was trying to make a site-to-site tunnel but I keep getting logs like this one.
    What do "no acceptable INTEGRITY_ALGORITHM found", "no acceptable ENCRYPTION_ALGORITHM found" and "received proposals unacceptable" mean?
    What are safe values that should work?

    charon 11[NET] <1135> received packet: from REMOTE_PEER[49554] to LOCAL_PEER[500] (476 bytes)
    charon 11[ENC] <1135> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V ]
    charon 11[CFG] <1135> looking for an IKEv2 config for LOCAL_PEER...REMOTE_PEER
    charon 11[CFG] <1135> candidate: %any...%any, prio 24
    charon 11[CFG] <1135> found matching ike config: %any...%any with prio 24
    charon 11[ENC] <1135> received unknown vendor ID: blablabla1
    charon 11[ENC] <1135> received unknown vendor ID: blablabla2
    charon 11[ENC] <1135> received unknown vendor ID: blablabla3
    charon 11[IKE] <1135> REMOTE_PEER is initiating an IKE_SA
    charon 11[IKE] <1135> IKE_SA (unnamed)[1135] state change: CREATED => CONNECTING
    charon 11[CFG] <1135> selecting proposal:
    charon 11[CFG] <1135> no acceptable INTEGRITY_ALGORITHM found
    charon 11[CFG] <1135> selecting proposal:
    charon 11[CFG] <1135> no acceptable ENCRYPTION_ALGORITHM found
    charon 11[CFG] <1135> received proposals: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
    charon 11[CFG] <1135> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
    charon 11[CFG] <1135> looking for IKEv2 configs for LOCAL_PEER...REMOTE_PEER
    charon 11[CFG] <1135> candidate: %any...%any, prio 24
    charon 11[IKE] <1135> remote host is behind NAT
    charon 11[IKE] <1135> received proposals unacceptable
    charon 11[ENC] <1135> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
    charon 11[NET] <1135> sending packet: from LOCAL_PEER[500] to REMOTE_PEER[49554] (36 bytes)
    charon 11[IKE] <1135> IKE_SA (unnamed)[1135] state change: CONNECTING => DESTROYING



  • @Hoygen83 said in Setting up an IKEv2 site-to-site tunnel, I keep getting an error:

    no acceptable ENCRYPTION_ALGORITHM found

    It seems that someone changed something in phase two:
    https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/ipsec-troubleshooting.html
    Or am I wrong?



  • You can find here:
    https://administrator.de/content/detail.php?id=559328&token=338#comment-1436380
    a fully running solution with a static IKEv2 tunnel.

    You have to make sure to use exactly the same crypto suites on both ends.
    Recommended is AES256 and AES256-GCM with SHA256 hash.
    Timeout timers have to be the same as well.
    It's also relevant whether you work with distinguished names or IP addresses in the peer authentication. They have to match, of course; that is mandatory.
    Unfortunately you haven't posted any setup screenshots here, so it's just a guess.
    In general, IKEv2 static tunnels work without any error in 2.4.4.
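To make the two posts above concrete, here is an added example (not code from the thread or from pfSense/strongSwan) that reads charon's "received proposals" / "configured proposals" lines, reproduces charon's per-proposal matching to show why the log prints "no acceptable INTEGRITY_ALGORITHM found" and then "no acceptable ENCRYPTION_ALGORITHM found", and flags the legacy algorithms in the remote offer (3DES, MD5, MODP_1024) that the AES256/AES256-GCM with SHA256 recommendation avoids. The sample log is constructed after the first post; the configured proposal list is shortened to keep it readable.

```python
"""Diagnose strongSwan (charon) IKE proposal mismatches from log lines.

Added example, not project code. The log below is constructed after the
thread's output; the configured list is a shortened version of the original.
"""
import re

SAMPLE_LOG = """\
charon 11[CFG] <1135> selecting proposal:
charon 11[CFG] <1135> no acceptable INTEGRITY_ALGORITHM found
charon 11[CFG] <1135> selecting proposal:
charon 11[CFG] <1135> no acceptable ENCRYPTION_ALGORITHM found
charon 11[CFG] <1135> received proposals: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
charon 11[CFG] <1135> configured proposals: IKE:AES_CBC_128/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA1_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/ECP_256/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256/MODP_2048
charon 11[IKE] <1135> received proposals unacceptable
"""

PROPOSALS_RE = re.compile(r"(received|configured) proposals: (.*)$")

# Transform types in the order charon checks them; the first one with no
# common algorithm is the one reported as "no acceptable ... found".
ORDER = ["enc", "integ", "prf", "dh"]

# Algorithms deprecated for IKEv2 (RFC 8247): weak cipher, weak hash, small DH group.
LEGACY = {"DES_CBC", "3DES_CBC", "HMAC_MD5_96", "PRF_HMAC_MD5", "MODP_768", "MODP_1024"}


def classify(alg):
    """Map a strongSwan algorithm token to its IKE transform type."""
    if alg.startswith("PRF_"):
        return "prf"
    if alg.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh"
    if alg.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "integ"
    return "enc"  # AES_CBC_*, AES_GCM_*, CAMELLIA_*, 3DES_CBC, ...


def parse_proposal(text):
    """'IKE:A/B/C' -> dict of transform type -> set of algorithm tokens.
    An AEAD proposal (e.g. AES_GCM) has an empty 'integ' set."""
    body = text.split(":", 1)[1]
    sets = {t: set() for t in ORDER}
    for alg in body.split("/"):
        sets[classify(alg)].add(alg)
    return sets


def parse_log(log):
    """Collect the received and configured proposals from charon log lines."""
    received, configured = [], []
    for line in log.splitlines():
        m = PROPOSALS_RE.search(line)
        if not m:
            continue
        target = received if m.group(1) == "received" else configured
        target.extend(parse_proposal(p.strip()) for p in m.group(2).split(","))
    return received, configured


def first_missing(received, configured):
    """First transform type where the two proposals share no algorithm,
    or None when every type overlaps (a match). A type that neither side
    carries (integrity on two AEAD proposals) is not a mismatch."""
    for t in ORDER:
        if received[t] or configured[t]:
            if not (received[t] & configured[t]):
                return t
    return None


def diagnose(log):
    """One entry per (received, configured) pair, mirroring charon's
    'selecting proposal:' rounds: the failing transform type, or None."""
    received, configured = parse_log(log)
    return [first_missing(r, c) for r in received for c in configured]


def legacy_algorithms(proposal):
    """Algorithms in a parsed proposal that are on the deprecated list."""
    return set().union(*proposal.values()) & LEGACY


if __name__ == "__main__":
    rx, cfg = parse_log(SAMPLE_LOG)
    for r in rx:
        for c, verdict in zip(cfg, diagnose(SAMPLE_LOG)):
            print("mismatch on", verdict if verdict else "none (match)")
        print("legacy algorithms offered by peer:", sorted(legacy_algorithms(r)))
```

Running it on the constructed log gives "integ" for the first configured (CBC) proposal, because 3DES_CBC is shared but HMAC_MD5_96 is not, and "enc" for the second (GCM) proposal, because 3DES_CBC is not an AEAD cipher; that is exactly the order of the two "no acceptable ... found" lines in the first post. The legacy set shows every component of the remote offer is deprecated, so the fix is to change the remote side's phase 1 proposal rather than to enable MD5 or MODP_1024 locally.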



  • @lfoerster
    Thank you very much, sir.

