Monday, July 11, 2016

Aerohive IPsec VPN - Phase 1 proposal mismatch with peer


2016-07-11 13:22:36:Phase 1 proposal mismatch with peer (172.16.1.5[500]->172.16.1.254[500])

I was setting up a VPN between an Aerohive VPN gateway (CVG) and an Aerohive BR200 branch router. The VPN gateway was up, but the BR200 was not forming the VPN.


1) Check the IKE events on both the VPN gateway and the BR200 (SSH in to each).

2) The BR200 is saying that there is no response from the VPN gateway:

AH-3f9dc0#show vpn ike event (BR200)

2016-07-11 13:58:36:Phase 1 deleted(10.100.4.237[4500]->172.16.1.5[4500]) 
2016-07-11 13:58:37:Phase 1 started(10.100.4.237[500]->172.16.1.5[500]) 
2016-07-11 13:59:26:Peer not responding(10.100.4.237[500]->172.16.1.5[500])
2016-07-11 13:59:26:Phase 1 deleted(10.100.4.237[500]->172.16.1.5[500])
2016-07-11 13:59:32:Phase 1 started(10.100.4.237[4500]->172.16.1.5[4500]) 
2016-07-11 14:00:21:Peer not responding(10.100.4.237[4500]->172.16.1.5[4500])

3) The VPN gateway is saying that there is a Phase 1 proposal mismatch:
CVG#show vpn ike even (VPN GW) 
2016-07-11 14:06:55:Phase 1 proposal mismatch with peer(172.16.1.5[4500]->172.16.1.254[4500])
2016-07-11 14:06:55:Phase 1 deleted(172.16.1.5[4500]->172.16.1.254[4500])
2016-07-11 14:07:05:Phase 1 started(172.16.1.5[4500]->172.16.1.254[4500])
2016-07-11 14:07:05:Phase 1 proposal mismatch with peer(172.16.1.5[4500]->172.16.1.254[4500])
2016-07-11 14:07:05:Phase 1 deleted(172.16.1.5[4500]->172.16.1.254[4500])
2016-07-11 14:07:15:Phase 1 started(172.16.1.5[500]->172.16.1.254[500])


4) Compare the Phase 1 proposals on the VPN gateway and the BR200: the AES key length does not match (the BR200 proposes a 256-bit key, the CVG a 128-bit key).

AH-3f9dc0#show vpn ike conf (BR200)
 /* prop_no=1, trns_no=1, rmconf=172.16.1.5[500] */
 phase1 proposal {
  lifetime time 84669 sec;
  lifetime bytes 0;
  dh_group modp1024;
  encryption_algorithm aes;
  encryption_algorithm length 256;
  hash_algorithm sha1;
  authentication_method hybrid_rsa_client;
 }

CVG#show vpn ike configuration (VPN Gateway)
 /* prop_no=1, trns_no=1, rmconf=anonymous */
 phase1 proposal {
  lifetime time 86400 sec;
  lifetime bytes 0;
  dh_group modp1024;
  encryption_algorithm aes;
  encryption_algorithm length 128;
  hash_algorithm sha1;
  authentication_method hybrid_rsa_server;
 }

5) Go to the VPN configuration and change the AES key length to 128.
6) Upload the configuration to the CVG (VPN gateway) and the BR200.
7) The VPN is up.
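As an added example (my own script, not from the original post or from Aerohive), here is a small Python parser for the `show vpn ike conf` output shown above that compares the two peers' Phase 1 proposals and reports the attributes that would produce the "proposal mismatch" event. The sample text is copied from the outputs above; the rule that lifetimes may differ and that hybrid RSA client/server roles must be complementary is assumed from how the two peers above behaved.

```python
import re

# Constructed sample: the BR200 `show vpn ike conf` output from the post.
BR200 = """\
 /* prop_no=1, trns_no=1, rmconf=172.16.1.5[500] */
 phase1 proposal {
  lifetime time 84669 sec;
  lifetime bytes 0;
  dh_group modp1024;
  encryption_algorithm aes;
  encryption_algorithm length 256;
  hash_algorithm sha1;
  authentication_method hybrid_rsa_client;
 }
"""
# The CVG output differs from the BR200 in the proposal fields shown in the post.
CVG = (BR200.replace("84669", "86400").replace("length 256", "length 128")
            .replace("hybrid_rsa_client", "hybrid_rsa_server"))

# Attributes both peers must agree on for Phase 1 (lifetime is excluded: the
# peers above differed there and still negotiated once the key length matched).
MUST_MATCH = ("dh_group", "encryption_algorithm",
              "encryption_algorithm length", "hash_algorithm")
# Hybrid RSA roles are complementary, not identical (assumed from the post).
ROLE_PEER = {"hybrid_rsa_client": "hybrid_rsa_server",
             "hybrid_rsa_server": "hybrid_rsa_client"}

def parse_phase1(text):
    """Return {attribute: value} for the first phase1 proposal block."""
    block = re.search(r"phase1 proposal \{(.*?)\}", text, re.S)
    if not block:
        raise ValueError("no phase1 proposal block found")
    attrs = {}
    for line in block.group(1).splitlines():
        tokens = line.strip().rstrip(";").split()
        if not tokens:
            continue
        if tokens[-1] == "sec":          # "lifetime time 84669 sec"
            tokens.pop()
        attrs[" ".join(tokens[:-1])] = tokens[-1]
    return attrs

def find_mismatches(a, b):
    """List (attribute, a_value, b_value) triples that would break Phase 1."""
    bad = [(k, a.get(k), b.get(k)) for k in MUST_MATCH if a.get(k) != b.get(k)]
    am, bm = a.get("authentication_method"), b.get("authentication_method")
    if ROLE_PEER.get(am, am) != bm:
        bad.append(("authentication_method", am, bm))
    return bad
```

Running `find_mismatches(parse_phase1(BR200), parse_phase1(CVG))` flags only `encryption_algorithm length` (256 vs 128), which is the field changed in step 5.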
