A scenario existed where Phase 1 of a VPN would fail with a proposal mismatch (or "no proposal selected") error.
On the local side of the Phase 1 VPN, the settings selected were Diffie-Hellman group 14, AES 256-bit encryption and SHA-256 as the hashing algorithm.
On the remote side of the VPN, a Cisco ASA, the configuration below was present:
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 14
 prf sha
 lifetime seconds 86400
If I enabled SHA1 locally as well as SHA256, the VPN came online OK. This was due to the prf line in the Cisco configuration containing sha, which on the ASA means SHA1. In IKEv2 the PRF is negotiated as its own transform, separate from the integrity algorithm, so a local side offering only SHA256 had no PRF in common with the ASA even though encryption, integrity and DH group all matched.
Changing the Cisco ASA configuration from prf sha to prf sha256 allowed the VPN to come online with only SHA256 as the hashing algorithm.
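The negotiation failure above, modelled as an added example (not code from the original post): a minimal IKEv2 SA proposal matcher in the style of RFC 7296 section 3.3, where every transform type (ENCR, PRF, INTEG, D-H) must have at least one algorithm in common. It assumes the local firewall derives both its PRF and integrity lists from its hash setting, which is why adding SHA1 locally worked.

```python
# Added example, not from the original post. Minimal model of IKEv2 proposal
# matching: a proposal is accepted only if every transform type it carries has
# at least one algorithm offered by both peers. The ASA's "prf sha" means
# HMAC-SHA1 and does not follow its "integrity sha256" line, so a local peer
# that only offers SHA256 has no PRF in common with it.

TRANSFORM_TYPES = ("ENCR", "PRF", "INTEG", "DH")


def local_proposal(hashes):
    """Local peer: AES-256, DH group 14; PRF and integrity both follow the
    configured hash list (an assumption about the local firewall)."""
    return {
        "ENCR": {"AES-256"},
        "PRF": {f"HMAC-{h}" for h in hashes},
        "INTEG": {f"HMAC-{h}" for h in hashes},
        "DH": {14},
    }


def asa_policy(prf):
    """The Cisco ASA policy from the post, with the PRF line parameterised."""
    return {
        "ENCR": {"AES-256"},
        "PRF": {f"HMAC-{prf}"},
        "INTEG": {"HMAC-SHA256"},
        "DH": {14},
    }


def negotiate(initiator, responder):
    """Return (chosen transforms, status). The first transform type with no
    common algorithm aborts the match, as a NO_PROPOSAL_CHOSEN would."""
    chosen = {}
    for ttype in TRANSFORM_TYPES:
        common = initiator[ttype] & responder[ttype]
        if not common:
            return None, f"NO_PROPOSAL_CHOSEN: no common {ttype} transform"
        # Deterministic pick; real responders honour the initiator's ordering.
        chosen[ttype] = sorted(common, key=str)[0]
    return chosen, "OK"


if __name__ == "__main__":
    print(negotiate(local_proposal(["SHA256"]), asa_policy("SHA1")))   # fails on PRF
    print(negotiate(local_proposal(["SHA256", "SHA1"]), asa_policy("SHA1")))  # OK
    print(negotiate(local_proposal(["SHA256"]), asa_policy("SHA256")))  # OK
```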