https://community.checkpoint.com/t5/Firewall-and-Security-Management/IKE-failure-Reason-unsupported-encryption-algorithm/m-p/141670#M21887 <P>SHA1 has been deprecated for awhile now, is the new gateway perhaps running a newer version of code that is blocking the use of SHA1?&nbsp; DH Group 2 is pretty old but should still be supported by all code versions.</P> Wed, 16 Feb 2022 14:49:04 GMT Timothy_Hall 2022-02-16T14:49:04Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IKE-failure-Reason-unsupported-encryption-algorithm/m-p/141559#M21857 <P>Hi,</P><P>I'm trying to establish and IPSEC (S2S) tunnel between 2 managed Check Point firewalls. I previously succeeded with the same kind of HW/version. This one throws an error I've never seen before :</P><LI-CODE lang="markup">Main Mode Failed to match proposal: Transform: SHA1, Certificate, Group 2 (1024 bit); Reason: unsupported encryption algorithm -1 (NA)</LI-CODE><P>&nbsp;</P><P>I've tried lowering the algorithm, still the same issue.</P><P>Any idea how to troubleshoot that ? I'm currently planning on upgrading that remote GW to the latest available firmware, and rebooting it.</P><P>Thanks !</P><P>&nbsp;</P> Tue, 15 Feb 2022 14:33:24 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IKE-failure-Reason-unsupported-encryption-algorithm/m-p/141559#M21857 Ob1lan 2022-02-15T14:33:24Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IKE-failure-Reason-unsupported-encryption-algorithm/m-p/141567#M21859 <P>I cant say 100% this is related, but just see what you have there. I changed mine, so yours would look different if you never touched it.</P> <P>Andy</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot_1.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/15408iC0A3E40EC092A752/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot_1.png" alt="Screenshot_1.png" /></span></P> <P> </P> Tue, 15 Feb 2022 15:42:21 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IKE-failure-Reason-unsupported-encryption-algorithm/m-p/141567#M21859 the_rock 2022-02-15T15:42:21Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IKE-failure-Reason-unsupported-encryption-algorithm/m-p/141570#M21860 <P>Hi, thanks for your answer. In my case I don't have the same screen as yours, all should be set in the Community:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2022-02-15 at 16.45.55.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/15409iBEF5C86291F2CAAD/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot 2022-02-15 at 16.45.55.png" alt="Screenshot 2022-02-15 at 16.45.55.png" /></span></P><P>And in the said community (I tried various combination):</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2022-02-15 at 16.47.14.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/15410i361AAD231E883AC8/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot 2022-02-15 at 16.47.14.png" alt="Screenshot 2022-02-15 at 16.47.14.png" /></span></P><P>This works for more than 10 gateways in the same community (as Satellite), but doesn't work for a new one I wanted to add. <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Tue, 15 Feb 2022 15:48:18 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IKE-failure-Reason-unsupported-encryption-algorithm/m-p/141570#M21860 Ob1lan 2022-02-15T15:48:18Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IKE-failure-Reason-unsupported-encryption-algorithm/m-p/141575#M21862 <P>Ok, so just to make sure I get this right, apologies if I had wrong assumption. Are you saying there are multiple satellite gateways with one centre gateway? If so, is it the case that this new firewall you added is also a satellite, correct? And thats where you get the error?</P> Tue, 15 Feb 2022 16:36:58 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IKE-failure-Reason-unsupported-encryption-algorithm/m-p/141575#M21862 the_rock 2022-02-15T16:36:58Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IKE-failure-Reason-unsupported-encryption-algorithm/m-p/141614#M21869 <P>Exactly, this community is used for many of our remote offices, and I just want to add a new one into it. The Centre gateway is our main cluster, and the Satellites are the remote offices' firewalls. The one that I didn't succeed in adding is a remote office, so a Satellite. That's where I get the error.</P> Wed, 16 Feb 2022 08:27:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IKE-failure-Reason-unsupported-encryption-algorithm/m-p/141614#M21869 Ob1lan 2022-02-16T08:27:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IKE-failure-Reason-unsupported-encryption-algorithm/m-p/141670#M21887 <P>SHA1 has been deprecated for awhile now, is the new gateway perhaps running a newer version of code that is blocking the use of SHA1?&nbsp; DH Group 2 is pretty old but should still be supported by all code versions.</P> Wed, 16 Feb 2022 14:49:04 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IKE-failure-Reason-unsupported-encryption-algorithm/m-p/141670#M21887 Timothy_Hall 2022-02-16T14:49:04Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IKE-failure-Reason-unsupported-encryption-algorithm/m-p/141675#M21889 <P>I get what&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/597">@Timothy_Hall</a>&nbsp;is saying...though, I had seen customer running on R81.10 use sha1 and works perfectly fine. I would definitely confirm with TAC to get official statement/answer.</P> Wed, 16 Feb 2022 15:07:47 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IKE-failure-Reason-unsupported-encryption-algorithm/m-p/141675#M21889 the_rock 2022-02-16T15:07:47Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IKE-failure-Reason-unsupported-encryption-algorithm/m-p/143661#M22343 <P>Hi,</P><P>I actually updated the firmware to the latest version available, and it solved it.</P><P>Thanks for your help.</P><P>Regards.</P> Mon, 14 Mar 2022 15:07:01 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IKE-failure-Reason-unsupported-encryption-algorithm/m-p/143661#M22343 Ob1lan 2022-03-14T15:07:01Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IKE-failure-Reason-unsupported-encryption-algorithm/m-p/143736#M22362 <P>These were SMB GWs ?</P> Tue, 15 Mar 2022 11:46:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IKE-failure-Reason-unsupported-encryption-algorithm/m-p/143736#M22362 G_W_Albrecht 2022-03-15T11:46:32Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IKE-failure-Reason-unsupported-encryption-algorithm/m-p/145349#M22884 <P>Yes it was <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 04 Apr 2022 07:13:56 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IKE-failure-Reason-unsupported-encryption-algorithm/m-p/145349#M22884 Ob1lan 2022-04-04T07:13:56Z