Solved: Re: IKE failure : Reason unsupported encryption al...

Ob1lan · ‎2022-02-15

Hi,

I'm trying to establish and IPSEC (S2S) tunnel between 2 managed Check Point firewalls. I previously succeeded with the same kind of HW/version. This one throws an error I've never seen before :

Main Mode Failed to match proposal: Transform: SHA1, Certificate, Group 2 (1024 bit); Reason: unsupported encryption algorithm -1 (NA)

I've tried lowering the algorithm, still the same issue.

Any idea how to troubleshoot that ? I'm currently planning on upgrading that remote GW to the latest available firmware, and rebooting it.

Thanks !

Ob1lan · ‎2022-03-14

Hi,

I actually updated the firmware to the latest version available, and it solved it.

Thanks for your help.

Regards.

View solution in original post

the_rock · ‎2022-02-15

I cant say 100% this is related, but just see what you have there. I changed mine, so yours would look different if you never touched it.

Andy

Best,
Andy

Ob1lan · ‎2022-02-15

Hi, thanks for your answer. In my case I don't have the same screen as yours, all should be set in the Community:

And in the said community (I tried various combination):

This works for more than 10 gateways in the same community (as Satellite), but doesn't work for a new one I wanted to add. 😞

the_rock · ‎2022-02-15

Ok, so just to make sure I get this right, apologies if I had wrong assumption. Are you saying there are multiple satellite gateways with one centre gateway? If so, is it the case that this new firewall you added is also a satellite, correct? And thats where you get the error?

Best,
Andy

Ob1lan · ‎2022-02-16

Exactly, this community is used for many of our remote offices, and I just want to add a new one into it. The Centre gateway is our main cluster, and the Satellites are the remote offices' firewalls. The one that I didn't succeed in adding is a remote office, so a Satellite. That's where I get the error.

Timothy_Hall · ‎2022-02-16

SHA1 has been deprecated for awhile now, is the new gateway perhaps running a newer version of code that is blocking the use of SHA1? DH Group 2 is pretty old but should still be supported by all code versions.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

the_rock · ‎2022-02-16

I get what @Timothy_Hall is saying...though, I had seen customer running on R81.10 use sha1 and works perfectly fine. I would definitely confirm with TAC to get official statement/answer.

Best,
Andy

Ob1lan · ‎2022-03-14

Hi,

I actually updated the firmware to the latest version available, and it solved it.

Thanks for your help.

Regards.

G_W_Albrecht · ‎2022-03-15

These were SMB GWs ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Ob1lan · ‎2022-04-04

Yes it was 🙂

Are you a member of CheckMates?

IKE failure : Reason unsupported encryption algorithm