Ob1lan
Collaborator

IKE failure : Reason unsupported encryption algorithm


Hi,

I'm trying to establish an IPSEC (S2S) tunnel between 2 managed Check Point firewalls. I previously succeeded with the same kind of HW/version. This one throws an error I've never seen before:

Main Mode Failed to match proposal: Transform: SHA1, Certificate, Group 2 (1024 bit); Reason: unsupported encryption algorithm -1 (NA)

 

I've tried lowering the algorithm, still the same issue.

Any idea how to troubleshoot that? I'm currently planning on upgrading that remote GW to the latest available firmware, and rebooting it.

Thanks!

 


Accepted Solutions
Ob1lan
Collaborator

Hi,

I actually updated the firmware to the latest version available, and it solved it.

Thanks for your help.

Regards.

9 Replies
the_rock
Champion

I can't say 100% this is related, but just see what you have there. I changed mine, so yours would look different if you never touched it.

Andy

Screenshot_1.png

Ob1lan
Collaborator

Hi, thanks for your answer. In my case I don't have the same screen as yours, all should be set in the Community:

Screenshot 2022-02-15 at 16.45.55.png

And in the said community (I tried various combinations):

Screenshot 2022-02-15 at 16.47.14.png

This works for more than 10 gateways in the same community (as Satellite), but doesn't work for a new one I wanted to add. 😞

the_rock
Champion

Ok, so just to make sure I get this right, apologies if I had the wrong assumption. Are you saying there are multiple satellite gateways with one centre gateway? If so, is it the case that this new firewall you added is also a satellite, correct? And that's where you get the error?

Ob1lan
Collaborator

Exactly, this community is used for many of our remote offices, and I just want to add a new one into it. The Centre gateway is our main cluster, and the Satellites are the remote offices' firewalls. The one that I didn't succeed in adding is a remote office, so a Satellite. That's where I get the error.

Timothy_Hall
Champion

SHA1 has been deprecated for a while now; is the new gateway perhaps running a newer version of code that is blocking the use of SHA1? DH Group 2 is pretty old but should still be supported by all code versions.

the_rock
Champion

I get what @Timothy_Hall is saying... though, I had seen a customer running on R81.10 use SHA1 and it works perfectly fine. I would definitely confirm with TAC to get an official statement/answer.


These were SMB GWs?

CCSE CCTE CCSM SMB Specialist
Ob1lan
Collaborator

Yes it was 🙂
