TomasFy
Explorer

Limit in received IKEv2 Phase-1 SA Proposal count

Hi,

I am working on a VPN with a 3rd-party vendor and we cannot make it work.

During troubleshooting I found out that the problem is down to the fact that the gateway can 'see' only 16 IKE Phase-1 Proposals sent from the other party.

As a result the tunnel negotiation is refused with the message "No proposal chosen".

In the packet capture I can see that 20 proposals are sent, but in the ikev2.xmll debug file I can only see 16. On the basis of the peer engineer's analysis I know that the 16 Proposals in our GW's debug match the first 16 sets in their configuration. The rest seem to be just cut off.

The one which should match has index 17 …


Is this a known problem and is there any solution to it?


My GW version is R80.40 with JHF T139. The peer's GW is a Cisco ASA-X.

the_rock
Champion

Is tunnel management set as per subnet or per gateway?

Andy

Chris_Atkinson
Employee

Per sk112139, only up to 16 proposals are currently supported in R80.40.
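As an added example (not from this thread, and not Check Point's or Cisco's code), a small Python parser for the IKEv2 SA payload (RFC 7296 section 3.3) that counts the proposals a peer sends and lists the ones that fall past the 16-proposal limit quoted above. The value 16 is taken from the thread; the 20-proposal payload is constructed by the script itself, so it runs offline.

```python
import struct

# Proposal-count limit the thread cites for R80.40 (sk112139); value taken from the thread.
PROPOSAL_LIMIT = 16

# One transform set per proposal: ENCR_3DES, PRF_HMAC_SHA1, AUTH_HMAC_SHA1_96, D-H group 14.
# 3DES is used because it needs no key-length attribute, which keeps the encoding short.
TRANSFORMS = [(1, 3), (2, 2), (3, 2), (4, 14)]


def build_sa_payload(proposal_count):
    """Construct an IKEv2 SA payload (RFC 7296 s3.3) carrying N numbered proposals."""
    body = b""
    for num in range(1, proposal_count + 1):
        tbytes = b""
        for i, (ttype, tid) in enumerate(TRANSFORMS):
            last = 0 if i == len(TRANSFORMS) - 1 else 3   # 0 = last transform, 3 = more follow
            tbytes += struct.pack("!BBHBBH", last, 0, 8, ttype, 0, tid)
        last_prop = 0 if num == proposal_count else 2     # 0 = last proposal, 2 = more follow
        # proposal header: last, reserved, length, proposal num, protocol (1 = IKE), SPI size, #transforms
        body += struct.pack("!BBHBBBB", last_prop, 0, 8 + len(tbytes), num, 1, 0, len(TRANSFORMS)) + tbytes
    # generic payload header: next payload (0 here), critical/reserved, total length
    return struct.pack("!BBH", 0, 0, 4 + len(body)) + body


def parse_sa_payload(payload):
    """Walk the proposal chain and return [(proposal_num, protocol_id, transform_count), ...]."""
    _, _, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError("SA payload length field does not match data")
    off, proposals = 4, []
    while off < length:
        last, _, plen, num, proto, spi_size, ntrans = struct.unpack("!BBHBBBB", payload[off:off + 8])
        if plen < 8 + spi_size or off + plen > length:
            raise ValueError("malformed proposal substructure")
        proposals.append((num, proto, ntrans))
        off += plen
        if last == 0:
            break
    if off != length:
        raise ValueError("trailing bytes after last proposal")
    return proposals


def proposals_beyond_limit(payload, limit=PROPOSAL_LIMIT):
    """Return the proposal numbers a gateway that evaluates only the first `limit` would never see."""
    return [num for num, _, _ in parse_sa_payload(payload)[limit:]]
```

If the list returned for the peer's SA_INIT payload is non-empty, the proposal that is supposed to match has to be moved into the first 16 on the peer side (or the peer's list trimmed), since the gateway never evaluates the rest.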

TomasFy
Explorer

Hi Chris,


Thank you for the answer. I was looking for any solution but didn't find this one 😞

Do you know whether the same applies to IKEv1?

Is the limit there the same or lower? Or maybe higher than this?

Timothy_Hall
Champion

For IKEv1 I don't believe this limit applies, as I'm pretty sure only one SA can be proposed at a time. IKEv2 allows multiple proposals within the same negotiation, and the creation of Child SAs as well.

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com