BOVPN Phase 1 Negotiation Fails Due to Encryption or DH Group Mismatch

Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes

Phase 1 negotiation fails when the encryption algorithm or Diffie‑Hellman (DH) group configured on one BOVPN endpoint differs from the configuration on the remote endpoint.

For Phase 1 negotiation, both endpoints must agree on a common set of security parameters to establish the initial IKE security association (SA). If the endpoints do not find at least one matching proposal, the negotiation stops, and the tunnel is not established.

A single mismatch, such as different encryption algorithms or DH groups, prevents the successful completion of Phase 1 negotiation, even when all other BOVPN settings are correct.

Symptoms

A BOVPN Phase 1 encryption algorithm or DH group mismatch typically presents these symptoms:

  • Phase 1 negotiation fails.
  • The tunnel does not establish.
  • The endpoint repeatedly attempts negotiation without success.
  • Firebox log messages include one or more of these entries:
    • No Proposal Chosen
    • No matching Phase 1 proposal
    • Peer rejected proposal

Diagnostic Steps

On both BOVPN endpoints, complete these steps:

  1. Compare the Phase 1 configuration settings:
    • Authentication (for example, SHA1 versus SHA2-256)
    • Encryption algorithm (for example, AES‑256 versus 3DES)
    • DH group (for example, Group 14 versus Group 2)
  2. Verify that at least one Phase 1 proposal is the same on both endpoints.
  3. Review log messages on both endpoints to identify which parameter is rejected during negotiation.
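The proposal comparison in the steps above, as an added Python example that is not part of this article or of Firebox software: it models each endpoint's Phase 1 proposal list, reports the first proposal both sides accept, and, when none matches, names the parameter that differs in the closest pair. The proposal values are constructed sample data.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Phase1Proposal:
    """One IKE Phase 1 proposal as configured on a BOVPN endpoint."""
    encryption: str      # for example "AES-256" or "3DES"
    authentication: str  # for example "SHA2-256" or "SHA1"
    dh_group: int        # for example 14 or 2


PARAMETERS = ("encryption", "authentication", "dh_group")


def find_common_proposal(local, remote):
    """Return the first local proposal the remote endpoint also lists, or None.

    Phase 1 succeeds only if at least one proposal is identical in every
    parameter; a partial match (same cipher, different DH group) counts as none.
    """
    for proposal in local:
        if proposal in remote:
            return proposal
    return None


def diagnose_mismatch(local, remote):
    """Return a list of 'parameter: local=.. remote=..' strings for the closest pair.

    Empty when a common proposal exists. Otherwise the local/remote pair with the
    fewest differing parameters is taken as the intended match, so the strings
    returned name the setting to correct on one side.
    """
    if find_common_proposal(local, remote) is not None:
        return []
    best = None
    for loc, rem in product(local, remote):
        diffs = [p for p in PARAMETERS if getattr(loc, p) != getattr(rem, p)]
        if best is None or len(diffs) < len(best[0]):
            best = (diffs, loc, rem)
    diffs, loc, rem = best
    return [f"{p}: local={getattr(loc, p)} remote={getattr(rem, p)}" for p in diffs]


# Constructed sample configurations for two endpoints (not real Firebox output).
LOCAL = [Phase1Proposal("AES-256", "SHA2-256", 14), Phase1Proposal("AES-256", "SHA1", 2)]
REMOTE_MISMATCH = [Phase1Proposal("AES-256", "SHA2-256", 2)]   # only the DH group differs
REMOTE_OK = [Phase1Proposal("3DES", "SHA1", 2), Phase1Proposal("AES-256", "SHA1", 2)]

if __name__ == "__main__":
    print("match:", find_common_proposal(LOCAL, REMOTE_OK))
    print("mismatch:", diagnose_mismatch(LOCAL, REMOTE_MISMATCH))
```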

Possible Causes and Solutions

Possible Cause: Encryption algorithms differ between BOVPN endpoints.

Solution: Configure identical Phase 1 encryption algorithms on both BOVPN endpoints (for example, AES‑256 on both sides). For more information, go to:

Locally-Managed: Configure Phase 1 and Phase 2 Settings

Cloud-Managed: Configure BOVPN Security Settings

Possible Cause: DH groups differ between BOVPN endpoints.

Solution: Select the same DH group on both endpoints (for example, Group 14). Make sure that both devices support the selected DH group. For more information, go to:

Locally-Managed: About Diffie-Hellman Groups

Cloud-Managed: Configure BOVPN Security Settings

Related Topics

Manual Branch Office VPN Tunnels

About Firebox Logging and Notification (Locally-managed Fireboxes)

Monitor Traffic on Fireboxes and FireClusters (Cloud-managed Fireboxes)