Phase 2 Proposal or PFS Mismatch in BOVPNs

Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes

Phase 2 BOVPN negotiation fails when the VPN peers use different ESP encryption, authentication, or Perfect Forward Secrecy (PFS) settings. For a BOVPN tunnel to establish successfully, both endpoints must use the same Phase 2 (IPSec) proposals. When these settings do not match, the Firebox rejects the Phase 2 negotiation and the tunnel does not pass traffic.

Symptoms

When the BOVPN endpoints use different ESP encryption, authentication, or Perfect Forward Secrecy (PFS) settings, you typically see these symptoms:

  • The BOVPN tunnel completes Phase 1 negotiation but fails or drops at Phase 2.
  • The tunnel briefly connects and then disconnects.
  • Phase 2 negotiation errors appear in log messages.
  • Encrypted traffic does not pass between tunnel endpoints.

Diagnostic Steps

For each BOVPN endpoint, perform these steps:

  1. Go to the Phase 2 (IPSec/ESP) settings for the BOVPN tunnel.
  2. Compare the configured ESP encryption algorithms on both endpoints.
  3. Compare the configured authentication algorithms on both endpoints.
  4. Compare the PFS settings on both endpoints. If PFS is enabled, verify that both endpoints use the same Diffie‑Hellman (DH) group.
  5. Review log messages related to Phase 2 proposal or PFS mismatches. Examples:
     Phase 2 proposal mismatch
     Received proposal without PFS

For a non-VIF BOVPN tunnel, Phase 2 negotiations can also fail if the tunnel route differs between the two tunnel endpoints.
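The comparison in the diagnostic steps above, written as an added example that is not part of this page or of any Firebox tooling. It models each peer's Phase 2 settings in a constructed data structure (the field names and the sample sites are assumptions), then reports every mismatch a practitioner would check by hand: ESP encryption, authentication, PFS enabled on only one side, differing DH groups, and, for a non-VIF tunnel, tunnel routes whose local and remote networks are not mirrored.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Phase2Settings:
    """Constructed model of one BOVPN peer's Phase 2 (IPSec/ESP) settings."""
    encryption: str                 # ESP encryption algorithm, e.g. "AES-256"
    authentication: str             # ESP authentication algorithm, e.g. "SHA2-256"
    pfs_dh_group: Optional[int]     # DH group when PFS is enabled, None when PFS is off
    # Non-VIF tunnel route as seen from this peer (assumed representation).
    local_networks: FrozenSet[str] = field(default_factory=frozenset)
    remote_networks: FrozenSet[str] = field(default_factory=frozenset)


def find_phase2_mismatches(a: Phase2Settings, b: Phase2Settings) -> List[str]:
    """Return a list of human-readable mismatches; an empty list means the peers agree."""
    issues: List[str] = []
    if a.encryption != b.encryption:
        issues.append(f"ESP encryption differs: {a.encryption} vs {b.encryption}")
    if a.authentication != b.authentication:
        issues.append(f"ESP authentication differs: {a.authentication} vs {b.authentication}")
    # PFS must be enabled on both peers or on neither; if on both, the DH group must match.
    if (a.pfs_dh_group is None) != (b.pfs_dh_group is None):
        issues.append("PFS is enabled on only one peer")
    elif a.pfs_dh_group != b.pfs_dh_group:
        issues.append(f"PFS DH group differs: {a.pfs_dh_group} vs {b.pfs_dh_group}")
    # For a non-VIF tunnel, A's local networks must be B's remote networks and vice versa.
    if a.local_networks != b.remote_networks or a.remote_networks != b.local_networks:
        issues.append("Tunnel route differs: local/remote networks are not mirrored")
    return issues


# Constructed sample: Site B has PFS disabled, so Phase 2 fails with "Received proposal without PFS".
SITE_A = Phase2Settings("AES-256", "SHA2-256", 14,
                        frozenset({"10.0.1.0/24"}), frozenset({"10.0.2.0/24"}))
SITE_B = Phase2Settings("AES-256", "SHA2-256", None,
                        frozenset({"10.0.2.0/24"}), frozenset({"10.0.1.0/24"}))

if __name__ == "__main__":
    for issue in find_phase2_mismatches(SITE_A, SITE_B) or ["Phase 2 settings match"]:
        print(issue)
```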

Possible Causes and Solutions

Possible Cause: Phase 2 negotiation fails due to a proposal mismatch, PFS being enabled on only one peer, or the use of different Diffie‑Hellman (DH) groups.
Solution: Configure both sides of the BOVPN tunnel to use the same settings. For more information, go to:
  • Locally-Managed: Configure Phase 2 Settings
  • Cloud-Managed: Configure BOVPN Security Settings

Possible Cause: One VPN endpoint does not support the proposed algorithms.
Solution: Change the Phase 2 proposal to use algorithms supported by both endpoints. For more information, go to:
  • Locally-Managed: Configure Phase 2 Settings
  • Cloud-Managed: Configure BOVPN Security Settings

Possible Cause: For a non‑VIF BOVPN tunnel, the configured tunnel route differs between the two endpoints.
Solution: Verify that both BOVPN peers use identical tunnel route definitions and network selectors, and update the configuration so the local and remote networks are defined the same on both endpoints. For more information, go to:
  • Locally-Managed: Manual Branch Office VPN Tunnels
  • Cloud-Managed: Manage BOVPNs for Cloud-Managed Fireboxes

Related Topics

Manual Branch Office VPN Tunnels