Site to Site VPN between Ubiquiti and WatchGuard IKEv2 "No Proposal Chosen"

I have sites where I've setup site to site VPN between Ubiquiti UDM Pro Max and WatchGuard. Using IKEv2 shows an error message "No Proposal Chosen" in System Manager; however using IKEv1 works fine. Is there a different encryption algorithm between Ubiquiti and WatchGuard with IKEv2?

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @kiffin

    There's a number of encryption/authentication schemes in both IKEv1 and IKEv2. It's very likely that the Ubiquiti side is changing another setting when you move to IKEv2. The settings for both Phase 1 and Phase 2 must match.

    The Ubiquiti is responding back to the WatchGuard that it doesn't like something in the proposal -- I'd suggest checking the logs on the Ubiquiti side -- it should be outputting what proposal it is getting, and potentially what it wants. If the settings match between the two sides, the tunnel should come up.

    -James Carson
    WatchGuard Customer Support
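    To make the "settings must match" point concrete, here is an added example (not code from the thread, WatchGuard or Ubiquiti) that models how an IKEv2 responder picks a proposal: it walks its own proposals in preference order and accepts the first one that shares a transform of every required type (ENCR, INTEG, PRF, D-H) with one of the initiator's proposals, otherwise it answers NO_PROPOSAL_CHOSEN (RFC 7296, section 2.7). The proposal names, transform labels and the two constructed configurations are assumptions for illustration; the D-H-group-only mismatch shows the kind of quietly changed default that produces exactly this error while everything else looks identical on both sides.

```python
"""Check two IPsec peers' IKEv2 proposals for a common transform set.

Responder logic per RFC 7296: accept the first local proposal that overlaps
with a remote proposal in every transform type that is in use; otherwise
reply with NO_PROPOSAL_CHOSEN. Transform names here are illustrative labels
chosen for this example, not IANA identifiers or vendor setting names.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    name: str
    encr: frozenset    # encryption algorithms (with key length)
    integ: frozenset   # integrity; empty for AEAD ciphers such as AES-GCM
    prf: frozenset     # pseudo-random function; empty for ESP (Phase 2)
    dh: frozenset      # D-H group; empty for ESP when PFS is off


TRANSFORM_TYPES = ("encr", "integ", "prf", "dh")


def common_transforms(local, remote):
    """Per-type intersection of two proposals.

    Returns (chosen, missing): chosen maps each used type to one shared
    transform; missing lists the types where the two sides share nothing.
    """
    chosen, missing = {}, []
    for t in TRANSFORM_TYPES:
        l, r = getattr(local, t), getattr(remote, t)
        if not l and not r:
            continue  # type not used on either side (e.g. INTEG with AEAD)
        both = l & r
        if both:
            chosen[t] = sorted(both)[0]  # any common value satisfies the responder
        else:
            missing.append(t)
    return chosen, missing


def negotiate(local_props, remote_props):
    """Responder's selection over two ordered proposal lists.

    Returns {"status": "ok", ...} with the chosen pair and transforms, or
    {"status": "NO_PROPOSAL_CHOSEN", "mismatches": [...]} where each entry is
    (local name, remote name, transform types with no overlap).
    """
    mismatches = []
    for local in local_props:
        for remote in remote_props:
            chosen, missing = common_transforms(local, remote)
            if not missing:
                return {"status": "ok", "local": local.name,
                        "remote": remote.name, "transforms": chosen}
            mismatches.append((local.name, remote.name, missing))
    return {"status": "NO_PROPOSAL_CHOSEN", "mismatches": mismatches}


# Constructed Phase 1 configurations (assumed values, not either vendor's
# defaults): identical except for the D-H group.
FIREBOX_P1 = [Proposal("fb-aes256-sha256-dh14",
                       frozenset({"AES-CBC-256"}), frozenset({"HMAC-SHA256-128"}),
                       frozenset({"PRF-HMAC-SHA256"}), frozenset({"MODP-2048"}))]
UDM_P1 = [Proposal("udm-aes256-sha256-dh19",
                   frozenset({"AES-CBC-256"}), frozenset({"HMAC-SHA256-128"}),
                   frozenset({"PRF-HMAC-SHA256"}), frozenset({"ECP-256"}))]
UDM_P1_FIXED = [Proposal("udm-aes256-sha256-dh14",
                         frozenset({"AES-CBC-256"}), frozenset({"HMAC-SHA256-128"}),
                         frozenset({"PRF-HMAC-SHA256"}), frozenset({"MODP-2048"}))]

# Constructed Phase 2 (ESP) configurations: AEAD on one side, CBC+HMAC on the
# other, so both ENCR and INTEG fail to overlap.
FIREBOX_P2 = [Proposal("fb-esp-aes256gcm", frozenset({"AES-GCM-16-256"}),
                       frozenset(), frozenset(), frozenset({"MODP-2048"}))]
UDM_P2 = [Proposal("udm-esp-aes256-sha1", frozenset({"AES-CBC-256"}),
                   frozenset({"HMAC-SHA1-96"}), frozenset(), frozenset({"MODP-2048"}))]

if __name__ == "__main__":
    for label, l, r in (("phase1", FIREBOX_P1, UDM_P1),
                        ("phase1-fixed", FIREBOX_P1, UDM_P1_FIXED),
                        ("phase2", FIREBOX_P2, UDM_P2)):
        print(label, negotiate(l, r))
```

    Feed it the two sides' actual Phase 1 and Phase 2 proposal lists (as printed in each device's IKE log) and the `mismatches` list names the transform type to go look at, which is usually faster than comparing two GUIs field by field.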


  • The tunnel works, just system manager shows this error.

  • @kiffin said:
    The tunnel works, just system manager shows this error.

    I've seen this before where if you have a user endpoint device that also attempts an IPsec VPN connection (IKEv1/v2) from behind the same public IP address as the Ubiquiti (in this case - if "gateway.38" is that side), it can throw similar errors on the Firebox side.
    In my case it was because we had Windows "Always On VPN" trying to initiate a VPN connection which the Firebox [in our case] had already initiated to the same endpoint.

    Check the logs on the Firebox to confirm that the IKE errors do come from the public IP of the Ubiquiti device, and see what happens if you block outbound requests from behind the Ubiquiti device to the Firebox (but still permitting the Ubiquiti device itself to initiate the IPsec tunnel to the Firebox).
    This would require a temporary change if possible on the Ubiquiti configuration.
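    As an added example of the log triage suggested above (not code from the thread or from WatchGuard; the log line format, IP addresses and identities are constructed for this example, not Firebox syntax), the script below groups NO_PROPOSAL_CHOSEN events by source address, port, negotiation role and IKE identity. When the Firebox initiates the gateway tunnel, a genuine tunnel failure shows up with the Firebox as initiator and the gateway's own IKE ID; errors from the same public IP but with a different identity, or arriving while the Firebox is the responder, point at a stray client behind that NAT such as the "Always On VPN" case described.

```python
"""Triage IKE NO_PROPOSAL_CHOSEN events by source and negotiation role.

The key=value log format below is invented for this example; adjust LINE_RE
to match the fields your firewall actually logs.
"""
import re
from collections import Counter

# Constructed sample log. 203.0.113.10 is the gateway's public IP (assumed);
# the Firebox initiates the gateway tunnel, so legitimate gateway traffic
# appears with role=initiator and the gateway's IKE ID.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z iked role=initiator peer=203.0.113.10:500 id=gateway.38 msg=IKE_SA_INIT ok
2024-05-01T10:00:02Z iked role=initiator peer=203.0.113.10:500 id=gateway.38 msg=IKE_AUTH ok
2024-05-01T10:03:17Z iked role=responder peer=203.0.113.10:4500 id=laptop-07.example.net msg=NO_PROPOSAL_CHOSEN
2024-05-01T10:03:19Z iked role=responder peer=203.0.113.10:4500 id=laptop-07.example.net msg=NO_PROPOSAL_CHOSEN
2024-05-01T10:05:40Z iked role=responder peer=198.51.100.7:500 id=198.51.100.7 msg=NO_PROPOSAL_CHOSEN
"""

LINE_RE = re.compile(
    r"role=(?P<role>\w+) peer=(?P<ip>[\d.]+):(?P<port>\d+) id=(?P<id>\S+) msg=(?P<msg>\S+)"
)


def parse(log_text):
    """Return one dict per parseable line; lines without the fields are skipped."""
    return [m.groupdict() for m in map(LINE_RE.search, log_text.splitlines()) if m]


def triage(events, gateway_ip, gateway_id, error="NO_PROPOSAL_CHOSEN"):
    """Bucket error events into three categories.

    from_gateway:          the gateway tunnel itself is failing negotiation
    stray_behind_gateway:  same public IP, but another identity or a
                           responder-side negotiation (a client behind the NAT)
    other:                 peers unrelated to this tunnel
    Each bucket counts (ip, port, role, id) tuples.
    """
    report = {"from_gateway": Counter(),
              "stray_behind_gateway": Counter(),
              "other": Counter()}
    for e in events:
        if e["msg"] != error:
            continue
        key = (e["ip"], e["port"], e["role"], e["id"])
        if e["ip"] != gateway_ip:
            bucket = "other"
        elif e["id"] == gateway_id and e["role"] == "initiator":
            bucket = "from_gateway"
        else:
            bucket = "stray_behind_gateway"
        report[bucket][key] += 1
    return report


if __name__ == "__main__":
    for bucket, counts in triage(parse(SAMPLE_LOG), "203.0.113.10", "gateway.38").items():
        print(bucket)
        for key, n in counts.items():
            print("   ", n, "x", key)
```

    In the constructed sample, none of the errors come from the gateway negotiation itself; two come from a host behind the gateway's public IP on UDP 4500 with its own identity, and one from an unrelated address, which is the split you would want to see before touching the working tunnel's configuration.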

  • james.carson Moderator, WatchGuard Representative

    @kiffin That error is something the other side is sending -- the firebox is just displaying it.

    -James Carson
    WatchGuard Customer Support

  • @PhilT_VIT said:

    @kiffin said:
    The tunnel works, just system manager shows this error.

    I've seen this before where if you have a user endpoint device that also attempts an IPsec VPN connection (IKEv1/v2) from behind the same public IP address as the Ubiquiti (in this case - if "gateway.38" is that side), it can throw similar errors on the Firebox side.
    In my case it was because we had Windows "Always On VPN" trying to initiate a VPN connection which the Firebox [in our case] had already initiated to the same endpoint.

    Check the logs on the Firebox to confirm that the IKE errors do come from the public IP of the Ubiquiti device, and see what happens if you block outbound requests from behind the Ubiquiti device to the Firebox (but still permitting the Ubiquiti device itself to initiate the IPsec tunnel to the Firebox).
    This would require a temporary change if possible on the Ubiquiti configuration.

    I'll investigate. Thanks for the tip!
