IPSec Tunnel's Encryption Settings Mismatch

Note: This topic applies to the Leeds Release.

IPSec encryption settings are now strictly enforced: both ends of the tunnel must use the same encryption algorithms (including key size), the same hash algorithms and the same phase 1 Diffie-Hellman group. Previously, a mismatch was allowed and the tunnel still connected.

In earlier releases you were warned when a mismatch was found in a connected tunnel, giving you the opportunity to resolve it before upgrading to this release, where such a mismatch stops the tunnel from connecting. A mismatch in the encryption settings of a tunnel that is not connected cannot be preempted or detected automatically, so the settings of every tunnel must be checked by hand.

What do I need to do?

You must check the following for each IPSec tunnel:

Matching phase 1 and phase 2 cryptographic algorithms (including key size)
Matching phase 1 and phase 2 hash algorithms
Matching phase 1 Diffie-Hellman group algorithm

Note: Phase 2 Diffie-Hellman group algorithm does not need to match on both ends of the tunnel.

IPSec encryption settings are found in the Smoothwall administration user interface, Network > VPN > IPSec subnets page — you must edit each tunnel separately. For a detailed description of how to do this, see Creating an IPSec Subnet VPN.

Smoothwall supports the following:

Encryption algorithm
AES, with 128- or 256-bit keys

Authentication type

Hashing algorithm
The use of MD5 hashing is not recommended, although it will continue to be supported for backwards compatibility.

Diffie-Hellman group algorithms
2, 14, 15, 16, 17, 18, 19, 20, 21, 24

Note: Support for group 2 (the 1024-bit Diffie-Hellman group) may be deprecated in a future release.
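The per-tunnel checks above can be scripted so that both ends' settings are compared before the upgrade rather than discovered as a tunnel that will not connect. The following is an added example, not Smoothwall's own code and not a Smoothwall API: it takes the phase 1 and phase 2 settings each administrator has entered in the IPSec subnets page, transcribed here into constructed sample values, and reports every mismatch that will stop the tunnel connecting, plus the settings this page recommends against (MD5 hashing, Diffie-Hellman group 2). The Phase and TunnelEnd structures, their field names, the "hq" and "branch" sample tunnel ends and the rule that only AES key sizes are validated are assumptions made for illustration.

```python
"""Compare the IPSec proposal settings entered at both ends of a Smoothwall tunnel.

Added example, not Smoothwall code. The two endpoint configurations are
constructed by hand from what each administrator entered in Network > VPN >
IPSec subnets. Rules applied:
  - phase 1 and phase 2 cipher (including key size) and hash must match
  - phase 1 Diffie-Hellman group must match
  - phase 2 Diffie-Hellman group need not match
  - MD5 hashing and DH group 2 are reported as warnings, not errors
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Values listed as supported on this page.
SUPPORTED_DH_GROUPS = {2, 14, 15, 16, 17, 18, 19, 20, 21, 24}
SUPPORTED_AES_KEY_SIZES = {128, 256}


@dataclass(frozen=True)
class Phase:
    """One IKE phase as entered in the UI (field names are assumptions)."""
    cipher: str                 # e.g. "aes"
    key_size: int               # bits
    hash_alg: str               # e.g. "sha256", "md5"
    dh_group: Optional[int]     # None when no PFS group is set (phase 2 only)


@dataclass(frozen=True)
class TunnelEnd:
    name: str
    phase1: Phase
    phase2: Phase


def compare_tunnel(local: TunnelEnd, remote: TunnelEnd) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings).

    Any error means the tunnel will not connect once settings are strictly
    enforced; warnings flag settings that still work but are discouraged.
    """
    errors: List[str] = []
    warnings: List[str] = []

    # Settings that must be identical at both ends. The phase 2 DH group is
    # deliberately left out because it does not need to match.
    checks = [
        ("phase 1 cipher", local.phase1.cipher, remote.phase1.cipher),
        ("phase 1 key size", local.phase1.key_size, remote.phase1.key_size),
        ("phase 1 hash", local.phase1.hash_alg, remote.phase1.hash_alg),
        ("phase 1 DH group", local.phase1.dh_group, remote.phase1.dh_group),
        ("phase 2 cipher", local.phase2.cipher, remote.phase2.cipher),
        ("phase 2 key size", local.phase2.key_size, remote.phase2.key_size),
        ("phase 2 hash", local.phase2.hash_alg, remote.phase2.hash_alg),
    ]
    for label, ours, theirs in checks:
        if ours != theirs:
            errors.append(f"{label} mismatch: {local.name}={ours} {remote.name}={theirs}")

    # Per-end validity and advisory checks against the supported list.
    for end in (local, remote):
        for ph_name, ph in (("phase 1", end.phase1), ("phase 2", end.phase2)):
            if ph.cipher == "aes" and ph.key_size not in SUPPORTED_AES_KEY_SIZES:
                errors.append(f"{end.name} {ph_name}: unsupported AES key size {ph.key_size}")
            if ph.dh_group is not None and ph.dh_group not in SUPPORTED_DH_GROUPS:
                errors.append(f"{end.name} {ph_name}: unsupported DH group {ph.dh_group}")
            if ph.hash_alg == "md5":
                warnings.append(f"{end.name} {ph_name}: MD5 hashing is not recommended")
            if ph.dh_group == 2:
                warnings.append(f"{end.name} {ph_name}: DH group 2 (1024-bit) may be deprecated")
    return errors, warnings


# Constructed sample: the local end was left on an older phase 1 proposal
# (AES-128, MD5, group 2) while the remote end was tightened to AES-256,
# SHA-256, group 14. The phase 2 PFS groups differ, which is allowed.
LOCAL = TunnelEnd("hq", Phase("aes", 128, "md5", 2), Phase("aes", 128, "sha1", 14))
REMOTE = TunnelEnd("branch", Phase("aes", 256, "sha256", 14), Phase("aes", 128, "sha1", 19))

if __name__ == "__main__":
    errs, warns = compare_tunnel(LOCAL, REMOTE)
    for line in errs:
        print("ERROR  ", line)
    for line in warns:
        print("WARNING", line)
    print("tunnel will connect" if not errs else "tunnel will NOT connect")
```

Run against the sample, the script reports three phase 1 errors (key size, hash and DH group) and no phase 2 error despite the differing PFS groups; bringing the local phase 1 settings in line with the remote end clears both the errors and the MD5 and group 2 warnings.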