1.2/1.3 versions are used IKE DH-group '2' by default, if not set any other proposal configuration.
1.4 doesn't use any IKE DH-group by default.
To reproduce
1.3 configuration:
set interfaces vti vti2 address '10.0.0.1/30' set vpn ipsec esp-group ESP-GRP-VTI compression 'disable' set vpn ipsec esp-group ESP-GRP-VTI lifetime '1800' set vpn ipsec esp-group ESP-GRP-VTI mode 'tunnel' set vpn ipsec esp-group ESP-GRP-VTI pfs 'enable' set vpn ipsec esp-group ESP-GRP-VTI proposal 1 encryption 'aes256' set vpn ipsec esp-group ESP-GRP-VTI proposal 1 hash 'sha1' set vpn ipsec ike-group IKE-GRP-VTI ikev2-reauth 'no' set vpn ipsec ike-group IKE-GRP-VTI key-exchange 'ikev1' set vpn ipsec ike-group IKE-GRP-VTI lifetime '3600' set vpn ipsec ike-group IKE-GRP-VTI proposal 1 encryption 'aes256' set vpn ipsec ike-group IKE-GRP-VTI proposal 1 hash 'sha1' set vpn ipsec ipsec-interfaces interface 'eth1' set vpn ipsec site-to-site peer 192.0.2.2 authentication mode 'pre-shared-secret' set vpn ipsec site-to-site peer 192.0.2.2 authentication pre-shared-secret 'SeCrEt' set vpn ipsec site-to-site peer 192.0.2.2 ike-group 'IKE-GRP-VTI' set vpn ipsec site-to-site peer 192.0.2.2 local-address '192.0.2.1' set vpn ipsec site-to-site peer 192.0.2.2 vti bind 'vti2' set vpn ipsec site-to-site peer 192.0.2.2 vti esp-group 'ESP-GRP-VTI'
1.4 configuration:
set interfaces vti vti2 address '10.0.0.2/30' set vpn ipsec esp-group ESP-GRP-VTI compression 'disable' set vpn ipsec esp-group ESP-GRP-VTI lifetime '1800' set vpn ipsec esp-group ESP-GRP-VTI mode 'tunnel' set vpn ipsec esp-group ESP-GRP-VTI pfs 'enable' set vpn ipsec esp-group ESP-GRP-VTI proposal 1 encryption 'aes256' set vpn ipsec esp-group ESP-GRP-VTI proposal 1 hash 'sha1' set vpn ipsec ike-group IKE-GRP-VTI ikev2-reauth 'no' set vpn ipsec ike-group IKE-GRP-VTI key-exchange 'ikev1' set vpn ipsec ike-group IKE-GRP-VTI lifetime '3600' set vpn ipsec ike-group IKE-GRP-VTI proposal 1 encryption 'aes256' set vpn ipsec ike-group IKE-GRP-VTI proposal 1 hash 'sha1' set vpn ipsec interface 'eth1' set vpn ipsec site-to-site peer 192.0.2.1 authentication mode 'pre-shared-secret' set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret 'SeCrEt' set vpn ipsec site-to-site peer 192.0.2.1 ike-group 'IKE-GRP-VTI' set vpn ipsec site-to-site peer 192.0.2.1 local-address '192.0.2.2' set vpn ipsec site-to-site peer 192.0.2.1 vti bind 'vti2' set vpn ipsec site-to-site peer 192.0.2.1 vti esp-group 'ESP-GRP-VTI'
1.4 Logs:
Aug 3 17:33:08 r1-roll ipsec_starter[3344]: charon (3346) started after 60 ms Aug 3 17:33:08 r1-roll charon: 07[CFG] loaded IKE shared key with id 'ike_192-0-2-1' for: '192.0.2.2', '192.0.2.1' Aug 3 17:33:08 r1-roll charon: 12[CFG] a DH group is mandatory in IKE proposals
To get it working, needs to set dh-group 2 for 1.4
set vpn ipsec ike-group IKE-GRP-VTI proposal 1 dh-group 2