Description
This article describes the following error message, which appears when trying to SSH from the FortiGate: 'Unable to negotiate with 169.254.0.1: no matching cipher found'. The offer: chacha20-poly1305@openssh.com,aes256-ctr,aes256-gcm@openssh.com.
Scope
FortiGate v6.x.x and v7.x.x.
Solution
This error can occur if the available SSH ciphers have been modified, or if the connected device does not support secure ciphers. If a user tries to connect to a device that only supports insecure ciphers, this error will occur if ‘strong-crypto’ is enabled and no appropriate cipher is allowed.
To view the ciphers which are available to the FortiGate to use, execute the following commands:
config system global
From the example above, chacha20-poly1305@openssh.com, aes256-ctr, and aes256-gcm are currently enabled. This is the default when ‘strong-crypto’ is enabled. If needed, it is possible to disable this option and choose an insecure cipher to add.
Below is a table outlining the ciphers available to the FortiGate, and whether or not they need 'strong-crypto':
If the device connected to requires ‘arcfour’, for example, it is possible to append it to the allowed ciphers list by executing ‘append ssh-enc-algo arcfour’. It will then be possible to connect to the device.
This error can also occur when ‘ssh-kex-algo’ or ‘ssh-mac-algo’ requires modification; the steps are the same as for ‘ssh-enc-algo’.
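The following Python helper is an added example, not part of the original article or any Fortinet tooling. It parses the negotiation error, maps it to the setting named above, and, when a cipher has to be appended, picks the least-weak cipher the peer offers rather than defaulting to ‘arcfour’. The "Their offer" message wording, the weakness tiers and the sample lines are assumptions constructed for illustration.

```python
import re

# Default allowed ciphers with strong-crypto enabled, as quoted in the article.
FORTIGATE_ALLOWED = ["chacha20-poly1305@openssh.com", "aes256-ctr",
                     "aes256-gcm@openssh.com"]

# The three settings the article names. The message wording per setting is an
# assumption (OpenSSH-style negotiation errors).
SETTING_FOR = {"cipher": "ssh-enc-algo",
               "key exchange method": "ssh-kex-algo",
               "MAC": "ssh-mac-algo"}
ERROR_RE = re.compile(r"no matching (cipher|key exchange method|MAC) found"
                      r"\.?\s*(?:Their|The) offer:\s*(\S+)")

def weakness(cipher):
    """Rough tier, 0 = best. General SSH guidance, not Fortinet's table."""
    if cipher.startswith(("arcfour", "3des", "blowfish", "cast128")):
        return 2  # RC4 or 64-bit block ciphers
    if cipher.endswith("-cbc") or "cbc@" in cipher:
        return 1  # CBC mode with a 128-bit block cipher
    return 0      # CTR or AEAD modes

def triage(error_line, allowed=None):
    """Return the setting to review and, for ciphers, the least-weak addition."""
    m = ERROR_RE.search(error_line)
    if not m:
        return None
    kind = m.group(1)
    offer = m.group(2).rstrip(".").split(",")
    if allowed is None and kind == "cipher":
        allowed = FORTIGATE_ALLOWED
    result = {"setting": SETTING_FOR[kind], "peer_offer": offer,
              "common": None, "append": None, "weakens": False}
    if allowed is not None:
        result["common"] = [a for a in allowed if a in offer]
    if kind == "cipher" and not result["common"]:
        # min() is stable: among equally weak ciphers the peer's order wins.
        result["append"] = min(offer, key=weakness)
        result["weakens"] = weakness(result["append"]) > 0
    return result

# Constructed sample lines (not captured from a real device).
SAMPLE_CIPHER = "Unable to negotiate with 169.254.0.1: no matching cipher found. Their offer: arcfour,3des-cbc,aes128-cbc"
SAMPLE_KEX = "Unable to negotiate with 169.254.0.1: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1"

if __name__ == "__main__":
    print(triage(SAMPLE_CIPHER))
    print(triage(SAMPLE_KEX))
```

Whether the FortiGate accepts the suggested value still has to be checked against the table of available ciphers; a result with "weakens" set to True means the change lowers the allowed cipher strength for every outbound SSH session, not just the one peer.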
Refer to the charts below for available ciphers:
Copyright 2025 Fortinet, Inc. All Rights Reserved.