I'm hoping someone with greater knowledge of IPSec encryption and GH groups than I can explain this weirdness encountered last night.

Last Friday (5/1; I know, no changes on Friday but was a necessity), I had updated my PSK (lost to time what it was originally) and the encryption/DH groups for the Phase 1 and Phase 2 of one of my IPSec tunnels. If it matters, running on FortiGate 7.2.13 on 101Es.

Both sides were updated to:

Phase 1: AES256GCM-PRFSHA384, AES256-SHA256, DH20

Phase 2: AES256GCM, DH20

Unknown to me, the phase 2 change did NOT stick on the remote end. It reverted itself to:

Phase 2:aes128-sha1, aes256-sha1, aes128-sha256, aes256-sha256, aes128gcm, aes256gcm, chacha20poly1305, DH 14,5

For the last 5.5 days, the tunnel was up, happy, and functioning.

Yesterday, replaced my routers on my local end upgrading to newer hardware (101E v7.2.13 to 121G v7.4.11). Tunnels came up exactly as expected, worked all working hours until ~6:30PM. Then suddenly, tunnel stops working, phase 2 negotiation failure.

My understanding is that this tunnel should have been complaining since Friday about Phase 2 mismatch, but it worked for 5.5 days before just suddenly stopped.

Does anyone have any information on how a phase 2 with one side using DH 20 and the other DH 14/5 was even able to function for that stretch of time.