Problem
Unable to connect to a device through SSH from a FortiGate. The peer only offers legacy MAC algorithms (HMAC-MD5, HMAC-SHA1, HMAC-RIPEMD160), none of which the FortiGate's SSH client accepts while strong-crypto is enabled, so the session fails before authentication:
FGT1 # execute ssh admin@192.168.1.100
Unable to negotiate with 192.168.1.100: no matching MAC found. Their offer: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-md5-96
Solution (allow INSECURE algorithms)
The error names the MAC, so the ssh-mac-algo line is the one that matters here; the ssh-kex-algo line is only needed if the next error is about the key exchange. The full list below also enables MD5 and RIPEMD-160; for the peer above, adding only hmac-sha1 next to the SHA-2 entries is enough and is the least weak choice.
config system global
set strong-crypto disable
set ssh-mac-algo hmac-md5 hmac-md5-etm@openssh.com hmac-md5-96 hmac-md5-96-etm@openssh.com hmac-sha1 hmac-sha1-etm@openssh.com hmac-sha2-256 hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-512-etm@openssh.com hmac-ripemd160 hmac-ripemd160@openssh.com hmac-ripemd160-etm@openssh.com umac-64@openssh.com umac-128@openssh.com umac-64-etm@openssh.com umac-128-etm@openssh.com
set ssh-kex-algo diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256 curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521
end
After you have finished your work, re-enable strong crypto and return both lists to their defaults:
config system global
set strong-crypto enable
unset ssh-mac-algo
unset ssh-kex-algo
end
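As an added example (not from the original post and not Fortinet code), a small POSIX shell script that parses the "Unable to negotiate" error, picks the least weak MAC the peer offers, and prints a narrower ssh-mac-algo line than the full list above. The SHA-2 baseline list, the preference order, and the rule that hmac-sha1 is the acceptable floor (MD5 and RIPEMD-160 are never selected) are this example's own assumptions.

```shell
#!/bin/sh
# Added example: parse the FortiGate "Unable to negotiate" error and emit the
# narrowest FortiOS change. Not Fortinet code; the baseline list and the
# preference order below are this example's assumptions.

# Constructed sample input: the error text from the page, as one string.
SAMPLE_ERR='Unable to negotiate with 192.168.1.100: no matching MAC found. Their offer: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-md5-96'

# Assumed baseline: the SHA-2 MACs taken from the page's own ssh-mac-algo list.
SHA2_SET='hmac-sha2-256 hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-512-etm@openssh.com'

# Preference order, strongest first. hmac-sha1 is the floor: MD5 and
# RIPEMD-160 MACs are never selected even if they are all the peer offers.
PREFERRED="$SHA2_SET hmac-sha1-etm@openssh.com hmac-sha1"

# Which algorithm class failed to negotiate ("MAC", "cipher", "key exchange method").
failed_category() {
    printf '%s\n' "$1" | sed -n 's/.*no matching \(.*\) found.*/\1/p'
}

# The algorithms the peer offered, one per line.
offered_macs() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: //p' | tr ',' '\n'
}

# The strongest entry of PREFERRED that the peer also offers; exit 1 if none
# (or if the error is not about the MAC at all).
pick_mac() {
    [ "$(failed_category "$1")" = "MAC" ] || return 1
    offered=$(offered_macs "$1")
    for m in $PREFERRED; do
        if printf '%s\n' "$offered" | grep -qxF "$m"; then
            printf '%s\n' "$m"
            return 0
        fi
    done
    return 1
}

# Emit the FortiOS CLI that adds only the picked MAC to the baseline.
fortios_snippet() {
    mac=$(pick_mac "$1") || {
        echo "# no acceptable MAC in the peer's offer; do not widen ssh-mac-algo" >&2
        return 1
    }
    case " $SHA2_SET " in
        *" $mac "*)
            echo "# peer already offers $mac; the baseline should work, look elsewhere" >&2
            return 0 ;;
    esac
    cat <<EOF
config system global
    set strong-crypto disable
    set ssh-mac-algo $mac $SHA2_SET
end
EOF
}

fortios_snippet "$SAMPLE_ERR"
```

Paste the FortiGate's error text in place of SAMPLE_ERR. If the peer offers nothing but MD5 or RIPEMD-160 MACs, or the failure is about the cipher or key exchange instead, the script refuses and exits 1; that is the signal to reach the device some other way rather than widen the list further.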
Further details
Devices connected through CAPWAP (e.g. FortiAP or FortiSwitch) may lose their connection to the FortiGate when you change the strong-crypto setting.
I would recommend changing these settings only for a short period of time, or using another path to the device (e.g. SSL VPN / VIP) so the FortiGate's own crypto settings stay untouched.
Sometimes an SSH connection from the FortiGate to another device fails only because that device supports nothing but legacy algorithms. The FortiGate's error message names the category (MAC, cipher or key exchange) and lists exactly what the peer offers, so check that list before widening anything.
Further details are documented in this KB article: Technical Tip: 'Unable to negotiate with x.x.x.x: …' – Fortinet Community
I've tested these changes/settings with FOS 7.2.5 and FOS 7.0.12.