Troubleshooting Tip: FortiGate with Azure VPN failed error 'ike Negotiate SA Error: ike ike [1481]'

Run the IPsec VPN debug:

diagnose debug application ike -1

diagnose debug console timestamp enable

diagnose debug enable

ike 0:Azure_VPN:47553:Azure_VPN:653581: incoming child SA proposal:
ike 0:Azure_VPN:47553:Azure_VPN:653581: proposal id = 1:
ike 0:Azure_VPN:47553:Azure_VPN:653581: protocol = ESP:
ike 0:Azure_VPN:47553:Azure_VPN:653581: encapsulation = TUNNEL
ike 0:Azure_VPN:47553:Azure_VPN:653581: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:Azure_VPN:47553:Azure_VPN:653581: type=INTEGR, val=SHA256
ike 0:Azure_VPN:47553:Azure_VPN:653581: type=DH_GROUP, val=24
ike 0:Azure_VPN:47553:Azure_VPN:653581: type=ESN, val=NO
ike 0:Azure_VPN:47553:Azure_VPN:653581: my proposal:
ike 0:Azure_VPN:47553:Azure_VPN:653581: proposal id = 1:
ike 0:Azure_VPN:47553:Azure_VPN:653581: protocol = ESP:
ike 0:Azure_VPN:47553:Azure_VPN:653581: encapsulation = TUNNEL
ike 0:Azure_VPN:47553:Azure_VPN:653581: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:Azure_VPN:47553:Azure_VPN:653581: type=INTEGR, val=SHA256
ike 0:Azure_VPN:47553:Azure_VPN:653581: type=DH_GROUP, val=MODP2048
ike 0:Azure_VPN:47553:Azure_VPN:653581: type=ESN, val=NO
ike 0:Azure_VPN:47553:Azure_VPN:653581: lifetime=27000
ike 0:Azure_VPN:47553:Azure_VPN:653581: no proposal chosen
ike Negotiate SA Error: ike ike [1481]

To resolve it, configure a different DH group available in FortiGate than 24.

Note:

For 'ike Negotiate SA Error: ike ike [11089]', the solution is the same as above.

Related documents:

Technical Tip: How to check if Diffie-Hellman(DH) group is the same on both peer units

About cryptographic requirements and Azure VPN gateways

Diffie-Hellman groups