ThePro
New Member
March 21, 2019
Question

Forti/MikroTik IPSec issue


I'm trying to set up an IPSec VPN between a Forti (my side) and a MikroTik.

 

You are seeing 192.168.1.101 (that's the local IP for the Forti) because there's a DMZ from the ISP modem/router to the Forti. I have other VPNs with other Fortigates and Ciscos on this same Forti/Site and they are running just fine.

 

Apparently I'm getting an error during Phase1

 

FGT60D4614056671 # ike 0: comes RemoteWAN:4500->192.168.1.101:4500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=dfcbc71ae93abd03/921b208b19fce6f6:b2869163 len=92
ike 0: in DFCBC71AE93ABD03921B208B19FCE6F608100501B28691630000005C21223EE0F891039A0F05F727F401C1E7562F6B701B6700BB7A581E9EAFA79A69A299A019B10400E4FF53F676A18803D409E8BF125B4589FAE89C2ADCC2599A44
ike 0:LG_P1:3031: dec DFCBC71AE93ABD03921B208B19FCE6F608100501B28691630000005C0B000018D1D590C65365399AE98C99F6D4130565C340867A000000200000000101108D28DFCBC71AE93ABD03921B208B19FCE6F6000002ECA25775A13F21D707
ike 0:LG_P1:3031: notify msg received: R-U-THERE
ike 0:LG_P1:3031: enc DFCBC71AE93ABD03921B208B19FCE6F608100501F5E900EB000000540B0000181124FFAD14BD497CF18608F3E0D0A9BA58C576A3000000200000000101108D29DFCBC71AE93ABD03921B208B19FCE6F6000002EC
ike 0:LG_P1:3031: out DFCBC71AE93ABD03921B208B19FCE6F608100501F5E900EB0000005C34BCC8599FF60AF53EF990590719C7EFDCC3554F9BB45935234C28CF459F1FD3B9750F2D914B3BD9D4E1A188722160D6D434C115E9A3B3020FB5B5A4491F0273
ike 0:LG_P1:3031: sent IKE msg (R-U-THERE-ACK): 192.168.1.101:4500->RemoteWAN:4500, len=92, id=dfcbc71ae93abd03/921b208b19fce6f6:f5e900eb
ike 0:LG_P1:LG_P2: IPsec SA connect 5 192.168.1.101->RemoteWAN:4500
ike 0:LG_P1:LG_P2: using existing connection
ike 0:LG_P1:LG_P2: config found
ike 0:LG_P1:LG_P2: IPsec SA connect 5 192.168.1.101->RemoteWAN:4500 negotiating
ike 0:LG_P1:3031: cookie dfcbc71ae93abd03/921b208b19fce6f6:a9585ce1
ike 0:LG_P1:3031:LG_P2:342878: natt flags 0x1f, encmode 1->3
ike 0:LG_P1:3031:LG_P2:342878: initiator selectors 0 0:10.0.50.0/255.255.255.0:0:0->0:192.168.3.0/255.255.255.0:0:0
ike 0:LG_P1:3031: enc DFCBC71AE93ABD03921B208B19FCE6F608102001A9585CE10000016401000018802C1FBA11799662337307C3BC3CD80A36B480720A00003800000001000000010000002C010304014C618BE20000002001030000800100010002000400015180800400038005000280030005040000147F0B0D7879CE8318454E4874831C5673050000C410D6364BE6C78BC1BFF984E91D168513175D6787D1F2A9158FD4F08CE56E038226AAF816ABE458F2D99891080CC4C536DA41C6AD61302367487C1EE299FB956F5F3A3259CB907B1FA9659077B18F59E57D1062FEEC09284792A3C4872F7EC2590EFB32E7065B7978C4F6F433029615CBF06240BEBC0FCF4AFF560C57C1EBF32AB6F89C2F3D6BB07C705ADBF9F38E782E70F40D097256F2EE3B6A41C61D7637BFFEC3B8994400AC0EBEA99E5806100C610B320EFE943C161D3EAEEA2812F024C005000010040000000A003200FFFFFF000000001004000000C0A80300FFFFFF00
ike 0:LG_P1:3031: out
ike 0:LG_P1:3031: sent IKE msg (quick_i1send): 192.168.1.101:4500->RemoteWAN:4500, len=364, id=dfcbc71ae93abd03/921b208b19fce6f6:a9585ce1
ike 0: comes RemoteWAN:4500->192.168.1.101:4500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=dfcbc71ae93abd03/921b208b19fce6f6:ad5452ab len=68
ike 0: in DFCBC71AE93ABD03921B208B19FCE6F608100501AD5452AB00000044B75E987CC44C843CD702AD7347EF23694346B9F0E3EC604067B600469D950D1C9BF2F35E5CCE75EA
ike 0:LG_P1:3031: dec DFCBC71AE93ABD03921B208B19FCE6F608100501AD5452AB000000440B000018A00DD789818D208E9F3FE830EC80447CD0061DBC0000000C000000010100000EA9955603
ike 0:LG_P1:3031: notify msg received: NO-PROPOSAL-CHOSEN
ike 0:LG_P1:3031:: no matching IPsec SPI
ike 0:LG_P1:3031:LG_P2:342878: delete phase2 SPI e28b614c

    1 reply

    ede_pfau
    SuperUser
    March 21, 2019

    No, phase2 is not negotiated successfully. Check the local/remote subnets (quick mode selectors), and then the encryption settings. I'd choose only one set, like SHA256/AES256.
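
The check the reply describes, as an added example that is not part of the original thread: it reads FortiGate IKE debug lines, decides whether a NO-PROPOSAL-CHOSEN notify arrived during quick mode (phase 2), and returns the selectors that were offered so they can be compared with the policy on the MikroTik side. The sample log is the text lines from the question with the hex dumps left out; the function name `triage` and the rule that a notify with no preceding `quick_` message counts as phase 1 are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: the text lines of the debug output posted in the question,
# with the hex dump lines (in/dec/enc/out) left out.
SAMPLE_LOG = """\
ike 0:LG_P1:3031: notify msg received: R-U-THERE
ike 0:LG_P1:3031: sent IKE msg (R-U-THERE-ACK): 192.168.1.101:4500->RemoteWAN:4500, len=92, id=dfcbc71ae93abd03/921b208b19fce6f6:f5e900eb
ike 0:LG_P1:LG_P2: IPsec SA connect 5 192.168.1.101->RemoteWAN:4500 negotiating
ike 0:LG_P1:3031:LG_P2:342878: initiator selectors 0 0:10.0.50.0/255.255.255.0:0:0->0:192.168.3.0/255.255.255.0:0:0
ike 0:LG_P1:3031: sent IKE msg (quick_i1send): 192.168.1.101:4500->RemoteWAN:4500, len=364, id=dfcbc71ae93abd03/921b208b19fce6f6:a9585ce1
ike 0:LG_P1:3031: notify msg received: NO-PROPOSAL-CHOSEN
ike 0:LG_P1:3031:LG_P2:342878: delete phase2 SPI e28b614c
"""

SENT = re.compile(r"ike \d+:(\w+):\d+: sent IKE msg \((\w[\w-]*)\)")
NOTIFY = re.compile(r"ike \d+:(\w+):\d+: notify msg received: ([\w-]+)")
SELECT = re.compile(r"ike \d+:(\w+):\d+:(\w+):\d+: initiator selectors \d+ "
                    r"\d+:([\d.]+/[\d.]+):\d+:\d+->\d+:([\d.]+/[\d.]+):\d+:\d+")
KEEPALIVE = {"R-U-THERE", "R-U-THERE-ACK"}  # dead peer detection, not an error


def triage(log):
    """Return one finding per error notify, tagged with the phase it hit."""
    last_sent, selectors, findings = {}, {}, []
    for line in log.splitlines():
        if m := SELECT.search(line):
            # Netmask notation is normalised to prefix length for comparison.
            local, remote = (str(ipaddress.ip_network(n)) for n in m.group(3, 4))
            selectors[m.group(1)] = {"phase2": m.group(2), "local": local, "remote": remote}
        elif m := SENT.search(line):
            last_sent[m.group(1)] = m.group(2)
        elif m := NOTIFY.search(line):
            tunnel, notify = m.groups()
            if notify in KEEPALIVE:
                continue
            # Assumption: the peer is answering our last message; if that was a
            # quick mode message the rejection concerns phase 2, otherwise phase 1.
            in_quick = last_sent.get(tunnel, "").startswith("quick_")
            findings.append({"tunnel": tunnel, "notify": notify,
                             "phase": 2 if in_quick else 1,
                             "offered": selectors.get(tunnel) if in_quick else None})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the posted output this reports a phase 2 rejection for LG_P2 with 10.0.50.0/24 offered as local and 192.168.3.0/24 as remote, which are the values to check against the peer's policy before moving on to the encryption settings.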