Explorer II

Question

Gre over IPsec between Fortigate and Mikrotik routers

Forum|Forum|3 years ago
October 12, 2022
3 replies
10137 views

Hello Team!!!

I recently created a GRE VPN over IPsec between a Fortigate and a Mikrotik, following this: https://www.linkedin.com/pulse/configur ... eros-denys
This VPN never worked, I get the following error:
Mikrotik side:

09:19:32 ipsec,error phase1 negotiation failed due to time up PublicIpMKT[500]<=>PublicIpFGT[500] 23496e323ff1fc23:0000000000000000
09:19:32 ipsec,info initiate new phase 1 (Identity Protection): PublicIpMKT[500]<=>PublicIpFGT[500]

Fortigate side:

date=2022-10-12 time=09:23:24 logid="0101037128" type="event" subtype="vpn" level="error" vd="root" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action="negotiate" remip=PublicIpMKT locip=PublicIpFGT remport=500 locport=500 outintf="wan1" cookies="b30f4d9b6a2aa208/0000000000000000" user="N/A" group="N/A" useralt="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="failure" init="remote" mode="main" dir="inbound" stage=1 role="responder" result="ERROR" advpnsc=0 utmref=0:1665577404
date=2022-10-12 time=09:23:24 logid="0101037124" type="event" subtype="vpn" level="error" vd="root" logdesc="IPsec phase 1 error" msg="IPsec phase 1 error" action="negotiate" remip=PublicIpMKT locip=PublicIpFGT remport=500 locport=500 outintf="wan1" cookies="b30f4d9b6a2aa208/0000000000000000" user="N/A" group="N/A" useralt="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="negotiate_error" reason="peer SA proposal not match local policy" peer_notif="NOT-APPLICABLE" advpnsc=0 utmref=0:1665577404

However, I see the same settings.
Any Idea?

Thanks in advance.
Regards,
Damián

FortiGate

aionescu

Staff

Hi @damianhlozano

Can you, please share the relevant configuration and also the output of:

diagnose debug reset
diagnose debug console timestamp enable
diagnose vpn ike log-filter dst-addr4 x.x.x.x where x.x.x.x is the IP address of the remote peer.
diagnose debug application ike -1
diagnose debug enable

damianhlozanoAuthor

Explorer II

Hello @aionescu ,

Thanks for your answer!!

Below the output, followed by the settings in the Fortigate side:

FGT80F-PL-Alem # diagnose debug enable

FGT80F-PL-Alem # 2022-10-12 11:42:24.590602 ike 0:aPacheco-W1:aPacheco-W1: IPsec SA connect 5 PublicIpFGT->PublicIpMKT:0
2022-10-12 11:42:24.590704 ike 0:aPacheco-W1: ignoring request to establish IPsec SA, no policy configured
2022-10-12 11:42:24.753032 ike 0: comes PublicIpMKT:500->PublicIpFGT:500,ifindex=5,vrf=0....
2022-10-12 11:42:24.753100 ike 0: IKEv1 exchange=Identity Protection id=a638cf808bbc84fd/0000000000000000 len=388 vrf=0
2022-10-12 11:42:24.753133 ike 0: in A638CF808BBC84FD00000000000000000110020000000000000001840D000064000000010000000100000058010100020300002801010000800B0001000C00040001518080010007800E010080030001800200048004000E0000002802010000800B0001000C00040001518080010007800E01008003000180020004800400050D0000144A131C81070358455C5728F20E95452F0D0000148F8D83826D246B6FC7A8A6A428C11DE80D000014439B59F8BA676C4C7737AE22EAB8F5820D0000144D1E0E136DEAFA34C4F3EA9F02EC72850D00001480D0BB3DEF54565EE84645D4C85CE3EE0D0000149909B64EED937C6573DE52ACE952FA6B0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D00001412F5F28C457168A9702D9FE274CC010000000014AFCAD71368A1F1C96B8696FC77570100
2022-10-12 11:42:24.753208 ike 0:a638cf808bbc84fd/0000000000000000:6489: responder: main mode get 1st message...
2022-10-12 11:42:24.753251 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID RFC 3947 4A131C81070358455C5728F20E95452F
2022-10-12 11:42:24.753289 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID draft-ietf-ipsec-nat-t-ike-08 8F8D83826D246B6FC7A8A6A428C11DE8
2022-10-12 11:42:24.753326 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID draft-ietf-ipsec-nat-t-ike-07 439B59F8BA676C4C7737AE22EAB8F582
2022-10-12 11:42:24.753363 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID draft-ietf-ipsec-nat-t-ike-06 4D1E0E136DEAFA34C4F3EA9F02EC7285
2022-10-12 11:42:24.753401 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID draft-ietf-ipsec-nat-t-ike-05 80D0BB3DEF54565EE84645D4C85CE3EE
2022-10-12 11:42:24.753437 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID draft-ietf-ipsec-nat-t-ike-04 9909B64EED937C6573DE52ACE952FA6B
2022-10-12 11:42:24.753474 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
2022-10-12 11:42:24.753511 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
2022-10-12 11:42:24.753548 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
2022-10-12 11:42:24.753585 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
2022-10-12 11:42:24.753622 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
2022-10-12 11:42:24.753659 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
2022-10-12 11:42:24.753695 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID DPD AFCAD71368A1F1C96B8696FC77570100
2022-10-12 11:42:24.753748 ike 0:aPacheco-W1: ignoring IKE request, no policy configured
2022-10-12 11:42:24.753785 ike 0:a638cf808bbc84fd/0000000000000000:6489: negotiation failure
2022-10-12 11:42:24.753860 ike Negotiate ISAKMP SA Error: 2022-10-12 11:42:24.753899 ike 0:a638cf808bbc84fd/0000000000000000:6489: no SA proposal chosen
2022-10-12 11:42:29.600619 ike 0:aPacheco-W1:aPacheco-W1: IPsec SA connect 5 PublicIpFGT->PublicIpMKT:0
2022-10-12 11:42:29.600722 ike 0:aPacheco-W1: ignoring request to establish IPsec SA, no policy configured
2022-10-12 11:42:34.610611 ike 0:aPacheco-W1:aPacheco-W1: IPsec SA connect 5 PublicIpFGT->PublicIpMKT:0
2022-10-12 11:42:34.610712 ike 0:aPacheco-W1: ignoring request to establish IPsec SA, no policy configured
2022-10-12 11:42:34.755887 ike 0: comes PublicIpMKT:500->PublicIpFGT:500,ifindex=5,vrf=0....
2022-10-12 11:42:34.755957 ike 0: IKEv1 exchange=Identity Protection id=a638cf808bbc84fd/0000000000000000 len=388 vrf=0
2022-10-12 11:42:34.755990 ike 0: in A638CF808BBC84FD00000000000000000110020000000000000001840D000064000000010000000100000058010100020300002801010000800B0001000C00040001518080010007800E010080030001800200048004000E0000002802010000800B0001000C00040001518080010007800E01008003000180020004800400050D0000144A131C81070358455C5728F20E95452F0D0000148F8D83826D246B6FC7A8A6A428C11DE80D000014439B59F8BA676C4C7737AE22EAB8F5820D0000144D1E0E136DEAFA34C4F3EA9F02EC72850D00001480D0BB3DEF54565EE84645D4C85CE3EE0D0000149909B64EED937C6573DE52ACE952FA6B0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D00001412F5F28C457168A9702D9FE274CC010000000014AFCAD71368A1F1C96B8696FC77570100
2022-10-12 11:42:34.756068 ike 0:a638cf808bbc84fd/0000000000000000:6490: responder: main mode get 1st message...
2022-10-12 11:42:34.756111 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID RFC 3947 4A131C81070358455C5728F20E95452F
2022-10-12 11:42:34.756149 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID draft-ietf-ipsec-nat-t-ike-08 8F8D83826D246B6FC7A8A6A428C11DE8
2022-10-12 11:42:34.756186 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID draft-ietf-ipsec-nat-t-ike-07 439B59F8BA676C4C7737AE22EAB8F582
2022-10-12 11:42:34.756223 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID draft-ietf-ipsec-nat-t-ike-06 4D1E0E136DEAFA34C4F3EA9F02EC7285
2022-10-12 11:42:34.756260 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID draft-ietf-ipsec-nat-t-ike-05 80D0BB3DEF54565EE84645D4C85CE3EE
2022-10-12 11:42:34.756297 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID draft-ietf-ipsec-nat-t-ike-04 9909B64EED937C6573DE52ACE952FA6B
2022-10-12 11:42:34.756333 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
2022-10-12 11:42:34.756370 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
2022-10-12 11:42:34.756407 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
2022-10-12 11:42:34.756444 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
2022-10-12 11:42:34.756480 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
2022-10-12 11:42:34.756517 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
2022-10-12 11:42:34.756553 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID DPD AFCAD71368A1F1C96B8696FC77570100
2022-10-12 11:42:34.756605 ike 0:aPacheco-W1: ignoring IKE request, no policy configured
2022-10-12 11:42:34.756641 ike 0:a638cf808bbc84fd/0000000000000000:6490: negotiation failure
2022-10-12 11:42:34.756715 ike Negotiate ISAKMP SA Error: 2022-10-12 11:42:34.756752 ike 0:a638cf808bbc84fd/0000000000000000:6490: no SA proposal chosen
2022-10-12 11:42:34.756857 ike shrank heap by 159744 bytes
2022-10-12 11:42:39.620598 ike 0:aPacheco-W1:aPacheco-W1: IPsec SA connect 5 PublicIpFGT->PublicIpMKT:0
2022-10-12 11:42:39.620694 ike 0:aPacheco-W1: ignoring request to establish IPsec SA, no policy configured
2022-10-12 11:42:44.630642 ike 0:aPacheco-W1:aPacheco-W1: IPsec SA connect 5 PublicIpFGT->PublicIpMKT:0
2022-10-12 11:42:44.630747 ike 0:aPacheco-W1: ignoring request to establish IPsec SA, no policy configured
2022-10-12 11:42:44.752119 ike 0: comes PublicIpMKT:500->PublicIpFGT:500,ifindex=5,vrf=0....
2022-10-12 11:42:44.752184 ike 0: IKEv1 exchange=Identity Protection id=a638cf808bbc84fd/0000000000000000 len=388 vrf=0
2022-10-12 11:42:44.752216 ike 0: in A638CF808BBC84FD00000000000000000110020000000000000001840D000064000000010000000100000058010100020300002801010000800B0001000C00040001518080010007800E010080030001800200048004000E0000002802010000800B0001000C00040001518080010007800E01008003000180020004800400050D0000144A131C81070358455C5728F20E95452F0D0000148F8D83826D246B6FC7A8A6A428C11DE80D000014439B59F8BA676C4C7737AE22EAB8F5820D0000144D1E0E136DEAFA34C4F3EA9F02EC72850D00001480D0BB3DEF54565EE84645D4C85CE3EE0D0000149909B64EED937C6573DE52ACE952FA6B0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D00001412F5F28C457168A9702D9FE274CC010000000014AFCAD71368A1F1C96B8696FC77570100
2022-10-12 11:42:44.752296 ike 0:a638cf808bbc84fd/0000000000000000:6491: responder: main mode get 1st message...
2022-10-12 11:42:44.752339 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID RFC 3947 4A131C81070358455C5728F20E95452F
2022-10-12 11:42:44.752377 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-08 8F8D83826D246B6FC7A8A6A428C11DE8
2022-10-12 11:42:44.752415 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-07 439B59F8BA676C4C7737AE22EAB8F582
2022-10-12 11:42:44.752452 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-06 4D1E0E136DEAFA34C4F3EA9F02EC7285
2022-10-12 11:42:44.752489 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-05 80D0BB3DEF54565EE84645D4C85CE3EE
2022-10-12 11:42:44.752526 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-04 9909B64EED937C6573DE52ACE952FA6B
2022-10-12 11:42:44.752563 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
2022-10-12 11:42:44.752600 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
2022-10-12 11:42:44.752636 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
2022-10-12 11:42:44.752673 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
2022-10-12 11:42:44.752710 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
2022-10-12 11:42:44.752746 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
2022-10-12 11:42:44.752782 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID DPD AFCAD71368A1F1C96B8696FC77570100
2022-10-12 11:42:44.752835 ike 0:aPacheco-W1: ignoring IKE request, no policy configured
2022-10-12 11:42:44.752872 ike 0:a638cf808bbc84fd/0000000000000000:6491: negotiation failure
2022-10-12 11:42:44.752952 ike Negotiate ISAKMP SA Error: 2022-10-12 11:42:44.752987 ike 0:a638cf808bbc84fd/0000000000000000:6491: no SA proposal chosen

config vpn ipsec phase1-interface
edit "aPacheco-W1"
set interface "wan1"
set peertype any
set net-device disable
set proposal aes256-sha256
set dpd on-idle
set dhgrp 5 14
set auto-discovery-sender enable
set remote-gw PublicIpMKT
set psksecret ENC UbOZkSUO5Y5C4zX9krwTkHmkjis87FpwIquYKTvDMAV83Ov5OWT+1RBjGtoab5efwc4EPqFOd8XaAwM0LiIBKstKWWafvp3Sjzrw2xSU+jknOF3PeKNn4YXo4PC1iod2WkNrZUeNdXuyd1SacdpLHOhIYxQYHIr1B02x295hQ7h69uCH+Z1TQGR5N+3T/iQVHRBIUA==
set dpd-retryinterval 5
next
end

config vpn ipsec phase2-interface
edit "aPacheco-W1"
set phase1name "aPacheco-W1"
set proposal aes256-sha256
set dhgrp 5 14
set auto-negotiate enable
set encapsulation transport-mode
set protocol 47
next
end

config system gre-tunnel
edit "GREaPacheco-W1"
set interface "aPacheco-W1"
set remote-gw PublicIpMKT
set local-gw PublicIpFGT
next
end

config system interface
edit "GREaPacheco-W1"
set vdom "root"
set ip 172.22.1.45 255.255.255.255
set type tunnel
set remote-ip 172.22.1.46 255.255.255.252
set snmp-index 19
set interface "aPacheco-W1"
next
end

Thanks in advance.

Regards,

Damián

sagha

Staff

Hi @damianhlozano

Do you have firewall policies configured on FGT?

Thank you.

Shahan

damianhlozanoAuthor

Explorer II

Hello @sagha, thanks for your answer,

Yes, I have the following policies:

config firewall policy
edit 5
set name "Enable IPsec"
set uuid 01c94e4a-3460-51ed-6e80-6bbc13c7b2b4
set srcintf "GREaPacheco-W1"
set dstintf "GREaPacheco-W1"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
next
edit 6
set name "GRE Alem->Pacheco"
set uuid 3c211f14-3460-51ed-6c32-b504549cb2ba
set srcintf "internal"
set dstintf "GREaPacheco-W1"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
next
edit 7
set name "GRE Pacheco->Alem"
set uuid 57afcadc-3460-51ed-9db1-b53782bc23f7
set srcintf "GREaPacheco-W1"
set dstintf "internal"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
next
end

Thanks in advance.

Regards,

Damián

damianhlozanoAuthor

Explorer II

Output:

2022-10-12 11:42:34.756641 ike 0:a638cf808bbc84fd/0000000000000000:6490: negotiation failure
2022-10-12 11:42:34.756715 ike Negotiate ISAKMP SA Error: 2022-10-12 11:42:34.756752 ike 0:a638cf808bbc84fd/0000000000000000:6490: no SA proposal chosen
2022-10-12 11:42:34.756857 ike shrank heap by 159744 bytes
2022-10-12 11:42:39.620598 ike 0:aPacheco-W1:aPacheco-W1: IPsec SA connect 5 PublicIpFGT->PublicIpMKT:0
2022-10-12 11:42:39.620694 ike 0:aPacheco-W1: ignoring request to establish IPsec SA, no policy configured
2022-10-12 11:42:44.630642 ike 0:aPacheco-W1:aPacheco-W1: IPsec SA connect 5 PublicIpFGT->PublicIpMKT:0
2022-10-12 11:42:44.630747 ike 0:aPacheco-W1: ignoring request to establish IPsec SA, no policy configured
2022-10-12 11:42:44.752119 ike 0: comes PublicIpMKT:500->PublicIpFGT:500,ifindex=5,vrf=0....
2022-10-12 11:42:44.752184 ike 0: IKEv1 exchange=Identity Protection id=a638cf808bbc84fd/0000000000000000 len=388 vrf=0
2022-10-12 11:42:44.752216 ike 0: in A638CF808BBC84FD00000000000000000110020000000000000001840D000064000000010000000100000058010100020300002801010000800B0001000C00040001518080010007800E010080030001800200048004000E0000002802010000800B0001000C00040001518080010007800E01008003000180020004800400050D0000144A131C81070358455C5728F20E95452F0D0000148F8D83826D246B6FC7A8A6A428C11DE80D000014439B59F8BA676C4C7737AE22EAB8F5820D0000144D1E0E136DEAFA34C4F3EA9F02EC72850D00001480D0BB3DEF54565EE84645D4C85CE3EE0D0000149909B64EED937C6573DE52ACE952FA6B0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D00001412F5F28C457168A9702D9FE274CC010000000014AFCAD71368A1F1C96B8696FC77570100
2022-10-12 11:42:44.752296 ike 0:a638cf808bbc84fd/0000000000000000:6491: responder: main mode get 1st message...
2022-10-12 11:42:44.752339 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID RFC 3947 4A131C81070358455C5728F20E95452F
2022-10-12 11:42:44.752377 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-08 8F8D83826D246B6FC7A8A6A428C11DE8
2022-10-12 11:42:44.752415 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-07 439B59F8BA676C4C7737AE22EAB8F582
2022-10-12 11:42:44.752452 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-06 4D1E0E136DEAFA34C4F3EA9F02EC7285
2022-10-12 11:42:44.752489 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-05 80D0BB3DEF54565EE84645D4C85CE3EE
2022-10-12 11:42:44.752526 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-04 9909B64EED937C6573DE52ACE952FA6B
2022-10-12 11:42:44.752563 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
2022-10-12 11:42:44.752600 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
2022-10-12 11:42:44.752636 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
2022-10-12 11:42:44.752673 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
2022-10-12 11:42:44.752710 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
2022-10-12 11:42:44.752746 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
2022-10-12 11:42:44.752782 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID DPD AFCAD71368A1F1C96B8696FC77570100
2022-10-12 11:42:44.752835 ike 0:aPacheco-W1: ignoring IKE request, no policy configured
2022-10-12 11:42:44.752872 ike 0:a638cf808bbc84fd/0000000000000000:6491: negotiation failure
2022-10-12 11:42:44.752952 ike Negotiate ISAKMP SA Error: 2022-10-12 11:42:44.752987 ike 0:a638cf808bbc84fd/0000000000000000:6491: no SA proposal chosen

damianhlozanoAuthor

Explorer II

Hello team,

With the output of the command asked for aionesku, and using google, I could solve the issue by myself

The issue was that I had created a policy from GRE to GRE in FGT, but instead of this, I needed a policy from IPsec Interface to IPsec Interface, changing this started to work.

Thanks!!!

Regards,

Damián

aionescu

Staff

Hello @damianhlozano,

Great to hear you solved the issue!

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded