Contributor
October 9, 2007
Question

IPSec Negotiate SA Error

  • October 9, 2007
  • 5 replies
  • 8715 views
Hello ALL, this is the 1st time I visit this forum and I am hoping to get some help on my site-to-site VPN connection setup... It's a simple Policy-Based VPN using a Pre-shared key between a Fortigate-60 & a Checkpoint firewall. Getting a "Negotiate SA Error: Peer's id payloads do not match local policy." error on my Fortigate 60 device running FortiOS v3.0 trying to establish an IPSec tunnel (Preshared Key) with Checkpoint. I have done the same setup from a few other sites with Fortigate-60 devices running FortiOS v2.8 software. The same Preshared Key, Encryption/Authentication method. The only difference I can tell between the 2 versions of OS is the option under the Phase 2 "Quick Mode Identities" section. v2.8 offers the options "Use selectors from policy", "Use wildcard selectors" & "Specify a selector" while only the last option seems to be available under FortiOS v3.0. I have been using the default "Use selectors from policy" option on the other v2.8 devices and they all worked fine. The event log on the v3.0 device is showing...

Responder: sent xx.xx.xx.xx aggressive mode message #1 (OK)
Responder: parsed xx.xx.xx.xx aggressive mode message #2 (DONE)
Negotiate SA Error: Peer's id payloads do not match local policy.
Responder: parsed xx.xx.xx.xx quick mode message #1 (ERROR)
***repeating...

Did I overlook any new features with v3.0 or should I consider downgrading the OS on this device?? Any suggestion or comment is greatly appreciated.


    Hracio
    New Member
    October 9, 2007
    Assuming your P1&2 are ok, if you are using route based VPNs, check if you are NATing in the involved FW Policies.... Regards!!
    Contributor
    October 9, 2007
    Thanks, Hracio... I have been using Policy-based VPN by specifying a certain internal network subnet to route through the encryption tunnel. This works fine on my other Fortigate-60 units running OS v2.8. Guess I could do the same by creating a virtual interface using route based VPN?! Anything I should be aware of? Thanks!
    rwpatterson
    New Member
    October 9, 2007
    There are some subtle differences between VPN tunnels on 2.8 and 3.00. One of the biggest is needing to use selectors to define the local and remote subnets. You could use policies on 2.8, not in 3.0. Try defining them in the advanced section on phase two, and get back to us.
    Contributor
    October 9, 2007
    Sounds like Bob gave you the answer. Here's a bit more detail... On the tunnel you're trying to bring up, edit the phase 2 proposal on your Fortigate with the 3.0 OS. Hit the "Advanced" button and look at the bottom section titled Quick Mode Selector... if your source and destination addresses both say 0.0.0.0 - there's your problem. You need to define these parameters. If, for example, the private network on the side of the FortiOS 3.0 firewall is 192.168.1.1-192.168.1.254 and the private network on the other end is 192.168.2.1-192.168.2.254, type in 192.168.1.0/24 under "Source address" and 192.168.2.0/24 under "Destination address". Cheers, mj
    Contributor
    October 10, 2007
    I appreciate your kind advice and detailed instructions, Bob & mj.... I believe I have no problem defining the Source address but the destination part... as I have close to 20 different subnets that I need to access/specify, like different subnets in the 10.0.0.0 network, 146.235.0.0, 192.168.0.0, etc... That's why I have been using the firewall policies in v2.8 to address our needs. The VPN manual for the v3.0 software does mention that we can leave 0.0.0.0 & 0 to refer to everything?! Only for the dedicated function of routing all traffic through the VPN tunnel?! Thanks again for all your help.... I am still confused...
    rwpatterson
    New Member
    October 10, 2007
    What I have done is hang multiple phase 2 definitions from a single phase 1. Once the key has been accepted, the correct tunnel will come up depending on the phase 2 networks that need to communicate through the link. Check out a snapshot of my monitor: Notice the first line. There are two 'selector pairs' for the one phase 1 definition in the first column. I have hung up to three successfully. I don't see a reason why more could not be done. Good luck
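The two replies above (mj's on defining the Quick Mode Selector, and rwpatterson's on hanging several phase 2 selector pairs off one phase 1) both come down to the same check a responder performs: the IDs the peer proposes in quick mode must be accepted by one of the locally configured selectors, or the tunnel logs "Peer's id payloads do not match local policy". The following is an added illustration written for this thread, not code from any of the posters or from Fortinet. It models that check in Python with constructed networks (our LAN 192.168.1.0/24 and three far-end subnets taken from the question). The `strict` flag is an assumption used to show both outcomes: exact matching is what the OP's later debug session pointed at, while the looser containment rule is an alternative some implementations use and is not claimed to be FortiOS behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
ANY = ipaddress.ip_network("0.0.0.0/0")   # what a bare 0.0.0.0 selector stands for


@dataclass(frozen=True)
class Phase2Selector:
    """One quick-mode selector pair hung off a single phase 1 (hypothetical model)."""
    name: str
    src: Net   # our side: the local network this phase 2 protects
    dst: Net   # the far-end network reachable through this phase 2


def parse_net(text: str) -> Net:
    """Accept '192.168.1.0/24', '192.168.1.0 255.255.255.0' or a bare '0.0.0.0'."""
    text = text.strip()
    if text in ("0.0.0.0", "0.0.0.0/0", "0.0.0.0 0.0.0.0"):
        return ANY
    if " " in text:
        addr, mask = text.split()
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ipaddress.ip_network(text, strict=False)


def selector_accepts(sel: Phase2Selector, our_src: Net, our_dst: Net, strict: bool = True) -> bool:
    """Does this local selector accept the IDs the peer proposed?

    our_src / our_dst are the peer's IDs already turned round into our orientation.
    strict=True demands an exact match of both networks (the outcome the thread's
    debug session exposed: a far-end subnet differing from the local one was refused).
    strict=False also accepts a proposal narrower than the local selector; that is an
    assumed alternative rule, not documented FortiOS behaviour.
    """
    if strict:
        return our_src == sel.src and our_dst == sel.dst
    return our_src.subnet_of(sel.src) and our_dst.subnet_of(sel.dst)


def match_proposal(selectors: List[Phase2Selector], peer_id_local: str,
                   peer_id_remote: str, strict: bool = True) -> Optional[str]:
    """Return the name of the first phase 2 whose selector accepts the proposal, else None.

    peer_id_local  is the ID the peer sent for ITS network (IDci, e.g. the Check Point LAN);
    peer_id_remote is the ID the peer sent for OUR network (IDcr).
    Seen from the responder these are our dst and our src respectively.
    """
    our_src = parse_net(peer_id_remote)
    our_dst = parse_net(peer_id_local)
    for sel in selectors:
        if selector_accepts(sel, our_src, our_dst, strict):
            return sel.name
    return None


def explain_proposals(selectors: List[Phase2Selector],
                      proposals: List[Tuple[str, str]], strict: bool = True) -> List[str]:
    """One line per proposal, phrased like the FortiGate event log in the question."""
    lines = []
    for peer_local, peer_remote in proposals:
        hit = match_proposal(selectors, peer_local, peer_remote, strict)
        if hit is None:
            lines.append(f"ERROR  {peer_remote} <-> {peer_local}: "
                         "Negotiate SA Error: Peer's id payloads do not match local policy.")
        else:
            lines.append(f"OK     {peer_remote} <-> {peer_local}: phase 2 '{hit}'")
    return lines


def example_selectors() -> List[Phase2Selector]:
    """Constructed: our LAN is 192.168.1.0/24; three far-end networks hang off one phase 1."""
    ours = parse_net("192.168.1.0/24")
    return [
        Phase2Selector("p2-10net", ours, parse_net("10.0.0.0/8")),
        Phase2Selector("p2-146net", ours, parse_net("146.235.0.0/16")),
        Phase2Selector("p2-192net", ours, parse_net("192.168.2.0/24")),
    ]


if __name__ == "__main__":
    # Constructed proposals as a far-end peer might send them (its own local ID first).
    proposals = [
        ("10.0.0.0/8", "192.168.1.0/24"),        # matches p2-10net
        ("192.168.2.0/24", "192.168.1.0/24"),    # matches p2-192net
        ("146.235.10.0/24", "192.168.1.0/24"),   # far end proposes a /24, we defined a /16
    ]
    for line in explain_proposals(example_selectors(), proposals):
        print(line)
    # Selectors left at 0.0.0.0 / 0.0.0.0 accept nothing under exact matching.
    for line in explain_proposals([Phase2Selector("wildcard", ANY, ANY)], proposals[:1]):
        print(line)
```

Running it prints OK for the first two proposals and the "Peer's id payloads do not match" line for the third, which is the shape of the OP's later finding that one far-end subnet differed from the local definition; the wildcard case reproduces mj's point that 0.0.0.0 selectors give you nothing to match against. Comparing the peer's proposed IDs from a debug capture against the configured selector list this way is a quick way to spot which of many subnets is the odd one out before touching the configuration.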
    FortiRack_Eric
    New Member
    October 11, 2007
    Is this issue still open? When I look at the first post, it clearly states that the peer IDs don't match. You may remove the peer IDs (local IDs) and test again. If you need to use peer-IDs then add them afterwards. They need to cross match (local and remote). Regards, Eric
    Contributor
    October 16, 2007
    Good day, Eric. Yes, the case is still OPEN... When you mentioned the peer id, do you mean the "Preshared Key" or are you referring to the name of the P1 & P2 tunnel? Further to my troubleshooting effort with the Fortinet engineer, I noticed these peer id errors were related to the subnets defined on this device & the far end. By turning ON the debug mode, we're able to tell one of the subnets proposed from the far end was different from the subnet defined locally (the same was not being validated on the 2.8 software)... Now we have fixed all the "peer's id payloads do not match" errors but are now facing a lot of "Received ESP packet with unknown SPI." errors. The tunnel seems to be UP & with a proper keylife countdown but no traffic seems to be flowing through... Again, any suggestion on this would be greatly appreciated!
    rwpatterson
    New Member
    October 16, 2007
    Could it be a simple routing issue with similar subnets on each side? Just a thought.
    FortiRack_Eric
    New Member
    October 16, 2007
    Did you upgrade the unit from 2.8 to 3.0? I've seen units where the VPN stops working some time after an upgrade. Removing the complete VPN and rebuilding it fixed it. Don't ask me why. Done it several times, especially with older MR3 builds. Btw what is your firmware version?
    Contributor
    October 19, 2007
    The unit is brand new, shipped with 3.0 B0400... I have done the configuration from scratch. Now I upgraded to B0526 MR5 Patch 2... Still no luck... Working with a Fortinet engineer to try to resolve the issue... Thanks for your advice....
    Contributor
    October 17, 2007
    Any more info on this? My 2.8 won't pass traffic to my 3.0 either, even though the tunnel is up.
    Contributor
    October 19, 2007
    I am still working with the Fortinet engineer to try to resolve this issue... Capturing debug logs from both ends for further analysis...
    Contributor
    October 19, 2007
    Ok, I just figured mine out. The 3.0 unit MUST have the firewall policy that specifies the VPN tunnel BEFORE any other policy. I have BOTH policies as internal to wan1. Hope this helps.
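The fix in the post above is a policy-ordering problem: firewall policies are evaluated top-down and the first match wins, so a broad internal-to-wan1 accept policy placed above the IPsec policy catches the tunnel-bound traffic first and the tunnel never sees it, even though phase 1 and phase 2 are up. The following is an added example for this thread, not the poster's configuration or any Fortinet code. It models a FortiOS-3.0-style policy table in Python with two constructed policies (both internal -> wan1, as described), shows which policy a LAN-to-remote-LAN packet hits in each order, and includes a small checker that flags an IPsec policy shadowed by a broader non-IPsec policy above it on the same interface pair. Field names and the `route_for` verdicts are this model's own choices, not FortiOS CLI syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """A FortiOS-3.0-style firewall policy reduced to the fields that matter here (hypothetical model)."""
    id: int
    srcintf: str
    dstintf: str
    srcaddr: str            # CIDR or "all"
    dstaddr: str            # CIDR or "all"
    action: str             # "accept" (plain forwarding, usually NATed) or "ipsec"
    vpntunnel: Optional[str] = None


def _net(addr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if addr == "all" else addr, strict=False)


def policy_matches(p: Policy, srcintf: str, dstintf: str, src_ip: str, dst_ip: str) -> bool:
    return (p.srcintf == srcintf and p.dstintf == dstintf
            and ipaddress.ip_address(src_ip) in _net(p.srcaddr)
            and ipaddress.ip_address(dst_ip) in _net(p.dstaddr))


def first_match(policies: List[Policy], srcintf: str, dstintf: str,
                src_ip: str, dst_ip: str) -> Optional[Policy]:
    """Top-down, first match wins: the evaluation order that makes policy position matter."""
    for p in policies:
        if policy_matches(p, srcintf, dstintf, src_ip, dst_ip):
            return p
    return None


def shadowed_ipsec_policies(policies: List[Policy]) -> List[Tuple[int, int]]:
    """Find IPsec policies that an earlier, broader non-IPsec policy on the same
    interface pair always catches first.  Returns (ipsec_id, shadowing_id) pairs."""
    findings = []
    for i, p in enumerate(policies):
        if p.action != "ipsec":
            continue
        for q in policies[:i]:
            if (q.srcintf == p.srcintf and q.dstintf == p.dstintf and q.action != "ipsec"
                    and _net(p.srcaddr).subnet_of(_net(q.srcaddr))
                    and _net(p.dstaddr).subnet_of(_net(q.dstaddr))):
                findings.append((p.id, q.id))
    return findings


# Constructed policy tables: both policies are internal -> wan1, as in the post above.
MISORDERED = [
    Policy(1, "internal", "wan1", "all", "all", "accept"),
    Policy(2, "internal", "wan1", "192.168.1.0/24", "192.168.2.0/24", "ipsec", "to-checkpoint"),
]
FIXED = [MISORDERED[1], MISORDERED[0]]   # IPsec policy moved above the general accept


def route_for(policies: List[Policy], src_ip: str, dst_ip: str) -> str:
    """Human-readable verdict for one packet from the LAN towards wan1."""
    p = first_match(policies, "internal", "wan1", src_ip, dst_ip)
    if p is None:
        return "dropped (no policy)"
    if p.action == "ipsec":
        return f"encrypted via {p.vpntunnel} (policy {p.id})"
    return f"sent in clear by policy {p.id}"


if __name__ == "__main__":
    print("misordered:", route_for(MISORDERED, "192.168.1.10", "192.168.2.5"))
    print("fixed:     ", route_for(FIXED, "192.168.1.10", "192.168.2.5"))
    print("internet:  ", route_for(FIXED, "192.168.1.10", "8.8.8.8"))
    print("shadowed:  ", shadowed_ipsec_policies(MISORDERED))
```

With the misordered table the packet for 192.168.2.5 is handled by policy 1 and leaves wan1 as ordinary NATed traffic; after the swap it hits the IPsec policy and is encrypted, while internet-bound traffic still falls through to the general accept. The `shadowed_ipsec_policies` check is the kind of thing worth running over an exported policy list whenever a tunnel is up but passes no traffic, because the symptom looks identical to a phase 2 or routing problem.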