FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
nvisentin_FTNT
Article Id 197801

Description


This article describes an issue that occurs when a FortiGate is configured to terminate an IPsec VPN tunnel on a secondary IP address: the local-gw must be set in the IKE phase 1 configuration, otherwise phase 1 negotiation fails. The IKE debug (level -1) reports 'no SA proposal chosen' even though all proposals are configured correctly and the incoming proposal matches the local ones:

2015-08-27 14:59:43 ike 0: IKEv1 Aggressive, comes 172.31.18.191:500->172.31.192.205 36, peer-id=LAB
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: my proposal, gw Dialup_P1:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: proposal id = 1:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84:   protocol id = ISAKMP:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84:      trans_id = KEY_IKE.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84:      encapsulation = IKE/none
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84:         type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84:         type=OAKLEY_HASH_ALG, val=SHA.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84:         type=AUTH_METHOD, val=PRESHARED_KEY.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84:         type=OAKLEY_GROUP, val=1536.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: ISAKMP SA lifetime=28800
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: proposal id = 1:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84:   protocol id = ISAKMP:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84:      trans_id = KEY_IKE.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84:      encapsulation = IKE/none
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84:         type=OAKLEY_HASH_ALG, val=SHA.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84:         type=AUTH_METHOD, val=PRESHARED_KEY.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84:         type=OAKLEY_GROUP, val=1536.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: ISAKMP SA lifetime=28800
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: incoming proposal:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: proposal id = 0:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84:   protocol id = ISAKMP:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84:      trans_id = KEY_IKE.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84:      encapsulation = IKE/none
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84:         type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84:         type=OAKLEY_HASH_ALG, val=SHA.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84:         type=AUTH_METHOD, val=PRESHARED_KEY.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84:         type=OAKLEY_GROUP, val=1536.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: ISAKMP SA lifetime=28800
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: proposal id = 0:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84:   protocol id = ISAKMP:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84:      trans_id = KEY_IKE.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84:      encapsulation = IKE/none
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84:         type=OAKLEY_HASH_ALG, val=SHA.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84:         type=AUTH_METHOD, val=PRESHARED_KEY.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84:         type=OAKLEY_GROUP, val=1536.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: ISAKMP SA lifetime=28800
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: negotiation failure
2015-08-27 14:59:43 ike Negotiate ISAKMP SA Error: 2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: no SA proposal chosen
 
Scope
 
FortiGate.


Solution


The interface bound to IKE is configured as follows; the IPsec VPN is terminated on the secondary IP 172.31.192.205, not on the primary IP of wan1.

FGT1KC # sh sys inter wan1
config system interface
    edit "wan1"
        set vdom "root"
        set ip 1.2.3.4 255.255.255.0
        set allowaccess ping
        set snmp-index 31
        set secondary-IP enable
            config secondaryip
                edit 1
                    set ip 172.31.192.205 255.255.252.0
                    set allowaccess ping https ssh http telnet
                next
            end
    next
end
 
Example configuration on the GUI: 
 
wan1 config.PNG


IPsec phase 1 must be configured as follows, with local-gw set to the secondary IP on which the tunnel terminates (a dialup phase 1 is used in this example).
 
config vpn ipsec phase1-interface
    edit "Dialup_P1"
        set type dynamic
        set interface "wan1"
        set local-gw 172.31.192.205 
        set mode aggressive
        set peertype one
        set proposal 3des-sha1 aes128-sha1
        set peerid "LAB"
        set psksecret ENC bWFpbgoVxDP89ru9ni9Ob9ulxYyFlnSrp3I7RRf9caGri/nTK/MhIV5J2MZ7c6+iH3lyXakWgFTaBapVCq+Vtoss3JTdzc4PtBw77AniaifJQzoBtG95vA3EXKHa0m/NfP6fIN9qIJ9axjzuxWYEifeilbXrx506pJhCY/1EdcFMHQRnXvF4vHzEXx3gD1MEskeNZg==
    next
end
 
To specify 'Local Gateway' on the GUI, go to VPN -> IPsec Tunnels -> Edit VPN Tunnel as shown below: 


p1.PNG
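As an added example that is not part of this article or of any Fortinet tool, the following Python audits an exported FortiOS configuration for phase 1 tunnels bound to an interface that carries secondary IPs but has no local-gw, or a local-gw that is not an address of that interface, which is the condition described above. The sample configuration, the generic parser and the function names are constructed for this illustration; the parser only understands the config/edit/set/next/end keywords shown in the article.

```python
import shlex
# Constructed sample (not from a live device): wan1 carries a secondary IP as in
# the article, and Dialup_P1 is bound to it without local-gw (the failing case).
SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set ip 1.2.3.4 255.255.255.0
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 172.31.192.205 255.255.252.0
            next
        end
    next
end
config vpn ipsec phase1-interface
    edit "Dialup_P1"
        set interface "wan1"
    next
end
"""

def parse_fortios(text):
    # Generic FortiOS CLI walker: config/edit open a nested dict, set stores the
    # value tokens, next/end close the current level; the root dict is returned.
    stack = [{}]
    for line in text.splitlines():
        words = shlex.split(line) or [""]   # blank line -> no-op
        if words[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(words[1:]), {}))
        elif words[0] == "set":
            stack[-1][words[1]] = words[2:]
        elif words[0] in ("next", "end") and len(stack) > 1:
            stack.pop()
    return stack[0]

def interface_addresses(iface):
    # Primary IP followed by every secondary IP of a parsed system interface entry.
    secondaries = [s["ip"][0] for s in iface.get("secondaryip", {}).values() if "ip" in s]
    return ([iface["ip"][0]] if "ip" in iface else []) + secondaries

def audit_phase1(cfg):
    # (tunnel, reason) for each phase1 that would hit the article's 'no SA proposal chosen'.
    findings, ifaces = [], cfg.get("system interface", {})
    for name, p1 in cfg.get("vpn ipsec phase1-interface", {}).items():
        bound, gw = p1.get("interface", [""])[0], p1.get("local-gw", [None])[0]
        addrs = interface_addresses(ifaces.get(bound, {}))
        if gw is None and len(addrs) > 1:
            findings.append((name, f"no local-gw but {bound} has secondary IPs {addrs[1:]}"))
        elif gw is not None and gw not in addrs:
            findings.append((name, f"local-gw {gw} is not an address of {bound}"))
    return findings
```

Run `audit_phase1(parse_fortios(open("backup.conf").read()))` against a configuration backup; an empty list means every phase 1 on an interface with secondary IPs names one of that interface's addresses as local-gw.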