FortiGate
ravisingh
Staff
Article Id 388047

Description

This article describes how to confirm a Phase 2 selector mismatch from a packet capture when there is no access to the peer device's configuration.
Scope

FortiGate, Cisco, or any other vendor in an IPsec VPN environment.
Solution
  1. Start a capture with the appropriate filters under GUI -> Network -> Diagnostics -> Packet Captures.
    Follow the steps in the article below:
    Troubleshooting Tip: Packet Capture on FortiOS GUI


  2. Open the pcap file in Wireshark. In this example, the Cisco peer gateway IP address is 216.208.130.131 and the FortiGate local gateway IP address is 104.207.208.109.


  3. Select a packet whose source IP address is the peer gateway (216.208.130.131) and expand Internet Security Association and Key Management Protocol.

  4. Scroll down to Traffic Selector: TS_IPV4_ADDR_RANGE.
  • Starting Addr: 172.24.0.0
  • Ending Addr: 172.31.255.255
  • This equates to 172.24.0.0/13.


  5. Select a packet whose source IP address is the local gateway (104.207.208.109) and expand Internet Security Association and Key Management Protocol.


  6. Scroll down to Traffic Selector: TS_IPV4_ADDR_RANGE.
  • Starting Addr: 172.24.0.0
  • Ending Addr: 172.27.255.255
  • This equates to 172.24.0.0/14.


  7. This shows that the Phase 2 selector on the peer gateway is configured as 172.24.0.0/13, while the local gateway's Phase 2 selector is 172.24.0.0/14, which is a mismatch.


The IKE debug output also provides similar information:


ike 0:lab:42:25: peer proposal is: peer:0:10.99.0.0-10.99.255.255:0, me:0:172.24.0.0-172.27.255.255:0
ike 0:lab:42:LB-2:25: trying
ike 0:lab:42:25: specified selectors mismatch
ike 0:lab:42:25: peer: type=7/7, local=0:172.24.0.0-172.27.255.255:0, remote=0:10.99.0.0-10.99.255.255:0
ike 0:lab:42:25: mine: type=7/7, local=0:192.168.0.0-192.168.255.255:0, remote=0:10.99.0.0-10.99.255.255:0
ike 0:lab:42:LB-3:25: trying
ike 0:lab:42:25: specified selectors mismatch
ike 0:lab:42:25: peer: type=7/7, local=0:172.24.0.0-172.27.255.255:0, remote=0:10.99.0.0-10.99.255.255:0
ike 0:lab:42:25: mine: type=7/7, local=0:172.24.0.0-172.31.255.255:0, remote=0:10.99.0.0-10.99.255.255:0
ike 0:lab:42:LB-4:25: trying
ike 0:lab:42:25: specified selectors mismatch
ike 0:lab:42:25: peer: type=7/7, local=0:172.24.0.0-172.27.255.255:0, remote=0:10.99.0.0-10.99.255.255:0
ike 0:lab:42:25: mine: type=7/7, local=0:192.168.0.0-192.168.255.255:0, remote=0:172.54.0.0-172.54.255.255:0
ike 0:lab:42:LB-5:25: trying
ike 0:lab:42:25: specified selectors mismatch
ike 0:lab:42:25: peer: type=7/7, local=0:172.24.0.0-172.27.255.255:0, remote=0:10.99.0.0-10.99.255.255:0
ike 0:lab:42:25: mine: type=7/7, local=0:172.10.10.0-172.10.10.255:0, remote=0:172.54.0.0-172.54.255.255:0
ike 0:lab:42:LB-6:25: trying
ike 0:lab:42:25: specified selectors mismatch
ike 0:lab:42:25: peer: type=7/7, local=0:172.24.0.0-172.27.255.255:0, remote=0:10.99.0.0-10.99.255.255:0
ike 0:lab:42:25: mine: type=7/7, local=0:172.10.10.0-172.10.10.255:0, remote=0:10.99.0.0-10.99.255.255:0
ike 0:lab:42:lab:25: trying
ike 0:lab:42:25: specified selectors mismatch
ike 0:lab:42:25: peer: type=7/7, local=0:172.24.0.0-172.27.255.255:0, remote=0:10.99.0.0-10.99.255.255:0
ike 0:lab:42:25: mine: type=7/7, local=0:10.10.0.0-10.10.255.255:0, remote=0:10.99.0.0-10.99.255.255:0
ike 0:lab:42:25: no matching phase2 found
ike 0:lab:42:25: failed to get responder proposal
ike 0:lab:42: error processing quick-mode message from 10.5.23.237 as responder
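Worked example, added here and not part of the Fortinet article: it converts the TS_IPV4_ADDR_RANGE start/end addresses read from Wireshark into CIDR prefixes and compares both sides, and applies the same comparison to the `peer:` / `mine:` selector pairs in the IKE debug output above. The address values are the ones quoted in this article; the function names and the regular expression are this example's own.

```python
import ipaddress
import re

# Selector values quoted in this article's Wireshark walkthrough (TS_IPV4_ADDR_RANGE).
PEER_TS = ("172.24.0.0", "172.31.255.255")   # read from the Cisco peer's packet
LOCAL_TS = ("172.24.0.0", "172.27.255.255")  # read from the FortiGate's packet

# Matches selector fields in FortiGate IKE debug lines, e.g.
# 'local=0:172.24.0.0-172.27.255.255:0' or 'peer:0:10.99.0.0-10.99.255.255:0'
# (groups: side, protocol, start address, end address, port).
SELECTOR_RE = re.compile(r"\b(peer|me|local|remote)[:=](\d+):([\d.]+)-([\d.]+):(\d+)")


def range_to_cidrs(start, end):
    """Convert a start/end address range to the minimal list of CIDR prefixes.
    A selector is carried on the wire as a range; if it summarizes to more than
    one prefix, that side is configured as a range or address group, not a subnet.
    """
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def selectors_match(peer, local):
    """Return (match, peer_cidrs, local_cidrs) for two (start, end) selectors."""
    peer_cidrs, local_cidrs = range_to_cidrs(*peer), range_to_cidrs(*local)
    return peer_cidrs == local_cidrs, peer_cidrs, local_cidrs


def parse_debug_selectors(line):
    """Map each selector side in one IKE debug line to its CIDR list."""
    return {side: range_to_cidrs(start, end)
            for side, _proto, start, end, _port in SELECTOR_RE.findall(line)}


def mismatched_sides(peer_line, mine_line):
    """Compare a 'peer:' debug line with its following 'mine:' line and return
    the selector sides (local/remote) whose networks differ."""
    peer, mine = parse_debug_selectors(peer_line), parse_debug_selectors(mine_line)
    return sorted(side for side in peer if peer[side] != mine.get(side))


if __name__ == "__main__":
    ok, p, l = selectors_match(PEER_TS, LOCAL_TS)
    print(f"peer {p} vs local {l}: {'match' if ok else 'MISMATCH'}")
    # Two consecutive lines copied from the debug output quoted in this article.
    peer_line = "ike 0:lab:42:25: peer: type=7/7, local=0:172.24.0.0-172.27.255.255:0, remote=0:10.99.0.0-10.99.255.255:0"
    mine_line = "ike 0:lab:42:25: mine: type=7/7, local=0:172.24.0.0-172.31.255.255:0, remote=0:10.99.0.0-10.99.255.255:0"
    print("mismatched sides:", mismatched_sides(peer_line, mine_line))
```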


Related article:
Troubleshooting Tip: Packet Capture on FortiOS GUI