smujeeb (Staff)
Article Id 215368
Description

This article describes a case where a VPN tunnel fails to come up and the logs show the message 'Peer SA proposal not match local policy'.

Scope

FortiGate.
Solution

The VPN configuration is identical on the local and remote ends, but the VPN still fails to come up and negotiation errors are seen in the logs.


This is often caused by a missing firewall policy (inbound or outbound) for the tunnel interface.

Creating the missing policy should allow the negotiation to succeed.
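As an added example (not part of the original article), the pair of firewall policies the solution refers to, in FortiOS CLI form. The tunnel (phase1-interface) name VPN-to-branch, the LAN interface port2, the subnets and the address object names local_lan and remote_lan are assumed values; lines starting with # are explanatory comments, not CLI input.

```text
# Address objects for the two sides of the tunnel (assumed subnets)
config firewall address
    edit "local_lan"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "remote_lan"
        set subnet 192.168.2.0 255.255.255.0
    next
end

# Outbound policy: local LAN -> tunnel interface
# (the tunnel interface carries the name of the phase1-interface)
config firewall policy
    edit 0
        set name "LAN-to-VPN-to-branch"
        set srcintf "port2"
        set dstintf "VPN-to-branch"
        set srcaddr "local_lan"
        set dstaddr "remote_lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
# Inbound policy: tunnel interface -> local LAN
    edit 0
        set name "VPN-to-branch-to-LAN"
        set srcintf "VPN-to-branch"
        set dstintf "port2"
        set srcaddr "remote_lan"
        set dstaddr "local_lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

For a route-based (interface mode) tunnel a static route to remote_lan via the VPN-to-branch interface is also required, and once the peer re-negotiates, 'get vpn ipsec tunnel summary' should show the tunnel as up.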

 

Additional information about the negotiation can be gathered with the following debug commands:

 

diagnose vpn ike log-filter dst-addr4 X.X.X.X    <----- X.X.X.X is the IP address of the remote peer.
diagnose debug application ike -1
diagnose debug enable

 

Note:

Starting from v7.4.1, the 'diagnose vpn ike log-filter dst-addr4' command has been changed to 'diagnose vpn ike log filter rem-addr4'.