FortiGate
SAJUDIYA
Staff
Article Id 250973
Description

This article describes the error 'ike Negotiate SA Error: ike ike [1470]', which occurs when the phase-2 Perfect Forward Secrecy (PFS) setting does not match on both ends of the tunnel.

In most cases this is seen on a site-to-site VPN between a FortiGate and a third-party firewall.

Scope
FortiGate 7.0.9 and 7.2.3 and above.
Solution

1) Find the issue by using the ike debug commands:

# diagnose vpn ike log-filter dst-addr4 x.x.x.x    <- where x.x.x.x is the remote peer IP address
# diagnose debug console timestamp enable
# diagnose debug application ike -1
# diagnose debug enable

The ike debug logs will appear as below:

ike 4:test-P1:18317:test-P2:228618: PFS is disabled

ike 4:test-P1:18317:test-P2:228618: lifetime=3600 

ike 4:test-P1:18317:test-P2:228618: no proposal chosen 

ike Negotiate SA Error: ike ike [1470] 
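As an added illustration (not part of the original article), the following Python snippet scans captured ike debug output for the signature shown above: a PFS status line for a phase-2 selector, followed by 'no proposal chosen' for the same selector and then the 'Negotiate SA Error' line. The line layout it parses ('ike <idx>:<phase1>:<serial>:<phase2>:<serial>: <message>') is taken from the sample log above; the sample text inside the block is a constructed copy of that log.

```python
import re
from typing import Optional

# Tunnel-prefixed ike debug lines, as in the sample log:
# "ike 4:test-P1:18317:test-P2:228618: PFS is disabled"
IKE_LINE = re.compile(r"^ike \d+:(?P<p1>[^:]+):\d+:(?P<p2>[^:]+):\d+:\s*(?P<msg>.*)$")
# The final error line carries no tunnel prefix.
SA_ERROR = re.compile(r"^ike Negotiate SA Error:")


def find_pfs_mismatch(log_text: str) -> Optional[dict]:
    """Return details of a phase-2 PFS mismatch found in ike debug output, or None.

    A hit requires, for one phase-1/phase-2 pair: a 'PFS is ...' status line,
    then 'no proposal chosen', then the 'Negotiate SA Error' line.
    """
    pfs_state = {}    # (phase1, phase2) -> last PFS status message seen
    candidate = None  # pair that most recently hit "no proposal chosen"
    for raw in log_text.splitlines():
        line = raw.strip()
        m = IKE_LINE.match(line)
        if m:
            key = (m["p1"], m["p2"])
            msg = m["msg"].strip()
            if msg.startswith("PFS is "):
                pfs_state[key] = msg
            elif msg == "no proposal chosen" and key in pfs_state:
                candidate = key
        elif SA_ERROR.match(line) and candidate is not None:
            p1, p2 = candidate
            return {
                "phase1": p1,
                "phase2": p2,
                "local_pfs": pfs_state[candidate],
                "check": "compare 'set pfs' and 'set dhgrp' under "
                         "'config vpn ipsec phase2-interface' on both peers",
            }
    return None


# Constructed sample, copied from the debug output shown in the article.
SAMPLE_LOG = """\
ike 4:test-P1:18317:test-P2:228618: PFS is disabled
ike 4:test-P1:18317:test-P2:228618: lifetime=3600
ike 4:test-P1:18317:test-P2:228618: no proposal chosen
ike Negotiate SA Error: ike ike [1470]
"""

if __name__ == "__main__":
    print(find_pfs_mismatch(SAMPLE_LOG))
```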

Solution:

Verify the PFS setting in the phase-2 configuration on both sides and make sure that the phase-2 DH group is identical on both peers.

It is also possible to set this from the CLI:

# config vpn ipsec phase2-interface
    (phase2-interface) # edit test
        (test) # set pfs enable
        (test) # set dhgrp 14
        (test) # end