Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
asostizzo_FTNT
Staff
Staff

Created on ‎10-05-2015 02:23 PM Edited on ‎05-01-2025 09:25 AM By Moderator

Article Id 191576

Technical Tip: 'Negotiation failure' is seen in IPsec VPN debugs with mismatching 'OAKLEY_GROUP' values

Description

This article describes an issue that occurs where, when using Aggressive Mode for establishing a VPN connection, any mismatch in the IKE parameters will cause an immediate negotiation failure. This example illustrates a failure due to the 'OAKLEY_GROUP' parameters, which is also known as the MODP Diffie-Hellman group:

ike 0:224b50f8ebe84df6/0000000000000000:33007: incoming proposal:
ike 0:224b50f8ebe84df6/0000000000000000:33007: proposal id = 0:
ike 0:224b50f8ebe84df6/0000000000000000:33007:   protocol id = ISAKMP:
ike 0:224b50f8ebe84df6/0000000000000000:33007:      trans_id = KEY_IKE.
ike 0:224b50f8ebe84df6/0000000000000000:33007:      encapsulation = IKE/none
ike 0:224b50f8ebe84df6/0000000000000000:33007:         type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:224b50f8ebe84df6/0000000000000000:33007:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:224b50f8ebe84df6/0000000000000000:33007:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:224b50f8ebe84df6/0000000000000000:33007:         type=OAKLEY_GROUP, val=1536.
ike 0:224b50f8ebe84df6/0000000000000000:33007: ISAKMP SA lifetime=28800

ike 0:224b50f8ebe84df6/0000000000000000:33007: my proposal, gw RemoteGWname:
ike 0:224b50f8ebe84df6/0000000000000000:33007: proposal id = 1:
ike 0:224b50f8ebe84df6/0000000000000000:33007:   protocol id = ISAKMP:
ike 0:224b50f8ebe84df6/0000000000000000:33007:      trans_id = KEY_IKE.
ike 0:224b50f8ebe84df6/0000000000000000:33007:      encapsulation = IKE/none
ike 0:224b50f8ebe84df6/0000000000000000:33007:         type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:224b50f8ebe84df6/0000000000000000:33007:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:224b50f8ebe84df6/0000000000000000:33007:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:224b50f8ebe84df6/0000000000000000:33007:         type=OAKLEY_GROUP, val=2048.
ike 0:224b50f8ebe84df6/0000000000000000:33007: ISAKMP SA lifetime=28800
ike 0:224b50f8ebe84df6/0000000000000000:33007: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:224b50f8ebe84df6/0000000000000000:33007: no SA proposal chosen

 

Additionally, while connecting to the VPN from the FortiClient, the following error is seen:

 

vpn (2).JPG

 

Scope

 

FortiGate.


Solution

Ensure the corresponding configured Phase1 IKE Diffie-Hellman group is matched on both sides. From RFC3526, RFC5903, and RFC7296 follows a mapping of supported Diffie-Hellman Group to their respective OAKLEY_GROUP value:

  • DH Group 1: 768-bit MODP Group
  • DH Group 2: 1024-bit MODP Group
  • DH Group 5: 1536-bit MODP Group
  • DH Group 14: 2048-bit MODP Group
  • DH Group 15: 3072-bit MODP Group
  • DH Group 16: 4096-bit MODP Group
  • DH Group 17: 6144-bit MODP Group
  • DH Group 18: 8192-bit MODP Group
  • DH Group 19: 256-bit random ECP Group
  • DH Group 20: 384-bit random ECP Group
  • DH Group 21: 521-bit random ECP Group

Verify the DH group of phase 1 and phase 2 selectors defined in FortiGate is matching with the VPN settings of the connection in the FortiClient.

 

48826
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.