jcovarrubias
Staff
Article Id 366065
Description: This article describes a scenario in which a VPN tunnel does not establish when using secondary IP addresses and presents a 'no proposal chosen' error in the IKE debugs.
Scope: FortiGate
Solution:

Overview:

When an IPsec VPN tunnel on the local FortiGate has its Remote Gateway set to a secondary IP address of the remote FortiGate's interface, the tunnel may fail to establish and the IKE debug shows a 'no proposal chosen' error. This happens because the remote FortiGate uses its primary interface IP for IKE negotiations by default, not the secondary IP the peer is targeting.

In IKE negotiations, FortiGate requires specific parameters such as the peer-id, encryption algorithm, and local-gw. By default:

  • The first configured IP is the primary IP.
  • Additional IPs are secondary.
  • IKE negotiations use the primary IP unless explicitly configured otherwise.

 

Problem Description:

The issue manifests in environments where:

  1. A secondary IP address is configured on the FortiGate interface.
  2. The remote VPN peer is configured to establish a tunnel to this secondary IP.
  3. The local-gateway (local-gw) setting is not explicitly configured in the FortiGate VPN configuration.

In this scenario, when the remote peer initiates the VPN connection to the secondary IP address, the FortiGate attempts to use its primary interface IP for the IKE negotiation. This IP address mismatch causes the negotiation to fail with a 'no proposal chosen' error.

 

Debug Analysis:

Collect the IKE debug output with the following commands. The excerpts that follow show both the failed and the successful scenario:

diag debug application ike -1
diag debug console timestamp enable
diag debug enable

 

Failed Negotiation:

 

<date>comes 192.168.1.10:14339->172.16.2.10:500,ifindex=17,vrf=0,len=608..

<date> 12:07:25.763232 ike V=root:0: IKEv2 exchange=SA_INIT id=123:435 len=932
<date> 12:07:25.763301 ike V=root:0:24d198225b970144/0000000000000000:17486: responder received SA_INIT msg
<date> 12:07:25.763319 ike V=root:0:123:435:17486: received notify type NAT_DETECTION_SOURCE_IP
<date> 12:07:25.763335 ike V=root:0:123:435:17486: received notify type NAT_DETECTION_DESTINATION_IP
<date> 12:07:25.763351 ike V=root:0:123:435:17486: received notify type FRAGMENTATION_SUPPORTED
<date> 12:07:25.763360 ike V=root:0:123:435:17486: received notify type SIGNATURE_HASH_ALGORITHMS
<date> 12:07:25.763375 ike V=root:0:123:435:17486: received notify type 16406
<date> 12:07:25.763391 ike V=root:0:123:435:17486: ignoring unauthenticated notify payload (16406)
<date> 12:07:25.763415 ike V=root:0:123:435:17486: incoming proposal:
<date> 12:07:25.763425 ike V=root:0:123:435:17486: proposal id = 1:
<date> 12:07:25.763432 ike V=root:0:123:435:17486: protocol = IKEv2:
<date> 12:07:25.763438 ike V=root:0:123:435:17486: encapsulation = IKEv2/none
<date> 12:07:25.763445 ike V=root:0:123:435:17486: type=ENCR, val=AES_CBC (key_len = 128)
<date> 12:07:25.763463 ike V=root:0:123:435:17486: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
<date> 12:07:25.763470 ike V=root:0:123:435:17486: type=PRF, val=PRF_HMAC_SHA2_256
<date> 12:07:25.763477 ike V=root:0:123:435:17486: type=DH_GROUP, val=MODP2048.
....... Additional proposals

<date> 12:07:25.764787 ike V=root:0:24d198225b970144/0000000000000000:17486: no proposal chosen
<date> 12:07:25.764814 ike V=root:Negotiate SA Error: [11909]

 

Successful Negotiation:

 

<date> 12:07:25.764787 ike V=root: SA proposal chosen, matched gateway Tunnel1

<date/time>ike V=root:0:Tunnel1:Tunnel1: created connection: 0xb5be700 9 192.168.1.10->172.16.2.10:1012.

 

Correct configuration snapshot:

 

config vpn ipsec phase1-interface
    edit "Tunnel1"
        set interface "wan1"
        set local-gw 172.16.2.10  <----- Specify the secondary IP. 
    next
end

config system interface
    edit "wan1"
        set vdom "root"
        set ip 172.16.2.9 255.255.255.0  <----- Primary IP, used for IKE unless local-gw is set.
        set allowaccess ping fabric
        set type physical
        .....
        config secondaryip
            edit 1
                set ip 172.16.2.10 255.255.255.0  <----- Secondary IP the remote peer connects to.
                set allowaccess ping fabric
        ....
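As an added illustration (not part of the article and not FortiOS code), the following Python check reads a FortiOS config dump together with an IKE debug excerpt and reports each phase1 whose interface owns the IP the peer targeted only as a secondary address while local-gw is unset or points elsewhere. The config and debug lines are constructed samples modelled on the snapshots above, and the config walker only understands the keywords shown there.

```python
import re
# Constructed samples: a FortiOS config shaped like the article's snapshot (local-gw
# left unset, the failing case) and the two IKE debug lines the check relies on.
CONFIG_NO_LOCAL_GW = """config system interface
    edit "wan1"
        set ip 172.16.2.9 255.255.255.0
        config secondaryip
            edit 1
                set ip 172.16.2.10 255.255.255.0
            next
        end
    next
end
config vpn ipsec phase1-interface
    edit "Tunnel1"
        set interface "wan1"
    next
end"""
DEBUG_FAILED = ("ike 0: comes 192.168.1.10:14339->172.16.2.10:500,ifindex=17,vrf=0,len=608..\n"
                "ike V=root:0:24d198225b970144/0000000000000000:17486: no proposal chosen\n")

def parse_config(text):
    """Walk a FortiOS config dump; collect interface IPs and phase1 interface/local-gw."""
    ifaces, tunnels, stack, cur = {}, {}, [], None
    for tok in filter(None, (line.split() for line in text.splitlines())):
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "end":
            stack.pop()
        elif tok[0] == "edit" and stack[-1] in ("system interface", "vpn ipsec phase1-interface"):
            table = ifaces if stack[-1] == "system interface" else tunnels
            cur = table.setdefault(tok[1].strip('"'), {"secondary": []})
        elif tok[:2] == ["set", "ip"] and stack[-1] == "secondaryip":
            cur["secondary"].append(tok[2])
        elif tok[0] == "set" and tok[1] in ("ip", "interface", "local-gw"):
            cur[tok[1]] = tok[2].strip('"')
    return ifaces, tunnels

def diagnose(config_text, debug_text):
    """Return (tunnel, targeted_ip, answering_ip) for each local-gw mismatch behind the error."""
    ifaces, tunnels = parse_config(config_text)
    findings = []
    for target in set(re.findall(r"comes \S+?:\d+->(\S+?):\d+", debug_text)):
        for name, t in tunnels.items():
            i = ifaces.get(t.get("interface"))
            if i and target in i["secondary"]:
                used = t.get("local-gw") or i.get("ip")  # no local-gw: primary IP is used
                if used != target:
                    findings.append((name, target, used))
    return findings if "no proposal chosen" in debug_text else []
```

A finding of ("Tunnel1", "172.16.2.10", "172.16.2.9") means the peer targeted the secondary IP while IKE would answer from the primary one; adding set local-gw 172.16.2.10 to Tunnel1 clears it.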

Related article: