Created on 08-07-2024 08:29 AM. Edited on 02-25-2025 07:39 AM. By AishAbdu.
| Description | This article describes how to resolve the error 'ike Negotiate SA Error: ike ike [1470]', which occurs due to a network-id mismatch in the configuration. |
| --- | --- |
| Scope | FortiGate. |

Solution
This article assumes a phase 1 configuration in which IKEv2 and network-overlay are both enabled.
GUI: On the initiator VPN gateway: (screenshot not reproduced)
On the responder VPN gateway: (screenshot not reproduced)
No logs: (screenshot of the empty VPN event log not reproduced)
The following CLI debug command needs to be used on the responder VPN gateway to narrow the IKE debug output to the initiator and find the issue:
diagnose vpn ike log-filter dst-addr4 x.x.x.x --> Where x.x.x.x is the IP address of the initiator.
Note: Starting from v7.4.1, the 'diagnose vpn ike log-filter dst-addr4' command has been changed to 'diagnose vpn ike log filter rem-addr4'.
Logs:
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: NETWORK ID : 0
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: incoming proposal:
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: proposal id = 1:
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: protocol = IKEv2:
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: encapsulation = IKEv2/none
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: type=DH_GROUP, val=MODP2048.
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: type=DH_GROUP, val=MODP1536.
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: my proposal, gw VPN3:
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: proposal id = 1:
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: protocol = IKEv2:
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: encapsulation = IKEv2/none
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: type=DH_GROUP, val=MODP1536.
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: type=DH_GROUP, val=MODP2048.
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: lifetime=86400
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: no proposal chosen
ike Negotiate SA Error: ike ike [11064] <- Error indicating the issue.
Solution:
Verify the 'network-id' setting under the phase 1 configuration and make sure both VPN gateways use the identical 'network-id' value.
To check in the CLI (the last line is the output of the show command):
config vpn ipsec phase1-interface
    edit test
        set network-overlay enable
        show | grep network-id
            set network-id 0
Note: The network ID is commonly used to identify the VPN's overlay network in SD-WAN or ADVPN setups. The value '0' is often the default but needs to match on both sides of the VPN connection.
This setting is relevant in deployments involving ADVPN or an SD-WAN environment where the remote peer also has network-overlay enabled, and the network IDs on both peers must align. In setups that do not involve SD-WAN or ADVPN, this setting does not apply to resolving the error.
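The following Python script is an added example, not part of the original article or of FortiOS. It automates the two checks described above: it parses the responder's IKE debug output (the article's log, split one message per line, is embedded as constructed sample input) to confirm that the crypto transforms of the incoming and local proposals overlap, so that 'no proposal chosen' is not a cipher mismatch and the network-id is the next thing to check; and it compares the 'set network-id' values from the phase1-interface 'show' output of both gateways. The 'show' outputs, the verdict strings and the rule "all four transform types overlap, therefore suspect network-id" are assumptions made for the example.

```python
import re

# Constructed sample input: the responder-side IKE debug from the article,
# one message per line (SA id and sequence number copied from the article).
SAMPLE_LOG = """\
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: NETWORK ID : 0
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: incoming proposal:
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: proposal id = 1:
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: protocol = IKEv2:
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: encapsulation = IKEv2/none
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: type=DH_GROUP, val=MODP2048.
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: type=DH_GROUP, val=MODP1536.
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: my proposal, gw VPN3:
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: proposal id = 1:
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: protocol = IKEv2:
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: encapsulation = IKEv2/none
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: type=DH_GROUP, val=MODP1536.
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: type=DH_GROUP, val=MODP2048.
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: lifetime=86400
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: no proposal chosen
ike Negotiate SA Error: ike ike [11064]
"""

SA_MSG_RE = re.compile(r"^ike (?P<sa>\S+): (?P<msg>.*)$")      # "ike <sa-id>: <message>"
TRANSFORM_RE = re.compile(r"^type=(\w+), val=(.+?)\.?$")      # "type=ENCR, val=AES_CBC (...)"
ERROR_RE = re.compile(r"Negotiate SA Error: ike ike \[(\d+)\]")


def parse_ike_debug(text):
    """Extract the logged NETWORK ID, the transforms of the incoming and local
    proposals, and whether the responder rejected the SA."""
    parsed = {"network_id": None, "incoming": set(), "local": set(),
              "no_proposal_chosen": False, "sa_error": None}
    section = None                      # which proposal the transform lines belong to
    for line in text.splitlines():
        err = ERROR_RE.search(line)
        if err:
            parsed["sa_error"] = int(err.group(1))
            continue
        m = SA_MSG_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("NETWORK ID :"):
            parsed["network_id"] = int(msg.split(":")[1])
        elif msg.startswith("incoming proposal"):
            section = "incoming"
        elif msg.startswith("my proposal"):
            section = "local"
        elif msg == "no proposal chosen":
            parsed["no_proposal_chosen"] = True
        else:
            t = TRANSFORM_RE.match(msg)
            if t and section:
                parsed[section].add((t.group(1), t.group(2)))
    return parsed


REQUIRED = ("ENCR", "INTEGR", "PRF", "DH_GROUP")


def diagnose(parsed):
    """Heuristic verdict (assumption of this example): if every transform type has
    a value common to both proposals yet the SA was rejected, the cipher suite is
    not the cause, so the network-id, the cause named by the article, is checked next."""
    if not parsed["no_proposal_chosen"]:
        return "proposal accepted"
    common = parsed["incoming"] & parsed["local"]
    missing = [t for t in REQUIRED if not any(c[0] == t for c in common)]
    if missing:
        return "crypto mismatch on: " + ", ".join(missing)
    return ("crypto proposals overlap; check 'set network-id' on both gateways "
            "(responder logged NETWORK ID %s)" % parsed["network_id"])


NETID_RE = re.compile(r"set network-id (\d+)")


def compare_network_ids(initiator_show, responder_show):
    """Compare the network-id from each gateway's phase1-interface 'show' output.
    Returns (initiator_id, responder_id, match); None means the line is absent,
    and two absent values count as a match (both peers at their default)."""
    def get(text):
        m = NETID_RE.search(text)
        return int(m.group(1)) if m else None
    i, r = get(initiator_show), get(responder_show)
    return i, r, i == r


# Constructed 'show' outputs for a mismatched pair (values are made up for the example).
INITIATOR_SHOW = 'config vpn ipsec phase1-interface\n    edit "test"\n        set network-overlay enable\n        set network-id 1\n    next\nend\n'
RESPONDER_SHOW = 'config vpn ipsec phase1-interface\n    edit "test"\n        set network-overlay enable\n        set network-id 0\n    next\nend\n'

if __name__ == "__main__":
    print(diagnose(parse_ike_debug(SAMPLE_LOG)))
    print(compare_network_ids(INITIATOR_SHOW, RESPONDER_SHOW))
```

The log parser expects the text the responder prints once the IKE application debug is enabled on FortiOS and the log filter from this article has been applied; paste that output into SAMPLE_LOG, or read it from a file, and paste each gateway's phase1-interface 'show' output into the two constants. If diagnose() reports a crypto mismatch instead, the missing transform type, not the network-id, is what to fix first.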
Copyright 2025 Fortinet, Inc. All Rights Reserved.