preetisingh
Staff
Article Id 330895
Description This article describes how to resolve the error 'ike Negotiate SA Error: ike ike [1470]' which occurs due to a network-id mismatch in configuration.
Scope Any supported version of FortiGate.
Solution

This article assumes conditions where IKEv2 and network-overlay are enabled.

 

GUI:

 

On the initiator VPN gateway: 

 
 

Screenshot 2024-08-06 174541.png

 

On the responder VPN gateway: 

 

No logs:

 

Screenshot 2024-08-06 174706.png

 

The following CLI debug commands need to be used on the responder VPN gateway to find the issue: 

 

diagnose vpn ike log-filter dst-addr4 x.x.x.x  >>> Where x.x.x.x is the IP address of the initiator
diagnose debug console timestamp enable   
diagnose debug application ike -1   
diagnose debug enable  

 

Logs:

 

ike 0:3b866f3cdcf98c8c/0000000000000000:13059: NETWORK ID : 0
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: incoming proposal:
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: proposal id = 1:
ike 0:3b866f3cdcf98c8c/0000000000000000:13059:   protocol = IKEv2:
ike 0:3b866f3cdcf98c8c/0000000000000000:13059:      encapsulation = IKEv2/none
ike 0:3b866f3cdcf98c8c/0000000000000000:13059:         type=ENCR, val=AES_CBC (key_len = 256)
ike 0:3b866f3cdcf98c8c/0000000000000000:13059:         type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:3b866f3cdcf98c8c/0000000000000000:13059:         type=PRF, val=PRF_HMAC_SHA2_256
ike 0:3b866f3cdcf98c8c/0000000000000000:13059:         type=DH_GROUP, val=MODP2048.
ike 0:3b866f3cdcf98c8c/0000000000000000:13059:         type=DH_GROUP, val=MODP1536.
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: my proposal, gw VPN3:
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: proposal id = 1:
ike 0:3b866f3cdcf98c8c/0000000000000000:13059:   protocol = IKEv2:
ike 0:3b866f3cdcf98c8c/0000000000000000:13059:      encapsulation = IKEv2/none
ike 0:3b866f3cdcf98c8c/0000000000000000:13059:         type=ENCR, val=AES_CBC (key_len = 256)
ike 0:3b866f3cdcf98c8c/0000000000000000:13059:         type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:3b866f3cdcf98c8c/0000000000000000:13059:         type=PRF, val=PRF_HMAC_SHA2_256
ike 0:3b866f3cdcf98c8c/0000000000000000:13059:         type=DH_GROUP, val=MODP1536.
ike 0:3b866f3cdcf98c8c/0000000000000000:13059:         type=DH_GROUP, val=MODP2048.
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: lifetime=86400
ike 0:3b866f3cdcf98c8c/0000000000000000:13059: no proposal chosen
ike Negotiate SA Error: ike ike  [11064]  <- Error indicating the issue.

 

Solution:

 

Verify the 'network-id' setting under the phase 1 configuration and make sure both VPN gateways use the same 'network-id' value.

 

To check in the CLI: 

 

config vpn ipsec phase1-interface
edit test
show | grep network-id
set network-id 0  <- Output: the value configured on this gateway.
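
The debug output above shows identical transforms on both sides followed by 'no proposal chosen', which is why the proposal itself can be ruled out. The following Python triage of a saved responder debug capture is an added example, not Fortinet code. It assumes the log format shown in this article and that the 'NETWORK ID' line reports the value received from the initiator; parse() and triage() are hypothetical helper names.

```python
import re

# Sample trimmed from the responder debug output shown in this article.
P = "ike 0:3b866f3cdcf98c8c/0000000000000000:13059: "
XFORMS = ["type=ENCR, val=AES_CBC (key_len = 256)",
          "type=INTEGR, val=AUTH_HMAC_SHA2_256_128",
          "type=PRF, val=PRF_HMAC_SHA2_256"]
SAMPLE = "\n".join(P + s for s in (
    ["NETWORK ID : 0", "incoming proposal:"] + XFORMS
    + ["type=DH_GROUP, val=MODP2048.", "type=DH_GROUP, val=MODP1536."]
    + ["my proposal, gw VPN3:"] + XFORMS
    + ["type=DH_GROUP, val=MODP1536.", "type=DH_GROUP, val=MODP2048."]
    + ["no proposal chosen"]))

XFORM_RE = re.compile(r"type=(\w+), val=(.+?)\.?\s*$")
NETID_RE = re.compile(r"NETWORK ID : (\d+)")

def parse(log):
    """Return (network-id seen in log, incoming transforms, local transforms, failed)."""
    net_id, failed, side = None, False, None
    props = {"incoming": {}, "local": {}}
    for line in log.splitlines():
        if m := NETID_RE.search(line):
            net_id = int(m.group(1))
        elif "incoming proposal:" in line:
            side = "incoming"
        elif "my proposal" in line:
            side = "local"
        elif "no proposal chosen" in line:
            failed = True
        elif side and (m := XFORM_RE.search(line)):
            props[side].setdefault(m.group(1), set()).add(m.group(2))
    return net_id, props["incoming"], props["local"], failed

def triage(log, local_network_id):
    """local_network_id: the responder's configured 'set network-id' value."""
    net_id, inc, loc, failed = parse(log)
    if not failed:
        return "no 'no proposal chosen' in this capture"
    # A transform type with no value common to both sides is a real proposal mismatch.
    bad = sorted(t for t in set(inc) | set(loc)
                 if not inc.get(t, set()) & loc.get(t, set()))
    if bad:
        return "transform mismatch: " + ", ".join(bad)
    if net_id is not None and net_id != local_network_id:
        return f"network-id mismatch: peer sent {net_id}, local is {local_network_id}"
    return "transforms and network-id agree; check other phase 1 settings"

if __name__ == "__main__":
    print(triage(SAMPLE, local_network_id=1))  # 1 is a constructed local value
```

DH groups are compared as sets because the two gateways list them in a different order in the capture above.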