FortiGate
fwilliams
Staff & Editor
Article Id 337441
Description

This article describes how to troubleshoot a case where phase2 failed to come up after a FortiOS upgrade.

Scope

FortiOS.

Solution

After upgrading only one side of a VPN peer pair (one FortiGate was upgraded, the other was not), the IPsec VPN may fail to come up at phase2.

Phase1 is up: the tunnel's 'created' time, visible with diag vpn ike gateway list name <name>, shows that the phase1 SA has been established for a long time, so phase1 is not the problem.

vd: root/0
name: TEST
version: 1
interface: port1 3
addr: x.x.x.x:500 -> y.y.y.y:500
tun_id: 100.100.100.3/::10.0.0.11
remote_location: 0.0.0.0
network-id: 0
created: 1197869s ago

However, phase2 is down, and the following extract appears in the IKE debug output.

ike 0:TEST:20877815:TEST:12518468: trying
ike 0:TEST:20877815:TEST:12518468: matched phase2
ike 0:TEST:20877815:TEST:12518468: autokey
ike 0:TEST:20877815:TEST:12518468: my proposal:   <- This FortiGate's proposal.
ike 0:TEST:20877815:TEST:12518468: proposal id = 1:
ike 0:TEST:20877815:TEST:12518468:   protocol id = IPSEC_ESP:
ike 0:TEST:20877815:TEST:12518468:   PFS DH group = 14
ike 0:TEST:20877815:TEST:12518468:      trans_id = ESP_AES_CBC (key_len = 256)
ike 0:TEST:20877815:TEST:12518468:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:TEST:20877815:TEST:12518468:         type = AUTH_ALG, val=SHA2_256
ike 0:TEST:20877815:TEST:12518468: incoming proposal:  <- Remote FortiGate's proposal.
ike 0:TEST:20877815:TEST:12518468: proposal id = 1:
ike 0:TEST:20877815:TEST:12518468:   protocol id = IPSEC_ESP:
ike 0:TEST:20877815:TEST:12518468:   PFS DH group = 5
ike 0:TEST:20877815:TEST:12518468:      trans_id = ESP_AES_CBC (key_len = 256)
ike 0:TEST:20877815:TEST:12518468:      encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
ike 0:TEST:20877815:TEST:12518468:         type = AUTH_ALG, val=SHA1
ike 0:TEST:20877815:TEST:12518468: negotiation failure
ike Negotiate IPsec SA Error: ike 0:TEST:20877815:12518468: no SA proposal chosen

The two proposals do not match: this FortiGate offers PFS DH group 14, SHA2_256 authentication and plain tunnel encapsulation, while the remote peer offers DH group 5, SHA1 and a different (UDP) encapsulation mode. With no common proposal, the phase2 negotiation fails with 'no SA proposal chosen'.
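To pick out the differing attributes quickly in a longer IKE debug capture, the following added Python script (not Fortinet's code and not part of the original article) parses the 'my proposal' and 'incoming proposal' lines in the format shown above and lists every attribute whose value differs between the two sides. It assumes the "ike <vdom>:<phase1>:<serial>:<phase2>:<msgid>:" line prefix seen in this extract.

```python
import re

# Constructed sample: the phase2 proposal lines from the IKE debug extract in this article.
IKE_DEBUG = """\
ike 0:TEST:20877815:TEST:12518468: my proposal:
ike 0:TEST:20877815:TEST:12518468:   protocol id = IPSEC_ESP:
ike 0:TEST:20877815:TEST:12518468:   PFS DH group = 14
ike 0:TEST:20877815:TEST:12518468:      trans_id = ESP_AES_CBC (key_len = 256)
ike 0:TEST:20877815:TEST:12518468:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:TEST:20877815:TEST:12518468:         type = AUTH_ALG, val=SHA2_256
ike 0:TEST:20877815:TEST:12518468: incoming proposal:
ike 0:TEST:20877815:TEST:12518468:   protocol id = IPSEC_ESP:
ike 0:TEST:20877815:TEST:12518468:   PFS DH group = 5
ike 0:TEST:20877815:TEST:12518468:      trans_id = ESP_AES_CBC (key_len = 256)
ike 0:TEST:20877815:TEST:12518468:      encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
ike 0:TEST:20877815:TEST:12518468:         type = AUTH_ALG, val=SHA1
ike 0:TEST:20877815:TEST:12518468: negotiation failure
"""

# Every debug line starts with "ike <vdom>:<phase1>:<serial>:<phase2>:<msgid>: "; drop it.
PREFIX = re.compile(r"^ike \S+:\s*")
# Proposal attributes worth comparing; "type = AUTH_ALG, val=X" is split further below.
ATTR = re.compile(r"^(PFS DH group|trans_id|encapsulation|type)\s*=\s*(.+)$")

def parse_proposals(debug_text):
    """Return {'my': {attr: value}, 'incoming': {attr: value}} for the two phase2 proposals."""
    proposals, side = {}, None
    for raw in debug_text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if line == "my proposal:":
            side = "my"
        elif line == "incoming proposal:":
            side = "incoming"
        elif side and (m := ATTR.match(line)):
            key, val = m.groups()
            if key == "type":                      # e.g. "AUTH_ALG, val=SHA1"
                key, val = val.split(", val=", 1)
            proposals.setdefault(side, {})[key] = val.strip()
    return proposals

def mismatches(proposals):
    """Attributes whose value differs between the local and remote proposal."""
    mine, theirs = proposals.get("my", {}), proposals.get("incoming", {})
    return {k: (mine.get(k), theirs.get(k))
            for k in sorted(mine.keys() | theirs.keys()) if mine.get(k) != theirs.get(k)}

if __name__ == "__main__":
    for attr, (local, remote) in mismatches(parse_proposals(IKE_DEBUG)).items():
        print(f"{attr}: local={local} remote={remote}")
```

Run against a saved debug capture, the output lists only the attributes that need to be aligned on one of the peers; an empty result means the failure lies elsewhere (for example in selectors or an extra phase2 object).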

In this case, the upgrade added a new phase2 object on the upgraded FortiGate, and that extra object is what caused phase2 to go down.

If a similar issue is encountered, check the phase2 configuration on the recently upgraded FortiGate for an additional phase2 object; if one is present, delete it to restore the VPN.
