Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Dinhawaii
New Contributor

Created on ‎11-24-2021 01:26 PM

Fortiwifi 60C to Checkpoint IPSEC VPN Phase 1 Issues

Hi All,

 

I am having an issue trying to get a Site-to-Site VPN up and running between a Fortiwifi 60c and a Checkpoint firewall. I have triple checked the settings and they are all correct (See images below). The first image is the checkpoint firewall and the second is the fortiwifi 60c. I am getting a phase one policy mismatch. The engineer I am working with says he doesn't see anything in his logfiles that even indicate that I am trying to connect, but I get the following in the Fortiwifi VPN logs:

 

date=2021-11-19 time=09:52:36 logid=0101037128 type=event subtype=vpn level=error vd="root" logdesc="progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=199.253.xxx.xxx locip=67.53.xxx.xxx remport=500 locport=500 outintf="wan1" cookies="40b9e860259787fa/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status=failure init=remote mode=main dir=inbound stage=1 role=responder result=ERROR 

date=2021-11-19 time=09:52:36 logid=0101037124 type=event subtype=vpn level=error vd="root" logdesc="IPsec phase 1 error" msg="IPsec phase 1 error" action=negotiate remip=199.253.xxx.xxx locip=67.53.xxx.xxx remport=500 locport=500 outintf="wan1" cookies="40b9e860259787fa/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status=negotiate_error reason="peer SA proposal not match local policy" peer_notif="NOT-APPLICABLE"

 

HPH.pngInked-HPH.jpg

If anyone has any input that they think would be useful, I would appreciate it if you'd drop it below.

 

TIA

Don

Don Mangiarelli
Don Mangiarelli
Labels:
2186
0 Kudos
2 REPLIES 2
ESCHAN_FTNT
Staff
Staff

Created on ‎11-24-2021 09:16 PM

Hi Dinhawaii

 

You can try enable the ike debug as per https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPsec-Site-to-Site-Tunnel-Connectivi... to see what is going on. 

2120
Dinhawaii
New Contributor

Created on ‎12-01-2021 02:09 PM

This is a packet capture from yesterday's session. I can see that my Fortinet is connecting to the Checkpoint and the Checkpoint is responding (so there should be something in their logs). I am wondering if the AES_CBC algorithm is the mismatch?

 

2021-11-30 15:35:28 ike 0:HPH VPN:94717: sent IKE msg (P1_RETRANSMIT): 67.XXX.XXX.XXX:500->199.XXX.XXX.XXX:500, len=192, id=241c654fc2338a41/0000000000000000
2021-11-30 15:35:29 ike 0:HPH VPN:HPH VPN: IPsec SA connect 5 67.XXX.XXX.XXX->199.XXX.XXX.XXX:0
2021-11-30 15:35:29 ike 0:HPH VPN:HPH VPN: using existing connection
2021-11-30 15:35:29 ike 0:HPH VPN:HPH VPN: config found
2021-11-30 15:35:29 ike 0:HPH VPN: request is on the queue
2021-11-30 15:35:34 ike 0:HPH VPN:HPH VPN: IPsec SA connect 5 67.XXX.XXX.XXX->199.XXX.XXX.XXX:0
2021-11-30 15:35:34 ike 0:HPH VPN:HPH VPN: using existing connection
2021-11-30 15:35:34 ike 0:HPH VPN:HPH VPN: config found
2021-11-30 15:35:34 ike 0:HPH VPN: request is on the queue
2021-11-30 15:35:38 ike 0: comes 199.XXX.XXX.XXX:500->67.XXX.XXX.XXX:500,ifindex=5....
2021-11-30 15:35:38 ike 0: IKEv1 exchange=Identity Protection id=0e8be8e11abb8180/0000000000000000 len=152
2021-11-30 15:35:38 ike 0: in 0E8BE8E11ABB818000000000000000000110020000000000000000980D00003C00000001000000010000003001010001000000280101000080010007800E0100800200048003000180040002800B0001000C0004000151800D0000144048B7D56EBCE88525E7DE7F00D6C2D30000002CF4ED19E0C114EB516FAAAC0EE37DAF2807B4381F000000010000138D61A6D16A0000000018290000
2021-11-30 15:35:38 ike 0:0e8be8e11abb8180/0000000000000000:94718: responder: main mode get 1st message...
2021-11-30 15:35:38 ike 0:0e8be8e11abb8180/0000000000000000:94718: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
2021-11-30 15:35:38 ike 0:0e8be8e11abb8180/0000000000000000:94718: VID unknown (40): F4ED19E0C114EB516FAAAC0EE37DAF2807B4381F000000010000138D61A6...
2021-11-30 15:35:38 ike 0:0e8be8e11abb8180/0000000000000000:94718: incoming proposal:
2021-11-30 15:35:38 ike 0:0e8be8e11abb8180/0000000000000000:94718: proposal id = 0:
2021-11-30 15:35:38 ike 0:0e8be8e11abb8180/0000000000000000:94718: protocol id = ISAKMP:
2021-11-30 15:35:38 ike 0:0e8be8e11abb8180/0000000000000000:94718: trans_id = KEY_IKE.
2021-11-30 15:35:38 ike 0:0e8be8e11abb8180/0000000000000000:94718: encapsulation = IKE/none
2021-11-30 15:35:38 ike 0:0e8be8e11abb8180/0000000000000000:94718: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
2021-11-30 15:35:38 ike 0:0e8be8e11abb8180/0000000000000000:94718: type=OAKLEY_HASH_ALG, val=SHA2_256.
2021-11-30 15:35:38 ike 0:0e8be8e11abb8180/0000000000000000:94718: type=AUTH_METHOD, val=PRESHARED_KEY.
2021-11-30 15:35:38 ike 0:0e8be8e11abb8180/0000000000000000:94718: type=OAKLEY_GROUP, val=MODP1024.
2021-11-30 15:35:38 ike 0:0e8be8e11abb8180/0000000000000000:94718: ISAKMP SA lifetime=86400
2021-11-30 15:35:38 ike 0:0e8be8e11abb8180/0000000000000000:94718: negotiation failure
2021-11-30 15:35:38 ike Negotiate ISAKMP SA Error: 2021-11-30 15:35:38 ike 0:0e8be8e11abb8180/0000000000000000:94718: no SA proposal chosen

 

Don Mangiarelli
Don Mangiarelli
2060
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.