Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
kgosi
New Contributor

IPsec VPN Error : no IKEv1 phase1 configuration matching

Greetings

Im configuring IPsec VPN for our office, im fairly new to forti configurations but i`v manged to set it up for our remote office, using forti 30d v5, but now im trying to configure the same on forti 200a but im unable to connect with the forticlient

i ran ike -1 debug and got the following output

 

ike 0: comes 197.231.195.152:500->172.17.x.x:500,ifindex=2... ike 0: IKEv1 exchange=Aggressive id=96e9ec0aecd61e97/0000000000000000 len=508 ike 0: no IKEv1 phase1 configuration matching 197.231.195.152:500->172.17.x.x 2 ike 0: comes 197.231.195.152:500->172.17.x.x:500,ifindex=2.... ike 0: IKEv1 exchange=Aggressive id=96e9ec0aecd61e97/0000000000000000 len=508 ike 0: no IKEv1 phase1 configuration matching 197.231.195.152:500->172.17.x.x 12

i have re-checked my configs several times and now im stuck, don`t know what to do next

 

please have a look at my topology (attaced) and configurations below

 

config vpn ipsec phase1-interface edit "My_VPN" set type dynamic set interface "wan2" set nattraversal disable set dhgrp 2 set proposal 3des-sha1 aes256-md5 aes192-sha1 set peertype one set xauthtype auto set mode aggressive set mode-cfg enable set peerid "vpn_client" set authusrgrp "ipsec_group" set ipv4-start-ip 172.17.7.101 set ipv4-end-ip 172.17.7.110 set ipv4-netmask 255.255.255.0 set psksecret ENC AABa/EsOB5k3Z1oE3SzT1harGW7GH3dmlPyXSqcqChvAUKBRwQ7ToM el08F0To4VR/vtO+F5R6TRnRNA0/BFSMyQdTNlDve8GQ4l0EtRhg8irxGB next end

config vpn ipsec phase2-interface edit "My_VPNp2" set encapsulation transport-mode set keylife-type both set pfs disable set phase1name "My_VPN" set proposal 3des-sha1 aes256-md5 aes192-sha1 set replay disable set keylifekbs 250000 set keylifeseconds 3600 next end

config firewall policy edit 19 set srcintf "My_VPN" set dstintf "internal" set srcaddr "ipsec_network" set dstaddr "Access_network" set action accept set schedule "always" set service "ANY" set logtraffic enable next end

 

What am i missing or doing wrong here!?

Please assist

 

2 REPLIES 2
Rewanta_FTNT
Staff
Staff

possible reason:

 

'ifindex=2 in the ike debug' is where the ike packet are recieved from vpn dailoer. check if wan2 index is 2. 

 

diag netlink interface list 

 

you will see index=x for wan2 in the output. 

 

 

kgosi

Thanks for the reply

 

This is what im getting

 

if=wan2 family=00 type=1 index=2 mtu=1500 link=0 master=0 ref=220 state=start present flags=up broadcast run multicast