Problem with IPSec VPN
Hi all,
Sometimes one of our VPNs does not come up. When this happens, this is what we get:
ike 0:VPN_NAME_:VPN_NAME__ph2-10: IPsec SA connect 8 OUR_IP->REMOTE_IP:500, natt_mode=0
ike 0:VPN_NAME_: using existing connection, dpd_fail=0
ike 0:VPN_NAME_: found phase2 VPN_NAME__ph2-10
ike 0:VPN_NAME_: IPsec SA connect 8 OUR_IP->REMOTE_IP:500 negotiating
ike 0:VPN_NAME_:8: cookie 61b4455598b04bea/fbdab48ecd5111c5:fddcfd97
ike 0:VPN_NAME_:8:VPN_NAME__ph2-10:3617: initiator selectors 0 0:10.200.1.0/255.255.255.0:0:0->0:172.24.7.0/255.255.255.0:0:0
ike 0:VPN_NAME_:8: sent IKE msg (quick_i1send): OUR_IP:500->REMOTE_IP:500, len=172
ike 0:VPN_NAME_:8: sent IKE msg (P2_RETRANSMIT): OUR_IP:500->REMOTE_IP:500, len=172
ike 0:VPN_NAME_:VPN_NAME__ph2-10: IPsec SA connect 8 OUR_IP->REMOTE_IP:500, natt_mode=0
ike 0:VPN_NAME_: using existing connection, dpd_fail=0
ike 0:VPN_NAME_: found phase2 VPN_NAME__ph2-10
ike 0:VPN_NAME_:8: sent IKE msg (P2_RETRANSMIT): OUR_IP:500->REMOTE_IP:500, len=172
ike 0:VPN_NAME_:VPN_NAME__ph2-10: IPsec SA connect 8 OUR_IP->REMOTE_IP:500, natt_mode=0
ike 0:VPN_NAME_: using existing connection, dpd_fail=0
ike 0:VPN_NAME_: found phase2 VPN_NAME__ph2-10
ike 0:VPN_NAME_:8: sent IKE msg (P2_RETRANSMIT): OUR_IP:500->REMOTE_IP:500, len=172
ike 0:VPN_NAME_:8: sent IKE msg (P2_RETRANSMIT): OUR_IP:500->REMOTE_IP:500, len=172
ike 0:VPN_NAME_:8:VPN_NAME__ph2-10:3617: quick-mode negotiation failed due to retry timeout
On the other side there is a Cisco appliance.
Could you help me with the debugging?
Thanks
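The posted debug output shows the FortiGate sending its quick mode (Phase 2) message, retransmitting it four times and then giving up, with nothing coming back from the peer in between. The following is an added triage helper, not part of the original post or of FortiOS: it parses IKE debug lines of this shape, pulls out the proposed selectors, counts the retransmits and any inbound packets, and states the conclusion a practitioner would draw. The sample text is the output quoted above with its placeholder names kept; the "comes" marker for inbound IKE packets is an assumption about FortiGate's debug format.

```python
import re
from ipaddress import ip_network

# Constructed sample: the debug lines from the post above, with the
# placeholder names and addresses kept exactly as they appear there.
SAMPLE_LOG = """\
ike 0:VPN_NAME_:VPN_NAME__ph2-10: IPsec SA connect 8 OUR_IP->REMOTE_IP:500, natt_mode=0
ike 0:VPN_NAME_: using existing connection, dpd_fail=0
ike 0:VPN_NAME_: found phase2 VPN_NAME__ph2-10
ike 0:VPN_NAME_: IPsec SA connect 8 OUR_IP->REMOTE_IP:500 negotiating
ike 0:VPN_NAME_:8: cookie 61b4455598b04bea/fbdab48ecd5111c5:fddcfd97
ike 0:VPN_NAME_:8:VPN_NAME__ph2-10:3617: initiator selectors 0 0:10.200.1.0/255.255.255.0:0:0->0:172.24.7.0/255.255.255.0:0:0
ike 0:VPN_NAME_:8: sent IKE msg (quick_i1send): OUR_IP:500->REMOTE_IP:500, len=172
ike 0:VPN_NAME_:8: sent IKE msg (P2_RETRANSMIT): OUR_IP:500->REMOTE_IP:500, len=172
ike 0:VPN_NAME_:8: sent IKE msg (P2_RETRANSMIT): OUR_IP:500->REMOTE_IP:500, len=172
ike 0:VPN_NAME_:8: sent IKE msg (P2_RETRANSMIT): OUR_IP:500->REMOTE_IP:500, len=172
ike 0:VPN_NAME_:8: sent IKE msg (P2_RETRANSMIT): OUR_IP:500->REMOTE_IP:500, len=172
ike 0:VPN_NAME_:8:VPN_NAME__ph2-10:3617: quick-mode negotiation failed due to retry timeout
"""

# "initiator selectors 0 0:<net>/<mask>:0:0->0:<net>/<mask>:0:0"
SELECTOR_RE = re.compile(
    r"initiator selectors \d+ \d+:([\d.]+/[\d.]+):\d+:\d+->\d+:([\d.]+/[\d.]+):\d+:\d+"
)
SENT_RE = re.compile(r"sent IKE msg \((\w+)\)")
FAILED_RE = re.compile(r"quick-mode negotiation failed due to (.+)$")


def triage_phase2(log_text):
    """Summarise one Phase 2 attempt from FortiGate 'diagnose debug application ike' output."""
    summary = {"local": None, "remote": None, "initial_sends": 0,
               "retransmits": 0, "peer_replies": 0, "failure": None}
    for line in log_text.splitlines():
        m = SELECTOR_RE.search(line)
        if m:
            # Normalise dotted netmasks to prefix length for readability.
            summary["local"] = str(ip_network(m.group(1), strict=False))
            summary["remote"] = str(ip_network(m.group(2), strict=False))
            continue
        m = SENT_RE.search(line)
        if m:
            if m.group(1) == "P2_RETRANSMIT":
                summary["retransmits"] += 1
            else:
                summary["initial_sends"] += 1
            continue
        # Assumption: inbound IKE packets are logged as "comes <src>-><dst>".
        # No such line appears in the posted output, i.e. the peer stayed silent.
        if " comes " in line:
            summary["peer_replies"] += 1
            continue
        m = FAILED_RE.search(line)
        if m:
            summary["failure"] = m.group(1).strip()
    return summary


def diagnose(summary):
    """Turn the summary into the conclusion a practitioner would draw."""
    if summary["failure"] and summary["retransmits"] and summary["peer_replies"] == 0:
        return ("peer never answered quick mode for %s -> %s: check that the remote side "
                "has a matching Phase 2 selector (proxy identity) and proposal"
                % (summary["local"], summary["remote"]))
    if summary["failure"]:
        return "quick mode failed: " + summary["failure"]
    return "no Phase 2 failure found"


if __name__ == "__main__":
    result = triage_phase2(SAMPLE_LOG)
    print(result)
    print(diagnose(result))
```

Run it against a captured debug session instead of `SAMPLE_LOG` to get the selector pair the remote side must be able to match; a peer that silently drops the quick mode message rather than sending a notify is exactly what the repeated `P2_RETRANSMIT` lines with no inbound packet look like.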
3 REPLIES
This is a Phase 2 mismatch, most likely due to multiple subnets on either side of the encryption domain. For a FortiGate to Cisco IPsec VPN, you will need to have multiple Phase 2 policies if there are multiple subnets on either end. For example, if your site has two /24 networks and the other side also has two /24 networks, you will need 4 Phase 2 policies. Sucks, but it's the only way around it, and if someone disagrees with me, please show me the light, cause this is the biggest PITA with these things.
SPY
Agreed
Also, if the networks are contiguous you can get by with one. Also ensure you match the Phase 2 proposal, and if you're listing more than 2 proposals, eliminate one and specify the proposal that you really want.
e.g.
3des-md5 aes128-sha = bad
Specify either 3des-md5 or aes128, but not both. I found this approach rules out the devices' negotiation of the Phase 1/2 proposals. The Cisco/FGT should use the 1st match, but sometimes it doesn't work that way for me.
PCNSE
NSE
StrongSwan
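The first reply says a FortiGate-to-Cisco tunnel needs one Phase 2 selector pair per (local subnet, remote subnet) combination, and the second adds that contiguous networks can be summarised into one. The code below is an added example, not from either poster or from Fortinet: it computes the pairs from two subnet lists (summarising adjacent or overlapping subnets first, as the second reply suggests) and checks whether the selector an initiator proposed, such as the `10.200.1.0/24 -> 172.24.7.0/24` seen in the debug output above, is covered by what the peer has configured. All subnet values are constructed; `ipaddress.subnet_of` needs Python 3.7 or later.

```python
from ipaddress import ip_network, collapse_addresses
from itertools import product


def phase2_selectors(local_subnets, remote_subnets):
    """Return the (local, remote) selector pairs needed when each Phase 2
    must carry exactly one subnet pair. Contiguous or overlapping subnets are
    summarised first, so two adjacent /24s collapse into one /23 and need only
    one pair per remote subnet."""
    local = list(collapse_addresses(ip_network(n) for n in local_subnets))
    remote = list(collapse_addresses(ip_network(n) for n in remote_subnets))
    return [(str(l), str(r)) for l, r in product(local, remote)]


def selector_covered(configured_pairs, local, remote):
    """True if the proposed selector falls inside one of the peer's configured
    (local, remote) pairs; False means the peer has no matching proxy identity,
    which is the mismatch the thread describes."""
    l, r = ip_network(local), ip_network(remote)
    return any(l.subnet_of(ip_network(pl)) and r.subnet_of(ip_network(pr))
               for pl, pr in configured_pairs)


if __name__ == "__main__":
    # Constructed example: two non-adjacent /24s on each side -> 4 pairs.
    for pair in phase2_selectors(["10.200.1.0/24", "10.200.2.0/24"],
                                 ["172.24.7.0/24", "172.24.8.0/24"]):
        print("%s -> %s" % pair)

    # Adjacent /24s summarise to a /23 -> a single pair.
    print(phase2_selectors(["10.200.2.0/24", "10.200.3.0/24"], ["172.24.7.0/24"]))

    # The selector from the posted debug output, checked against a peer that
    # only has 10.200.2.0/24 configured for that remote network.
    print(selector_covered([("10.200.2.0/24", "172.24.7.0/24")],
                           "10.200.1.0/24", "172.24.7.0/24"))
```

The pairs returned are what becomes the FortiGate's Phase 2 selectors on one side and the Cisco crypto ACL entries (or the equivalent traffic selectors) on the other; `selector_covered` is the check to run with the initiator's selector from the debug output before touching proposals.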
Isn't it that you can use an address group on the FGT, containing multiple IP address ranges/subnets? And that this feature just doesn't work against a Cisco VPN? But should work FGT-to-FGT?
Ede Kernel panic: Aiee, killing interrupt handler!