
Amazon cloud VPN errors

Hey guys,


I've been looking into this error we keep getting on our VPN tunnel to Amazon cloud, but I'm not getting any further.

Message meets Alert condition date=2015-11-27 time=12:39:27 devname=FW10018 devid=FGT90DSERIAL logid=0101037130 type=event subtype=vpn level=error vd="root" logdesc="Progress IPsec phase 2" msg="progress IPsec phase 2" action=negotiate remip=52.x.x.x locip=213.x.x.x remport=500 locport=500 outintf="wan1" cookies="0caac---------------644" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="VPN-ZIMPA" status=failure init=remote mode=quick dir=inbound stage=1 role=responder result=ERROR  


Any idea where this is coming from?


The setup:


    edit "VPNAMAZON"
        set interface "wan1"
        set nattraversal disable
        set keylife 28800
        set proposal aes128-sha1
        set localid "ourlocalid"
        set comments "Amazon-IKE-vpn"
        set dhgrp 2
        set remote-gw 52.x.x.x
        set psksecret ENC supersecret


    edit "VPNAMAZON"
        set phase1name "VPNAMAZON"
        set proposal aes128-sha1
        set dhgrp 2
        set keepalive enable
        set keylifeseconds 3600
        set src-subnet 10.x.x.x
        set dst-subnet 172.x.x.x

I tried enabling dpd but that doesn't take. It's not coming up in the config?

Though, in the GUI I do see it.


Hope anyone can help out with this.

(edit: too many spaces lol)


No one? :(




Message meets Alert condition date=2015-11-27 time=12:39:27 devname=FW10018 devid=FGT90DSERIAL logid=0101037130 type=event subtype=vpn level=error vd="root" logdesc="Progress IPsec phase 2" msg="progress IPsec phase 2" action=negotiate remip=52.x.x.x locip=213.x.x.x remport=500 locport=500 outintf="wan1" cookies="0caac---------------644" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="VPN-ZIMPA" status=failure init=remote mode=quick dir=inbound stage=1 role=responder result=ERROR


- VPN fails in Phase-2 negotiation, FGT is responder.
- Hence, when trying to establish the VPN, please collect output for the following commands. As FGT is responder you will see the quick-mode-msg-1 received on FGT with the remote selector parameters, using which you can find out the possible cause.


diag deb reset
diag vpn ike log-filter clear
diag vpn ike log-filter dst-addr4 52.x.x.x
diag deb app ike -1
diag deb en

to disable debugging:
# diag deb disable
# diag deb reset





Thanks! Running it now


Of course, the errors don't show during the debug.. ffs..

Retrying Wednesday (got the day off tomorrow)


ike 0:VPNAMAZON:21830:1416004: responder received first quick-mode message
ike 0:VPNAMAZON:21830: dec [...]
ike 0:VPNAMAZON:21830:1416004: peer proposal is: peer:0:, me:0:
ike 0:VPNAMAZON:21830:VPNAMAZON:1416004: trying
ike 0:VPNAMAZON:21830:1416004: specified selectors mismatch
ike 0:VPNAMAZON:21830:1416004: peer: type=7/7, local=0:, remote=0:
ike 0:VPNAMAZON:21830:1416004: mine: type=7/7, local=0:10.x.x.0-10.x.x.255:0, remote=0:172.x.x.0-172.x.x.255:0
ike 0:VPNAMAZON:21830:1416004: no matching phase2 found
ike 0:VPNAMAZON:21830:1416004: failed to get responder proposal
ike 0:VPNAMAZON:21830: error processing quick-mode message from 52.x.x.4 as responder



I expect it to be the other side of the VPN not having the right peer proposal.

Have sent them the info..



ike 0:VPNAMAZON:21830:1416004: specified selectors mismatch
ike 0:VPNAMAZON:21830:1416004: peer: type=7/7, local=0:, remote=0:
ike 0:VPNAMAZON:21830:1416004: mine: type=7/7, local=0:10.x.x.0-10.x.x.255:0, remote=0:172.x.x.0-172.x.x.255:0
ike 0:VPNAMAZON:21830:1416004: no matching phase2 found

On the remote end device they can configure the selectors as the specific subnets seen above. Else, on the FGT, you can change the quick-mode selector to match the remote end config; the SA will come up, and you control the interface-based VPN traffic via the static route with out-interface VPNAMAZON. This step is possible only if you have configured interface-vpn, not tunnel-vpn.
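As an added example (not part of this thread or of Fortinet's tooling), here is a small Python parser over constructed lines in the format of the `diag deb app ike -1` output quoted above. It pulls the `peer:` and `mine:` quick-mode selectors, compares them, and reports the `src-subnet`/`dst-subnet` values the FGT phase2 would need to match the peer's proposal. The peer addresses in the thread's paste are blank, so the sample fills them with the full 0.0.0.0-255.255.255.255 range as a constructed placeholder; the assumption that the daemon prints the peer selectors in the FGT's own orientation is noted in the code.

```python
import re
from ipaddress import IPv4Address, summarize_address_range

# Constructed sample in the shape of the 'diag deb app ike -1' lines quoted in
# the thread; addresses are placeholders, not the poster's real ranges.
SAMPLE_DEBUG = """\
ike 0:VPNAMAZON:21830:1416004: responder received first quick-mode message
ike 0:VPNAMAZON:21830:1416004: specified selectors mismatch
ike 0:VPNAMAZON:21830:1416004: peer: type=7/7, local=0:0.0.0.0-255.255.255.255:0, remote=0:0.0.0.0-255.255.255.255:0
ike 0:VPNAMAZON:21830:1416004: mine: type=7/7, local=0:10.1.1.0-10.1.1.255:0, remote=0:172.16.1.0-172.16.1.255:0
ike 0:VPNAMAZON:21830:1416004: no matching phase2 found
"""

# One selector side as printed by the IKE daemon: <proto>:<first>-<last>:<port>.
SEL_RE = re.compile(
    r"\b(?P<side>peer|mine): type=\d+/\d+, "
    r"local=\d+:(?P<l1>[\d.]+)-(?P<l2>[\d.]+):\d+, "
    r"remote=\d+:(?P<r1>[\d.]+)-(?P<r2>[\d.]+):\d+"
)

def range_to_cidrs(first, last):
    """Collapse an address range into the CIDR list a phase2 src/dst-subnet would use."""
    nets = summarize_address_range(IPv4Address(first), IPv4Address(last))
    return [str(n) for n in nets]

def parse_selectors(debug_text):
    """Return {'peer': {'local': [...], 'remote': [...]}, 'mine': {...}} from the debug."""
    found = {}
    for line in debug_text.splitlines():
        m = SEL_RE.search(line)
        if m:
            found[m["side"]] = {
                "local": range_to_cidrs(m["l1"], m["l2"]),
                "remote": range_to_cidrs(m["r1"], m["r2"]),
            }
    return found

def diagnose(debug_text):
    """Explain a 'specified selectors mismatch' and what the FGT phase2 would need.

    Assumption: the daemon prints the peer's selectors already in the FGT's
    orientation (local = our src-subnet side), since it compares them to 'mine'.
    """
    sel = parse_selectors(debug_text)
    if "peer" not in sel or "mine" not in sel:
        return {"mismatch": False, "reason": "no quick-mode selector lines found"}
    mismatch = sel["peer"] != sel["mine"]
    return {
        "mismatch": mismatch,
        "peer": sel["peer"],
        "mine": sel["mine"],
        # Values that would make the FGT phase2 selectors match the peer's proposal.
        "needed_src_subnet": sel["peer"]["local"] if mismatch else None,
        "needed_dst_subnet": sel["peer"]["remote"] if mismatch else None,
    }
```

Running `diagnose(SAMPLE_DEBUG)` reports the mismatch and that both phase2 selectors would have to be 0.0.0.0/0 for this constructed peer, which is the "change it on my side" outcome the thread ends with.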



Thanks buddy for helping me out. I will let you know when the 'other side' has changed settings and if that helped or not :)


Seems on Amazon they cannot change it. So I changed it on my side. Looks stable for now. Thanks.



Managed to apply the debug on other VPN connection as well ;)
