Hey guys,
I've been looking into this error we keep getting on our VPN tunnel to Amazon cloud, but I'm not getting any further.
Message meets Alert condition date=2015-11-27 time=12:39:27 devname=FW10018 devid=FGT90DSERIAL logid=0101037130 type=event subtype=vpn level=error vd="root" logdesc="Progress IPsec phase 2" msg="progress IPsec phase 2" action=negotiate remip=52.x.x.x locip=213.x.x.x remport=500 locport=500 outintf="wan1" cookies="0caac---------------644" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="VPN-ZIMPA" status=failure init=remote mode=quick dir=inbound stage=1 role=responder result=ERROR
Any idea where this is coming from?
The setup:
config vpn ipsec phase1-interface
    edit "VPNAMAZON"
        set interface "wan1"
        set nattraversal disable
        set keylife 28800
        set proposal aes128-sha1
        set localid "ourlocalid"
        set comments "Amazon-IKE-vpn"
        set dhgrp 2
        set remote-gw 52.x.x.x
        set psksecret ENC supersecret
    next
end
config vpn ipsec phase2-interface
    edit "VPNAMAZON"
        set phase1name "VPNAMAZON"
        set proposal aes128-sha1
        set dhgrp 2
        set keepalive enable
        set keylifeseconds 3600
        set src-subnet 10.x.x.x 255.255.254.0
        set dst-subnet 172.x.x.x 255.255.0.0
    next
end
I tried enabling DPD but that doesn't take. It's not coming up in the config?
Though, in the GUI I do see it.
Hope anyone can help out with this.
(edit: too many spaces lol)
No one? :(
Hello
Message meets Alert condition date=2015-11-27 time=12:39:27 devname=FW10018 devid=FGT90DSERIAL logid=0101037130 type=event subtype=vpn level=error vd="root" logdesc="Progress IPsec phase 2" msg="progress IPsec phase 2" action=negotiate remip=52.x.x.x locip=213.x.x.x remport=500 locport=500 outintf="wan1" cookies="0caac---------------644" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="VPN-ZIMPA" status=failure init=remote mode=quick dir=inbound stage=1 role=responder result=ERROR
- VPN fails in Phase-2 negotiation, FGT is responder.
- Hence, when trying to establish the VPN, please collect output for the following commands. As FGT is responder you will see quick-mode-msg-1 received on FGT with the remote selector parameters, using which you can find out the possible cause:

diag deb reset
diag vpn ike log-filter clear
diag vpn ike log-filter dst-addr4 52.x.x.x
diag deb app ike -1
diag deb en

To disable debugging:
# diag deb disable
# diag deb reset
Regards
Anil
anil.nayak wrote: [quotes the reply above]
Thanks! Running it now
Of course, the errors don't show during the debug.. ffs..
Retrying wednesday (got the day off tomorrow)
ike 0:VPNAMAZON:21830:1416004: responder received first quick-mode message
ike 0:VPNAMAZON:21830: dec [...]
ike 0:VPNAMAZON:21830:1416004: peer proposal is: peer:0:0.0.0.0-255.255.255.255:0, me:0:0.0.0.0-255.255.255.255:0
ike 0:VPNAMAZON:21830:VPNAMAZON:1416004: trying
ike 0:VPNAMAZON:21830:1416004: specified selectors mismatch
ike 0:VPNAMAZON:21830:1416004: peer: type=7/7, local=0:0.0.0.0-255.255.255.255:0, remote=0:0.0.0.0-255.255.255.255:0
ike 0:VPNAMAZON:21830:1416004: mine: type=7/7, local=0:10.x.x.0-10.x.x.255:0, remote=0:172.x.x.0-172.x.x.255:0
ike 0:VPNAMAZON:21830:1416004: no matching phase2 found
ike 0:VPNAMAZON:21830:1416004: failed to get responder proposal
ike 0:VPNAMAZON:21830: error processing quick-mode message from 52.x.x.4 as responder
-edit-
I expect it to be the other side of the VPN not having the right peer proposal.
Have sent them the info..
Hello,
ike 0:VPNAMAZON:21830:1416004: specified selectors mismatch
ike 0:VPNAMAZON:21830:1416004: peer: type=7/7, local=0:0.0.0.0-255.255.255.255:0, remote=0:0.0.0.0-255.255.255.255:0
ike 0:VPNAMAZON:21830:1416004: mine: type=7/7, local=0:10.x.x.0-10.x.x.255:0, remote=0:172.x.x.0-172.x.x.255:0
ike 0:VPNAMAZON:21830:1416004: no matching phase2 found

On the remote end device they can configure the selectors as the specific subnets seen above. Otherwise, on the FGT you can change the quick-mode selectors to 0.0.0.0/0 to match the remote end config; the SA will come up, and you then control the interface-based VPN traffic via a static route with out-interface VPNAMAZON. This step is only possible if you have configured an interface-based VPN, not a tunnel-mode VPN.
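The route-based fix described above, written out as an added example; this is not configuration from the thread or from Fortinet. It assumes the phase1-interface "VPNAMAZON" from the first post, that the LAN sits behind an interface named "internal" (an assumption), and that the 10.x.x.x/23 and 172.x.x.x/16 placeholders stand for the real subnets. The phase2 selectors are widened to 0.0.0.0/0 so Amazon's any-to-any quick-mode proposal matches, and a static route plus a narrow firewall policy then decide what actually enters the tunnel:

```fortios
# Before: specific selectors, which the peer's 0.0.0.0/0 proposal never matches
config vpn ipsec phase2-interface
    edit "VPNAMAZON"
        set phase1name "VPNAMAZON"
        set src-subnet 10.x.x.x 255.255.254.0
        set dst-subnet 172.x.x.x 255.255.0.0
    next
end

# After: any-to-any selectors; traffic selection moves to routing and policy
config vpn ipsec phase2-interface
    edit "VPNAMAZON"
        set phase1name "VPNAMAZON"
        set proposal aes128-sha1
        set dhgrp 2
        set keepalive enable
        set keylifeseconds 3600
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# Static route: send the Amazon VPC range into the tunnel interface
config router static
    edit 0
        set dst 172.x.x.x 255.255.0.0
        set device "VPNAMAZON"
    next
end

# Address objects so the policy stays narrow even though the SA is 0.0.0.0/0
config firewall address
    edit "LAN-local"
        set subnet 10.x.x.x 255.255.254.0
    next
    edit "AWS-VPC"
        set subnet 172.x.x.x 255.255.0.0
    next
end

# One policy per direction; "internal" is an assumed LAN interface name
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "VPNAMAZON"
        set srcaddr "LAN-local"
        set dstaddr "AWS-VPC"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "VPNAMAZON"
        set dstintf "internal"
        set srcaddr "AWS-VPC"
        set dstaddr "LAN-local"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

With 0.0.0.0/0 selectors the SA itself no longer bounds which hosts may talk across the tunnel, so keep the policy source and destination to the named address objects rather than "all"; the route decides what goes into VPNAMAZON and the policy decides what is allowed. Re-run the IKE debug from the earlier reply after the change: the "mine:" selectors in the quick-mode exchange should now read 0.0.0.0-255.255.255.255 on both sides and "no matching phase2 found" should disappear.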
Thanks buddy for helping me out. I will let you know when the 'other side' has changed settings and if that helped or not :)
Seems on Amazon, they cannot change it. So I changed it on my side. Looks stable for now. Thanks.
p.s.
Managed to apply the debug on another VPN connection as well ;)
Copyright 2025 Fortinet, Inc. All Rights Reserved.