Hi,
I have a problem in phase 2. The only encryption I can choose is either DES or NULL on the server side. In client side on the other hand I have all options, but I choose DES, so the settings on both sides match.
However I get Negotiate IPsec SA Error as no proposal was chosen. In the debug I see, that the server offers only DES ciphers, as instructed, however my VPN client proposes 3DES, AES, AES-CBC - so it's no surprise there is no match.
I'm running an evaluation license on the FortiGate VPN and FortiClient 7.2.3.0822
Any ideas how I could solve that?
You can set both client-side proposals to be the same, thus functionally restrict the offer.
With that said, the FortiGate is expected to pick the matching set out of a list of offers. Are you sure it's not failing match on something else than encryption?
If you can, sharing the ike debug from FortiGate could help.
Created on 02-22-2024 02:52 AM Edited on 02-22-2024 02:57 AM
Edit - I also tried rolling back the client to v6 or even 5, but that did not change :(
Hi. So the part I think is relevant is pasted below. From the configuration side it does look like I have matching settings.
ike V=root:0:forti_vpn_0:49:forti_vpn:171: my proposal:
ike V=root:0:forti_vpn_0:49:forti_vpn:171: proposal id = 1:
ike V=root:0:forti_vpn_0:49:forti_vpn:171: protocol id = IPSEC_ESP:
ike V=root:0:forti_vpn_0:49:forti_vpn:171: PFS DH group = 14
ike V=root:0:forti_vpn_0:49:forti_vpn:171: trans_id = ESP_DES
ike V=root:0:forti_vpn_0:49:forti_vpn:171: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike V=root:0:forti_vpn_0:49:forti_vpn:171: type = AUTH_ALG, val=MD5
ike V=root:0:forti_vpn_0:49:forti_vpn:171: trans_id = ESP_DES
ike V=root:0:forti_vpn_0:49:forti_vpn:171: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike V=root:0:forti_vpn_0:49:forti_vpn:171: type = AUTH_ALG, val=SHA1
ike V=root:0:forti_vpn_0:49:forti_vpn:171: proposal id = 2:
ike V=root:0:forti_vpn_0:49:forti_vpn:171: protocol id = IPSEC_ESP:
ike V=root:0:forti_vpn_0:49:forti_vpn:171: PFS DH group = 2
ike V=root:0:forti_vpn_0:49:forti_vpn:171: trans_id = ESP_DES
ike V=root:0:forti_vpn_0:49:forti_vpn:171: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike V=root:0:forti_vpn_0:49:forti_vpn:171: type = AUTH_ALG, val=MD5
ike V=root:0:forti_vpn_0:49:forti_vpn:171: trans_id = ESP_DES
ike V=root:0:forti_vpn_0:49:forti_vpn:171: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike V=root:0:forti_vpn_0:49:forti_vpn:171: type = AUTH_ALG, val=SHA1
ike V=root:0:forti_vpn_0:49:forti_vpn:171: proposal id = 3:
ike V=root:0:forti_vpn_0:49:forti_vpn:171: protocol id = IPSEC_ESP:
ike V=root:0:forti_vpn_0:49:forti_vpn:171: PFS DH group = 1
ike V=root:0:forti_vpn_0:49:forti_vpn:171: trans_id = ESP_DES
ike V=root:0:forti_vpn_0:49:forti_vpn:171: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike V=root:0:forti_vpn_0:49:forti_vpn:171: type = AUTH_ALG, val=MD5
ike V=root:0:forti_vpn_0:49:forti_vpn:171: trans_id = ESP_DES
ike V=root:0:forti_vpn_0:49:forti_vpn:171: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike V=root:0:forti_vpn_0:49:forti_vpn:171: type = AUTH_ALG, val=SHA1
ike V=root:0:forti_vpn_0:49:forti_vpn:171: incoming proposal:
ike V=root:0:forti_vpn_0:49:forti_vpn:171: proposal id = 1:
ike V=root:0:forti_vpn_0:49:forti_vpn:171: protocol id = IPSEC_ESP:
ike V=root:0:forti_vpn_0:49:forti_vpn:171: PFS DH group = 1
ike V=root:0:forti_vpn_0:49:forti_vpn:171: trans_id = ESP_3DES
ike V=root:0:forti_vpn_0:49:forti_vpn:171: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
ike V=root:0:forti_vpn_0:49:forti_vpn:171: type = AUTH_ALG, val=SHA1
ike V=root:0:forti_vpn_0:49:forti_vpn:171: trans_id = ESP_3DES
ike V=root:0:forti_vpn_0:49:forti_vpn:171: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
ike V=root:0:forti_vpn_0:49:forti_vpn:171: type = AUTH_ALG, val=SHA2_256
ike V=root:0:forti_vpn_0:49:forti_vpn:171: trans_id = ESP_3DES
ike V=root:0:forti_vpn_0:49:forti_vpn:171: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
ike V=root:0:forti_vpn_0:49:forti_vpn:171: type = AUTH_ALG, val=SHA2_384
ike V=root:0:forti_vpn_0:49:forti_vpn:171: trans_id = ESP_3DES
ike V=root:0:forti_vpn_0:49:forti_vpn:171: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
ike V=root:0:forti_vpn_0:49:forti_vpn:171: type = AUTH_ALG, val=SHA2_512
ike V=root:0:forti_vpn_0:49:forti_vpn:171: trans_id = ESP_AES_CBC (key_len = 128)
ike V=root:0:forti_vpn_0:49:forti_vpn:171: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
ike V=root:0:forti_vpn_0:49:forti_vpn:171: type = AUTH_ALG, val=SHA1
ike V=root:0:forti_vpn_0:49:forti_vpn:171: trans_id = ESP_AES_CBC (key_len = 128)
ike V=root:0:forti_vpn_0:49:forti_vpn:171: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
ike V=root:0:forti_vpn_0:49:forti_vpn:171: type = AUTH_ALG, val=SHA2_256
ike V=root:0:forti_vpn_0:49:forti_vpn:171: trans_id = ESP_AES_CBC (key_len = 128)
ike V=root:0:forti_vpn_0:49:forti_vpn:171: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
ike V=root:0:forti_vpn_0:49:forti_vpn:171: type = AUTH_ALG, val=SHA2_384
ike V=root:0:forti_vpn_0:49:forti_vpn:171: trans_id = ESP_AES_CBC (key_len = 128)
ike V=root:0:forti_vpn_0:49:forti_vpn:171: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
ike V=root:0:forti_vpn_0:49:forti_vpn:171: type = AUTH_ALG, val=SHA2_512
ike V=root:0:forti_vpn_0:49:forti_vpn:171: trans_id = ESP_AES_CBC (key_len = 192)
ike V=root:0:forti_vpn_0:49:forti_vpn:171: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
ike V=root:0:forti_vpn_0:49:forti_vpn:171: type = AUTH_ALG, val=SHA1
ike V=root:0:forti_vpn_0:49:forti_vpn:171: trans_id = ESP_AES_CBC (key_len = 192)
ike V=root:0:forti_vpn_0:49:forti_vpn:171: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
ike V=root:0:forti_vpn_0:49:forti_vpn:171: type = AUTH_ALG, val=SHA2_256
ike V=root:0:forti_vpn_0:49:forti_vpn:171: trans_id = ESP_AES_CBC (key_len = 192)
ike V=root:0:forti_vpn_0:49:forti_vpn:171: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
ike V=root:0:forti_vpn_0:49:forti_vpn:171: type = AUTH_ALG, val=SHA2_384
ike V=root:0:forti_vpn_0:49:forti_vpn:171: trans_id = ESP_AES_CBC (key_len = 192)
ike V=root:0:forti_vpn_0:49:forti_vpn:171: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
ike V=root:0:forti_vpn_0:49:forti_vpn:171: type = AUTH_ALG, val=SHA2_512
ike V=root:0:forti_vpn_0:49:forti_vpn:171: trans_id = ESP_AES_CBC (key_len = 256)
ike V=root:0:forti_vpn_0:49:forti_vpn:171: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
ike V=root:0:forti_vpn_0:49:forti_vpn:171: type = AUTH_ALG, val=SHA1
ike V=root:0:forti_vpn_0:49:forti_vpn:171: trans_id = ESP_AES_CBC (key_len = 256)
ike V=root:0:forti_vpn_0:49:forti_vpn:171: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
ike V=root:0:forti_vpn_0:49:forti_vpn:171: type = AUTH_ALG, val=SHA2_256
ike V=root:0:forti_vpn_0:49:forti_vpn:171: trans_id = ESP_AES_CBC (key_len = 256)
ike V=root:0:forti_vpn_0:49:forti_vpn:171: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
ike V=root:0:forti_vpn_0:49:forti_vpn:171: type = AUTH_ALG, val=SHA2_384
ike V=root:0:forti_vpn_0:49:forti_vpn:171: trans_id = ESP_AES_CBC (key_len = 256)
ike V=root:0:forti_vpn_0:49:forti_vpn:171: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
ike V=root:0:forti_vpn_0:49:forti_vpn:171: type = AUTH_ALG, val=SHA2_512
ike V=root:0:forti_vpn_0:49:forti_vpn:171: negotiation failure
ike V=root:Negotiate IPsec SA Error:
ike V=root:0:forti_vpn_0:49:171: no SA proposal chosen
Created on 02-22-2024 04:53 AM Edited on 02-22-2024 04:53 AM
The FortiGate is configured to accept DES-MD5 or DES-SHA1, each with DH group 1, 2, or 14.
The (Forti?)Client offers 3DES, or AES-CBC(128/192/256) + SHA1/256/384/512, plus DH group 1. It does not offer DES.
So this is still a mismatch. Not sure if the client is refusing to save or negotiate the DES that is configured per your screenshot.
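To make the comparison above mechanical, here is an added example (written for this thread, not code from any of the posters or from Fortinet): a small Python script that parses the FortiGate `ike` debug lines into sets of ESP transforms for both sides and then performs the same check the responder does, which is looking for a transform that both sides allow on encryption, key length, integrity algorithm and PFS DH group together. It assumes the line layout shown in the dump above (a `V=...:` prefix followed by `my proposal:` / `incoming proposal:` sections); the encapsulation attribute is deliberately not compared, because the NAT-T tunnel variant is settled by NAT detection in phase 1 rather than by proposal matching. The embedded debug text is an abridged, constructed excerpt of the dump in this thread.

```python
import re
from collections import namedtuple

# One IKEv1 quick-mode transform as the FortiGate prints it: cipher, key length
# (0 when the cipher has a fixed key size such as DES/3DES), integrity algorithm
# and PFS DH group. Encapsulation mode is intentionally left out (see lead-in).
Transform = namedtuple("Transform", "enc key_len auth dh")

# Constructed, abridged excerpt of the `diagnose debug application ike` output
# posted above: two of the FortiGate's DES-only proposals and two of the
# client's 3DES/AES transforms. Enough to reproduce the "no SA proposal chosen".
SAMPLE_DEBUG = """\
ike V=root:0:forti_vpn_0:49:forti_vpn:171: my proposal:
ike V=root:0:forti_vpn_0:49:forti_vpn:171: proposal id = 1:
ike V=root:0:forti_vpn_0:49:forti_vpn:171: protocol id = IPSEC_ESP:
ike V=root:0:forti_vpn_0:49:forti_vpn:171: PFS DH group = 14
ike V=root:0:forti_vpn_0:49:forti_vpn:171: trans_id = ESP_DES
ike V=root:0:forti_vpn_0:49:forti_vpn:171: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike V=root:0:forti_vpn_0:49:forti_vpn:171: type = AUTH_ALG, val=MD5
ike V=root:0:forti_vpn_0:49:forti_vpn:171: trans_id = ESP_DES
ike V=root:0:forti_vpn_0:49:forti_vpn:171: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike V=root:0:forti_vpn_0:49:forti_vpn:171: type = AUTH_ALG, val=SHA1
ike V=root:0:forti_vpn_0:49:forti_vpn:171: proposal id = 3:
ike V=root:0:forti_vpn_0:49:forti_vpn:171: protocol id = IPSEC_ESP:
ike V=root:0:forti_vpn_0:49:forti_vpn:171: PFS DH group = 1
ike V=root:0:forti_vpn_0:49:forti_vpn:171: trans_id = ESP_DES
ike V=root:0:forti_vpn_0:49:forti_vpn:171: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike V=root:0:forti_vpn_0:49:forti_vpn:171: type = AUTH_ALG, val=SHA1
ike V=root:0:forti_vpn_0:49:forti_vpn:171: incoming proposal:
ike V=root:0:forti_vpn_0:49:forti_vpn:171: proposal id = 1:
ike V=root:0:forti_vpn_0:49:forti_vpn:171: protocol id = IPSEC_ESP:
ike V=root:0:forti_vpn_0:49:forti_vpn:171: PFS DH group = 1
ike V=root:0:forti_vpn_0:49:forti_vpn:171: trans_id = ESP_3DES
ike V=root:0:forti_vpn_0:49:forti_vpn:171: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
ike V=root:0:forti_vpn_0:49:forti_vpn:171: type = AUTH_ALG, val=SHA1
ike V=root:0:forti_vpn_0:49:forti_vpn:171: trans_id = ESP_AES_CBC (key_len = 128)
ike V=root:0:forti_vpn_0:49:forti_vpn:171: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
ike V=root:0:forti_vpn_0:49:forti_vpn:171: type = AUTH_ALG, val=SHA1
ike V=root:0:forti_vpn_0:49:forti_vpn:171: negotiation failure
"""

DH_RE = re.compile(r"PFS DH group = (\d+)")
TRANS_RE = re.compile(r"trans_id = (ESP_\w+)(?: \(key_len = (\d+)\))?")
AUTH_RE = re.compile(r"type = AUTH_ALG, val=(\w+)")


def parse_proposals(debug_text):
    """Return {"my": set(Transform), "incoming": set(Transform)} from ike debug lines.

    A transform is complete once its AUTH_ALG line is seen; the DH group is
    inherited from the most recent "PFS DH group" line of the current proposal.
    """
    sides = {"my": set(), "incoming": set()}
    side, dh, enc, key_len = None, None, None, None
    for raw in debug_text.splitlines():
        if ": " not in raw:          # e.g. "ike V=root:Negotiate IPsec SA Error:"
            continue
        body = raw.split(": ", 1)[1].strip()   # drop the "ike V=...:171:" prefix
        if body == "my proposal:":
            side = "my"
            continue
        if body == "incoming proposal:":
            side = "incoming"
            continue
        if side is None:
            continue
        if m := DH_RE.match(body):
            dh = int(m.group(1))
        elif m := TRANS_RE.match(body):
            enc, key_len = m.group(1), int(m.group(2) or 0)
        elif (m := AUTH_RE.match(body)) and enc is not None:
            sides[side].add(Transform(enc, key_len, m.group(1), dh))
            enc, key_len = None, None
    return sides


def choose_sa(sides):
    """Transforms acceptable to both sides; an empty list is 'no SA proposal chosen'."""
    return sorted(sides["my"] & sides["incoming"])


def explain_mismatch(sides):
    """Per-attribute view (FortiGate values, client values) to locate the mismatch."""
    mine, theirs = sides["my"], sides["incoming"]
    pick = lambda ts, f: sorted({getattr(t, f) for t in ts})
    return {f: (pick(mine, f), pick(theirs, f)) for f in ("enc", "auth", "dh")}


if __name__ == "__main__":
    sides = parse_proposals(SAMPLE_DEBUG)
    matches = choose_sa(sides)
    if matches:
        print("chosen:", matches[0])
    else:
        print("no SA proposal chosen")
        for attr, (mine, theirs) in explain_mismatch(sides).items():
            print(f"  {attr}: FortiGate={mine} client={theirs}")
```

Running it on the excerpt reports no match and shows that the only attribute with an empty intersection is `enc` (FortiGate: ESP_DES; client: ESP_3DES, ESP_AES_CBC), while SHA1 and DH group 1 do overlap. That is the same conclusion as the reply above, and the script is a quick way to confirm on a fresh dump whether the client has started offering DES after a settings change.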
Created on 02-22-2024 04:54 AM Edited on 02-22-2024 04:56 AM
Yeah - that is exactly what beats me... I do wonder if my operating system has something to do with it - I'm running MACOS on M1 processor...
The confusing part is that Phase1 accepts DES and it only fails during phase2
DES is ancient, so I wouldn't be surprised if some systems simply didn't offer it. With that said, if it's not possible with the underlying OS, then FortiClient should not offer it as an option (=at least a visual bug).
If you have the chance, try with the same nominal client version on a different OS. That may give a hint if this is MACOS-specific.
Here's a similar discussion from a year ago on reddit: https://www.reddit.com/r/MacOS/comments/111cgne/ikev2_vpn_not_working_on_new_m1_mbp_exact_same/
Interestingly, the poster there reports having issues with M1 Mac but not with a 2019 intel-Mac. (Using windows RAS for VPN)
So your guess is probably right that this is a limitation/hardening in M1 versions.
I'm trying that - but it seems Windows client is trying to establish connection on port 500 and it does not work (MAC is doing it on 4500).
I wonder if there is a way to enable stronger ciphers on server-side. Or is it a limitation of a trial license?
Trial FGT VM is severely restricted in terms of crypto, no way around it. That is expected.
UDP/500 is the standard initial port for IKEv1, expected to switch to 4500 once NAT-T is detected. Make sure you're not blocking this port (or anybody else on the path, including mean ISPs).