Hello Team!!!
I recently created a GRE VPN over IPsec between a Fortigate and a Mikrotik, following this: https://www.linkedin.com/pulse/configur ... eros-denys
This VPN never worked, I get the following error:
Mikrotik side:
09:19:32 ipsec,error phase1 negotiation failed due to time up PublicIpMKT[500]<=>PublicIpFGT[500] 23496e323ff1fc23:0000000000000000
09:19:32 ipsec,info initiate new phase 1 (Identity Protection): PublicIpMKT[500]<=>PublicIpFGT[500]
Fortigate side:
date=2022-10-12 time=09:23:24 logid="0101037128" type="event" subtype="vpn" level="error" vd="root" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action="negotiate" remip=PublicIpMKT locip=PublicIpFGT remport=500 locport=500 outintf="wan1" cookies="b30f4d9b6a2aa208/0000000000000000" user="N/A" group="N/A" useralt="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="failure" init="remote" mode="main" dir="inbound" stage=1 role="responder" result="ERROR" advpnsc=0 utmref=0:1665577404
date=2022-10-12 time=09:23:24 logid="0101037124" type="event" subtype="vpn" level="error" vd="root" logdesc="IPsec phase 1 error" msg="IPsec phase 1 error" action="negotiate" remip=PublicIpMKT locip=PublicIpFGT remport=500 locport=500 outintf="wan1" cookies="b30f4d9b6a2aa208/0000000000000000" user="N/A" group="N/A" useralt="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="negotiate_error" reason="peer SA proposal not match local policy" peer_notif="NOT-APPLICABLE" advpnsc=0 utmref=0:1665577404
However, I see the same settings.
Any Idea?
Thanks in advance.
Regards,
Damián
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Can you, please share the relevant configuration and also the output of:
diagnose debug reset
diagnose debug console timestamp enable
diagnose vpn ike log-filter dst-addr4 x.x.x.x where x.x.x.x is the IP address of the remote peer.
diagnose debug application ike -1
diagnose debug enable
Hello @aionescu ,
Thanks for your answer!!
Below the output, followed by the settings in the Fortigate side:
FGT80F-PL-Alem # diagnose debug enable
FGT80F-PL-Alem # 2022-10-12 11:42:24.590602 ike 0:aPacheco-W1:aPacheco-W1: IPsec SA connect 5 PublicIpFGT->PublicIpMKT:0
2022-10-12 11:42:24.590704 ike 0:aPacheco-W1: ignoring request to establish IPsec SA, no policy configured
2022-10-12 11:42:24.753032 ike 0: comes PublicIpMKT:500->PublicIpFGT:500,ifindex=5,vrf=0....
2022-10-12 11:42:24.753100 ike 0: IKEv1 exchange=Identity Protection id=a638cf808bbc84fd/0000000000000000 len=388 vrf=0
2022-10-12 11:42:24.753133 ike 0: in A638CF808BBC84FD00000000000000000110020000000000000001840D000064000000010000000100000058010100020300002801010000800B0001000C00040001518080010007800E010080030001800200048004000E0000002802010000800B0001000C00040001518080010007800E01008003000180020004800400050D0000144A131C81070358455C5728F20E95452F0D0000148F8D83826D246B6FC7A8A6A428C11DE80D000014439B59F8BA676C4C7737AE22EAB8F5820D0000144D1E0E136DEAFA34C4F3EA9F02EC72850D00001480D0BB3DEF54565EE84645D4C85CE3EE0D0000149909B64EED937C6573DE52ACE952FA6B0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D00001412F5F28C457168A9702D9FE274CC010000000014AFCAD71368A1F1C96B8696FC77570100
2022-10-12 11:42:24.753208 ike 0:a638cf808bbc84fd/0000000000000000:6489: responder: main mode get 1st message...
2022-10-12 11:42:24.753251 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID RFC 3947 4A131C81070358455C5728F20E95452F
2022-10-12 11:42:24.753289 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID draft-ietf-ipsec-nat-t-ike-08 8F8D83826D246B6FC7A8A6A428C11DE8
2022-10-12 11:42:24.753326 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID draft-ietf-ipsec-nat-t-ike-07 439B59F8BA676C4C7737AE22EAB8F582
2022-10-12 11:42:24.753363 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID draft-ietf-ipsec-nat-t-ike-06 4D1E0E136DEAFA34C4F3EA9F02EC7285
2022-10-12 11:42:24.753401 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID draft-ietf-ipsec-nat-t-ike-05 80D0BB3DEF54565EE84645D4C85CE3EE
2022-10-12 11:42:24.753437 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID draft-ietf-ipsec-nat-t-ike-04 9909B64EED937C6573DE52ACE952FA6B
2022-10-12 11:42:24.753474 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
2022-10-12 11:42:24.753511 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
2022-10-12 11:42:24.753548 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
2022-10-12 11:42:24.753585 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
2022-10-12 11:42:24.753622 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
2022-10-12 11:42:24.753659 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
2022-10-12 11:42:24.753695 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID DPD AFCAD71368A1F1C96B8696FC77570100
2022-10-12 11:42:24.753748 ike 0:aPacheco-W1: ignoring IKE request, no policy configured
2022-10-12 11:42:24.753785 ike 0:a638cf808bbc84fd/0000000000000000:6489: negotiation failure
2022-10-12 11:42:24.753860 ike Negotiate ISAKMP SA Error: 2022-10-12 11:42:24.753899 ike 0:a638cf808bbc84fd/0000000000000000:6489: no SA proposal chosen
2022-10-12 11:42:29.600619 ike 0:aPacheco-W1:aPacheco-W1: IPsec SA connect 5 PublicIpFGT->PublicIpMKT:0
2022-10-12 11:42:29.600722 ike 0:aPacheco-W1: ignoring request to establish IPsec SA, no policy configured
2022-10-12 11:42:34.610611 ike 0:aPacheco-W1:aPacheco-W1: IPsec SA connect 5 PublicIpFGT->PublicIpMKT:0
2022-10-12 11:42:34.610712 ike 0:aPacheco-W1: ignoring request to establish IPsec SA, no policy configured
2022-10-12 11:42:34.755887 ike 0: comes PublicIpMKT:500->PublicIpFGT:500,ifindex=5,vrf=0....
2022-10-12 11:42:34.755957 ike 0: IKEv1 exchange=Identity Protection id=a638cf808bbc84fd/0000000000000000 len=388 vrf=0
2022-10-12 11:42:34.755990 ike 0: in A638CF808BBC84FD00000000000000000110020000000000000001840D000064000000010000000100000058010100020300002801010000800B0001000C00040001518080010007800E010080030001800200048004000E0000002802010000800B0001000C00040001518080010007800E01008003000180020004800400050D0000144A131C81070358455C5728F20E95452F0D0000148F8D83826D246B6FC7A8A6A428C11DE80D000014439B59F8BA676C4C7737AE22EAB8F5820D0000144D1E0E136DEAFA34C4F3EA9F02EC72850D00001480D0BB3DEF54565EE84645D4C85CE3EE0D0000149909B64EED937C6573DE52ACE952FA6B0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D00001412F5F28C457168A9702D9FE274CC010000000014AFCAD71368A1F1C96B8696FC77570100
2022-10-12 11:42:34.756068 ike 0:a638cf808bbc84fd/0000000000000000:6490: responder: main mode get 1st message...
2022-10-12 11:42:34.756111 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID RFC 3947 4A131C81070358455C5728F20E95452F
2022-10-12 11:42:34.756149 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID draft-ietf-ipsec-nat-t-ike-08 8F8D83826D246B6FC7A8A6A428C11DE8
2022-10-12 11:42:34.756186 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID draft-ietf-ipsec-nat-t-ike-07 439B59F8BA676C4C7737AE22EAB8F582
2022-10-12 11:42:34.756223 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID draft-ietf-ipsec-nat-t-ike-06 4D1E0E136DEAFA34C4F3EA9F02EC7285
2022-10-12 11:42:34.756260 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID draft-ietf-ipsec-nat-t-ike-05 80D0BB3DEF54565EE84645D4C85CE3EE
2022-10-12 11:42:34.756297 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID draft-ietf-ipsec-nat-t-ike-04 9909B64EED937C6573DE52ACE952FA6B
2022-10-12 11:42:34.756333 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
2022-10-12 11:42:34.756370 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
2022-10-12 11:42:34.756407 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
2022-10-12 11:42:34.756444 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
2022-10-12 11:42:34.756480 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
2022-10-12 11:42:34.756517 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
2022-10-12 11:42:34.756553 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID DPD AFCAD71368A1F1C96B8696FC77570100
2022-10-12 11:42:34.756605 ike 0:aPacheco-W1: ignoring IKE request, no policy configured
2022-10-12 11:42:34.756641 ike 0:a638cf808bbc84fd/0000000000000000:6490: negotiation failure
2022-10-12 11:42:34.756715 ike Negotiate ISAKMP SA Error: 2022-10-12 11:42:34.756752 ike 0:a638cf808bbc84fd/0000000000000000:6490: no SA proposal chosen
2022-10-12 11:42:34.756857 ike shrank heap by 159744 bytes
2022-10-12 11:42:39.620598 ike 0:aPacheco-W1:aPacheco-W1: IPsec SA connect 5 PublicIpFGT->PublicIpMKT:0
2022-10-12 11:42:39.620694 ike 0:aPacheco-W1: ignoring request to establish IPsec SA, no policy configured
2022-10-12 11:42:44.630642 ike 0:aPacheco-W1:aPacheco-W1: IPsec SA connect 5 PublicIpFGT->PublicIpMKT:0
2022-10-12 11:42:44.630747 ike 0:aPacheco-W1: ignoring request to establish IPsec SA, no policy configured
2022-10-12 11:42:44.752119 ike 0: comes PublicIpMKT:500->PublicIpFGT:500,ifindex=5,vrf=0....
2022-10-12 11:42:44.752184 ike 0: IKEv1 exchange=Identity Protection id=a638cf808bbc84fd/0000000000000000 len=388 vrf=0
2022-10-12 11:42:44.752216 ike 0: in A638CF808BBC84FD00000000000000000110020000000000000001840D000064000000010000000100000058010100020300002801010000800B0001000C00040001518080010007800E010080030001800200048004000E0000002802010000800B0001000C00040001518080010007800E01008003000180020004800400050D0000144A131C81070358455C5728F20E95452F0D0000148F8D83826D246B6FC7A8A6A428C11DE80D000014439B59F8BA676C4C7737AE22EAB8F5820D0000144D1E0E136DEAFA34C4F3EA9F02EC72850D00001480D0BB3DEF54565EE84645D4C85CE3EE0D0000149909B64EED937C6573DE52ACE952FA6B0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D00001412F5F28C457168A9702D9FE274CC010000000014AFCAD71368A1F1C96B8696FC77570100
2022-10-12 11:42:44.752296 ike 0:a638cf808bbc84fd/0000000000000000:6491: responder: main mode get 1st message...
2022-10-12 11:42:44.752339 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID RFC 3947 4A131C81070358455C5728F20E95452F
2022-10-12 11:42:44.752377 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-08 8F8D83826D246B6FC7A8A6A428C11DE8
2022-10-12 11:42:44.752415 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-07 439B59F8BA676C4C7737AE22EAB8F582
2022-10-12 11:42:44.752452 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-06 4D1E0E136DEAFA34C4F3EA9F02EC7285
2022-10-12 11:42:44.752489 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-05 80D0BB3DEF54565EE84645D4C85CE3EE
2022-10-12 11:42:44.752526 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-04 9909B64EED937C6573DE52ACE952FA6B
2022-10-12 11:42:44.752563 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
2022-10-12 11:42:44.752600 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
2022-10-12 11:42:44.752636 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
2022-10-12 11:42:44.752673 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
2022-10-12 11:42:44.752710 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
2022-10-12 11:42:44.752746 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
2022-10-12 11:42:44.752782 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID DPD AFCAD71368A1F1C96B8696FC77570100
2022-10-12 11:42:44.752835 ike 0:aPacheco-W1: ignoring IKE request, no policy configured
2022-10-12 11:42:44.752872 ike 0:a638cf808bbc84fd/0000000000000000:6491: negotiation failure
2022-10-12 11:42:44.752952 ike Negotiate ISAKMP SA Error: 2022-10-12 11:42:44.752987 ike 0:a638cf808bbc84fd/0000000000000000:6491: no SA proposal chosen
config vpn ipsec phase1-interface
edit "aPacheco-W1"
set interface "wan1"
set peertype any
set net-device disable
set proposal aes256-sha256
set dpd on-idle
set dhgrp 5 14
set auto-discovery-sender enable
set remote-gw PublicIpMKT
set psksecret ENC UbOZkSUO5Y5C4zX9krwTkHmkjis87FpwIquYKTvDMAV83Ov5OWT+1RBjGtoab5efwc4EPqFOd8XaAwM0LiIBKstKWWafvp3Sjzrw2xSU+jknOF3PeKNn4YXo4PC1iod2WkNrZUeNdXuyd1SacdpLHOhIYxQYHIr1B02x295hQ7h69uCH+Z1TQGR5N+3T/iQVHRBIUA==
set dpd-retryinterval 5
next
end
config vpn ipsec phase2-interface
edit "aPacheco-W1"
set phase1name "aPacheco-W1"
set proposal aes256-sha256
set dhgrp 5 14
set auto-negotiate enable
set encapsulation transport-mode
set protocol 47
next
end
config system gre-tunnel
edit "GREaPacheco-W1"
set interface "aPacheco-W1"
set remote-gw PublicIpMKT
set local-gw PublicIpFGT
next
end
config system interface
edit "GREaPacheco-W1"
set vdom "root"
set ip 172.22.1.45 255.255.255.255
set type tunnel
set remote-ip 172.22.1.46 255.255.255.252
set snmp-index 19
set interface "aPacheco-W1"
next
end
Thanks in advance.
Regards,
Damián
Hello @sagha, thanks for your answer,
Yes, I have the following policies:
config firewall policy
edit 5
set name "Enable IPsec"
set uuid 01c94e4a-3460-51ed-6e80-6bbc13c7b2b4
set srcintf "GREaPacheco-W1"
set dstintf "GREaPacheco-W1"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
next
edit 6
set name "GRE Alem->Pacheco"
set uuid 3c211f14-3460-51ed-6c32-b504549cb2ba
set srcintf "internal"
set dstintf "GREaPacheco-W1"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
next
edit 7
set name "GRE Pacheco->Alem"
set uuid 57afcadc-3460-51ed-9db1-b53782bc23f7
set srcintf "GREaPacheco-W1"
set dstintf "internal"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
next
end
Thanks in advance.
Regards,
Damián
Output:
2022-10-12 11:42:34.756641 ike 0:a638cf808bbc84fd/0000000000000000:6490: negotiation failure
2022-10-12 11:42:34.756715 ike Negotiate ISAKMP SA Error: 2022-10-12 11:42:34.756752 ike 0:a638cf808bbc84fd/0000000000000000:6490: no SA proposal chosen
2022-10-12 11:42:34.756857 ike shrank heap by 159744 bytes
2022-10-12 11:42:39.620598 ike 0:aPacheco-W1:aPacheco-W1: IPsec SA connect 5 PublicIpFGT->PublicIpMKT:0
2022-10-12 11:42:39.620694 ike 0:aPacheco-W1: ignoring request to establish IPsec SA, no policy configured
2022-10-12 11:42:44.630642 ike 0:aPacheco-W1:aPacheco-W1: IPsec SA connect 5 PublicIpFGT->PublicIpMKT:0
2022-10-12 11:42:44.630747 ike 0:aPacheco-W1: ignoring request to establish IPsec SA, no policy configured
2022-10-12 11:42:44.752119 ike 0: comes PublicIpMKT:500->PublicIpFGT:500,ifindex=5,vrf=0....
2022-10-12 11:42:44.752184 ike 0: IKEv1 exchange=Identity Protection id=a638cf808bbc84fd/0000000000000000 len=388 vrf=0
2022-10-12 11:42:44.752216 ike 0: in A638CF808BBC84FD00000000000000000110020000000000000001840D000064000000010000000100000058010100020300002801010000800B0001000C00040001518080010007800E010080030001800200048004000E0000002802010000800B0001000C00040001518080010007800E01008003000180020004800400050D0000144A131C81070358455C5728F20E95452F0D0000148F8D83826D246B6FC7A8A6A428C11DE80D000014439B59F8BA676C4C7737AE22EAB8F5820D0000144D1E0E136DEAFA34C4F3EA9F02EC72850D00001480D0BB3DEF54565EE84645D4C85CE3EE0D0000149909B64EED937C6573DE52ACE952FA6B0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D00001412F5F28C457168A9702D9FE274CC010000000014AFCAD71368A1F1C96B8696FC77570100
2022-10-12 11:42:44.752296 ike 0:a638cf808bbc84fd/0000000000000000:6491: responder: main mode get 1st message...
2022-10-12 11:42:44.752339 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID RFC 3947 4A131C81070358455C5728F20E95452F
2022-10-12 11:42:44.752377 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-08 8F8D83826D246B6FC7A8A6A428C11DE8
2022-10-12 11:42:44.752415 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-07 439B59F8BA676C4C7737AE22EAB8F582
2022-10-12 11:42:44.752452 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-06 4D1E0E136DEAFA34C4F3EA9F02EC7285
2022-10-12 11:42:44.752489 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-05 80D0BB3DEF54565EE84645D4C85CE3EE
2022-10-12 11:42:44.752526 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-04 9909B64EED937C6573DE52ACE952FA6B
2022-10-12 11:42:44.752563 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
2022-10-12 11:42:44.752600 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
2022-10-12 11:42:44.752636 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
2022-10-12 11:42:44.752673 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
2022-10-12 11:42:44.752710 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
2022-10-12 11:42:44.752746 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
2022-10-12 11:42:44.752782 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID DPD AFCAD71368A1F1C96B8696FC77570100
2022-10-12 11:42:44.752835 ike 0:aPacheco-W1: ignoring IKE request, no policy configured
2022-10-12 11:42:44.752872 ike 0:a638cf808bbc84fd/0000000000000000:6491: negotiation failure
2022-10-12 11:42:44.752952 ike Negotiate ISAKMP SA Error: 2022-10-12 11:42:44.752987 ike 0:a638cf808bbc84fd/0000000000000000:6491: no SA proposal chosen
Settings:
config vpn ipsec phase1-interface
edit "aPacheco-W1"
set interface "wan1"
set peertype any
set net-device disable
set proposal aes256-sha256
set dpd on-idle
set dhgrp 5 14
set auto-discovery-sender enable
set remote-gw PublicIpMKT
set psksecret ENC UbOZkSUO5Y5C4zX9krwTkHmkjis87FpwIquYKTvDMAV83Ov5OWT+1RBjGtoab5efwc4EPqFOd8XaAwM0LiIBKstKWWafvp3Sjzrw2xSU+jknOF3PeKNn4YXo4PC1iod2WkNrZUeNdXuyd1SacdpLHOhIYxQYHIr1B02x295hQ7h69uCH+Z1TQGR5N+3T/iQVHRBIUA==
set dpd-retryinterval 5
next
end
config vpn ipsec phase2-interface
edit "aPacheco-W1"
set phase1name "aPacheco-W1"
set proposal aes256-sha256
set dhgrp 5 14
set auto-negotiate enable
set encapsulation transport-mode
set protocol 47
next
end
config system gre-tunnel
edit "GREaPacheco-W1"
set interface "aPacheco-W1"
set remote-gw PublicIpMKT
set local-gw PublicIpFGT
next
end
config system interface
edit "GREaPacheco-W1"
set vdom "root"
set ip 172.22.1.45 255.255.255.255
set type tunnel
set remote-ip 172.22.1.46 255.255.255.252
set snmp-index 19
set interface "aPacheco-W1"
next
end
Hello team,
With the output of the command asked for aionesku, and using google, I could solve the issue by myself
The issue was that I had created a policy from GRE to GRE in FGT, but instead of this, I needed a policy from IPsec Interface to IPsec Interface, changing this started to work.
Thanks!!!
Regards,
Damián
Hello @damianhlozano,
Great to hear you solved the issue!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1641 | |
1069 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.