damianhlozano
Contributor

GRE over IPsec between Fortigate and Mikrotik routers

Hello Team!!!

I recently created a GRE VPN over IPsec between a Fortigate and a Mikrotik, following this: https://www.linkedin.com/pulse/configur ... eros-denys
This VPN never worked; I get the following error:
Mikrotik side:

09:19:32 ipsec,error phase1 negotiation failed due to time up PublicIpMKT[500]<=>PublicIpFGT[500] 23496e323ff1fc23:0000000000000000
09:19:32 ipsec,info initiate new phase 1 (Identity Protection): PublicIpMKT[500]<=>PublicIpFGT[500]

 

Fortigate side: 

date=2022-10-12 time=09:23:24 logid="0101037128" type="event" subtype="vpn" level="error" vd="root" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action="negotiate" remip=PublicIpMKT locip=PublicIpFGT remport=500 locport=500 outintf="wan1" cookies="b30f4d9b6a2aa208/0000000000000000" user="N/A" group="N/A" useralt="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="failure" init="remote" mode="main" dir="inbound" stage=1 role="responder" result="ERROR" advpnsc=0 utmref=0:1665577404
date=2022-10-12 time=09:23:24 logid="0101037124" type="event" subtype="vpn" level="error" vd="root" logdesc="IPsec phase 1 error" msg="IPsec phase 1 error" action="negotiate" remip=PublicIpMKT locip=PublicIpFGT remport=500 locport=500 outintf="wan1" cookies="b30f4d9b6a2aa208/0000000000000000" user="N/A" group="N/A" useralt="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="negotiate_error" reason="peer SA proposal not match local policy" peer_notif="NOT-APPLICABLE" advpnsc=0 utmref=0:1665577404

 

However, I see the same settings.
Any idea?


Thanks in advance.
Regards,
Damián

aionescu
Staff

Hi @damianhlozano 

 

Can you please share the relevant configuration and also the output of the following commands, where x.x.x.x is the IP address of the remote peer:

diagnose debug reset
diagnose debug console timestamp enable
diagnose vpn ike log-filter dst-addr4 x.x.x.x
diagnose debug application ike -1
diagnose debug enable

damianhlozano

Hello @aionescu ,

 

Thanks for your answer!!

Below the output, followed by the settings in the Fortigate side:

 

FGT80F-PL-Alem # diagnose debug enable

FGT80F-PL-Alem # 2022-10-12 11:42:24.590602 ike 0:aPacheco-W1:aPacheco-W1: IPsec SA connect 5 PublicIpFGT->PublicIpMKT:0
2022-10-12 11:42:24.590704 ike 0:aPacheco-W1: ignoring request to establish IPsec SA, no policy configured
2022-10-12 11:42:24.753032 ike 0: comes PublicIpMKT:500->PublicIpFGT:500,ifindex=5,vrf=0....
2022-10-12 11:42:24.753100 ike 0: IKEv1 exchange=Identity Protection id=a638cf808bbc84fd/0000000000000000 len=388 vrf=0
2022-10-12 11:42:24.753133 ike 0: in
2022-10-12 11:42:24.753208 ike 0:a638cf808bbc84fd/0000000000000000:6489: responder: main mode get 1st message...
2022-10-12 11:42:24.753251 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID RFC 3947 4A131C81070358455C5728F20E95452F
2022-10-12 11:42:24.753289 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID draft-ietf-ipsec-nat-t-ike-08 8F8D83826D246B6FC7A8A6A428C11DE8
2022-10-12 11:42:24.753326 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID draft-ietf-ipsec-nat-t-ike-07 439B59F8BA676C4C7737AE22EAB8F582
2022-10-12 11:42:24.753363 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID draft-ietf-ipsec-nat-t-ike-06 4D1E0E136DEAFA34C4F3EA9F02EC7285
2022-10-12 11:42:24.753401 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID draft-ietf-ipsec-nat-t-ike-05 80D0BB3DEF54565EE84645D4C85CE3EE
2022-10-12 11:42:24.753437 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID draft-ietf-ipsec-nat-t-ike-04 9909B64EED937C6573DE52ACE952FA6B
2022-10-12 11:42:24.753474 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
2022-10-12 11:42:24.753511 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
2022-10-12 11:42:24.753548 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
2022-10-12 11:42:24.753585 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
2022-10-12 11:42:24.753622 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
2022-10-12 11:42:24.753659 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
2022-10-12 11:42:24.753695 ike 0:a638cf808bbc84fd/0000000000000000:6489: VID DPD AFCAD71368A1F1C96B8696FC77570100
2022-10-12 11:42:24.753748 ike 0:aPacheco-W1: ignoring IKE request, no policy configured
2022-10-12 11:42:24.753785 ike 0:a638cf808bbc84fd/0000000000000000:6489: negotiation failure
2022-10-12 11:42:24.753860 ike Negotiate ISAKMP SA Error: 2022-10-12 11:42:24.753899 ike 0:a638cf808bbc84fd/0000000000000000:6489: no SA proposal chosen
2022-10-12 11:42:29.600619 ike 0:aPacheco-W1:aPacheco-W1: IPsec SA connect 5 PublicIpFGT->PublicIpMKT:0
2022-10-12 11:42:29.600722 ike 0:aPacheco-W1: ignoring request to establish IPsec SA, no policy configured
2022-10-12 11:42:34.610611 ike 0:aPacheco-W1:aPacheco-W1: IPsec SA connect 5 PublicIpFGT->PublicIpMKT:0
2022-10-12 11:42:34.610712 ike 0:aPacheco-W1: ignoring request to establish IPsec SA, no policy configured
2022-10-12 11:42:34.755887 ike 0: comes PublicIpMKT:500->PublicIpFGT:500,ifindex=5,vrf=0....
2022-10-12 11:42:34.755957 ike 0: IKEv1 exchange=Identity Protection id=a638cf808bbc84fd/0000000000000000 len=388 vrf=0
2022-10-12 11:42:34.755990 ike 0: in
2022-10-12 11:42:34.756068 ike 0:a638cf808bbc84fd/0000000000000000:6490: responder: main mode get 1st message...
2022-10-12 11:42:34.756111 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID RFC 3947 4A131C81070358455C5728F20E95452F
2022-10-12 11:42:34.756149 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID draft-ietf-ipsec-nat-t-ike-08 8F8D83826D246B6FC7A8A6A428C11DE8
2022-10-12 11:42:34.756186 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID draft-ietf-ipsec-nat-t-ike-07 439B59F8BA676C4C7737AE22EAB8F582
2022-10-12 11:42:34.756223 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID draft-ietf-ipsec-nat-t-ike-06 4D1E0E136DEAFA34C4F3EA9F02EC7285
2022-10-12 11:42:34.756260 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID draft-ietf-ipsec-nat-t-ike-05 80D0BB3DEF54565EE84645D4C85CE3EE
2022-10-12 11:42:34.756297 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID draft-ietf-ipsec-nat-t-ike-04 9909B64EED937C6573DE52ACE952FA6B
2022-10-12 11:42:34.756333 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
2022-10-12 11:42:34.756370 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
2022-10-12 11:42:34.756407 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
2022-10-12 11:42:34.756444 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
2022-10-12 11:42:34.756480 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
2022-10-12 11:42:34.756517 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
2022-10-12 11:42:34.756553 ike 0:a638cf808bbc84fd/0000000000000000:6490: VID DPD AFCAD71368A1F1C96B8696FC77570100
2022-10-12 11:42:34.756605 ike 0:aPacheco-W1: ignoring IKE request, no policy configured
2022-10-12 11:42:34.756641 ike 0:a638cf808bbc84fd/0000000000000000:6490: negotiation failure
2022-10-12 11:42:34.756715 ike Negotiate ISAKMP SA Error: 2022-10-12 11:42:34.756752 ike 0:a638cf808bbc84fd/0000000000000000:6490: no SA proposal chosen
2022-10-12 11:42:34.756857 ike shrank heap by 159744 bytes
2022-10-12 11:42:39.620598 ike 0:aPacheco-W1:aPacheco-W1: IPsec SA connect 5 PublicIpFGT->PublicIpMKT:0
2022-10-12 11:42:39.620694 ike 0:aPacheco-W1: ignoring request to establish IPsec SA, no policy configured
2022-10-12 11:42:44.630642 ike 0:aPacheco-W1:aPacheco-W1: IPsec SA connect 5 PublicIpFGT->PublicIpMKT:0
2022-10-12 11:42:44.630747 ike 0:aPacheco-W1: ignoring request to establish IPsec SA, no policy configured
2022-10-12 11:42:44.752119 ike 0: comes PublicIpMKT:500->PublicIpFGT:500,ifindex=5,vrf=0....
2022-10-12 11:42:44.752184 ike 0: IKEv1 exchange=Identity Protection id=a638cf808bbc84fd/0000000000000000 len=388 vrf=0
2022-10-12 11:42:44.752216 ike 0: in
2022-10-12 11:42:44.752296 ike 0:a638cf808bbc84fd/0000000000000000:6491: responder: main mode get 1st message...
2022-10-12 11:42:44.752339 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID RFC 3947 4A131C81070358455C5728F20E95452F
2022-10-12 11:42:44.752377 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-08 8F8D83826D246B6FC7A8A6A428C11DE8
2022-10-12 11:42:44.752415 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-07 439B59F8BA676C4C7737AE22EAB8F582
2022-10-12 11:42:44.752452 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-06 4D1E0E136DEAFA34C4F3EA9F02EC7285
2022-10-12 11:42:44.752489 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-05 80D0BB3DEF54565EE84645D4C85CE3EE
2022-10-12 11:42:44.752526 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-04 9909B64EED937C6573DE52ACE952FA6B
2022-10-12 11:42:44.752563 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
2022-10-12 11:42:44.752600 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
2022-10-12 11:42:44.752636 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
2022-10-12 11:42:44.752673 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
2022-10-12 11:42:44.752710 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
2022-10-12 11:42:44.752746 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
2022-10-12 11:42:44.752782 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID DPD AFCAD71368A1F1C96B8696FC77570100
2022-10-12 11:42:44.752835 ike 0:aPacheco-W1: ignoring IKE request, no policy configured
2022-10-12 11:42:44.752872 ike 0:a638cf808bbc84fd/0000000000000000:6491: negotiation failure
2022-10-12 11:42:44.752952 ike Negotiate ISAKMP SA Error: 2022-10-12 11:42:44.752987 ike 0:a638cf808bbc84fd/0000000000000000:6491: no SA proposal chosen


config vpn ipsec phase1-interface
    edit "aPacheco-W1"
        set interface "wan1"
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dpd on-idle
        set dhgrp 5 14
        set auto-discovery-sender enable
        set remote-gw PublicIpMKT
        set psksecret ENC UbOZkSUO5Y5C4zX9krwTkHmkjis87FpwIquYKTvDMAV83Ov5OWT+1RBjGtoab5efwc4EPqFOd8XaAwM0LiIBKstKWWafvp3Sjzrw2xSU+jknOF3PeKNn4YXo4PC1iod2WkNrZUeNdXuyd1SacdpLHOhIYxQYHIr1B02x295hQ7h69uCH+Z1TQGR5N+3T/iQVHRBIUA==
        set dpd-retryinterval 5
    next
end

config vpn ipsec phase2-interface
    edit "aPacheco-W1"
        set phase1name "aPacheco-W1"
        set proposal aes256-sha256
        set dhgrp 5 14
        set auto-negotiate enable
        set encapsulation transport-mode
        set protocol 47
    next
end

config system gre-tunnel
    edit "GREaPacheco-W1"
        set interface "aPacheco-W1"
        set remote-gw PublicIpMKT
        set local-gw PublicIpFGT
    next
end

config system interface
    edit "GREaPacheco-W1"
        set vdom "root"
        set ip 172.22.1.45 255.255.255.255
        set type tunnel
        set remote-ip 172.22.1.46 255.255.255.252
        set snmp-index 19
        set interface "aPacheco-W1"
    next
end

 

Thanks in advance.

Regards,

Damián

sagha
Staff

Hi damianhlozano, 

 

Do you have firewall policies configured on FGT?

 

Thank you. 

Shahan

damianhlozano

Hello @sagha, thanks for your answer,

 

Yes, I have the following policies:

 

config firewall policy
    edit 5
        set name "Enable IPsec"
        set uuid 01c94e4a-3460-51ed-6e80-6bbc13c7b2b4
        set srcintf "GREaPacheco-W1"
        set dstintf "GREaPacheco-W1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
    edit 6
        set name "GRE Alem->Pacheco"
        set uuid 3c211f14-3460-51ed-6c32-b504549cb2ba
        set srcintf "internal"
        set dstintf "GREaPacheco-W1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
    edit 7
        set name "GRE Pacheco->Alem"
        set uuid 57afcadc-3460-51ed-9db1-b53782bc23f7
        set srcintf "GREaPacheco-W1"
        set dstintf "internal"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end

 

 

 

Thanks in advance.

Regards,

Damián

damianhlozano

Output: 

2022-10-12 11:42:34.756641 ike 0:a638cf808bbc84fd/0000000000000000:6490: negotiation failure
2022-10-12 11:42:34.756715 ike Negotiate ISAKMP SA Error: 2022-10-12 11:42:34.756752 ike 0:a638cf808bbc84fd/0000000000000000:6490: no SA proposal chosen
2022-10-12 11:42:34.756857 ike shrank heap by 159744 bytes
2022-10-12 11:42:39.620598 ike 0:aPacheco-W1:aPacheco-W1: IPsec SA connect 5 PublicIpFGT->PublicIpMKT:0
2022-10-12 11:42:39.620694 ike 0:aPacheco-W1: ignoring request to establish IPsec SA, no policy configured
2022-10-12 11:42:44.630642 ike 0:aPacheco-W1:aPacheco-W1: IPsec SA connect 5 PublicIpFGT->PublicIpMKT:0
2022-10-12 11:42:44.630747 ike 0:aPacheco-W1: ignoring request to establish IPsec SA, no policy configured
2022-10-12 11:42:44.752119 ike 0: comes PublicIpMKT:500->PublicIpFGT:500,ifindex=5,vrf=0....
2022-10-12 11:42:44.752184 ike 0: IKEv1 exchange=Identity Protection id=a638cf808bbc84fd/0000000000000000 len=388 vrf=0
2022-10-12 11:42:44.752216 ike 0: in A638CF808BBC84FD00000000000000000110020000000000000001840D000064000000010000000100000058010100020300002801010000800B0001000C00040001518080010007800E010080030001800200048004000E0000002802010000800B0001000C00040001518080010007800E01008003000180020004800400050D0000144A131C81070358455C5728F20E95452F0D0000148F8D83826D246B6FC7A8A6A428C11DE80D000014439B59F8BA676C4C7737AE22EAB8F5820D0000144D1E0E136DEAFA34C4F3EA9F02EC72850D00001480D0BB3DEF54565EE84645D4C85CE3EE0D0000149909B64EED937C6573DE52ACE952FA6B0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D00001412F5F28C457168A9702D9FE274CC010000000014AFCAD71368A1F1C96B8696FC77570100
2022-10-12 11:42:44.752296 ike 0:a638cf808bbc84fd/0000000000000000:6491: responder: main mode get 1st message...
2022-10-12 11:42:44.752339 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID RFC 3947 4A131C81070358455C5728F20E95452F
2022-10-12 11:42:44.752377 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-08 8F8D83826D246B6FC7A8A6A428C11DE8
2022-10-12 11:42:44.752415 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-07 439B59F8BA676C4C7737AE22EAB8F582
2022-10-12 11:42:44.752452 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-06 4D1E0E136DEAFA34C4F3EA9F02EC7285
2022-10-12 11:42:44.752489 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-05 80D0BB3DEF54565EE84645D4C85CE3EE
2022-10-12 11:42:44.752526 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-04 9909B64EED937C6573DE52ACE952FA6B
2022-10-12 11:42:44.752563 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
2022-10-12 11:42:44.752600 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
2022-10-12 11:42:44.752636 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
2022-10-12 11:42:44.752673 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
2022-10-12 11:42:44.752710 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
2022-10-12 11:42:44.752746 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
2022-10-12 11:42:44.752782 ike 0:a638cf808bbc84fd/0000000000000000:6491: VID DPD AFCAD71368A1F1C96B8696FC77570100
2022-10-12 11:42:44.752835 ike 0:aPacheco-W1: ignoring IKE request, no policy configured
2022-10-12 11:42:44.752872 ike 0:a638cf808bbc84fd/0000000000000000:6491: negotiation failure
2022-10-12 11:42:44.752952 ike Negotiate ISAKMP SA Error: 2022-10-12 11:42:44.752987 ike 0:a638cf808bbc84fd/0000000000000000:6491: no SA proposal chosen

damianhlozano
Contributor

Hello team,

With the output of the command aionescu asked for, and using Google, I was able to solve the issue myself.

The issue was that I had created a policy from GRE to GRE on the FGT, but instead of this I needed a policy from the IPsec interface to the IPsec interface. After changing this, it started to work.

Thanks!!!

 

Regards,

Damián

aionescu

Hello @damianhlozano

Great to hear you solved the issue! 
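
What the Mikrotik actually offered in phase 1 can be read out of the `ike 0: in` hex dump in the debug output posted in this thread. The sketch below is an added example, not part of the original posts or of any Fortinet tooling: it decodes the IKEv1 SA payload from the first 128 bytes of that dump and compares the result with the posted `phase1-interface` proposal. The function names and the `LOCAL` table are assumptions made for illustration.

```python
import struct

# First 128 bytes (ISAKMP header + SA payload) of the packet the FortiGate
# logged as "ike 0: in ..." at 11:42:44.752216 in the thread.
PACKET = bytes.fromhex(
    "A638CF808BBC84FD0000000000000000" "01100200" "00000000" "00000184"
    "0D000064" "00000001" "00000001" "00000058" "01010002"
    "03000028" "01010000" "800B0001" "000C000400015180"
    "80010007" "800E0100" "80030001" "80020004" "8004000E"
    "00000028" "02010000" "800B0001" "000C000400015180"
    "80010007" "800E0100" "80030001" "80020004" "80040005")
# IKEv1 attribute classes and values (RFC 2409 appendix A, IANA registry).
ATTR = {1: "enc", 2: "hash", 3: "auth", 4: "dhgrp", 14: "keylen"}
ENC = {5: "3des", 7: "aes"}
HASH = {1: "md5", 2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}
# Local side, taken from the posted phase1-interface (proposal and dhgrp).
LOCAL = {"proposal": {"aes256-sha256"}, "dhgrp": {5, 14}}

def parse_attrs(buf):
    out, i = {}, 0
    while i + 4 <= len(buf):
        kind, val = struct.unpack_from(">HH", buf, i)
        i += 4
        if not kind & 0x8000:        # AF bit clear: val is a length, data follows
            val, i = int.from_bytes(buf[i:i + val], "big"), i + val
        out[ATTR.get(kind & 0x7FFF, kind & 0x7FFF)] = val
    return out

def peer_proposals(packet):
    """List (proposal, dhgrp) for each transform in a main-mode first message."""
    if packet[16] != 1 or packet[18] != 2:   # next payload = SA, exchange = main mode
        raise ValueError("expected an Identity Protection message starting with SA")
    sa_len = struct.unpack_from(">H", packet, 30)[0]
    sa = packet[28:28 + sa_len]
    off = 12 + 8 + sa[18]            # SA header, DOI, situation, proposal header, SPI
    found = []
    while off + 8 <= len(sa):
        more, _, tlen = struct.unpack_from(">BBH", sa, off)
        if tlen < 8:
            raise ValueError("malformed transform payload")
        a = parse_attrs(sa[off + 8:off + tlen])
        enc = f"{ENC.get(a.get('enc'), a.get('enc'))}{a.get('keylen', '')}"
        found.append((f"{enc}-{HASH.get(a.get('hash'), a.get('hash'))}", a.get("dhgrp")))
        off += tlen
        if more == 0:                # 3 = another transform follows, 0 = last
            break
    return found

def matching(transforms, local=LOCAL):
    return [t for t in transforms
            if t[0] in local["proposal"] and t[1] in local["dhgrp"]]

if __name__ == "__main__":
    print(peer_proposals(PACKET), matching(peer_proposals(PACKET)))
```

Both offered transforms (AES-256, SHA-256, DH groups 14 and 5) are acceptable to the posted phase 1 settings, which is consistent with the fix reported in the thread: `no SA proposal chosen` appeared together with `ignoring IKE request, no policy configured`, not with a mismatch in the crypto parameters.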
