Hi, i am trying to establish an IPSEC VPN between my Fortigate 100E 212.221.102.30 and a remote ASA, but struggling to get phase 1 up and running, i am hoping its just something not matching up but i cant tell what. There are only 3 things in the phase 1, Encryption, DH and key life. I have attached the log to make sure there isnt anything the more experienced eye can spot.
Are their any limitations in terms of encryption options i can choose, my phase 1 proposal are just
Encryption AES256
Authentication SHA256
DH4
Key life 86400
Any help appreciated, or if i can run any other debus to help troubleshoot.
2023-07-20 09:17:03.647905 ike 0:HOSP-ACC_LPOOL: local:212.221.102.30, remote:213.1.215.166
2023-07-20 09:17:03.647947 ike 0:HOSP-ACC_LPOOL: cached as static-ddns.
2023-07-20 09:17:05.537046 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: IPsec SA connect 26 212.221.102.30->213.1.215.166:0
2023-07-20 09:17:05.537135 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: using existing connection
2023-07-20 09:17:05.537171 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: config found
2023-07-20 09:17:05.537204 ike 0:HOSP-ACC_LPOOL: request is on the queue
2023-07-20 09:17:08.404702 ike 0:HOSP-AWS11:76791: out C02E7F9B03100B0376D6F9373F3B8E742E202520000005900000005000000034706218F1F9B55AB1C3F9DAC22B91B169D5EACC348F6AAAE8CE3B5B2C07CF2572EF4FE49287502D30C167BBEEC6328265
2023-07-20 09:17:08.658080 ike 0:HOSP-ACC_LPOOL: local:212.221.102.30, remote:213.1.215.166
2023-07-20 09:17:08.658118 ike 0:HOSP-ACC_LPOOL: cached as static-ddns.
2023-07-20 09:17:10.547063 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: IPsec SA connect 26 212.221.102.30->213.1.215.166:0
2023-07-20 09:17:10.547222 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: using existing connection
2023-07-20 09:17:10.547266 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: config found
2023-07-20 09:17:10.547302 ike 0:HOSP-ACC_LPOOL: request is on the queue
2023-07-20 09:17:11.176519 ike 0:HOSP-AWS12:76234: out 9DFFE7D5FC338203242CE45B14DDFEF12E202520000008B50000005000000034DACC5E8870AA921341B81388A22D5A5A752502465836A645A9DD0B306169F96DF65F3C67F83818D7F85658E0DCA17EEE
2023-07-20 09:17:13.667984 ike 0:HOSP-ACC_LPOOL: local:212.221.102.30, remote:213.1.215.166
2023-07-20 09:17:13.668033 ike 0:HOSP-ACC_LPOOL: cached as static-ddns.
2023-07-20 09:17:15.557197 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: IPsec SA connect 26 212.221.102.30->213.1.215.166:0
2023-07-20 09:17:15.557289 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: using existing connection
2023-07-20 09:17:15.557327 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: config found
2023-07-20 09:17:15.557361 ike 0:HOSP-ACC_LPOOL: request is on the queue
2023-07-20 09:17:18.678023 ike 0:HOSP-ACC_LPOOL: local:212.221.102.30, remote:213.1.215.166
2023-07-20 09:17:18.678058 ike 0:HOSP-ACC_LPOOL: cached as static-ddns.
2023-07-20 09:17:20.567297 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: IPsec SA connect 26 212.221.102.30->213.1.215.166:0
2023-07-20 09:17:20.567400 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: using existing connection
2023-07-20 09:17:20.567440 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: config found
2023-07-20 09:17:20.567477 ike 0:HOSP-ACC_LPOOL: request is on the queue
2023-07-20 09:17:23.687861 ike 0:HOSP-ACC_LPOOL: local:212.221.102.30, remote:213.1.215.166
2023-07-20 09:17:23.687902 ike 0:HOSP-ACC_LPOOL: cached as static-ddns.
2023-07-20 09:17:25.577001 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: IPsec SA connect 26 212.221.102.30->213.1.215.166:0
2023-07-20 09:17:25.577093 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: using existing connection
2023-07-20 09:17:25.577131 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: config found
2023-07-20 09:17:25.577167 ike 0:HOSP-ACC_LPOOL: request is on the queue
2023-07-20 09:17:28.247769 ike 0:HOSP-ACC_LPOOL: local:212.221.102.30, remote:213.1.215.166
2023-07-20 09:17:28.247808 ike 0:HOSP-ACC_LPOOL: cached as static-ddns.
2023-07-20 09:17:30.537100 ike 0:HOSP-ACC_LPOOL:77727: negotiation timeout, deleting
2023-07-20 09:17:30.537416 ike 0:HOSP-ACC_LPOOL: connection expiring due to phase1 down
2023-07-20 09:17:30.537462 ike 0:HOSP-ACC_LPOOL: deleting
2023-07-20 09:17:30.537506 ike 0:HOSP-ACC_LPOOL: deleted
2023-07-20 09:17:30.537544 ike 0:HOSP-ACC_LPOOL: schedule auto-negotiate
2023-07-20 09:17:30.587048 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: IPsec SA connect 26 212.221.102.30->213.1.215.166:0
2023-07-20 09:17:30.587875 ike 0:HOSP-ACC_LPOOL: local:212.221.102.30, remote:213.1.215.166
2023-07-20 09:17:30.587917 ike 0:HOSP-ACC_LPOOL: cached as static-ddns.
2023-07-20 09:17:30.589367 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: config found
2023-07-20 09:17:30.589498 ike 0:HOSP-ACC_LPOOL: created connection: 0x5f18280 26 212.221.102.30->213.1.215.166:500.
2023-07-20 09:17:30.589557 ike 0:HOSP-ACC_LPOOL: HA start as master
2023-07-20 09:17:30.589644 ike 0:HOSP-ACC_LPOOL: IPsec SA connect 26 212.221.102.30->213.1.215.166:500 negotiating
2023-07-20 09:17:30.589746 ike 0:HOSP-ACC_LPOOL: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
2023-07-20 09:17:30.592598 ike 0:HOSP-ACC_LPOOL:77729: create NAT-D hash local 212.221.102.30/500 remote 213.1.215.166/500
2023-07-20 09:17:30.592716 ike 0:HOSP-ACC_LPOOL:77729: out 3558EB490CA731DB00000000000000002120220800000000000001B8220000300000002C010100040300000C0100000C800E01000300000802000005030000080300000C000000080400000E28000108000E00007E814F3CB72877919C8D83E2E8AEA99A4B3C5BF33FD15747F1A879847E0ABBCB106B2E7BD8227E03739D4FC3A74B23920B21FC4C39105DCA8932F93A4F1F50A49CDDF638A41502688FB411E5C84904EAC8725F2751A43136E75FA834BC81789E90B9BB4577368257753537DE6FEAFE5EF39893404EEB40CBA882FBA1E56729AB51675DBF57FA5AFF78852CB58DE7868725200B3236539DE1CD5E8D58542772F31B3CAD4F29A9241632660846EF7AD98E0143B111689D7C29A36CD7D97F8962029FF1D8C4B5C33198E743F65A37C7A4E459DC4520AFA58AD0655910D14AFF1083637DE4AC850EB685D813DE47D34167849B9A2E6BD5B2EE9420DAFE0F4877F8A129000024443DB7481D3FE2238F5A0886FE44B4447EAA213954BBAD82CA28F69E64F503962900001C00004004677C687F2A789FCD29DEDB5C6345A41FB02974482900001C0000400538DB92C9661102ECD6134245D5CB3938F469A54D000000080000402E
2023-07-20 09:17:30.592935 ike 0:HOSP-ACC_LPOOL:77729: sent IKE msg (SA_INIT): 212.221.102.30:500->213.1.215.166:500, len=440, vrf=0, id=3558eb490ca731db/0000000000000000
2023-07-20 09:17:30.600656 ike 0:HOSP-ACC_LPOOL:77729: initiator received SA_INIT response
2023-07-20 09:17:30.600703 ike 0:HOSP-ACC_LPOOL:77729: processing notify type NO_PROPOSAL_CHOSEN
2023-07-20 09:17:30.600864 ike 0:HOSP-ACC_LPOOL:77729: malformed message
2023-07-20 09:17:33.707881 ike 0:HOSP-ACC_LPOOL: local:212.221.102.30, remote:213.1.215.166
2023-07-20 09:17:33.707920 ike 0:HOSP-ACC_LPOOL: cached as static-ddns.
2023-07-20 09:17:35.597029 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: IPsec SA connect 26 212.221.102.30->213.1.215.166:0
2023-07-20 09:17:35.597123 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: using existing connection
2023-07-20 09:17:35.597162 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: config found
2023-07-20 09:17:35.597196 ike 0:HOSP-ACC_LPOOL: request is on the queue
2023-07-20 09:17:38.717950 ike 0:HOSP-ACC_LPOOL: local:212.221.102.30, remote:213.1.215.166
2023-07-20 09:17:38.717988 ike 0:HOSP-ACC_LPOOL: cached as static-ddns.
2023-07-20 09:17:40.607020 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: IPsec SA connect 26 212.221.102.30->213.1.215.166:0
2023-07-20 09:17:40.607112 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: using existing connection
2023-07-20 09:17:40.607150 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: config found
2023-07-20 09:17:40.607184 ike 0:HOSP-ACC_LPOOL: request is on the queue
2023-07-20 09:17:43.727939 ike 0:HOSP-ACC_LPOOL: local:212.221.102.30, remote:213.1.215.166
2023-07-20 09:17:43.727980 ike 0:HOSP-ACC_LPOOL: cached as static-ddns.
2023-07-20 09:17:45.617216 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: IPsec SA connect 26 212.221.102.30->213.1.215.166:0
2023-07-20 09:17:45.617306 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: using existing connection
2023-07-20 09:17:45.617345 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: config found
2023-07-20 09:17:45.617379 ike 0:HOSP-ACC_LPOOL: request is on the queue
2023-07-20 09:17:48.737986 ike 0:HOSP-ACC_LPOOL: local:212.221.102.30, remote:213.1.215.166
2023-07-20 09:17:48.738025 ike 0:HOSP-ACC_LPOOL: cached as static-ddns.
2023-07-20 09:17:50.627080 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: IPsec SA connect 26 212.221.102.30->213.1.215.166:0
2023-07-20 09:17:50.627182 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: using existing connection
2023-07-20 09:17:50.627220 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: config found
2023-07-20 09:17:50.627255 ike 0:HOSP-ACC_LPOOL: request is on the queue
2023-07-20 09:17:53.747912 ike 0:HOSP-ACC_LPOOL: local:212.221.102.30, remote:213.1.215.166
2023-07-20 09:17:53.747948 ike 0:HOSP-ACC_LPOOL: cached as static-ddns.
2023-07-20 09:17:55.637064 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: IPsec SA connect 26 212.221.102.30->213.1.215.166:0
2023-07-20 09:17:55.637163 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: using existing connection
2023-07-20 09:17:55.637202 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: config found
2023-07-20 09:17:55.637235 ike 0:HOSP-ACC_LPOOL: request is on the queue
2023-07-20 09:17:58.758503 ike 0:HOSP-ACC_LPOOL: local:212.221.102.30, remote:213.1.215.166
2023-07-20 09:17:58.758545 ike 0:HOSP-ACC_LPOOL: cached as static-ddns.
2023-07-20 09:18:00.597076 ike 0:HOSP-ACC_LPOOL:77729: negotiation timeout, deleting
2023-07-20 09:18:00.597443 ike 0:HOSP-ACC_LPOOL: connection expiring due to phase1 down
2023-07-20 09:18:00.597495 ike 0:HOSP-ACC_LPOOL: deleting
2023-07-20 09:18:00.597542 ike 0:HOSP-ACC_LPOOL: deleted
2023-07-20 09:18:00.597581 ike 0:HOSP-ACC_LPOOL: schedule auto-negotiate
2023-07-20 09:18:00.647087 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: IPsec SA connect 26 212.221.102.30->213.1.215.166:0
2023-07-20 09:18:00.647901 ike 0:HOSP-ACC_LPOOL: local:212.221.102.30, remote:213.1.215.166
2023-07-20 09:18:00.647939 ike 0:HOSP-ACC_LPOOL: cached as static-ddns.
2023-07-20 09:18:00.649387 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: config found
2023-07-20 09:18:00.649496 ike 0:HOSP-ACC_LPOOL: created connection: 0x5f4a8c8 26 212.221.102.30->213.1.215.166:500.
2023-07-20 09:18:00.649542 ike 0:HOSP-ACC_LPOOL: HA start as master
2023-07-20 09:18:00.649613 ike 0:HOSP-ACC_LPOOL: IPsec SA connect 26 212.221.102.30->213.1.215.166:500 negotiating
2023-07-20 09:18:00.649686 ike 0:HOSP-ACC_LPOOL: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
2023-07-20 09:18:00.652444 ike 0:HOSP-ACC_LPOOL:77731: create NAT-D hash local 212.221.102.30/500 remote 213.1.215.166/500
2023-07-20 09:18:00.652532 ike 0:HOSP-ACC_LPOOL:77731: out 6AFCB0B592CA7A1500000000000000002120220800000000000001B8220000300000002C010100040300000C0100000C800E01000300000802000005030000080300000C000000080400000E28000108000E00006C1B9CE7FF300960336F229B2A102C2D78C8539ADC56E132D3A5488135C04D45A5B3E238C971356F5A7A0B4DCBAE0744BFC8BE7FA6EA17AEF424C4BF7FE5C3B8F89E16251597F6FFEFB4BDC494DDEE603A6547A16FCE02BB46D40A080FA433C7372BA659BFE66EBC13B0DCC7835431D215E8B5CC201DE0638513CDCB36777F32757D6B339074DB7DAC5265CE1E2DB76956E2E5111107C828983E1423783ADA7D2E361DB6FBF7204E0F7FF61395F0F0094C666DA95BAD3D8E6BEC83ABFF74915517FA0D9F88518AA58847DD5DB5CE479B23C0E94AC5E0F2F03D047FF680875615F754B3069C6CB4A77A21FE7A3DF26E28F39BD542C96B682285E2022C73412A832900002465FC794C529E3EB35D7E9D474EBCAE60A3BE400F7989531CA87BFAD3BA79AA292900001C00004004A438F9C96FAD17DAB58A15232948D02AB8493AF62900001C000040050463D553F263216FA8C6537A122B604458D369EF000000080000402E
2023-07-20 09:18:00.652713 ike 0:HOSP-ACC_LPOOL:77731: sent IKE msg (SA_INIT): 212.221.102.30:500->213.1.215.166:500, len=440, vrf=0, id=6afcb0b592ca7a15/0000000000000000
2023-07-20 09:18:00.660333 ike 0:HOSP-ACC_LPOOL:77731: initiator received SA_INIT response
2023-07-20 09:18:00.660384 ike 0:HOSP-ACC_LPOOL:77731: processing notify type NO_PROPOSAL_CHOSEN
2023-07-20 09:18:00.660549 ike 0:HOSP-ACC_LPOOL:77731: malformed message
2023-07-20 09:18:00.953794 ike 0:HOSP-AWS03:76643: out 6316039AB888504FEF470695099040682E202520000006750000005000000034DCA11CACC89B830555F45106EB256E2E1581A31AA8A2C42051CB801BC5232E9B192D5AFEBD4736A1D1DD7D2D516FD1D2
2023-07-20 09:18:03.768467 ike 0:HOSP-ACC_LPOOL: local:212.221.102.30, remote:213.1.215.166
2023-07-20 09:18:03.768505 ike 0:HOSP-ACC_LPOOL: cached as static-ddns.
2023-07-20 09:18:05.657103 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: IPsec SA connect 26 212.221.102.30->213.1.215.166:0
2023-07-20 09:18:05.657202 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: using existing connection
2023-07-20 09:18:05.657242 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: config found
2023-07-20 09:18:05.657276 ike 0:HOSP-ACC_LPOOL: request is on the queue
2023-07-20 09:18:08.777970 ike 0:HOSP-ACC_LPOOL: local:212.221.102.30, remote:213.1.215.166
2023-07-20 09:18:08.778010 ike 0:HOSP-ACC_LPOOL: cached as static-ddns.
2023-07-20 09:18:10.132509 ike 0:HOSP-AWS01:76532: out 3F12DAACA68101AE23EAF7FE6027D5042E2025200000071D000000500000003487E477F15969F6D0027B7BAC3BBE7E71E8F9B285381F8F9056E68CC70ACC6492CBB5E591B9B4E80911B43BDB66DACA22
2023-07-20 09:18:10.667124 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: IPsec SA connect 26 212.221.102.30->213.1.215.166:0
2023-07-20 09:18:10.667216 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: using existing connection
2023-07-20 09:18:10.667253 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: config found
2023-07-20 09:18:10.667289 ike 0:HOSP-ACC_LPOOL: request is on the queue
2023-07-20 09:18:13.788052 ike 0:HOSP-ACC_LPOOL: local:212.221.102.30, remote:213.1.215.166
2023-07-20 09:18:13.788092 ike 0:HOSP-ACC_LPOOL: cached as static-ddns.
2023-07-20 09:18:15.677106 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: IPsec SA connect 26 212.221.102.30->213.1.215.166:0
2023-07-20 09:18:15.677206 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: using existing connection
2023-07-20 09:18:15.677245 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: config found
2023-07-20 09:18:15.677279 ike 0:HOSP-ACC_LPOOL: request is on the queue
2023-07-20 09:18:18.280432 ike 0:HOSP-AWS01:76532:HOSP-AWS01:86783: accepted proposal:
2023-07-20 09:18:18.798270 ike 0:HOSP-ACC_LPOOL: local:212.221.102.30, remote:213.1.215.166
2023-07-20 09:18:18.798314 ike 0:HOSP-ACC_LPOOL: cached as static-ddns.
2023-07-20 09:18:20.687231 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: IPsec SA connect 26 212.221.102.30->213.1.215.166:0
2023-07-20 09:18:20.687362 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: using existing connection
2023-07-20 09:18:20.687412 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: config found
2023-07-20 09:18:20.687453 ike 0:HOSP-ACC_LPOOL: request is on the queue
2023-07-20 09:18:23.808004 ike 0:HOSP-ACC_LPOOL: local:212.221.102.30, remote:213.1.215.166
2023-07-20 09:18:23.808048 ike 0:HOSP-ACC_LPOOL: cached as static-ddns.
2023-07-20 09:18:25.697045 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: IPsec SA connect 26 212.221.102.30->213.1.215.166:0
2023-07-20 09:18:25.697139 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: using existing connection
2023-07-20 09:18:25.697177 ike 0:HOSP-ACC_LPOOL:HOSP-ACC_LPOOL: config found
2023-07-20 09:18:25.697211 ike 0:HOSP-ACC_LPOOL: request is on the queue
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Ideally the VPN debug should include the phase1 proposals details. can you collect a fresh debug?
diag debug app ike -1
diag debug enable
Dear Customer,
Hope you are doing good.
As per the logs shared, I could see that there is proposal mismatch and hence phase1 is not getting established. Kindly check the configuration at both side FGT and Cisco end and configure the same set of parameters.
2023-07-20 09:17:30.600656 ike 0:HOSP-ACC_LPOOL:77729: initiator received SA_INIT response
2023-07-20 09:17:30.600703 ike 0:HOSP-ACC_LPOOL:77729: processing notify type NO_PROPOSAL_CHOSEN
Regsrds,
Parteek
Hi,
Based on the provided logs, it seems like there is an issue during the phase 1 negotiation of the IPsec VPN between your FortiGate 100E (212.221.102.30) and the remote ASA (213.1.215.166). The error message "NO_PROPOSAL_CHOSEN" indicates that the two devices couldn't agree on a common set of encryption, authentication, or key exchange options during the phase 1 negotiation.
BR,
Manosh
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1734 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.