GscOutsourcingSAS
New Contributor

IPSEC VPN DISCONNECTS AFTER UPGRADING TO VERSION 7.4.8 Build 2795 (Mature)

Hello,

 

I have an account with a FortiGate 200F, which was running the 7.2.10 build 1706 (Mature) version. In this version, it had a VPN that, in phase 1, contained the following settings.

 

Encryption: DES, 3DES, AES128, AES128GCM, AES192, AES256, AES256GCM, CHACHA20POLY1305

PRF: PRFSHA1, PRFSHA256, PRFSHA384, PRFSHA512

 

Since the other end is a pfSense Community Edition 2.7.2, and this firewall does not normally allow the AES256 and SHA512 methods to be used, the connection was stable and working with that configuration.

 

When I upgrade my Fortinet firewall to version 7.4.8 build 2795 (Mature), the VPN drops and does not even raise phase 1. The error it gives me is an inbound connection failure, but when validating the logs of the two firewalls, it indicates "error no acceptable ENCRYPTION_ALGORITHM found" (this appears in pfSense). The algorithms were modified in one of the VPNs that presented the error, but none of them work, and the PSK was also changed on both sides, confirming its accuracy.

 

If anyone has a similar error and has been able to solve it, I'm open to any ideas.

 

Jean-Philippe_P
Moderator

Hello GscOutsourcingSAS, 

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

 

Thanks, 

Jean-Philippe - Fortinet Community Team
funkylicious
SuperUser

I would suggest doing some tshoot on the FGT side using the commands below, in order to see what it sees as phase1 params and whatever error the local device might send to the remote one and vice versa.

 

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPsec-Tunnel-debugging-IKE/ta-p/1900...

 

diagnose vpn ike log filter mrem-addr4 REM_IP LOCAL_IP

diagnose debug application ike -1
diagnose debug console timestamp enable

diagnose debug enable

 

To stop the debug, use the command given below:

 

diagnose debug disable

diagnose debug reset

"jack of all trades, master of none"
GscOutsourcingSAS

Hello,

Well, after this I can see that the log shows the following regarding errors:

 

2025-08-08 07:53:20.837889 ike V=root:0:HExxxxx:111548: initiator received AUTH msg
2025-08-08 07:53:20.837898 ike V=root:0:HExxxxx:111548: peer identifier IPV4_ADDR xxx.xx.xxx.xxx
2025-08-08 07:53:20.837920 ike V=root:0:HExxxxx:111548: auth verify done
2025-08-08 07:53:20.837928 ike V=root:0:HExxxxx:111548: initiator AUTH continuation
2025-08-08 07:53:20.837935 ike V=root:0:HExxxxx:111548: authentication failed
2025-08-08 07:53:20.837942 ike V=root:0:HExxxxx:111548:264069: send informational
2025-08-08 07:53:20.837951 ike 0:HExxxxx:111548: enc 0000000800000018080706050403020108

It is as if the authentication process were wrong.
But when checking the pfSense firewall, the following appears when it tries to authenticate:
[Attached image: WhatsApp Image 2025-08-04 at 8.36.14 AM.jpeg]

As can be seen, the top part indicates that the encryption method is not acceptable.
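
An added example, not part of any post in this thread: a small Python parser for `diagnose debug application ike -1` output in the layout shown in the post above, grouping lines per tunnel and SA id and reporting the first failure line and the message that preceded it. The sample input is the seven lines quoted in the post; the `responder` role keyword and the single failure marker are assumptions.

```python
import re

# Layout seen in the post: timestamp, "ike", optional "V=<vdom>:", "<idx>:<tunnel>:<sa-id>:",
# an optional extra numeric id, then the message. Lines in any other shape are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) ike "
    r"(?:V=(?P<vdom>[^:]+):)?\d+:(?P<tunnel>[^:]+):(?P<sa>\d+):"
    r"(?:\d+:)? ?(?P<msg>.*)$"
)
FAILURE_MARKERS = ("authentication failed",)  # only marker present in the post; extend as needed
ROLES = ("initiator", "responder")            # "responder" is assumed by symmetry

def summarize(lines):
    """Group IKE debug lines per (tunnel, SA id) and record where each SA first failed."""
    sas = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sa = sas.setdefault((m["tunnel"], m["sa"]), {
            "role": None, "messages": [], "failure": None,
            "failed_at": None, "last_before_failure": None})
        msg = m["msg"]
        first_word = msg.split(" ", 1)[0]
        if sa["role"] is None and first_word in ROLES:
            sa["role"] = first_word
        if sa["failure"] is None and any(f in msg for f in FAILURE_MARKERS):
            sa["failure"], sa["failed_at"] = msg, m["ts"]
            sa["last_before_failure"] = sa["messages"][-1] if sa["messages"] else None
        sa["messages"].append(msg)
    return sas

# Sample input: the debug lines quoted in the post above, redaction included.
SAMPLE = """\
2025-08-08 07:53:20.837889 ike V=root:0:HExxxxx:111548: initiator received AUTH msg
2025-08-08 07:53:20.837898 ike V=root:0:HExxxxx:111548: peer identifier IPV4_ADDR xxx.xx.xxx.xxx
2025-08-08 07:53:20.837920 ike V=root:0:HExxxxx:111548: auth verify done
2025-08-08 07:53:20.837928 ike V=root:0:HExxxxx:111548: initiator AUTH continuation
2025-08-08 07:53:20.837935 ike V=root:0:HExxxxx:111548: authentication failed
2025-08-08 07:53:20.837942 ike V=root:0:HExxxxx:111548:264069: send informational
2025-08-08 07:53:20.837951 ike 0:HExxxxx:111548: enc 0000000800000018080706050403020108
"""

if __name__ == "__main__":
    for (tunnel, sa_id), sa in summarize(SAMPLE.splitlines()).items():
        print(f"{tunnel} sa={sa_id} role={sa['role']} failed_at={sa['failed_at']}")
        print(f"  failure: {sa['failure']}  (preceded by: {sa['last_before_failure']})")
```

Run over a longer capture, this gives one summary per SA id, which makes it easier to line up the FortiGate timestamps with the pfSense log entries for the same attempt.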

VinayHM
Staff

Please go through the article, which explains support versions.

https://docs.fortinet.com/document/fortigate/7.4.8/administration-guide/484445

Vinay HM