Created on ‎10-09-2007 03:01 AM
It's a simple policy-based VPN using a pre-shared key between a Fortigate-60 and a Checkpoint firewall. I am getting a "Negotiate SA Error: Peer's id payloads do not match local policy." error on my Fortigate 60 device running FortiOS v3.0 while trying to establish an IPSec tunnel (Preshared Key) with Checkpoint.
I have done the same setup from a few other sites with Fortigate-60 devices running FortiOS v2.8 software, with the same Preshared Key and Encryption/Authentication method. The only difference I can tell between the 2 versions of the OS is the option under the Phase 2 "Quick Mode Identities" section. v2.8 offers the options "Use selectors from policy", "Use wildcard selectors" & "Specify a selector", while only the last option seems to be available under FortiOS v3.0. I have been using the default "Use selectors from policy" option on the other v2.8 devices and they all worked fine.
The event log on the v3.0 device shows...
Responder: sent xx.xx.xx.xx aggressive mode message #1 (OK)
Responder: parsed xx.xx.xx.xx aggressive mode message #2 (DONE)
Negotiate SA Error: Peer's id payloads do not match local policy.
Responder: parsed xx.xx.xx.xx quick mode message #1 (ERROR)
***repeating...
Did I overlook any new features in v3.0, or should I consider downgrading the OS on this device?
Any suggestion or comment is greatly appreciated.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Created on ‎10-09-2007 11:56 AM
Notice the first line. There are two 'selector pairs' for the one phase 1 definition in the first column. I have hung up to three successfully. I don't see a reason why more could not be done.
Good luck
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
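The check behind "Peer's id payloads do not match local policy" can be modelled as below. This is an added illustration, not code from the thread or from FortiOS. It assumes the responder requires the peer's quick mode ID payloads to equal one configured selector pair exactly; the function name `diagnose` and all subnets are constructed for the example.

```python
import ipaddress

# Constructed sample: two selector pairs (local_subnet, remote_subnet)
# attached to one phase 1 definition, as described in the reply above.
LOCAL_SELECTORS = [
    ("192.168.1.0/24", "10.10.0.0/24"),
    ("192.168.1.0/24", "10.20.0.0/24"),
]

def diagnose(peer_idci, peer_idcr, local_selectors):
    """Classify a peer's quick mode proposal against local phase 2 selectors.

    peer_idci: subnet the peer (initiator) names as its own side.
    peer_idcr: subnet the peer names as the responder's side.
    Returns ("match", i), ("overlap", i) or ("no-match", None), where i is
    the index of the selector pair concerned.
    """
    idci = ipaddress.ip_network(peer_idci)
    idcr = ipaddress.ip_network(peer_idcr)
    overlap = None
    for i, (local, remote) in enumerate(local_selectors):
        local_net = ipaddress.ip_network(local)
        remote_net = ipaddress.ip_network(remote)
        # Assumed rule: both ID payloads must equal the configured pair.
        if idcr == local_net and idci == remote_net:
            return ("match", i)
        # A proposal covering the same traffic with a different prefix
        # length (supernet or single host) still fails an exact comparison.
        if overlap is None and idcr.overlaps(local_net) and idci.overlaps(remote_net):
            overlap = i
    return ("overlap", overlap) if overlap is not None else ("no-match", None)

if __name__ == "__main__":
    proposals = [
        ("10.10.0.0/24", "192.168.1.0/24"),   # equals pair 0
        ("10.20.0.0/24", "192.168.1.0/24"),   # equals pair 1
        ("10.0.0.0/8", "192.168.1.0/24"),     # supernet of the remote side
        ("10.10.0.0/24", "192.168.1.10/32"),  # single host on the local side
        ("172.16.0.0/24", "192.168.1.0/24"),  # unrelated remote subnet
    ]
    for idci, idcr in proposals:
        print(idci, idcr, diagnose(idci, idcr, LOCAL_SELECTORS))
```

An "overlap" result is the case to look for when phase 1 completes and quick mode message #1 is rejected: both sides protect the same traffic but describe it with different selectors.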