
IPSec Negotiate SA Error

Hello all, this is the first time I have visited this forum and I am hoping to get some help with my site-to-site VPN connection setup... It's a simple policy-based VPN using a pre-shared key between a Fortigate-60 and a Checkpoint firewall. I am getting the error "Negotiate SA Error: Peer's id payloads do not match local policy." on my Fortigate 60 device running FortiOS v3.0 while trying to establish an IPSec tunnel (pre-shared key) with the Checkpoint. I have done the same setup from a few other sites with Fortigate-60 devices running FortiOS v2.8 software, with the same pre-shared key and encryption/authentication method. The only difference I can tell between the two versions of the OS is the option under the Phase 2 "Quick Mode Identities" section. v2.8 offers the options "Use selectors from policy", "Use wildcard selectors" and "Specify a selector", while only the last option seems to be available under FortiOS v3.0. I have been using the default "Use selectors from policy" option on the other v2.8 devices and they all worked fine. The event log on the v3.0 device shows:

Responder: sent xx.xx.xx.xx aggressive mode message #1 (OK)
Responder: parsed xx.xx.xx.xx aggressive mode message #2 (DONE)
Negotiate SA Error: Peer's id payloads do not match local policy.
Responder: parsed xx.xx.xx.xx quick mode message #1 (ERROR)
***repeating...

Did I overlook any new features in v3.0, or should I consider downgrading the OS on this device? Any suggestion or comment is greatly appreciated.
rwpatterson
Valued Contributor III

Sorry about the pic. You will need to open port 5190 (AIM) to view it. I'm hosting from Verizon FIOS, and they do not permit port 80 traffic from their network. In answer to your question, yes. You will need to define a policy (or policies) to allow the traffic as well. Create an address group with the same networks defined in it, and use it in the policy instead of individual addresses. It makes management a snap.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Thanks, Bob... I have created the separate P2 tunnels and am waiting to test them with the home office... However, I guess I have made a big mistake... I tried to update the firmware remotely from MR3 Build 0400 to MR3 0416, a memory-optimized version, hoping to get better performance and memory allocation. I lost the connection right after I clicked OK... A local user confirmed that the upgrade completed successfully and I can now see 3.00 build 8552 showing as the firmware version. However, the ADSL interface failed to connect. All the configuration seems to be retained, but when we check System -> Network, the ADSL interface is showing as currently Down... Clicking on "Bring UP" still won't connect it. Under the Log, I found a repeating message: "User unknown change status of interface ADSL from ADSL-MON"... I have tried restarting the device, still no go... Please help....
rwpatterson
Valued Contributor III

That's a support issue. I do not have one of those boxes, and cannot be of any help. Sorry!

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Hi Bob, I am back after trying different configuration settings to try to establish my IPSec tunnel... Still trying to work this out with the Fortigate engineers... I wonder if anyone has experienced the same with the 3.0 software running on their Fortigate device connecting to a 3rd-party firewall like CheckPoint... I managed to try setting up multiple P2 tunnels (for different subnets) as well, and also tried using the CLI to configure an Address Group, defined under Firewall -> Address -> Group. The tunnel seems to be UP with the proper keylife countdown... The tunnel seems to be UP and running when looking at the far end. However, no traffic flowed through the tunnel and I am getting lots of "Received ESP packet with unknown SPI." error messages... Any comment or suggestion would be highly appreciated!
FortiRack_Eric
New Contributor III

Is this issue still open? When I look at the first post, it clearly states that the peer IDs don't match. You may remove the peer IDs (local IDs) and test again. If you need to use peer IDs, then add them afterwards. They need to cross-match (local and remote). Regards, Eric

Rackmount your Fortinet --> http://www.rackmount.it/fortirack

Good day, Eric. Yes, the case is still OPEN... When you mention the peer ID, do you mean the "Preshared Key" or are you referring to the name of the P1 & P2 tunnel? Further to my troubleshooting effort with the Fortinet engineer, I noticed these peer ID errors were related to the subnets defined on this device and at the far end. By turning ON the debug mode, we were able to tell that one of the subnets proposed from the far end was different from the subnet defined locally (the same was not being validated on the 2.8 software)... Now that we have fixed all the "peer's id payloads do not match" errors, we are facing a lot of "Received ESP packet with unknown SPI." errors. The tunnel seems to be UP with a proper keylife countdown, but no traffic seems to be flowing through... Again, any suggestion on this would be greatly appreciated!
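As an added illustration (not code from the thread or from Fortinet), a small Python check models the comparison the debug session above uncovered: each subnet pair the peer proposes in its quick mode ID payloads is matched against the locally defined phase 2 selectors, and any pair without a counterpart is reported in the wording of the log line. The strict/lenient modes, the IDci/IDcr orientation and every subnet below are assumptions and constructed sample data.

```python
import ipaddress
from typing import List, Tuple

Selector = Tuple[str, str]  # (source subnet, destination subnet) as configured locally


def _net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s, strict=False)


def unmatched_proposals(local_selectors: List[Selector],
                        peer_proposals: List[Selector],
                        strict: bool = True) -> List[Selector]:
    """Return the peer proposals that no local phase 2 selector accepts.

    peer_proposals are (IDci, IDcr): the initiator's network and the responder's
    network as carried in the quick mode ID payloads. The responder therefore
    compares IDcr with its own source selector and IDci with its own destination.
    strict=True  -> both networks must equal a local selector exactly (assumed
                    here to model the check behind the 3.0 error in the thread).
    strict=False -> a local selector only has to cover both networks (assumed,
                    looser matching shown for contrast).
    """
    local = [(_net(src), _net(dst)) for src, dst in local_selectors]
    failed = []
    for idci, idcr in peer_proposals:
        our_side, peer_side = _net(idcr), _net(idci)
        ok = False
        for src, dst in local:
            if strict:
                ok = our_side == src and peer_side == dst
            else:
                ok = our_side.subnet_of(src) and peer_side.subnet_of(dst)
            if ok:
                break
        if not ok:
            failed.append((idci, idcr))
    return failed


# Constructed sample: two local phase 2 selectors and three proposals from the peer.
LOCAL_SELECTORS = [("192.168.10.0/24", "10.20.0.0/16"), ("192.168.11.0/24", "10.20.0.0/16")]
PEER_PROPOSALS = [
    ("10.20.0.0/16", "192.168.10.0/24"),  # exact mirror of the first selector
    ("10.20.0.0/16", "192.168.11.0/25"),  # peer defined a narrower subnet than we did
    ("10.30.0.0/16", "192.168.10.0/24"),  # peer network we have no selector for at all
]


def report(strict: bool = True) -> List[str]:
    """Format each failed proposal like the log line quoted in the thread, with the cause."""
    return [f"Negotiate SA Error: Peer's id payloads do not match local policy (IDci={idci} IDcr={idcr})"
            for idci, idcr in unmatched_proposals(LOCAL_SELECTORS, PEER_PROPOSALS, strict)]


if __name__ == "__main__":
    for line in report(strict=True):
        print(line)
```

With the sample data the strict check rejects the narrower /25 and the unknown 10.30.0.0/16, while the lenient check rejects only the unknown network.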
rwpatterson
Valued Contributor III

Could it be a simple routing issue with similar subnets on each side? Just a thought.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

That's possible, but I have verified all subnets are unique and they do not overlap with each other. Furthermore, the same subnets were defined and working on my other device, running the 2.8 software. Thanks for your kind advice.
FortiRack_Eric
New Contributor III

Did you upgrade the unit from 2.8 to 3.0? I've seen units where the VPN stops working some time after an upgrade. Removing the complete VPN and rebuilding it fixed it. Don't ask me why. I have done it several times, especially with older MR3 builds. By the way, what is your firmware version?

Rackmount your Fortinet --> http://www.rackmount.it/fortirack

The unit is brand new and shipped with 3.0 B0400... I have done the configuration from scratch. Now I have upgraded to B0526 MR5 Patch 2... Still no luck... Working with a Fortinet engineer to try to resolve the issue... Thanks for your advice....