IPsec dial-in VPN on loopback
Putting an IPsec tunnel onto a loopback interface has continuously led to an "unknown SPI" error, like:
2024-03-05 21:32:19.150302 ike V=root:0:IPsec_demo_0:IPsec_demo:2975: send SA_DONE SPI 0x94f4245
2024-03-05 21:32:19.221924 ike V=root:0: unknown SPI 2f50eb14 54 81.207.197.48:64800->100.64.1.5
Trying to solve this issue by defining the local gateway address with help of
set local-gw 197.196.65.14
leads to another error:
2024-03-05 21:30:24.705268 ike V=root:0:26af7e33589f4514/0000000000000000:153: no SA proposal chosen
Any pointers appreciated ... Rgds Guenther
Please ensure that the remote-gateway is reachable too. You may find this guide helpful to your query: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Best-practice-when-IPSec-VPN-is-bound-to-l...
Thanks for your answer. Unfortunately it's a dial-up remote, therefore no remote-gw is defined.
But the remote site is reachable in any case.
Hi @Guenther
In the latter one, you can see the reason does not seem to be related to routing reachability. It may be associated with the configuration of IPsec, usually due to a mismatch in the phase 1 encrypt/auth algorithm. You can check the issue following this link https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Understanding-message-no-proposal-ch...
RG/Bill
Hi Bill,
unfortunately the negotiation only fails if the statement
set local-gw 197.196.65.14
is activated. If I remove this statement, the tunnel comes up again (but does not carry any traffic due to the SPI mismatch as initially described).
To put it in a nutshell:
(a) without local-gw, the tunnel comes up but does not carry any traffic,
(b) with local-gw, the tunnel initialization fails with "no SA proposal chosen".
Any ideas?
Hello,
Is the loopback interface configured on the FGT acting as Dialup Server?
Is the below IP configured on any interface?
set local-gw 197.196.65.14
There was a common issue a while back which can be resolved by following the below KB article:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-IPsec-VPN-settings-on-a-s...
Hello @ezhupa ,
the solution of placing it on a secondary interface works fine. We would like to use a loopback interface for limiting access by another policy.
100.64.1.5 is in the CGNAT IP range. If your local ISP is using CGNAT, you can't receive/terminate IPsec VPNs; it can only initiate IPsec VPNs as a dial-up client. Check with your ISP.
Toshi
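The three debug lines quoted at the top of this thread (the SA_DONE SPI this gateway installed, the inbound packet with an SPI it does not know, and the "no SA proposal chosen" failure once local-gw is set) carry the whole diagnostic signal, and Toshi's CGNAT observation is the key to reading the second one. The following Python script is an added example, not code from any post in this thread or from Fortinet: it parses IKE debug output of that shape, checks whether the unknown SPI was ever negotiated locally, flags a CGNAT (RFC 6598) delivery address and a non-500/4500 source port as signs of translation between the peer and the gateway, and counts proposal mismatches. The line layouts and the meaning of the second numeric field on the unknown-SPI line are my assumptions from the quoted lines only; the sample log is constructed from them.

```python
import re
import ipaddress
from dataclasses import dataclass, field

# Constructed sample: the three IKE debug lines quoted in the thread.
SAMPLE_LOG = """\
2024-03-05 21:32:19.150302 ike V=root:0:IPsec_demo_0:IPsec_demo:2975: send SA_DONE SPI 0x94f4245
2024-03-05 21:32:19.221924 ike V=root:0: unknown SPI 2f50eb14 54 81.207.197.48:64800->100.64.1.5
2024-03-05 21:30:24.705268 ike V=root:0:26af7e33589f4514/0000000000000000:153: no SA proposal chosen
"""

# Shared address space used by ISPs for carrier-grade NAT (RFC 6598). A dial-in
# responder whose packets arrive on such an address sits behind an upstream translator.
CGNAT = ipaddress.ip_network("100.64.0.0/10")

# Line shapes assumed from the quoted output (not an official format specification).
SA_DONE_RE = re.compile(r"send SA_DONE SPI 0x([0-9a-f]+)")
UNKNOWN_SPI_RE = re.compile(
    r"unknown SPI ([0-9a-f]+) (\d+) "          # SPI, then a numeric field not interpreted here
    r"(\d+\.\d+\.\d+\.\d+):(\d+)->(\d+\.\d+\.\d+\.\d+)"
)
NO_PROPOSAL_RE = re.compile(r"no SA proposal chosen")


@dataclass
class IkeFindings:
    sent_spis: set = field(default_factory=set)       # SPIs this gateway installed
    unknown_spis: list = field(default_factory=list)  # (spi, src_ip, src_port, dst_ip)
    no_proposal: int = 0                              # count of proposal-mismatch failures


def parse_ike_log(text: str) -> IkeFindings:
    """Extract SA installs, unknown-SPI packets and proposal failures from debug text."""
    f = IkeFindings()
    for line in text.splitlines():
        m = SA_DONE_RE.search(line)
        if m:
            f.sent_spis.add(int(m.group(1), 16))   # hex may print without leading zeros
            continue
        m = UNKNOWN_SPI_RE.search(line)
        if m:
            spi, _ignored, src, sport, dst = m.groups()
            f.unknown_spis.append((int(spi, 16), src, int(sport), dst))
            continue
        if NO_PROPOSAL_RE.search(line):
            f.no_proposal += 1
    return f


def is_cgnat(ip: str) -> bool:
    return ipaddress.ip_address(ip) in CGNAT


def diagnose(f: IkeFindings) -> list:
    """Turn the parsed findings into the checks a responder-side engineer would make."""
    notes = []
    known = ", ".join(f"0x{s:x}" for s in sorted(f.sent_spis)) or "none"
    for spi, src, sport, dst in f.unknown_spis:
        if spi not in f.sent_spis:
            notes.append(f"SPI 0x{spi:x} from {src} was never negotiated here "
                         f"(locally installed: {known}); the peer holds an SA this gateway does not")
        if sport not in (500, 4500):
            notes.append(f"source port {sport} is not 500/4500: consistent with a NAT "
                         "between the peer and this gateway")
        if is_cgnat(dst):
            notes.append(f"delivered to {dst}, a CGNAT address: the ISP translates the public "
                         "address, so compare the address the peer dials with local-gw")
    if f.no_proposal:
        notes.append(f"{f.no_proposal} x 'no SA proposal chosen': phase 1 encryption/auth/DH "
                     "settings do not intersect with the peer's proposal list")
    return notes


if __name__ == "__main__":
    for note in diagnose(parse_ike_log(SAMPLE_LOG)):
        print("-", note)
```

Feed it the output of `diagnose debug application ike -1` captured while the remote dials in; on the constructed sample it reports the never-negotiated SPI, the translated destination address and the single proposal mismatch, which separates the routing/NAT symptom of case (a) from the configuration symptom of case (b).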
Hello @Toshi_Esumi ,
as the FG is serving as dial-in server, we do not worry about the CGNAT (which is used internally as well). But you're right: it's ISP address space.
