IPsec phase1 negotiation fails due to certificate inspection
Hi FortiGate admins
I have two hosts interconnected via a third party IPsec, separated by a FortiGate.
When I use no-inspection in the FG's firewall policy, the tunnel comes up and works fine.
When I use certificate inspection it doesn't come up and I see the below logs on the host.
000066725 ERROR (t=2001779) isakmp_inf.c: ignore information because the message has no hash payload.
000066726 ERROR (t=2001784) isakmp_inf.c: ignore information because ISAKMP-SA has not been established yet.
000066726 ERROR (t=2001788) isakmp.c: phase1 negotiation failed due to time up. d4427a2432ce119a:529f737158a30be8
000066726 ERROR (t=2001790) isakmp.c: phase2 negotiation failed due to time up waiting for phase1. ESP 10.10.20.30->10.20.30.40
The certificate inspection profile I'm using allows all and doesn't block any kind of certificate. FG logs show no traffic blocked.
Any idea why this happens?
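The log lines quoted above are in the racoon/isakmp style, and when a tunnel keeps retrying it helps to reduce many such lines to a single verdict before opening a capture. The following is an added triage helper, not FortiGate or racoon code: it parses lines of that format, classifies the error kinds seen in the post (informational exchange without a hash payload, informational before an ISAKMP-SA exists, phase1 timeout with its cookie pair, phase2 stalled waiting on phase1) and reports whether phase1 ever completed. The line format regex, the kind labels and the verdict names are assumptions made for this example; the failing sample reuses the lines from the post, and the healthy sample line is constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Regexes for the "seq LEVEL (t=tick) source.c: message" layout seen in the post.
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<level>[A-Z]+)\s+\(t=(?P<tick>\d+)\)\s+"
    r"(?P<src>[\w.]+):\s+(?P<msg>.*?)\s*$"
)
COOKIES_RE = re.compile(r"\b([0-9a-f]{16}):([0-9a-f]{16})\b")  # initiator:responder cookies
ESP_RE = re.compile(r"ESP\s+(\S+)->(\S+)")                     # src->dst of the waiting ESP SA

# Failing sample: the four lines quoted in the post above.
FAILING_LOG = """\
000066725 ERROR (t=2001779) isakmp_inf.c: ignore information because the message has no hash payload.
000066726 ERROR (t=2001784) isakmp_inf.c: ignore information because ISAKMP-SA has not been established yet.
000066726 ERROR (t=2001788) isakmp.c: phase1 negotiation failed due to time up. d4427a2432ce119a:529f737158a30be8
000066726 ERROR (t=2001790) isakmp.c: phase2 negotiation failed due to time up waiting for phase1. ESP 10.10.20.30->10.20.30.40
"""

# Healthy sample: a constructed "SA established" line in the same style (example values only).
HEALTHY_LOG = """\
000070001 INFO (t=2100000) isakmp.c: ISAKMP-SA established 10.10.20.30[500]-10.20.30.40[500] spi:aabbccddeeff0011:1122334455667788
"""


@dataclass
class IkeEvent:
    seq: int
    tick: int
    kind: str
    cookies: Optional[Tuple[str, str]] = None
    endpoints: Optional[Tuple[str, str]] = None


def classify(msg: str) -> str:
    """Map a message to one of the assumed event kinds (order matters for the SA checks)."""
    m = msg.lower()
    if "phase1 negotiation failed" in m:
        return "phase1_timeout"
    if "phase2 negotiation failed" in m:
        return "phase2_waiting_on_phase1"
    if "no hash payload" in m:
        return "unauthenticated_info"
    if "isakmp-sa has not been established" in m:
        return "info_before_sa"
    if "isakmp-sa established" in m:
        return "phase1_established"
    return "other"


def parse_isakmp_log(text: str) -> List[IkeEvent]:
    """Parse every line that matches the isakmp layout; unrelated lines are skipped."""
    events: List[IkeEvent] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        ck = COOKIES_RE.search(msg)
        ep = ESP_RE.search(msg)
        events.append(IkeEvent(
            seq=int(m.group("seq")),
            tick=int(m.group("tick")),
            kind=classify(msg),
            cookies=(ck.group(1), ck.group(2)) if ck else None,
            endpoints=(ep.group(1), ep.group(2)) if ep else None,
        ))
    return events


def triage(text: str) -> Dict[str, object]:
    """Count event kinds and decide whether phase1 ever completed in this log window."""
    events = parse_isakmp_log(text)
    counts: Dict[str, int] = {}
    for e in events:
        counts[e.kind] = counts.get(e.kind, 0) + 1
    timeouts = counts.get("phase1_timeout", 0)
    established = counts.get("phase1_established", 0)
    if timeouts and not established:
        verdict = "phase1_never_completed"   # the pattern in the post: retries, no SA
    elif timeouts and established:
        verdict = "phase1_recovered"
    elif established:
        verdict = "phase1_ok"
    else:
        verdict = "no_phase1_outcome"
    return {"counts": counts, "verdict": verdict, "events": events}


if __name__ == "__main__":
    for name, log in (("failing", FAILING_LOG), ("healthy", HEALTHY_LOG)):
        r = triage(log)
        print(name, r["verdict"], r["counts"])
```

A "phase1_never_completed" verdict with the same cookie pair repeating across retries says the peers are not reaching an authenticated ISAKMP-SA at all; it does not by itself say why, so the next step is still the packet capture dbu suggests, comparing what arrives on UDP 500/4500 with inspection on and off.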
Hi @AEK ,
Are you using the built-in certificate ?
Maybe a packet capture can tell you more about the certificates that are being exchanged and why it is not happy.
Have you tried to extend the timeout ?
If you have found a solution, please like and accept it to make it easily accessible for others.
Hi dbu
Thanks for the advice. Sure, we need some deeper troubleshooting here. I'll try to come back with more info.
I'll do as well. Thanks dbu.
