Hi,
I need help debugging an IPsec VPN between FortiGate and Forcepoint.
Here is the Forcepoint conf:
Here is my FortiGate conf:
config vpn ipsec phase1-interface
edit "IPSEC_XXX"
set interface "vlnk_XXX"
set peertype any
set net-device disable
set proposal aes256-sha1
set dhgrp 5
set remote-gw 1.2.3.4
set psksecret ************
next
end
config vpn ipsec phase2-interface
edit "IPSEC_XXX"
set phase1name "IPSEC_XXX"
set proposal aes256-sha1
set dhgrp 5
set src-subnet 10.XX.XX.0 255.255.255.0
set dst-subnet 10.XX.XX.0 255.255.255.0
next
end
Here is my log:
2024-06-19 14:27:42.549271 ike V=VIPP:2:IPSEC_VIPP:IPSEC_VIPP: created connection: 0x10111700 19 10.1.0.6->185.87.229.218:500.
2024-06-19 14:27:42.551162 ike V=VIPP:2:IPSEC_VIPP: HA start as master
2024-06-19 14:27:42.551178 ike V=VIPP:2:IPSEC_VIPP:45: initiator: main mode is sending 1st message...
2024-06-19 14:27:42.551192 ike V=VIPP:2:IPSEC_VIPP:45: cookie e6579f4ac461652e/0000000000000000
2024-06-19 14:27:42.551894 ike 2:IPSEC_VIPP:45: out
2024-06-19 14:27:42.551999 ike V=VIPP:2:IPSEC_VIPP:45: sent IKE msg (ident_i1send): 10.1.0.6:500->185.87.229.218:500, len=292, vrf=0, id=e6579f4ac461652e/0000000000000000
2024-06-19 14:27:42.560099 ike V=VIPP:2: comes 185.87.229.218:500->10.1.0.6:500,ifindex=19,vrf=0,len=264....
2024-06-19 14:27:42.560437 ike V=VIPP:2: IKEv1 exchange=Identity Protection id=e6579f4ac461652e/ad1834d2654db597 len=264 vrf=0
2024-06-19 14:27:42.560458 ike 2: in
2024-06-19 14:27:42.561234 ike V=VIPP:2:IPSEC_VIPP: HA state master(2)
2024-06-19 14:27:42.561250 ike V=VIPP:2:IPSEC_VIPP:45: initiator: main mode get 1st response...
2024-06-19 14:27:42.561999 ike V=VIPP:2:IPSEC_VIPP:45: VID unknown (32): 1082A1C3D2DD1755015AEBB766B5819000000001020221F10001040100000000
2024-06-19 14:27:42.562007 ike V=VIPP:2:IPSEC_VIPP:45: VID unknown (16): 5C8F1743DCCC474D73B4110636772655
2024-06-19 14:27:42.562014 ike V=VIPP:2:IPSEC_VIPP:45: VID unknown (16): D5AB0922CBB4BD46CBC6B115A08CCED1
2024-06-19 14:27:42.562020 ike V=VIPP:2:IPSEC_VIPP:45: VID unknown (16): DD477B3D56B7720CB4210571F6D206A0
2024-06-19 14:27:42.562026 ike V=VIPP:2:IPSEC_VIPP:45: VID unknown (16): F4B5F16943B84BA919E00E5AFA43567D
2024-06-19 14:27:42.562033 ike V=VIPP:2:IPSEC_VIPP:45: VID unknown (16): 645AF885467F08A68619C60E77BDB605
2024-06-19 14:27:42.562774 ike V=VIPP:2:IPSEC_VIPP:45: VID unknown (16): 431CFC9292A0595D7592FEBEA586AD19
2024-06-19 14:27:42.562781 ike V=VIPP:2:IPSEC_VIPP:45: VID DPD AFCAD71368A1F1C96B8696FC77570100
2024-06-19 14:27:42.562788 ike V=VIPP:2:IPSEC_VIPP:45: DPD negotiated
2024-06-19 14:27:42.562802 ike V=VIPP:2:IPSEC_VIPP:45: negotiation result
2024-06-19 14:27:42.562809 ike V=VIPP:2:IPSEC_VIPP:45: proposal id = 1:
2024-06-19 14:27:42.563552 ike V=VIPP:2:IPSEC_VIPP:45: protocol id = ISAKMP:
2024-06-19 14:27:42.563559 ike V=VIPP:2:IPSEC_VIPP:45: trans_id = KEY_IKE.
2024-06-19 14:27:42.563565 ike V=VIPP:2:IPSEC_VIPP:45: encapsulation = IKE/none
2024-06-19 14:27:42.563571 ike V=VIPP:2:IPSEC_VIPP:45: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
2024-06-19 14:27:42.564303 ike V=VIPP:2:IPSEC_VIPP:45: type=OAKLEY_HASH_ALG, val=SHA.
2024-06-19 14:27:42.564309 ike V=VIPP:2:IPSEC_VIPP:45: type=AUTH_METHOD, val=PRESHARED_KEY.
2024-06-19 14:27:42.564316 ike V=VIPP:2:IPSEC_VIPP:45: type=OAKLEY_GROUP, val=MODP1536.
2024-06-19 14:27:42.564322 ike V=VIPP:2:IPSEC_VIPP:45: ISAKMP SA lifetime=86400
2024-06-19 14:27:42.564336 ike V=VIPP:2:IPSEC_VIPP:45: generate DH public value request queued
2024-06-19 14:27:42.565074 ike 2:IPSEC_VIPP:45: out E6579F4AC461652EAD1834D2654DB5970410020000000000000000F40A0000C43B7D89BFE4C60A0B7A90189A327CA3582DBEFCB47E4565F8FC9441C110BC4611F27F300BD3A1C16361BFDEA23A8193B49C7F72A94483CDC9AE6A639A15871405BE9942FC1B4E51B9AD288471918EA6CEE75E063F642988514E093E94403C56034314E6DFA396F776C2C64FD3C5D70261E87A21976532B5A4C9F8E669E4D863C34CCA521F4F55446F46BA0EBDB770B0240A716DE4D12258A217C11B71A4031CA95D056D09BEEFF957C13AC5AEA1C157F1674436DDDB07B4711D37618926EB44FE0000001484B4978239F70D674FF95191BC297A67
2024-06-19 14:27:42.565105 ike V=VIPP:2:IPSEC_VIPP:45: sent IKE msg (ident_i2send): 10.1.0.6:500->185.87.229.218:500, len=244, vrf=0, id=e6579f4ac461652e/ad1834d2654db597
2024-06-19 14:27:42.573408 ike V=VIPP:2: comes 185.87.229.218:500->10.1.0.6:500,ifindex=19,vrf=0,len=244....
2024-06-19 14:27:42.573420 ike V=VIPP:2: IKEv1 exchange=Identity Protection id=e6579f4ac461652e/ad1834d2654db597 len=244 vrf=0
2024-06-19 14:27:42.573426 ike 2: in E6579F4AC461652EAD1834D2654DB5970410020000000000000000F40A0000C4F47F8E4A5B2AF45A3068EE13018BA922DC4B6A1770E226CB57FA6E902A339232897D4884E59A9C8D6134F51A9B0746CAD4D52DAB736AEB3B0237F83362B6390D18491E529208D9BB6BC48A818AEEA7C6C43BB91974FF7EE084D5E00F232F017AC08B003905756153B3A4FA8709892E25EEFBA121011805392F4141A1BC1C3950A175244D406EBAE9E73058E66F0D5CD2B460A32308D76ADC2B7CFB6BEFE1AA014C9986DC1AA8B5E7A4277C333ACB2A5EEEF8EE117797A0C9F0E5B8B5C2556BD3000000146455500773EDABB98C79FD6AAB14EC59
2024-06-19 14:27:42.573435 ike V=VIPP:2:IPSEC_VIPP: HA state master(2)
2024-06-19 14:27:42.573440 ike V=VIPP:2:IPSEC_VIPP:45: initiator: main mode get 2nd response...
2024-06-19 14:27:42.573446 ike V=VIPP:2:IPSEC_VIPP:45: nat unavailable
2024-06-19 14:27:42.573454 ike V=VIPP:2:IPSEC_VIPP:45: compute DH shared secret request queued
2024-06-19 14:27:42.573779 ike 2:IPSEC_VIPP:45: ISAKMP SA e6579f4ac461652e/ad1834d2654db597 key 32:6A12FEC0B03318B565A60BC66371DFF0446CE80EB0F989B5829874766FFEE864
2024-06-19 14:27:42.573794 ike V=VIPP:2:IPSEC_VIPP:45: add INITIAL-CONTACT
2024-06-19 14:27:42.573811 ike 2:IPSEC_VIPP:45: enc E6579F4AC461652EAD1834D2654DB59705100201000000000000005C0800000C010000000A0100060B0000187B198D653B5F907127F5B44F261B37731F6E09190000001C0000000101106002E6579F4AC461652EAD1834D2654DB597
2024-06-19 14:27:42.573830 ike 2:IPSEC_VIPP:45: out E6579F4AC461652EAD1834D2654DB59705100201000000000000006C21467011419C17BC2F739D1DFC188379C1EDA57CC9E0F6FF80B1CC8C261DE98BFDE96DBD27D2EE552336AD64F481917EDB31F597F9E81D82B5B316F47AF066178B91B1DAAC188F8E15CC35137A38B0D4
2024-06-19 14:27:42.573852 ike V=VIPP:2:IPSEC_VIPP:45: sent IKE msg (ident_i3send): 10.1.0.6:500->185.87.229.218:500, len=108, vrf=0, id=e6579f4ac461652e/ad1834d2654db597
2024-06-19 14:27:42.581263 ike V=VIPP:2: comes 185.87.229.218:500->10.1.0.6:500,ifindex=19,vrf=0,len=64....
2024-06-19 14:27:42.581274 ike V=VIPP:2: IKEv1 exchange=Informational id=e6579f4ac461652e/ad1834d2654db597:fd7b9ede len=64 vrf=0
2024-06-19 14:27:42.581279 ike 2: in E6579F4AC461652EAD1834D2654DB5970B100500FD7B9EDE0000004000000024000000010110000EE6579F4AC461652EAD1834D2654DB597800C000180080000
2024-06-19 14:27:42.581284 ike V=VIPP:2:IPSEC_VIPP: HA state master(2)
2024-06-19 14:27:42.581289 ike V=VIPP:2:IPSEC_VIPP:45: ignoring unencrypted NO-PROPOSAL-CHOSEN message from 185.87.229.218:500.
2024-06-19 14:27:45.573921 ike 2:IPSEC_VIPP:45: out E6579F4AC461652EAD1834D2654DB59705100201000000000000006C21467011419C17BC2F739D1DFC188379C1EDA57CC9E0F6FF80B1CC8C261DE98BFDE96DBD27D2EE552336AD64F481917EDB31F597F9E81D82B5B316F47AF066178B91B1DAAC188F8E15CC35137A38B0D4
2024-06-19 14:27:45.575997 ike V=VIPP:2:IPSEC_VIPP:45: sent IKE msg (P1_RETRANSMIT): 10.1.0.6:500->185.87.229.218:500, len=108, vrf=0, id=e6579f4ac461652e/ad1834d2654db597
2024-06-19 14:27:51.572585 ike 2:IPSEC_VIPP:45: out E6579F4AC461652EAD1834D2654DB59705100201000000000000006C21467011419C17BC2F739D1DFC188379C1EDA57CC9E0F6FF80B1CC8C261DE98BFDE96DBD27D2EE552336AD64F481917EDB31F597F9E81D82B5B316F47AF066178B91B1DAAC188F8E15CC35137A38B0D4
2024-06-19 14:27:51.574352 ike V=VIPP:2:IPSEC_VIPP:45: sent IKE msg (P1_RETRANSMIT): 10.1.0.6:500->185.87.229.218:500, len=108, vrf=0, id=e6579f4ac461652e/ad1834d2654db597
2024-06-19 14:28:03.576432 ike 2:IPSEC_VIPP:45: out E6579F4AC461652EAD1834D2654DB59705100201000000000000006C21467011419C17BC2F739D1DFC188379C1EDA57CC9E0F6FF80B1CC8C261DE98BFDE96DBD27D2EE552336AD64F481917EDB31F597F9E81D82B5B316F47AF066178B91B1DAAC188F8E15CC35137A38B0D4
2024-06-19 14:28:03.577959 ike V=VIPP:2:IPSEC_VIPP:45: sent IKE msg (P1_RETRANSMIT): 10.1.0.6:500->185.87.229.218:500, len=108, vrf=0, id=e6579f4ac461652e/ad1834d2654db597
2024-06-19 14:28:12.555754 ike V=VIPP:2:IPSEC_VIPP:45: negotiation timeout, deleting
2024-06-19 14:28:12.557391 ike V=VIPP:2:IPSEC_VIPP: connection expiring due to phase1 down
2024-06-19 14:28:12.558068 ike V=VIPP:2:IPSEC_VIPP: going to be deleted
Can you help me diagnose this?
Hi @5q46n2te8jPWJY,
"NO-PROPOSAL-CHOSEN" means some settings are not matching. You might need to run debugs on the other side as well to see why it is failing.
Regards,
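An added example, not part of the thread and not Fortinet tooling: a small Python parser for the IKE debug format shown in the question. It reports the last main-mode message sent, the phase-1 transforms agreed, and any notify received, so a NO-PROPOSAL-CHOSEN can be placed in the exchange. The sample lines, tunnel name and addresses are constructed, and the STAGES labels for the ident_i*send names are an assumption based on IKEv1 main mode.

```python
import re

# Constructed sample in the FortiGate IKE debug format from the post (names and addresses are made up).
SAMPLE_LOG = """\
2024-01-01 10:00:00.100 ike V=root:0:TUN_A:7: sent IKE msg (ident_i1send): 192.0.2.10:500->198.51.100.20:500, len=292
2024-01-01 10:00:00.110 ike V=root:0:TUN_A:7: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
2024-01-01 10:00:00.111 ike V=root:0:TUN_A:7: type=OAKLEY_HASH_ALG, val=SHA.
2024-01-01 10:00:00.112 ike V=root:0:TUN_A:7: type=OAKLEY_GROUP, val=MODP1536.
2024-01-01 10:00:00.120 ike V=root:0:TUN_A:7: sent IKE msg (ident_i2send): 192.0.2.10:500->198.51.100.20:500, len=244
2024-01-01 10:00:00.130 ike V=root:0:TUN_A:7: sent IKE msg (ident_i3send): 192.0.2.10:500->198.51.100.20:500, len=108
2024-01-01 10:00:00.140 ike V=root:0:TUN_A:7: ignoring unencrypted NO-PROPOSAL-CHOSEN message from 198.51.100.20:500.
2024-01-01 10:00:03.130 ike V=root:0:TUN_A:7: sent IKE msg (P1_RETRANSMIT): 192.0.2.10:500->198.51.100.20:500, len=108
2024-01-01 10:00:30.000 ike V=root:0:TUN_A:7: negotiation timeout, deleting
"""

# Assumed mapping: what each initiator message carries in IKEv1 main mode (RFC 2409).
STAGES = {"ident_i1send": "SA proposal",
          "ident_i2send": "key exchange (DH value, nonce)",
          "ident_i3send": "encrypted identity and authentication"}
SENT = re.compile(r"sent IKE msg \((\w+)\)")
XFORM = re.compile(r"type=(\w+), val=(\w+)(?:, key-len=(\d+))?")
NOTIFY = re.compile(r"ignoring (unencrypted )?([A-Z-]+) message from ([\d.]+):\d+")

def summarize(log_text):
    """Collect the facts that locate where a phase-1 negotiation stopped."""
    s = {"last_sent": None, "transforms": {}, "notifies": [], "retransmits": 0, "timed_out": False}
    for line in log_text.splitlines():
        if m := SENT.search(line):
            if m.group(1) == "P1_RETRANSMIT":
                s["retransmits"] += 1          # same packet resent, no progress
            else:
                s["last_sent"] = m.group(1)
        elif m := XFORM.search(line):          # a transform from "negotiation result"
            s["transforms"][m.group(1)] = m.group(2) + (f"-{m.group(3)}" if m.group(3) else "")
        elif m := NOTIFY.search(line):
            s["notifies"].append({"type": m.group(2), "peer": m.group(3),
                                  "encrypted": m.group(1) is None})
        elif "negotiation timeout" in line:
            s["timed_out"] = True
    return s

def report(s):  # one-line statement of where the negotiation stopped
    stage = STAGES.get(s["last_sent"], "unknown stage")
    agreed = ", ".join(f"{k}={v}" for k, v in s["transforms"].items()) or "none logged"
    notes = ", ".join(n["type"] for n in s["notifies"]) or "no notify"
    return (f"stopped after {s['last_sent']} ({stage}); agreed: {agreed}; "
            f"peer sent: {notes}; retransmits={s['retransmits']}; timeout={s['timed_out']}")

print(report(summarize(SAMPLE_LOG)))
```

Run against the log in the question, the same patterns show a phase-1 transform set being logged as the negotiation result and the notify arriving after ident_i3send, unencrypted, after which the FortiGate retransmits until the negotiation times out.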
Hi @5q46n2te8jPWJY,
When I reviewed the outputs, I saw that your remote site has a private IP. If you didn't do any NAT configuration on the NAT device (router/modem etc.), I suggest enabling NAT-T configuration on both sites.
Also, did you configure phase 2 networks on the SonicWall side?
Btw, I found a document about how you can establish a site-to-site VPN between Forcepoint and FortiGate.
https://support.forcepoint.com/s/article/000015793
Can you add other encryption/authentication proposals on both sides?