5q46n2te8jPWJY
New Contributor III

Need help to debug IPSEC VPN

Hi,

I need help to debug an IPSEC VPN between FortiGate and ForcePoint.

Here is the ForcePoint conf:

[Screenshot of the ForcePoint configuration; image not available]

Here is my FortiGate conf:

config vpn ipsec phase1-interface
    edit "IPSEC_XXX"
        set interface "vlnk_XXX"
        set peertype any
        set net-device disable
        set proposal aes256-sha1
        set dhgrp 5
        set remote-gw 1.2.3.4
        set psksecret ************
    next
end
config vpn ipsec phase2-interface
    edit "IPSEC_XXX"
        set phase1name "IPSEC_XXX"
        set proposal aes256-sha1
        set dhgrp 5
        set src-subnet 10.XX.XX.0 255.255.255.0
        set dst-subnet 10.XX.XX.0 255.255.255.0
    next
end

Here is my log:

2024-06-19 14:27:42.549271 ike V=VIPP:2:IPSEC_VIPP:IPSEC_VIPP: created connection: 0x10111700 19 10.1.0.6->185.87.229.218:500.
2024-06-19 14:27:42.551162 ike V=VIPP:2:IPSEC_VIPP: HA start as master
2024-06-19 14:27:42.551178 ike V=VIPP:2:IPSEC_VIPP:45: initiator: main mode is sending 1st message...
2024-06-19 14:27:42.551192 ike V=VIPP:2:IPSEC_VIPP:45: cookie e6579f4ac461652e/0000000000000000
2024-06-19 14:27:42.551894 ike 2:IPSEC_VIPP:45: out E6579F4AC461652E00000000000000000110020000000000000001240D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E01008003000180020002800400050D0000144A131C81070358455C5728F20E95452F0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
2024-06-19 14:27:42.551999 ike V=VIPP:2:IPSEC_VIPP:45: sent IKE msg (ident_i1send): 10.1.0.6:500->185.87.229.218:500, len=292, vrf=0, id=e6579f4ac461652e/0000000000000000
2024-06-19 14:27:42.560099 ike V=VIPP:2: comes 185.87.229.218:500->10.1.0.6:500,ifindex=19,vrf=0,len=264....
2024-06-19 14:27:42.560437 ike V=VIPP:2: IKEv1 exchange=Identity Protection id=e6579f4ac461652e/ad1834d2654db597 len=264 vrf=0
2024-06-19 14:27:42.560458 ike 2: in
2024-06-19 14:27:42.561234 ike V=VIPP:2:IPSEC_VIPP: HA state master(2)
2024-06-19 14:27:42.561250 ike V=VIPP:2:IPSEC_VIPP:45: initiator: main mode get 1st response...
2024-06-19 14:27:42.561999 ike V=VIPP:2:IPSEC_VIPP:45: VID unknown (32): 1082A1C3D2DD1755015AEBB766B5819000000001020221F10001040100000000
2024-06-19 14:27:42.562007 ike V=VIPP:2:IPSEC_VIPP:45: VID unknown (16): 5C8F1743DCCC474D73B4110636772655
2024-06-19 14:27:42.562014 ike V=VIPP:2:IPSEC_VIPP:45: VID unknown (16): D5AB0922CBB4BD46CBC6B115A08CCED1
2024-06-19 14:27:42.562020 ike V=VIPP:2:IPSEC_VIPP:45: VID unknown (16): DD477B3D56B7720CB4210571F6D206A0
2024-06-19 14:27:42.562026 ike V=VIPP:2:IPSEC_VIPP:45: VID unknown (16): F4B5F16943B84BA919E00E5AFA43567D
2024-06-19 14:27:42.562033 ike V=VIPP:2:IPSEC_VIPP:45: VID unknown (16): 645AF885467F08A68619C60E77BDB605
2024-06-19 14:27:42.562774 ike V=VIPP:2:IPSEC_VIPP:45: VID unknown (16): 431CFC9292A0595D7592FEBEA586AD19
2024-06-19 14:27:42.562781 ike V=VIPP:2:IPSEC_VIPP:45: VID DPD AFCAD71368A1F1C96B8696FC77570100
2024-06-19 14:27:42.562788 ike V=VIPP:2:IPSEC_VIPP:45: DPD negotiated
2024-06-19 14:27:42.562802 ike V=VIPP:2:IPSEC_VIPP:45: negotiation result
2024-06-19 14:27:42.562809 ike V=VIPP:2:IPSEC_VIPP:45: proposal id = 1:
2024-06-19 14:27:42.563552 ike V=VIPP:2:IPSEC_VIPP:45:   protocol id = ISAKMP:
2024-06-19 14:27:42.563559 ike V=VIPP:2:IPSEC_VIPP:45:      trans_id = KEY_IKE.
2024-06-19 14:27:42.563565 ike V=VIPP:2:IPSEC_VIPP:45:      encapsulation = IKE/none
2024-06-19 14:27:42.563571 ike V=VIPP:2:IPSEC_VIPP:45:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
2024-06-19 14:27:42.564303 ike V=VIPP:2:IPSEC_VIPP:45:         type=OAKLEY_HASH_ALG, val=SHA.
2024-06-19 14:27:42.564309 ike V=VIPP:2:IPSEC_VIPP:45:         type=AUTH_METHOD, val=PRESHARED_KEY.
2024-06-19 14:27:42.564316 ike V=VIPP:2:IPSEC_VIPP:45:         type=OAKLEY_GROUP, val=MODP1536.
2024-06-19 14:27:42.564322 ike V=VIPP:2:IPSEC_VIPP:45: ISAKMP SA lifetime=86400
2024-06-19 14:27:42.564336 ike V=VIPP:2:IPSEC_VIPP:45: generate DH public value request queued
2024-06-19 14:27:42.565074 ike 2:IPSEC_VIPP:45: out E6579F4AC461652EAD1834D2654DB5970410020000000000000000F40A0000C43B7D89BFE4C60A0B7A90189A327CA3582DBEFCB47E4565F8FC9441C110BC4611F27F300BD3A1C16361BFDEA23A8193B49C7F72A94483CDC9AE6A639A15871405BE9942FC1B4E51B9AD288471918EA6CEE75E063F642988514E093E94403C56034314E6DFA396F776C2C64FD3C5D70261E87A21976532B5A4C9F8E669E4D863C34CCA521F4F55446F46BA0EBDB770B0240A716DE4D12258A217C11B71A4031CA95D056D09BEEFF957C13AC5AEA1C157F1674436DDDB07B4711D37618926EB44FE0000001484B4978239F70D674FF95191BC297A67
2024-06-19 14:27:42.565105 ike V=VIPP:2:IPSEC_VIPP:45: sent IKE msg (ident_i2send): 10.1.0.6:500->185.87.229.218:500, len=244, vrf=0, id=e6579f4ac461652e/ad1834d2654db597
2024-06-19 14:27:42.573408 ike V=VIPP:2: comes 185.87.229.218:500->10.1.0.6:500,ifindex=19,vrf=0,len=244....
2024-06-19 14:27:42.573420 ike V=VIPP:2: IKEv1 exchange=Identity Protection id=e6579f4ac461652e/ad1834d2654db597 len=244 vrf=0
2024-06-19 14:27:42.573426 ike 2: in E6579F4AC461652EAD1834D2654DB5970410020000000000000000F40A0000C4F47F8E4A5B2AF45A3068EE13018BA922DC4B6A1770E226CB57FA6E902A339232897D4884E59A9C8D6134F51A9B0746CAD4D52DAB736AEB3B0237F83362B6390D18491E529208D9BB6BC48A818AEEA7C6C43BB91974FF7EE084D5E00F232F017AC08B003905756153B3A4FA8709892E25EEFBA121011805392F4141A1BC1C3950A175244D406EBAE9E73058E66F0D5CD2B460A32308D76ADC2B7CFB6BEFE1AA014C9986DC1AA8B5E7A4277C333ACB2A5EEEF8EE117797A0C9F0E5B8B5C2556BD3000000146455500773EDABB98C79FD6AAB14EC59
2024-06-19 14:27:42.573435 ike V=VIPP:2:IPSEC_VIPP: HA state master(2)
2024-06-19 14:27:42.573440 ike V=VIPP:2:IPSEC_VIPP:45: initiator: main mode get 2nd response...
2024-06-19 14:27:42.573446 ike V=VIPP:2:IPSEC_VIPP:45: nat unavailable
2024-06-19 14:27:42.573454 ike V=VIPP:2:IPSEC_VIPP:45: compute DH shared secret request queued
2024-06-19 14:27:42.573779 ike 2:IPSEC_VIPP:45: ISAKMP SA e6579f4ac461652e/ad1834d2654db597 key 32:6A12FEC0B03318B565A60BC66371DFF0446CE80EB0F989B5829874766FFEE864
2024-06-19 14:27:42.573794 ike V=VIPP:2:IPSEC_VIPP:45: add INITIAL-CONTACT
2024-06-19 14:27:42.573811 ike 2:IPSEC_VIPP:45: enc E6579F4AC461652EAD1834D2654DB59705100201000000000000005C0800000C010000000A0100060B0000187B198D653B5F907127F5B44F261B37731F6E09190000001C0000000101106002E6579F4AC461652EAD1834D2654DB597
2024-06-19 14:27:42.573830 ike 2:IPSEC_VIPP:45: out E6579F4AC461652EAD1834D2654DB59705100201000000000000006C21467011419C17BC2F739D1DFC188379C1EDA57CC9E0F6FF80B1CC8C261DE98BFDE96DBD27D2EE552336AD64F481917EDB31F597F9E81D82B5B316F47AF066178B91B1DAAC188F8E15CC35137A38B0D4
2024-06-19 14:27:42.573852 ike V=VIPP:2:IPSEC_VIPP:45: sent IKE msg (ident_i3send): 10.1.0.6:500->185.87.229.218:500, len=108, vrf=0, id=e6579f4ac461652e/ad1834d2654db597
2024-06-19 14:27:42.581263 ike V=VIPP:2: comes 185.87.229.218:500->10.1.0.6:500,ifindex=19,vrf=0,len=64....
2024-06-19 14:27:42.581274 ike V=VIPP:2: IKEv1 exchange=Informational id=e6579f4ac461652e/ad1834d2654db597:fd7b9ede len=64 vrf=0
2024-06-19 14:27:42.581279 ike 2: in E6579F4AC461652EAD1834D2654DB5970B100500FD7B9EDE0000004000000024000000010110000EE6579F4AC461652EAD1834D2654DB597800C000180080000
2024-06-19 14:27:42.581284 ike V=VIPP:2:IPSEC_VIPP: HA state master(2)
2024-06-19 14:27:42.581289 ike V=VIPP:2:IPSEC_VIPP:45: ignoring unencrypted NO-PROPOSAL-CHOSEN message from 185.87.229.218:500.
2024-06-19 14:27:45.573921 ike 2:IPSEC_VIPP:45: out E6579F4AC461652EAD1834D2654DB59705100201000000000000006C21467011419C17BC2F739D1DFC188379C1EDA57CC9E0F6FF80B1CC8C261DE98BFDE96DBD27D2EE552336AD64F481917EDB31F597F9E81D82B5B316F47AF066178B91B1DAAC188F8E15CC35137A38B0D4
2024-06-19 14:27:45.575997 ike V=VIPP:2:IPSEC_VIPP:45: sent IKE msg (P1_RETRANSMIT): 10.1.0.6:500->185.87.229.218:500, len=108, vrf=0, id=e6579f4ac461652e/ad1834d2654db597
2024-06-19 14:27:51.572585 ike 2:IPSEC_VIPP:45: out E6579F4AC461652EAD1834D2654DB59705100201000000000000006C21467011419C17BC2F739D1DFC188379C1EDA57CC9E0F6FF80B1CC8C261DE98BFDE96DBD27D2EE552336AD64F481917EDB31F597F9E81D82B5B316F47AF066178B91B1DAAC188F8E15CC35137A38B0D4
2024-06-19 14:27:51.574352 ike V=VIPP:2:IPSEC_VIPP:45: sent IKE msg (P1_RETRANSMIT): 10.1.0.6:500->185.87.229.218:500, len=108, vrf=0, id=e6579f4ac461652e/ad1834d2654db597
2024-06-19 14:28:03.576432 ike 2:IPSEC_VIPP:45: out E6579F4AC461652EAD1834D2654DB59705100201000000000000006C21467011419C17BC2F739D1DFC188379C1EDA57CC9E0F6FF80B1CC8C261DE98BFDE96DBD27D2EE552336AD64F481917EDB31F597F9E81D82B5B316F47AF066178B91B1DAAC188F8E15CC35137A38B0D4
2024-06-19 14:28:03.577959 ike V=VIPP:2:IPSEC_VIPP:45: sent IKE msg (P1_RETRANSMIT): 10.1.0.6:500->185.87.229.218:500, len=108, vrf=0, id=e6579f4ac461652e/ad1834d2654db597
2024-06-19 14:28:12.555754 ike V=VIPP:2:IPSEC_VIPP:45: negotiation timeout, deleting
2024-06-19 14:28:12.557391 ike V=VIPP:2:IPSEC_VIPP: connection expiring due to phase1 down
2024-06-19 14:28:12.558068 ike V=VIPP:2:IPSEC_VIPP: going to be deleted

Can you help me diagnose?

1 Solution
hbac
Staff

Hi @5q46n2te8jPWJY,

 

"NO-PROPOSAL-CHOSEN" means some settings are not matching. You might need to run debugs on the other side as well to see why it is failing. 

 

Regards, 
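
The last inbound packet in the log above can be decoded by hand to confirm what the peer sent. This is an added example (not part of any forum post, and not Fortinet or Forcepoint code) that parses the ISAKMP header and Notification payload per RFC 2408 from the hex logged at 14:27:42.581279; the function and dictionary names are illustrative.

```python
import struct

# Inbound packet copied from the "ike 2: in" line logged at 14:27:42.581279 above.
PACKET_HEX = ("E6579F4AC461652EAD1834D2654DB5970B100500FD7B9EDE00000040"
              "00000024000000010110000EE6579F4AC461652EAD1834D2654DB597"
              "800C000180080000")
# Illustrative lookup tables (names are this example's own), values from RFC 2408.
EXCHANGES = {2: "Identity Protection", 4: "Aggressive", 5: "Informational"}
NOTIFY = {14: "NO-PROPOSAL-CHOSEN", 18: "INVALID-ID-INFORMATION",
          23: "INVALID-HASH-INFORMATION", 24: "AUTHENTICATION-FAILED"}
NOTIFY_PAYLOAD = 11  # payload type number of a Notification payload

def parse_isakmp_notify(packet_hex):
    """Decode the ISAKMP header and, if cleartext, the first Notification payload."""
    raw = bytes.fromhex(packet_hex)
    if len(raw) < 28:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    i_cookie, r_cookie, next_pl, version, exch, flags, msg_id, length = \
        struct.unpack("!8s8sBBBBII", raw[:28])
    if length != len(raw):
        raise ValueError("header length field does not match packet size")
    info = {
        "cookies": f"{i_cookie.hex()}/{r_cookie.hex()}",
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange": EXCHANGES.get(exch, str(exch)),
        "encrypted": bool(flags & 0x01),   # bit 0 of the flags byte
        "message_id": f"{msg_id:08x}",
        "notify": None,
    }
    # An encrypted body cannot be parsed without the SA keys.
    if info["encrypted"] or next_pl != NOTIFY_PAYLOAD:
        return info
    body = raw[28:]
    if len(body) < 12:
        raise ValueError("truncated Notification payload")
    _next, _rsvd, pl_len, doi, proto, spi_size, ntype = struct.unpack("!BBHIBBH", body[:12])
    if pl_len < 12 + spi_size or pl_len > len(body):
        raise ValueError("bad Notification payload length")
    info["notify"] = {
        "type": NOTIFY.get(ntype, str(ntype)),
        "doi": doi,
        "protocol_id": proto,
        "spi": body[12:12 + spi_size].hex(),
        "data": body[12 + spi_size:pl_len].hex(),
    }
    return info

if __name__ == "__main__":
    print(parse_isakmp_notify(PACKET_HEX))
```

The decoded header has the encryption flag cleared, which matches the FortiGate logging the notify as unencrypted and ignoring it. In the log it arrives right after ident_i3send, after the phase 1 negotiation result had already been printed.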


3 REPLIES
ozkanaltas
Valued Contributor II

Hi @5q46n2te8jPWJY ,

When I reviewed the outputs, I saw that your remote site has a private IP. If you didn't do any NAT configuration on the NAT device (router/modem, etc.), I suggest enabling NAT-T configuration on both sites.

And also, did you configure phase 2 networks on the SonicWall side?

Btw, I found a document about how you can establish a site-to-site VPN between Forcepoint and FortiGate.

https://support.forcepoint.com/s/article/000015793

 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
AEK
SuperUser

Can you add other encryption/authentication proposals on both sides?

AEK