
SITE-TO-SITE - No matching phase2 found

Hello everyone,

I have some trouble creating a site-to-site connection between a FortiGate 200B and a Check Point Edge device (a small appliance like the SBOX; it is not an NG firewall).

PLEASE NOTE: the "outside" interface that I use is a VLAN interface which is assigned to the LAN interface on the FortiGate. However, this VLAN interface has a public IP address and is accessible from the remote peer.

I have configured the connection on the FortiGate 200B as a route-based VPN (by using an IPsec interface in phase 1). On the FortiGate LAN side I created a loopback interface with an address of 10.10.10.10/32. On the remote peer I have a class C subnet, 192.168.10.0/24. The policies and the static route are created.

After creating all that I simply initiated a PING from the remote peer's LAN to the loopback interface and the tunnel came up (both phase 1 and phase 2). HOWEVER, there is no reply, and after about 10 to 15 seconds there is a message in the remote peer's log that says:

"Failed to establish VPN tunnel: invalid SPI x.x.x.x"

On the FortiGate the debug output says:

error processing quick-mode message from [EDGE ip address] as responder
no matching phase2 found

The phase 2 exists on both peers and it matches exactly. However, the FortiGate debug says otherwise. Does anyone have any ideas? Thanks
gunthnp
New Contributor

Did you change the Quick Mode selector IP address after setup? MR4 patch 7 has a bug we found with that, but deleting the phase 1 and phase 2 and recreating them seemed to fix it.
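To make the selector matching concrete, here is a FortiOS CLI fragment added as an example; it is not configuration from the original post or the reply above. The subnets (10.10.10.10/32 and 192.168.10.0/24) are the ones in the post; the interface name "vlan-outside", the tunnel names, the peer address 203.0.113.2, the proposal and the pre-shared key are placeholders and must be replaced with the real values agreed with the Check Point side.

```fortios
# Added example, not from the original post. Placeholders: "vlan-outside",
# "to-edge", 203.0.113.2, the proposal and the PSK. The subnets are the
# ones described in the post.

config system interface
    edit "lo-vpn"
        set type loopback
        set ip 10.10.10.10 255.255.255.255
        set allowaccess ping
    next
end

config vpn ipsec phase1-interface
    edit "to-edge"
        set interface "vlan-outside"
        set remote-gw 203.0.113.2
        set proposal aes256-sha1
        set psksecret REPLACE_WITH_PSK
    next
end

config vpn ipsec phase2-interface
    edit "to-edge-p2"
        set phase1name "to-edge"
        set proposal aes256-sha1
        # Quick mode selectors (proxy IDs). The FortiGate, acting as
        # responder, only accepts a quick mode exchange whose proposed
        # selectors fit these; anything else is logged as
        # "no matching phase2 found".
        set src-subnet 10.10.10.10 255.255.255.255
        set dst-subnet 192.168.10.0 255.255.255.0
    next
end

config router static
    edit 0
        set dst 192.168.10.0 255.255.255.0
        set device "to-edge"
    next
end
```

The check a practitioner would make before touching anything else: the Check Point Edge must propose exactly 10.10.10.10/32 as the remote encryption domain and 192.168.10.0/24 as the local one. If it proposes a wider range (for example the whole subnet the loopback was carved from) or a different network object, the FortiGate rejects the quick mode message even though the phase 1 negotiation and the phase 2 proposal (ciphers, PFS) look identical on both sides. Running `diagnose debug application ike -1` together with `diagnose debug enable` on the FortiGate while the Edge initiates shows the selectors the peer actually sends, and `diagnose vpn tunnel list` shows which selectors the FortiGate has installed, so the two can be compared line by line.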