Hi, I am trying to set up a ipsec site to site VPN between two Fortigate devices: The branch unit is connected to the ISP router which gets a dynamic IP-address. DDNS is set up and a hostname is created and working. The router forwards all traffic to a DMZ-IP, what in this case is the Fortigate50E. This works, as I succesfully have managed to forward port 443 to an internal IP (in this case with NAT enabled in the IPv4 policy).
I am not able to set up a working site to site VPN though. I have used the IPsec wizard on both sites: Site to Site / No NAT between sites Q: is this correct? The branch fortigate has no public IP, but it has a dynamic dns record enabled and setup as remote IP in the HQ fortigate unit. So my understanding is that both Fortigates should be able to see each others, is this correct? As the HQ Fortigate will connect to the dynamic router IP at the branch site and as the router forwards everything then to the Fortigate50E the Fortigate50E should be able to take care of the incoming IKE requests? This is the result of:
diag debug app ike -1
diag debug enable
ike Negotiate ISAKMP SA Error: ike 0:84a65a65d61b58b1/0000000000000000:49: no SA proposal chosen
clsike 0: comes 213.239.207.213:500->192.168.4.200:500,ifindex=10....
ike 0: IKEv1 exchange=Identity Protection id=84a65a65d61b58b1/0000000000000000 len=396
ike 0: in 84A65A65D61B58B1000000000000000001100200000000000000018C0D0000A4000000010000000100000098010100040300002401010000800B0001000C0004000151808001000180030001800200018004000E0300002402010000800B0001000C000400015180800100018003000180020001800400050300002403010000800B0001000C0004000151808001000180030001800200028004000E0000002404010000800B0001000C000400015180800100018003000180020002800400050D0000144A131C81070358455C5728F20E95452F0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:84a65a65d61b58b1/0000000000000000:50: responder: main mode get 1st message...
ike 0:84a65a65d61b58b1/0000000000000000:50: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:84a65a65d61b58b1/0000000000000000:50: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:84a65a65d61b58b1/0000000000000000:50: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
ike 0:84a65a65d61b58b1/0000000000000000:50: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:84a65a65d61b58b1/0000000000000000:50: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
ike 0:84a65a65d61b58b1/0000000000000000:50: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:84a65a65d61b58b1/0000000000000000:50: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:84a65a65d61b58b1/0000000000000000:50: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike 0:84a65a65d61b58b1/0000000000000000:50: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:84a65a65d61b58b1/0000000000000000:50: VID FORTIGATE 8299031757A36082C6A621DE00000000
ike 0:84a65a65d61b58b1/0000000000000000:50: incoming proposal:
ike 0:84a65a65d61b58b1/0000000000000000:50: proposal id = 0:
ike 0:84a65a65d61b58b1/0000000000000000:50: protocol id = ISAKMP:
ike 0:84a65a65d61b58b1/0000000000000000:50: trans_id = KEY_IKE.
ike 0:84a65a65d61b58b1/0000000000000000:50: encapsulation = IKE/none
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_ENCRYPT_ALG, val=DES_CBC.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_HASH_ALG, val=MD5.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_GROUP, val=MODP2048.
ike 0:84a65a65d61b58b1/0000000000000000:50: ISAKMP SA lifetime=86400
ike 0:84a65a65d61b58b1/0000000000000000:50: proposal id = 0:
ike 0:84a65a65d61b58b1/0000000000000000:50: protocol id = ISAKMP:
ike 0:84a65a65d61b58b1/0000000000000000:50: trans_id = KEY_IKE.
ike 0:84a65a65d61b58b1/0000000000000000:50: encapsulation = IKE/none
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_ENCRYPT_ALG, val=DES_CBC.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_HASH_ALG, val=MD5.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_GROUP, val=MODP1536.
ike 0:84a65a65d61b58b1/0000000000000000:50: ISAKMP SA lifetime=86400
ike 0:84a65a65d61b58b1/0000000000000000:50: proposal id = 0:
ike 0:84a65a65d61b58b1/0000000000000000:50: protocol id = ISAKMP:
ike 0:84a65a65d61b58b1/0000000000000000:50: trans_id = KEY_IKE.
ike 0:84a65a65d61b58b1/0000000000000000:50: encapsulation = IKE/none
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_ENCRYPT_ALG, val=DES_CBC.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_GROUP, val=MODP2048.
ike 0:84a65a65d61b58b1/0000000000000000:50: ISAKMP SA lifetime=86400
ike 0:84a65a65d61b58b1/0000000000000000:50: proposal id = 0:
ike 0:84a65a65d61b58b1/0000000000000000:50: protocol id = ISAKMP:
ike 0:84a65a65d61b58b1/0000000000000000:50: trans_id = KEY_IKE.
ike 0:84a65a65d61b58b1/0000000000000000:50: encapsulation = IKE/none
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_ENCRYPT_ALG, val=DES_CBC.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_GROUP, val=MODP1536.
ike 0:84a65a65d61b58b1/0000000000000000:50: ISAKMP SA lifetime=86400
ike 0:84a65a65d61b58b1/0000000000000000:50: my proposal, gw HQ:
ike 0:84a65a65d61b58b1/0000000000000000:50: proposal id = 1:
ike 0:84a65a65d61b58b1/0000000000000000:50: protocol id = ISAKMP:
ike 0:84a65a65d61b58b1/0000000000000000:50: trans_id = KEY_IKE.
ike 0:84a65a65d61b58b1/0000000000000000:50: encapsulation = IKE/none
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_GROUP, val=MODP2048.
ike 0:84a65a65d61b58b1/0000000000000000:50: ISAKMP SA lifetime=86400
ike 0:84a65a65d61b58b1/0000000000000000:50: proposal id = 1:
ike 0:84a65a65d61b58b1/0000000000000000:50: protocol id = ISAKMP:
ike 0:84a65a65d61b58b1/0000000000000000:50: trans_id = KEY_IKE.
ike 0:84a65a65d61b58b1/0000000000000000:50: encapsulation = IKE/none
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_GROUP, val=MODP1536.
ike 0:84a65a65d61b58b1/0000000000000000:50: ISAKMP SA lifetime=86400
ike 0:84a65a65d61b58b1/0000000000000000:50: proposal id = 1:
ike 0:84a65a65d61b58b1/0000000000000000:50: protocol id = ISAKMP:
ike 0:84a65a65d61b58b1/0000000000000000:50: trans_id = KEY_IKE.
ike 0:84a65a65d61b58b1/0000000000000000:50: encapsulation = IKE/none
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_GROUP, val=MODP2048.
ike 0:84a65a65d61b58b1/0000000000000000:50: ISAKMP SA lifetime=86400
ike 0:84a65a65d61b58b1/0000000000000000:50: proposal id = 1:
ike 0:84a65a65d61b58b1/0000000000000000:50: protocol id = ISAKMP:
ike 0:84a65a65d61b58b1/0000000000000000:50: trans_id = KEY_IKE.
ike 0:84a65a65d61b58b1/0000000000000000:50: encapsulation = IKE/none
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_GROUP, val=MODP1536.
ike 0:84a65a65d61b58b1/0000000000000000:50: ISAKMP SA lifetime=86400
ike 0:84a65a65d61b58b1/0000000000000000:50: proposal id = 1:
ike 0:84a65a65d61b58b1/0000000000000000:50: protocol id = ISAKMP:
ike 0:84a65a65d61b58b1/0000000000000000:50: trans_id = KEY_IKE.
ike 0:84a65a65d61b58b1/0000000000000000:50: encapsulation = IKE/none
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_GROUP, val=MODP2048.
ike 0:84a65a65d61b58b1/0000000000000000:50: ISAKMP SA lifetime=86400
ike 0:84a65a65d61b58b1/0000000000000000:50: proposal id = 1:
ike 0:84a65a65d61b58b1/0000000000000000:50: protocol id = ISAKMP:
ike 0:84a65a65d61b58b1/0000000000000000:50: trans_id = KEY_IKE.
ike 0:84a65a65d61b58b1/0000000000000000:50: encapsulation = IKE/none
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_GROUP, val=MODP1536.
ike 0:84a65a65d61b58b1/0000000000000000:50: ISAKMP SA lifetime=86400
ike 0:84a65a65d61b58b1/0000000000000000:50: proposal id = 1:
ike 0:84a65a65d61b58b1/0000000000000000:50: protocol id = ISAKMP:
ike 0:84a65a65d61b58b1/0000000000000000:50: trans_id = KEY_IKE.
ike 0:84a65a65d61b58b1/0000000000000000:50: encapsulation = IKE/none
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_GROUP, val=MODP2048.
ike 0:84a65a65d61b58b1/0000000000000000:50: ISAKMP SA lifetime=86400
ike 0:84a65a65d61b58b1/0000000000000000:50: proposal id = 1:
ike 0:84a65a65d61b58b1/0000000000000000:50: protocol id = ISAKMP:
ike 0:84a65a65d61b58b1/0000000000000000:50: trans_id = KEY_IKE.
ike 0:84a65a65d61b58b1/0000000000000000:50: encapsulation = IKE/none
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_GROUP, val=MODP1536.
ike 0:84a65a65d61b58b1/0000000000000000:50: ISAKMP SA lifetime=86400
ike 0:84a65a65d61b58b1/0000000000000000:50: proposal id = 1:
ike 0:84a65a65d61b58b1/0000000000000000:50: protocol id = ISAKMP:
ike 0:84a65a65d61b58b1/0000000000000000:50: trans_id = KEY_IKE.
ike 0:84a65a65d61b58b1/0000000000000000:50: encapsulation = IKE/none
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_GROUP, val=MODP2048.
ike 0:84a65a65d61b58b1/0000000000000000:50: ISAKMP SA lifetime=86400
ike 0:84a65a65d61b58b1/0000000000000000:50: proposal id = 1:
ike 0:84a65a65d61b58b1/0000000000000000:50: protocol id = ISAKMP:
ike 0:84a65a65d61b58b1/0000000000000000:50: trans_id = KEY_IKE.
ike 0:84a65a65d61b58b1/0000000000000000:50: encapsulation = IKE/none
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_GROUP, val=MODP1536.
ike 0:84a65a65d61b58b1/0000000000000000:50: ISAKMP SA lifetime=86400
ike 0:84a65a65d61b58b1/0000000000000000:50: proposal id = 1:
ike 0:84a65a65d61b58b1/0000000000000000:50: protocol id = ISAKMP:
ike 0:84a65a65d61b58b1/0000000000000000:50: trans_id = KEY_IKE.
ike 0:84a65a65d61b58b1/0000000000000000:50: encapsulation = IKE/none
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_GROUP, val=MODP2048.
ike 0:84a65a65d61b58b1/0000000000000000:50: ISAKMP SA lifetime=86400
ike 0:84a65a65d61b58b1/0000000000000000:50: proposal id = 1:
ike 0:84a65a65d61b58b1/0000000000000000:50: protocol id = ISAKMP:
ike 0:84a65a65d61b58b1/0000000000000000:50: trans_id = KEY_IKE.
ike 0:84a65a65d61b58b1/0000000000000000:50: encapsulation = IKE/none
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:84a65a65d61b58b1/0000000000000000:50: type=OAKLEY_GROUP, val=MODP1536.
ike 0:84a65a65d61b58b1/0000000000000000:50: ISAKMP SA lifetime=86400
ike 0:84a65a65d61b58b1/0000000000000000:50: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:84a65a65d61b58b1/0000000000000000:50: no SA proposal chosen
Can you help me please to get this fixxed? I am not sure what is not working.
UPDATE: the tunnel works now, but no traffic is flowing. So I recreated everything from scratch, but this time without using the wizard, doing everything manually. I then found the error: at HQ where a virtualised version of Fortigate runs (15 days eval license) I can only choose "DES" as encryption. So I changed this on both Fortigates and the tunnel was up then. But still I have no traffic flowing: I can't ping 10.0.1.1 from HQ or 192.168.30.10 from Branch. Any idea how to track this down now?
Take a look at the Routing Monitor. The remote subnet needs to be known on the opposite site.
And of course you need policies.
You might share some more information so this is not going into the crystal ball direction...
Fixxed it. Wrong IF was choosen in routing
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.