Hey All,
I'm having issues connecting my FortiGate (Head Office) to a SonicWall (Remote Office). My logs show "peer SA proposal not match local policy" for an IPsec Phase 1 failure. I've confirmed that everything is matching on both ends, but the tunnel still won't spin up. Anyone have any resolutions handy?
Thanks!
Is your FortiGate behind a NAT? I had a similar error where my FortiGate was behind a NAT, so I had to configure the SonicWall settings with the remote peer ID of the WAN IP on the FortiGate.
Dakota_G wrote: Did you create policies in and out of the tunnel?
peer SA proposal not match local policy
Did you create static routes pointing to the tunnel?
Are you 100% certain the P2 matches the other side exactly?
Please access the CLI and use
diag debug reset
diag debug application ike -1
diag debug application enable
and provide the log. To stop type
diag debug disable
diag debug reset
I hope the following can help.
http://socpuppet.blogspot.com/2013/10/site-2-site-routed-vpn-trouble-shooting.html
But it sounds like you need to double-check ph2-proposals and proxy-ids. I would start by obtaining the above suggested diagnostics and by reading the above link. Concentrate on phase2 diagnostics if you actually have an IKE-SA active.
Validate phase1 first and then phase2. Proxy-ids will need to match, and the 0.0.0.0:0 is probably not going to work with a SonicWall, or at least I never tried it on a SonicWall.
FWIW: if you have left the default 0.0.0.0:0 in the phase2 selectors of a route-based VPN, that would work fine with a FGT to FGT or FGT to SRX or FGT to Cisco (route-based).
PCNSE
NSE
StrongSwan
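To illustrate the matching checklist above, here is an added Python comparison of the settings entered on both peers (my own example, not code from this thread or from Fortinet); the dictionary keys, the sample addresses and the NATed-FortiGate scenario are constructed assumptions.

```python
"""Added example, not code from the thread: compare the IKE settings typed
into both peers and list what would stop the tunnel negotiating. Sample
values and dictionary keys are constructed for this demo."""
import ipaddress

# Constructed sample: the FortiGate (head office) sits behind NAT, so its
# private interface address is not the peer ID the SonicWall is expecting.
FORTIGATE = {
    "phase1": {"encryption": "aes256", "hash": "sha256", "dh_group": 14,
               "ike_version": 2, "local_id": "192.168.1.2"},
    "phase2": {"encryption": "aes256", "hash": "sha256", "pfs_group": 14,
               "local_selector": "0.0.0.0/0", "remote_selector": "0.0.0.0/0"},
}
SONICWALL = {
    "phase1": {"encryption": "aes256", "hash": "sha256", "dh_group": 14,
               "ike_version": 2, "peer_id": "203.0.113.10"},
    "phase2": {"encryption": "aes256", "hash": "sha1", "pfs_group": 14,
               "local_selector": "10.20.0.0/24", "remote_selector": "10.10.0.0/24"},
}

def check_phase1(fgt, sw):
    """Return findings; an empty list means the IKE SA should come up."""
    findings = [f"phase1 {k}: fortigate={fgt[k]} sonicwall={sw[k]}"
                for k in ("encryption", "hash", "dh_group", "ike_version")
                if fgt[k] != sw[k]]
    # The SonicWall peer ID must equal the ID the FortiGate actually sends
    # (its public WAN IP when NATed), else "Proposed IKE ID mismatch".
    if sw.get("peer_id") and sw["peer_id"] != fgt["local_id"]:
        findings.append(f"phase1 peer id: sonicwall expects {sw['peer_id']}, "
                        f"fortigate sends {fgt['local_id']}")
    return findings

def check_phase2(fgt, sw):
    """Return findings for the IPsec SA: proposal and proxy-id (selector) checks."""
    findings = [f"phase2 {k}: fortigate={fgt[k]} sonicwall={sw[k]}"
                for k in ("encryption", "hash", "pfs_group") if fgt[k] != sw[k]]
    fgt_local = ipaddress.ip_network(fgt["local_selector"])
    fgt_remote = ipaddress.ip_network(fgt["remote_selector"])
    sw_local = ipaddress.ip_network(sw["local_selector"])
    sw_remote = ipaddress.ip_network(sw["remote_selector"])
    # FortiGate's default 0.0.0.0/0 selectors are fine FGT-to-FGT, but a
    # SonicWall wants explicit proxy IDs that mirror each other on both sides.
    if fgt_local.prefixlen == 0 or fgt_remote.prefixlen == 0:
        findings.append("phase2 proxy-id: 0.0.0.0/0 wildcard selector; set explicit subnets")
    elif fgt_local != sw_remote or fgt_remote != sw_local:
        findings.append(f"phase2 proxy-id: fortigate {fgt_local}->{fgt_remote} "
                        f"is not the mirror of sonicwall {sw_local}->{sw_remote}")
    return findings
```

Running both checks on the sample reports the peer ID mismatch, the phase2 hash mismatch and the wildcard selectors; an empty list from each function is the state you want before pulling the ike debug.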
Hello,
you need to specify the proxy id (do not use group) on the fortigate.
On sonicwall, leave the local/peer id to blank.
and google is your friend :
http://kb.fortinet.com/kb/viewContent.do?externalId=11657
http://www.sysprobs.com/guide-to-setup-vpn-between-sonicwall-and-fortigate-ipsec-site-to-site-vpn
Lucas
I've gotten the tunnel up and I am able to ping from FortiGate to SonicWall but not SonicWall to FortiGate. I believe I have all the policies in place; anyone have any input?
The diag debug flow command is the #1 diagnostic tool in the FortiGate toolbox. I would suggest you deploy it ;)
diag debug dis
diag debug reset
diag debug enable
diag debug flow filter addr <x.x.x.x>
diag debug flow show console enable
diag debug flow trace start 100
Place your traffic up, monitor the diagnostics output and look at the evidence. After conclusion, disable the diagnostics:
diag debug reset
diag debug disable
Ken
PCNSE
NSE
StrongSwan
Make sure you're using IKEv2 - DPD and NAT-T work much better between vendors.
Anyone can help on this? Now I am getting the below error from SonicWall:
IKE Initiator: Proposed IKE ID mismatch
Copyright 2024 Fortinet, Inc. All Rights Reserved.