Support Forum
arjanfeest
New Contributor

VPN Tunnel (Tunnel mode) between two Fortigates up, but can only ping from one side

Hi all,

 

In one of our branch offices we had to replace one of our Fortigates with a new one. After setting up the Fortigate the tunnel came up (Fortigate 60D - Fortigate 60B) and everything looks OK. Now it looks like we can ping from HQ to the branch, but when we want to ping from branch to HQ it fails. When we do a trace on the branch FG to HQ it's not going to HQ but to the internet. The firewall looks correct, so that's not the problem.

 

When I go to the VPN logs I get an error on phase 1 with reason: peer SA proposal not match local policy

That's strange because both sides are the same, except that IKE version 1 or 2 is not selectable on the HQ FG, because that's an older version.

 

Any suggestions or ideas?

 

2 REPLIES
rwpatterson
Valued Contributor III


IKE v1 or v2 may not be selectable on the HQ machine, but ensure that v1 is what is selected on the newer branch FGT. Also make sure you have a static route back to the HQ unit through the tunnel with a lower distance than that of the default gateway. An often-missed setup piece.

 

Hope this helps

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

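To illustrate the routing point in the reply above, here is an added example that is not from the thread or from Fortinet: a small Python model of route selection (longest prefix match first, then lowest administrative distance, then lowest priority, which is my simplification of how FortiOS picks among static routes) run against constructed branch routing tables, one without and one with the static route to the HQ LAN through the tunnel interface. The HQ subnet 10.10.0.0/16, the tunnel interface name to-hq and the distance values are assumptions, not values from the thread.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str          # destination, e.g. "10.10.0.0/16"
    device: str          # outgoing interface: "wan1" or the IPsec tunnel interface
    distance: int = 10   # FortiOS default administrative distance for static routes
    priority: int = 0    # tie-breaker among routes with equal distance


def lookup(table, dst):
    """Return the route the model would use for dst, or None if nothing matches.

    Simplified FortiOS selection (assumption): the most specific prefix wins;
    among equally specific prefixes the lowest distance wins, then the lowest
    priority.
    """
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in table if ip in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return min(
        candidates,
        key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.distance, r.priority),
    )


def next_hop_device(table, dst):
    """Interface a packet to dst leaves on, which is what a trace on the box shows."""
    route = lookup(table, dst)
    return route.device if route else None


# Constructed tables, not from the thread.
# Before the fix: the branch only has its default route, so traffic for the
# HQ LAN follows the default gateway to the internet (the symptom in the post).
BRANCH_BEFORE = [Route("0.0.0.0/0", "wan1")]

# After the fix: a static route for the HQ LAN through the tunnel interface.
# In FortiOS CLI terms this is the shape of
#   config router static / edit 0 / set dst 10.10.0.0/16 / set device "to-hq" / set distance 5 / next / end
BRANCH_AFTER = BRANCH_BEFORE + [Route("10.10.0.0/16", "to-hq", distance=5)]

# Competing routes for the same prefix: the lower distance wins, which is the
# "lower distance than the default gateway" point from the reply.
BRANCH_COMPETING = BRANCH_AFTER + [Route("10.10.0.0/16", "wan1", distance=10)]


if __name__ == "__main__":
    for name, table in (("before", BRANCH_BEFORE), ("after", BRANCH_AFTER), ("competing", BRANCH_COMPETING)):
        print(f"{name:9s} 10.10.1.1 -> {next_hop_device(table, '10.10.1.1')}")
```

The "before" table reproduces the trace going out to the internet: with no more specific route, 10.10.1.1 matches only the default route. Adding the tunnel route makes the longer prefix win regardless of distance, and the distance only matters when two routes cover the same prefix.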
tinyadmin

A new box means in most cases a new operating system.

We once had a problem with changed default settings in a new OS.

 

Do a "show full-config vpn ipsec phas ....." on both units and compare the configuration.

 

HTH
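Following the suggestion to compare the phase 1 output on both units, here is an added example (not from the thread or from Fortinet) that parses two constructed phase1-interface dumps into dictionaries and reports the settings that would explain a "peer SA proposal not match local policy" error: ike-version and mode must be identical on both peers, while the proposal and dhgrp lists only need at least one entry in common. The tunnel names, addresses and proposals in the sample dumps are constructed; the HQ dump deliberately has no ike-version line, mirroring the older firmware in the thread, and the parser treats a missing ike-version as 1 (an assumption). The pre-shared key is shown encrypted in such dumps, so it is parsed but never compared.

```python
import shlex

# Constructed sample output, not captured from any real unit: the older HQ box
# has no ike-version setting at all.
HQ_CONFIG = """\
config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "wan1"
        set proposal aes256-sha1 3des-sha1
        set dhgrp 5
        set remote-gw 198.51.100.7
        set psksecret ENC placeholder
    next
end
"""

# Constructed sample output for the newer branch box, where IKE version 2 was left selected.
BRANCH_CONFIG = """\
config vpn ipsec phase1-interface
    edit "to-hq"
        set interface "wan1"
        set ike-version 2
        set proposal aes256-sha256 aes256-sha1
        set dhgrp 14 5
        set remote-gw 203.0.113.10
        set psksecret ENC placeholder
    next
end
"""


def parse_phase1(text):
    """Turn the `edit` blocks of a phase1-interface dump into {tunnel: {key: [values]}}."""
    tunnels, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = shlex.split(line)[1]          # strips the quotes around the name
            tunnels[current] = {}
        elif line.startswith("set ") and current is not None:
            parts = shlex.split(line)
            tunnels[current][parts[1]] = parts[2:]  # multi-valued settings stay as lists
        elif line == "next":
            current = None
    return tunnels


# Values assumed when a setting is absent from the dump (assumption: older
# firmware without the ike-version keyword only speaks IKEv1, main mode).
DEFAULTS = {"ike-version": ["1"], "mode": ["main"]}
EXACT = ("ike-version", "mode")    # must be identical on both peers
OVERLAP = ("proposal", "dhgrp")    # lists; negotiation succeeds if any entry is shared


def compare_phase1(local, peer):
    """Return {setting: (local, peer)} for every setting that would block phase 1."""
    findings = {}
    for key in EXACT:
        a, b = local.get(key, DEFAULTS[key]), peer.get(key, DEFAULTS[key])
        if a != b:
            findings[key] = (a, b)
    for key in OVERLAP:
        a, b = set(local.get(key, [])), set(peer.get(key, []))
        if not a & b:
            findings[key] = (sorted(a), sorted(b))
    return findings


if __name__ == "__main__":
    hq = parse_phase1(HQ_CONFIG)["to-branch"]
    branch = parse_phase1(BRANCH_CONFIG)["to-hq"]
    for setting, (a, b) in compare_phase1(hq, branch).items():
        print(f"mismatch {setting}: HQ={a} branch={b}")
```

On the sample dumps the only finding is the IKE version (1 on HQ, 2 on the branch); the proposal and DH group lists overlap, so setting the branch tunnel back to IKE version 1 is the change the comparison points at.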
