Hi all,
In one of our branch offices we had to replace one of our FortiGates with a new one. After setting up the FortiGate the tunnel came up (FortiGate 60D - FortiGate 60B) and everything looks OK. Now it looks like we can ping from HQ to the branch, but when we want to ping from the branch to HQ it fails. When we do a trace on the branch FG to HQ it's not going to HQ but to the internet. The firewall looks correct, so that's not the problem.
When I go to the VPN logs I get an error on phase1 with reason: peer SA proposal not match local policy
That's strange, because both sides are the same, except that IKE version 1 or 2 is not selectable on the HQ FG, because that's an older version.
Any suggestions or ideas?
Reply from Bob (quoting arjanfeest's post above):
IKE v1 or v2 may not be selectable on the HQ machine, but ensure that v1 is what is selected on the newer branch FGT. Also make sure you have a static route back to the HQ unit through the tunnel with a lower distance than that of the default gateway. That is an often-missed setup piece.
Hope this helps
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
A new box means in most cases a new operating system.
We once had a problem with changed default settings on a new OS.
Do a "show full-config vpn ipsec phas ....." on both units and compare the configuration.
HTH
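Both replies come down to the same check: line up the phase1 settings of the two units side by side, paying attention to lines the older unit does not show at all (such as ike-version), because a missing line means "default" and defaults move between FortiOS releases. The script below is an added example for this thread, not code from the posters or from Fortinet. It parses the block layout of `show full-configuration vpn ipsec phase1-interface` output (config / edit / set / next / end) from each unit and reports the negotiated settings that differ. The two embedded configs are constructed samples, not the posters' units, and the DEFAULTS table (ike-version 1, mode main) is an assumption to verify against your own firmware.

```python
"""Diff the phase1-interface settings of two FortiGates.

Added example for this thread, not code from the forum posters or from
Fortinet. Paste the output of
    show full-configuration vpn ipsec phase1-interface
from each unit into the two strings below and run the script. The two
configs embedded here are constructed samples, not the posters' units.

A line missing on one side means "use the default", and defaults differ
between FortiOS releases, so a missing key is compared against an
assumed default rather than ignored.
"""
import re
from typing import Dict, List, Tuple

Entry = Dict[str, str]
Finding = Tuple[str, str, str, str]  # (key, hq value, branch value, severity)

# Constructed sample: the older unit, an IKEv1-only build with no
# ike-version line at all.
HQ_CONFIG = """\
config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "wan1"
        set keylife 28800
        set peertype any
        set proposal aes256-sha1 3des-sha1
        set dhgrp 5
        set remote-gw 198.51.100.20
        set psksecret ENC AbCd==
    next
end
"""

# Constructed sample: the replacement unit, where the wizard picked IKEv2
# and a newer cipher set.
BRANCH_CONFIG = """\
config vpn ipsec phase1-interface
    edit "to-hq"
        set interface "wan1"
        set ike-version 2
        set keylife 86400
        set peertype any
        set proposal aes256-sha256 aes128-sha1
        set dhgrp 14 5
        set remote-gw 203.0.113.10
        set psksecret ENC WxYz==
    next
end
"""

# Keys that legitimately differ between the two ends of one tunnel.
SITE_SPECIFIC = {"interface", "remote-gw", "psksecret", "localid", "comments"}
# Keys whose value is a list; IKE succeeds if the peers share at least one item.
LIST_VALUED = {"proposal", "dhgrp"}
# A mismatch here breaks phase1 outright.
CRITICAL = {"ike-version", "mode", "proposal", "dhgrp"}
# Assumed FortiOS defaults for lines an older build omits; check your release.
DEFAULTS = {"ike-version": "1", "mode": "main"}


def parse_phase1(text: str) -> Dict[str, Entry]:
    """Return {phase1 name: {setting: value}} from CLI 'show' output."""
    entries: Dict[str, Entry] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit "?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            entries[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r"^set (\S+) (.+)$", line)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(2).strip().strip('"')
    return entries


def compare_entries(hq: Entry, branch: Entry) -> List[Finding]:
    """List settings that differ, classified as 'mismatch' or 'info'."""
    findings: List[Finding] = []
    for key in sorted((set(hq) | set(branch)) - SITE_SPECIFIC):
        a = hq.get(key, DEFAULTS.get(key, "<default>"))
        b = branch.get(key, DEFAULTS.get(key, "<default>"))
        if a == b:
            continue
        if key in LIST_VALUED:
            # Order does not matter; no common item means nothing to negotiate.
            shared = set(a.split()) & set(b.split())
            severity = "mismatch" if not shared else "info"
        else:
            severity = "mismatch" if key in CRITICAL else "info"
        findings.append((key, a, b, severity))
    return findings


def compare_configs(hq_text: str, branch_text: str) -> List[Finding]:
    """Compare the single phase1 entry on each side (one tunnel per paste)."""
    hq, branch = parse_phase1(hq_text), parse_phase1(branch_text)
    if len(hq) != 1 or len(branch) != 1:
        raise ValueError("paste exactly one phase1-interface entry per side")
    return compare_entries(next(iter(hq.values())), next(iter(branch.values())))


if __name__ == "__main__":
    for key, a, b, severity in compare_configs(HQ_CONFIG, BRANCH_CONFIG):
        print(f"{severity:8} {key:12} HQ={a!r:32} branch={b!r}")
```

On the constructed samples the report flags ike-version (1 by default on the old unit versus 2 on the new one) and proposal (no cipher in common) as mismatches, which is exactly the "peer SA proposal not match local policy" situation, while dhgrp and keylife only differ in ways the peers can still negotiate. The script does not cover Bob's routing point; for that, check `show router static` on the branch unit for a route to the HQ subnet via the tunnel interface whose distance is lower than the default route's.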
Copyright 2024 Fortinet, Inc. All Rights Reserved.