VPN tunnel (tunnel mode) between two FortiGates is up, but can only ping from one side
Hi all,
In one of our branch offices we had to replace one of our FortiGates with a new one. After setting up the FortiGate, the tunnel came up (FortiGate 60D - FortiGate 60B) and everything looks ok. Now it looks like we can ping from HQ to the branch, but when we want to ping from the branch to HQ it fails. When we do a trace on the branch FG to HQ it's not going to HQ but to the internet. The firewall looks correct, so that's not the problem.
When I go to the VPN logs I get an error on phase1 with reason: peer SA proposal not match local policy
That's strange because both sides are the same, except IKE version 1 or 2 is not selectable on the HQ FG, because that's an older version.
Any suggestions or ideas?
arjanfeest wrote:
> Hi all,
> In one of our branch offices we had to replace one of our FortiGates with a new one. After setting up the FortiGate, the tunnel came up (FortiGate 60D - FortiGate 60B) and everything looks ok. Now it looks like we can ping from HQ to the branch, but when we want to ping from the branch to HQ it fails. When we do a trace on the branch FG to HQ it's not going to HQ but to the internet. The firewall looks correct, so that's not the problem.
> When I go to the VPN logs I get an error on phase1 with reason: peer SA proposal not match local policy
> That's strange because both sides are the same, except IKE version 1 or 2 is not selectable on the HQ FG, because that's an older version.
> Any suggestions or ideas?

IKE v1 or v2 may not be selectable on the HQ machine, but ensure that v1 is what is selected on the newer branch FGT. Also make sure you have a static route back to the HQ unit through the tunnel with a lower distance than that of the default gateway. Often-missed setup piece.
Hope this helps
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
A new box means, in most cases, a new operating system.
We once had a problem with changed default settings on a new OS.
Do a "show full-config vpn ipsec phas ....." on both units and compare the configuration.
HTH
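The two replies above combined into one branch-side (60D) CLI session, as an added example that is not from this thread or from Fortinet. It assumes the tunnel interface is named "to-HQ" on "wan1"; the HQ gateway 203.0.113.10, the HQ LAN 10.0.0.0/24, the proposal and DH group, and the pre-shared key are constructed placeholders that must be matched against the 60B's own phase1 dump. The full command name "show full-config vpn ipsec phase1-interface" is the assumed expansion of the abbreviated command in the reply; on FortiOS the default static route has distance 10, which is why the tunnel route is given a lower value here.

```fortios
# Added example, not from the thread. Run on the branch FortiGate (the new 60D).
# Constructed placeholders: "to-HQ", "wan1", 203.0.113.10, 10.0.0.0/24,
# aes256-sha1, dhgrp 5 and the PSK. Match every value to the 60B's output.

# 1. Dump phase1 on BOTH units and compare line by line (third reply).
#    The older 60B prints no ike-version line, so the 60D must be pinned to 1
#    or the 60B rejects the proposal ("peer SA proposal not match local policy").
show full-config vpn ipsec phase1-interface

# 2. Pin the branch side to IKEv1 with proposals identical to the 60B (Bob's reply).
config vpn ipsec phase1-interface
    edit "to-HQ"
        set interface "wan1"
        set ike-version 1
        set remote-gw 203.0.113.10
        set proposal aes256-sha1
        set dhgrp 5
        set psksecret <pre-shared-key-placeholder>
    next
end

# 3. Static route back to the HQ LAN via the tunnel interface, with a distance
#    lower than the default route (10), so branch-to-HQ traffic stops following
#    the default route out to the internet, which is what the trace showed.
config router static
    edit 0
        set dst 10.0.0.0 255.255.255.0
        set device "to-HQ"
        set distance 5
    next
end

# 4. Confirm the tunnel route is the one selected for an HQ host before re-testing ping.
get router info routing-table details 10.0.0.10
```

Repeat step 1 on the 60B and diff the two dumps; any line that differs in proposal, DH group, key lifetime or local/remote ID is a phase1 mismatch candidate. Step 4 should list "to-HQ" as the outgoing interface; if it still shows the WAN interface, the static route is not in place or has a higher distance than the default route.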
