hi all.
I have two FortiGates running 5.2 and 5.4; the 5.4 (30E) is behind a NAT device, which NATs its outbound traffic.
For some reason I am unable to get this VPN up and running. I have been through all of Google already :) .. The thing is, I keep getting this on the 5.2 (that's the device I am connecting to):
ike 2: cache dirty, wait for rebuild
ike 2:1995709eec1ddf64/0000000000000000:13895: incoming proposal:
ike 2:1995709eec1ddf64/0000000000000000:13895: proposal id = 0:
ike 2:1995709eec1ddf64/0000000000000000:13895: protocol id = ISAKMP:
ike 2:1995709eec1ddf64/0000000000000000:13895: trans_id = KEY_IKE.
ike 2:1995709eec1ddf64/0000000000000000:13895: encapsulation = IKE/none
ike 2:1995709eec1ddf64/0000000000000000:13895: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 2:1995709eec1ddf64/0000000000000000:13895: type=OAKLEY_HASH_ALG, val=SHA.
ike 2:1995709eec1ddf64/0000000000000000:13895: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 2:1995709eec1ddf64/0000000000000000:13895: type=OAKLEY_GROUP, val=MODP1024.
ike 2:1995709eec1ddf64/0000000000000000:13895: ISAKMP SA lifetime=25000
ike 2:1995709eec1ddf64/0000000000000000:13895: negotiation failure
ike Negotiate ISAKMP SA Error: ike 2:1995709eec1ddf64/0000000000000000:13895: no SA proposal chosen
And that's pretty much it.. I have tried tuning all kinds of things, but no way... I have made sure my policy is OK for traffic, NAT-T, routing.. PSK is checked and checked again, and again. I have made very, very sure that proposals match on both phase 1 and phase 2... and now I am stuck.
Note that I need to have this running over NAT; it's not an option to not have this in place...
Anyone? :)
Hi there,
Have you enabled "NAT-traversal" on each site?
Thanks
Yep!
Check for:
IKEv1 vs IKEv2 mismatch
3DES-SHA mismatch w/ DHGRP 2
FWIW: if you use IKEv2, NAT-T is built in ;)
PCNSE
NSE
StrongSwan
Tried a number of proposals and DH combos. I control both devices, so I have verified that they match... Also tried with both IKEv1 and IKEv2 :)
CLI command:
diag sniffer packet <interface name> "host x.x.x.x and host y.y.y.y and (port 500 or port 4500)"
Do you see traffic bi-directionally?
If yes, on what ports?
Do the I and R (initiator and responder) talk for the gateway peers?
Are you using a peer-id of any, or is it defined?
Does your traffic pass through an upstream firewall/packet-filtering device?
Ken
Hi - I only see port 500 hitting the firewall I am trying to connect to.. It pretty much just tells me "no proposal chosen".
I have tried with a peer ID definition on both firewalls, and also with the option of "any ID" on both firewalls. I was pretty sure for a while that configuring the local ID on both ends would fix it.. but no.
My traffic flows through another firewall that provides me with NAT, yes.
OK nice, a picture says 1k words ;)
1: OK, the transient FW needs a FW policy to allow ESP/IKE/IKE-NAT-T between the two peers. For now make it any for services and then tighten it down.
e.g. (the transient firewall needs to allow IKE udp500, IKE-NAT-T 4500)
# Address objects for the two VPN peers (placeholder x.x.x.x values, fill in the real ones)
config firewall address
    edit FGT90-34
        set subnet x.x.x.34/32
    next
    edit FGT30
        set subnet x.x.x.x/32
        set comment " use the proper address "
    next
end
# One policy per direction; "service any" for now, tighten to IKE/IKE-NATT/ESP once it works
config firewall policy
    edit 0
        set srcintf "insert the proper int "
        set dstintf " again insert the proper in "
        set service any
        set schedule always
        set srcaddr FGT90-34
        set dstaddr FGT30
        set action accept
    next
    edit 0
        set srcintf "insert the proper int "
        set dstintf " again insert the proper in "
        set service any
        set schedule always
        set dstaddr FGT90-34
        set srcaddr FGT30
        set action accept
    next
end
Now on the two VPN gateways set the exact same phase1-interface details:
config vpn ipsec phase1-interface
    edit "MYVPNFGT90"
        set interface "wan1"
        set dhgrp 2
        set proposal aes256-sha1
        set remote-gw < insert the far >
        set psksecret cd,.,3djk3jj3j3j3j3kdshsysh
        set keepalive 30
    next
end
Repeat the above on the FGT30D; this should get your phase 1 up.
Phase 2: again specify the correct proxy-ID.
config vpn ipsec phase2-interface
    edit "MYVPNFGT90-PH2-1"
        set auto-negotiate enable
        set pfs disable
        set phase1name "MYVPNFGT90"
        set proposal aes256-sha1
        set replay disable
        set dst-subnet x.x.x.x 255.255.255.255
        set keylifeseconds 3600
        set src-subnet y.y.y.y 255.255.255.0
    next
end
Again, both VPN peers will look exactly the same for phase 2; just swap src/dst-subnet x.x.x.x/y.y.y.y for the opposite side.
Ken
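A small helper, added here and not part of the thread, that reads the responder-side IKE debug lines from the first post and a phase1-interface stanza in the shape Ken posted, then reports why the responder answers "no SA proposal chosen". The sample log and config are constructed from the posts; the DES/MD5/MODP entries beyond 3DES_CBC/SHA/MODP1024 are assumed standard IKEv1 names.

```python
import re
# Constructed sample: the responder's "diag debug app ike" lines from the first post, one per line.
IKE_LOG = """\
ike 2:1995709eec1ddf64/0000000000000000:13895: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 2:1995709eec1ddf64/0000000000000000:13895: type=OAKLEY_HASH_ALG, val=SHA.
ike 2:1995709eec1ddf64/0000000000000000:13895: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 2:1995709eec1ddf64/0000000000000000:13895: type=OAKLEY_GROUP, val=MODP1024.
ike Negotiate ISAKMP SA Error: ike 2:1995709eec1ddf64/0000000000000000:13895: no SA proposal chosen
"""

# Constructed sample: the responder's phase1-interface stanza in the shape Ken posted.
PHASE1_CFG = """\
config vpn ipsec phase1-interface
    edit "MYVPNFGT90"
        set dhgrp 2
        set proposal aes256-sha1
    next
end
"""

# Debug attribute values -> FortiOS tokens (3DES_CBC/SHA/MODP1024 are from the post; the rest assumed).
ENC_TOKEN = {"3DES_CBC": "3des", "DES_CBC": "des"}
HASH_TOKEN = {"SHA": "sha1", "MD5": "md5"}
GROUP_TOKEN = {"MODP768": "1", "MODP1024": "2", "MODP1536": "5", "MODP2048": "14"}

def parse_incoming_proposal(log):
    """Extract the initiator's offered IKE SA attributes and whether the responder rejected them."""
    a = dict(re.findall(r"type=(\w+), val=(\w+)", log))
    return {
        "enc": ENC_TOKEN.get(a.get("OAKLEY_ENCRYPT_ALG"), a.get("OAKLEY_ENCRYPT_ALG")),
        "hash": HASH_TOKEN.get(a.get("OAKLEY_HASH_ALG"), a.get("OAKLEY_HASH_ALG")),
        "auth": a.get("AUTH_METHOD"),
        "dhgrp": GROUP_TOKEN.get(a.get("OAKLEY_GROUP"), a.get("OAKLEY_GROUP")),
        "rejected": "no SA proposal chosen" in log,
    }

def parse_phase1(cfg):
    # Return (proposal list, dhgrp list) from the "set proposal" / "set dhgrp" lines.
    prop = re.search(r"^\s*set proposal (.+)$", cfg, re.M)
    grp = re.search(r"^\s*set dhgrp (.+)$", cfg, re.M)
    return (prop.group(1).split() if prop else [], grp.group(1).split() if grp else [])

def explain_mismatch(incoming, proposals, dhgrps):
    # List why a responder with this phase1 config answers "no SA proposal chosen".
    offered = f"{incoming['enc']}-{incoming['hash']}"
    reasons = []
    if offered not in proposals:
        reasons.append(f"offered {offered} is not in local proposal list {proposals}")
    if incoming["dhgrp"] not in dhgrps:
        reasons.append(f"offered DH group {incoming['dhgrp']} is not in local dhgrp list {dhgrps}")
    return reasons
```

Run it against the real debug output and the responder's own stanza: an empty reason list with a still-failing negotiation points away from proposals and toward the PSK or peer ID instead.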
Copyright 2024 Fortinet, Inc. All Rights Reserved.