vinceneil666
Contributor

VPN, phase one stuck.

hi all.

I have two Fortigates running 5.2 and 5.4 - the 5.4 (30E) is behind a NAT device - thus NATing its outbound traffic.

For some reason I am unable to get this VPN up and running. I have been through all of Google already :) .. The thing is I keep getting this on the 5.2 (that's the device I am connecting to):

ke 2: cache dirty, wait for rebuild
ike 2:1995709eec1ddf64/0000000000000000:13895: incoming proposal:
ike 2:1995709eec1ddf64/0000000000000000:13895: proposal id = 0:
ike 2:1995709eec1ddf64/0000000000000000:13895: protocol id = ISAKMP:
ike 2:1995709eec1ddf64/0000000000000000:13895: trans_id = KEY_IKE.
ike 2:1995709eec1ddf64/0000000000000000:13895: encapsulation = IKE/none
ike 2:1995709eec1ddf64/0000000000000000:13895: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 2:1995709eec1ddf64/0000000000000000:13895: type=OAKLEY_HASH_ALG, val=SHA.
ike 2:1995709eec1ddf64/0000000000000000:13895: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 2:1995709eec1ddf64/0000000000000000:13895: type=OAKLEY_GROUP, val=MODP1024.
ike 2:1995709eec1ddf64/0000000000000000:13895: ISAKMP SA lifetime=25000
ike 2:1995709eec1ddf64/0000000000000000:13895: negotiation failure
ike Negotiate ISAKMP SA Error: ike 2:1995709eec1ddf64/0000000000000000:13895: no SA proposal chosen

And that's pretty much it.. I have tried tuning all kinds - but no way... I have made sure my policy is OK for traffic, NAT-T, routing.. PSK is checked and checked again, and again. I have made very - very - sure that proposals match on both phase 1 and phase 2... and now I am stuck.

Note that I need to have this running over NAT, it's not an option to not have this in place...

anyone ? :)
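Reading the debug output above by eye is error-prone, so here is a small Python helper, added as an example for this thread (it is not from the original post or from Fortinet), that parses the responder-side `diagnose debug application ike` lines into what the initiator actually offered, spelled the way FortiOS writes it in `set proposal` / `set dhgrp`, and checks that offer against a local proposal list. The value-name tables and the local settings used in the usage call (`aes256-sha1`, dhgrp 14) are assumptions; only the 3DES/SHA/MODP1024 values appear on the page.

```python
"""Parse the responder-side 'diagnose debug application ike' output quoted in the
post above and report what the initiator offered for phase 1 and how the
responder answered, using the names FortiOS uses for 'set proposal' and
'set dhgrp'."""
import re

# The debug lines from the post above (first line truncated exactly as in the thread).
IKE_DEBUG = """\
ke 2: cache dirty, wait for rebuild
ike 2:1995709eec1ddf64/0000000000000000:13895: incoming proposal:
ike 2:1995709eec1ddf64/0000000000000000:13895: proposal id = 0:
ike 2:1995709eec1ddf64/0000000000000000:13895: protocol id = ISAKMP:
ike 2:1995709eec1ddf64/0000000000000000:13895: trans_id = KEY_IKE.
ike 2:1995709eec1ddf64/0000000000000000:13895: encapsulation = IKE/none
ike 2:1995709eec1ddf64/0000000000000000:13895: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 2:1995709eec1ddf64/0000000000000000:13895: type=OAKLEY_HASH_ALG, val=SHA.
ike 2:1995709eec1ddf64/0000000000000000:13895: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 2:1995709eec1ddf64/0000000000000000:13895: type=OAKLEY_GROUP, val=MODP1024.
ike 2:1995709eec1ddf64/0000000000000000:13895: ISAKMP SA lifetime=25000
ike 2:1995709eec1ddf64/0000000000000000:13895: negotiation failure
ike Negotiate ISAKMP SA Error: ike 2:1995709eec1ddf64/0000000000000000:13895: no SA proposal chosen
"""

# Value names as printed by the debug, mapped to the FortiOS CLI spelling.
# Assumed from the standard IKEv1 attribute names; only 3DES_CBC, SHA and
# MODP1024 actually appear on the page.
ENCRYPT_NAMES = {"DES_CBC": "des", "3DES_CBC": "3des", "AES_CBC": "aes"}
HASH_NAMES = {"MD5": "md5", "SHA": "sha1", "SHA2_256": "sha256"}
GROUP_NAMES = {"MODP768": 1, "MODP1024": 2, "MODP1536": 5, "MODP2048": 14}

COOKIE_RE = re.compile(r"ike \d+:([0-9a-f]{16})/([0-9a-f]{16}):\d+:")
ATTR_RE = re.compile(r"type=(\w+), val=(\w+)")
LIFETIME_RE = re.compile(r"ISAKMP SA lifetime=(\d+)")


def parse_phase1_debug(text):
    """Collect the attributes of the incoming proposal and the final outcome."""
    info = {"initiator_cookie": None, "attrs": {}, "lifetime": None, "outcome": "unknown"}
    for line in text.splitlines():
        m = COOKIE_RE.search(line)
        if m and info["initiator_cookie"] is None:
            info["initiator_cookie"] = m.group(1)
        m = ATTR_RE.search(line)
        if m:
            info["attrs"][m.group(1)] = m.group(2)
        m = LIFETIME_RE.search(line)
        if m:
            info["lifetime"] = int(m.group(1))
        if "no SA proposal chosen" in line:
            info["outcome"] = "no SA proposal chosen"
        elif "negotiation failure" in line and info["outcome"] == "unknown":
            info["outcome"] = "negotiation failure"
    return info


def offered_in_fortios_terms(info):
    """Translate the attributes into (proposal, dhgrp, auth) as the CLI spells them."""
    attrs = info["attrs"]
    enc = ENCRYPT_NAMES.get(attrs.get("OAKLEY_ENCRYPT_ALG"), "unknown")
    if enc == "aes" and "KEY_LENGTH" in attrs:  # AES carries its key size separately
        enc = "aes" + attrs["KEY_LENGTH"]
    hsh = HASH_NAMES.get(attrs.get("OAKLEY_HASH_ALG"), "unknown")
    grp = GROUP_NAMES.get(attrs.get("OAKLEY_GROUP"))
    return f"{enc}-{hsh}", grp, attrs.get("AUTH_METHOD")


def check_against_local(text, local_proposals, local_dhgrps):
    """Verdict: what the peer sent, what the responder said, and whether the
    offer would fit the given local 'set proposal' / 'set dhgrp' values."""
    info = parse_phase1_debug(text)
    proposal, dhgrp, auth = offered_in_fortios_terms(info)
    return {
        "peer_proposal": proposal,
        "peer_dhgrp": dhgrp,
        "peer_auth": auth,
        "peer_lifetime": info["lifetime"],
        "responder_outcome": info["outcome"],
        "proposal_accepted_locally": proposal in local_proposals and dhgrp in local_dhgrps,
    }


if __name__ == "__main__":
    # Hypothetical local phase1 settings on the responder (not from the thread).
    for key, value in check_against_local(IKE_DEBUG, ["aes256-sha1"], [14]).items():
        print(f"{key}: {value}")
```

For this log the helper reports `3des-sha1` with DH group 2, pre-shared key, lifetime 25000, answered with "no SA proposal chosen". If the offer does appear in the responder's local list, the proposal itself is not the cause and the remaining phase 1 selectors the thread goes on to discuss (remote gateway, peer ID, IKE version, mode) are the next things to compare.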

kurtli_FTNT
Staff

Hi there,

Have you enabled "NAT-traversal" on each site?

Thanks

vinceneil666

Yep!

emnoc
Esteemed Contributor III

check for:

IKEv1 vs IKEv2 mismatch

3DES-SHA mismatch w/DHGRP 2

FWIW: if you use IKEv2, NAT-T is built in ;)

PCNSE NSE StrongSwan
vinceneil666

Tried a number of proposals and dh combos. I control both devices so I have verified that they match... Also tried with both ike1 and 2 :)

emnoc
Esteemed Contributor III

cli-cmd

diag sniffer packet <interface name > " host x.x.x.x and y.y.y.y and port 500 or 4500"

Do you see traffic bi-directionally?

If yes, on what ports?

Do the I and R (initiator and responder) talk for the gateway peers?

Are you using a peer-id of any, or is it defined?

Does your traffic pass through an upstream firewall/packet-filtering device?

Ken

PCNSE NSE StrongSwan
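To answer these questions from a capture rather than by eye, here is an added Python example (not from the post or from Fortinet) that parses sniffer output of the shape `diagnose sniffer packet wan1 "..." 4` prints (timestamp, interface, direction, src.port -> dst.port, protocol, length; the exact line format is assumed) and summarises direction, ports and which side initiates. The sample lines and addresses are constructed and use documentation ranges.

```python
"""Summarise FortiGate sniffer output for an IKE exchange: is traffic flowing both
ways, which UDP ports are in use, and which peer initiates."""
import re

# Constructed sample in the shape of
#   diagnose sniffer packet wan1 "host 203.0.113.10 and host 198.51.100.5 and (port 500 or port 4500)" 4
# output (verbose level 4 prints interface and direction). The line format is
# assumed; the addresses are documentation ranges, not from the thread.
LOCAL_IP = "198.51.100.5"  # the box we are sniffing on, in the responder role
SNIFFER_OUTPUT = """\
interfaces=[wan1]
filters=[host 203.0.113.10 and host 198.51.100.5 and (port 500 or port 4500)]
0.501234 wan1 in 203.0.113.10.500 -> 198.51.100.5.500: udp 292
0.502001 wan1 out 198.51.100.5.500 -> 203.0.113.10.500: udp 52
10.503111 wan1 in 203.0.113.10.500 -> 198.51.100.5.500: udp 292
10.504001 wan1 out 198.51.100.5.500 -> 203.0.113.10.500: udp 52
"""

PKT_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out|--)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+udp\s+(?P<length>\d+)$"
)


def parse_sniffer(text):
    """Turn packet lines into dicts; header lines (interfaces=, filters=) are skipped."""
    packets = []
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if not m:
            continue
        p = m.groupdict()
        p["ts"] = float(p["ts"])
        for key in ("sport", "dport", "length"):
            p[key] = int(p[key])
        packets.append(p)
    return packets


def summarize_ike(packets, local_ip):
    """Answer the checklist: bidirectional? which ports? NAT-T port seen? who initiates?"""
    inbound = [p for p in packets if p["dst"] == local_ip]
    outbound = [p for p in packets if p["src"] == local_ip]
    ports = sorted({p["sport"] for p in packets} | {p["dport"] for p in packets})
    initiator = packets[0]["src"] if packets else None
    return {
        "inbound": len(inbound),
        "outbound": len(outbound),
        "bidirectional": bool(inbound) and bool(outbound),
        "ports": ports,
        "nat_t_port_seen": 4500 in ports,
        "initiator": initiator,
        "local_is_responder": initiator is not None and initiator != local_ip,
    }


if __name__ == "__main__":
    for key, value in summarize_ike(parse_sniffer(SNIFFER_OUTPUT), LOCAL_IP).items():
        print(f"{key}: {value}")
```

On the sample it reports traffic both ways on UDP 500 only, initiated by the remote address. Seeing only port 500 is expected when IKEv1 phase 1 fails in its first exchange: with NAT-T, the move to UDP 4500 only happens after NAT detection, later in phase 1, so a proposal rejection on message 1 never gets that far.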
vinceneil666

Hi - I only see port 500 hitting the firewall I am trying to connect to.. It pretty much just tells me that "no proposal chosen".

I have tried with peer id definition on both firewalls, and also with the option of "any id" on both firewalls. I was pretty sure for a while that configuring the local id on both ends would fix it..but no.

My traffic flows through another firewall that provides me with NAT, yes.

vinceneil666

So, VPN from the 30E to the 90E .. NAT, DDNS. And so on.

I have checked the proposals in both ph1 and ph2 at least 2000 times :) Also the PSK :) .. I see port 500 hitting the FG90 from the NAT address, and I get no proposal chosen.

emnoc
Esteemed Contributor III

ok nice, a picture says 1k words ;)

1: okay, the transient FW needs a fw policy to allow ESP/IKE/IKE-NAT-T between the two peers. For now make it any for services and then tighten it down.

e.g. the transient firewall needs to allow IKE udp500 and IKE-NAT-T udp4500.

config firewall address
    edit FGT90-34
        set subnet x.x.x.34/32
    next
    edit FGT30
        set subnet x.x.x.x/32
        set comment "use the proper address"
    next
end

config firewall policy
    edit 0
        set srcintf "insert the proper intf"
        set dstintf "again insert the proper intf"
        set service "ALL"
        set schedule always
        set srcaddr FGT90-34
        set dstaddr FGT30
        set action accept
    next
    edit 0
        set srcintf "insert the proper intf"
        set dstintf "again insert the proper intf"
        set service "ALL"
        set schedule always
        set dstaddr FGT90-34
        set srcaddr FGT30
        set action accept
    next
end

Now on the two vpn-gateways set the exact same phase1-interface details

config vpn ipsec phase1-interface
    edit "MYVPNFGT90"
        set interface "wan1"
        set dhgrp 2
        set proposal aes256-sha1
        set remote-gw < insert the far >
        set psksecret cd,.,3djk3jj3j3j3j3kdshsysh
        set keepalive 30
    next
end

repeat above on the FGT30D, this should get your phase1 up

Phase2 again specify the correct proxy-id

config vpn ipsec phase2-interface
    edit "MYVPNFGT90-PH2-1"
        set auto-negotiate enable
        set pfs disable
        set phase1name "MYVPNFGT90"
        set proposal aes256-sha1
        set replay disable
        set dst-subnet x.x.x.x 255.255.255.255
        set keylifeseconds 3600
        set src-subnet y.y.y.y 255.255.255.0
    next
end

again both vpn-peers will look the exact same for ph2, just swap src/dst-subnet x.x.x.x/y.y.y.y for the opposite side

Ken

PCNSE NSE StrongSwan
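As an added example for the symmetry Ken describes (not the poster's code or Fortinet's), here is a Python checker that parses two peers' `config vpn ipsec phase1-interface` / `phase2-interface` snippets and reports any phase 1 parameter that differs, a phase 2 proposal/PFS difference, or src-subnet/dst-subnet pairs that are not mirror images. The configs, addresses and PSK placeholder are constructed; the values assumed for keys left unset (ike-version 1, main mode, NAT traversal enabled, PFS enabled) are marked in the code as assumed FortiOS defaults.

```python
"""Check that two FortiGate peers' phase1-interface / phase2-interface settings
agree: identical phase 1 parameters, identical phase 2 proposal and PFS, and
src-subnet/dst-subnet swapped between the two sides."""

# Constructed config for the FGT90 side, modelled on the post above.
# Addresses are private ranges chosen for the example; the PSK is a placeholder.
FGT90_CFG = """\
config vpn ipsec phase1-interface
    edit "MYVPNFGT90"
        set ike-version 1
        set dhgrp 2
        set proposal aes256-sha1
        set psksecret PLACEHOLDER-PSK
    next
end
config vpn ipsec phase2-interface
    edit "MYVPNFGT90-PH2-1"
        set phase1name "MYVPNFGT90"
        set proposal aes256-sha1
        set pfs disable
        set src-subnet 10.90.0.0 255.255.255.0
        set dst-subnet 10.30.0.0 255.255.255.0
    next
end
"""

# The FGT30 side is "the exact same" config. The BAD variant carries two
# deliberate mistakes (dhgrp 14, subnets not swapped); GOOD corrects both.
# Both leave ike-version unset so the assumed default is exercised.
_FGT30_BASE = (FGT90_CFG.replace("MYVPNFGT90", "MYVPNFGT30")
               .replace("        set ike-version 1\n", ""))
FGT30_CFG_BAD = _FGT30_BASE.replace("set dhgrp 2", "set dhgrp 14")
FGT30_CFG_GOOD = (_FGT30_BASE
                  .replace("set src-subnet 10.90.0.0", "set src-subnet 10.30.0.0")
                  .replace("set dst-subnet 10.30.0.0", "set dst-subnet 10.90.0.0"))

# Assumed FortiOS defaults for keys a 'show' would omit.
PHASE1_DEFAULTS = {"ike-version": "1", "mode": "main", "nattraversal": "enable"}
PHASE2_DEFAULTS = {"pfs": "enable"}


def parse_fortios_cli(text):
    """Minimal reader for config/edit/set/next/end blocks -> {table: {name: {key: value}}}."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = tables.setdefault(line[7:], {})
        elif line.startswith("edit ") and table is not None:
            entry = table.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip().strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            table = None
    return tables


def only_entry(tables, name):
    """The example assumes exactly one phase1 and one phase2 entry per peer."""
    entries = tables.get(name, {})
    if len(entries) != 1:
        raise ValueError(f"expected one '{name}' entry, found {len(entries)}")
    return next(iter(entries.values()))


def compare_peers(cfg_a, cfg_b):
    """Return human-readable mismatches; an empty list means the pair agrees."""
    a, b = parse_fortios_cli(cfg_a), parse_fortios_cli(cfg_b)
    p1a = {**PHASE1_DEFAULTS, **only_entry(a, "vpn ipsec phase1-interface")}
    p1b = {**PHASE1_DEFAULTS, **only_entry(b, "vpn ipsec phase1-interface")}
    p2a = {**PHASE2_DEFAULTS, **only_entry(a, "vpn ipsec phase2-interface")}
    p2b = {**PHASE2_DEFAULTS, **only_entry(b, "vpn ipsec phase2-interface")}
    problems = []
    for key in ("ike-version", "mode", "nattraversal", "proposal", "dhgrp", "psksecret"):
        if p1a.get(key) != p1b.get(key):
            problems.append(f"phase1 {key}: {p1a.get(key)!r} vs {p1b.get(key)!r}")
    for key in ("proposal", "pfs"):
        if p2a.get(key) != p2b.get(key):
            problems.append(f"phase2 {key}: {p2a.get(key)!r} vs {p2b.get(key)!r}")
    # Phase 2 selectors must be mirror images of each other.
    for mine, theirs in (("src-subnet", "dst-subnet"), ("dst-subnet", "src-subnet")):
        if p2a.get(mine) != p2b.get(theirs):
            problems.append(f"phase2 {mine} of A must equal {theirs} of B")
    return problems


if __name__ == "__main__":
    for label, cfg in (("bad", FGT30_CFG_BAD), ("good", FGT30_CFG_GOOD)):
        print(label, compare_peers(FGT90_CFG, cfg) or ["no mismatches"])
```

Run against the constructed pair it flags `phase1 dhgrp: '2' vs '14'` and the two unswapped subnets for the bad side and nothing for the corrected one; pasting real `show vpn ipsec phase1-interface` / `phase2-interface` output from both boxes into the two strings gives the same check on a live pair.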
vinceneil666

Thank you - I will try again tomorrow. But with DDNS running on the 30E, and it being behind NAT, will I not need to think at all about how to define the peer types differently on either of the FGTs? And the local-id is not an issue? Aggressive mode? IKE v1 vs v2 ..and so on. This might come down to the NAT fw messing something up - but I do get the packets through on port 500.. and a packet sniffer tells me that the only traffic my 30E is sending..is on port 500.