Support Forum
vinceneil666

VPN, phase one stuck.

Hi all.

I have two FortiGates running 5.2 and 5.4 - the 5.4 (30E) is behind a NAT device, which is thus NATing its outbound traffic.

For some reason I am unable to get this VPN up and running. I have been through all of Google already :) .. The thing is I keep getting this on the 5.2 (that's the device I am connecting to):

ike 2: cache dirty, wait for rebuild
ike 2:1995709eec1ddf64/0000000000000000:13895: incoming proposal:
ike 2:1995709eec1ddf64/0000000000000000:13895: proposal id = 0:
ike 2:1995709eec1ddf64/0000000000000000:13895: protocol id = ISAKMP:
ike 2:1995709eec1ddf64/0000000000000000:13895: trans_id = KEY_IKE.
ike 2:1995709eec1ddf64/0000000000000000:13895: encapsulation = IKE/none
ike 2:1995709eec1ddf64/0000000000000000:13895: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 2:1995709eec1ddf64/0000000000000000:13895: type=OAKLEY_HASH_ALG, val=SHA.
ike 2:1995709eec1ddf64/0000000000000000:13895: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 2:1995709eec1ddf64/0000000000000000:13895: type=OAKLEY_GROUP, val=MODP1024.
ike 2:1995709eec1ddf64/0000000000000000:13895: ISAKMP SA lifetime=25000
ike 2:1995709eec1ddf64/0000000000000000:13895: negotiation failure
ike Negotiate ISAKMP SA Error: ike 2:1995709eec1ddf64/0000000000000000:13895: no SA proposal chosen

And that's pretty much it.. I have tried tuning all kinds of things - but no way... I have made sure my policy is OK for traffic, NAT-T, routing.. PSK is checked and checked again, and again. I have made very - very - sure that proposals match on both phase 1 and phase 2... and now I am stuck.

Note that I need to have this running over NAT, it's not an option to not have this in place...

Anyone? :)
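Reading a rejection like the one quoted above is mostly a matter of lining the peer's offered attributes up against the responder's own phase 1 proposal list. The following is an added example (not from the original post or from Fortinet) that parses that debug output and checks the offer against a hypothetical `set proposal` / `set dhgrp` configuration; the mapping from debug tokens to config names is an assumption.

```python
import re

# Constructed sample, reproducing the responder-side debug quoted in the post.
SAMPLE_DEBUG = """\
ike 2:1995709eec1ddf64/0000000000000000:13895: incoming proposal:
ike 2:1995709eec1ddf64/0000000000000000:13895: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 2:1995709eec1ddf64/0000000000000000:13895: type=OAKLEY_HASH_ALG, val=SHA.
ike 2:1995709eec1ddf64/0000000000000000:13895: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 2:1995709eec1ddf64/0000000000000000:13895: type=OAKLEY_GROUP, val=MODP1024.
ike 2:1995709eec1ddf64/0000000000000000:13895: ISAKMP SA lifetime=25000
ike 2:1995709eec1ddf64/0000000000000000:13895: negotiation failure
ike Negotiate ISAKMP SA Error: ike 2:1995709eec1ddf64/0000000000000000:13895: no SA proposal chosen
"""

SPI_RE = re.compile(r"ike \d+:([0-9a-f]{16})/([0-9a-f]{16}):(\d+):")
ATTR_RE = re.compile(r"type=(\w+), val=(\w+)\.")
LIFETIME_RE = re.compile(r"ISAKMP SA lifetime=(\d+)")

# Debug tokens -> 'set proposal' / 'set dhgrp' vocabulary (assumed mapping). Only
# 3DES_CBC, SHA and MODP1024 appear on the page; the other groups follow RFC 2409/3526.
ENC = {"3DES_CBC": "3des"}
HASH = {"SHA": "sha1"}
DHGRP = {"MODP1024": 2, "MODP1536": 5, "MODP2048": 14}


def parse_peer_proposal(debug_text):
    """Extract initiator SPI, offered attributes and whether the SA was rejected."""
    spi, attrs, rejected = None, {}, False
    for line in debug_text.splitlines():
        if spi is None and (m := SPI_RE.search(line)):
            spi = m.group(1)
        if m := ATTR_RE.search(line):
            attrs[m.group(1)] = m.group(2)
        if m := LIFETIME_RE.search(line):
            attrs["LIFETIME"] = int(m.group(1))
        if "no SA proposal chosen" in line:
            rejected = True
    return spi, attrs, rejected


def matching_local_proposals(attrs, proposals, dhgrps):
    """Return the 'set proposal' entries that accept the peer's offer (phase 1 needs
    encryption, hash and DH group all to match; [] is the 'no SA proposal chosen' case)."""
    offer = "%s-%s" % (ENC.get(attrs.get("OAKLEY_ENCRYPT_ALG")),
                       HASH.get(attrs.get("OAKLEY_HASH_ALG")))
    group = DHGRP.get(attrs.get("OAKLEY_GROUP"))
    if group not in dhgrps:
        return []
    return [p for p in proposals if p == offer]
```

Feed it the output of `diagnose debug application ike -1` from the responder; an empty match list with the peer's offer printed next to your own `set proposal` list shows at a glance which of the three parameters disagrees.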

22 REPLIES
vinceneil666

Hi everybody - so just some feedback here. (And again, thanks for all the help!)

I had a ticket at Fortinet - spent a lot of time running through everything. And my config was verified to be correct. It ended up being escalated within Fortinet.

The 90D was running on an old firmware, this because of "stuff" - we were not able to find a window for the upgrade due to customer traffic and up-time needs. But now we actually got to the upgrade, and also a reboot, of the cluster. I upgraded it to 5.4.8 ......

After this my VPN connection came UP straight away, no problems. So my 30 box is now running DDNS (with the DDNS name configured as peer on the 90D), behind NAT.. All good.. worst week ever :D .. happy now. Again, thanks for all input!

kurtli_FTNT

Good to know the feedback. Take care.

tommytriger

Had this issue for days. The IKE debug only gave me this "dirty cache" error today; I was only seeing IKE phase 1 errors for ages. Upgraded from 5.4.3 to 5.4.10 and both VPNs came up. Thank god for forums and people taking the time to post! Thanks vinceneil666 for starting and updating this post!
