sw2090

strange ipsec issue

hiho,


I got a strange issue here:


I set up IPsec between two FGTs with 6.0.x and one side behind NAT (LTE box) with success, using FortiDDNS as the remote gateway.

Now I had to do the same with an older FGT 80C which is behind NAT. The other side is still a 100E with 6.0.x.

While this worked out of the box with two FGTs on 6.0.x as soon as the policies and routes were set, it refuses to work with the remote side on 5.4.

I used the same config on both sides, so I am 100% sure that my settings, PSK, DH groups and proposals do match. So does the IKE version. As I said, it worked fine between two FGTs on 6.0.x.


With one side on 5.4, all I get is "ike Negotiate ISAKMP SA Error: ike 0:d2780712bdf9ea36/0000000000000000:71183: no SA proposal chosen" in the ike debug log on the 6.0.x FGT. The other side also reports that no SA proposal was chosen.


I tried several combinations and enabled several DH groups in P1 as well as in P2, with no success.


Do you have any advice?

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
ede_pfau

So you've got the reason in cleartext...

It's about the phase 1 settings. I noticed that in newer FortiOS, the default DH group settings are "14, 5", and an older FOS couldn't cope with that as it didn't feature DH group 14. As best practice, I always set one set of parameters (not a choice of) identical on both sides, and that works.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
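To make the failure mode discussed in this reply concrete, here is an added example (not from this thread or from Fortinet): it models each side's phase 1 proposals and DH groups the way FortiGate lists them, negotiates the way an IKE responder does (first offered transform the peer also accepts), and when nothing matches it names the attribute with no overlap, which is what "no SA proposal chosen" hides. The configs SIDE_A to SIDE_D are constructed, and treating proposal x dhgrp as a full cross product is an assumption.

```python
from itertools import product

# Constructed phase-1 settings in FortiGate CLI terms ("set proposal ..." and
# "set dhgrp ..."). These values are illustrative, not the thread's real configs.
SIDE_A = {"proposal": ["aes256-sha256", "aes128-sha1"], "dhgrp": [14, 5]}
SIDE_B = {"proposal": ["aes256-sha256", "3des-sha1"], "dhgrp": [5, 2]}
SIDE_C = {"proposal": ["aes256-sha256"], "dhgrp": [2]}  # DH groups never overlap A
SIDE_D = {"proposal": ["aes256-sha1"], "dhgrp": [5]}    # each attribute overlaps A, no combination does

ATTRS = ("encryption", "authentication", "dh-group")

def transforms(side):
    """Expand proposal x dhgrp into (enc, auth, dh) transforms in listed order.
    Assumption: each listed proposal is offered with each listed DH group."""
    out = []
    for prop, dh in product(side["proposal"], side["dhgrp"]):
        enc, auth = prop.split("-", 1)
        out.append((enc, auth, dh))
    return out

def negotiate(initiator, responder):
    """Return the first initiator transform the responder also accepts, else None
    (None is the 'no SA proposal chosen' case)."""
    accepted = set(transforms(responder))
    for t in transforms(initiator):
        if t in accepted:
            return t
    return None

def diagnose(initiator, responder):
    """Name the attribute(s) with no overlap at all; if every attribute overlaps
    but no full transform matches, say so, since that case is harder to spot."""
    ti, tr = transforms(initiator), transforms(responder)
    findings = []
    for idx, name in enumerate(ATTRS):
        mine, theirs = {t[idx] for t in ti}, {t[idx] for t in tr}
        if not mine & theirs:
            findings.append(f"no common {name}: {sorted(mine)} vs {sorted(theirs)}")
    if not findings:
        findings.append("attributes overlap individually but no (enc, auth, dh) combination matches")
    return findings

if __name__ == "__main__":
    for name, peer in (("B", SIDE_B), ("C", SIDE_C), ("D", SIDE_D)):
        chosen = negotiate(SIDE_A, peer)
        print(f"A -> {name}: chosen={chosen}" if chosen else
              f"A -> {name}: no SA proposal chosen; " + "; ".join(diagnose(SIDE_A, peer)))
```

Run the same two lists from "diagnose vpn ike config" output on each side through it and the mismatched knob shows up directly instead of only the generic error.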
sw2090

Hm, there is DH group 14 in the DH groups in 5.4.

However there were more strange things.

Since I found there is also 5.6 for an 80C, I went back to the start, upgraded to the last 5.6 FortiOS, did a factory reset and configured it anew, since there was not much to configure.

With that I also reset the IPsec tunnel to the settings it originally had and reset the PSK to make sure it matches. Now the VPN works fine ;)


Maybe some 5.4 vs 6.0 issue, I guess...

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams