hiho,
I got a strange issue here:
I set up IPSec between two FGT with 6.0.x and one side behind NAT (LTE Box) with success using fortiddns as remote gw.
Now I had to do the same with an older FGT 80C which is behind NAT. The other side is still a 100E with 6.0.x.
While this worked out of the box with two FGTs on 6.0.x as soon as the policies and routes were set, it refuses to work with the remote side on 5.4.
I used the same config on both sides, so I am 100% sure that my settings, PSK, DH groups and proposals do match. So does the IKE version. As I said, it worked fine between two FGTs on 6.0.x.
With one side on 5.4 all I get is "ike Negotiate ISAKMP SA Error: ike 0:d2780712bdf9ea36/0000000000000000:71183: no SA proposal chosen" in the ike debug log on the 6.0.x FGT. The other side also reports that no SA proposal was chosen.
I tried several combinations and enabled several DH groups in p1 as well as in p2 with no success.
Do you have any advice?
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
So you've got the reason in cleartext...
It's about the phase1 settings. I noticed that in newer FortiOS, the default DH group settings are "14, 5". And an older FOS couldn't cope with that as it didn't feature DH group 14. As best practice, I always set one set of parameters (not a choice of) identical on both sides, and that works.
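To make the "no SA proposal chosen" logic concrete: in IKEv1 the initiator offers every configured proposal x DH-group combination and the responder accepts the first one it also has; if the two sets do not overlap, the responder answers with exactly the error quoted above. The checker below is an added example written for this thread, not code from Fortinet or from either poster; the phase1 snippets are constructed in FortiOS CLI style (the real tunnels' settings are not on the page) and only the `set ike-version`, `set proposal` and `set dhgrp` lines are read.

```python
import re
from typing import Dict, List, Tuple

# Constructed FortiOS-style phase1 snippets (assumptions, not the thread's real configs).
NEW_SIDE = """
config vpn ipsec phase1-interface
    edit "to-branch"
        set ike-version 1
        set proposal aes256-sha256 aes128-sha1
        set dhgrp 14 5
    next
end
"""
OLD_SIDE_OK = "set ike-version 1\nset proposal aes256-sha256\nset dhgrp 5 2\n"
OLD_SIDE_BAD = "set ike-version 1\nset proposal aes256-sha256\nset dhgrp 2\n"

def parse_phase1(cli: str) -> Dict[str, List[str]]:
    """Collect ike-version, proposal and dhgrp 'set' lines; everything else is ignored.
    The dhgrp default mirrors the FortiOS 6.0 default named in the thread ("14, 5");
    a proposal line must be present, there is no default for it here."""
    cfg: Dict[str, List[str]] = {"ike-version": ["1"], "proposal": [], "dhgrp": ["14", "5"]}
    for line in cli.splitlines():
        m = re.match(r"\s*set\s+(ike-version|proposal|dhgrp)\s+(.+?)\s*$", line)
        if m:
            cfg[m.group(1)] = m.group(2).split()
    return cfg

def negotiate(initiator: Dict[str, List[str]], responder: Dict[str, List[str]]) -> Tuple[bool, str]:
    """Responder's view of IKEv1 phase1: the initiator's (proposal, dhgrp) combinations
    are tried in configured order and the first one the responder also has wins.
    No common combination is what produces 'no SA proposal chosen'."""
    if initiator["ike-version"] != responder["ike-version"]:
        return False, "ike-version mismatch"
    for prop in initiator["proposal"]:
        for dh in initiator["dhgrp"]:
            if prop in responder["proposal"] and dh in responder["dhgrp"]:
                return True, f"chosen {prop} dhgrp {dh}"
    return False, "no SA proposal chosen"

def check(initiator_cli: str, responder_cli: str) -> Tuple[bool, str]:
    """Parse both sides and run the negotiation once, initiator first."""
    return negotiate(parse_phase1(initiator_cli), parse_phase1(responder_cli))

if __name__ == "__main__":
    for label, other in (("dhgrp 5 2 on the old side", OLD_SIDE_OK),
                         ("dhgrp 2 only on the old side", OLD_SIDE_BAD)):
        print(label, "->", check(NEW_SIDE, other))
```

The second case reproduces the error from the first post; fixing it is the advice above, one identical proposal and DH group on both sides.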
Hm, there is DH group 14 in the DH groups in 5.4.
However, there were more strange things.
Since I found there is also 5.6 for an 80C, I went back to the start, upgraded to the last 5.6 FortiOS, did a factory reset and configured it anew since there was not much to configure.
With that I also reset the IPsec tunnel to the settings it originally had and reset the PSK to make sure it is equal. Now the VPN works fine ;)
Maybe some 5.4 vs. 6.0 issue, I guess...
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams