Hi, this subject might sound common to all, but it's just weird: I have all settings correct but it's just not working. OK, here it goes.
I have a Fortigate 60D and a Sonicwall TZ100. I'm trying to set up a site-to-site IPsec VPN, and the settings for both are as follows:
Fortigate 60D:
Firmware Version: 5.2.11
SS-LOCAL-FG (192.168.x.x/24): LAN interface subnet where the Fortigate
SS-REMOTE-SW (10.5.x.x/24): ANY interface subnet where the Sonicwall

On the Fortigate, I created a New > Custom VPN Tunnel:
Name: SS-VPN-SW
Remote gateway: 122.x.x.x
Interface: WAN1
Auth Method: Pre-shared Key
Pre-shared Key: xxxxxxxx
IKE Version: 1
Mode: Main

Phase 1 proposal
  Algorithms: 3DES-SHA1
  DH Group: 2
  Key Lifetime: 28800
  XAUTH: none

Phase 2
  Name: SS-VPN-SW
  Local Address: <subnet> 192.168.x.x/24
  Remote Address: <subnet> 10.5.x.x/24
  inside Advanced:
    3DES-SHA1
    Enable Replay Detection: no
    Enable Perfect Forward Secrecy: no
    local port: yes
    remote port: yes
    Protocol: yes
    Autokey Keepalive: no
    Auto-negotiate: no
    Key Lifetime: 28800

Access rules for Fortigate 60D
  Outgoing: SS-LOCAL-FG (LAN int) > SS-REMOTE-SW (SS-VPN-SW int), Service: all
  Incoming: SS-REMOTE-SW (SS-VPN-SW int) > SS-LOCAL-FG (LAN int), Service: all

Static Route
  10.5.x.x/24 using SS-VPN-SW tunnel/sub int

Log Message
  negotiate_error IPsec Phase 1 error

Sonicwall TZ100:
Firmware Version: 5.9.1.7-2o

General Tab
  Name: SS-VPN-FG
  IPsec Primary Gateway Name or Address: 122.49.216.42
  Auth Method: IKE using Preshared Secret
  Shared secret: xxxxxxxx

Network Tab
  Choose local network from list: LAN Pri Subnet
  Choose Destination Network: SS-REMOTE-SW

Proposals Tab, IKE (Phase 1)
  Exchange: Main Mode
  DH Group: Group 2
  Encryption: 3DES
  Authentication: SHA1
  Life Time (secs): 28800

Proposals Tab, IPsec (Phase 2)
  Protocol: ESP
  Encryption: 3DES
  Auth: SHA1
  Enable Perfect Forward Secrecy: no
  DH Group: 2
  Life Time (secs): 28800

Advanced
  Enable Keep Alive: yes

Access Rules created automatically by SW

Log Message
  IKE Initiator: Remote party timeout - Retransmitting IKE request
So I'm not sure what's wrong with both configs.
Thanks
Jeff
Are you using Local/Peer IDs or no?
Also, your phase 2 on the Sonicwall shows DH 2 and the Fortigate shows no secrecy.
Please make sure that under the Sonicwall FW policies you allowed WANx-Internal/LAN; by default it was set to disabled.
No local/peer ID.
Tick the Enable Perfect Forward Secrecy. Though I've done this before and it didn't work either. I'll try to tick it again and see what happens.
Thanks
Jeff
The only issues I've had were when using local/peer ID; I always had to leave them blank/accept any peer for Sonicwall connections.
Beyond that the config looks OK to me. You'll have to see what's happening to point you in the right direction:
diag debug app ike -1
diag debug enable
after putting in those commands, it showed me these...
FGT60D4Q16017935 # diag debug app ike -1
FGT60D4Q16017935 # diag debug enable
FGT60D4Q16017935 # ike 0: comes 24..x.x.x:500->122.x.x.x:500,ifindex=5....
ike 0: IKEv2 exchange=SA_INIT id=1125ef47c9a516d5/0000000000000000 len=312
ike 0:1125ef47c9a516d5/0000000000000000:33189: responder received SA_INIT msg
ike 0:1125ef47c9a516d5/0000000000000000:33189: received notify type NAT_DETECTION_SOURCE_IP
ike 0:1125ef47c9a516d5/0000000000000000:33189: received notify type NAT_DETECTION_DESTINATION_IP
ike 0:1125ef47c9a516d5/0000000000000000:33189: incoming proposal:
ike 0:1125ef47c9a516d5/0000000000000000:33189: proposal id = 1:
ike 0:1125ef47c9a516d5/0000000000000000:33189: protocol = IKEv2:
ike 0:1125ef47c9a516d5/0000000000000000:33189: encapsulation = IKEv2/none
ike 0:1125ef47c9a516d5/0000000000000000:33189: type=ENCR, val=3DES_CBC
ike 0:1125ef47c9a516d5/0000000000000000:33189: type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:1125ef47c9a516d5/0000000000000000:33189: type=PRF, val=PRF_HMAC_SHA
ike 0:1125ef47c9a516d5/0000000000000000:33189: type=DH_GROUP, val=MODP1024.
ike 0:1125ef47c9a516d5/0000000000000000:33189: no proposal chosen
ike Negotiate SA Error: ike ike [6633]
ike shrank heap by 122880 bytes
ike 0: comes 24.x.x.x:500->122.x.x.x:500,ifindex=5....
ike 0: IKEv2 exchange=SA_INIT id=83d34e61515b5442/0000000000000000 len=312
ike 0:83d34e61515b5442/0000000000000000:33190: responder received SA_INIT msg
ike 0:83d34e61515b5442/0000000000000000:33190: received notify type NAT_DETECTION_SOURCE_IP
ike 0:83d34e61515b5442/0000000000000000:33190: received notify type NAT_DETECTION_DESTINATION_IP
ike 0:83d34e61515b5442/0000000000000000:33190: incoming proposal:
ike 0:83d34e61515b5442/0000000000000000:33190: proposal id = 1:
ike 0:83d34e61515b5442/0000000000000000:33190: protocol = IKEv2:
ike 0:83d34e61515b5442/0000000000000000:33190: encapsulation = IKEv2/none
ike 0:83d34e61515b5442/0000000000000000:33190: type=ENCR, val=3DES_CBC
ike 0:83d34e61515b5442/0000000000000000:33190: type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:83d34e61515b5442/0000000000000000:33190: type=PRF, val=PRF_HMAC_SHA
ike 0:83d34e61515b5442/0000000000000000:33190: type=DH_GROUP, val=MODP1024.
ike 0:83d34e61515b5442/0000000000000000:33190: no proposal chosen
ike Negotiate SA Error: ike ike [6633]
ike 0: comes 24.x.x.x:500->122.x.x.x:500,ifindex=5....
ike 0: IKEv2 exchange=SA_INIT id=83d34e61515b5442/0000000000000000 len=312
ike 0:83d34e61515b5442/0000000000000000:33191: responder received SA_INIT msg
ike 0:83d34e61515b5442/0000000000000000:33191: received notify type NAT_DETECTION_SOURCE_IP
ike 0:83d34e61515b5442/0000000000000000:33191: received notify type NAT_DETECTION_DESTINATION_IP
ike 0:83d34e61515b5442/0000000000000000:33191: incoming proposal:
ike 0:83d34e61515b5442/0000000000000000:33191: proposal id = 1:
ike 0:83d34e61515b5442/0000000000000000:33191: protocol = IKEv2:
ike 0:83d34e61515b5442/0000000000000000:33191: encapsulation = IKEv2/none
ike 0:83d34e61515b5442/0000000000000000:33191: type=ENCR, val=3DES_CBC
ike 0:83d34e61515b5442/0000000000000000:33191: type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:83d34e61515b5442/0000000000000000:33191: type=PRF, val=PRF_HMAC_SHA
ike 0:83d34e61515b5442/0000000000000000:33191: type=DH_GROUP, val=MODP1024.
ike 0:83d34e61515b5442/0000000000000000:33191: no proposal chosen
ike Negotiate SA Error: ike ike [6633]
ike 0: comes 24.x.x.x:500->122.x.x.x:500,ifindex=5....
ike 0: IKEv2 exchange=SA_INIT id=83d34e61515b5442/0000000000000000 len=312
ike 0: in 83D34E61515B544200000000000000002120220800000000000001382200002C000000280101000403000008010000030300000803000002030000080200000200000008040000022800008800020000129255572827FC5629264F4B991D85C19DC615B01D97B42F3C4915461D45DC6BA519A77132319123A4CDC3E9626513008F757561173127345CF8041986319ED1E153BBB5B4690540748F3B8BB0D1689A812E3B854CACC512FC0D0387149EE113EB1506125EEE9C107625E1F3D8099DCE029C10C2A412F13B830E4517C56D1C0129000018830BF2600B473B783621BEE4363ED91E2D1487492900001C00004004879139726CB80065A8383E1AF2723FB6866B51CD2B00001C00004005202F3968FCB7536055220BB2CEC5ABA581341CF1000000182A6775D0AD2AA7887C33FE1D68BAF308966F0001
ike 0:83d34e61515b5442/0000000000000000:33192: responder received SA_INIT msg
ike 0:83d34e61515b5442/0000000000000000:33192: received notify type NAT_DETECTION_SOURCE_IP
ike 0:83d34e61515b5442/0000000000000000:33192: received notify type NAT_DETECTION_DESTINATION_IP
ike 0:83d34e61515b5442/0000000000000000:33192: incoming proposal:
ike 0:83d34e61515b5442/0000000000000000:33192: proposal id = 1:
ike 0:83d34e61515b5442/0000000000000000:33192: protocol = IKEv2:
ike 0:83d34e61515b5442/0000000000000000:33192: encapsulation = IKEv2/none
ike 0:83d34e61515b5442/0000000000000000:33192: type=ENCR, val=3DES_CBC
ike 0:83d34e61515b5442/0000000000000000:33192: type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:83d34e61515b5442/0000000000000000:33192: type=PRF, val=PRF_HMAC_SHA
ike 0:83d34e61515b5442/0000000000000000:33192: type=DH_GROUP, val=MODP1024.
ike 0:83d34e61515b5442/0000000000000000:33192: no proposal chosen
ike Negotiate SA Error: ike ike [6633]
ike 0: comes 24.x.x.x:500->122.x.x.x:500,ifindex=5....
ike 0: IKEv2 exchange=SA_INIT id=83d34e61515b5442/0000000000000000 len=312
ike 0:83d34e61515b5442/0000000000000000:33193: responder received SA_INIT msg
ike 0:83d34e61515b5442/0000000000000000:33193: received notify type NAT_DETECTION_SOURCE_IP
ike 0:83d34e61515b5442/0000000000000000:33193: received notify type NAT_DETECTION_DESTINATION_IP
ike 0:83d34e61515b5442/0000000000000000:33193: incoming proposal:
ike 0:83d34e61515b5442/0000000000000000:33193: proposal id = 1:
ike 0:83d34e61515b5442/0000000000000000:33193: protocol = IKEv2:
ike 0:83d34e61515b5442/0000000000000000:33193: encapsulation = IKEv2/none
ike 0:83d34e61515b5442/0000000000000000:33193: type=ENCR, val=3DES_CBC
ike 0:83d34e61515b5442/0000000000000000:33193: type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:83d34e61515b5442/0000000000000000:33193: type=PRF, val=PRF_HMAC_SHA
ike 0:83d34e61515b5442/0000000000000000:33193: type=DH_GROUP, val=MODP1024.
ike 0:83d34e61515b5442/0000000000000000:33193: no proposal chosen
ike Negotiate SA Error: ike ike [6633]
ike 0: comes 24.x.x.x:500->122.x.x.x:500,ifindex=5....
ike 0: IKEv2 exchange=SA_INIT id=83d34e61515b5442/0000000000000000 len=312
ike 0:83d34e61515b5442/0000000000000000:33194: responder received SA_INIT msg
ike 0:83d34e61515b5442/0000000000000000:33194: received notify type NAT_DETECTION_SOURCE_IP
ike 0:83d34e61515b5442/0000000000000000:33194: received notify type NAT_DETECTION_DESTINATION_IP
ike 0:83d34e61515b5442/0000000000000000:33194: incoming proposal:
ike 0:83d34e61515b5442/0000000000000000:33194: proposal id = 1:
ike 0:83d34e61515b5442/0000000000000000:33194: protocol = IKEv2:
ike 0:83d34e61515b5442/0000000000000000:33194: encapsulation = IKEv2/none
ike 0:83d34e61515b5442/0000000000000000:33194: type=ENCR, val=3DES_CBC
ike 0:83d34e61515b5442/0000000000000000:33194: type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:83d34e61515b5442/0000000000000000:33194: type=PRF, val=PRF_HMAC_SHA
ike 0:83d34e61515b5442/0000000000000000:33194: type=DH_GROUP, val=MODP1024.
ike 0:83d34e61515b5442/0000000000000000:33194: no proposal chosen
ike Negotiate SA Error: ike ike [6633]
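The debug output above already contains the answer the thread arrives at: every round is an IKEv2 SA_INIT from the peer, while the Fortigate phase 1 in the original post is configured for IKE version 1, so the responder logs "no proposal chosen" even though the crypto (3DES, SHA1, DH group 2) is identical on both sides. The following script is an added example, not code from the thread or from Fortinet: it parses one SA_INIT round of the posted `diag debug app ike -1` output (copied here as a constructed sample with the addresses masked as in the post), reduces the incoming proposal to GUI-style names, and compares it against the locally configured phase 1 to report which attribute cannot match. The transform-name mappings other than 3DES_CBC, AUTH_HMAC_SHA_96 and MODP1024 are assumed entries added for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: one SA_INIT round copied from the "diag debug app ike -1"
# output posted in the thread, with the peer addresses masked as in the post.
SAMPLE_IKE_DEBUG = """\
ike 0: comes 24.x.x.x:500->122.x.x.x:500,ifindex=5....
ike 0: IKEv2 exchange=SA_INIT id=1125ef47c9a516d5/0000000000000000 len=312
ike 0:1125ef47c9a516d5/0000000000000000:33189: responder received SA_INIT msg
ike 0:1125ef47c9a516d5/0000000000000000:33189: received notify type NAT_DETECTION_SOURCE_IP
ike 0:1125ef47c9a516d5/0000000000000000:33189: received notify type NAT_DETECTION_DESTINATION_IP
ike 0:1125ef47c9a516d5/0000000000000000:33189: incoming proposal:
ike 0:1125ef47c9a516d5/0000000000000000:33189: proposal id = 1:
ike 0:1125ef47c9a516d5/0000000000000000:33189: protocol = IKEv2:
ike 0:1125ef47c9a516d5/0000000000000000:33189: encapsulation = IKEv2/none
ike 0:1125ef47c9a516d5/0000000000000000:33189: type=ENCR, val=3DES_CBC
ike 0:1125ef47c9a516d5/0000000000000000:33189: type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:1125ef47c9a516d5/0000000000000000:33189: type=PRF, val=PRF_HMAC_SHA
ike 0:1125ef47c9a516d5/0000000000000000:33189: type=DH_GROUP, val=MODP1024.
ike 0:1125ef47c9a516d5/0000000000000000:33189: no proposal chosen
ike Negotiate SA Error: ike ike [6633]
"""

# Local phase 1 exactly as the Fortigate was configured in the original post
# (IKE version 1, main mode, 3DES-SHA1, DH group 2).
LOCAL_PHASE1 = {"ike_version": 1, "encryption": "3DES", "integrity": "SHA1", "dh_group": 2}

# Debug transform names -> GUI-style names. 3DES_CBC, AUTH_HMAC_SHA_96 and MODP1024
# appear in the posted output; the remaining entries are assumed values for illustration.
ENCR_NAMES = {"3DES_CBC": "3DES", "AES_CBC": "AES"}
INTEG_NAMES = {"AUTH_HMAC_SHA_96": "SHA1", "AUTH_HMAC_SHA2_256_128": "SHA256"}
DH_GROUPS = {"MODP1024": 2, "MODP1536": 5, "MODP2048": 14}  # IANA DH group numbers

EXCHANGE_RE = re.compile(r"^ike \d+: IKEv(\d) exchange=(\S+)")
TRANSFORM_RE = re.compile(r"type=(\w+), val=(\w+)")


@dataclass
class IncomingProposal:
    ike_version: Optional[int] = None
    exchange: Optional[str] = None
    transforms: Dict[str, str] = field(default_factory=dict)  # ENCR/INTEGR/PRF/DH_GROUP -> value
    result: Optional[str] = None


def parse_ike_debug(text: str) -> IncomingProposal:
    """Extract the peer's IKE version and first proposal from FortiOS ike debug lines."""
    prop = IncomingProposal()
    for line in text.splitlines():
        m = EXCHANGE_RE.match(line)
        if m:
            prop.ike_version = int(m.group(1))
            prop.exchange = m.group(2)
            continue
        m = TRANSFORM_RE.search(line)
        if m:
            prop.transforms.setdefault(m.group(1), m.group(2))  # keep the first proposal only
            continue
        if "no proposal chosen" in line:
            prop.result = "NO_PROPOSAL_CHOSEN"
    return prop


def find_mismatches(prop: IncomingProposal, local: dict) -> List[Tuple[str, object, object]]:
    """Return (field, peer_value, local_value) for every attribute that cannot match."""
    encr = prop.transforms.get("ENCR", "")
    integ = prop.transforms.get("INTEGR", "")
    peer = {
        "ike_version": prop.ike_version,
        "encryption": ENCR_NAMES.get(encr, encr or None),
        "integrity": INTEG_NAMES.get(integ, integ or None),
        "dh_group": DH_GROUPS.get(prop.transforms.get("DH_GROUP", "")),
    }
    return [(k, peer[k], local[k]) for k in local if peer[k] != local[k]]


def diagnose(text: str, local: dict) -> str:
    """One-line verdict: which attribute the peer's proposal disagrees with locally."""
    mm = find_mismatches(parse_ike_debug(text), local)
    if not mm:
        return "peer proposal is compatible with the local phase 1"
    return "; ".join(f"{k}: peer={pv} local={lv}" for k, pv, lv in mm)


if __name__ == "__main__":
    print(diagnose(SAMPLE_IKE_DEBUG, LOCAL_PHASE1))  # -> ike_version: peer=2 local=1
```

Run against the posted lines, it reports only the IKE version as mismatched, which is the check to make before touching PFS or the proposal lists: when the IKE version differs, the responder rejects the SA_INIT before any algorithm comparison, so the initiator sees nothing but retransmission timeouts.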
The incoming proposal is showing as IKEv2, and in the Fortigate config you posted it's showing IKEv1.
Also, you may want to edit out the public IPs
OK, I'll double check the IKE version, but I'm pretty sure it was set to 1.
Thanks for the reminder :)
Jeff
What about the SonicWALL? It's the incoming proposal listed in the diag, so it's making it look like the SonicWALL is coming in on IKEv2
Copyright 2024 Fortinet, Inc. All Rights Reserved.