technician
New Contributor

unable to do Site-to-Site ipsec VPN with a Sonicwall

Hi, this subject might sound common to all, but it's just weird: I have all settings correct, but it's just not working. OK, here it goes.

I have a Fortigate 60D and a Sonicwall TZ100. I'm trying to set up a Site-to-Site IPsec VPN, and the settings for both are as follows:

Fortigate 60D

Firmware Version: 5.2.11

Address objects:
  SS-LOCAL-FG (192.168.x.x/24): LAN interface, subnet where the Fortigate
  SS-REMOTE-SW (10.5.x.x/24): ANY interface, subnet where the Sonicwall

On the Fortigate, I created a New > Custom VPN Tunnel:
  Name: SS-VPN-SW
  Remote gateway: 122.x.x.x
  Interface: WAN1
  Auth Method: Pre-shared Key
  Pre-shared Key: xxxxxxxx
  IKE Version: 1
  Mode: Main

Phase 1 proposal
  Algorithms: 3DES-SHA1
  DH Group: 2
  Key Lifetime: 28800
  XAUTH: none

Phase 2
  Name: SS-VPN-SW
  Local Address: <subnet> 192.168.x.x/24
  Remote Address: <subnet> 10.5.x.x/24

Phase 2, inside Advanced
  3DES-SHA1
  Enable Replay Detection: no
  Enable Perfect Forward Secrecy: no
  local port: yes
  remote port: yes
  Protocol: yes
  Autokey Keepalive: no
  Auto-negotiate: no
  Key Lifetime: 28800

Access rules for Fortigate 60D
  Outgoing: SS-LOCAL-FG (LAN int) > SS-REMOTE-SW (SS-VPN-SW int), Service: all
  Incoming: SS-REMOTE-SW (SS-VPN-SW int) > SS-LOCAL-FG (LAN int), Service: all

Static Route
  10.5.x.x/24 using SS-VPN-SW tunnel/sub int

Log Message
  negotiate_error     IPsec Phase 1 error

Sonicwall TZ100

Firmware Version: 5.9.1.7-2o

General Tab
  Name: SS-VPN-FG
  IPsec Primary Gateway Name or Address: 122.49.216.42
  Auth Method: IKE using Preshared Secret
  Shared secret: xxxxxxxx

Network Tab
  Choose local network from list: LAN Pri Subnet
  Choose Destination Network: SS-REMOTE-SW

Proposals Tab, IKE (Phase 1)
  Exchange: Main Mode
  DH Group: Group 2
  Encryption: 3DES
  Authentication: SHA1
  Life Time (secs): 28800

Proposals Tab, IPsec (Phase 2)
  Protocol: ESP
  Encryption: 3DES
  Auth: SHA1
  Enable Perfect Forward Secrecy: no
  DH Group: 2
  Life Time (secs): 28800

Advanced
  Enable Keep Alive: yes

Access Rules created automatically by SW

Log Message
  IKE Initiator: Remote party timeout - Retransmitting IKE request

So I'm not sure what's wrong with both configs.

Thanks

Jeff

21 replies

technician

Here is for the Sonicwall

technician

This is the General tab

brycemd

Make sure perfect secrecy matches on phase 2. It's on for the SonicWALL; can't tell on the Fortigate.

Try the phase 2 on Fortigate with the subnets rather than objects.

Is there more than one network on each end?

technician

I did the diag command again and here are the results:


FGT60D4Q16017935 # diag debug app ike -1
 
FGT60D4Q16017935 # diag debug enable
 
FGT60D4Q16017935 # ike 0: comes 24.x.x.x:500->122.x.x.x:500,ifindex=5....
ike 0: IKEv1 exchange=Identity Protection id=d5c51fc261510bda/0000000000000000 len=172
ike 0: in D5C51FC261510BDA00000000000000000110020000000000000000AC0D00003400000001000000010000002801010001000000200101000080010005800200028004000280030001800B0001800C70800D00000C5B362BC820F600080D0000144A131C81070358455C5728F20E95452F0D0000147D9419A65310CA6F2C179D9215529D560D00001490CB80913EBB696E086381B5EC427B1F000000144485152D18B6BBCD0BE8A8469579DDCC
ike 0:d5c51fc261510bda/0000000000000000:33405: responder: main mode get 1st message...
ike 0:d5c51fc261510bda/0000000000000000:33405: VID unknown (8): 5B362BC820F60008
ike 0:d5c51fc261510bda/0000000000000000:33405: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:d5c51fc261510bda/0000000000000000:33405: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:d5c51fc261510bda/0000000000000000:33405: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:d5c51fc261510bda/0000000000000000:33405: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:SS-VPN-SW: ignoring IKE request, no policy configured
ike 0:d5c51fc261510bda/0000000000000000:33405: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:d5c51fc261510bda/0000000000000000:33405: no SA proposal chosen
ike shrank heap by 122880 bytes
ike 0: comes 24.x.x.x:500->122.x.x.x:500,ifindex=5....
ike 0: IKEv1 exchange=Identity Protection id=f8bbeae3323d3066/0000000000000000 len=172
ike 0: in F8BBEAE3323D306600000000000000000110020000000000000000AC0D00003400000001000000010000002801010001000000200101000080010005800200028004000280030001800B0001800C70800D00000C5B362BC820F600080D0000144A131C81070358455C5728F20E95452F0D0000147D9419A65310CA6F2C179D9215529D560D00001490CB80913EBB696E086381B5EC427B1F000000144485152D18B6BBCD0BE8A8469579DDCC
ike 0:f8bbeae3323d3066/0000000000000000:33406: responder: main mode get 1st message...
ike 0:f8bbeae3323d3066/0000000000000000:33406: VID unknown (8): 5B362BC820F60008
ike 0:f8bbeae3323d3066/0000000000000000:33406: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:f8bbeae3323d3066/0000000000000000:33406: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:f8bbeae3323d3066/0000000000000000:33406: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:f8bbeae3323d3066/0000000000000000:33406: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:SS-VPN-SW: ignoring IKE request, no policy configured
ike 0:f8bbeae3323d3066/0000000000000000:33406: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:f8bbeae3323d3066/0000000000000000:33406: no SA proposal chosen
ike 0: comes 24.x.x.x:500->122.x.x.x:500,ifindex=5....
ike 0: IKEv1 exchange=Identity Protection id=f8bbeae3323d3066/0000000000000000 len=172
ike 0: in F8BBEAE3323D306600000000000000000110020000000000000000AC0D00003400000001000000010000002801010001000000200101000080010005800200028004000280030001800B0001800C70800D00000C5B362BC820F600080D0000144A131C81070358455C5728F20E95452F0D0000147D9419A65310CA6F2C179D9215529D560D00001490CB80913EBB696E086381B5EC427B1F000000144485152D18B6BBCD0BE8A8469579DDCC
ike 0:f8bbeae3323d3066/0000000000000000:33407: responder: main mode get 1st message...
ike 0:f8bbeae3323d3066/0000000000000000:33407: VID unknown (8): 5B362BC820F60008
ike 0:f8bbeae3323d3066/0000000000000000:33407: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:f8bbeae3323d3066/0000000000000000:33407: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:f8bbeae3323d3066/0000000000000000:33407: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:f8bbeae3323d3066/0000000000000000:33407: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:SS-VPN-SW: ignoring IKE request, no policy configured
ike 0:f8bbeae3323d3066/0000000000000000:33407: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:f8bbeae3323d3066/0000000000000000:33407: no SA proposal chosen
ike shrank heap by 131072 bytes

brycemd

'No policy configured' refers to the IPv4 policy.

 

Tunnel won't come up if the traffic isn't allowed

 

But, it is showing IKEv1 now, so we are making progress.
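The debug output Jeff posted carries the answer in a single line, as brycemd points out. As an added example that is not from this thread or from Fortinet, here is a small Python triage script that parses output in the `diag debug app ike -1` shape shown above, groups the lines per inbound IKE packet, records the peer's NAT-T vendor IDs, and reports which configuration item to check first. The sample lines are constructed to match the posted format: the addresses are placeholders, and the second attempt is constructed without the "no policy configured" line so the proposal-mismatch branch is exercised too.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape of the `diag debug app ike -1` output in the thread.
# 24.0.0.2 stands for the SonicWall side and 122.0.0.1 for the FortiGate side; neither is a real host.
# The second packet is constructed without the "no policy configured" line to show the other branch.
SAMPLE_DEBUG = """\
ike 0: comes 24.0.0.2:500->122.0.0.1:500,ifindex=5....
ike 0: IKEv1 exchange=Identity Protection id=d5c51fc261510bda/0000000000000000 len=172
ike 0:d5c51fc261510bda/0000000000000000:33405: responder: main mode get 1st message...
ike 0:d5c51fc261510bda/0000000000000000:33405: VID unknown (8): 5B362BC820F60008
ike 0:d5c51fc261510bda/0000000000000000:33405: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:d5c51fc261510bda/0000000000000000:33405: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:SS-VPN-SW: ignoring IKE request, no policy configured
ike 0:d5c51fc261510bda/0000000000000000:33405: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:d5c51fc261510bda/0000000000000000:33405: no SA proposal chosen
ike shrank heap by 122880 bytes
ike 0: comes 24.0.0.2:500->122.0.0.1:500,ifindex=5....
ike 0: IKEv1 exchange=Identity Protection id=f8bbeae3323d3066/0000000000000000 len=172
ike 0:f8bbeae3323d3066/0000000000000000:33406: responder: main mode get 1st message...
ike 0:f8bbeae3323d3066/0000000000000000:33406: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:f8bbeae3323d3066/0000000000000000:33406: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:f8bbeae3323d3066/0000000000000000:33406: no SA proposal chosen
"""

RE_COMES = re.compile(r"^ike \d+: comes ([\d.]+):(\d+)->([\d.]+):(\d+),ifindex=(\d+)")
RE_EXCHANGE = re.compile(r"^ike \d+: IKEv(\d) exchange=(.+?) id=([0-9a-f]{16})/[0-9a-f]{16} len=(\d+)")
RE_IGNORE = re.compile(r"^ike \d+:([^:\s]+): ignoring IKE request, (.*)$")
RE_ERROR = re.compile(r"^ike Negotiate ISAKMP SA Error: ike \d+:[0-9a-f]{16}/[0-9a-f]{16}:\d+: (.*)$")
RE_SA = re.compile(r"^ike \d+:([0-9a-f]{16})/[0-9a-f]{16}:\d+: (.*)$")
RE_VID = re.compile(r"^VID (.+?) ([0-9A-F]+)$")


@dataclass
class Attempt:
    """One inbound IKE packet and everything the FortiGate logged while handling it."""
    peer: str
    local: str
    ifindex: int
    ike_version: str = ""
    exchange: str = ""
    cookie: str = ""
    role: str = ""
    vendor_ids: List[str] = field(default_factory=list)
    tunnel: Optional[str] = None
    ignore_reason: Optional[str] = None
    error: Optional[str] = None

    def supports_nat_t(self) -> bool:
        # RFC 3947 or one of the draft-ietf-ipsec-nat-t-ike VIDs means the peer offers NAT traversal
        return any("RFC 3947" in v or "nat-t" in v for v in self.vendor_ids)


def parse_ike_debug(text: str) -> List[Attempt]:
    """Split the debug stream into attempts; each `comes` line starts a new one."""
    attempts: List[Attempt] = []
    current: Optional[Attempt] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = RE_COMES.match(line)
        if m:
            current = Attempt(peer=f"{m[1]}:{m[2]}", local=f"{m[3]}:{m[4]}", ifindex=int(m[5]))
            attempts.append(current)
            continue
        if current is None:
            continue  # heap/bookkeeping lines before the first packet
        m = RE_EXCHANGE.match(line)
        if m:
            current.ike_version, current.exchange, current.cookie = "IKEv" + m[1], m[2], m[3]
            continue
        m = RE_IGNORE.match(line)
        if m:
            current.tunnel, current.ignore_reason = m[1], m[2]
            continue
        m = RE_ERROR.match(line)
        if m:
            current.error = m[1]
            continue
        m = RE_SA.match(line)
        if m and m[1] == current.cookie:
            detail = m[2]
            if detail.startswith(("responder:", "initiator:")):
                current.role = detail.split(":", 1)[0]
            v = RE_VID.match(detail)
            if v:
                current.vendor_ids.append(v[1].rstrip(":"))
    return attempts


def diagnose(a: Attempt) -> str:
    """Map what the responder logged to the configuration item to check first."""
    if a.ignore_reason == "no policy configured":
        return (f"{a.tunnel}: no IPv4 firewall policy uses the tunnel interface; the request was "
                "ignored, so fix the policy before reading the 'no SA proposal chosen' line")
    if a.error and "no SA proposal chosen" in a.error:
        return "phase 1 proposal mismatch: compare encryption, hash, DH group and lifetime on both peers"
    if a.error:
        return a.error
    return "no failure logged"


if __name__ == "__main__":
    for i, att in enumerate(parse_ike_debug(SAMPLE_DEBUG), 1):
        print(f"attempt {i}: {att.ike_version} {att.exchange} from {att.peer} "
              f"(NAT-T capable: {att.supports_nat_t()}) -> {diagnose(att)}")
```

Run it against a saved capture of `diag debug app ike -1`; one attempt per retransmission is expected, and the same diagnosis repeating is the signal that the peer is retrying against a configuration that has not changed.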

emnoc
Esteemed Contributor III

  • fwpolicy missing
  • route for the remote-subnets or wrong subnet (I see you have it listed)
  • no ike policy seems to indicate that you are not matching an ike-policy; I would triple check you have it bound to the right wan interface
  • also NAT-T might be involved, if the devices are behind a NAT'ing device

FWIW I found it funny that you strike out the rfc1918 details in your cfg but post the public address of the FGT60 with serial# ending in "7935" ;)

PCNSE NSE StrongSwan
technician

Weird, let me double check, but I'm sure there is a policy from:

LAN(SS-LOCAL-LAN) > WAN(SS-REMOTE-SW)

WAN(SS-REMOTE-SW) > LAN(SS-LOCAL-LAN)

Jeff

    technician

    Here is the screenshot of IPv4 policies

brycemd

The interface on the rules needs to be the tunnel itself, not 'WAN'. LAN stays the same though.

The same applies to any routes. Interface is the tunnel, not WAN.

And, disable NAT on the tunnel policies
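To make brycemd's three points checkable on a config export, here is an added Python example (not from the thread or from Fortinet) that parses FortiOS `show`-style output for `config firewall policy` and `config router static` and reports policies or routes bound to the WAN instead of the tunnel interface, plus NAT left enabled on a tunnel policy. The interface name `internal` for the 60D LAN, the 10.5.0.0/24 remote subnet and the policy numbers are assumptions standing in for the masked values in the thread; the "after" config is the "before" config with the interface moved to the tunnel and NAT disabled.

```python
import shlex
from typing import Dict, List

# Constructed FortiOS CLI fragments in `show` format (assumed names: "internal" = 60D LAN,
# 10.5.0.0/24 = the masked remote subnet). This is the mistaken state: policies and route on wan1.
CONFIG_BEFORE = """\
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "SS-LOCAL-FG"
        set dstaddr "SS-REMOTE-SW"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "SS-REMOTE-SW"
        set dstaddr "SS-LOCAL-FG"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
config router static
    edit 1
        set dst 10.5.0.0 255.255.255.0
        set device "wan1"
    next
end
"""

# The corrected state: same objects, interface changed to the tunnel, NAT off.
CONFIG_AFTER = CONFIG_BEFORE.replace('"wan1"', '"SS-VPN-SW"').replace("set nat enable", "set nat disable")

Config = Dict[str, Dict[str, Dict[str, List[str]]]]


def parse_fortios(text: str) -> Config:
    """Parse the flat `config X / edit N / set k v... / next / end` subset used by policies and routes.
    Result: tree[section][entry_id][key] -> list of values (quoted values are unquoted by shlex)."""
    tree: Config = {}
    section = ""
    entry = None
    for raw in text.splitlines():
        parts = shlex.split(raw)
        if not parts:
            continue
        kw, args = parts[0], parts[1:]
        if kw == "config":
            section = " ".join(args)
            tree.setdefault(section, {})
        elif kw == "edit" and section:
            entry = tree[section].setdefault(args[0], {})
        elif kw == "set" and entry is not None:
            entry[args[0]] = args[1:]
        elif kw == "next":
            entry = None
        elif kw == "end":
            section = ""
    return tree


def check_tunnel_bindings(cfg: Config, tunnel: str, lan: str) -> List[str]:
    """Report what brycemd lists: policies and route must name the tunnel interface, not the WAN,
    and tunnel policies must not NAT."""
    findings: List[str] = []
    policies = cfg.get("firewall policy", {})

    def has_accept(src: str, dst: str) -> bool:
        return any(p.get("srcintf") == [src] and p.get("dstintf") == [dst]
                   and p.get("action") == ["accept"] for p in policies.values())

    if not has_accept(lan, tunnel):
        findings.append(f"missing accept policy {lan} -> {tunnel} (traffic into the tunnel)")
    if not has_accept(tunnel, lan):
        findings.append(f"missing accept policy {tunnel} -> {lan} (traffic from the peer)")
    for pid, p in policies.items():
        if tunnel in p.get("srcintf", []) + p.get("dstintf", []) and p.get("nat") == ["enable"]:
            findings.append(f"policy {pid}: NAT enabled on a tunnel policy; disable it")
    routes = cfg.get("router static", {})
    if not any(r.get("device") == [tunnel] for r in routes.values()):
        findings.append(f"no static route uses device {tunnel}; the remote subnet is not routed into the tunnel")
    return findings


if __name__ == "__main__":
    for label, text in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, check_tunnel_bindings(parse_fortios(text), "SS-VPN-SW", "internal") or "ok")
```

Feed it the output of `show firewall policy` and `show router static` from the FortiGate; an empty result means the tunnel is referenced the way the replies describe, and any line it prints is one of the three things to change.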

technician

Yes, we are getting progress: after I changed the interface to the tunnel, the Sonicwall shows connected.

From Fortigate, I can't ping the local IP of the Sonicwall, though ping is ticked.

From Sonicwall, I can ping the local IP of FG.

Thanks

Jeff
