Hello,
I have tried every way to bring up a VPN tunnel between a FortiGate running 5.2.2 and pfSense. I receive an error before phase 1, with the message "ignoring ike request, no policy configured", but I have checked 100 times... everything is correct on both sides. This is the first time I have done a VPN to pfSense; I have other VPNs with Cisco and WatchGuard without problems. I then tried replacing pfSense with Sophos, but got the same result; I know that both use a VPN based on openswan.
Thanks
M.
Hello,
"ignoring ike request, no policy configured" usually suggests a firewall policy is missing for the virtual IPsec interface.
You might want to cross-check the firewall policies on the FortiGate; there should be the following two policies configured:
1> IPsec virtual interface -> Internal interface (where the network whose traffic is to be sent over the VPN is connected)
2> Internal interface -> IPsec virtual interface
This assumes the VPN is configured in interface mode.
Also don't forget about the policies on the pfSense side:
pfctl -s rule | grep ike
pfctl -s rule | grep esp
Make sure you correct the phase1-cfg as suggested before.
ken
PCNSE
NSE
StrongSwan
Hi Everyone!!
You have DPD enabled in your pfSense and disabled in your FortiGate; I bet that's why it is not working!
Try changing it, and leave both sides with the same config.
Let us know if it helps.
Bye!
Also disable "auto-negotiate enable" in IKE Phase 2 on the FortiGate side.
Hello,
thanks for your replies, I will try and come back to update you.
M.
Hello,
Solved. The problem is that I had not set a firewall rule on the FortiGate, I mean from the local to the remote network. I thought I could do that after the tunnel was up, only to let traffic flow.
Thanks to all for the help
M.
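As an added illustration of the two policies ken lists above and the missing local-to-remote rule that M. reports as the fix, here is what that pair of policies looks like in FortiOS 5.2 CLI for an interface-mode tunnel. This is example configuration written for this thread, not the original poster's config: the tunnel name "to-pfSense", the LAN port "internal" and the two subnets are assumptions, and the address objects keep the policies scoped to the two VPN networks instead of "all".

```fortios
# Added example, not from the thread. Assumed names: phase1-interface
# "to-pfSense", LAN port "internal", local LAN 10.10.0.0/24,
# pfSense-side LAN 10.20.0.0/24.
config firewall address
    edit "LAN-local"
        set subnet 10.10.0.0 255.255.255.0
    next
    edit "LAN-pfsense"
        set subnet 10.20.0.0 255.255.255.0
    next
end

config firewall policy
    # 1) Internal interface -> IPsec virtual interface (local to remote).
    #    This is the policy whose absence produced "no policy configured".
    edit 0
        set srcintf "internal"
        set dstintf "to-pfSense"
        set srcaddr "LAN-local"
        set dstaddr "LAN-pfsense"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments "LAN to pfSense site over IPsec"
    next
    # 2) IPsec virtual interface -> Internal interface (remote to local).
    edit 0
        set srcintf "to-pfSense"
        set dstintf "internal"
        set srcaddr "LAN-pfsense"
        set dstaddr "LAN-local"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments "pfSense site to LAN over IPsec"
    next
end
```

Once both policies exist, `diagnose vpn tunnel list` should show the phase 1 and phase 2 SAs after interesting traffic is sent, and `diagnose debug application ike -1` (with `diagnose debug enable`) no longer reports the "no policy configured" line for the peer. Keeping `logtraffic all` on both policies gives the traffic log entries needed to confirm which direction is actually passing traffic.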
FWIW
auto-negotiate enable will not keep a VPN tunnel from coming up. It actually helps with automatic tunnel setup when interesting traffic is to be encrypted.
For DPD, yes, pfSense uses Cisco DPD in the initial contact, but that also will not keep a tunnel from coming up. Typically, if they follow Cisco DPD, which I think they do, the side that starts the conversation and has DPD enabled will attempt to send DPD only if the peer accepts and sends R-U-THERE-ACKs.
Once again, I don't think that's an issue at this point, since his phase 1 errors out, so there are no acceptable policies.
PCNSE
NSE
StrongSwan