- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- IPSec Tunnel Doesn't Work with Dynamic DNS
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IPSec Tunnel Doesn't Work with Dynamic DNS
Hi
I'm using a Teltonika RUT240 in passthrough mode to add 4G to a Fortigate 60E running 7.0.12. It seems to work well enough, and the Forti interface connected to the Teltonika gets its public IP. The idea is to create a second IPsec tunnel on the 4G interface and aggregate it with the main IPsec tunnel on the main WAN interface for redundancy.
I can only get a tunnel up on the 4G interface if I set the 200e at the other end to expect dial-up. If I try it using the dynamic DNS FQDN of the 60E, I get "no SA proposal chosen" and it fails.
It appears you can't add a dial-up IPSec tunnel to an aggregate - set type dynamic and set aggregate enable appear to be mutually exclusive - so I want to get it working using dynamic DNS.
Does anyone have any idea why IPSec is failing when I try to use dynamic DNS at the 200E end?
Error reads "ike Negotiate ISAKMP SA Error: ike 0:b822f87e5d0c811d/0000000000000000:17474: no SA proposal chosen"
Solved! Go to Solution.
Labels:
- Labels:
-
FortiGate
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I got it working by changing the APN on the 4G device. This bypasses the CGNAT. I asked in a local forum for the 4G provider, and someone knew the correct APN name to use.
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @hillsitsupp,
Does the dynamic DNS resolve to the correct IP address? We need to run ike debugs on both sides to find the root cause. Please refer to https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPsec-VPNs-tunnels/ta-p/195955
No proposal chosen usually means there is a configuration mismatch.
Regards,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It turns out the DDNS address isn't the address the other Forti sees the tunnel originating from.
There must be some NAT happening downstream of the 4G interface :(
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @hillsitsupp ,
It's likely that some form of NAT is taking place downstream of your 4G interface. This could be happening at the Teltonika RUT240, or it could be done by the 4G service provider itself. Make sure the Teltonika RUT240 is in passthrough mode, as you mentioned, to ensure it's not performing NAT. Check if there are any settings related to NAT or firewall that could be affecting the traffic. Enable NAT traversal (NAT-T) on both ends of the IPSec tunnel. This is designed to help VPN traffic traverse NAT devices.If your 4G service provider offers the option, consider using a static public IP address for your 4G connection. This would make the VPN configuration simpler and more reliable.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I got it working by changing the APN on the 4G device. This bypasses the CGNAT. I asked in a local forum for the 4G provider, and someone knew the correct APN name to use.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there,
I believe the issue is with DNS cache on the 200E. As the IP is changed and 200E still have the DNS cache to an old one, the SA is not matching. In dialup, 200E will always responder and does not expect any IP from the other peer as long as the other site initiated the negotiation, the tunnel will be up.
Regards,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I also had issues with ipsec and ddns. In my case the problem is that the other side does nothave a static public ip so I have to use ddns. DDNS itself works fine on my FGT and resolves correctly. However even though the IPSec goes down once the other side's public ip changes the first time because the DDNS does update but the IPSec stack does not and I still see an old ip listed as remote gw on that tunnel.
Due to that I changed to dial up because that only needs a remote gw on the side that is dialling in but not on the side it is dialling into. That worked.
However using dial up I ran into yet annother issue with sd-wan vpn and routing and dial up tunnels...
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @hillsitsupp
The "no SA proposal chosen" error typically indicates a mismatch in the security settings between the two ends of the IPSec tunnel. However, your situation is a bit more complex due to the use of Dynamic DNS and the desire to aggregate tunnels. Double-check that the Phase 1 and Phase 2 settings match exactly on both ends of the tunnel. This includes encryption algorithms, hash algorithms, DH groups, and lifetime settings. Ensure that the Dynamic DNS is correctly configured and updated on the FortiGate 60E. Verify that the FQDN resolves to the correct IP address. Make sure that the FortiGate 200E is configured to use the FQDN and not an IP address for the remote gateway. If NAT is involved (which is likely, given the 4G interface), ensure that NAT traversal is enabled on both ends. Dial-up and static tunnels have different behaviors. Dial-up is generally used when you have a dynamic IP address, but it may not support all the features you need (like aggregation). The command diag debug application ike -1 can provide detailed information about the IKE negotiation process. Ensure that the Teltonika device is not altering the IPSec packets in a way that causes the FortiGate to reject them. Check logs on both ends for any additional clues as to why the SA proposal is not being accepted.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It was the 4G provider using some carrier grade NAT. I managed to get it working by changing the APN on the 4G device, which bypasses the NAT.
Thanks for taking a look at it.
Related Posts
- SD-WAN IPSec Main Backup tunnels with... 145 Views
- FortiGate GRE Tunnel with Dynamically obtain... 117 Views
- FortiOS 7.2.4 IPSec split-tunnel breaks local... 272 Views
- Dial-up IPsec tunnels with same source... 717 Views
- FGSP Dynamic Tunnel VPN in SD-WAN 215 Views
Labels
-
FortiGate
6,532 -
FortiClient
1,304 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
Firewall policy
23 -
FortiConnect
23 -
FortiWAN
22 -
FortiConverter
21 -
VLAN
20 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.