- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
- Fortinet Community
- Knowledge Base
- FortiGate
- Technical Note: Phase 1 negotiation failure when V...
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Description
Solution
When the FortiGate is configured to terminate IPsec VPN tunnel on a secondary IP, the local-gw must be configured in the IKE phase 1. Otherwise it will result in a phase 1 negotiation failure. Debug IKE (level -1) will report “no SA proposal chosen” even if all the proposals are properly configured :
2015-08-27 14:59:43 ike 0: IKEv1 Aggressive, comes 172.31.18.191:500->172.31.192.205 36, peer-id=LAB
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: my proposal, gw Dialup_P1:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: proposal id = 1:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: protocol id = ISAKMP:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: trans_id = KEY_IKE.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: encapsulation = IKE/none
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=OAKLEY_HASH_ALG, val=SHA.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=AUTH_METHOD, val=PRESHARED_KEY.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=OAKLEY_GROUP, val=1536.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: ISAKMP SA lifetime=28800
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: proposal id = 1:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: protocol id = ISAKMP:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: trans_id = KEY_IKE.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: encapsulation = IKE/none
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=OAKLEY_HASH_ALG, val=SHA.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=AUTH_METHOD, val=PRESHARED_KEY.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=OAKLEY_GROUP, val=1536.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: ISAKMP SA lifetime=28800
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: incoming proposal:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: proposal id = 0:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: protocol id = ISAKMP:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: trans_id = KEY_IKE.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: encapsulation = IKE/none
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=OAKLEY_HASH_ALG, val=SHA.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=AUTH_METHOD, val=PRESHARED_KEY.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=OAKLEY_GROUP, val=1536.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: ISAKMP SA lifetime=28800
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: proposal id = 0:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: protocol id = ISAKMP:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: trans_id = KEY_IKE.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: encapsulation = IKE/none
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=OAKLEY_HASH_ALG, val=SHA.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=AUTH_METHOD, val=PRESHARED_KEY.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=OAKLEY_GROUP, val=1536.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: ISAKMP SA lifetime=28800
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: negotiation failure
2015-08-27 14:59:43 ike Negotiate ISAKMP SA Error: 2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: no SA proposal chosen
2015-08-27 14:59:43 ike 0: IKEv1 Aggressive, comes 172.31.18.191:500->172.31.192.205 36, peer-id=LAB
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: my proposal, gw Dialup_P1:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: proposal id = 1:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: protocol id = ISAKMP:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: trans_id = KEY_IKE.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: encapsulation = IKE/none
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=OAKLEY_HASH_ALG, val=SHA.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=AUTH_METHOD, val=PRESHARED_KEY.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=OAKLEY_GROUP, val=1536.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: ISAKMP SA lifetime=28800
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: proposal id = 1:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: protocol id = ISAKMP:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: trans_id = KEY_IKE.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: encapsulation = IKE/none
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=OAKLEY_HASH_ALG, val=SHA.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=AUTH_METHOD, val=PRESHARED_KEY.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=OAKLEY_GROUP, val=1536.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: ISAKMP SA lifetime=28800
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: incoming proposal:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: proposal id = 0:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: protocol id = ISAKMP:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: trans_id = KEY_IKE.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: encapsulation = IKE/none
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=OAKLEY_HASH_ALG, val=SHA.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=AUTH_METHOD, val=PRESHARED_KEY.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=OAKLEY_GROUP, val=1536.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: ISAKMP SA lifetime=28800
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: proposal id = 0:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: protocol id = ISAKMP:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: trans_id = KEY_IKE.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: encapsulation = IKE/none
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=OAKLEY_HASH_ALG, val=SHA.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=AUTH_METHOD, val=PRESHARED_KEY.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=OAKLEY_GROUP, val=1536.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: ISAKMP SA lifetime=28800
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: negotiation failure
2015-08-27 14:59:43 ike Negotiate ISAKMP SA Error: 2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: no SA proposal chosen
Solution
The interface bound to IKE is configured as follows, IPsec VPN is terminated on the secondary IP 172.31.192.205.
IPsec phase 1 must be configured as follows (dialup phase 1 configuration in this example).
FGT1KC # sh sys inter wan1
config system interface
edit "wan1"
set vdom "root"
set ip 1.2.3.4 255.255.255.0
set allowaccess ping
set snmp-index 31
set secondary-IP enable
config secondaryip
edit 1
set ip 172.31.192.205 255.255.252.0
set allowaccess ping https ssh http telnet
next
end
next
end
IPsec phase 1 must be configured as follows (dialup phase 1 configuration in this example).
config vpn ipsec phase1-interface
edit "Dialup_P1"
set type dynamic
set interface "wan1"
set local-gw 172.31.192.205
set mode aggressive
set peertype one
set proposal 3des-sha1 aes128-sha1
set peerid "LAB"
set psksecret ENC bWFpbgoVxDP89ru9ni9Ob9ulxYyFlnSrp3I7RRf9caGri/nTK/MhIV5J2MZ7c6+iH3lyXakWgFTaBapVCq+Vtoss3JTdzc4PtBw77AniaifJQzoBtG95vA3EXKHa0m/NfP6fIN9qIJ9axjzuxWYEifeilbXrx506pJhCY/1EdcFMHQRnXvF4vHzEXx3gD1MEskeNZg==
next
end
Labels:
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.