Description

When the FortiGate is configured to terminate an IPsec VPN tunnel on a secondary IP, local-gw must be set in the IKE phase 1 configuration. Otherwise phase 1 negotiation fails, and Debug IKE (level -1) reports "no SA proposal chosen" even though the proposals on both sides match, as in the following output:
2015-08-27 14:59:43 ike 0: IKEv1 Aggressive, comes 172.31.18.191:500->172.31.192.205 36, peer-id=LAB
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: my proposal, gw Dialup_P1:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: proposal id = 1:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: protocol id = ISAKMP:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: trans_id = KEY_IKE.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: encapsulation = IKE/none
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=OAKLEY_HASH_ALG, val=SHA.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=AUTH_METHOD, val=PRESHARED_KEY.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=OAKLEY_GROUP, val=1536.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: ISAKMP SA lifetime=28800
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: proposal id = 1:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: protocol id = ISAKMP:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: trans_id = KEY_IKE.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: encapsulation = IKE/none
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=OAKLEY_HASH_ALG, val=SHA.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=AUTH_METHOD, val=PRESHARED_KEY.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=OAKLEY_GROUP, val=1536.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: ISAKMP SA lifetime=28800
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: incoming proposal:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: proposal id = 0:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: protocol id = ISAKMP:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: trans_id = KEY_IKE.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: encapsulation = IKE/none
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=OAKLEY_HASH_ALG, val=SHA.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=AUTH_METHOD, val=PRESHARED_KEY.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=OAKLEY_GROUP, val=1536.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: ISAKMP SA lifetime=28800
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: proposal id = 0:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: protocol id = ISAKMP:
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: trans_id = KEY_IKE.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: encapsulation = IKE/none
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=OAKLEY_HASH_ALG, val=SHA.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=AUTH_METHOD, val=PRESHARED_KEY.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: type=OAKLEY_GROUP, val=1536.
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: ISAKMP SA lifetime=28800
2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: negotiation failure
2015-08-27 14:59:43 ike Negotiate ISAKMP SA Error: 2015-08-27 14:59:43 ike 0:169c956278af2a9a/0000000000000000:84: no SA proposal chosen
Solution

The interface bound to IKE is configured as follows; the IPsec VPN is terminated on the secondary IP 172.31.192.205.
FGT1KC # sh sys inter wan1
config system interface
edit "wan1"
set vdom "root"
set ip 1.2.3.4 255.255.255.0
set allowaccess ping
set snmp-index 31
set secondary-IP enable
config secondaryip
edit 1
set ip 172.31.192.205 255.255.252.0
set allowaccess ping https ssh http telnet
next
end
next
end
IPsec phase 1 must be configured as follows (a dialup phase 1 configuration in this example); the essential setting is local-gw, which binds IKE to the secondary IP 172.31.192.205 instead of the interface's primary address.
config vpn ipsec phase1-interface
edit "Dialup_P1"
set type dynamic
set interface "wan1"
set local-gw 172.31.192.205
set mode aggressive
set peertype one
set proposal 3des-sha1 aes128-sha1
set peerid "LAB"
set psksecret ENC bWFpbgoVxDP89ru9ni9Ob9ulxYyFlnSrp3I7RRf9caGri/nTK/MhIV5J2MZ7c6+iH3lyXakWgFTaBapVCq+Vtoss3JTdzc4PtBw77AniaifJQzoBtG95vA3EXKHa0m/NfP6fIN9qIJ9axjzuxWYEifeilbXrx506pJhCY/1EdcFMHQRnXvF4vHzEXx3gD1MEskeNZg==
next
end
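As an added check (not part of the article, and not a FortiOS feature): a small Python script that parses FortiOS CLI configuration text like the blocks above and flags any phase1-interface entry that is bound to an interface holding secondary IPs without a local-gw, or whose local-gw is not an address the interface owns. SAMPLE_CONFIG is constructed from the article's config; the second tunnel "Dialup_P1_nogw" is hypothetical.

```python
import shlex
# Constructed sample modelled on the article's config; "Dialup_P1_nogw" is a hypothetical tunnel missing local-gw.
SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set ip 1.2.3.4 255.255.255.0
        config secondaryip
            edit 1
                set ip 172.31.192.205 255.255.252.0
            next
        end
    next
end
config vpn ipsec phase1-interface
    edit "Dialup_P1"
        set interface "wan1"
        set local-gw 172.31.192.205
    next
    edit "Dialup_P1_nogw"
        set interface "wan1"
    next
end
"""

def parse_fortios(text):
    """Parse FortiOS CLI into nested dicts: table -> entry -> {key: values, subtable: {...}}."""
    stack = [{}]                                   # stack[-1] is the scope being filled
    for tok in map(shlex.split, text.splitlines()):
        if tok and tok[0] in ("config", "edit"):   # open a table or an entry
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok and tok[0] in ("next", "end"):    # close the innermost scope
            stack.pop()
        elif tok and tok[0] == "set":
            stack[-1][tok[1]] = tok[2:]
    return stack[0]

def interface_addresses(cfg):
    """Every IP an interface owns: its primary 'set ip' plus each 'config secondaryip' entry."""
    return {name: {e["ip"][0] for e in [intf, *intf.get("secondaryip", {}).values()] if "ip" in e}
            for name, intf in cfg.get("system interface", {}).items()}

def check_phase1_local_gw(cfg):
    """Flag phase1-interface entries whose IKE source address is ambiguous or not owned."""
    addrs, findings = interface_addresses(cfg), {}
    for name, p1 in cfg.get("vpn ipsec phase1-interface", {}).items():
        intf, gw = p1.get("interface", [None])[0], p1.get("local-gw", [None])[0]
        if gw is None and len(addrs.get(intf, ())) > 1:
            findings[name] = f"{intf} has secondary IPs but local-gw is unset; set it to the terminating IP"
        elif gw is not None and gw not in addrs.get(intf, ()):
            findings[name] = f"local-gw {gw} is not an address of {intf}"
    return findings
```

Run it against the output of `show system interface` and `show vpn ipsec phase1-interface` concatenated into one file; an empty result means every tunnel has an unambiguous, interface-owned IKE source address.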