Description
This article describes why an IPsec tunnel does not come up and the IKE debug instead reports the error 'no policy configured'.

Scope
FortiGate.

Solution
When running the IKE debug for IPsec VPN, the following error can appear:
ike 0: comes 2.2.2.2:500->1.1.1.1:500,ifindex=12....
ike 0: IKEv2 exchange=SA_INIT id=16c8b2b2cc27e688/0000000000000000 len=412
ike 0:16c8b2b2cc27e688/0000000000000000:70668: responder received SA_INIT msg
ike 0:16c8b2b2cc27e688/0000000000000000:70668: received notify type FRAGMENTATION_SUPPORTED
ike 0:16c8b2b2cc27e688/0000000000000000:70668: incoming proposal:
ike 0:16c8b2b2cc27e688/0000000000000000:70668: proposal id = 1:
ike 0:16c8b2b2cc27e688/0000000000000000:70668: protocol = IKEv2:
ike 0:16c8b2b2cc27e688/0000000000000000:70668: encapsulation = IKEv2/none
ike 0:16c8b2b2cc27e688/0000000000000000:70668: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:16c8b2b2cc27e688/0000000000000000:70668: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:16c8b2b2cc27e688/0000000000000000:70668: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:16c8b2b2cc27e688/0000000000000000:70668: type=DH_GROUP, val=ECP521.
ike 0:16c8b2b2cc27e688/0000000000000000:70668: proposal id = 2:
ike 0:16c8b2b2cc27e688/0000000000000000:70668: protocol = IKEv2:
ike 0:16c8b2b2cc27e688/0000000000000000:70668: encapsulation = IKEv2/none
ike 0:16c8b2b2cc27e688/0000000000000000:70668: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:16c8b2b2cc27e688/0000000000000000:70668: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:16c8b2b2cc27e688/0000000000000000:70668: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:16c8b2b2cc27e688/0000000000000000:70668: type=DH_GROUP, val=ECP521.
ike 0:16c8b2b2cc27e688/0000000000000000:70668: proposal id = 3:
ike 0:16c8b2b2cc27e688/0000000000000000:70668: protocol = IKEv2:
ike 0:16c8b2b2cc27e688/0000000000000000:70668: encapsulation = IKEv2/none
ike 0:16c8b2b2cc27e688/0000000000000000:70668: type=ENCR, val=AES_GCM_16 (key_len = 128)
ike 0:16c8b2b2cc27e688/0000000000000000:70668: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:16c8b2b2cc27e688/0000000000000000:70668: type=DH_GROUP, val=ECP521.
ike 0:16c8b2b2cc27e688/0000000000000000:70668: proposal id = 4:
ike 0:16c8b2b2cc27e688/0000000000000000:70668: protocol = IKEv2:
ike 0:16c8b2b2cc27e688/0000000000000000:70668: encapsulation = IKEv2/none
ike 0:16c8b2b2cc27e688/0000000000000000:70668: type=ENCR, val=AES_GCM_16 (key_len = 256)
ike 0:16c8b2b2cc27e688/0000000000000000:70668: type=PRF, val=PRF_HMAC_SHA2_384
ike 0:16c8b2b2cc27e688/0000000000000000:70668: type=DH_GROUP, val=ECP521.
ike 0:16c8b2b2cc27e688/0000000000000000:70668: proposal id = 5:
ike 0:16c8b2b2cc27e688/0000000000000000:70668: protocol = IKEv2:
ike 0:16c8b2b2cc27e688/0000000000000000:70668: encapsulation = IKEv2/none
ike 0:16c8b2b2cc27e688/0000000000000000:70668: type=ENCR, val=CHACHA20_POLY1305 (key_len = 256)
ike 0:16c8b2b2cc27e688/0000000000000000:70668: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:16c8b2b2cc27e688/0000000000000000:70668: type=DH_GROUP, val=ECP521.
ike 0:MY_VPN: ignoring IKEv2 request, no policy configured
ike 0:16c8b2b2cc27e688/0000000000000000:70668: negotiation failure
ike Negotiate SA Error: ike ike [10217]
As the debug states, the firewall policy is missing: no firewall policy references the tunnel interface (MY_VPN in the output above), so the FortiGate ignores the IKEv2 request instead of negotiating. To solve this, create a firewall policy that uses the tunnel interface as its source or destination interface.

However, in some cases a policy with the tunnel interface as source or destination is not otherwise required, such as VXLAN over IPsec. As a workaround, create a policy from the tunnel interface to the tunnel interface. The article gives only the interface and address settings; the edit/next/end wrapper and the schedule and service lines below are the usual values needed for a valid FortiOS policy entry, and the policy action should be set according to your design:

config firewall policy
    edit 0
        set srcintf "tunnel_interface"
        set dstintf "tunnel_interface"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end

After that, run the IKE debug again and check whether the tunnel comes up.
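As an added example (not Fortinet's code), the following Python script reads the IKE debug output quoted above and reports which tunnel was rejected with 'no policy configured', which peer initiated the exchange, and which proposals it offered, so that the root cause can be spotted quickly in a long debug capture. The sample lines are a trimmed, constructed copy of the debug shown in this article; the regular expressions and the Finding structure are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
# Patterns for the 'diagnose debug application ike' lines quoted in this article.
RE_COMES = re.compile(r"ike \d+: comes (\S+?):(\d+)->(\S+?):(\d+),")
RE_PROPOSAL = re.compile(r"proposal id = (\d+):")
RE_TRANSFORM = re.compile(r"type=(\w+), val=([A-Z0-9_]+)(?: \(key_len = (\d+)\))?")
RE_NO_POLICY = re.compile(r"ike \d+:(?P<tunnel>[^:]+): ignoring IKEv2 request, no policy configured")

@dataclass
class Finding:
    tunnel: str          # phase1/tunnel name from the 'ignoring' line (MY_VPN above)
    peer: str            # initiator address:port from the 'comes' line
    proposals: dict = field(default_factory=dict)  # proposal id -> list of transforms
    negotiation_failed: bool = False

def analyze_ike_debug(text: str):
    """Return a Finding if the debug shows 'no policy configured', else None."""
    peer, current, finding = None, None, None
    proposals = {}
    for line in text.splitlines():
        if m := RE_COMES.search(line):
            peer = f"{m.group(1)}:{m.group(2)}"
        elif m := RE_PROPOSAL.search(line):
            current = int(m.group(1))
            proposals[current] = []
        elif (m := RE_TRANSFORM.search(line)) and current is not None:
            kind, alg, klen = m.groups()
            proposals[current].append(f"{kind}={alg}" + (f"/{klen}" if klen else ""))
        elif m := RE_NO_POLICY.search(line):
            finding = Finding(m.group("tunnel"), peer or "unknown", dict(proposals))
        elif finding and "negotiation failure" in line:
            finding.negotiation_failed = True
    return finding

# Constructed sample: a trimmed copy of the debug output quoted in this article.
SAMPLE = """\
ike 0: comes 2.2.2.2:500->1.1.1.1:500,ifindex=12....
ike 0:16c8b2b2cc27e688/0000000000000000:70668: proposal id = 1:
ike 0:16c8b2b2cc27e688/0000000000000000:70668: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:16c8b2b2cc27e688/0000000000000000:70668: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:16c8b2b2cc27e688/0000000000000000:70668: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:16c8b2b2cc27e688/0000000000000000:70668: type=DH_GROUP, val=ECP521.
ike 0:MY_VPN: ignoring IKEv2 request, no policy configured
ike 0:16c8b2b2cc27e688/0000000000000000:70668: negotiation failure
"""

if __name__ == "__main__":
    f = analyze_ike_debug(SAMPLE)
    print(f"{f.tunnel}: request from {f.peer} dropped, no policy references the tunnel interface")
```

Feed it the full capture from the device instead of SAMPLE to get the same summary for a real session.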
Copyright 2024 Fortinet, Inc. All Rights Reserved.