mle2802
Staff
Article Id 293044
Description

This article describes the reasons why an IPsec tunnel does not show as 'up' and instead receives the IKE error 'no policy configured'.

Scope
FortiGate.
Solution

When running the IKE debug for IPsec VPN, the following error can appear:

ike 0: comes 2.2.2.2:500->1.1.1.1:500,ifindex=12....
ike 0: IKEv2 exchange=SA_INIT id=16c8b2b2cc27e688/0000000000000000 len=412
ike 0:16c8b2b2cc27e688/0000000000000000:70668: responder received SA_INIT msg
ike 0:16c8b2b2cc27e688/0000000000000000:70668: received notify type FRAGMENTATION_SUPPORTED
ike 0:16c8b2b2cc27e688/0000000000000000:70668: incoming proposal:
ike 0:16c8b2b2cc27e688/0000000000000000:70668: proposal id = 1:
ike 0:16c8b2b2cc27e688/0000000000000000:70668:   protocol = IKEv2:
ike 0:16c8b2b2cc27e688/0000000000000000:70668:      encapsulation = IKEv2/none
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=ENCR, val=AES_CBC (key_len = 128)
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=PRF, val=PRF_HMAC_SHA2_256
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=DH_GROUP, val=ECP521.
ike 0:16c8b2b2cc27e688/0000000000000000:70668: proposal id = 2:
ike 0:16c8b2b2cc27e688/0000000000000000:70668:   protocol = IKEv2:
ike 0:16c8b2b2cc27e688/0000000000000000:70668:      encapsulation = IKEv2/none
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=ENCR, val=AES_CBC (key_len = 256)
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=PRF, val=PRF_HMAC_SHA2_256
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=DH_GROUP, val=ECP521.
ike 0:16c8b2b2cc27e688/0000000000000000:70668: proposal id = 3:
ike 0:16c8b2b2cc27e688/0000000000000000:70668:   protocol = IKEv2:
ike 0:16c8b2b2cc27e688/0000000000000000:70668:      encapsulation = IKEv2/none
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=ENCR, val=AES_GCM_16 (key_len = 128)
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=PRF, val=PRF_HMAC_SHA2_256
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=DH_GROUP, val=ECP521.
ike 0:16c8b2b2cc27e688/0000000000000000:70668: proposal id = 4:
ike 0:16c8b2b2cc27e688/0000000000000000:70668:   protocol = IKEv2:
ike 0:16c8b2b2cc27e688/0000000000000000:70668:      encapsulation = IKEv2/none
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=ENCR, val=AES_GCM_16 (key_len = 256)
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=PRF, val=PRF_HMAC_SHA2_384
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=DH_GROUP, val=ECP521.
ike 0:16c8b2b2cc27e688/0000000000000000:70668: proposal id = 5:
ike 0:16c8b2b2cc27e688/0000000000000000:70668:   protocol = IKEv2:
ike 0:16c8b2b2cc27e688/0000000000000000:70668:      encapsulation = IKEv2/none
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=ENCR, val=CHACHA20_POLY1305 (key_len = 256)
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=PRF, val=PRF_HMAC_SHA2_256
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=DH_GROUP, val=ECP521.
ike 0:MY_VPN: ignoring IKEv2 request, no policy configured
ike 0:16c8b2b2cc27e688/0000000000000000:70668: negotiation failure ike Negotiate SA Error: ike ike  [10217]

As stated in the debug, the firewall policy is missing: the IKE daemon ignores the IKEv2 request for the phase1 'MY_VPN' because no firewall policy references its tunnel interface. To solve this issue, create a firewall policy that uses the tunnel interface as its source or destination interface.

However, in some cases, such as VXLAN over IPsec, no policy with the tunnel interface as source or destination is otherwise needed. There, a policy from the tunnel interface to itself can be created as a workaround. A firewall policy also needs a schedule and a service before it can be committed, so both are included here:

config firewall policy
    edit 1
        set srcintf "tunnel_interface"
        set dstintf "tunnel_interface"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end

After that, run the IKE debug again and check that the tunnel comes up.
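As an added example, not part of the original article, the following script walks an IKE debug capture in the format shown above, flags the 'no policy configured' rejection together with the peer and phase1 name it belongs to, and renders the tunnel-to-tunnel workaround policy for that phase1. It assumes the tunnel interface carries the phase1 name (the FortiGate default) and uses a constructed excerpt of the debug output as input.

```python
import re
# Constructed excerpt modelled on the IKE debug above, not a live capture.
SAMPLE_DEBUG = """\
ike 0: comes 2.2.2.2:500->1.1.1.1:500,ifindex=12....
ike 0: IKEv2 exchange=SA_INIT id=16c8b2b2cc27e688/0000000000000000 len=412
ike 0:16c8b2b2cc27e688/0000000000000000:70668: responder received SA_INIT msg
ike 0:16c8b2b2cc27e688/0000000000000000:70668: proposal id = 1:
ike 0:MY_VPN: ignoring IKEv2 request, no policy configured
ike 0:16c8b2b2cc27e688/0000000000000000:70668: negotiation failure ike Negotiate SA Error: ike ike  [10217]
"""

PEER_RE = re.compile(r"comes (?P<peer>[\d.]+):\d+->(?P<local>[\d.]+):\d+")
EXCH_RE = re.compile(r"exchange=(?P<exch>\w+) id=(?P<ispi>[0-9a-f]{16})/")
NO_POLICY_RE = re.compile(r"^ike \d+:(?P<vpn>[^:]+): ignoring IKEv2 request, no policy configured")


def analyze_ike_debug(text):
    """Walk the debug once: who connected, which exchange, and whether a phase1
    was rejected for lack of a firewall policy (the case this article covers)."""
    summary = {"peer": None, "local": None, "exchange": None, "initiator_spi": None,
               "no_policy_vpn": None, "negotiation_failed": False}
    for line in text.splitlines():
        if m := PEER_RE.search(line):
            summary["peer"], summary["local"] = m["peer"], m["local"]
        elif m := EXCH_RE.search(line):
            summary["exchange"], summary["initiator_spi"] = m["exch"], m["ispi"]
        elif m := NO_POLICY_RE.match(line):
            summary["no_policy_vpn"] = m["vpn"]  # assumption: tunnel interface = phase1 name
        elif "negotiation failure" in line:
            summary["negotiation_failed"] = True
    return summary


def workaround_policy(vpn_name, policy_id):
    """Render the tunnel-to-tunnel policy from the article for the phase1 named in
    the debug; schedule and service are the minimum FortiOS needs to commit it."""
    return "\n".join([
        "config firewall policy",
        f"    edit {policy_id}",
        f'        set srcintf "{vpn_name}"',
        f'        set dstintf "{vpn_name}"',
        '        set srcaddr "all"',
        '        set dstaddr "all"',
        '        set schedule "always"',
        '        set service "ALL"',
        "    next",
        "end",
    ])
```

Feed the full output of 'diagnose debug application ike -1' to analyze_ike_debug and, when no_policy_vpn is set, paste the rendered policy into the CLI to apply the workaround.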

Related article:
Technical Tip: VXLAN over IPsec for multiple VLANs using software switch.