Support Forum
hugo-spie
New Contributor

IPsec tunnel error: no SA proposal chosen

Hi,

I am trying to set up a site-to-site VPN between two FortiGates in my lab, but I get this error on both sides:

ike Negotiate ISAKMP SA Error: ike 0:ffd4573d1a2ff133/0000000000000000:220: no SA proposal chosen


Command output:

Hub # show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
edit "VPN-to-spoke"
set interface "port2"
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set comments "VPN: VPN-to-spoke (Created by VPN wizard)"
set wizard-type static-fortigate
set remote-gw Spoke_IP
set psksecret ENC pkX9mSvmif/AZCPktG9xlCHmSNyAmQ2L3IigVETGNrOEVgH1t22s1u6cEl2aLk+V/WMJn7Qnm246 TgPqCL6nchuxAdm0bbBpKQvAODxUp72Vfror9YyanMzw2iwhFEIG2KABhJnUGGgkIWql3lxk0SUmefRrVdRahgC2HLiGJ0+TaqhF3U sjhCTKE5K6zP4ACd1yCQ==
next
end

Hub # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
edit "VPN-to-spoke"
set phase1name "VPN-to-spoke"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set comments "VPN: VPN-to-spoke (Created by VPN wizard)"
set src-addr-type name
set dst-addr-type name
set src-name "VPN-to-spoke_local"
set dst-name "VPN-to-spoke_remote"
next
end


Spoke # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
edit "VPN-to-hub"
set phase1name "VPN-to-hub"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set comments "VPN: VPN-to-hub (Created by VPN wizard)"
set src-addr-type name
set dst-addr-type name
set src-name "VPN-to-hub_local"
set dst-name "VPN-to-hub_remote"
next
end

Spoke # show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
edit "VPN-to-hub"
set interface "port2"
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set comments "VPN: VPN-to-hub (Created by VPN wizard)"
set wizard-type static-fortigate
set remote-gw Hub_IP
set psksecret ENC kEfDI1zLYsPFkFz9bysnnV0332UzuFtMFjLdcv2BRD9F9tm6zF7Ipe5LaEukmtEY0Gc duvY5pP86mlEQfHi3Bl0y5N6QPXWQ5IwlPnc2f+CAy4q3nNF5vRZlKrxKk0OU2JCmWxC7TiNIJG2Hxczn4YvtnuFiYe6p ay5y/kcM7Myp2ZoW0aXU1CYIlfB5MBiyxMwinw==
next
end


The proposals are the same. I can ping the Spoke from the Hub and the Hub from the Spoke, so I don't know what the problem is. If someone could help me, I would be thankful.

It's the first time I have used a FortiGate, so maybe I missed something.


Hugo

6 REPLIES
funkylicious
SuperUser

Are you using trial VM FortiGates?

geek
hugo-spie

Yes, I use 60-day temporary licences from Fortinet. Is it a problem?

ozkanaltas
Contributor III

Hello @hugo-spie,


Do you have a valid license on both sides? If you use an eval license, you need to create the VPN with lower encryption keys, because the eval license doesn't support all encryption algorithms.


Can you share these command outputs with us?


diagnose debug application ike -1
diagnose debug enable


Also, can you try to configure a custom IPsec VPN instead of using the VPN wizard?


If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
hugo-spie

Yes, I use 60-day temporary licences from Fortinet. Do you have a link to the documentation about creating a VPN with lower encryption keys, please?


Spoke # ike 0: comes 2.2.2.25:500->99.99.99.254:500,ifindex=4,vrf=0....
ike 0: IKEv1 exchange=Identity Protection id=fd920908b9fe5f5f/0000000000000000 len=632 vrf=0
ike 0: in [packet hex dump omitted]
ike 0:fd920908b9fe5f5f/0000000000000000:1291: responder: main mode get 1st message...
ike 0:fd920908b9fe5f5f/0000000000000000:1291: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:fd920908b9fe5f5f/0000000000000000:1291: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:fd920908b9fe5f5f/0000000000000000:1291: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
ike 0:fd920908b9fe5f5f/0000000000000000:1291: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:fd920908b9fe5f5f/0000000000000000:1291: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
ike 0:fd920908b9fe5f5f/0000000000000000:1291: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:fd920908b9fe5f5f/0000000000000000:1291: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:fd920908b9fe5f5f/0000000000000000:1291: VID Fortinet Auto-Discovery Sender 9B15E65A871AFF342666623BA5022E60
ike 0:fd920908b9fe5f5f/0000000000000000:1291: VID Fortinet Auto-Discovery Receiver CA4A4CBB12EAB6C58C57067C2E653786
ike 0:fd920908b9fe5f5f/0000000000000000:1291: VID Fortinet Exchange Interface IP A58FEC5036F57B21E8B499E336C76EE6
ike 0:fd920908b9fe5f5f/0000000000000000:1291: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike 0:fd920908b9fe5f5f/0000000000000000:1291: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:fd920908b9fe5f5f/0000000000000000:1291: VID FORTIGATE 8299031757A36082C6A621DE00000000
ike 0:fd920908b9fe5f5f/0000000000000000:1291: incoming proposal:
ike 0:fd920908b9fe5f5f/0000000000000000:1291: proposal id = 0:
ike 0:fd920908b9fe5f5f/0000000000000000:1291: protocol id = ISAKMP:
ike 0:fd920908b9fe5f5f/0000000000000000:1291: trans_id = KEY_IKE.
ike 0:fd920908b9fe5f5f/0000000000000000:1291: encapsulation = IKE/none
ike 0:fd920908b9fe5f5f/0000000000000000:1291: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:fd920908b9fe5f5f/0000000000000000:1291: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:fd920908b9fe5f5f/0000000000000000:1291: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fd920908b9fe5f5f/0000000000000000:1291: type=OAKLEY_GROUP, val=MODP2048.
ike 0:fd920908b9fe5f5f/0000000000000000:1291: ISAKMP SA lifetime=86400
ike 0:fd920908b9fe5f5f/0000000000000000:1291: proposal id = 0:
ike 0:fd920908b9fe5f5f/0000000000000000:1291: protocol id = ISAKMP:
ike 0:fd920908b9fe5f5f/0000000000000000:1291: trans_id = KEY_IKE.
ike 0:fd920908b9fe5f5f/0000000000000000:1291: encapsulation = IKE/none
ike 0:fd920908b9fe5f5f/0000000000000000:1291: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:fd920908b9fe5f5f/0000000000000000:1291: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:fd920908b9fe5f5f/0000000000000000:1291: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fd920908b9fe5f5f/0000000000000000:1291: type=OAKLEY_GROUP, val=MODP1536.
ike 0:fd920908b9fe5f5f/0000000000000000:1291: ISAKMP SA lifetime=86400
ike 0:fd920908b9fe5f5f/0000000000000000:1291: proposal id = 0:
ike 0:fd920908b9fe5f5f/0000000000000000:1291: protocol id = ISAKMP:
ike 0:fd920908b9fe5f5f/0000000000000000:1291: trans_id = KEY_IKE.
ike 0:fd920908b9fe5f5f/0000000000000000:1291: encapsulation = IKE/none
ike 0:fd920908b9fe5f5f/0000000000000000:1291: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:fd920908b9fe5f5f/0000000000000000:1291: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:fd920908b9fe5f5f/0000000000000000:1291: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fd920908b9fe5f5f/0000000000000000:1291: type=OAKLEY_GROUP, val=MODP2048.
ike 0:fd920908b9fe5f5f/0000000000000000:1291: ISAKMP SA lifetime=86400
ike 0:fd920908b9fe5f5f/0000000000000000:1291: proposal id = 0:
ike 0:fd920908b9fe5f5f/0000000000000000:1291: protocol id = ISAKMP:
ike 0:fd920908b9fe5f5f/0000000000000000:1291: trans_id = KEY_IKE.
ike 0:fd920908b9fe5f5f/0000000000000000:1291: encapsulation = IKE/none
ike 0:fd920908b9fe5f5f/0000000000000000:1291: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:fd920908b9fe5f5f/0000000000000000:1291: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:fd920908b9fe5f5f/0000000000000000:1291: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fd920908b9fe5f5f/0000000000000000:1291: type=OAKLEY_GROUP, val=MODP1536.
ike 0:fd920908b9fe5f5f/0000000000000000:1291: ISAKMP SA lifetime=86400
ike 0:fd920908b9fe5f5f/0000000000000000:1291: proposal id = 0:
ike 0:fd920908b9fe5f5f/0000000000000000:1291: protocol id = ISAKMP:
ike 0:fd920908b9fe5f5f/0000000000000000:1291: trans_id = KEY_IKE.
ike 0:fd920908b9fe5f5f/0000000000000000:1291: encapsulation = IKE/none
ike 0:fd920908b9fe5f5f/0000000000000000:1291: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:fd920908b9fe5f5f/0000000000000000:1291: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:fd920908b9fe5f5f/0000000000000000:1291: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fd920908b9fe5f5f/0000000000000000:1291: type=OAKLEY_GROUP, val=MODP2048.
ike 0:fd920908b9fe5f5f/0000000000000000:1291: ISAKMP SA lifetime=86400
ike 0:fd920908b9fe5f5f/0000000000000000:1291: proposal id = 0:
ike 0:fd920908b9fe5f5f/0000000000000000:1291: protocol id = ISAKMP:
ike 0:fd920908b9fe5f5f/0000000000000000:1291: trans_id = KEY_IKE.
ike 0:fd920908b9fe5f5f/0000000000000000:1291: encapsulation = IKE/none
ike 0:fd920908b9fe5f5f/0000000000000000:1291: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:fd920908b9fe5f5f/0000000000000000:1291: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:fd920908b9fe5f5f/0000000000000000:1291: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fd920908b9fe5f5f/0000000000000000:1291: type=OAKLEY_GROUP, val=MODP1536.
ike 0:fd920908b9fe5f5f/0000000000000000:1291: ISAKMP SA lifetime=86400
ike 0:fd920908b9fe5f5f/0000000000000000:1291: proposal id = 0:
ike 0:fd920908b9fe5f5f/0000000000000000:1291: protocol id = ISAKMP:
ike 0:fd920908b9fe5f5f/0000000000000000:1291: trans_id = KEY_IKE.
ike 0:fd920908b9fe5f5f/0000000000000000:1291: encapsulation = IKE/none
ike 0:fd920908b9fe5f5f/0000000000000000:1291: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:fd920908b9fe5f5f/0000000000000000:1291: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:fd920908b9fe5f5f/0000000000000000:1291: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fd920908b9fe5f5f/0000000000000000:1291: type=OAKLEY_GROUP, val=MODP2048.
ike 0:fd920908b9fe5f5f/0000000000000000:1291: ISAKMP SA lifetime=86400
ike 0:fd920908b9fe5f5f/0000000000000000:1291: proposal id = 0:
ike 0:fd920908b9fe5f5f/0000000000000000:1291: protocol id = ISAKMP:
ike 0:fd920908b9fe5f5f/0000000000000000:1291: trans_id = KEY_IKE.
ike 0:fd920908b9fe5f5f/0000000000000000:1291: encapsulation = IKE/none
ike 0:fd920908b9fe5f5f/0000000000000000:1291: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:fd920908b9fe5f5f/0000000000000000:1291: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:fd920908b9fe5f5f/0000000000000000:1291: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fd920908b9fe5f5f/0000000000000000:1291: type=OAKLEY_GROUP, val=MODP1536.
ike 0:fd920908b9fe5f5f/0000000000000000:1291: ISAKMP SA lifetime=86400
ike 0:fd920908b9fe5f5f/0000000000000000:1291: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:fd920908b9fe5f5f/0000000000000000:1291: no SA proposal chosen
ike 0:VPN-to-hub:1289: out [packet hex dump omitted]
ike 0:VPN-to-hub:1289: sent IKE msg (P1_RETRANSMIT): 2.2.2.5:500->77.77.77.254:500, len=572, vrf=0, id=0089726556465204/0000000000000000


Hub # ike shrank heap by 159744 bytes
ike 0:VPN-to-spoke:1286: out [packet hex dump omitted]
ike 0:VPN-to-spoke:1286: sent IKE msg (P1_RETRANSMIT): 2.2.2.25:500->99.99.99.254:500, len=632, vrf=0, id=f35f06de9334d5a3/0000000000000000
ike 0: comes 2.2.2.5:500->77.77.77.254:500,ifindex=4,vrf=0....
ike 0: IKEv1 exchange=Identity Protection id=13d44c5be41bf62a/0000000000000000 len=572 vrf=0
ike 0: in [packet hex dump omitted]
ike 0:13d44c5be41bf62a/0000000000000000:1290: responder: main mode get 1st message...
ike 0:13d44c5be41bf62a/0000000000000000:1290: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:13d44c5be41bf62a/0000000000000000:1290: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:13d44c5be41bf62a/0000000000000000:1290: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
ike 0:13d44c5be41bf62a/0000000000000000:1290: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:13d44c5be41bf62a/0000000000000000:1290: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
ike 0:13d44c5be41bf62a/0000000000000000:1290: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:13d44c5be41bf62a/0000000000000000:1290: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:13d44c5be41bf62a/0000000000000000:1290: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike 0:13d44c5be41bf62a/0000000000000000:1290: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:13d44c5be41bf62a/0000000000000000:1290: VID FORTIGATE 8299031757A36082C6A621DE00000000
ike 0:13d44c5be41bf62a/0000000000000000:1290: incoming proposal:
ike 0:13d44c5be41bf62a/0000000000000000:1290: proposal id = 0:
ike 0:13d44c5be41bf62a/0000000000000000:1290: protocol id = ISAKMP:
ike 0:13d44c5be41bf62a/0000000000000000:1290: trans_id = KEY_IKE.
ike 0:13d44c5be41bf62a/0000000000000000:1290: encapsulation = IKE/none
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=OAKLEY_GROUP, val=MODP2048.
ike 0:13d44c5be41bf62a/0000000000000000:1290: ISAKMP SA lifetime=86400
ike 0:13d44c5be41bf62a/0000000000000000:1290: proposal id = 0:
ike 0:13d44c5be41bf62a/0000000000000000:1290: protocol id = ISAKMP:
ike 0:13d44c5be41bf62a/0000000000000000:1290: trans_id = KEY_IKE.
ike 0:13d44c5be41bf62a/0000000000000000:1290: encapsulation = IKE/none
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=OAKLEY_GROUP, val=MODP1536.
ike 0:13d44c5be41bf62a/0000000000000000:1290: ISAKMP SA lifetime=86400
ike 0:13d44c5be41bf62a/0000000000000000:1290: proposal id = 0:
ike 0:13d44c5be41bf62a/0000000000000000:1290: protocol id = ISAKMP:
ike 0:13d44c5be41bf62a/0000000000000000:1290: trans_id = KEY_IKE.
ike 0:13d44c5be41bf62a/0000000000000000:1290: encapsulation = IKE/none
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=OAKLEY_GROUP, val=MODP2048.
ike 0:13d44c5be41bf62a/0000000000000000:1290: ISAKMP SA lifetime=86400
ike 0:13d44c5be41bf62a/0000000000000000:1290: proposal id = 0:
ike 0:13d44c5be41bf62a/0000000000000000:1290: protocol id = ISAKMP:
ike 0:13d44c5be41bf62a/0000000000000000:1290: trans_id = KEY_IKE.
ike 0:13d44c5be41bf62a/0000000000000000:1290: encapsulation = IKE/none
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=OAKLEY_GROUP, val=MODP1536.
ike 0:13d44c5be41bf62a/0000000000000000:1290: ISAKMP SA lifetime=86400
ike 0:13d44c5be41bf62a/0000000000000000:1290: proposal id = 0:
ike 0:13d44c5be41bf62a/0000000000000000:1290: protocol id = ISAKMP:
ike 0:13d44c5be41bf62a/0000000000000000:1290: trans_id = KEY_IKE.
ike 0:13d44c5be41bf62a/0000000000000000:1290: encapsulation = IKE/none
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=OAKLEY_GROUP, val=MODP2048.
ike 0:13d44c5be41bf62a/0000000000000000:1290: ISAKMP SA lifetime=86400
ike 0:13d44c5be41bf62a/0000000000000000:1290: proposal id = 0:
ike 0:13d44c5be41bf62a/0000000000000000:1290: protocol id = ISAKMP:
ike 0:13d44c5be41bf62a/0000000000000000:1290: trans_id = KEY_IKE.
ike 0:13d44c5be41bf62a/0000000000000000:1290: encapsulation = IKE/none
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=OAKLEY_GROUP, val=MODP1536.
ike 0:13d44c5be41bf62a/0000000000000000:1290: ISAKMP SA lifetime=86400
ike 0:13d44c5be41bf62a/0000000000000000:1290: proposal id = 0:
ike 0:13d44c5be41bf62a/0000000000000000:1290: protocol id = ISAKMP:
ike 0:13d44c5be41bf62a/0000000000000000:1290: trans_id = KEY_IKE.
ike 0:13d44c5be41bf62a/0000000000000000:1290: encapsulation = IKE/none
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=OAKLEY_GROUP, val=MODP2048.
ike 0:13d44c5be41bf62a/0000000000000000:1290: ISAKMP SA lifetime=86400
ike 0:13d44c5be41bf62a/0000000000000000:1290: proposal id = 0:
ike 0:13d44c5be41bf62a/0000000000000000:1290: protocol id = ISAKMP:
ike 0:13d44c5be41bf62a/0000000000000000:1290: trans_id = KEY_IKE.
ike 0:13d44c5be41bf62a/0000000000000000:1290: encapsulation = IKE/none
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=OAKLEY_GROUP, val=MODP1536.
ike 0:13d44c5be41bf62a/0000000000000000:1290: ISAKMP SA lifetime=86400
ike 0:13d44c5be41bf62a/0000000000000000:1290: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:13d44c5be41bf62a/0000000000000000:1290: no SA proposal chosen

 

 

ozkanaltas

Hello @hugo-spie,


It seems interesting. Both site IPs look different.


HUB: ike 0: comes 2.2.2.5:500->77.77.77.254:500,

Spoke: ike 0: comes 2.2.2.25:500->99.99.99.254:500,ifindex=4,vrf=0


If you got a trial license from Fortinet, there is no need to use lower encryption. What I said is valid for an eval license.


Can you start over and follow this document for the IPsec configuration?


https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/913287/basic-site-to-site-vp...


P.S.

I found a video about IPsec configuration on two FortiGates. You can also follow this video.


https://www.youtube.com/watch?v=MHfjI13WiNI&ab_channel=ToThePointFortinet


If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
hugo-spie

It works with the correct IP address, thanks. I will review my IPs and change the architecture.
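The check the accepted answer makes by eye (the source address in the `comes` line against the configured `remote-gw`), together with a comparison of the transforms the peer offered against the local `set proposal` and `set dhgrp` lists, as an added Python example that is not from this thread or from Fortinet. The log is a constructed excerpt modelled on the `diagnose debug application ike -1` dump above, and the `remote-gw`, proposal and DH-group values handed to `diagnose()` are assumptions, not the poster's real settings.

```python
import re

# Constructed sample modelled on this thread's ike debug lines (the real dump also has VID,
# AUTH_METHOD and lifetime lines and many more proposals; two are enough for the check).
HUB_LOG = """\
ike 0: comes 2.2.2.5:500->77.77.77.254:500,ifindex=4,vrf=0....
ike 0:13d44c5be41bf62a/0000000000000000:1290: responder: main mode get 1st message...
ike 0:13d44c5be41bf62a/0000000000000000:1290: incoming proposal:
ike 0:13d44c5be41bf62a/0000000000000000:1290: proposal id = 0:
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=OAKLEY_GROUP, val=MODP2048.
ike 0:13d44c5be41bf62a/0000000000000000:1290: proposal id = 0:
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:13d44c5be41bf62a/0000000000000000:1290: type=OAKLEY_GROUP, val=MODP1536.
ike Negotiate ISAKMP SA Error: ike 0:13d44c5be41bf62a/0000000000000000:1290: no SA proposal chosen
"""

# ike-daemon names -> the names used by "set proposal" and the IANA numbers used by "set dhgrp"
HASH = {"SHA": "sha1", "SHA2_256": "sha256", "SHA2_384": "sha384", "SHA2_512": "sha512"}
GROUP = {"MODP1024": 2, "MODP1536": 5, "MODP2048": 14, "MODP3072": 15}
COMES = re.compile(r"comes (\d+(?:\.\d+){3}):\d+->(\d+(?:\.\d+){3}):\d+")
ATTR = re.compile(r"type=(\w+), val=(\w+)(?:, key-len=(\d+))?")

def parse_ike_debug(log):
    """Return (peer_ip, local_ip, offered, failed); offered is a list of (enc-hash, dhgrp)."""
    peer = local = None
    failed, raw = False, []
    for line in log.splitlines():
        if m := COMES.search(line):
            peer, local = m.group(1), m.group(2)
        elif "proposal id =" in line:          # every "proposal id" line starts a new transform
            raw.append({})
        elif m := ATTR.search(line):
            typ, val, klen = m.groups()
            if typ == "OAKLEY_ENCRYPT_ALG":
                raw[-1]["enc"] = f"aes{klen}" if val == "AES_CBC" else val.lower()
            elif typ == "OAKLEY_HASH_ALG":
                raw[-1]["hash"] = HASH.get(val, val.lower())
            elif typ == "OAKLEY_GROUP":
                raw[-1]["dhgrp"] = GROUP.get(val)
        elif "no SA proposal chosen" in line:
            failed = True
    offered = [(f"{p['enc']}-{p['hash']}", p["dhgrp"]) for p in raw]
    return peer, local, offered, failed

def diagnose(log, remote_gw, proposal, dhgrp):
    """Explain a failed phase 1 against the local phase1-interface settings (assumed inputs)."""
    peer, _local, offered, failed = parse_ike_debug(log)
    if not failed:
        return []
    findings = []
    if peer != remote_gw:   # no gateway matches this source, so the responder has nothing to choose
        findings.append(f"peer mismatch: packet came from {peer}, remote-gw is {remote_gw}")
    if not any(p in proposal and g in dhgrp for p, g in offered):
        findings.append(f"no common proposal: peer offered {offered}")
    if not findings:
        findings.append("peer and proposal match: check PSK, peer ID and the receiving interface")
    return findings
```

Feed it the full dump from `diagnose debug application ike -1` and the values from `show vpn ipsec phase1-interface`; a "peer mismatch" finding with matching proposals is exactly the situation the accepted answer spotted in this thread.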
