luca1994
New Contributor III

VPN IPSec between two fortigate: phase 1 ike msg retransmit

Hello team,

 

this is the scenario:

IPSec peers are both public ip so I left NAT-T disabled and enabled DPD Peer detection on demand for both firewalls.
As authentication I set PSK, IKEv1 Main (id protection) for both firewalls.
For the Phase1 Proposal part I configured AES256-SHA1 and DH 21 and 2 for both firewalls.
After that I configured the relevant policies and static route for both firewalls.

The problem is that phase1 does not go up. Running some debugging I see this in the logs:

[Screenshots: ike debug1.png, ike debug2.png]

I also ran a packet capture and I see traffic on port 500 for both firewalls:

 

[Screenshots: sniffer2.png, sniffer1.png]

 

 

Thanks in advance for the support

BR

4 REPLIES
AEK
SuperUser

Hi Luca

Check on your local FG if the remote peer IP is set on some interface or as VIP or IP pool.

AEK
luca1994
New Contributor III

Hi @AEK,

 

the remote peer IP is set on an interface, and the local peer IP as well.

 

BR

AEK

Hi Luca

I mean your issue may occur if the remote peer IP (FG-B) is conflicting with an IP set on the local FortiGate (FG-A).

Try checking on FG-A; maybe you have a VIP or IP pool that contains the remote peer IP. In that case, during negotiation, packets are sent to the local FG instead of FG-B.

AEK
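As an added illustration of the check AEK describes (this script is not from the thread or from Fortinet), the following scans a FortiOS-style configuration dump for any local interface address, VIP or IP pool whose range contains a phase1 remote-gw. The sample config is constructed, and the CLI key names (remote-gw, extip, startip/endip, ip) are assumed to follow FortiOS conventions.

```python
from ipaddress import ip_address as ip

# Constructed FortiOS-style config (assumed syntax): "vip-web" and "pool-nat" both cover the peer IP.
SAMPLE_CONFIG = """config vpn ipsec phase1-interface
    edit "to-FGB"
        set remote-gw 203.0.113.10
    next
end
config firewall vip
    edit "vip-web"
        set extip 203.0.113.10
    next
end
config firewall ippool
    edit "pool-nat"
        set startip 203.0.113.1
        set endip 203.0.113.20
    next
end"""

def parse_blocks(text):
    """Yield (section, entry name, settings) for each edit ... next block."""
    section, name, settings = None, None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("config "):
            section = line[7:]
        elif line.startswith("edit "):
            name, settings = line[5:].strip('"'), {}
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            settings[key] = value.strip('"')
        elif line == "next":
            yield section, name, settings

def find_peer_conflicts(text):
    """Return (phase1, object type, object name) for each local object whose range holds a peer IP."""
    peers, local = [], []
    for section, name, s in parse_blocks(text):
        if section == "vpn ipsec phase1-interface" and "remote-gw" in s:
            peers.append((name, ip(s["remote-gw"])))
        elif section == "system interface" and "ip" in s:
            addr = ip(s["ip"].split()[0])           # value is "address mask"
            local.append(("interface", name, addr, addr))
        elif section == "firewall vip" and "extip" in s:
            lo, _, hi = s["extip"].partition("-")   # extip may be an "a-b" range
            local.append(("vip", name, ip(lo), ip(hi or lo)))
        elif section == "firewall ippool" and "startip" in s:
            local.append(("ippool", name, ip(s["startip"]), ip(s["endip"])))
    return [(p1, k, o) for p1, peer in peers for k, o, lo, hi in local if lo <= peer <= hi]
```

Feed it the output of `show full-configuration` from FG-A; any hit names the local object that would swallow the IKE packets destined for FG-B.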
hbac
Staff

Hi @luca1994,

 

Can you run debugs on the other side?

 

Regards,
