FortiGate FG30E IPSec Fails to Connect with "ignoring IKEv2 request, no policy configured"

Author: garry3peace, 2021/04/27 04:38:35 (FortiOS 6.2)

I've searched all over the place and tried everything I could to find where I am going wrong. I hope you can help me check where the problem is.
 
So I have a FortiGate FG30E, let's call it Site1 (IP 1.1.1.1). And there is another FortiGate called Site2 (IP 2.2.2.2, the firewall which I cannot control) that I tried to connect to.
 
I created a VPN tunnel called "MY_VPN" to connect via IPsec VPN to Site2. But it just won't connect (cannot be brought up). In the log (diag debug app ike -1, diag debug enable) it says "ignoring IKEv2 request, no policy configured", which I've clearly created under "Policy & Objects" -> "Security Policy" (there is no "IPv4 Policy" menu on my FortiGate).
 
I have also created a static route. And to ensure NAT is disabled on the security policy, I've created an extra policy under "Policy & Objects > Central SNAT". Still unable to connect. I hope you can help me find out what the problem is here.
 
Any help will be much appreciated.
 
============================

config firewall security-policy
    ...
    edit 33
        set uuid eabc671a-a6fc-51eb-306a-97212015e312
        set name "SITE1_TO_SITE2"
        set srcintf "lan4"
        set dstintf "MY_VPN"
        set srcaddr4 "all"
        set dstaddr4 "all"
        set enforce-default-app-port disable
        set service "ALL"
        set action accept
        set schedule "always"
        set logtraffic all
    next
    edit 34
        set uuid 4870034e-a6fd-51eb-4d1d-82bb53e942f1
        set name "SITE2_TO_SITE1"
        set srcintf "MY_VPN"
        set dstintf "lan4"
        set srcaddr4 "all"
        set dstaddr4 "all"
        set enforce-default-app-port disable
        set service "ALL"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end
===============================================
# show router static
config router static
    ...
    edit 12
        set dst 172.18.3.0 255.255.255.0
        set device "MY_VPN"
    next
end
=============================================================
# show firewall central-snat-map
config firewall central-snat-map
    edit 19
        set orig-addr "all"
        set srcintf "lan4"
        set dst-addr "all"
        set dstintf "MY_VPN"
        set nat disable
    next
    edit 20
        set orig-addr "all"
        set srcintf "MY_VPN"
        set dst-addr "all"
        set dstintf "lan4"
        set nat disable
    next

=====================================================================

# show vpn ipsec phase1-interface MY_VPN
config vpn ipsec phase1-interface
    edit "MY_VPN"
        set interface "CBN.iNET"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha1
        set dhgrp 21
        set nattraversal disable
        set remote-gw 2.2.2.2
        set psksecret ENC zkNe14wSA+nu5PUKnRxvGVSIJ77GcIANcIrvwplaGdznVkeCtKjSHe4gqySkSLWHCDgzM/KnqfmNFqVcaCNsLs1rAT80mrnmULIPSdDj1GxW9Ocg1qjrhtklq/H1Hg6he2pv36OjAyVx/2I4xHci0VXrbOmBPMzz4llxOiXvNQsrflkZl/779ZNxXX8xry/NHvQBAQ==
    next
end
 
# show vpn ipsec phase2-interface TEST
config vpn ipsec phase2-interface
    edit "TEST"
        set phase1name "MY_VPN"
        set proposal aes128-sha1
        set dhgrp 21
        set auto-negotiate enable
        set keylifeseconds 86400
        set src-subnet 10.100.79.0 255.255.255.0
        set dst-subnet 172.18.3.0 255.255.255.0
    next
end

=======================
# diag debug enable
 
ike 0: comes 2.2.2.2:500->1.1.1.1:500,ifindex=12....
ike 0: IKEv2 exchange=SA_INIT id=16c8b2b2cc27e688/0000000000000000 len=412
ike 0: in 16C8B2B2CC27E688000000000000000021202208000000000000019C220000C80200002C010100040300000C0100000C800E00800300000802000005030000080300000C00000008040000150200002C020100040300000C0100000C800E01000300000802000005030000080300000C000000080400001502000024030100030300000C01000014800E00800300000802000005000000080400001502000024040100030300000C01000014800E01000300000802000006000000080400001500000024050100030300000C0100001C800E0100030000080200000500000008040000152800008C0015000001914E8583A6A189283121D4FDD107E1CD44679BC871BCED24624D5D80768FE0CB9839021F2C9F97FB2F28F08BCEEBC5D545C2D920686139709B99A8C7A52C1FC9B9002D5DBD5F65CAA8FF1C4788AF167BE92D6D447B20E7503F0EA48FA05EE0481B6795B602FB1E311E1F72B668F781C0297C9E17C5AA747DE0250283F1CAD19819527329000024F52B6DDED4E8063AE2EEBD2D5C0711D810F1FE1E05B7358A4DF77A686B9FB931000000080000402E
ike 0:16c8b2b2cc27e688/0000000000000000:70668: responder received SA_INIT msg
ike 0:16c8b2b2cc27e688/0000000000000000:70668: received notify type FRAGMENTATION_SUPPORTED
ike 0:16c8b2b2cc27e688/0000000000000000:70668: incoming proposal:
ike 0:16c8b2b2cc27e688/0000000000000000:70668: proposal id = 1:
ike 0:16c8b2b2cc27e688/0000000000000000:70668:   protocol = IKEv2:
ike 0:16c8b2b2cc27e688/0000000000000000:70668:      encapsulation = IKEv2/none
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=ENCR, val=AES_CBC (key_len = 128)
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=PRF, val=PRF_HMAC_SHA2_256
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=DH_GROUP, val=ECP521.
ike 0:16c8b2b2cc27e688/0000000000000000:70668: proposal id = 2:
ike 0:16c8b2b2cc27e688/0000000000000000:70668:   protocol = IKEv2:
ike 0:16c8b2b2cc27e688/0000000000000000:70668:      encapsulation = IKEv2/none
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=ENCR, val=AES_CBC (key_len = 256)
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=PRF, val=PRF_HMAC_SHA2_256
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=DH_GROUP, val=ECP521.
ike 0:16c8b2b2cc27e688/0000000000000000:70668: proposal id = 3:
ike 0:16c8b2b2cc27e688/0000000000000000:70668:   protocol = IKEv2:
ike 0:16c8b2b2cc27e688/0000000000000000:70668:      encapsulation = IKEv2/none
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=ENCR, val=AES_GCM_16 (key_len = 128)
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=PRF, val=PRF_HMAC_SHA2_256
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=DH_GROUP, val=ECP521.
ike 0:16c8b2b2cc27e688/0000000000000000:70668: proposal id = 4:
ike 0:16c8b2b2cc27e688/0000000000000000:70668:   protocol = IKEv2:
ike 0:16c8b2b2cc27e688/0000000000000000:70668:      encapsulation = IKEv2/none
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=ENCR, val=AES_GCM_16 (key_len = 256)
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=PRF, val=PRF_HMAC_SHA2_384
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=DH_GROUP, val=ECP521.
ike 0:16c8b2b2cc27e688/0000000000000000:70668: proposal id = 5:
ike 0:16c8b2b2cc27e688/0000000000000000:70668:   protocol = IKEv2:
ike 0:16c8b2b2cc27e688/0000000000000000:70668:      encapsulation = IKEv2/none
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=ENCR, val=CHACHA20_POLY1305 (key_len = 256)
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=PRF, val=PRF_HMAC_SHA2_256
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=DH_GROUP, val=ECP521.
ike 0:MY_VPN: ignoring IKEv2 request, no policy configured
ike 0:16c8b2b2cc27e688/0000000000000000:70668: negotiation failure
ike Negotiate SA Error: ike ike  [10217]
#1

7 Replies

    emnoc (Expert Member), 2021/04/27 07:25:09
    Is this correct?

    "config firewall security-policy
        ...
            set srcaddr4 "all"
            set dstaddr4 "all"
    "

    Do a "show firewall policy 33" and post that output.
     
    Ken Felix
     
    #2
    Toshi Esumi (Expert Member), 2021/04/27 09:04:42
    The opposite side is not offering aes128-sha1 in its IKE policy proposals. Talk to whoever configured the opposite side.
    #3
    garry3peace, 2021/04/27 18:05:00
    My FortiGate doesn't have "show firewall policy"; instead it is "show firewall security-policy". Here it is:
     
    # show firewall security-policy 33
    config firewall security-policy
        edit 33
            set uuid eabc671a-a6fc-51eb-306a-97212015e312
            set name "SITE1_TO_SITE2"
            set srcintf "lan4"
            set dstintf "MY_VPN"
            set srcaddr4 "all"
            set dstaddr4 "all"
            set enforce-default-app-port disable
            set service "ALL"
            set action accept
            set schedule "always"
            set logtraffic all
        next
    end
    #4
    garry3peace, 2021/04/27 18:05:59
    I've asked the opposite side to change the request. Now the log has changed:
     
    ike 0: comes 2.2.2.2:500->1.1.1.1:500,ifindex=12....
    ike 0: IKEv2 exchange=SA_INIT id=1bc042eb75fdaebe/0000000000000000 len=260
    ike 0: in 1BC042EB75FDAEBE0000000000000000212022080000000000000104220000300000002C010100040300000C0100000C800E00800300000802000002030000080300000200000008040000152800008C00150000019F73F27D58AA648B9178B9F4CCA3F663836946C5A54E4B73125D9F026FFF377474C6456BA891E64C0820C3A14FA9D580EF990C4B24B4D253D22C236DEA3665D75401651A57ACCC659196D9F18B800B20886A563579BBA099E353050ED45D4418463DF45492342A4C90FD52FB0C08BA38AC93E578CA3BE75307F44AA354839148AA1AED29000024C44B1A19B6CA95589970FD377F337610E5D346F91C26611CFE4E35F76298FDBD000000080000402E
    ike 0:1bc042eb75fdaebe/0000000000000000:77501: responder received SA_INIT msg
    ike 0:1bc042eb75fdaebe/0000000000000000:77501: received notify type FRAGMENTATION_SUPPORTED
    ike 0:1bc042eb75fdaebe/0000000000000000:77501: incoming proposal:
    ike 0:1bc042eb75fdaebe/0000000000000000:77501: proposal id = 1:
    ike 0:1bc042eb75fdaebe/0000000000000000:77501:   protocol = IKEv2:
    ike 0:1bc042eb75fdaebe/0000000000000000:77501:      encapsulation = IKEv2/none
    ike 0:1bc042eb75fdaebe/0000000000000000:77501:         type=ENCR, val=AES_CBC (key_len = 128)
    ike 0:1bc042eb75fdaebe/0000000000000000:77501:         type=INTEGR, val=AUTH_HMAC_SHA_96
    ike 0:1bc042eb75fdaebe/0000000000000000:77501:         type=PRF, val=PRF_HMAC_SHA
    ike 0:1bc042eb75fdaebe/0000000000000000:77501:         type=DH_GROUP, val=ECP521.
    ike 0:PAYLABS_TO_HANA: ignoring IKEv2 request, no policy configured
    ike 0:1bc042eb75fdaebe/0000000000000000:77501: negotiation failure
    ike Negotiate SA Error: ike ike  [10217]
    post edited by garry3peace - 2021/04/27 19:04:53
    #5
    garry3peace, 2021/04/27 21:59:50
    Changing the interface from "CBN.iNET" to "WAN" in the VPN IPsec tunnel configuration has caused the log to generate a different message now:
     
    ==========
    # show vpn ipsec phase1-interface MY_VPN
    config vpn ipsec phase1-interface
        edit "MY_VPN"
            set interface "WAN"
            set ike-version 2
            .....
    ===============
     
    ike 0: comes 2.2.2.2:500->1.1.1.1:500,ifindex=12....
    ike 0: IKEv2 exchange=SA_INIT id=762e938e83840e3c/0000000000000000 len=260
    ike 0:762e938e83840e3c/0000000000000000:78877: responder received SA_INIT msg
    ike 0:762e938e83840e3c/0000000000000000:78877: received notify type FRAGMENTATION_SUPPORTED
    ike 0:762e938e83840e3c/0000000000000000:78877: incoming proposal:
    ike 0:762e938e83840e3c/0000000000000000:78877: proposal id = 1:
    ike 0:762e938e83840e3c/0000000000000000:78877:   protocol = IKEv2:
    ike 0:762e938e83840e3c/0000000000000000:78877:      encapsulation = IKEv2/none
    ike 0:762e938e83840e3c/0000000000000000:78877:         type=ENCR, val=AES_CBC (key_len = 128)
    ike 0:762e938e83840e3c/0000000000000000:78877:         type=INTEGR, val=AUTH_HMAC_SHA_96
    ike 0:762e938e83840e3c/0000000000000000:78877:         type=PRF, val=PRF_HMAC_SHA
    ike 0:762e938e83840e3c/0000000000000000:78877:         type=DH_GROUP, val=ECP521.
    ike 0:762e938e83840e3c/0000000000000000:78877: no proposal chosen
    ike Negotiate SA Error: ike ike  [10211]
    ike shrank heap by 126976 bytes
    ==========================
     
    Not sure if this is getting near the solution or not.
    #6
    emnoc (Expert Member), 2021/04/28 04:43:46
    OK, so now that you changed the interface, no-proposal means what was said earlier by the other poster: you need a matching proposal.

    ike 0:762e938e83840e3c/0000000000000000:78877: no proposal chosen

    Can you change your proposal to match one of the incoming ones? AES128-sha256 ECP521?

    e.g. CLI entries you need to add to phase1/phase2:

    set proposal aes128-sha256  aes256-sha256

    So what model FortiGate is this? Can you do a "get system status"? I know you say it's a FGT30E but I would think it would have the same CLI commands as the rest of the FGTs.


    Ken Felix
    #7
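As an added illustration (not code from either poster or from Fortinet), the following Python models the responder-side check behind "no proposal chosen": it parses the "incoming proposal" block of the IKE debug output shown above and reports which offers a given `set proposal` / `set dhgrp` would accept. The token-to-transform mapping and the log excerpt are constructed from this thread; only ENCR, INTEGR and DH group are compared, whereas the real responder also checks the PRF.

```python
import re
# FortiOS "set proposal" token -> (ENCR, key_len, INTEGR) as printed by "diag debug app ike -1";
# only the tokens used in this thread are mapped (assumed mapping, built from the thread's output).
FORTIOS_PROPOSALS = {
    "aes128-sha1":   ("AES_CBC", 128, "AUTH_HMAC_SHA_96"),
    "aes128-sha256": ("AES_CBC", 128, "AUTH_HMAC_SHA2_256_128"),
    "aes256-sha256": ("AES_CBC", 256, "AUTH_HMAC_SHA2_256_128"),
}
FORTIOS_DHGRP = {"21": "ECP521"}  # "set dhgrp" value -> debug name (only group 21 appears on this page)

# Constructed excerpt of the first SA_INIT dump in the thread (proposal ids 1-3, PRF lines omitted).
SAMPLE_DEBUG = """\
ike 0:16c8b2b2cc27e688/0000000000000000:70668: proposal id = 1:
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=ENCR, val=AES_CBC (key_len = 128)
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=DH_GROUP, val=ECP521.
ike 0:16c8b2b2cc27e688/0000000000000000:70668: proposal id = 2:
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=ENCR, val=AES_CBC (key_len = 256)
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=DH_GROUP, val=ECP521.
ike 0:16c8b2b2cc27e688/0000000000000000:70668: proposal id = 3:
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=ENCR, val=AES_GCM_16 (key_len = 128)
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=DH_GROUP, val=ECP521.
"""

def parse_incoming_proposals(debug_output):
    """One dict per 'proposal id = N:' block, keyed by transform type (ENCR, INTEGR, PRF, DH_GROUP)."""
    proposals = []
    for line in debug_output.splitlines():
        m = re.search(r"proposal id = (\d+):", line)
        if m:
            proposals.append({"id": int(m.group(1))})
            continue
        m = re.search(r"type=(\w+), val=(\w+)(?: \(key_len = (\d+)\))?", line)
        if m and proposals:
            typ, val, klen = m.groups()
            proposals[-1][typ] = (val, int(klen)) if klen else val  # ENCR keeps its key length
    return proposals

def matching_proposals(local_proposal, local_dhgrp, incoming):
    """Ids of incoming proposals accepted by the local 'set proposal'/'set dhgrp'; [] means 'no proposal chosen'."""
    groups = {FORTIOS_DHGRP[g] for g in local_dhgrp.split()}
    accepted = set()
    for token in local_proposal.split():
        encr, klen, integ = FORTIOS_PROPOSALS[token]
        for p in incoming:  # AEAD offers (AES_GCM, no INTEGR) never match a CBC+HMAC token
            if p.get("ENCR") == (encr, klen) and p.get("INTEGR") == integ and p.get("DH_GROUP") in groups:
                accepted.add(p["id"])
    return sorted(accepted)
```

Run against the excerpt, the thread's original `aes128-sha1` / `dhgrp 21` accepts nothing, while `aes128-sha256 aes256-sha256` accepts offers 1 and 2.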
    garry3peace, 2021/04/28 18:56:01
    This is the result of:
    # get system status
    Version: FortiGate-30E v6.2.5,build1142,200819 (GA)
    Virus-DB: 85.00790(2021-04-28 15:21)
    Extended DB: 81.00850(2020-11-15 07:19)
    IPS-DB: 18.00063(2021-04-21 01:15)
    IPS-ETDB: 0.00000(2001-01-01 00:00)
    APP-DB: 18.00062(2021-04-20 00:12)
    INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
    Serial-Number: FGT30E5619024321
    Botnet DB: 4.00689(2021-04-15 00:06)
    BIOS version: 05000016
    System Part-Number: P17455-05
    Log hard disk: Not available
    Hostname: WPD_FORTI-DC
    Operation Mode: NAT
    Current virtual domain: root
    Max number of virtual domains: 5
    Virtual domains status: 1 in NAT mode, 0 in TP mode
    Virtual domain configuration: disable
    FIPS-CC mode: disable
    Current HA mode: standalone
    Branch point: 1142
    Release Version Information: GA
    System time: Thu Apr 29 08:48:36 2021
    #8