Support Forum
garry3peace
New Contributor

Fortigate FG30E IPSec Fail to Connect with "ignoring IKEv2 request, no policy configured"

I've searched all over the place and tried everything I could to find where I am going wrong. I hope you can help me check where the problem is.

So I have a FortiGate FG30E, let's call it Site1 (IP 1.1.1.1). And there is another FortiGate called Site2 (IP 2.2.2.2, a firewall which I cannot control) that I tried to connect to.

I created a VPN tunnel called "MY_VPN" to connect an IPsec VPN to Site2. But it just won't connect (cannot be brought up). In the log (diag debug app ike -1, diag debug enable) it says "ignoring IKEv2 request, no policy configured", although I have clearly created the policy under "Policy & Objects" -> "Security Policy" (there is no "IPv4 Policy" menu on my FortiGate).

I have also created a static route. And to ensure NAT is disabled on the Security Policy, I've created an extra policy under "Policy & Objects > Central SNAT". Still unable to connect. I hope you can help me find out what the problem is here.

Any help will be much appreciated.

 

============================

config firewall security-policy
    ...
    edit 33
        set uuid eabc671a-a6fc-51eb-306a-97212015e312
        set name "SITE1_TO_SITE2"
        set srcintf "lan4"
        set dstintf "MY_VPN"
        set srcaddr4 "all"
        set dstaddr4 "all"
        set enforce-default-app-port disable
        set service "ALL"
        set action accept
        set schedule "always"
        set logtraffic all
    next
    edit 34
        set uuid 4870034e-a6fd-51eb-4d1d-82bb53e942f1
        set name "SITE2_TO_SITE1"
        set srcintf "MY_VPN"
        set dstintf "lan4"
        set srcaddr4 "all"
        set dstaddr4 "all"
        set enforce-default-app-port disable
        set service "ALL"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end

===============================================

# show router static
config router static
    ...
    edit 12
        set dst 172.18.3.0 255.255.255.0
        set device "MY_VPN"
    next
end

=============================================================

# show firewall central-snat-map
config firewall central-snat-map
    edit 19
        set orig-addr "all"
        set srcintf "lan4"
        set dst-addr "all"
        set dstintf "MY_VPN"
        set nat disable
    next
    edit 20
        set orig-addr "all"
        set srcintf "MY_VPN"
        set dst-addr "all"
        set dstintf "lan4"
        set nat disable
    next

=====================================================================

# show vpn ipsec phase1-interface MY_VPN
config vpn ipsec phase1-interface
    edit "MY_VPN"
        set interface "CBN.iNET"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha1
        set dhgrp 21
        set nattraversal disable
        set remote-gw 2.2.2.2
        set psksecret ENC zkNe14wSA+nu5PUKnRxvGVSIJ77GcIANcIrvwplaGdznVkeCtKjSHe4gqySkSLWHCDgzM/KnqfmNFqVcaCNsLs1rAT80mrnmULIPSdDj1GxW9Ocg1qjrhtklq/H1Hg6he2pv36OjAyVx/2I4xHci0VXrbOmBPMzz4llxOiXvNQsrflkZl/779ZNxXX8xry/NHvQBAQ==
    next
end

# show vpn ipsec phase2-interface TEST
config vpn ipsec phase2-interface
    edit "TEST"
        set phase1name "MY_VPN"
        set proposal aes128-sha1
        set dhgrp 21
        set auto-negotiate enable
        set keylifeseconds 86400
        set src-subnet 10.100.79.0 255.255.255.0
        set dst-subnet 172.18.3.0 255.255.255.0
    next
end

=======================

# diag debug enable

ike 0: comes 2.2.2.2:500->1.1.1.1:500,ifindex=12....
ike 0: IKEv2 exchange=SA_INIT id=16c8b2b2cc27e688/0000000000000000 len=412
ike 0: in
ike 0:16c8b2b2cc27e688/0000000000000000:70668: responder received SA_INIT msg
ike 0:16c8b2b2cc27e688/0000000000000000:70668: received notify type FRAGMENTATION_SUPPORTED
ike 0:16c8b2b2cc27e688/0000000000000000:70668: incoming proposal:
ike 0:16c8b2b2cc27e688/0000000000000000:70668: proposal id = 1:
ike 0:16c8b2b2cc27e688/0000000000000000:70668:   protocol = IKEv2:
ike 0:16c8b2b2cc27e688/0000000000000000:70668:      encapsulation = IKEv2/none
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=ENCR, val=AES_CBC (key_len = 128)
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=PRF, val=PRF_HMAC_SHA2_256
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=DH_GROUP, val=ECP521.
ike 0:16c8b2b2cc27e688/0000000000000000:70668: proposal id = 2:
ike 0:16c8b2b2cc27e688/0000000000000000:70668:   protocol = IKEv2:
ike 0:16c8b2b2cc27e688/0000000000000000:70668:      encapsulation = IKEv2/none
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=ENCR, val=AES_CBC (key_len = 256)
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=PRF, val=PRF_HMAC_SHA2_256
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=DH_GROUP, val=ECP521.
ike 0:16c8b2b2cc27e688/0000000000000000:70668: proposal id = 3:
ike 0:16c8b2b2cc27e688/0000000000000000:70668:   protocol = IKEv2:
ike 0:16c8b2b2cc27e688/0000000000000000:70668:      encapsulation = IKEv2/none
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=ENCR, val=AES_GCM_16 (key_len = 128)
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=PRF, val=PRF_HMAC_SHA2_256
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=DH_GROUP, val=ECP521.
ike 0:16c8b2b2cc27e688/0000000000000000:70668: proposal id = 4:
ike 0:16c8b2b2cc27e688/0000000000000000:70668:   protocol = IKEv2:
ike 0:16c8b2b2cc27e688/0000000000000000:70668:      encapsulation = IKEv2/none
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=ENCR, val=AES_GCM_16 (key_len = 256)
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=PRF, val=PRF_HMAC_SHA2_384
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=DH_GROUP, val=ECP521.
ike 0:16c8b2b2cc27e688/0000000000000000:70668: proposal id = 5:
ike 0:16c8b2b2cc27e688/0000000000000000:70668:   protocol = IKEv2:
ike 0:16c8b2b2cc27e688/0000000000000000:70668:      encapsulation = IKEv2/none
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=ENCR, val=CHACHA20_POLY1305 (key_len = 256)
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=PRF, val=PRF_HMAC_SHA2_256
ike 0:16c8b2b2cc27e688/0000000000000000:70668:         type=DH_GROUP, val=ECP521.
ike 0:MY_VPN: ignoring IKEv2 request, no policy configured
ike 0:16c8b2b2cc27e688/0000000000000000:70668: negotiation failure
ike Negotiate SA Error: ike ike  [10217]

emnoc
Esteemed Contributor III

Is this correct?

"config firewall security-policy
    ...
        set srcaddr4 "all"
        set dstaddr4 "all"
"

Do a "show firewall policy 33" and post that output.

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  
Toshi_Esumi

The opposite side is not offering aes128-sha1 in its IKE policy proposals. Talk to whoever configured the opposite side.

garry3peace

I've asked the opposite side to change the request. Now the log has changed:

ike 0: comes 2.2.2.2:500->1.1.1.1:500,ifindex=12....
ike 0: IKEv2 exchange=SA_INIT id=1bc042eb75fdaebe/0000000000000000 len=260
ike 0: in
ike 0:1bc042eb75fdaebe/0000000000000000:77501: responder received SA_INIT msg
ike 0:1bc042eb75fdaebe/0000000000000000:77501: received notify type FRAGMENTATION_SUPPORTED
ike 0:1bc042eb75fdaebe/0000000000000000:77501: incoming proposal:
ike 0:1bc042eb75fdaebe/0000000000000000:77501: proposal id = 1:
ike 0:1bc042eb75fdaebe/0000000000000000:77501:   protocol = IKEv2:
ike 0:1bc042eb75fdaebe/0000000000000000:77501:      encapsulation = IKEv2/none
ike 0:1bc042eb75fdaebe/0000000000000000:77501:         type=ENCR, val=AES_CBC (key_len = 128)
ike 0:1bc042eb75fdaebe/0000000000000000:77501:         type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:1bc042eb75fdaebe/0000000000000000:77501:         type=PRF, val=PRF_HMAC_SHA
ike 0:1bc042eb75fdaebe/0000000000000000:77501:         type=DH_GROUP, val=ECP521.
ike 0:PAYLABS_TO_HANA: ignoring IKEv2 request, no policy configured
ike 0:1bc042eb75fdaebe/0000000000000000:77501: negotiation failure
ike Negotiate SA Error: ike ike  [10217]

garry3peace

Changing the interface from "CBN.iNET" to "WAN" in the VPN IPsec tunnel configuration has caused the log to generate a different message now.

==========

# show vpn ipsec phase1-interface MY_VPN
config vpn ipsec phase1-interface
    edit "MY_VPN"
        set interface "WAN"
        set ike-version 2
        .....

===============

ike 0: comes 2.2.2.2:500->1.1.1.1:500,ifindex=12....
ike 0: IKEv2 exchange=SA_INIT id=762e938e83840e3c/0000000000000000 len=260
ike 0: in
ike 0:762e938e83840e3c/0000000000000000:78877: responder received SA_INIT msg
ike 0:762e938e83840e3c/0000000000000000:78877: received notify type FRAGMENTATION_SUPPORTED
ike 0:762e938e83840e3c/0000000000000000:78877: incoming proposal:
ike 0:762e938e83840e3c/0000000000000000:78877: proposal id = 1:
ike 0:762e938e83840e3c/0000000000000000:78877:   protocol = IKEv2:
ike 0:762e938e83840e3c/0000000000000000:78877:      encapsulation = IKEv2/none
ike 0:762e938e83840e3c/0000000000000000:78877:         type=ENCR, val=AES_CBC (key_len = 128)
ike 0:762e938e83840e3c/0000000000000000:78877:         type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:762e938e83840e3c/0000000000000000:78877:         type=PRF, val=PRF_HMAC_SHA
ike 0:762e938e83840e3c/0000000000000000:78877:         type=DH_GROUP, val=ECP521.
ike 0:762e938e83840e3c/0000000000000000:78877: no proposal chosen
ike Negotiate SA Error: ike ike  [10211]
ike shrank heap by 126976 bytes

==========================

Not sure if this is getting near the solution or not.

emnoc
Esteemed Contributor III

Ok, so now that you changed the interface, "no proposal chosen" means what was said earlier by the other poster: you need a matching proposal.

ike 0:762e938e83840e3c/0000000000000000:78877: no proposal chosen

Can you change your proposal to match one of the incoming ones? AES128-sha256 ECP521?

e.g. CLI entries you need to add to phase1/phase2:

    set proposal aes128-sha256 aes256-sha256

So what model FortiGate is this? Can you do a "get system status"? I know you say it's a FGT30E, but I would think it would have the same CLI commands as the rest of the FGTs.


Ken Felix

 

 

PCNSE 

NSE 

StrongSwan  
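Added example, not code from any poster in this thread: a small Python checker that parses the proposal lines from "diag debug app ike -1" and compares them with a FortiGate phase1 proposal list and dhgrp, so the mismatch both replies point at (peer offers sha256 integrity, local side only has aes128-sha1) shows up as an empty match list. The mapping from FortiGate names (aes128-sha256, dhgrp 21) to the transform names the debug prints is assumed from the lines quoted in this thread, and the sample debug text is constructed from the first capture above.

```python
import re

# Assumed mapping from FortiGate phase1 proposal names to the IKEv2 transform
# names printed by "diag debug app ike -1", taken from lines quoted in this
# thread: sha1 prints as AUTH_HMAC_SHA_96, sha256 as AUTH_HMAC_SHA2_256_128.
INTEG = {"sha1": "AUTH_HMAC_SHA_96", "sha256": "AUTH_HMAC_SHA2_256_128"}
DHGRP = {14: "MODP2048", 19: "ECP256", 20: "ECP384", 21: "ECP521"}  # dhgrp -> debug name
PROPOSAL = re.compile(r"proposal id = (\d+):")
TRANSFORM = re.compile(r"type=(\w+), val=(\w+)(?: \(key_len = (\d+)\))?")

def parse_incoming(debug):
    """Return {proposal_id: {"ENCR": "AES_CBC/128", "INTEGR": ..., "DH_GROUP": ...}}."""
    proposals, current = {}, None
    for line in debug.splitlines():
        m = PROPOSAL.search(line)
        if m:                       # "proposal id = N:" starts a new peer proposal
            current = proposals.setdefault(int(m.group(1)), {})
            continue
        m = TRANSFORM.search(line)
        if m and current is not None:
            ttype, val, key_len = m.groups()
            current[ttype] = f"{val}/{key_len}" if key_len else val
    return proposals

def local_transforms(name, dhgrp):
    """Translate a non-AEAD phase1 proposal such as "aes128-sha256" plus dhgrp."""
    enc, auth = name.split("-")      # AEAD names like aes128gcm-prfsha256 are not handled
    return {"ENCR": f"AES_CBC/{int(enc[3:])}", "INTEGR": INTEG[auth],
            "DH_GROUP": DHGRP[dhgrp]}

def matching_proposals(debug, local_names, dhgrp):
    """(peer proposal id, local name) pairs the responder could select; [] = mismatch."""
    hits = []
    for pid, offered in parse_incoming(debug).items():
        for name in local_names:
            want = local_transforms(name, dhgrp)
            if all(offered.get(k) == v for k, v in want.items()):
                hits.append((pid, name))
    return hits

# Constructed sample, abridged from the first debug capture in this thread.
P = "ike 0:16c8b2b2cc27e688/0000000000000000:70668:"
SAMPLE_DEBUG = "\n".join([
    f"{P} proposal id = 1:",
    f"{P}         type=ENCR, val=AES_CBC (key_len = 128)",
    f"{P}         type=INTEGR, val=AUTH_HMAC_SHA2_256_128",
    f"{P}         type=PRF, val=PRF_HMAC_SHA2_256",
    f"{P}         type=DH_GROUP, val=ECP521.",
    f"{P} proposal id = 3:",
    f"{P}         type=ENCR, val=AES_GCM_16 (key_len = 128)",
    f"{P}         type=DH_GROUP, val=ECP521.",
])
```

With the thread's original setting, matching_proposals(SAMPLE_DEBUG, ["aes128-sha1"], 21) returns an empty list, and with ["aes128-sha256", "aes256-sha256"] it returns [(1, "aes128-sha256")]; the AEAD proposal 3 is never matched because it carries no INTEGR transform.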
garry3peace

This is the result of:

# get system status

Version: FortiGate-30E v6.2.5,build1142,200819 (GA)
Virus-DB: 85.00790(2021-04-28 15:21)
Extended DB: 81.00850(2020-11-15 07:19)
IPS-DB: 18.00063(2021-04-21 01:15)
IPS-ETDB: 0.00000(2001-01-01 00:00)
APP-DB: 18.00062(2021-04-20 00:12)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
Serial-Number: FGT30E5619024321
Botnet DB: 4.00689(2021-04-15 00:06)
BIOS version: 05000016
System Part-Number: P17455-05
Log hard disk: Not available
Hostname: WPD_FORTI-DC
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 5
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 1142
Release Version Information: GA
System time: Thu Apr 29 08:48:36 2021

garry3peace

My FortiGate doesn't have "show firewall policy"; instead it is "show firewall security-policy". Here it is:

# show firewall security-policy 33
config firewall security-policy
    edit 33
        set uuid eabc671a-a6fc-51eb-306a-97212015e312
        set name "SITE1_TO_SITE2"
        set srcintf "lan4"
        set dstintf "MY_VPN"
        set srcaddr4 "all"
        set dstaddr4 "all"
        set enforce-default-app-port disable
        set service "ALL"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end
