I'm configuring a new IKEv2 site-to-site VPN on a Cisco 2921 to a customer/3rd party Cisco ASA; we're running both IKEv1 + IKEv2 VPNs on here at the moment.

It seems like the newly configured VPN isn't using the configured IKEv2 policy/proposal and looks like it's defaulting to the 'Smart Default' settings.

```
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
 last transform: 0x3, reserved: 0x0: length: 12
 last transform: 0x3, reserved: 0x0: length: 8
 last transform: 0x0, reserved: 0x0: length: 8
   type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group
KE Next payload: N, reserved: 0x0, length: 136
N Next payload: VID, reserved: 0x0, length: 36
VID Next payload: VID, reserved: 0x0, length: 23
VID Next payload: NOTIFY, reserved: 0x0, length: 21
NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
 Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_SOURCE_IP
NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: NONE, reserved: 0x0, length: 28
 Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_DESTINATION_IP

Initiator SPI : A7B3A162BD1F8B21 - Responder SPI : A5C59A29D3E3BB9A Message id: 0
NOTIFY(NO_PROPOSAL_CHOSEN) Next payload: NONE, reserved: 0x0, length: 8
 Security protocol id: IKE, spi size: 0, type: NO_PROPOSAL_CHOSEN
```

The 'no proposal chosen' error is the one that's causing me a bit of a headache.

```
crypto ipsec transform-set esp-aes 256 esp-sha256-hmac
set security-association lifetime seconds 86400
crypto map outside_map 10 match address Enc_Domain
crypto map outside_map 10 set ikev2 ipsec-proposal 5
crypto map outside_map 10 set pfs group19
```

The customer has sent me their config and it looks like it matches mine. Is there anything missing? I feel like I'm chasing shadows with this one at the moment. Seems like the router is just ignoring the proposal/policy?
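The NOTIFY(NO_PROPOSAL_CHOSEN) in the debug above is the responder applying the RFC 7296 rule: it walks the initiator's proposals in order and must take exactly one transform of every type (ENCR, PRF, INTEG, D-H, and ESN for ESP) from a single proposal that its own policy allows; if no proposal qualifies it answers NO_PROPOSAL_CHOSEN. The following Python is an added example that models that selection and reports which transform type has no common value. It is not from the original post, Cisco, or any product. The transform lists are constructed: the only values taken from the post are the 1024-bit MODP group (group 2) the router offered in its single four-transform proposal and the AES-256/SHA-256/group 19 in the crypto map. The ASA's IKEv2 policy itself is not in the post, so treating it as group-19-only is an assumption, and the ESP case without PFS is a second assumed scenario, not something the post shows.

```python
"""IKEv2 proposal selection (RFC 7296 section 3.3) and NO_PROPOSAL_CHOSEN diagnosis.
Added example; transform identifiers and policies below are constructed, see lead-in."""
from dataclasses import dataclass

# Transform types a proposal can carry. IKE proposals use the first four; ESP uses
# ENCR, INTEG, ESN and, only when PFS is configured, DH. PRF never appears in ESP.
TRANSFORM_TYPES = ("ENCR", "PRF", "INTEG", "DH", "ESN")


@dataclass
class Proposal:
    """One SA proposal: protocol plus, per transform type, acceptable ids in preference order."""
    number: int
    protocol: str      # "IKE" for IKE_SA_INIT, "ESP" for CREATE_CHILD_SA
    transforms: dict   # e.g. {"ENCR": ["AES-CBC-256"], "DH": ["ECP-256", "MODP-1024"]}


def _match_one(offered, allowed):
    """Pick one transform per type from `offered` that `allowed` also lists.
    Returns (chosen, failed_types); a type absent on both sides is simply not negotiated."""
    chosen, failed = {}, []
    for ttype in TRANSFORM_TYPES:
        off = offered.transforms.get(ttype, [])
        alw = allowed.transforms.get(ttype, [])
        if not off and not alw:
            continue
        pick = next((t for t in off if t in alw), None)
        if pick is None:
            failed.append(ttype)      # includes the case where only one side lists the type
        else:
            chosen[ttype] = pick
    return chosen, failed


def select_proposal(initiator_proposals, responder_policies):
    """Responder side of RFC 7296 3.3: first initiator proposal from which one transform of
    every type can be taken under some local policy wins. None means NOTIFY(NO_PROPOSAL_CHOSEN)."""
    for prop in initiator_proposals:
        for policy in responder_policies:
            if policy.protocol != prop.protocol:
                continue
            chosen, failed = _match_one(prop, policy)
            if not failed:
                return prop.number, chosen
    return None


def diagnose(initiator_proposals, responder_policies):
    """Explain a NO_PROPOSAL_CHOSEN: for each proposal/policy pair of the same protocol,
    name every transform type with no common value and show both sides' lists."""
    report = []
    for prop in initiator_proposals:
        for policy in responder_policies:
            if policy.protocol != prop.protocol:
                continue
            _, failed = _match_one(prop, policy)
            for ttype in failed:
                report.append(
                    f"proposal {prop.number} vs policy {policy.number}: no common {ttype} "
                    f"(offered {prop.transforms.get(ttype, [])}, allowed {policy.transforms.get(ttype, [])})"
                )
    return report


# Constructed: what the router put in IKE_SA_INIT, one proposal with four transforms and
# DH = 1024-bit MODP (group 2) as in the debug; the cipher/PRF/integrity ids are assumed.
ROUTER_IKE = [Proposal(1, "IKE", {"ENCR": ["AES-CBC-256"], "PRF": ["HMAC-SHA2-256"],
                                  "INTEG": ["HMAC-SHA2-256-128"], "DH": ["MODP-1024"]})]
# Assumed ASA IKEv2 policy: same cipher and hash, but only DH group 19 (ECP-256).
ASA_IKE_POLICY = [Proposal(10, "IKE", {"ENCR": ["AES-CBC-256"], "PRF": ["HMAC-SHA2-256"],
                                       "INTEG": ["HMAC-SHA2-256-128"], "DH": ["ECP-256"]})]
# Corrected router proposal: group 19 offered first, group 2 kept as a fallback.
ROUTER_IKE_FIXED = [Proposal(1, "IKE", {"ENCR": ["AES-CBC-256"], "PRF": ["HMAC-SHA2-256"],
                                        "INTEG": ["HMAC-SHA2-256-128"], "DH": ["ECP-256", "MODP-1024"]})]
# Assumed child-SA case: the crypto map sets 'pfs group19', so the ASA expects a DH transform in
# the ESP proposal; a router ESP proposal without PFS carries none and fails the same way.
ROUTER_ESP_NO_PFS = [Proposal(1, "ESP", {"ENCR": ["AES-CBC-256"], "INTEG": ["HMAC-SHA2-256-128"],
                                         "ESN": ["NO_ESN"]})]
ASA_ESP_POLICY = [Proposal(10, "ESP", {"ENCR": ["AES-CBC-256"], "INTEG": ["HMAC-SHA2-256-128"],
                                       "DH": ["ECP-256"], "ESN": ["NO_ESN"]})]

if __name__ == "__main__":
    print("IKE:", select_proposal(ROUTER_IKE, ASA_IKE_POLICY), diagnose(ROUTER_IKE, ASA_IKE_POLICY))
    print("IKE fixed:", select_proposal(ROUTER_IKE_FIXED, ASA_IKE_POLICY))
    print("ESP:", select_proposal(ROUTER_ESP_NO_PFS, ASA_ESP_POLICY), diagnose(ROUTER_ESP_NO_PFS, ASA_ESP_POLICY))
```

Feed `diagnose` the transforms from both sides' `show crypto ikev2 proposal` / `show crypto ikev2 policy` (or the ASA's `show run crypto`) and it names the type that is unmatched, which a bare NO_PROPOSAL_CHOSEN never does. Note that the responder also refuses a proposal whose DH group it could accept but that is not the one it was configured to require, so the group ordering on the initiator matters only among groups the responder allows.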
After a period of the IPsec tunnel being successfully up and working between Azure VPN Gateway and a FortiGate 200E firewall running FortiOS v6.4.4 build1803 (GA), the tunnel drops and does not re-establish itself for a while (in my case about an hour) and then resumes again as if nothing happened.

The FortiGate log file contains the following useful entries, of which the error "peer SA proposal not match local policy" is indicative:

```
date= time=04:22:03 eventtime=1609618924346452242 tz="+0800" logid="0101037129" type="event" subtype="vpn" level="notice" vd="root" logdesc="Progress IPsec phase 2" msg="progress IPsec phase 2" action="negotiate" remip=1.2.3.4 locip=5.6.7.8 remport=500 locport=500 outintf="wan1" cookies="xxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxx" user="N/A" group="N/A" useralt="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="AZURE-XYZ" status="success" init="remote" exch="CREATE_CHILD" dir="outbound" role="responder" result="DONE" version="IKEv2"
date= time=04:22:03 eventtime=1609618924346420462 tz="+0800" logid="0101037125" type="event" subtype="vpn" level="error" vd="root" logdesc="IPsec phase 2 error" msg="IPsec phase 2 error" action="negotiate" remip=1.2.3.4 locip=5.6.7.8 remport=500 locport=500 outintf="wan1" cookies="xxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxx" user="N/A" group="N/A" useralt="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="AZURE-XYZ" status="negotiate_error" reason="peer SA proposal not match local policy"
date= time=04:22:03 eventtime=1609618924346376500 tz="+0800" logid="0101037120" type="event" subtype="vpn" level="notice" vd="root" logdesc="Negotiate IPsec phase 1" msg="negotiate IPsec phase 1" action="negotiate" remip=1.2.3.4 locip=5.6.7.8 remport=500 locport=500 outintf="wan1" cookies="xxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxx" user="N/A" group="N/A" useralt="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="AZURE-XYZ" status="success" result="N/A" peer_notif="N/A"
```

Azure VPN Gateway contains no useful diagnostics. Bit of a strange one.
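The three log lines above share one IKE SA (same cookies) and land in the same second: a remote-initiated CREATE_CHILD exchange next to a phase-2 negotiate_error, which is the signature of a rekey the peer proposed with a child-SA proposal the local phase-2 policy does not accept. The following Python is an added example, not from the original post, Fortinet or Microsoft, that parses FortiOS key=value event lines (values with spaces are double-quoted), groups them by cookies and flags phase-2 errors that coincide with a CREATE_CHILD exchange. The sample lines are constructed from the fields shown in the post (the second tunnel, BRANCH-XYZ, and its cookies are invented to show the non-rekey case); the logid values 0101037125 and 0101037129 are taken from the post's lines, and the 5-second correlation window is an assumption.

```python
"""Correlate FortiOS IPsec phase-2 errors with CREATE_CHILD (rekey) exchanges on the same IKE SA.
Added example; sample log lines are constructed, see lead-in."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# FortiOS event logs are space-separated key=value pairs; a value containing spaces is double-quoted.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# logid values as they appear in the post's log lines.
PHASE2_ERROR = "0101037125"     # logdesc="IPsec phase 2 error"
PHASE2_PROGRESS = "0101037129"  # logdesc="Progress IPsec phase 2"


def parse_fortios_line(line):
    """Turn one FortiOS log line into a dict, stripping the quotes from quoted values."""
    fields = {}
    for key, val in _KV.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def find_rekey_mismatches(lines, window_s=5):
    """One finding per phase-2 negotiate_error. during_rekey is True when a CREATE_CHILD progress
    event for the same IKE SA (same cookies) lies within window_s seconds of the error."""
    events = [parse_fortios_line(l) for l in lines]
    by_sa = defaultdict(list)
    for e in events:
        by_sa[e.get("cookies")].append(e)
    findings = []
    for e in events:
        if e.get("logid") != PHASE2_ERROR:
            continue
        t_ns = int(e["eventtime"])  # eventtime is epoch time in nanoseconds
        rekeys = [p for p in by_sa[e.get("cookies")]
                  if p.get("logid") == PHASE2_PROGRESS and p.get("exch") == "CREATE_CHILD"
                  and abs(int(p["eventtime"]) - t_ns) <= window_s * 10**9]
        findings.append({
            "tunnel": e.get("vpntunnel"),
            "peer": e.get("remip"),
            "utc": datetime.fromtimestamp(t_ns // 10**9, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "reason": e.get("reason"),
            "during_rekey": bool(rekeys),
            "rekey_initiated_by": rekeys[0].get("init") if rekeys else None,
        })
    return findings


# Constructed sample: the post's three AZURE-XYZ lines (trimmed of N/A fields) plus one invented
# phase-2 error on another tunnel with no CREATE_CHILD nearby.
SAMPLE_LOGS = [
    'date= time=04:22:03 eventtime=1609618924346452242 tz="+0800" logid="0101037129" type="event" subtype="vpn" level="notice" vd="root" logdesc="Progress IPsec phase 2" msg="progress IPsec phase 2" action="negotiate" remip=1.2.3.4 locip=5.6.7.8 remport=500 locport=500 outintf="wan1" cookies="xxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxx" vpntunnel="AZURE-XYZ" status="success" init="remote" exch="CREATE_CHILD" dir="outbound" role="responder" result="DONE" version="IKEv2"',
    'date= time=04:22:03 eventtime=1609618924346420462 tz="+0800" logid="0101037125" type="event" subtype="vpn" level="error" vd="root" logdesc="IPsec phase 2 error" msg="IPsec phase 2 error" action="negotiate" remip=1.2.3.4 locip=5.6.7.8 remport=500 locport=500 outintf="wan1" cookies="xxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxx" vpntunnel="AZURE-XYZ" status="negotiate_error" reason="peer SA proposal not match local policy"',
    'date= time=04:22:03 eventtime=1609618924346376500 tz="+0800" logid="0101037120" type="event" subtype="vpn" level="notice" vd="root" logdesc="Negotiate IPsec phase 1" msg="negotiate IPsec phase 1" action="negotiate" remip=1.2.3.4 locip=5.6.7.8 remport=500 locport=500 outintf="wan1" cookies="xxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxx" vpntunnel="AZURE-XYZ" status="success" result="N/A" peer_notif="N/A"',
    'date= time=04:22:10 eventtime=1609618930000000000 tz="+0800" logid="0101037125" type="event" subtype="vpn" level="error" vd="root" logdesc="IPsec phase 2 error" msg="IPsec phase 2 error" action="negotiate" remip=9.9.9.9 locip=5.6.7.8 remport=500 locport=500 outintf="wan1" cookies="yyyyyyyyyyyyyyyy/yyyyyyyyyyyyyyyy" vpntunnel="BRANCH-XYZ" status="negotiate_error" reason="peer SA proposal not match local policy"',
]

if __name__ == "__main__":
    for f in find_rekey_mismatches(SAMPLE_LOGS):
        print(f)
```

Run it over a `diagnose debug application ike` capture or an exported event log and the `rekey_initiated_by` field tells you which side proposed the child SA that was refused; when it is the remote side at a regular interval, the next thing to compare is each side's phase-2 proposal, PFS group and traffic selectors, since the initial negotiation can succeed on a proposal that the peer's later rekey no longer offers.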