
I am trying to configure a site to site VPN with a FortiWifi 60C (on my end) to a Checkpoint Firewall. I have an error message in my logs that there is a policy mismatch in Phase 1. The engineer on the other end says that there is nothing in his logs to indicate a problem, but the error message is coming from his firewall. I'm stuck trying to figure out what the issue is, and without help from their engineer, I am stuck. Hoping you all might be able to come up with some suggestions. Below is the output from the FortiWifi 60C:

date= time=09:52:36 logid=0101037128 type=event subtype=vpn level=error vd="root" logdesc="progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip= locip=67.53.XXX.XXX remport=500 locport=500 outintf="wan1" cookies="40b9e860259787fa/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status=failure init=remote mode=main dir=inbound stage=1 role=responder result=ERROR
date= time=09:52:36 logid=0101037124 type=event subtype=vpn level=error vd="root" logdesc="IPsec phase 1 error" msg="IPsec phase 1 error" action=negotiate remip= locip=67.53.XXX.XXX remport=500 locport=500 outintf="wan1" cookies="40b9e860259787fa/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status=negotiate_error reason="peer SA proposal not match local policy" peer_notif="NOT-APPLICABLE"

Graeme.N wrote:
And while you are at it, check the phase 2 settings as well - if you have phase 1 settings that are mismatched, you are likely to have phase 2 settings that are mismatched as well.

When you set up a VPN between firewalls from the same vendor, you will usually be offered the same default SAs (Phase 1/2 parameters). So you don't run into mismatches so fast. When you establish a VPN with a 3rd party, especially when this one uses a different brand (or sometimes version) of VPN gateway device, this one will usually have different defaults for all these Phase 1/2 parameters. So the best practice is to exchange a document where one side writes down the parameters he proposes for the connection, including some alternative parameters his gear supports. Usually one will write down the defaults that show up when he configures the VPN and ask the other side if it supports the same parameters and agrees to use these settings. The alternative parameters are useful when the other side does not support the proposed parameter, so he can check which of the alternative parameters might be supported on his gear. Sometimes the parameters have a slightly different name, but in general it's not too hard to guess the 'translation'. If you want the VPN to work, all the parameters have to match on both sides.

I performed a packet capture yesterday and found that the two firewalls are communicating. It looks like the Algorithm for AES is not correct.
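The thread boils down to two checks: confirm from the FortiGate log that the phase 1 failure really is a proposal mismatch, then line up both sides' Phase 1 parameters even though the two vendors spell them differently. The script below is an added example and is not code from the thread, from Fortinet or from Check Point. The FortiGate and Check Point spellings in its translation tables are illustrative assumptions (extend them for your gear), and the sample log line is constructed, modelled on the one posted but with RFC 5737 documentation addresses.

```python
"""Added example: triage a FortiGate IKE phase 1 failure and compare the two
sides' Phase 1 proposals.  Not code from the forum thread or from either vendor;
the vendor spellings and the sample log line are illustrative assumptions."""
import itertools
import re
from dataclasses import dataclass

# ---------- Part 1: confirm what the FortiGate log is complaining about ----------

# key=value pairs; values may be double-quoted (and contain spaces) or empty.
_KV = re.compile(r'(\w+)=("[^"]*"|\S*)')

def parse_fortilog(line):
    """Split a FortiGate key=value event-log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def phase1_proposal_mismatch(line):
    """True when the line is an IPsec phase 1 error caused by a proposal mismatch."""
    f = parse_fortilog(line)
    return (f.get("subtype") == "vpn"
            and f.get("logdesc") == "IPsec phase 1 error"
            and "proposal not match" in f.get("reason", ""))

# Constructed sample, modelled on the line in the post (RFC 5737 addresses).
SAMPLE_LOG = ('date=2020-01-01 time=09:52:36 logid=0101037124 type=event subtype=vpn '
              'level=error vd="root" logdesc="IPsec phase 1 error" action=negotiate '
              'remip=203.0.113.10 locip=198.51.100.5 remport=500 locport=500 '
              'status=negotiate_error reason="peer SA proposal not match local policy"')

# ---------- Part 2: translate both sides' Phase 1 parameters and compare ----------

# Vendor spellings -> canonical form.  Illustrative assumptions, not exhaustive.
_ENC = {"aes256": "aes-256", "aes-256": "aes-256",
        "aes128": "aes-128", "aes-128": "aes-128",
        "3des": "3des", "des3": "3des"}
_HASH = {"sha1": "sha1", "sha-1": "sha1",
         "sha256": "sha256", "sha-256": "sha256", "md5": "md5"}
# MODP size -> IANA DH group number, for gear that names groups by bit length.
_MODP = {768: 1, 1024: 2, 1536: 5, 2048: 14, 3072: 15, 4096: 16}

def _canon(table, value, what):
    try:
        return table[value.lower()]
    except KeyError:
        raise ValueError(f"unknown {what} spelling: {value!r}") from None

def norm_dh(value):
    """'14', 'Group 14 (2048 bit)' or 'modp2048' -> 14."""
    s = str(value).lower()
    m = re.search(r"group\s*(\d+)|^(\d+)$", s)
    if m:
        return int(m.group(1) or m.group(2))
    m = re.search(r"modp(\d+)", s)
    if m:
        return _MODP[int(m.group(1))]
    raise ValueError(f"unrecognised DH group: {value!r}")

@dataclass(frozen=True)
class Proposal:
    enc: str
    integ: str
    dh: int
    auth: str   # "psk" or "rsa"; must match too, but is rarely the culprit

def fortigate_proposals(proposal, dhgrp, auth="psk"):
    """Expand FortiGate 'set proposal aes256-sha256 aes128-sha1' and 'set dhgrp 14 5'."""
    pairs = [p.split("-", 1) for p in proposal.split()]
    return {Proposal(_canon(_ENC, e, "encryption"), _canon(_HASH, h, "hash"), norm_dh(g), auth)
            for (e, h), g in itertools.product(pairs, dhgrp.split())}

def checkpoint_proposals(encs, hashes, groups, auth="psk"):
    """Check Point offers every combination of its encryption, integrity and DH lists."""
    return {Proposal(_canon(_ENC, e, "encryption"), _canon(_HASH, h, "hash"), norm_dh(g), auth)
            for e, h, g in itertools.product(encs, hashes, groups)}

def diagnose(local, peer):
    """Return (first common proposal or None, attributes with no overlap at all)."""
    common = sorted(local & peer, key=lambda p: (p.enc, p.integ, p.dh, p.auth))
    gaps = [a for a in ("enc", "integ", "dh", "auth")
            if not {getattr(p, a) for p in local} & {getattr(p, a) for p in peer}]
    return (common[0] if common else None), gaps

if __name__ == "__main__":
    print("proposal mismatch in log:", phase1_proposal_mismatch(SAMPLE_LOG))
    cp = checkpoint_proposals(["AES-256"], ["SHA256"], ["Group 14 (2048 bit)"])
    print(diagnose(fortigate_proposals("aes256-sha256 aes128-sha1", "5"), cp))
    print(diagnose(fortigate_proposals("aes256-sha256 aes128-sha1", "14 5"), cp))
```

Feed `diagnose()` the parameter document both sides exchanged: a non-empty `gaps` list names the attribute that can never match (the DH group in the sample), while `None` with an empty list means each attribute overlaps somewhere but no single combination does, which is the case to look for when both sides list several proposals. Lifetime is deliberately left out of the comparison; once phase 1 comes up, repeat the same exercise for the phase 2 (IPsec) proposals, as the reply above advises.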
