Fortinet vpn no sa proposal chosen
I had an IPsec VPN set up from my 32-bit pfSense laptop at home to a Cisco IOS router at work. Everything seemed to be working fine, even after upgrading to 2.2. I recently decided it would be better to switch that connection to another device at work that has a faster internet connection, which is a Cisco ASA5512 running software version 9.0(4).

I was able to configure both sides and get the tunnel up, but noticed some inconsistent behavior where the tunnel rarely wouldn't work.

After some testing, it looks like if the ASA initiates the connection (pfSense is the responder) the tunnel comes up fine. If I initiate the tunnel on the pfSense side by clicking the connect button on the IPsec status page, the tunnel works. However, if I try to initiate the tunnel by pinging an address at work, either from a PC at home or using the Diagnostics: Ping page choosing LAN as the source, I noticed I was getting no traffic.

When I checked the status page, it was showing the phase 1 entry with the green icon, but there were no phase 2 entries. In the log, I noticed this:

```
Mar 18 08:31:53 charon: 11 received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Mar 18 08:31:53 charon: 11 failed to establish CHILD_SA, keeping IKE_SA
```

When I first noticed the issue I had seen some other threads mention this exact same thing, but I can't find them now. I decided to wait until 2.2.1 came out to see if it addressed the issue, since there were some IPsec fixes coming, but after upgrading to 2.2.1 yesterday the issue persists. Most of the time my side ends up being the responder, so my connection stays up; at least it's not causing a continuous issue with the connection.

Phase 1 and 2 encryption, hashing, DH and PFS groups and lifetime all match. If something didn't match, I would assume the tunnel would never come up, but it seems, as the other threads had mentioned and I discovered myself, that the negotiation from pfSense sends something different depending on how you initiate the tunnel. I tried looking at the current open IPsec bugs and saw there was something to do with ASAs and the Unity plugin, so I tried disabling that after the 2.2.1 update, but that didn't help.

I set all of the debugs to the recommended settings and attempted to start a tunnel using the connect button on the status page, and another time doing a ping from my local PC. In the IKE log section, I noticed there is a difference in that one has:

```
Mar 30 20:10:43 charon: 09 establishing CHILD_SA con3
```

Also, I see where things get different in the NET section. The IPs have been changed to SOURCEPUBIP and REMOTEPUBIP.

```
Mar 30 20:06:48 charon: 12 sending packet: from SOURCEPUBIP to REMOTEPUBIP (304 bytes)
Mar 30 20:06:48 charon: 12 received packet: from REMOTEPUBIP to SOURCEPUBIP (160 bytes)
Mar 30 20:06:48 charon: 12 parsed IKE_AUTH response 1
Mar 30 20:06:48 charon: 12 authentication of 'REMOTEPUBIP' with pre-shared key successful
```

```
Mar 30 20:10:43 charon: 09 sending packet: from SOURCEPUBIP to REMOTEPUBIP (272 bytes)
Mar 30 20:10:43 charon: 09 received packet: from REMOTEPUBIP to SOURCEPUBIP (256 bytes)
Mar 30 20:10:43 charon: 09 parsed IKE_AUTH response 1
Mar 30 20:10:43 charon: 09 received ESP_TFC_PADDING_NOT_SUPPORTED notify
Mar 30 20:10:43 charon: 09 received NON_FIRST_FRAGMENTS_ALSO notify
Mar 30 20:10:43 charon: 09 authentication of 'REMOTEPUBIP' with pre-shared key successful
```

I noticed it seems the number of bytes sent is different. After that, I'm not sure why it appears the ASA returns no proposal from the ping initiation vs a proposal from the connect initiation. I tried doing the connect multiple times and came up with the same numbers, and tried different ways to initiate the tunnel, like with remote desktop, and came up with the same number of bytes sent as the ping attempt.
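As an added example, not part of the original forum post, the following Python script parses strongSwan `charon` log lines of the kind quoted above, groups them by the worker thread number that follows `charon:`, and summarizes each negotiation: packet sizes sent and received, notify payloads the peer returned, the CHILD_SA name being established, and whether IKE_AUTH completed or the CHILD_SA was rejected with NO_PROPOSAL_CHOSEN. The sample log is constructed from the lines in the post, with the poster's SOURCEPUBIP/REMOTEPUBIP placeholders kept; the function names and verdict strings are this example's own, not pfSense or strongSwan APIs.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the charon lines quoted in the post, in chronological order.
# SOURCEPUBIP / REMOTEPUBIP are the poster's placeholders for the real addresses.
SAMPLE_LOG = """
Mar 18 08:31:53 charon: 11 received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Mar 18 08:31:53 charon: 11 failed to establish CHILD_SA, keeping IKE_SA
Mar 30 20:06:48 charon: 12 sending packet: from SOURCEPUBIP to REMOTEPUBIP (304 bytes)
Mar 30 20:06:48 charon: 12 received packet: from REMOTEPUBIP to SOURCEPUBIP (160 bytes)
Mar 30 20:06:48 charon: 12 parsed IKE_AUTH response 1
Mar 30 20:06:48 charon: 12 authentication of 'REMOTEPUBIP' with pre-shared key successful
Mar 30 20:10:43 charon: 09 establishing CHILD_SA con3
Mar 30 20:10:43 charon: 09 sending packet: from SOURCEPUBIP to REMOTEPUBIP (272 bytes)
Mar 30 20:10:43 charon: 09 received packet: from REMOTEPUBIP to SOURCEPUBIP (256 bytes)
Mar 30 20:10:43 charon: 09 parsed IKE_AUTH response 1
Mar 30 20:10:43 charon: 09 received ESP_TFC_PADDING_NOT_SUPPORTED notify
Mar 30 20:10:43 charon: 09 received NON_FIRST_FRAGMENTS_ALSO notify
Mar 30 20:10:43 charon: 09 authentication of 'REMOTEPUBIP' with pre-shared key successful
"""

# "<Mon> <day> <hh:mm:ss> charon: <thread> <message>"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) charon: (?P<tid>\d+) (?P<msg>.*)$")
PACKET_RE = re.compile(r"^(?P<dir>sending|received) packet: from (?P<src>\S+) to (?P<dst>\S+) \((?P<size>\d+) bytes\)$")
NOTIFY_RE = re.compile(r"^received (?P<name>[A-Z_]+) notify")


@dataclass
class Exchange:
    """Everything one charon worker thread logged for one negotiation."""
    thread: str
    sent: List[int] = field(default_factory=list)      # bytes of each packet we sent
    received: List[int] = field(default_factory=list)  # bytes of each packet we got back
    notifies: List[str] = field(default_factory=list)  # notify payloads the peer sent
    child_sa: Optional[str] = None                     # CHILD_SA name being established
    authenticated: bool = False                        # IKE_AUTH (phase 1) completed
    child_sa_failed: bool = False                      # CHILD_SA (phase 2) rejected
    ike_sa_failed: bool = False                        # proposal rejected before any CHILD_SA


def parse_charon_log(text: str) -> Dict[str, Exchange]:
    """Group charon lines by worker thread and extract the fields above."""
    exchanges: Dict[str, Exchange] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a charon line (blank, or another daemon)
        ex = exchanges.setdefault(m["tid"], Exchange(m["tid"]))
        msg = m["msg"]
        pm = PACKET_RE.match(msg)
        if pm:
            (ex.sent if pm["dir"] == "sending" else ex.received).append(int(pm["size"]))
            continue
        nm = NOTIFY_RE.match(msg)
        if nm:
            ex.notifies.append(nm["name"])
            if nm["name"] == "NO_PROPOSAL_CHOSEN":
                # charon appends "no CHILD_SA built" when the rejection hit phase 2
                if "CHILD_SA" in msg:
                    ex.child_sa_failed = True
                else:
                    ex.ike_sa_failed = True
            continue
        if msg.startswith("establishing CHILD_SA "):
            ex.child_sa = msg.split()[-1]
        elif msg.startswith("failed to establish CHILD_SA"):
            ex.child_sa_failed = True
        elif msg.endswith("with pre-shared key successful"):
            ex.authenticated = True
    return exchanges


def diagnose(exchanges: Dict[str, Exchange]) -> Dict[str, str]:
    """One verdict string per thread (wording is this example's own)."""
    verdicts = {}
    for tid, ex in exchanges.items():
        if ex.child_sa_failed:
            verdicts[tid] = ("NO_PROPOSAL_CHOSEN: IKE_SA kept, CHILD_SA rejected "
                             "(compare phase 2 proposal and traffic selectors on both peers)")
        elif ex.ike_sa_failed:
            verdicts[tid] = "NO_PROPOSAL_CHOSEN before CHILD_SA: phase 1 proposal mismatch"
        elif ex.authenticated:
            verdicts[tid] = "IKE_AUTH succeeded"
        else:
            verdicts[tid] = "incomplete"
    return verdicts


def request_sizes(exchanges: Dict[str, Exchange]) -> Dict[str, int]:
    """First packet we sent per thread; differing sizes mean differing payload sets."""
    return {tid: ex.sent[0] for tid, ex in exchanges.items() if ex.sent}


if __name__ == "__main__":
    parsed = parse_charon_log(SAMPLE_LOG)
    for tid, verdict in diagnose(parsed).items():
        ex = parsed[tid]
        print(f"thread {tid}: sent={ex.sent} recv={ex.received} child_sa={ex.child_sa} "
              f"notifies={ex.notifies} -> {verdict}")
    print("request sizes:", request_sizes(parsed))
```

Run against the real log, `request_sizes` gives the 304 vs 272 byte difference the poster spotted without reading the lines by hand, and `diagnose` separates a phase 2 rejection (IKE_SA kept, which is exactly the green phase 1 icon with no phase 2 entries) from a phase 1 one. A different request size only tells you the IKE_AUTH payloads differ between the two initiation paths; which payload changed (proposals, traffic selectors, or notifies) is only visible in the full IKE debug output, so that is the next thing to compare.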