PF-60D IPSEC tunnel SA error



  • Hello Everyone,

I am trying to build an IPsec tunnel between my pfSense firewall and a FortiGate 60D firewall, but it is not working and I am having a hard time understanding the reason for that.

Logs in PF are showing an invalid SA (it always checks out in this phase), and I checked everything related to the SA and couldn't find any mismatch.

I tried to build another tunnel with a Juniper SSG20 with the same result, except that the SSG20 logs didn't show anything from the tunnel; it is like it is a ghost :o

Attached are the ph1, ph2 and log config for the pf side. Also attached are the 60D logs, and the configs are below.

```
    edit "VPN-xxxx"
        set type ddns
        set interface "wan1"
        set proposal 3des-sha1
        set comments "for test purpose"
        set dhgrp 2
        set remotegw-ddns "xxxx"
        set psksecret ENC xxxx
    next
end

    edit "VPN-xxxxx"
        set phase1name "VPN-xxxxx"
        set proposal 3des-sha1
        set pfs disable
        set keylifeseconds 3600
        set src-subnet 172.16.208.0 255.255.255.0
        set dst-subnet 172.16.206.0 255.255.255.0
    next
end
```

![phase1.jpg](/public/_imported_attachments_/1/phase1.jpg)
    ![phase2.jpg](/public/_imported_attachments_/1/phase2.jpg)
    ![pf logs.jpg](/public/_imported_attachments_/1/pf logs.jpg)
    ![60D logs.jpg](/public/_imported_attachments_/1/60D logs.jpg)


  • Can anyone at least guide me to the right location for the material regarding IPsec troubleshooting in pfSense?


  • Rebel Alliance Developer Netgate

    https://doc.pfsense.org/index.php/IPsec_Troubleshooting

    Set the log options as described there and see if you can initiate from the Fortigate side. Even if it doesn't work, the logs will be much more useful in that direction.

    Odds are you have a P1 or P2 mismatch.
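The reply above says the likely cause is a P1 or P2 mismatch, and the first post contains the FortiGate side of the tunnel. The script below is an added example (not code from pfSense, Netgate, Fortinet or the poster) that parses that FortiGate fragment and checks it parameter by parameter against a pfSense-side description: proposal, DH group, PFS, lifetime, and whether the phase 2 selectors are mirrored. It assumes the `config vpn ipsec phase1` / `phase2` headers that the post omits, and the pfSense-side values are constructed sample input (the real ones are only in the screenshots); a PFS mismatch is planted in that sample purely to show how the check reports one.

```python
"""Added example: FortiGate vs pfSense IPsec parameter check.

FORTIGATE_CONFIG is the fragment from the thread with assumed section
headers. PFSENSE_P1/P2 are constructed sample values, not the real ones.
"""
import ipaddress

FORTIGATE_CONFIG = """\
config vpn ipsec phase1
    edit "VPN-xxxx"
        set type ddns
        set interface "wan1"
        set proposal 3des-sha1
        set comments "for test purpose"
        set dhgrp 2
        set remotegw-ddns "xxxx"
    next
end
config vpn ipsec phase2
    edit "VPN-xxxxx"
        set phase1name "VPN-xxxxx"
        set proposal 3des-sha1
        set pfs disable
        set keylifeseconds 3600
        set src-subnet 172.16.208.0 255.255.255.0
        set dst-subnet 172.16.206.0 255.255.255.0
    next
end
"""

# Constructed pfSense side. pfs=None means "PFS key group: off"; an integer
# is the DH group. PFS is deliberately set to group 2 here to plant a mismatch.
PFSENSE_P1 = {"enc": "3des", "hash": "sha1", "dhgrp": 2}
PFSENSE_P2 = {"enc": "3des", "hash": "sha1", "pfs": 2, "lifetime": 3600,
              "local": "172.16.206.0/24", "remote": "172.16.208.0/24"}


def parse_fortios(text):
    """Parse FortiOS config/edit/set/next/end blocks into
    {section: {entry_name: {key: [values]}}}."""
    result, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
            result.setdefault(section, {})
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
            result[section][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, *values = line[len("set "):].split()
            result[section][entry][key] = [v.strip('"') for v in values]
        elif line == "next":
            entry = None
        elif line == "end":
            section = None
    return result


def forti_subnet(values):
    """`set src-subnet 172.16.208.0 255.255.255.0` -> IPv4Network."""
    return ipaddress.ip_network(f"{values[0]}/{values[1]}", strict=False)


def compare(forti, pf_p1, pf_p2):
    """Return mismatch descriptions; an empty list means both sides agree
    on every parameter this check covers."""
    p1 = next(iter(forti["vpn ipsec phase1"].values()))
    p2 = next(iter(forti["vpn ipsec phase2"].values()))
    problems = []
    # FortiOS writes a proposal as an enc-hash pair such as "3des-sha1".
    p1_prop = tuple(p1["proposal"][0].split("-"))
    if p1_prop != (pf_p1["enc"], pf_p1["hash"]):
        problems.append(f"P1 proposal: FortiGate {p1_prop} vs pfSense {(pf_p1['enc'], pf_p1['hash'])}")
    if int(p1["dhgrp"][0]) != pf_p1["dhgrp"]:
        problems.append(f"P1 DH group: FortiGate {p1['dhgrp'][0]} vs pfSense {pf_p1['dhgrp']}")
    p2_prop = tuple(p2["proposal"][0].split("-"))
    if p2_prop != (pf_p2["enc"], pf_p2["hash"]):
        problems.append(f"P2 proposal: FortiGate {p2_prop} vs pfSense {(pf_p2['enc'], pf_p2['hash'])}")
    # `set pfs disable` means no PFS; when enabled, the group is the phase2 dhgrp.
    if p2.get("pfs", ["enable"])[0] == "disable":
        forti_pfs = None
    else:
        forti_pfs = int(p2["dhgrp"][0]) if "dhgrp" in p2 else "enabled (group not shown)"
    if forti_pfs != pf_p2["pfs"]:
        problems.append(f"P2 PFS: FortiGate {forti_pfs} vs pfSense {pf_p2['pfs']}")
    if int(p2["keylifeseconds"][0]) != pf_p2["lifetime"]:
        problems.append(f"P2 lifetime: FortiGate {p2['keylifeseconds'][0]}s vs pfSense {pf_p2['lifetime']}s")
    # Phase 2 selectors must be mirrored: FortiGate src is the pfSense remote
    # network and FortiGate dst is the pfSense local network.
    if forti_subnet(p2["src-subnet"]) != ipaddress.ip_network(pf_p2["remote"]):
        problems.append("P2 selectors: FortiGate src-subnet must equal the pfSense remote network")
    if forti_subnet(p2["dst-subnet"]) != ipaddress.ip_network(pf_p2["local"]):
        problems.append("P2 selectors: FortiGate dst-subnet must equal the pfSense local network")
    return problems


def check(pf_p1=PFSENSE_P1, pf_p2=PFSENSE_P2, config=FORTIGATE_CONFIG):
    return compare(parse_fortios(config), pf_p1, pf_p2)


if __name__ == "__main__":
    for line in check() or ["no mismatch in the compared parameters"]:
        print(line)
```

Run it as-is and the planted PFS mismatch is the only line reported; change `PFSENSE_P2["pfs"]` to `None` (PFS off, matching `set pfs disable`) and the list is empty. Swapping the local and remote networks on the pfSense side produces two selector mismatches, which is the classic cause of a phase 2 that negotiates on one end and not the other. Anything the screenshots show that this constructed sample does not (authentication method, identifiers, NAT-T) still has to be compared by hand.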