Netgate Discussion Forum

    PF-60D IPSEC tunnel SA error

    khamamo

      Hello Everyone,

      I am trying to build an IPSEC tunnel between my pfSense fw and a FortiGate 60D fw, but it is not working and I have a hard time understanding the reason behind that.

      Logs in PF are showing an invalid SA (always checkout in this phase), and I checked everything related to the SA and couldn't find any mismatch.

      I tried to build another tunnel with a Juniper SSG20 with the same result, except the SSG20 didn't show any logs from the tunnel; it is like it is a ghost :o

      Attached are the ph1, ph2 and log configs for the PF side. Also attached are the logs of the 60D, and the configs are below.

      ```
      edit "VPN-xxxx"
          set type ddns
          set interface "wan1"
          set proposal 3des-sha1
          set comments "for test purpose"
          set dhgrp 2
          set remotegw-ddns "xxxx"
          set psksecret ENC xxxx
      next
      end

      edit "VPN-xxxxx"
          set phase1name "VPN-xxxxx"
          set proposal 3des-sha1
          set pfs disable
          set keylifeseconds 3600
          set src-subnet 172.16.208.0 255.255.255.0
          set dst-subnet 172.16.206.0 255.255.255.0
      next
      end
      ```

      Attachments (screenshots on the original post): phase1.jpg, phase2.jpg, pf logs.jpg, 60D logs.jpg
      khamamo

        Can anyone at least guide me to the right location for the material regarding IPsec troubleshooting in pfSense?

        jimp (Rebel Alliance Developer, Netgate)

          https://doc.pfsense.org/index.php/IPsec_Troubleshooting

          Set the log options as described there and see if you can initiate from the Fortigate side. Even if it doesn't work, the logs will be much more useful in that direction.

          Odds are you have a P1 or P2 mismatch.

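As an added example (not code from the thread, from pfSense or from Fortinet): a small Python script that parses a FortiGate phase1/phase2 CLI snippet in the shape khamamo posted and compares it with the pfSense-side Phase 1 / Phase 2 parameters, reporting exactly the kind of P1/P2 mismatch jimp suspects. The FortiGate text is a copy of the posted config; the pfSense-side dictionaries (`PFSENSE_P1`, `PFSENSE_P2`) are constructed for illustration and deliberately disagree in two places (P1 cipher and P2 PFS) so the output shows what a mismatch report looks like. Note the subnet orientation: the FortiGate's `src-subnet` is its local network, so it must equal the pfSense remote network, and `dst-subnet` must equal the pfSense local network.

```python
"""Added example (not from the thread, pfSense or Fortinet): parse a FortiGate
phase1/phase2 CLI snippet in the shape posted above and compare it with the
pfSense-side Phase 1 / Phase 2 settings to find a P1/P2 parameter mismatch.
The pfSense-side values are constructed for illustration."""
import ipaddress
import re

# Copy of the posted FortiGate config (names/secrets already masked by the poster).
FORTIGATE_CONFIG = """\
edit "VPN-xxxx"
    set type ddns
    set interface "wan1"
    set proposal 3des-sha1
    set comments "for test purpose"
    set dhgrp 2
    set remotegw-ddns "xxxx"
    set psksecret ENC xxxx
next
end
edit "VPN-xxxxx"
    set phase1name "VPN-xxxxx"
    set proposal 3des-sha1
    set pfs disable
    set keylifeseconds 3600
    set src-subnet 172.16.208.0 255.255.255.0
    set dst-subnet 172.16.206.0 255.255.255.0
next
end
"""

# Constructed (hypothetical) pfSense side, written with FortiOS-style algorithm
# tokens so both sides compare directly. It deliberately differs from the
# FortiGate config in two places: P1 cipher (aes256 vs 3des) and P2 PFS (on vs off).
PFSENSE_P1 = {"encryption": "aes256", "hash": "sha1", "dhgrp": 2}
PFSENSE_P2 = {"encryption": "3des", "hash": "sha1", "pfs": 2, "lifetime": 3600,
              "local": "172.16.206.0/24", "remote": "172.16.208.0/24"}


def parse_fortios(text):
    """Return {edit_name: {key: value}} for every `edit ... next` block."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit\s+"?(.+?)"?$', line)
        if m:
            current = entries.setdefault(m.group(1), {})
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip().strip('"')
    return entries


def proposals(value):
    """'3des-sha1 aes256-sha256' -> {('3des', 'sha1'), ('aes256', 'sha256')}."""
    return {tuple(p.split("-", 1)) for p in value.split()}


def to_cidr(forti_subnet):
    """'172.16.208.0 255.255.255.0' -> '172.16.208.0/24'."""
    addr, mask = forti_subnet.split()
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))


def find_mismatches(forti_p1, forti_p2, pf_p1, pf_p2):
    """Return a list of human-readable mismatches; an empty list means the
    parameters agree. FortiGate src-subnet is its local network, so it must
    equal the pfSense remote network, and dst-subnet the pfSense local one."""
    problems = []
    if (pf_p1["encryption"], pf_p1["hash"]) not in proposals(forti_p1["proposal"]):
        problems.append(f"P1 proposal: pfSense {pf_p1['encryption']}-{pf_p1['hash']} "
                        f"is not offered by FortiGate ({forti_p1['proposal']})")
    if pf_p1["dhgrp"] not in {int(g) for g in forti_p1["dhgrp"].split()}:
        problems.append(f"P1 DH group: pfSense {pf_p1['dhgrp']} vs FortiGate {forti_p1['dhgrp']}")
    if (pf_p2["encryption"], pf_p2["hash"]) not in proposals(forti_p2["proposal"]):
        problems.append(f"P2 proposal: pfSense {pf_p2['encryption']}-{pf_p2['hash']} "
                        f"is not offered by FortiGate ({forti_p2['proposal']})")
    # With `set pfs enable` FortiOS takes the PFS group from the phase2 dhgrp.
    forti_pfs = None if forti_p2.get("pfs") == "disable" else forti_p2.get("dhgrp")
    if str(pf_p2["pfs"] or "") != str(forti_pfs or ""):
        problems.append(f"P2 PFS: pfSense {pf_p2['pfs'] or 'off'} vs FortiGate {forti_pfs or 'disable'}")
    if int(forti_p2["keylifeseconds"]) != pf_p2["lifetime"]:
        problems.append(f"P2 lifetime: pfSense {pf_p2['lifetime']}s vs FortiGate {forti_p2['keylifeseconds']}s")
    if to_cidr(forti_p2["src-subnet"]) != pf_p2["remote"]:
        problems.append(f"P2 networks: FortiGate src-subnet {to_cidr(forti_p2['src-subnet'])} "
                        f"!= pfSense remote {pf_p2['remote']}")
    if to_cidr(forti_p2["dst-subnet"]) != pf_p2["local"]:
        problems.append(f"P2 networks: FortiGate dst-subnet {to_cidr(forti_p2['dst-subnet'])} "
                        f"!= pfSense local {pf_p2['local']}")
    return problems


def check_posted_config():
    """Compare the posted FortiGate config with the constructed pfSense settings."""
    entries = parse_fortios(FORTIGATE_CONFIG)
    return find_mismatches(entries["VPN-xxxx"], entries["VPN-xxxxx"], PFSENSE_P1, PFSENSE_P2)


if __name__ == "__main__":
    for problem in check_posted_config() or ["no P1/P2 mismatch found"]:
        print(problem)
```

Run it as-is and it prints the two constructed mismatches; replace `PFSENSE_P1`/`PFSENSE_P2` with what the pfSense Phase 1/Phase 2 pages actually show and an empty result means the proposal, DH/PFS group, lifetime and network pairs agree, which narrows the remaining suspects to the pre-shared key, identifiers and the dynamic-DNS peer address.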