-
Then you have to configure separate connections for each combination of local and remote subnet, as Fortigate does not support multiple traffic selectors per CHILD_SA. Also, NO_PROPOSAL_CHOSEN is the wrong error if the traffic selectors are the issue, so maybe there is some other issue (or maybe it's just Fortigate doing something wrong).
-
Okay, so I added leftid to the connections (each is in the subnet of the eth0 IP) and now it works, but it's not really practical because if we change some of the IPs it could pose a problem; it's not dynamic.
-
Hello, thank you for reading my inquiry.

My setup consists of a Raspberry Pi with two interfaces: one for the ADSL router (eth0 in 192.168.1.x) and one for DHCP address leasing (eth1 in 10.6.x.x). NAT masquerade is enabled and traffic works through the tunnel, but only one tunnel establishes if I load a second tunnel. I've found a workaround which consists of using routes and two different left values: %defaultroute and the IP of eth0 (192.168.1.x). The routing works; the only problem is that I need access to three different subnets, and if I create one left parameter it doesn't work.

When one tunnel is up and I try to load up another one to have access to all three subnets, it simply fails with an error.
ERROR:

```
generating CREATE_CHILD_SA, request 2 [ SA No TSi TSr ]
Parsed CREATE_CHILD_SA response 2 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Failed to establish CHILD_SA, keeping IKE_SA
```
The right side is Fortigate equipment, and traffic is working with the workaround.

I was wondering if this error was common; I couldn't find any similar issue. Thank you.
```
config setup
    charondebug = "4"
    uniqueids = yes

conn %default
    type = tunnel
    auto = route
    keyexchange = ikev2
    ike = aes256-sha256-modp2048
    esp = aes256-sha256
    authby = psk
    forceencaps = yes
    rekeymargin = 3m
    leftsubnet = 0.0.0.0/0
    # ipsec.conf option is leftallowany: treat left as %any even though a concrete address is set
    leftallowany = yes
    right = PublicVPN-IP
    rightdns = 10.x.x.20
    keyingtries = %forever
    ikelifetime = 28800s
    lifetime = 3600s
    dpddelay = 20s
    dpdtimeout = 120s
    dpdaction = restart

conn strongswan-forti
    left = [ETH0 IP]
    rightsubnet = 10.3.x.x/24

conn net-10.4.0
    also = strongswan-forti
    left = %defaultroute
    rightsubnet = 10.4.x.x/24
```
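An added example, not from this thread or from the strongSwan project, of how the ipsec.conf could be laid out along the lines of the reply above: one conn per remote subnet, so every CHILD_SA carries exactly one traffic-selector pair and the same left/leftid is set once for all of them. The eth0 address, peer address and subnets are placeholders.

```ini
config setup
    uniqueids = yes

# Everything shared by the three tunnels lives in %default, so the
# per-subnet sections below only differ in their rightsubnet.
conn %default
    type = tunnel
    auto = route
    keyexchange = ikev2
    ike = aes256-sha256-modp2048
    esp = aes256-sha256
    authby = psk
    forceencaps = yes
    rekeymargin = 3m
    keyingtries = %forever
    ikelifetime = 28800s
    lifetime = 3600s
    dpddelay = 20s
    dpdtimeout = 120s
    dpdaction = restart
    left = 192.168.1.10          # placeholder: the eth0 address
    leftid = 192.168.1.10        # placeholder: identity the Fortigate expects
    leftsubnet = 0.0.0.0/0       # local side is masqueraded behind eth0, as in the post
    right = PublicVPN-IP         # placeholder: Fortigate public address

# One conn per remote subnet: a single TSi/TSr pair per CHILD_SA.
# With uniqueids and identical left/leftid/right, strongSwan reuses
# one IKE_SA and negotiates one CHILD_SA per conn.
conn forti-net-10-3
    rightsubnet = 10.3.0.0/24    # placeholder subnet

conn forti-net-10-4
    rightsubnet = 10.4.0.0/24    # placeholder subnet

conn forti-net-10-5
    rightsubnet = 10.5.0.0/24    # placeholder subnet
```

Check the result with `ipsec statusall` (or `swanctl -l` on newer releases): each of the three conns should show its own CHILD_SA with a single selector pair under the same IKE_SA.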