OPNsense Forum

English Forums => Virtual private networks => Topic started by: vpx on February 25, 2026, 03:11:18 PM

Title: Problem with an IPsec site-to-site VPN connection between OPNsense and FortiGate
Post by: vpx on February 25, 2026, 03:11:18 PM
Hi, I have a problem connecting our OPNsense with a FortiGate device.

Here is the IPsec log:

2026-02-25T15:00:59    Informational    charon    07[ENC] <353286> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]   
2026-02-25T15:00:59    Informational    charon    07[CFG] <353286> no matching peer config found   
2026-02-25T15:00:59    Informational    charon    07[CFG] <353286> looking for peer configs matching 185.xxx.xx.xx[%any]...195.yyy.yyy.yyy[195.yyy.yyy.yyy]   
2026-02-25T15:00:59    Informational    charon    07[ENC] <353286> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]   
2026-02-25T15:00:59    Informational    charon    07[NET] <353286> received packet: from 195.yyy.yyy.yyy[500] to 185.xxx.xx.xx[500] (480 bytes)   
2026-02-25T15:00:59    Informational    charon    07[NET] <353286> sending packet: from 185.xxx.xx.xx[500] to 195.yyy.yyy.yyy[500] (456 bytes)   
2026-02-25T15:00:59    Informational    charon    07[ENC] <353286> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]   
2026-02-25T15:00:59    Informational    charon    07[CFG] <353286> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048   
2026-02-25T15:00:59    Informational    charon    07[IKE] <353286> 195.yyy.yyy.yyy is initiating an IKE_SA   
2026-02-25T15:00:59    Informational    charon    07[ENC] <353286> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]   
2026-02-25T15:00:59    Informational    charon    07[NET] <353286> received packet: from 195.yyy.yyy.yyy[500] to 185.xxx.xx.xx[500] (672 bytes)   
2026-02-25T15:00:58    Informational    charon    09[NET] <353285> sending packet: from 185.xxx.xx.xx[500] to 195.yyy.yyy.yyy[500] (80 bytes)

IKE IDs are set on both sides and proposals are on default on both sides. Any suggestion?

There is already an old working IKEv1 connection to the same peer with a different firewall (Sophos Astaro), so there won't be a firewall issue.

But I wonder why the line with "looking for peer configs matching" says "[%any]" for the IKE ID when I specifically provided that. Could that prevent OPNsense from finding the Pre-Shared Key combination in the list?

I now added a screenshot which states "When left empty %any is chosen as default", yet it still shows "%any" in the log despite a defined local IP address. Is this a bug?
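In a charon "looking for peer configs matching A[X]...B[Y]" line, X is the responder identity the initiator asked for in its IDr payload (shown as %any when no IDr was sent) and Y is the initiator's IDi, so the line reflects what the peer sent, not the local configuration. The following added helper (not from the post or from OPNsense/strongSwan) parses log lines modelled on the ones above and reports, per IKE_SA, whether an IDr payload was present and which identities were used for matching; the sample lines are constructed, with the addresses redacted as in the post.

```python
import re

# Constructed sample modelled on the charon lines quoted in the post above.
SAMPLE_LOG = """\
2026-02-25T15:00:59    Informational    charon    07[ENC] <353286> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]
2026-02-25T15:00:59    Informational    charon    07[CFG] <353286> looking for peer configs matching 185.xxx.xx.xx[%any]...195.yyy.yyy.yyy[195.yyy.yyy.yyy]
2026-02-25T15:00:59    Informational    charon    07[CFG] <353286> no matching peer config found
2026-02-25T15:00:59    Informational    charon    07[ENC] <353286> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

AUTH_REQ_RE = re.compile(r"<(?P<sa>\d+)> parsed IKE_AUTH request \d+ \[ (?P<payloads>[^\]]*) \]")
MATCH_RE = re.compile(
    r"<(?P<sa>\d+)> looking for peer configs matching "
    r"(?P<laddr>\S+?)\[(?P<lid>[^\]]*)\]\.\.\.(?P<raddr>\S+?)\[(?P<rid>[^\]]*)\]"
)
NOMATCH_RE = re.compile(r"<(?P<sa>\d+)> no matching peer config found")


def diagnose(log_text):
    """Return {ike_sa_id: findings} for every IKE_SA seen in the log text.

    Findings: idr_sent (initiator included an IDr payload), local_id / remote_id
    (identities charon tried to match), remote_addr, no_match, and hints."""
    findings = {}
    for line in log_text.splitlines():
        if m := AUTH_REQ_RE.search(line):
            # Payload list of the IKE_AUTH request, e.g. "IDi N(INIT_CONTACT) AUTH ...".
            findings.setdefault(m["sa"], {})["idr_sent"] = "IDr" in m["payloads"].split()
        elif m := MATCH_RE.search(line):
            f = findings.setdefault(m["sa"], {})
            f.update(local_id=m["lid"], remote_id=m["rid"], remote_addr=m["raddr"])
        elif m := NOMATCH_RE.search(line):
            findings.setdefault(m["sa"], {})["no_match"] = True

    for f in findings.values():
        hints = []
        if f.get("no_match"):
            if f.get("local_id") == "%any" and not f.get("idr_sent", True):
                hints.append("initiator sent no IDr payload, so the local identity was "
                             "matched as %any; this is not the locally configured ID")
            if f.get("remote_id") and f.get("remote_id") != f.get("remote_addr"):
                hints.append("initiator's IDi differs from its source address; compare it "
                             "with the configured remote identifier")
        f["hints"] = hints
    return findings


if __name__ == "__main__":
    for sa, f in diagnose(SAMPLE_LOG).items():
        print(sa, f)
```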
Title: Re: Problem with an IPsec site-to-site VPN connection between OPNsense and FortiGate
Post by: viragomann on February 25, 2026, 05:35:49 PM
Quote from: vpx on Today at 03:11:18 PM
IKE IDs are set on both sides and proposals are on default on both sides. Any suggestion?

I've read a recommendation to disable the default and specify a certain proposal instead.

Quote from: vpx on Today at 03:11:18 PM
But I wonder why the line with "looking for peer configs matching" says "[%any]" for the IKE ID when I specifically provided that.
Maybe it is complaining about the remote site's id. Possibly it's different from the IP address?