Problem with an IPsec site-to-site VPN connection between OPNsense and FortiGate

[vpx]

Hi, I have a problem connecting our OPNsense with a FortiGate device.

Here is the IPsec log:

Code Select Expand

2026-02-25T15:00:59    Informational    charon    07[ENC] <353286> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]   
2026-02-25T15:00:59    Informational    charon    07[CFG] <353286> no matching peer config found   
2026-02-25T15:00:59    Informational    charon    07[CFG] <353286> looking for peer configs matching 185.xxx.xx.xx[%any]...195.yyy.yyy.yyy[195.yyy.yyy.yyy]   
2026-02-25T15:00:59    Informational    charon    07[ENC] <353286> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]   
2026-02-25T15:00:59    Informational    charon    07[NET] <353286> received packet: from 195.yyy.yyy.yyy[500] to 185.xxx.xx.xx[500] (480 bytes)   
2026-02-25T15:00:59    Informational    charon    07[NET] <353286> sending packet: from 185.xxx.xx.xx[500] to 195.yyy.yyy.yyy[500] (456 bytes)   
2026-02-25T15:00:59    Informational    charon    07[ENC] <353286> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]   
2026-02-25T15:00:59    Informational    charon    07[CFG] <353286> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048   
2026-02-25T15:00:59    Informational    charon    07[IKE] <353286> 195.yyy.yyy.yyy is initiating an IKE_SA   
2026-02-25T15:00:59    Informational    charon    07[ENC] <353286> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]   
2026-02-25T15:00:59    Informational    charon    07[NET] <353286> received packet: from 195.yyy.yyy.yyy[500] to 185.xxx.xx.xx[500] (672 bytes)   
2026-02-25T15:00:58    Informational    charon    09[NET] <353285> sending packet: from 185.xxx.xx.xx[500] to 195.yyy.yyy.yyy[500] (80 bytes)
IKE IDs are set on both sides and proposals are on default on both sides. Any suggestion?

There is already an old working IKEv1 connection to the same peer with a different firewall (Sophos Astaro) so there won't a be firewall issue.

But I wonder why the line with "looking for peer configs matching" says "[%any]" for the IKE ID when I specifically provided that. Could that prevent OPNsense from finding the Pre-Shared Key combination in the list?

I now added a screenshot which states "When left empty %any is chosen as default" yet it still shows "%any" in the log despite a defined local IP address, is this a bug?

[viragomann]

IKE IDs are set on both sides and proposals are on default on both sides. Any suggestion?

I've read a recommendation to disable the default and specify certain proposal instead.

But I wonder why the line with "looking for peer configs matching" says "[%any]" for the IKE ID when I specifically provided that.

Maybe it is complaining about the remote site's id. Possibly it's different from the IP address?

[vpx]

I've read a recommendation to disable the default and specify certain proposal instead.

I doubt the proposals are the problem because as you can see in the log a cipher is already negotiated.

Maybe it is complaining about the remote site's id. Possibly it's different from the IP address?

As you can see or can't see because I redacted the rest of the IP, the remote IP and remote ID are identical.

The FAQs of strongSwan have a section for the error message "no matching peer config found":

https://docs.strongswan.org/docs/5.9/support/faq.html#_no_matching_peer_config_found

So the problem can only be the ID or the proposals (which I already exluded as a cause).

The FAQ also mentions the allowed format for the ID: https://docs.strongswan.org/docs/5.9/config/identityParsing.html

I already tried to change the ID to the explicit <type>:<value> format under "VPN: IPsec: Connections: Local Authentication" to force the ID but it still shows "%any" in the log file.

I downloaded the swanctl.conf and it doesn't mention "%any" anwhere, this doesn't look right.

I also set the debugging level of "IKE_SA/ISAKMP SA" in "VPN: IPsec: Mobile & Advanced Settings: Syslog" to 2 ("More detailed debugging control flow") for some seconds, see also https://docs.strongswan.org/docs/latest/config/logging.html.

Here is the more detailed log, I don't think level 3 would make sense, it just shows hex data and "natd_chunk => 22 bytes @ 0x..." and similar messages.

Code Select Expand

2026-02-26T07:52:41    Informational    charon    10[ENC] <421129> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]   
2026-02-26T07:52:41    Informational    charon    10[CFG] <421129> no matching peer config found   
2026-02-26T07:52:41    Informational    charon    10[CFG] <421129> looking for peer configs matching 185.xxx.xx.xx[%any]...195.yyy.yyy.yyy[195.yyy.yyy.yyy]   
2026-02-26T07:52:41    Informational    charon    10[ENC] <421129> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]   
2026-02-26T07:52:41    Informational    charon    10[NET] <421129> received packet: from 195.yyy.yyy.yyy[500] to 185.xxx.xx.xx[500] (480 bytes)   
2026-02-26T07:52:41    Informational    charon    10[NET] <421129> sending packet: from 185.xxx.xx.xx[500] to 195.yyy.yyy.yyy[500] (456 bytes)   
2026-02-26T07:52:41    Informational    charon    10[ENC] <421129> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]   
2026-02-26T07:52:41    Informational    charon    10[CFG] <421129> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048   
2026-02-26T07:52:41    Informational    charon    10[IKE] <421129> IKE_SA (unnamed)[421129] state change: CREATED => CONNECTING   
2026-02-26T07:52:41    Informational    charon    10[IKE] <421129> 195.yyy.yyy.yyy is initiating an IKE_SA   
2026-02-26T07:52:41    Informational    charon    10[IKE] <421129> remote endpoint changed from 0.0.0.0 to 195.yyy.yyy.yyy[500]   
2026-02-26T07:52:41    Informational    charon    10[IKE] <421129> local endpoint changed from 0.0.0.0[500] to 185.xxx.xx.xx[500]   
2026-02-26T07:52:41    Informational    charon    10[ENC] <421129> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]   
2026-02-26T07:52:41    Informational    charon    10[NET] <421129> received packet: from 195.yyy.yyy.yyy[500] to 185.xxx.xx.xx[500] (672 bytes)   
2026-02-26T07:52:40    Informational    charon    10[IKE] <421128> IKE_SA (unnamed)[421128] state change: CONNECTING => DESTROYING   
2026-02-26T07:52:40    Informational    charon    10[NET] <421128> sending packet: from 185.xxx.xx.xx[500] to 195.yyy.yyy.yyy[500] (80 bytes)(By the way when did the logs change direction from down to up because I saw old posts where the log goes from up to down? :) )

Also how would I know the default proposals? Even the swanctl.conf just says "proposals = default" and "esp_proposals = default".

It would be nice if there was a place in the GUI where you can actually see them.

I actually found the default proposals by setting CFG ("Configuration management and plugins") to level 2, here they are:

Code Select Expand

2026-02-26T08:18:01 Informational charon 15[CFG] <422831> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048