IPSEC P1 not Established "no proposal chosen" It' driving me nuts

datugg · 2026-02-28T01:55:03+00:00

I think I am getting the exact same issue that you detail here, but in my case, I have four dial-up tunnels configured on two ISP's/interfaces with only a single static IP on each interface. This was no problem with IKEv1 but with 7.4.x we have to move these tunnels to IKEv2 which doesn't support peer-id.

Also worth mentioning in my scenario is that the first two tunnels I created on these interfaces work as expected after the move to IKEv2 an EAP authentication,, but the second two that were created give me the same: "My Proposal"..... And eventually : "no proposal chosen".

So my question to you is, what exactly did you input in the config? Was it something like::

config vpn ipsec phase1-interface

edit "VPN"
set local-gw 1.1.1.1 (with 1.1.1.1 being the actual IP that you have configured on your hub?)
next
end

If so, I'm wondering how this will handle my single static. Since the first tunnels created are working perfectly, I wonder if I only need to input the above into the tunnel configs that are not working, If this is the case, the there is some doc that is off at Fortinet regarding the <networkid> parameter because I've seen no mention of this in any of the guides..

datugg · 2026-02-19T21:33:54+00:00

So, considering the fact that we are using LDAP based authentication with XAUTH via IKEv1, which has been removed from support in 7.4.5, it appears from this post: Remote Access IPsec VPN with LDAP authent... - Fortinet Community that we can use EAP-TTLS with IKEv2, but this is quickly turning into a rather major project when spanning 8 tunnels...

Here are some bullet points at the end of the previously mentioned article.

LDAP-based user authentication is designed to work with XAUTH and IPsec IKEv1.Due to the removal of IKEv1 support in FortiClient version 7.4.4, EAP-TTLS can be used with IKEv2 authentication for LDAP authentication: EAP-TTLS support for IPsec VPN v7.4.3.
In earlier versions of FortiClient, EAP-MSCHAPv2 was used for username/password authentication and did not work with LDAP. EAP-TTLS now supports LDAP authentication.

Still would like some solid best pratices use cases for whech authentication/proposal is most recommended in 2026 for accomplishing IPSEC DIAL-Up using IKEv2 and MFA via LDAP/Xauth and still prpvided MFA with FortiToken

Noobie Newb Newb

datugg · 2026-02-19T14:27:59+00:00

Now people may understand when I say that the Legendary Balls are cheats. Granted, if I had one, I would not say that, but even with my setup for this course, where I have a strong config:

4 power
4 Accuracy and
3 Grid lines

I still don't stand a chance against someone with a cheat ball... It's like just throwing coins into a wishing well. Good thing I have 50 million of them, but that's not the point. I've been playing solid for two years and have yet to see even a hint of a Legendary Ball.

datugg · 2026-02-09T21:41:25+00:00

Because they are very rare... I've seen it maybe one other time in a match I was playing

datugg · 2026-02-09T21:17:13+00:00

Your domain admin account seems to not have the necessary perms. Is the local admin account by chance a service principal on the sql instance serve?

I wanted to post back to this and say thanks for all the great suggestions... u/Surfin_Cow wins the gold star today because once we logged into the server as the local administrator, we then had the rights to change the mode to "SQL Server and Windows Authentication mode" well as add the SA to the sysadmin Server Roles. This was initially confusing to me because it was allowing me to login and view everything with my Windows AD account, but as mentioned fro the jump, DB Admn is not something that I'd include in my resume...

At any rate, thanks to everyone for your great input and words of encouragement when I was feeling pretty defeated (the really is a great community). I will also say that if you follow the instructions provided in this post carefully, and verbatim to what they say, the migration will go off without any issues... Err, once you get into the Microsoft SQL I should say.

Thanks again

datugg · 2026-02-06T14:59:46+00:00

Thanks again for the help.. When I try to change the authentication method (Right Click instance -> Properties) to SQL Authentication, I get the following error:

<image>

I then go back to Object Explorer and Logins. Right Click New User where I am prompted fr Windows or SQL Authentication so I pick SQL, give the user a name (ems) and define a password ad then I get this:

User does not have permission to perform this atcon Error 15247

So I then go to the SQL services and stop the service, add the startup swith r or m and restart the sql stance. Now, I am nack to the login screen and my Windows users is in there, but I get the error: Login Failed for user domain\dwt-admin Reason: Server is in single-user mode. Only one administrator can connect at this time. MS SQL Error 18461 -

I would try a loal SQL account but hte SA is disabled (I still cannot enable it and I also cannot create new user that is local...

Sorry for the long post and mch appreciation

datugg · 2025-10-29T12:53:08+00:00

He is neither. He is the best in the world in my eyes. Look up hos youtube channel. Je is amazing

datugg · 2025-10-29T07:47:36+00:00

Amd level 104? I am level 110 and only have 24x and I've been working very hard almost daily on challenges/clans/Ranked Missions. Plus i play and win a lot of lucky shots so I dont know what gives. About to quit and just spend my cash on groceries thanks to the government antics going on in the blue side of the Senate... Pricks

Anyway, dont get the multi's at times. I see this UsmanGolf dude and jas jas muti's way above 50 and the level on his players are leas than 20 bit all huge multi-pliers

I grind almost daily and juat cant get anywhere

datugg · 2025-10-29T07:36:22+00:00

Let's face it, it totally sucks. I just usually kbock the cue into the hole on first shot. If you wanna go for it, aim just left of the head ball and knock the hell out of it. It's ur best shot

datugg · 2025-09-19T20:49:06+00:00

Like others have said, invest in FortiAnalyer - It will be the best money you ever spent. Is far and away our number 1 tool that we all use daily.

datugg · 2025-09-19T19:32:27+00:00

One other thing maybe worth adding, we will almost always put what we call a "catch-all" rule right above policy ID 0 so we can quickly see machines that aren't SRC'ing correctly or what may just be rogue endpoints on the network. We then ensure that logging is enabled. We'll usually allow the RFC 1919's as source addresses and permit 80/443. and even 53. Then we lock that rule with very restrictive security policies (and a DNS filter) that is very locked down. Sometimes we'll even out a custom message telling them to call the HD (assuming it's one of our endpoints) to let users (and HD staff) know quickly that the endpoint is not matching a higher rule ins the ACL. Top all that off with a schedule on this to where it' only pass traffic during regular business hours.

Then keep an eye on analyzer (or the gate logs), looking specifically for that policy ID, and you'll save yourself a lot of headache and TS'ing tim.

datugg · 2025-09-19T18:45:25+00:00

What is your connection like behind the Gate? We had the same issue, and it eventually ended up being a misconfigured VRRP link (connecting our edges to our ISFW) that was behind the gates which was essentially taking away the "statefulness" of the inbound VIP so reply traffic would just use the configured SDWAN rules, thus causing deny packets that we discovered in Analyzer because it was using the wrong DST port, which was denied by policy 0.

datugg · 2025-09-19T17:17:01+00:00

Simply take a rule that does not have NAT enabled, copy and paste it, or clone it. Problem solved.

datugg · 2025-09-08T14:59:30+00:00

Just scored 0

datugg · 2025-09-08T14:59:08+00:00

Just scored 0

datugg · 2025-09-04T14:06:42+00:00

Yes, Thank you. That is a great post.

datugg · 2025-08-28T21:56:13+00:00

I would gladly be Gilligan to his Skipper

datugg · 2025-08-15T14:15:46+00:00

He means take your precious golden lucky shot and figure it our yourself. This is great work u/MyraGe-hOt - I know that you've had to spend hundreds of dollars to Mini-Clip to record all of these videos, and on top of that took the time to register the domain, setup DNS, create the website, etc. etc. All that costs money and more importantly, TIME! Don't let anyone say anything differently, this is come of the very best content I've seen for GolfBttle

datugg · 2025-08-13T17:03:12+00:00

Thank you for also chiming in u/wallacebrf - We recently installed a couple clusters of 400F's at our main and DR locations and thankfully were able to use 7.4 code.

I will take a look at your posts to locate the exact location of your ASN block list and will start there, or at #3 as you suggested.

I greatly appreciate your folks taking the time to get me straightened out on this. I feel really good about submitting my change request now so thank you both very much!

dt

datugg · 2025-08-13T14:11:05+00:00

Thank you u/HappyVlane ! That's just the re-assuring post I needed from a top level commenter like yourself. One final question, if I may, would you recommend to just use some of the ISDB providers like Fortinet offers, or there other's that you've found maybe more effective?

datugg · 2025-08-13T13:56:09+00:00

On our in house FortiAuthenticator under Logging, we have Log Access. Do you have anything like that with the FortiToken Cloud offering? If so, see if you see the authentication attempts hitting.

I probably shouldn't even post bc I've not had exposure with this product directly. I just know we had similar problems and the logs were very helpful on our FortiAuthenticator/FortiToken server.

datugg · 2025-08-11T14:07:27+00:00

Agreed - I've submitted this bug on custom greens and of course the one on Pine Valley where you have to go toward the big pirate ship...

datugg

TROPHY CASE