An administrator is troubleshooting a scenario where IPSec VPN tunnels between two FortiGates are flapping. The logs show Phase 1 is up but Phase 2 fails with 'no proposal chosen'. The remote FortiGate has multiple Phase 2 selectors configured. What is the most likely cause?
Trap 1: Mismatched pre-shared keys.
A pre-shared key mismatch breaks Phase 1 authentication, so the IKE SA would never come up; the logs show Phase 1 is up.
Trap 2: Dead Peer Detection (DPD) settings are too aggressive.
DPD only monitors a tunnel that is already established; aggressive DPD would tear a working tunnel down, not make Phase 2 negotiation fail with a proposal error.
Trap 3: Certificate validation failure.
Certificate validation is part of Phase 1 authentication (when certificates are used); if it failed, Phase 1 would not be up.
- A
Mismatched Phase 2 proxy IDs (local/remote subnets).
'No proposal chosen' is the IKE NO_PROPOSAL_CHOSEN notification: the responder found nothing in its configuration matching what the initiator offered. In Phase 2 that means either the selectors (proxy IDs: local/remote subnets) or the Phase 2 crypto settings (encryption and authentication algorithms, PFS/DH group) did not match. Given that the remote FortiGate has several Phase 2 selectors, the most likely cause is that the initiator's src-subnet/dst-subnet pair does not exactly equal any of them; IKEv1 quick mode requires an exact mirror, so a merely overlapping subnet (for example a /16 on one side and a /24 on the other) is rejected and the tunnel keeps retrying, which appears as flapping. Confirm with `diagnose debug application ike -1` on both peers and compare the src-subnet/dst-subnet of each phase2-interface entry, or inspect the negotiated selectors with `diagnose vpn tunnel list`.
- B
Mismatched pre-shared keys.
Why wrong: A pre-shared key mismatch fails Phase 1 authentication, so Phase 1 would never be reported as up; the failure here is in Phase 2.
- C
Dead Peer Detection (DPD) settings are too aggressive.
Why wrong: DPD only runs against an established tunnel; too-aggressive DPD would drop a working tunnel after it comes up, not produce a 'no proposal chosen' failure during Phase 2 negotiation.
- D
Certificate validation failure.
Why wrong: Certificate validation happens during Phase 1 authentication (if certificate authentication is used); a validation failure would prevent Phase 1 from coming up, but the logs show Phase 1 is up.
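As an added example (not part of the original question, and not Fortinet's code), the following script parses the `config vpn ipsec phase2-interface` block from each FortiGate's configuration and checks that every selector on one side has an exact mirror on the other (remote src-subnet equals local dst-subnet and vice versa). The two configurations are constructed for this example: the branch side's LAN selector uses a /24 where HQ uses a /16, which overlaps but does not match, exactly the proxy-ID mismatch discussed above. Selectors that do not set src-subnet/dst-subnet are treated as 0.0.0.0/0, which is assumed here to be the FortiOS default.

```python
"""Check that Phase 2 selectors (proxy IDs) on two FortiGates mirror each other.

Added example; not from the original page or from Fortinet.  IKEv1 quick mode
requires an exact selector match, so an overlapping-but-unequal subnet still
yields a "no proposal chosen" failure.  This script finds such pairs.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Selector = Tuple[str, Net, Net]  # (phase2 name, src-subnet, dst-subnet)

# Assumed FortiOS default when src-subnet/dst-subnet are not set.
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample configuration for the HQ FortiGate.
HQ_CONFIG = """
config vpn ipsec phase2-interface
    edit "to-branch-lan"
        set phase1name "to-branch"
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.1.0 255.255.255.0
    next
    edit "to-branch-voice"
        set phase1name "to-branch"
        set src-subnet 10.1.50.0 255.255.255.0
        set dst-subnet 10.2.50.0 255.255.255.0
    next
end
"""

# Constructed sample configuration for the branch FortiGate.  Its LAN
# selector points at 10.1.1.0/24 instead of HQ's 10.1.0.0/16: overlapping,
# but not equal, so quick mode for that selector never completes.
BRANCH_CONFIG = """
config vpn ipsec phase2-interface
    edit "to-hq-lan"
        set phase1name "to-hq"
        set src-subnet 10.2.1.0 255.255.255.0
        set dst-subnet 10.1.1.0 255.255.255.0
    next
    edit "to-hq-voice"
        set phase1name "to-hq"
        set src-subnet 10.2.50.0 255.255.255.0
        set dst-subnet 10.1.50.0 255.255.255.0
    next
end
"""


def parse_phase2(config_text: str) -> List[Selector]:
    """Extract (name, src, dst) from each `edit ... next` entry.

    Only src-subnet and dst-subnet are parsed; other settings are ignored.
    """
    selectors: List[Selector] = []
    name, src, dst = None, ANY, ANY
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            name, src, dst = m.group(1), ANY, ANY
            continue
        m = re.match(r"set (src|dst)-subnet (\S+) (\S+)", line)
        if m and name:
            # FortiOS writes "address netmask"; ipaddress accepts addr/netmask.
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            if m.group(1) == "src":
                src = net
            else:
                dst = net
            continue
        if line == "next" and name:
            selectors.append((name, src, dst))
            name = None
    return selectors


def find_unmirrored(local: List[Selector], remote: List[Selector]) -> Dict[str, str]:
    """Return {local phase2 name: diagnosis} for selectors with no exact mirror.

    A mirror is a remote selector whose src equals the local dst and whose dst
    equals the local src.  When none exists, the diagnosis names any remote
    selector that merely overlaps, which is the classic proxy-ID mismatch.
    """
    problems: Dict[str, str] = {}
    for name, src, dst in local:
        if any(r_src == dst and r_dst == src for _, r_src, r_dst in remote):
            continue
        near = [r_name for r_name, r_src, r_dst in remote
                if r_src.overlaps(dst) and r_dst.overlaps(src)]
        if near:
            problems[name] = (f"{src} -> {dst} overlaps but does not equal "
                              f"remote selector(s): {', '.join(near)}")
        else:
            problems[name] = f"{src} -> {dst} has no counterpart on the peer"
    return problems


def check_pair(config_a: str, config_b: str) -> Dict[str, Dict[str, str]]:
    """Run the mirror check in both directions and return the findings."""
    a, b = parse_phase2(config_a), parse_phase2(config_b)
    return {"a_to_b": find_unmirrored(a, b), "b_to_a": find_unmirrored(b, a)}


if __name__ == "__main__":
    for direction, findings in check_pair(HQ_CONFIG, BRANCH_CONFIG).items():
        for p2_name, why in findings.items():
            print(f"[{direction}] {p2_name}: {why}")
```

Run it against the two configurations exported with `show vpn ipsec phase2-interface` from each peer; each reported selector is one that will fail quick mode until the src-subnet/dst-subnet pairs are made exact mirrors.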