Hi,
I'm trying to configure a VPN between a Fortigate 800C and an SRX 240 in a test environment (the same subnet for the WAN interfaces). I have a problem with IKE:
Juniper:
show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
2842773 DOWN f819d2c735939f64 a267c13f16767608 Any A.B.C.24
Fortigate:
diagnose vpn ike gateway
name: VPN-SRX
version: 1
interface: wan1 5
addr: A.B.C.24:500 -> A.B.C.25:500
created: 6s ago
auto-discovery: 0
IKE SA: created 1/1
IPsec SA: created 0/0
id/spi: 375 82b42b5847a79362/0000000000000000
direction: responder
status: connecting, state 3, started 6s ago
SRX debug:
[Nov 14 19:07:46]ike_free_sa: Start
[Nov 14 19:07:47]ikev2_packet_allocate: Allocated packet dc0400 from freelist
[Nov 14 19:07:47]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Nov 14 19:07:47]ike_get_sa: Start, SA = { dac663eb 94378770 - 00000000 00000000 } / 00000000, remote = A.B.C.24:500
[Nov 14 19:07:47]ike_sa_allocate: Start, SA = { dac663eb 94378770 - 0ccc7df7 e063728a }
[Nov 14 19:07:47]ike_init_isakmp_sa: Start, remote = A.B.C.24:500, initiator = 0
[Nov 14 19:07:47]ike_decode_packet: Start
[Nov 14 19:07:47]ike_decode_packet: Start, SA = { dac663eb 94378770 - 0c97b2f3 dd18068f} / 00000000, nego = -1
[Nov 14 19:07:47]ike_decode_payload_sa: Start
[Nov 14 19:07:47]ike_decode_payload_t: Start, # trans = 1
[Nov 14 19:07:47]ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
[Nov 14 19:07:47]ike_st_i_vid: VID[0..16] = 4048b7d5 6ebce885 ...
[Nov 14 19:07:47]ike_st_i_vid: VID[0..20] = 4048b7d5 6ebce885 ...
[Nov 14 19:07:47]ike_st_i_vid: VID[0..16] = 82990317 57a36082 ...
[Nov 14 19:07:47]ike_st_i_sa_proposal: Start
[Nov 14 19:07:47]iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
[Nov 14 19:07:47]ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error No proposal chosen (neg e06800)
[Nov 14 19:07:47]ike_isakmp_sa_reply: Start
[Nov 14 19:07:47]ike_state_restart_packet: Start, restart packet SA = { dac663eb 94378770 - 0c97b2f3 dd18068f}, nego = -1
[Nov 14 19:07:47]ike_st_i_sa_proposal: Start
[Nov 14 19:07:47]ike_st_i_cr: Start
[Nov 14 19:07:47]ike_st_i_cert: Start
[Nov 14 19:07:47]ike_st_i_private: Start
[Nov 14 19:07:47]ike_st_o_sa_values: Start
[Nov 14 19:07:47]A.B.C.25:500 (Responder) <-> A.B.C.24:500 { dac663eb 94378770 - 0c97b2f3 dd18068f [-1] / 0x00000000 } IP; Error = No proposal chosen (14)
[Nov 14 19:07:47]ike_alloc_negotiation: Start, SA = { dac663eb 94378770 - 0c97b2f3 dd18068f}
[Nov 14 19:07:47]ike_encode_packet: Start, SA = { 0xdac663eb 94378770 - 0c97b2f3 dd18068f } / d4330be2, nego = 0
[Nov 14 19:07:47]ike_send_packet: Start, send SA = { dac663eb 94378770 - 0c97b2f3 dd18068f}, nego = 0, dst = A.B.C.24:500, routing table id = 0
[Nov 14 19:07:47]ike_delete_negotiation: Start, SA = { dac663eb 94378770 - 0c97b2f3 dd18068f}, nego = 0
[Nov 14 19:07:47]ike_free_negotiation_info: Start, nego = 0
[Nov 14 19:07:47]ike_free_negotiation: Start, nego = 0
[Nov 14 19:07:47]IKE negotiation fail for local:A.B.C.25, remote:A.B.C.24 IKEv1 with status: No proposal chosen
[Nov 14 19:07:47] IKEv1 Error : No proposal chosen
Fortigate debug:
ike 0:VPN-SRX-PL: schedule auto-negotiate
ike 0:VPN-SRX-PL: auto-negotiate connection
ike 0:VPN-SRX-PL: created connection: 0x399fb00 5 A.B.C.24->A.B.C.25:500.
ike 0:VPN-SRX-PL:383: initiator: main mode is sending 1st message...
ike 0:VPN-SRX-PL:383: cookie 04dc6135a7b58c34/0000000000000000
ike 0:VPN-SRX-PL:383: out 04DC6135A7B58C3400000000000000000110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400020D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00050428
ike 0:VPN-SRX-PL:383: sent IKE msg (ident_i1send): A.B.C.24:500->A.B.C.25:500, len=172, id=04dc6135a7b58c34/0000000000000000
ike 0: comes A.B.C.25:500->A.B.C.24:500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=04dc6135a7b58c34/b68f181de8ae682f:18ad0f9b len=102
ike 0: in 04DC6135A7B58C34B68F181DE8AE682F0B10050018AD0F9B000000660000004A000000010110000E04DC6135A7B58C34B68F181DE8AE682F800C000100060022436F756C64206E6F742066696E642061636365707461626C652070726F706F73616C80080000
ike 0:VPN-SRX-PL:383: ignoring unsupported INFORMATIONAL message 0.
ike 0:VPN-SRX-PL:383: out 04DC6135A7B58C3400000000000000000110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400020D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00050428
ike 0:VPN-SRX-PL:383: sent IKE msg (P1_RETRANSMIT): A.B.C.24:500->A.B.C.25:500, len=172, id=04dc6135a7b58c34/0000000000000000
ike 0:VPN-SRX-PL:383: out 04DC6135A7B58C3400000000000000000110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400020D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00050428
ike 0:VPN-SRX-PL:383: sent IKE msg (P1_RETRANSMIT): A.B.C.24:500->A.B.C.25:500, len=172, id=04dc6135a7b58c34/0000000000000000
ike 0: comes A.B.C.25:500->A.B.C.24:500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=04dc6135a7b58c34/b68f181de8ae682f:18ad0f9b len=102
ike 0: in 04DC6135A7B58C34B68F181DE8AE682F0B10050018AD0F9B000000660000004A000000010110000E04DC6135A7B58C34B68F181DE8AE682F800C000100060022436F756C64206E6F742066696E642061636365707461626C652070726F706F73616C80080000
ike 0:VPN-SRX-PL:383: ignoring unsupported INFORMATIONAL message 0.
ike 0:VPN-SRX-PL:383: negotiation timeout, deleting
ike 0:VPN-SRX-PL: connection expiring due to phase1 down
I've tried with compatible proposals and manually selecting some of them.
Current p1 for SRX:
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;
lifetime-seconds 86400;
Current p1 for Fortigate:
edit "VPN-SRX"
set interface "wan1"
set proposal aes128-sha1
set dhgrp 2
set nattraversal disable
set remote-gw A.B.C.25
set psksecret ENC qtJ/743mzf[cut]8nsg==
next
I'm new to Fortinet.
Maybe someone has experience with connecting these boxes?
Regards, Kacper
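An added decoder for the two ISAKMP packets in the FortiGate debug above (my own example, not code from the post or from either vendor): it walks the header and the next-payload chain, names the Phase 1 transform attributes the FortiGate actually put on the wire, and pulls the notify type and the vendor text out of the SRX's Informational reply. The `ATTR` table and the function names are mine; only the attribute and value numbers that appear in these dumps are mapped to names.

```python
import struct
# Phase 1 transform attributes (RFC 2409 appendix A), with the values the two boxes above use.
ATTR = {1: ("enc", {7: "AES-CBC"}), 2: ("hash", {2: "SHA1"}), 3: ("auth", {1: "PSK"}), 4: ("dh_group", {2: "group2"}),
        11: ("life_type", {1: "seconds"}), 12: ("life_secs", {}), 14: ("key_len", {})}

def parse_attrs(data, names=None):  # RFC 2408 3.3 data attributes: TV if the high bit is set, else TLV
    attrs, i = {}, 0
    while i + 4 <= len(data):
        af_type, val = struct.unpack_from("!HH", data, i)
        i, atype = i + 4, af_type & 0x7FFF
        if not af_type & 0x8000:                 # TLV: val is the byte length of the value that follows
            val, i = data[i:i + val], i + val
        if names:                                # transform view: lifetime TLV as int, known values named
            val = int.from_bytes(val, "big") if isinstance(val, bytes) else val
            atype, known = names.get(atype, (atype, {}))
            val = known.get(val, val)
        attrs[atype] = val
    return attrs

def parse_isakmp(pkt):  # exchange type, every SA transform, and every notification in one message
    npl, xchg, length = pkt[16], pkt[18], struct.unpack_from("!I", pkt, 24)[0]
    assert length == len(pkt), "header length does not match the captured bytes"
    res, off = {"exchange": xchg, "transforms": [], "notify": []}, 28
    while npl:                                   # walk the next-payload chain
        nxt, plen = pkt[off], struct.unpack_from("!H", pkt, off + 2)[0]
        body = pkt[off + 4:off + plen]
        if npl == 1:                             # SA payload: DOI(4), situation(4), then proposals
            p = 8
            while p < len(body):                 # proposal header: next, rsvd, len(2), #, proto, spi_size, #transforms
                pln, spisz, ntrans = struct.unpack_from("!H", body, p + 2)[0], body[p + 6], body[p + 7]
                t = p + 8 + spisz
                for _ in range(ntrans):          # transform header is 8 bytes, attributes follow
                    tln = struct.unpack_from("!H", body, t + 2)[0]
                    res["transforms"].append(parse_attrs(body[t + 8:t + tln], ATTR))
                    t += tln
                p += pln
        elif npl == 11:                          # Notification: DOI(4), proto(1), spi_size(1), type(2), SPI, data
            ntype, priv = struct.unpack_from("!H", body, 6)[0], parse_attrs(body[8 + body[5]:])
            res["notify"].append((ntype, priv.get(6, b"").decode("ascii", "replace")))
        npl, off = nxt, off + plen
    return res

# Both packets are the hex dumps from the FortiGate debug in the post above, copied verbatim.
FGT_MAIN_MODE_MSG1 = bytes.fromhex(
    "04DC6135A7B58C3400000000000000000110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C0004"
    "0001518080010007800E00808003000180020002800400020D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D3"
    "0D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00050428")
SRX_INFORMATIONAL = bytes.fromhex(
    "04DC6135A7B58C34B68F181DE8AE682F0B10050018AD0F9B000000660000004A000000010110000E04DC6135A7B58C34B68F181DE8AE682F800C000100060022"
    "436F756C64206E6F742066696E642061636365707461626C652070726F706F73616C80080000")
```

On these dumps it shows the FortiGate offering a single transform (AES-CBC 128, SHA1, PSK, group 2, 86400 s lifetime), which is what to compare field by field with the SRX proposal, and the SRX answering with notify type 14 (NO-PROPOSAL-CHOSEN) carrying the text "Could not find acceptable proposal".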