
NSE4_FGT-7.0 Exam - Question 27


Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.

Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?

Correct Answer: C

In an IPsec VPN setup, both ends must have matching parameters for the tunnel to come up. In the given configuration exhibit, the HQ-FortiGate is set to use AES128 encryption, whereas the Remote-FortiGate is configured to use AES256 encryption. For phase 2 to be successful, the encryption algorithms must match on both sides. Therefore, changing the encryption on HQ-FortiGate to AES256 will align it with the Remote-FortiGate and allow phase 2 to come up.
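
One way to check two peers' phase 2 settings for the mismatch described above, as an added example that is not part of the original page or any Fortinet tooling. The sample configs are constructed: only the AES128/AES256 difference comes from the explanation, while the tunnel names, SHA256 hash and PFS group are assumptions.

```python
import re

# Constructed sample configs (not the exam exhibit). Only the encryption
# differs: AES128 on HQ, AES256 on Remote. Names, hash and dhgrp are assumed.
HQ_CONF = '''
config vpn ipsec phase2-interface
    edit "ToRemote"
        set phase1name "ToRemote"
        set proposal aes128-sha256
        set pfs enable
        set dhgrp 14
    next
end
'''
REMOTE_CONF = HQ_CONF.replace("aes128", "aes256").replace("ToRemote", "ToHQ")

def parse_phase2(conf):
    """Return {tunnel_name: {setting: [values]}} from a phase2-interface block."""
    tunnels, current = {}, None
    for line in conf.splitlines():
        line = line.strip()
        m = re.match(r'edit\s+"?([^"]+)"?$', line)
        if m:
            current = tunnels.setdefault(m.group(1), {})
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, *values = line[4:].split()
            current[key] = [v.strip('"') for v in values]
    return tunnels

def compare_phase2(local, remote):
    """Return the settings that stop the peers agreeing on an IPsec SA."""
    problems = []
    if local.get("pfs") != remote.get("pfs"):
        problems.append("pfs")
    # Multi-valued settings are negotiated: one shared entry is enough.
    for key in ("proposal", "dhgrp"):
        if key in local and key in remote and not set(local[key]) & set(remote[key]):
            problems.append(key)
    return problems

if __name__ == "__main__":
    hq = parse_phase2(HQ_CONF)["ToRemote"]
    remote = parse_phase2(REMOTE_CONF)["ToHQ"]
    print("mismatched settings:", compare_phase2(hq, remote))
```
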

Discussion

5 comments
MartiFC (Option: C)
Dec 10, 2022

Yes, the encryption must be the same on both FortiGates.

SiqueiraZ (Option: C)
Dec 13, 2022

Of course, the correct answer is C.

geotown (Option: C)
Aug 17, 2023

C, change to 256 to match the remote IPsec.

raydel92 (Option: C)
Sep 7, 2023

C. On HQ-FortiGate, set Encryption to AES256. FortiGate Infrastructure 7.2 Study Guide (p.263): "A phase 2 proposal defines the algorithms supported by the peer for encrypting and decrypting the data over the tunnel. You can configure multiple proposals to offer more options to the remote peer when negotiating the IPsec SAs. Like in phase 1, you need to select a combination of encryption and authentication algorithms." Reference and download study guide: https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html

AMK2ENG (Option: C)
Dec 22, 2023

C. On HQ-FortiGate, set Encryption to AES256.