Crown
New Member
February 3, 2015
Question

IKE v2 VPN malformed message

  • 4 replies
  • 29358 views

Hi guys,

I hope you will be able to point my head to the resolution for the following:

Env: FG 80C (4.0Mr1)  <> Windows 2012 r2 (AWS EC2) with tunnel setup using Windows Firewall (using connection rules)


I get the following; I'm not sure whether these are phase 1 or phase 2 errors. This "malformed message" is quite confusing, honestly.

####

2015-02-03 09:47:21 ike 0:To_EC2:84265: NAT-T float port 4500
2015-02-03 09:47:21 ike 0:To_EC2:84265: send AUTH
2015-02-03 09:47:21 ike 0:To_EC2:84265: using nat-t
2015-02-03 09:47:21 ike 0:To_EC2:84265: sent IKE msg (AUTH): x.x.x.x:4500->y.y.y.y:4500, len=316
2015-02-03 09:47:21 ike 0: comes y.y.y.y:4500->x.x.x.x:4500,ifindex=4....
2015-02-03 09:47:21 ike 0: IKEv2 exchange=AUTH_RESPONSE id=14e482d8d1101b65/51deffb86c87d0ea:00000001 len=76
2015-02-03 09:47:21 ike 0: found To_EC2 x.x.x.x 4 -> y.y.y.y:4500
2015-02-03 09:47:21 ike 0:To_EC2:84265: initiator received AUTH msg
2015-02-03 09:47:21 ike 0:To_EC2:84265: malformed message
2015-02-03 09:47:21 ike 0:To_EC2:84265: expiring IKE SA 14e482d8d1101b65/51deffb86c87d0ea
2015-02-03 09:47:21 ike 0:To_EC2: deleting
2015-02-03 09:47:21 ike 0:To_EC2: flushing
2015-02-03 09:47:21 ike 0:To_EC2: flushed
2015-02-03 09:47:21 ike 0:To_EC2: reset NAT-T
2015-02-03 09:47:21 ike 0:To_EC2: deleted
2015-02-03 09:47:26 ike 0:To_EC2: link fail 4 x.x.x.x->y.y.y.y:500 dpd=1
2015-02-03 09:47:26 ike 0:To_EC2: created DPD triggered connection: 0x90bb070 4 x.x.x.x->y.y.y.y:500.
2015-02-03 09:47:26 ike 0:To_EC2: new connection.
2015-02-03 09:47:26 ike 0:To_EC2:To_EC2_P2: chosen to populate IKE_SA traffic-selectors
2015-02-03 09:47:26 ike 0:To_EC2: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
2015-02-03 09:47:26 ike 0:To_EC2:84266: send SA_INIT
2015-02-03 09:47:26 ike 0:To_EC2:84266: sent IKE msg (SA_INIT): x.x.x.x:500->y.y.y.y:500, len=332
2015-02-03 09:47:26 ike shrank heap by 126976 bytes
2015-02-03 09:47:26 ike 0: comes y.y.y.y:500->x.x.x.x:500,ifindex=4....
2015-02-03 09:47:26 ike 0: IKEv2 exchange=SA_INIT_RESPONSE id=b5d58d1a2df7f3a7/38fd44028e9b2ede len=364
2015-02-03 09:47:26 ike 0: found To_EC2 x.x.x.x 4 -> y.y.y.y:500
2015-02-03 09:47:26 ike 0:To_EC2:84266: initiator received SA_INIT response
2015-02-03 09:47:26 ike 0:To_EC2:84266: received notify type NAT_DETECTION_SOURCE_IP
2015-02-03 09:47:26 ike 0:To_EC2:84266: processing NAT-D payload
2015-02-03 09:47:26 ike 0:To_EC2:84266: NAT detected: PEER
2015-02-03 09:47:26 ike 0:To_EC2:84266: process NAT-D
2015-02-03 09:47:26 ike 0:To_EC2:84266: received notify type NAT_DETECTION_DESTINATION_IP
2015-02-03 09:47:26 ike 0:To_EC2:84266: processing NAT-D payload
2015-02-03 09:47:26 ike 0:To_EC2:84266: NAT detected: PEER
2015-02-03 09:47:26 ike 0:To_EC2:84266: process NAT-D
2015-02-03 09:47:26 ike 0:To_EC2:84266: incoming proposal:
2015-02-03 09:47:26 ike 0:To_EC2:84266: proposal id = 1:
2015-02-03 09:47:26 ike 0:To_EC2:84266: protocol = IKEv2:
2015-02-03 09:47:26 ike 0:To_EC2:84266: encapsulation = IKEv2/none
2015-02-03 09:47:26 ike 0:To_EC2:84266: type=ENCR, val=AES_CBC (key_len = 192)
2015-02-03 09:47:26 ike 0:To_EC2:84266: type=INTEGR, val=AUTH_HMAC_SHA_96
2015-02-03 09:47:26 ike 0:To_EC2:84266: type=PRF, val=PRF_HMAC_SHA
2015-02-03 09:47:26 ike 0:To_EC2:84266: type=DH_GROUP, val=1024.
2015-02-03 09:47:26 ike 0:To_EC2:84266: matched proposal id 1
2015-02-03 09:47:26 ike 0:To_EC2:84266: initiator preparing AUTH msg
2015-02-03 09:47:26 ike 0:To_EC2:84266: sending INITIAL-CONTACT
2015-02-03 09:47:26 ike 0:To_EC2:84266: detected NAT
2015-02-03 09:47:26 ike 0:To_EC2:84266: NAT-T float port 4500
2015-02-03 09:47:26 ike 0:To_EC2:84266: send AUTH
2015-02-03 09:47:26 ike 0:To_EC2:84266: using nat-t
2015-02-03 09:47:26 ike 0:To_EC2:84266: sent IKE msg (AUTH): x.x.x.x:4500->y.y.y.y:4500, len=316
2015-02-03 09:47:26 ike 0: comes y.y.y.y:4500->x.x.x.x:4500,ifindex=4....
2015-02-03 09:47:26 ike 0: IKEv2 exchange=AUTH_RESPONSE id=b5d58d1a2df7f3a7/38fd44028e9b2ede:00000001 len=76
2015-02-03 09:47:26 ike 0: found To_EC2 x.x.x.x 4 -> y.y.y.y:4500
2015-02-03 09:47:26 ike 0:To_EC2:84266: initiator received AUTH msg
2015-02-03 09:47:26 ike 0:To_EC2:84266: malformed message
2015-02-03 09:47:26 ike 0:To_EC2:84266: expiring IKE SA b5d58d1a2df7f3a7/38fd44028e9b2ede
2015-02-03 09:47:26 ike 0:To_EC2: deleting
2015-02-03 09:47:26 ike 0:To_EC2: flushing
2015-02-03 09:47:26 ike 0:To_EC2: flushed
2015-02-03 09:47:26 ike 0:To_EC2: reset NAT-T
2015-02-03 09:47:26 ike 0:To_EC2: deleted


##

Any ideas ?

Thank you


emnoc
New Member
February 3, 2015

Either the initiator or responder is mismatched. Have you done the following:


confirm a single proposal on phase1

confirm a single proposal on phase2

triple check that both sides match


Ken

Crown (Author)
New Member
February 3, 2015

Thank you Ken

Actually, it didn't make any difference. Please see my settings via:

#Fortigate

http://postimg.org/image/zfmqii9u3/

#Windows 2012 R2

http://postimg.org/image/4mu0rxvez/


Thank you


P.S.

I can see matched proposal logs, but, again, what the hell is that malformed message? :)

2015-02-03 10:52:39 ike 0:To_EC2:85042: matched proposal id 1
2015-02-03 10:52:39 ike 0:To_EC2:85042: initiator preparing AUTH msg
2015-02-03 10:52:39 ike 0:To_EC2:85042: sending INITIAL-CONTACT
2015-02-03 10:52:39 ike 0:To_EC2:85042: detected NAT
2015-02-03 10:52:39 ike 0:To_EC2:85042: NAT-T float port 4500
2015-02-03 10:52:39 ike 0:To_EC2:85042: send AUTH
2015-02-03 10:52:39 ike 0:To_EC2:85042: using nat-t
2015-02-03 10:52:39 ike 0:To_EC2:85042: sent IKE msg (AUTH): x.x.x.x:4500->y.y.y.y:4500, len=220
2015-02-03 10:52:39 ike 0: comes y.y.y.y:4500->x.x.x.x:4500,ifindex=4....
2015-02-03 10:52:39 ike 0: IKEv2 exchange=AUTH_RESPONSE id=cde35e7f74e41826/b39f30e8f71bef3b:00000001 len=76
2015-02-03 10:52:39 ike 0: found To_EC2 x.x.x.x 4 -> y.y.y.y:4500
2015-02-03 10:52:39 ike 0:To_EC2:85042: initiator received AUTH msg
2015-02-03 10:52:39 ike 0:To_EC2:85042: malformed message
2015-02-03 10:52:39 ike 0:To_EC2:85042: expiring IKE SA cde35e7f74e41826/b39f30e8f71bef3b
2015-02-03 10:52:39 ike 0:To_EC2: deleting
2015-02-03 10:52:39 ike 0:To_EC2: flushing
2015-02-03 10:52:39 ike 0:To_EC2: flushed
2015-02-03 10:52:39 ike 0:To_EC2: reset NAT-T
2015-02-03 10:52:39 ike 0:To_EC2: deleted


lkorbasiewicz_FTNT
Staff
February 3, 2015

Hello,


Considering the following two lines:

2015-02-03 10:52:39 ike 0:To_EC2:85042: initiator received AUTH msg

2015-02-03 10:52:39 ike 0:To_EC2:85042: malformed message

 

I would say that it may be a problem with pre-shared key.

Please try to set it to something simple like 1234567890 on both sides to confirm that they match. Enter them manually (do not use copy/paste) to make sure no whitespace character sneaks in.

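A triage helper for this kind of FortiGate IKE debug output, added here as an example and not code from Fortinet or from anyone in the thread. It splits a pasted, run-together blob into entries, groups them by negotiation number and reports whether each attempt died in IKE_SA_INIT (proposal, DH group, reachability) or IKE_AUTH (peer authentication: PSK, IDs, auth method); the 100-byte "lone notify" threshold and the condensed sample built from the thread's second attempt are assumptions.

```python
"""Triage FortiGate 'diagnose debug application ike' output for IKEv2 failures.

Added example, not FortiGate code or the thread author's: splits run-together
debug output into entries, groups them by negotiation number (the
'ike 0:To_EC2:84266:' prefix) and names the IKEv2 exchange each attempt died in.
"""
import re

ENTRY_RE = re.compile(r"(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ike )")
NEGO_RE = re.compile(r"ike 0:[^:]+:(?P<nego>\d+): (?P<msg>.*)")
AUTH_RESP_RE = re.compile(r"exchange=AUTH_RESPONSE id=\S+ len=(?P<len>\d+)")
# Assumed heuristic: a full IKE_AUTH reply (IDr, AUTH, SA, TSi, TSr) is well over
# 100 bytes; a smaller one can only carry a single notify payload.
SMALL_AUTH_RESPONSE = 100
# Constructed sample: the thread's second attempt, condensed, addresses as posted.
SAMPLE = " ".join([
    "2015-02-03 09:47:26 ike 0: IKEv2 exchange=SA_INIT_RESPONSE id=b5d58d1a2df7f3a7/38fd44028e9b2ede len=364",
    "2015-02-03 09:47:26 ike 0:To_EC2:84266: initiator received SA_INIT response",
    "2015-02-03 09:47:26 ike 0:To_EC2:84266: matched proposal id 1",
    "2015-02-03 09:47:26 ike 0: IKEv2 exchange=AUTH_RESPONSE id=b5d58d1a2df7f3a7/38fd44028e9b2ede:00000001 len=76",
    "2015-02-03 09:47:26 ike 0:To_EC2:84266: initiator received AUTH msg",
    "2015-02-03 09:47:26 ike 0:To_EC2:84266: malformed message",
    "2015-02-03 09:47:26 ike 0:To_EC2:84266: expiring IKE SA b5d58d1a2df7f3a7/38fd44028e9b2ede",
])

def classify(seen, auth_len):
    """Name the failing exchange from the messages seen for one negotiation."""
    if any("received AUTH msg" in s for s in seen):
        why = "peer rejected IKE_AUTH: check PSK, IDs and auth method on both sides"
        if auth_len is not None and auth_len < SMALL_AUTH_RESPONSE:
            why += "; reply too small for IDr/AUTH/SA/TS, looks like a lone notify"
        return "IKE_AUTH", why
    if any("received SA_INIT response" in s for s in seen):
        return "IKE_AUTH", "AUTH sent but no AUTH reply was processed"
    return "IKE_SA_INIT", "no usable SA_INIT reply: check proposal, DH group, reachability"

def triage(blob):
    """Map negotiation number -> (stage, reason) for every attempt that failed."""
    seen, auth_len, result = {}, None, {}
    for entry in (e.strip() for e in ENTRY_RE.split(blob) if e.strip()):
        ar = AUTH_RESP_RE.search(entry)
        if ar:
            auth_len = int(ar.group("len"))  # size of the peer's IKE_AUTH reply
        m = NEGO_RE.search(entry)
        if not m:
            continue
        nego, msg = m.group("nego"), m.group("msg")
        seen.setdefault(nego, []).append(msg)
        if nego not in result and (msg == "malformed message" or msg.startswith("expiring IKE SA")):
            result[nego] = classify(seen[nego], auth_len)
    return result
```

Run `triage()` over the whole debug capture (not just the last screen) so that attempts which never got an SA_INIT reply are classified separately from the IKE_AUTH rejections shown in this thread.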

emnoc
New Member
February 3, 2015

What's the default auth-method for wind$zes?


You know IKEv2 supports different authentication methods: initiator>>>responder and responder>>>>initiator can have different authorization methods (uni-directional).


I also see you have PFS enabled on the FGT, but where and how do you do this under the Windows host?


btw: if you happen to get this working, post your final note/cfgs.