yns_sa
New Member
June 9, 2022
Question

IPsec site to site Sophos Fortinet not established

  • June 9, 2022
  • 12 replies
  • 16011 views

Hi all, 

Has someone successfully set up an IPsec VPN between Sophos and FortiGate? If somebody can post a working configuration I would appreciate it.

thank you all

12 replies

ntaneja
Staff & Editor
June 10, 2022

Hi yns_sa

Please elaborate on the issue you are facing with IPsec between FortiGate and Sophos.
Are you looking for a document explaining the config on the devices, or have you done the required config and the tunnel is not coming up or working as expected?

Thanks

seshuganesh
Staff
June 10, 2022

Hi Team,

Please execute the commands below on the FortiGate firewall:

diag vpn ike log-filter dst-addr4 a.b.c.d    (where a.b.c.d is the remote Sophos public IP)
diag debug application ike -1
diag debug enable

Then try to bring the tunnel up again and collect the logs.
Once you have the required logs you can disable debugging with "diag debug disable".

Please share the output with us.

sw2090
SuperUser
June 10, 2022

Yeah, logs would be good (though even with them IPsec debugging is sometimes a pain in the a** [which is not Fortinet's fault but more one of IPsec itself]).

Probably a log of your Sophos VPN would also be helpful, because it depends on which side the issue happens. If the error occurs on the Sophos side you might not see a clue about it in the FGT logs.

yns_sa
Author
New Member
June 10, 2022

Hi all,

Find attached all logs from the FortiGate and the Sophos.

ike 0:vpn_sophos:52503: out F15ECABF7640EF0E00000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C151880010007800E010080030001800200048004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:vpn_sophos:52503: sent IKE msg (P1_RETRANSMIT): 10.10.20.2:500->196.206.X.X:500, len=168, id=f15ecabf7640ef0e/0000000000000000
ike 0:vpn_sophos:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:vpn_sophos:vpn_sophos: using existing connection
ike 0:vpn_sophos:vpn_sophos: config found
ike 0:vpn_sophos: request is on the queue
ike 0:vpn_sophos:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:vpn_sophos:vpn_sophos: using existing connection
ike 0:vpn_sophos:vpn_sophos: config found
ike 0:vpn_sophos: request is on the queue
ike 0:vpn_sophos:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:vpn_sophos:vpn_sophos: using existing connection
ike 0:vpn_sophos:vpn_sophos: config found
ike 0:vpn_sophos: request is on the queue
ike 0:vpn_sophos:52503: out F15ECABF7640EF0E00000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C151880010007800E010080030001800200048004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:vpn_sophos:52503: sent IKE msg (P1_RETRANSMIT): 10.10.20.2:500->196.206.X.X:500, len=168, id=f15ecabf7640ef0e/0000000000000000
ike 0:vpn_sophos:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:vpn_sophos:vpn_sophos: using existing connection
ike 0:vpn_sophos:vpn_sophos: config found
ike 0:vpn_sophos: request is on the queue
ike 0:vpn_sophos:52503: negotiation timeout, deleting
ike 0:vpn_sophos: connection expiring due to phase1 down
ike 0:vpn_sophos: deleting
ike 0:vpn_sophos: deleted
ike 0:vpn_sophos:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:vpn_sophos:vpn_sophos: config found
ike 0:vpn_sophos: created connection: 0x5519690 7 10.10.20.2->196.206.X.X:500.
ike 0:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:500 negotiating
ike 0:vpn_sophos: no suitable ISAKMP SA, queuing quick-mode request and initiating ISAKMP SA negotiation
ike 0:vpn_sophos:52504: initiator: main mode is sending 1st message...
ike 0:vpn_sophos:52504: cookie 512f40f8c4cd9442/0000000000000000
ike 0:vpn_sophos:52504: out 512F40F8C4CD944200000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C151880010007800E010080030001800200048004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:vpn_sophos:52504: sent IKE msg (ident_i1send): 10.10.20.2:500->196.206.X.X:500, len=168, id=512f40f8c4cd9442/0000000000000000
ike 0:vpn_sophos:52504: out 512F40F8C4CD944200000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C151880010007800E010080030001800200048004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:vpn_sophos:52504: sent IKE msg (P1_RETRANSMIT): 10.10.20.2:500->196.206.X.X:500, len=168, id=512f40f8c4cd9442/0000000000000000
ike 0:vpn_sophos:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:vpn_sophos:vpn_sophos: using existing connection
ike 0:vpn_sophos:vpn_sophos: config found
ike 0:vpn_sophos: request is on the queue
ike 0:vpn_sophos:52504: out 512F40F8C4CD944200000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C151880010007800E010080030001800200048004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:vpn_sophos:52504: sent IKE msg (P1_RETRANSMIT): 10.10.20.2:500->196.206.X.X:500, len=168, id=512f40f8c4cd9442/0000000000000000
ike 0:vpn_sophos:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:vpn_sophos:vpn_sophos: using existing connection
ike 0:vpn_sophos:vpn_sophos: config found
ike 0:vpn_sophos: request is on the queue

[Attachments: fortinet event.PNG, sophos error.PNG]

Contributor
June 13, 2022

Hi there,

I noticed the error below:

ike 0:vpn_sophos: no suitable ISAKMP SA, queuing quick-mode request and initiating ISAKMP SA negotiation

Most probably the issue is with the Phase 2 subnet.
Please make sure both sides, FortiGate and Sophos, are configured with the same information. Avoid using the 0.0.0.0/0 segment, as it may not be "compatible" with Sophos when negotiating the proper segment.

yns_sa
Author
New Member
June 13, 2022

Mr @Anonymous

I don't use 0.0.0.0/0; I set the correct subnet on both sides.

nithincs
Staff & Editor
June 10, 2022

Hi @yns_sa,

1. Check that the Phase 1 and Phase 2 IPsec proposals (DH group, authentication, encryption and key lifetime) are the same on both ends.
2. Run the sniffer command below and see whether UDP port 500 communication is happening between the two peers:

fgt# dia sniffer packet any "host x.x.x.x and (port 500 or port 4500)" 4 0 l

Replace x.x.x.x with your remote peer IP.

If you are not seeing the reverse traffic from the remote peer, please cross-check whether UDP ports 500 and 4500 and ESP packets are allowed by the ISP at both ends.

If there is a response, run the debug below and capture the IKE debug logs:

diag vpn ike log-filter dst-addr4 x.x.x.x    (where x.x.x.x is the remote Sophos public IP)
diag debug application ike -1
diag debug enable

Then try to bring the tunnel up again and collect the logs.
Once you have the required logs you can disable debugging with "diag debug disable".

Please share the output with us.

yns_sa
Author
New Member
June 10, 2022

This is the output of:

diag vpn ike log-filter dst-addr4 x.x.x.x    (where x.x.x.x is the remote Sophos public IP)
diag debug application ike -1
diag debug enable

ike 0:vpn_sophos:52503: out F15ECABF7640EF0E00000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C151880010007800E010080030001800200048004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:vpn_sophos:52503: sent IKE msg (P1_RETRANSMIT): 10.10.20.2:500->196.206.X.X:500, len=168, id=f15ecabf7640ef0e/0000000000000000
ike 0:vpn_sophos:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:vpn_sophos:vpn_sophos: using existing connection
ike 0:vpn_sophos:vpn_sophos: config found
ike 0:vpn_sophos: request is on the queue
ike 0:vpn_sophos:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:vpn_sophos:vpn_sophos: using existing connection
ike 0:vpn_sophos:vpn_sophos: config found
ike 0:vpn_sophos: request is on the queue
ike 0:vpn_sophos:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:vpn_sophos:vpn_sophos: using existing connection
ike 0:vpn_sophos:vpn_sophos: config found
ike 0:vpn_sophos: request is on the queue
ike 0:vpn_sophos:52503: out F15ECABF7640EF0E00000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C151880010007800E010080030001800200048004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:vpn_sophos:52503: sent IKE msg (P1_RETRANSMIT): 10.10.20.2:500->196.206.X.X:500, len=168, id=f15ecabf7640ef0e/0000000000000000
ike 0:vpn_sophos:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:vpn_sophos:vpn_sophos: using existing connection
ike 0:vpn_sophos:vpn_sophos: config found
ike 0:vpn_sophos: request is on the queue
ike 0:vpn_sophos:52503: negotiation timeout, deleting
ike 0:vpn_sophos: connection expiring due to phase1 down
ike 0:vpn_sophos: deleting
ike 0:vpn_sophos: deleted
ike 0:vpn_sophos:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:vpn_sophos:vpn_sophos: config found
ike 0:vpn_sophos: created connection: 0x5519690 7 10.10.20.2->196.206.X.X:500.
ike 0:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:500 negotiating
ike 0:vpn_sophos: no suitable ISAKMP SA, queuing quick-mode request and initiating ISAKMP SA negotiation
ike 0:vpn_sophos:52504: initiator: main mode is sending 1st message...
ike 0:vpn_sophos:52504: cookie 512f40f8c4cd9442/0000000000000000
ike 0:vpn_sophos:52504: out 512F40F8C4CD944200000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C151880010007800E010080030001800200048004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:vpn_sophos:52504: sent IKE msg (ident_i1send): 10.10.20.2:500->196.206.X.X:500, len=168, id=512f40f8c4cd9442/0000000000000000
ike 0:vpn_sophos:52504: out 512F40F8C4CD944200000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C151880010007800E010080030001800200048004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:vpn_sophos:52504: sent IKE msg (P1_RETRANSMIT): 10.10.20.2:500->196.206.X.X:500, len=168, id=512f40f8c4cd9442/0000000000000000
ike 0:vpn_sophos:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:vpn_sophos:vpn_sophos: using existing connection
ike 0:vpn_sophos:vpn_sophos: config found
ike 0:vpn_sophos: request is on the queue
ike 0:vpn_sophos:52504: out 512F40F8C4CD944200000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C151880010007800E010080030001800200048004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:vpn_sophos:52504: sent IKE msg (P1_RETRANSMIT): 10.10.20.2:500->196.206.X.X:500, len=168, id=512f40f8c4cd9442/0000000000000000
ike 0:vpn_sophos:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:vpn_sophos:vpn_sophos: using existing connection
ike 0:vpn_sophos:vpn_sophos: config found
ike 0:vpn_sophos: request is on the queue

vponmuniraj
Staff
June 11, 2022

Hi,

Looking at the debug, we can see P1_RETRANSMIT and timeouts. There is no response from the peer to the 1st message, or the 1st message did not even reach the peer.

Check whether the config is done on the peer and whether the ISP or any other device is blocking UDP 500.

Regards,

yns_sa
Author
New Member
June 11, 2022

It is the same result from the Sophos. By the way, the FG is paired with another FG correctly, and I succeeded in peering this FortiGate with a Zyxel firewall, and also the Sophos with the Zyxel.

So that is why I am asking for the correct configuration to peer the Sophos with the FG.

sagha
Staff
June 14, 2022

Hi, 

There seems to be an issue with communication between the two devices, as we can see a lot of P1_RETRANSMITs. You need to check whether you have two-way traffic between the FGT and the remote host.

Share the output of this command:

diagnose sniffer packet any "host 196.206.X.X and (port 500 or port 4500)" 4 0 l

On the FGT, it appears that you are using a private IP, and there is probably NAT in place on some other device. You will have to ensure that inbound NAT is also configured so that the IPsec traffic makes it to the FGT.

Thank you.

Shahan Agha
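The two-way-traffic check asked for in the posts above, as an added example that is not part of this thread or of any Fortinet tooling: a small Python parser for the FortiGate sniffer output that counts IKE packets per direction and says whether the peer ever answered. The line format (`<date> <time> <interface> <in|out> <src>.<port> -> <dst>.<port>: udp <len>`) is assumed for `diagnose sniffer packet ... 4 0 l`; the sample captures are constructed, with 203.0.113.10 standing in for the masked Sophos address and 10.10.20.2 for the FortiGate's private WAN address from the thread.

```python
import re
from collections import Counter

# Constructed sample output, in the line format this example assumes for
# `diagnose sniffer packet any "host 203.0.113.10 and (port 500 or port 4500)" 4 0 l`:
#   <date> <time> <interface> <in|out> <src>.<sport> -> <dst>.<dport>: udp <length>
# Three IKE packets go out to the peer, nothing ever comes back (the thread's situation).
SNIFFER_ONE_WAY = """\
2022-06-10 10:15:01.100000 wan1 out 10.10.20.2.500 -> 203.0.113.10.500: udp 168
2022-06-10 10:15:11.100000 wan1 out 10.10.20.2.500 -> 203.0.113.10.500: udp 168
2022-06-10 10:15:21.100000 wan1 out 10.10.20.2.500 -> 203.0.113.10.500: udp 168
"""

# Constructed: IKE_SA_INIT on UDP 500 is answered, then the exchange moves to UDP 4500 (NAT-T),
# which is what to expect when the FortiGate sits behind a NAT device as the thread suggests.
SNIFFER_TWO_WAY_NATT = """\
2022-06-14 09:00:00.100000 wan1 out 10.10.20.2.500 -> 203.0.113.10.500: udp 336
2022-06-14 09:00:00.150000 wan1 in 203.0.113.10.500 -> 10.10.20.2.500: udp 268
2022-06-14 09:00:00.200000 wan1 out 10.10.20.2.4500 -> 203.0.113.10.4500: udp 340
2022-06-14 09:00:00.250000 wan1 in 203.0.113.10.4500 -> 10.10.20.2.4500: udp 100
"""

LINE_RE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) (?P<direction>in|out) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): udp (?P<length>\d+)$"
)


def parse_sniffer(text):
    """Parse the UDP lines of the sniffer output; anything else (ESP, noise) is skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(m.groupdict())
    return packets


def ike_traffic_summary(text, peer):
    """Count IKE packets to and from `peer` and say whether the exchange is two-way."""
    counts = Counter()
    for p in parse_sniffer(text):
        if p["dst"] == peer:
            counts["sent", p["dport"]] += 1
        elif p["src"] == peer:
            counts["received", p["sport"]] += 1
    sent = counts["sent", "500"] + counts["sent", "4500"]
    received = counts["received", "500"] + counts["received", "4500"]
    nat_t = counts["sent", "4500"] + counts["received", "4500"] > 0

    if sent == 0:
        verdict = "no IKE packets sent to peer: phase1 never triggered or peer address wrong"
    elif received == 0:
        verdict = ("one-way: FortiGate sends IKE but nothing comes back; check reachability, "
                   "UDP 500/4500 filtering at either ISP, and inbound NAT on the device in front "
                   "of the FortiGate")
    elif nat_t:
        verdict = "two-way with NAT-T (UDP 4500); peer reachable, look at the IKE debug for the failure"
    else:
        verdict = "two-way on UDP 500; peer reachable, look at the IKE debug for the failure"
    return {"sent": sent, "received": received, "nat_t": nat_t, "verdict": verdict}


if __name__ == "__main__":
    for label, capture in (("one-way", SNIFFER_ONE_WAY), ("nat-t", SNIFFER_TWO_WAY_NATT)):
        print(label, ike_traffic_summary(capture, "203.0.113.10"))
```

Paste the real sniffer output in place of the constructed samples; a "one-way" verdict means the IKE debug on the FortiGate will only ever show retransmits and the cause has to be found on the path or on the Sophos.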

rarumugam
Staff
June 14, 2022

Hello yns_sa,

As per the logs, the FortiGate is acting as the initiator: it starts the VPN negotiation by sending the 1st message of Phase 1. Below is the snippet:

ike 0:vpn_sophos:52504: initiator: main mode is sending 1st message...
ike 0:vpn_sophos:52504: cookie 512f40f8c4cd9442/0000000000000000
ike 0:vpn_sophos:52504: out
ike 0:vpn_sophos:52504: sent IKE msg (ident_i1send): 10.10.20.2:500->196.206.X.X:500, len=168, id=512f40f8c4cd9442/0000000000000000

However, there is no response from the peer end (i.e. Sophos). Hence the negotiation times out/fails after a few retries.

ike 0:vpn_sophos:52503: sent IKE msg (P1_RETRANSMIT): 10.10.20.2:500->196.206.X.X:500, len=168, id=f15ecabf7640ef0e/0000000000000000 >>> retry/retransmit

ike 0:vpn_sophos:52503: negotiation timeout, deleting
ike 0:vpn_sophos: connection expiring due to phase1 down
ike 0:vpn_sophos: deleting
ike 0:vpn_sophos: deleted

There are two possibilities:

1) Reachability issue between the two sites (FortiGate and Sophos)

2) Sophos not accepting the VPN message from the FortiGate (could be due to any proposal mismatch).

Possibility #1:

  • Run a packet capture on the Sophos to verify whether the VPN message sent from the FortiGate is reaching its end or not. If the messages are not received at the Sophos end, this indicates a connectivity problem between the sites.
  • Ping the Sophos VPN gateway IP 196.206.X.X from the FortiGate and check whether it is pingable. If not, run a regular traceroute to 196.206.X.X from the FortiGate to identify the hop at which the traffic is failing. Then check with the respective ISP to rectify the connectivity.
  • In case the ping between the two sites is successful but the VPN messages on UDP 500 from one end are not reaching the other, run a UDP traceroute from a PC behind the FortiGate to the Sophos IP on UDP port 500 to identify the hop at which the traffic is failing.
  • You could use the "udptrace.exe" tool for running a UDP traceroute; it can be downloaded from "https://chrislloyd.co/udptrace/".

Possibility #2:

  • If the VPN messages are reaching the Sophos but it is not responding, make sure the Phase 1 proposals are the same on both ends and check the Sophos logs for a more detailed reason.

sw2090
SuperUser
June 14, 2022

OK, we see the FGT (re)transmitting messages to the Sophos but we do not see any response. This could mean, as Rambharati wrote, either that there is some issue with reachability between the FGT and the Sophos, or that some error occurred on the Sophos which prevents it from responding.

This is a weak point in basic IPsec debugging (not Fortinet specific): if there is an error on one side, mostly the opposite side doesn't get the error but only "no response from peer" or similar.

So you might also check the logs on the Sophos to see if it reported any error during negotiation...

One reason why I don't like to debug IPSec ;)

yns_sa
Author
New Member
June 14, 2022

Thank you. Now I have the following error:

Branch-Oncorad #
ike 0:forti_sofos_vpn:forti_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:forti_sofos_vpn:forti_sophos: config found
ike 0:forti_sofos_vpn: created connection: 0x553f5d8 7 10.10.20.2->196.206.X.X:500.
ike 0:forti_sofos_vpn: IPsec SA connect 7 10.10.20.2->196.206.X.X:500 negotiating
ike 0:forti_sofos_vpn: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
ike 0:forti_sofos_vpn:66050: out [packet hex omitted]
ike 0:forti_sofos_vpn:66050: sent IKE msg (SA_INIT): 10.10.20.2:500->196.206.X.X:500, len=336, id=28a194ba6754f0f0/0000000000000000
ike 0: comes 196.206.X.X:500->10.10.20.2:500,ifindex=7....
ike 0: IKEv2 exchange=SA_INIT_RESPONSE id=28a194ba6754f0f0/81c07845925bf6c6 len=268
ike 0: in [packet hex omitted]
ike 0:forti_sofos_vpn:66050: initiator received SA_INIT response
ike 0:forti_sofos_vpn:66050: processing notify type FRAGMENTATION_SUPPORTED
ike 0:forti_sofos_vpn:66050: processing notify type 16404
ike 0:forti_sofos_vpn:66050: incoming proposal:
ike 0:forti_sofos_vpn:66050: proposal id = 1:
ike 0:forti_sofos_vpn:66050: protocol = IKEv2:
ike 0:forti_sofos_vpn:66050: encapsulation = IKEv2/none
ike 0:forti_sofos_vpn:66050: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:forti_sofos_vpn:66050: type=INTEGR, val=AUTH_HMAC_SHA2_512_256
ike 0:forti_sofos_vpn:66050: type=PRF, val=PRF_HMAC_SHA2_512
ike 0:forti_sofos_vpn:66050: type=DH_GROUP, val=ECP521.
ike 0:forti_sofos_vpn:66050: matched proposal id 1
ike 0:forti_sofos_vpn:66050: proposal id = 1:
ike 0:forti_sofos_vpn:66050: protocol = IKEv2:
ike 0:forti_sofos_vpn:66050: encapsulation = IKEv2/none
ike 0:forti_sofos_vpn:66050: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:forti_sofos_vpn:66050: type=INTEGR, val=AUTH_HMAC_SHA2_512_256
ike 0:forti_sofos_vpn:66050: type=PRF, val=PRF_HMAC_SHA2_512
ike 0:forti_sofos_vpn:66050: type=DH_GROUP, val=ECP521.
ike 0:forti_sofos_vpn:66050: lifetime=5400
ike 0:forti_sofos_vpn:66050: IKE SA 28a194ba6754f0f0/81c07845925bf6c6 SK_ei 32:92BFBC565828DC025F8576394E8B9E1E6B3B726264692B8B661996E7852C0B0B
ike 0:forti_sofos_vpn:66050: IKE SA 28a194ba6754f0f0/81c07845925bf6c6 SK_er 32:D7C56DFFB2F2C8981941E86D56594BF5541085DCF7FE99E07AE7E9867E08F482
ike 0:forti_sofos_vpn:66050: IKE SA 28a194ba6754f0f0/81c07845925bf6c6 SK_ai 64:96EC1CE33F02A1CEBDB38E4EDFE3AE115A4B6EC00FC4033DEF2B737DD0BB56F8A1B39925F2A606CF10C23C00CF9037C71AE4ADA0AA91A996E3AD31AFE380AA60
ike 0:forti_sofos_vpn:66050: IKE SA 28a194ba6754f0f0/81c07845925bf6c6 SK_ar 64:185A1FF1098AC21D2D069DB4BCAE25E04B50732D8F4BD47E0E4A187FD439EEF7FFD5C1B5CAD28C4A1D22B8EEEA2EF66EE3755A94B5310C51B181CD5198877459
ike 0:forti_sofos_vpn:66050: initiator preparing AUTH msg
ike 0:forti_sofos_vpn:66050: sending INITIAL-CONTACT
ike 0:forti_sofos_vpn:66050: enc [packet hex omitted]
ike 0:forti_sofos_vpn:66050: out [packet hex omitted]
ike 0:forti_sofos_vpn:66050: sent IKE msg (AUTH): 10.10.20.2:500->196.206.X.X:500, len=336, id=28a194ba6754f0f0/81c07845925bf6c6:00000001
ike 0: comes 196.206.X.X:500->10.10.20.2:500,ifindex=7....
ike 0: IKEv2 exchange=AUTH_RESPONSE id=28a194ba6754f0f0/81c07845925bf6c6:00000001 len=96
ike 0: in 28A194BA6754F0F081C07845925BF6C62E202320000000010000006029000044D98D5792F8C4637E1A42B3B232B5D8B58AED86DBC0B83AB684023A49D067C94EB2489DE85F692D2B8482AC79B7AB4C17D8F056B88F65C6654DFFAB06C30EA7E9
ike 0:forti_sofos_vpn:66050: dec 28A194BA6754F0F081C07845925BF6C62E2023200000000100000028290000040000000800000018
ike 0:forti_sofos_vpn:66050: initiator received AUTH msg
ike 0:forti_sofos_vpn:66050: received notify type AUTHENTICATION_FAILED
ike 0:forti_sofos_vpn:66050: schedule delete of IKE SA 28a194ba6754f0f0/81c07845925bf6c6
ike 0:forti_sofos_vpn:66050: scheduled delete of IKE SA 28a194ba6754f0f0/81c07845925bf6c6
ike 0:forti_sofos_vpn: connection expiring due to phase1 down
ike 0:forti_sofos_vpn: deleting
ike 0:forti_sofos_vpn: deleted
ike 0:forti_sofos_vpn: set oper down
ike 0:forti_sofos_vpn:forti_sophos: chosen to populate IKE_SA traffic-selectors
ike 0:forti_sofos_vpn: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
ike 0:forti_sofos_vpn:66051: out [packet hex omitted]
ike 0:forti_sofos_vpn:66051: sent IKE msg (SA_INIT): 10.10.20.2:500->196.206.X.X:500, len=336, id=8bd50917ec0ddd09/0000000000000000
ike 0: comes 196.206.X.X:500->10.10.20.2:500,ifindex=7....
ike 0: IKEv2 exchange=SA_INIT_RESPONSE id=8bd50917ec0ddd09/35558bd5e04599df len=268
ike 0: in [packet hex omitted]
ike 0:forti_sofos_vpn:66051: initiator received SA_INIT response
ike 0:forti_sofos_vpn:66051: processing notify type FRAGMENTATION_SUPPORTED
ike 0:forti_sofos_vpn:66051: processing notify type 16404
ike 0:forti_sofos_vpn:66051: incoming proposal:
ike 0:forti_sofos_vpn:66051: proposal id = 1:
ike 0:forti_sofos_vpn:66051: protocol = IKEv2:
ike 0:forti_sofos_vpn:66051: encapsulation = IKEv2/none
ike 0:forti_sofos_vpn:66051: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:forti_sofos_vpn:66051: type=INTEGR, val=AUTH_HMAC_SHA2_512_256
ike 0:forti_sofos_vpn:66051: type=PRF, val=PRF_HMAC_SHA2_512
ike 0:forti_sofos_vpn:66051: type=DH_GROUP, val=ECP521.
ike 0:forti_sofos_vpn:66051: matched proposal id 1
ike 0:forti_sofos_vpn:66051: proposal id = 1:
ike 0:forti_sofos_vpn:66051: protocol = IKEv2:
ike 0:forti_sofos_vpn:66051: encapsulation = IKEv2/none
ike 0:forti_sofos_vpn:66051: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:forti_sofos_vpn:66051: type=INTEGR, val=AUTH_HMAC_SHA2_512_256
ike 0:forti_sofos_vpn:66051: type=PRF, val=PRF_HMAC_SHA2_512
ike 0:forti_sofos_vpn:66051: type=DH_GROUP, val=ECP521.
ike 0:forti_sofos_vpn:66051: lifetime=5400
ike 0:forti_sofos_vpn:66051: IKE SA 8bd50917ec0ddd09/35558bd5e04599df SK_ei 32:FD9EF2351B5FC6771386F85F35153D4B7B0B9B51D65EA5606D6EE9F3A9F1DA60
ike 0:forti_sofos_vpn:66051: IKE SA 8bd50917ec0ddd09/35558bd5e04599df SK_er 32:3CEF112C69BE7384B65E916A44FCEAA616796F6D3348AFE48993A3C8D832E3B9
ike 0:forti_sofos_vpn:66051: IKE SA 8bd50917ec0ddd09/35558bd5e04599df SK_ai 64:31B8A8D8A7275EBB1327875406F2782D67DD3D49CA2272E2984488B3362DD21D1C31D3E4BCB4592F8B12C99C0A4814DAE7DC8BFE42C903F418B1A183FB1AC8AF
ike 0:forti_sofos_vpn:66051: IKE SA 8bd50917ec0ddd09/35558bd5e04599df SK_ar 64:1CF94E9D627347BA19155DD9772CD7529DB872B9A893883C7E40A3A93EA82608AA865DBAED992ABF90C46424FC0E327CA759334FA37EC27BE1BAA8B1629645DC
ike 0:forti_sofos_vpn:66051: initiator preparing AUTH msg
ike 0:forti_sofos_vpn:66051: sending INITIAL-CONTACT
ike 0:forti_sofos_vpn:66051: enc [packet hex omitted]
ike 0:forti_sofos_vpn:66051: out [packet hex omitted]
ike 0:forti_sofos_vpn:66051: sent IKE msg (AUTH): 10.10.20.2:500->196.206.X.X:500, len=336, id=8bd50917ec0ddd09/35558bd5e04599df:00000001

rarumugam
Staff
June 14, 2022

- It seems you switched from IKEv1 to IKEv2, and the FortiGate started receiving responses from the peer.

- Now the negotiation fails during the Auth phase.

- The FortiGate receives "AUTHENTICATION_FAILED" from the peer.

- There could be a mismatch in the parameters below:

  • IKE ID
  • Pre-shared key
  • Traffic selectors (i.e. Phase 2 proxy-IDs)

- Looking at the logs, the FortiGate seems to be behind a NAT device, holding a private IP address (10.10.20.2) on its underlay side. The chances are high for a mismatch in the IKE ID. In such a case either set the local-id on the FortiGate end or set the peer-id on the remote end.

- However, compare the above-mentioned parameters from both ends and correct them if there is any mismatch.
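The triage the staff replies walk through above (retransmits with no reply in the IKEv1 attempt, then AUTHENTICATION_FAILED in the IKEv2 attempt), as an added example that is not part of this thread or of any Fortinet tooling: a Python script that reads `diagnose debug application ike -1` output, counts what each tunnel sent and what came back from the peer, and maps the notify the peer returned to the parameter to check. The excerpts are constructed from the patterns in the posted output, with 203.0.113.10 standing in for the masked Sophos address; only AUTHENTICATION_FAILED is taken from this thread, and it is assumed that FortiOS prints the other IKEv2 notify types in the same "received notify type X" form.

```python
import re
from collections import defaultdict

# Constructed excerpts modelled on the `diagnose debug application ike -1` output posted in this
# thread: the IKEv1 main-mode attempt that never gets an answer, then the IKEv2 attempt that the
# peer rejects at IKE_AUTH. 203.0.113.10 stands in for the masked Sophos public IP.
IKEV1_NO_REPLY = """\
ike 0:vpn_sophos:52504: initiator: main mode is sending 1st message...
ike 0:vpn_sophos:52504: sent IKE msg (ident_i1send): 10.10.20.2:500->203.0.113.10:500, len=168, id=512f40f8c4cd9442/0000000000000000
ike 0:vpn_sophos:52504: sent IKE msg (P1_RETRANSMIT): 10.10.20.2:500->203.0.113.10:500, len=168, id=512f40f8c4cd9442/0000000000000000
ike 0:vpn_sophos:52504: sent IKE msg (P1_RETRANSMIT): 10.10.20.2:500->203.0.113.10:500, len=168, id=512f40f8c4cd9442/0000000000000000
ike 0:vpn_sophos:52504: negotiation timeout, deleting
ike 0:vpn_sophos: connection expiring due to phase1 down
"""

IKEV2_AUTH_FAILED = """\
ike 0:forti_sofos_vpn:66050: sent IKE msg (SA_INIT): 10.10.20.2:500->203.0.113.10:500, len=336, id=28a194ba6754f0f0/0000000000000000
ike 0: comes 203.0.113.10:500->10.10.20.2:500,ifindex=7....
ike 0: IKEv2 exchange=SA_INIT_RESPONSE id=28a194ba6754f0f0/81c07845925bf6c6 len=268
ike 0:forti_sofos_vpn:66050: initiator received SA_INIT response
ike 0:forti_sofos_vpn:66050: matched proposal id 1
ike 0:forti_sofos_vpn:66050: sent IKE msg (AUTH): 10.10.20.2:500->203.0.113.10:500, len=336, id=28a194ba6754f0f0/81c07845925bf6c6:00000001
ike 0: comes 203.0.113.10:500->10.10.20.2:500,ifindex=7....
ike 0:forti_sofos_vpn:66050: initiator received AUTH msg
ike 0:forti_sofos_vpn:66050: received notify type AUTHENTICATION_FAILED
ike 0:forti_sofos_vpn: connection expiring due to phase1 down
"""

# "ike <vdom>:<tunnel>:<serial>: <message>" (the serial is absent on some lines)
TUNNEL_RE = re.compile(r"^ike \d+:(?P<tunnel>[^:\s]+):(?:\d+:)?\s*(?P<msg>.*)$")
# inbound packets are logged without a tunnel name, so they are keyed by peer address instead
COMES_RE = re.compile(r"^ike \d+: comes (?P<peer>\d{1,3}(?:\.\d{1,3}){3}):\d+->")
SENT_RE = re.compile(r"sent IKE msg \((?P<kind>[^)]+)\): [\d.]+:\d+->(?P<dst>[\d.]+):\d+")
NOTIFY_RE = re.compile(r"received notify type (?P<name>[A-Z_0-9]+)")

# What a notify from the peer points at. AUTHENTICATION_FAILED is the one seen in this thread;
# the others are IKEv2 notify types (RFC 7296) assumed to be printed in the same form.
NOTIFY_HINTS = {
    "AUTHENTICATION_FAILED": ("peer rejected IKE_AUTH: check the pre-shared key and the IKE IDs "
                              "(a NATed FortiGate needs a local-id the peer expects)"),
    "NO_PROPOSAL_CHOSEN": "proposal mismatch: align encryption, integrity, PRF and DH group",
    "TS_UNACCEPTABLE": "traffic selector mismatch: align the phase2 local/remote subnets",
    "INVALID_KE_PAYLOAD": "DH group mismatch: the peer wants a different group than the one offered",
}


def triage_ike_debug(text):
    """Return, per tunnel, what was sent, what came back and the most likely reason it failed."""
    tunnels = defaultdict(lambda: {"peer": None, "sent": 0, "retransmits": 0, "notifies": []})
    inbound = defaultdict(int)
    for line in text.splitlines():
        m = COMES_RE.match(line)
        if m:
            inbound[m.group("peer")] += 1
            continue
        m = TUNNEL_RE.match(line)
        if not m:
            continue
        t, msg = tunnels[m.group("tunnel")], m.group("msg")
        s = SENT_RE.search(msg)
        if s:
            t["sent"] += 1
            t["peer"] = s.group("dst")
            if "RETRANSMIT" in s.group("kind"):
                t["retransmits"] += 1
        n = NOTIFY_RE.search(msg)
        if n:
            t["notifies"].append(n.group("name"))

    report = {}
    for name, t in tunnels.items():
        responses = inbound.get(t["peer"], 0)
        hint = next((NOTIFY_HINTS[n] for n in t["notifies"] if n in NOTIFY_HINTS), None)
        if hint:
            verdict = hint
        elif t["sent"] and responses == 0:
            verdict = ("no reply from peer: check reachability, UDP 500/4500 filtering and inbound "
                       "NAT; the peer's own log is the only place its reason will show up")
        elif t["notifies"]:
            verdict = "peer sent notify %s: check the peer's log" % ", ".join(t["notifies"])
        else:
            verdict = "no error recorded in this excerpt; check phase2 and the peer's log"
        report[name] = dict(t, responses=responses, verdict=verdict)
    return report


if __name__ == "__main__":
    for excerpt in (IKEV1_NO_REPLY, IKEV2_AUTH_FAILED):
        for tunnel, r in triage_ike_debug(excerpt).items():
            print(tunnel, r)
```

The point of keying inbound packets by peer address is the one sw2090 makes: the FortiGate's debug only ever shows what it sent and what arrived, so a tunnel with retransmits and zero "comes" lines is a path or peer-side problem, while a notify such as AUTHENTICATION_FAILED proves the path is fine and narrows the search to PSK and IKE IDs.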