IPSEC Tunnel between Fortigate and TP-Link MR 600

Question

Hi,I'm trying do do IPSEC between my Fortigate and a TP-Link MR 600 (4G router).My Fortigate is traversing NAT.The configuration seems fine on both ends but the phase 1 don't go up.Here are the log messages (public IPs have been anonymised), I do not know what to look for :Spoiler (Highlight to read)ike 0:test-4g: schedule auto-negotiateike 0:test-4g:12625051: initiator: main mode is sending 1st message...ike 0:test-4g:12625051: cookie 53b3a340214e0b8a/0000000000000000ike 0:test-4g:12625051: out 53B3A340214E0B8A00000000000000000110020000000000000001200D00003800000001000000010000002C010100010000002401010000800B0001800C0E1080010007800E01008003000180020001800400050D0000144A131C81070358455C5728F20E95452F0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000ike 0:test-4g:12625051: sent IKE msg (ident_i1send): X.X.X.X:500->X.X.X.X:500, len=288, id=53b3a340214e0b8a/0000000000000000ike 0: comes X.X.X.X:500->X.X.X.X:500,ifindex=351....ike 0: IKEv1 exchange=Identity Protection id=53b3a340214e0b8a/469f4ffb9008ead7 len=160ike 0: in 53B3A340214E0B8A469F4FFB9008EAD70110020000000000000000A00D00003800000001000000010000002C01010001000000240101000080010007800E0100800200018004000580030001800B0001800C0E100D00000C09002689DFD6B7120D000014AFCAD71368A1F1C96B8696FC775701000D0000184048B7D56EBCE88525E7DE7F00D6C2D380000000000000144A131C81070358455C5728F20E95452Fike 0:test-4g:12625051: initiator: main mode get 1st response...ike 0:test-4g:12625051: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712ike 0:test-4g:12625051: VID DPD AFCAD71368A1F1C96B8696FC77570100ike 0:test-4g:12625051: DPD negotiatedike 0:test-4g:12625051: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000ike 0:test-4g:12625051: VID RFC 3947 4A131C81070358455C5728F20E95452Fike 0:test-4g:12625051: selected NAT-T version: RFC 3947ike 0:test-4g:12625051: negotiation resultike 0:test-4g:12625051: proposal id = 1:ike 0:test-4g:12625051: protocol id = ISAKMP:ike 0:test-4g:12625051: trans_id = KEY_IKE.ike 0:test-4g:12625051: encapsulation = IKE/noneike 0:test-4g:12625051: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256ike 0:test-4g:12625051: type=OAKLEY_HASH_ALG, val=MD5.ike 0:test-4g:12625051: type=AUTH_METHOD, val=PRESHARED_KEY.ike 0:test-4g:12625051: type=OAKLEY_GROUP, val=MODP1536.ike 0:test-4g:12625051: ISAKMP SA lifetime=3600ike 0:test-4g:12625051: out 53B3A340214E0B8A469F4FFB9008EAD704100200000000000000011C0A0000C43E07BA29DAC1D85733595493CE03CE66741DC5CA56B5AD4051A7EEB16AC66BE2CE7B7CD92C4E1103F4FE5264342F06D455EF24CAAFBD04C65400AF933ABB1A7F33E980552F89C085DF937114A0FFCAE7A31A1F264A7AEDCEE4229D8516B743B8F3294D21490392483F8BC1435BD37E84E9643A81B63D526BD5A93A3AAD52911B8DFDCAAFEF207F174585761B6C10917ECB91E5D9D926CBBBA7C58CD8B6090ED5BBF01A808DB56B9D8A38657B490677E3C62F73BE1E05CF3C95D9FA6F49E9E48D1400001493D416F64EE16E6741AA3C977B08171D14000014438B058F4A819D574311D88CACFF4A86000000140E8B492978026BFDDCF931924B643F20ike 0:test-4g:12625051: sent IKE msg (ident_i2send): X.X.X.X:500->X.X.X.X:500, len=284, id=53b3a340214e0b8a/469f4ffb9008ead7ike 0: comes X.X.X.X:500->X.X.X.X:500,ifindex=351....ike 0: IKEv1 exchange=Identity Protection id=53b3a340214e0b8a/469f4ffb9008ead7 len=300ike 0: in 53B3A340214E0B8A469F4FFB9008EAD704100200000000000000012C0A0000C4DE97744EFD5BC9AD1216549819EEEDE2023674821B4144FDF70E8B798D9BC2A0B939CA8AB0B6DEC9D073D2DD4F6C39793B8A615BD80A514B3C7E5977058BA270A054E625B4BC9F346DE7AE8ED5A9003C4C722CA88CE7F5B423A5CB283708DE82B4605609F1EF74672DC85038F7D05AA48E54BC287DC361872BCD510EF51447D2D6CD681A0A01109E6ABAB0B91FE0DC54FCFDD6EC548EF95E833A6177D6E3D1EA11652503251351935FE47CA0CF08730B7821E4F81DE5BC691ED6480CF99A034A1400002401468CCDAAD02CC13F0632BA5F46C01B4AC7329C238CF31B671BBF8113E487EC1400001445EEFF8D15C4CE4E11EA816269CD0AA800000014438B058F4A819D574311D88CACFF4A86ike 0:test-4g:12625051: initiator: main mode get 2nd response...ike 0:test-4g:12625051: received NAT-D payload type 20ike 0:test-4g:12625051: received NAT-D payload type 20ike 0:test-4g:12625051: NAT detected: MEike 0:test-4g:12625051: NAT-T float port 4500ike 0:test-4g:12625051: ISAKMP SA 53b3a340214e0b8a/469f4ffb9008ead7 key 32:3791683A25E8CBBE68F7897BFCB2D8D2EE0AFF5C477155B14F43CDD1459E9389ike 0:test-4g:12625051: add INITIAL-CONTACTike 0:test-4g:12625051: enc 53B3A340214E0B8A469F4FFB9008EAD70510020100000000000000580800000C010000000A0A67190B000014F33BBB6DD35A229E689EE7892C7F4BA20000001C000000010110600253B3A340214E0B8A469F4FFB9008EAD7ike 0:test-4g:12625051: out 53B3A340214E0B8A469F4FFB9008EAD705100201000000000000005CB84737AFDC8BADE434703EC4AF6E2430B6C55F468EBD00374AF52F1B8DDB24F1AC1C78153C1DE1464B24DFD2C416BCE76487F269802E424D52C0A64B838F90FDike 0:test-4g:12625051: sent IKE msg (ident_i3send): X.X.X.X:4500->X.X.X.X:4500, len=92, id=53b3a340214e0b8a/469f4ffb9008ead7ike 0: comes X.X.X.X:4500->X.X.X.X:4500,ifindex=351....ike 0: IKEv1 exchange=Informational id=53b3a340214e0b8a/469f4ffb9008ead7:30dbcd0a len=92ike 0: in 53B3A340214E0B8A469F4FFB9008EAD70810050130DBCD0A0000005C0C4C10607A36BA5C75B7A0FBA7E76C6718D5F094670F90FA58F0EF5D5D9206B63DEA1558999E53A13E5E1B61D047BAB63423D57E2AAD2F51A78F18F51BE00F62ike 0:test-4g:12625051: dec 53B3A340214E0B8A469F4FFB9008EAD70810050130DBCD0A0000005C0B000014D0AFEB1284628867BDA3911F323A199A0000001C000000010110001853B3A340214E0B8A469F4FFB9008EAD700000000000000000000000000000000ike 0:test-4g:test-4g: IPsec SA connect 351 X.X.X.X->X.X.X.X:0ike 0:test-4g:test-4g: using existing connectionike 0:test-4g:test-4g: config foundike 0:test-4g:test-4g: IPsec SA connect 351 X.X.X.X->X.X.X.X:500 negotiatingike 0:test-4g:12625051:test-4g:369935774: ISAKMP SA still negotiating, queuing quick-mode requestike 0:test-4g:12625051: out 53B3A340214E0B8A469F4FFB9008EAD705100201000000000000005CB84737AFDC8BADE434703EC4AF6E2430B6C55F468EBD00374AF52F1B8DDB24F1AC1C78153C1DE1464B24DFD2C416BCE76487F269802E424D52C0A64B838F90FDike 0:test-4g:12625051: sent IKE msg (P1_RETRANSMIT): X.X.X.X:4500->X.X.X.X:4500, len=92, id=53b3a340214e0b8a/469f4ffb9008ead7ike 0:test-4g:test-4g: IPsec SA connect 351 X.X.X.X->X.X.X.X:0ike 0:test-4g:test-4g: using existing connectionike 0:test-4g:test-4g: config foundike 0:test-4g: request is on the queueike 0:test-4g:12625051: out 53B3A340214E0B8A469F4FFB9008EAD705100201000000000000005CB84737AFDC8BADE434703EC4AF6E2430B6C55F468EBD00374AF52F1B8DDB24F1AC1C78153C1DE1464B24DFD2C416BCE76487F269802E424D52C0A64B838F90FDike 0:test-4g:12625051: sent IKE msg (P1_RETRANSMIT): X.X.X.X:4500->X.X.X.X:4500, len=92, id=53b3a340214e0b8a/469f4ffb9008ead7ike 0:test-4g:test-4g: IPsec SA connect 351 X.X.X.X->X.X.X.X:0ike 0:test-4g:test-4g: using existing connectionike 0:test-4g:test-4g: config foundike 0:test-4g: request is on the queueike 0:test-4g:test-4g: IPsec SA connect 351 X.X.X.X->X.X.X.X:0ike 0:test-4g:test-4g: using existing connectionike 0:test-4g:test-4g: config foundike 0:test-4g: request is on the queueike 0:test-4g:12625051: out 53B3A340214E0B8A469F4FFB9008EAD705100201000000000000005CB84737AFDC8BADE434703EC4AF6E2430B6C55F468EBD00374AF52F1B8DDB24F1AC1C78153C1DE1464B24DFD2C416BCE76487F269802E424D52C0A64B838F90FDike 0:test-4g:12625051: sent IKE msg (P1_RETRANSMIT): X.X.X.X:4500->X.X.X.X:4500, len=92, id=53b3a340214e0b8a/469f4ffb9008ead7ike 0:test-4g:test-4g: IPsec SA connect 351 X.X.X.X->X.X.X.X:0ike 0:test-4g:test-4g: using existing connectionike 0:test-4g:test-4g: config foundike 0:test-4g: request is on the queueike 0:test-4g:test-4g: IPsec SA connect 351 X.X.X.X->X.X.X.X:0ike 0:test-4g:test-4g: using existing connectionike 0:test-4g:test-4g: config foundike 0:test-4g: request is on the queueike 0:test-4g:12625051: negotiation timeout, deletingike 0:test-4g: connection expiring due to phase1 downike 0:test-4g: deletingike 0:test-4g: deletedike 0:test-4g: schedule auto-negotiateike 0:test-4g:12625051: initiator: main mode is sending 1st message...ike 0:test-4g:12625051: cookie 53b3a340214e0b8a/0000000000000000ike 0:test-4g:12625051: out 53B3A340214E0B8A00000000000000000110020000000000000001200D00003800000001000000010000002C010100010000002401010000800B0001800C0E1080010007800E01008003000180020001800400050D0000144A131C81070358455C5728F20E95452F0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000ike 0:test-4g:12625051: sent IKE msg (ident_i1send): X.X.X.X:500->X.X.X.X:500, len=288, id=53b3a340214e0b8a/0000000000000000ike 0: comes X.X.X.X:500->X.X.X.X:500,ifindex=351....ike 0: IKEv1 exchange=Identity Protection id=53b3a340214e0b8a/469f4ffb9008ead7 len=160ike 0: in 53B3A340214E0B8A469F4FFB9008EAD70110020000000000000000A00D00003800000001000000010000002C01010001000000240101000080010007800E0100800200018004000580030001800B0001800C0E100D00000C09002689DFD6B7120D000014AFCAD71368A1F1C96B8696FC775701000D0000184048B7D56EBCE88525E7DE7F00D6C2D380000000000000144A131C81070358455C5728F20E95452Fike 0:test-4g:12625051: initiator: main mode get 1st response...ike 0:test-4g:12625051: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712ike 0:test-4g:12625051: VID DPD AFCAD71368A1F1C96B8696FC77570100ike 0:test-4g:12625051: DPD negotiatedike 0:test-4g:12625051: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000ike 0:test-4g:12625051: VID RFC 3947 4A131C81070358455C5728F20E95452Fike 0:test-4g:12625051: selected NAT-T version: RFC 3947ike 0:test-4g:12625051: negotiation resultike 0:test-4g:12625051: proposal id = 1:ike 0:test-4g:12625051: protocol id = ISAKMP:ike 0:test-4g:12625051: trans_id = KEY_IKE.ike 0:test-4g:12625051: encapsulation = IKE/noneike 0:test-4g:12625051: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256ike 0:test-4g:12625051: type=OAKLEY_HASH_ALG, val=MD5.ike 0:test-4g:12625051: type=AUTH_METHOD, val=PRESHARED_KEY.ike 0:test-4g:12625051: type=OAKLEY_GROUP, val=MODP1536.ike 0:test-4g:12625051: ISAKMP SA lifetime=3600ike 0:test-4g:12625051: out 53B3A340214E0B8A469F4FFB9008EAD704100200000000000000011C0A0000C43E07BA29DAC1D85733595493CE03CE66741DC5CA56B5AD4051A7EEB16AC66BE2CE7B7CD92C4E1103F4FE5264342F06D455EF24CAAFBD04C65400AF933ABB1A7F33E980552F89C085DF937114A0FFCAE7A31A1F264A7AEDCEE4229D8516B743B8F3294D21490392483F8BC1435BD37E84E9643A81B63D526BD5A93A3AAD52911B8DFDCAAFEF207F174585761B6C10917ECB91E5D9D926CBBBA7C58CD8B6090ED5BBF01A808DB56B9D8A38657B490677E3C62F73BE1E05CF3C95D9FA6F49E9E48D1400001493D416F64EE16E6741AA3C977B08171D14000014438B058F4A819D574311D88CACFF4A86000000140E8B492978026BFDDCF931924B643F20ike 0:test-4g:12625051: sent IKE msg (ident_i2send): X.X.X.X:500->X.X.X.X:500, len=284, id=53b3a340214e0b8a/469f4ffb9008ead7ike 0: comes X.X.X.X:500->X.X.X.X:500,ifindex=351....ike 0: IKEv1 exchange=Identity Protection id=53b3a340214e0b8a/469f4ffb9008ead7 len=300ike 0: in 53B3A340214E0B8A469F4FFB9008EAD704100200000000000000012C0A0000C4DE97744EFD5BC9AD1216549819EEEDE2023674821B4144FDF70E8B798D9BC2A0B939CA8AB0B6DEC9D073D2DD4F6C39793B8A615BD80A514B3C7E5977058BA270A054E625B4BC9F346DE7AE8ED5A9003C4C722CA88CE7F5B423A5CB283708DE82B4605609F1EF74672DC85038F7D05AA48E54BC287DC361872BCD510EF51447D2D6CD681A0A01109E6ABAB0B91FE0DC54FCFDD6EC548EF95E833A6177D6E3D1EA11652503251351935FE47CA0CF08730B7821E4F81DE5BC691ED6480CF99A034A1400002401468CCDAAD02CC13F0632BA5F46C01B4AC7329C238CF31B671BBF8113E487EC1400001445EEFF8D15C4CE4E11EA816269CD0AA800000014438B058F4A819D574311D88CACFF4A86ike 0:test-4g:12625051: initiator: main mode get 2nd response...ike 0:test-4g:12625051: received NAT-D payload type 20ike 0:test-4g:12625051: received NAT-D payload type 20ike 0:test-4g:12625051: NAT detected: MEike 0:test-4g:12625051: NAT-T float port 4500ike 0:test-4g:12625051: ISAKMP SA 53b3a340214e0b8a/469f4ffb9008ead7 key 32:3791683A25E8CBBE68F7897BFCB2D8D2EE0AFF5C477155B14F43CDD1459E9389ike 0:test-4g:12625051: add INITIAL-CONTACTike 0:test-4g:12625051: enc 53B3A340214E0B8A469F4FFB9008EAD70510020100000000000000580800000C010000000A0A67190B000014F33BBB6DD35A229E689EE7892C7F4BA20000001C000000010110600253B3A340214E0B8A469F4FFB9008EAD7ike 0:test-4g:12625051: out 53B3A340214E0B8A469F4FFB9008EAD705100201000000000000005CB84737AFDC8BADE434703EC4AF6E2430B6C55F468EBD00374AF52F1B8DDB24F1AC1C78153C1DE1464B24DFD2C416BCE76487F269802E424D52C0A64B838F90FDike 0:test-4g:12625051: sent IKE msg (ident_i3send): X.X.X.X:4500->X.X.X.X:4500, len=92, id=53b3a340214e0b8a/469f4ffb9008ead7ike 0: comes X.X.X.X:4500->X.X.X.X:4500,ifindex=351....ike 0: IKEv1 exchange=Informational id=53b3a340214e0b8a/469f4ffb9008ead7:30dbcd0a len=92ike 0: in 53B3A340214E0B8A469F4FFB9008EAD70810050130DBCD0A0000005C0C4C10607A36BA5C75B7A0FBA7E76C6718D5F094670F90FA58F0EF5D5D9206B63DEA1558999E53A13E5E1B61D047BAB63423D57E2AAD2F51A78F18F51BE00F62ike 0:test-4g:12625051: dec 53B3A340214E0B8A469F4FFB9008EAD70810050130DBCD0A0000005C0B000014D0AFEB1284628867BDA3911F323A199A0000001C000000010110001853B3A340214E0B8A469F4FFB9008EAD700000000000000000000000000000000ike 0:test-4g:test-4g: IPsec SA connect 351 X.X.X.X->X.X.X.X:0ike 0:test-4g:test-4g: using existing connectionike 0:test-4g:test-4g: config foundike 0:test-4g:test-4g: IPsec SA connect 351 X.X.X.X->X.X.X.X:500 negotiatingike 0:test-4g:12625051:test-4g:369935774: ISAKMP SA still negotiating, queuing quick-mode requestike 0:test-4g:12625051: out 53B3A340214E0B8A469F4FFB9008EAD705100201000000000000005CB84737AFDC8BADE434703EC4AF6E2430B6C55F468EBD00374AF52F1B8DDB24F1AC1C78153C1DE1464B24DFD2C416BCE76487F269802E424D52C0A64B838F90FDike 0:test-4g:12625051: sent IKE msg (P1_RETRANSMIT): X.X.X.X:4500->X.X.X.X:4500, len=92, id=53b3a340214e0b8a/469f4ffb9008ead7ike 0:test-4g:test-4g: IPsec SA connect 351 X.X.X.X->X.X.X.X:0ike 0:test-4g:test-4g: using existing connectionike 0:test-4g:test-4g: config foundike 0:test-4g: request is on the queueike 0:test-4g:12625051: out 53B3A340214E0B8A469F4FFB9008EAD705100201000000000000005CB84737AFDC8BADE434703EC4AF6E2430B6C55F468EBD00374AF52F1B8DDB24F1AC1C78153C1DE1464B24DFD2C416BCE76487F269802E424D52C0A64B838F90FDike 0:test-4g:12625051: sent IKE msg (P1_RETRANSMIT): X.X.X.X:4500->X.X.X.X:4500, len=92, id=53b3a340214e0b8a/469f4ffb9008ead7ike 0:test-4g:test-4g: IPsec SA connect 351 X.X.X.X->X.X.X.X:0ike 0:test-4g:test-4g: using existing connectionike 0:test-4g:test-4g: config foundike 0:test-4g: request is on the queueike 0:test-4g:test-4g: IPsec SA connect 351 X.X.X.X->X.X.X.X:0ike 0:test-4g:test-4g: using existing connectionike 0:test-4g:test-4g: config foundike 0:test-4g: request is on the queueike 0:test-4g:12625051: out 53B3A340214E0B8A469F4FFB9008EAD705100201000000000000005CB84737AFDC8BADE434703EC4AF6E2430B6C55F468EBD00374AF52F1B8DDB24F1AC1C78153C1DE1464B24DFD2C416BCE76487F269802E424D52C0A64B838F90FDike 0:test-4g:12625051: sent IKE msg (P1_RETRANSMIT): X.X.X.X:4500->X.X.X.X:4500, len=92, id=53b3a340214e0b8a/469f4ffb9008ead7ike 0:test-4g:test-4g: IPsec SA connect 351 X.X.X.X->X.X.X.X:0ike 0:test-4g:test-4g: using existing connectionike 0:test-4g:test-4g: config foundike 0:test-4g: request is on the queueike 0:test-4g:test-4g: IPsec SA connect 351 X.X.X.X->X.X.X.X:0ike 0:test-4g:test-4g: using existing connectionike 0:test-4g:test-4g: config foundike 0:test-4g: request is on the queueike 0:test-4g:12625051: negotiation timeout, deletingike 0:test-4g: connection expiring due to phase1 downike 0:test-4g: deletingike 0:test-4g: deleted

sw2090 · Answer

accoarding to your log: it starts phase1 and it does negotiate proposals,DPD and NAT-T and due to NAT-T it then starts using Port 4500 (correct). However it does not get any more responses then to finish phase1 negotiation. It does retransmit the last message several times but gets no answer from your tplink and finally gives up saying "negotiation timeout".

Is there something between FGT and the TP-Link which the traffic has to pass? Then you will have to forwart 500/udp and 4500/udp to the tplink to solve that.

Also you could check the logs on the tplink to see if or why it doesn't repsond to your FGT anymore.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded