beaven67
New Member
August 23, 2011
Question

mode-cfg ?

I've got a really weird issue between a Fortinet 110C running 4.0MR3 P1 and a 60B running 4.0MR3 P1. When I create a route-based site-to-site VPN, I get this weird mode-cfg issue and don't know why. I've never seen this issue before.

Debug output:

    ike 0:STERNVPN:5: mode-cfg received APPLICATION_VERSION 'Fortigate-60B v4.00.8,build0328b328,110718'
    ike 0:STERNVPN:5: mode-cfg missing INTERNAL_IP4_SUBNET
    ike 0:STERNVPN:5: send ISAKMP delete e50e4880c4b1d0b1/8281594def4bd5df
    ike 0:STERNVPN:5: enc E50E4880C4B1D0B18281594DEF4BD5DF08100501FF48A9E7000000500C0000187753EBEEF6D7070481A5CDCEC71D4C3128B810A90000001C0000000101100001E50E4880C4B1D0B18281594DEF4BD5DF
    ike 0:STERNVPN:5: out E50E4880C4B1D0B18281594DEF4BD5DF08100501FF48A9E700000054141C1D27F6454284FEF65DEFB9F7F

    5 replies

    emnoc
    New Member
    August 23, 2011
    > ike 0:STERNVPN:5: mode-cfg received

    This is typically used by remote VPN clients to request configuration assistance. Your FGT60, for whatever reason, is requesting configuration information for a site-to-site tunnel. This should not be required. You can disable it by setting mode-cfg to disable under that VPN instance, or just ignore it.
    beaven67 (Author)
    New Member
    August 23, 2011
    I know that it's not used for site-to-site VPNs, but I don't understand why it's happening. I've deleted and recreated the VPN 4 times with the same problem. However, if I create a policy-based VPN I have no problems! Go figure!
    emnoc
    New Member
    August 23, 2011
    Why it's happening is in the release notes: it's a new feature of the already-defined IPsec RFC standard for support of mode-cfg. Read the release notes: http://docs.fortinet.com/fgt/techdocs/fortigate-cli.pdf

        config vpn ipsec phase1-interface
            edit <gateway_name>
                set dhgrp         New option 14 to select DH Group 14.
                set ike-version   New field. Selects IKEv1 or IKEv2.
                set mode-cfg      New field. Enables IKE Configuration Method.
                                  The following new fields are available when mode-cfg is enabled:
                                  add-route, assign-ip, assign-ip-from, assign-ip-type, banner, domain,
                                  end-ip, mode-cfg-ip-version, ipv4-dns-server1, ipv6-dns-server1,
                                  ipv4-dns-server2, ipv6-dns-server2, ipv4-dns-server3, ipv6-dns-server3,
                                  ipv4-end-ip, ipv6-end-ip, ipv4-netmask, ipv4-split-include,
                                  ipv4-start-ip, ipv6-start-ip, ipv4-wins-server1, ipv4-wins-server2,
                                  ipv6-prefix, start-ip, unity-support
                set proposal      New option sha256 for SHA256 digest.

    Either disable it or ignore it. No need to recreate the VPN IPsec interface 4 times.
    FortiRack_Eric
    New Member
    August 25, 2011
    Beware that SHA-256, SHA-384 and SHA-512 are NOT handled in hardware (on most models), and therefore the complete VPN connection is handled in SOFTWARE! So be aware of performance issues. (I suspect that CP7 will handle the higher SHA versions, but I haven't had such a model yet.) Cheers, Eric
    ede_pfau
    SuperUser
    August 25, 2011
    Maybe someone should mention that mode-cfg is enabled by default in 4.3, which has already been identified as a bug. So you have to disable this option after upgrading if you don't happen to use mode-config for your VPNs. A rare example of an upgrade breaking a valid config.
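    The fix emnoc describes (disable mode-cfg on the phase1 interface) and the post-upgrade check ede_pfau describes, as an added example that is not part of the thread and not Fortinet's own documentation: a minimal FortiOS 4.0 MR3 route-based (interface-mode) phase1/phase2 with IKE Configuration Method explicitly turned off, followed by the debug commands used to confirm the mode-cfg lines are gone. The tunnel name STERNVPN is taken from the debug output in the question; wan1, the remote gateway 203.0.113.10, the subnets and the pre-shared key are placeholders. Lines starting with # are comments for the reader, not CLI input.

    ```fortios
    # Phase 1: route-based tunnel, IKEv1, DH group 14, SHA-1 digest.
    # mode-cfg is set to disable on purpose: after the 4.3 upgrade it defaults
    # to enable, which makes the peer ask for INTERNAL_IP4_SUBNET and tear the
    # SA down when it is not answered. A site-to-site tunnel never needs it.
    # sha1 rather than sha256 is a deliberate choice per Eric's note: the
    # larger SHA digests are not offloaded on most models of this generation.
    config vpn ipsec phase1-interface
        edit "STERNVPN"
            set type static
            set interface "wan1"
            set ike-version 1
            set mode-cfg disable
            set proposal aes256-sha1
            set dhgrp 14
            set remote-gw 203.0.113.10
            set psksecret <pre-shared-key>
        next
    end

    # Phase 2 bound to the interface-mode phase1 above.
    config vpn ipsec phase2-interface
        edit "STERNVPN-p2"
            set phase1name "STERNVPN"
            set proposal aes256-sha1
            set pfs enable
            set dhgrp 14
            set src-subnet 10.1.0.0 255.255.255.0
            set dst-subnet 10.2.0.0 255.255.255.0
        next
    end

    # Verification after the change on both peers. With mode-cfg disabled on
    # both sides the IKE debug should show the SA completing without any
    # "mode-cfg received" / "mode-cfg missing INTERNAL_IP4_SUBNET" lines.
    diagnose debug reset
    diagnose debug application ike -1
    diagnose debug enable
    # ... bring the tunnel up, watch the output, then:
    diagnose debug disable
    diagnose vpn ike gateway list
    diagnose vpn tunnel list
    ```

    Apply the `set mode-cfg disable` on both the 110C and the 60B: the error in the question is raised on the side that receives a configuration request it cannot answer, so leaving the option enabled on either peer after an upgrade to 4.3 is enough to reproduce it. Do the same check on every other phase1-interface object after upgrading, since the new default is applied to existing tunnels, not only to newly created ones.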