Diabolicus23
New Member
September 14, 2012
Question

Problem with IPSec VPN

  • September 14, 2012
  • 3 replies
  • 3517 views
Hi all, sometimes one of our VPNs does not come up. When this happens, this is what we get:

    ike 0:VPN_NAME_:VPN_NAME__ph2-10: IPsec SA connect 8 OUR_IP->REMOTE_IP:500, natt_mode=0
    ike 0:VPN_NAME_: using existing connection, dpd_fail=0
    ike 0:VPN_NAME_: found phase2 VPN_NAME__ph2-10
    ike 0:VPN_NAME_: IPsec SA connect 8 OUR_IP->REMOTE_IP:500 negotiating
    ike 0:VPN_NAME_:8: cookie 61b4455598b04bea/fbdab48ecd5111c5:fddcfd97
    ike 0:VPN_NAME_:8:VPN_NAME__ph2-10:3617: initiator selectors 0 0:10.200.1.0/255.255.255.0:0:0->0:172.24.7.0/255.255.255.0:0:0
    ike 0:VPN_NAME_:8: sent IKE msg (quick_i1send): OUR_IP:500->REMOTE_IP:500, len=172
    ike 0:VPN_NAME_:8: sent IKE msg (P2_RETRANSMIT): OUR_IP:500->REMOTE_IP:500, len=172
    ike 0:VPN_NAME_:VPN_NAME__ph2-10: IPsec SA connect 8 OUR_IP->REMOTE_IP:500, natt_mode=0
    ike 0:VPN_NAME_: using existing connection, dpd_fail=0
    ike 0:VPN_NAME_: found phase2 VPN_NAME__ph2-10
    ike 0:VPN_NAME_:8: sent IKE msg (P2_RETRANSMIT): OUR_IP:500->REMOTE_IP:500, len=172
    ike 0:VPN_NAME_:VPN_NAME__ph2-10: IPsec SA connect 8 OUR_IP->REMOTE_IP:500, natt_mode=0
    ike 0:VPN_NAME_: using existing connection, dpd_fail=0
    ike 0:VPN_NAME_: found phase2 VPN_NAME__ph2-10
    ike 0:VPN_NAME_:8: sent IKE msg (P2_RETRANSMIT): OUR_IP:500->REMOTE_IP:500, len=172
    ike 0:VPN_NAME_:8: sent IKE msg (P2_RETRANSMIT): OUR_IP:500->REMOTE_IP:500, len=172
    ike 0:VPN_NAME_:8:VPN_NAME__ph2-10:3617: quick-mode negotiation failed due to retry timeout

On the other side there is a Cisco appliance. Could you help me with the debugging? Thanks
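As an added example (not part of the original post, and not Fortinet or Cisco code), here is a small Python parser for the debug output above that extracts the Phase 2 selectors and flags the pattern seen here: an existing Phase 1 SA, a quick-mode message that is only ever retransmitted, then a retry timeout. The sample log is constructed from the question's lines, condensed to one attempt, with the poster's OUR_IP / REMOTE_IP / VPN_NAME_ placeholders kept.

```python
import re
from ipaddress import ip_network

# Constructed sample: the debug output quoted in the question, condensed to one
# quick-mode attempt with one IKE message per line (poster's placeholders kept).
SAMPLE_LOG = """\
ike 0:VPN_NAME_:VPN_NAME__ph2-10: IPsec SA connect 8 OUR_IP->REMOTE_IP:500, natt_mode=0
ike 0:VPN_NAME_: using existing connection, dpd_fail=0
ike 0:VPN_NAME_: found phase2 VPN_NAME__ph2-10
ike 0:VPN_NAME_:8: cookie 61b4455598b04bea/fbdab48ecd5111c5:fddcfd97
ike 0:VPN_NAME_:8:VPN_NAME__ph2-10:3617: initiator selectors 0 0:10.200.1.0/255.255.255.0:0:0->0:172.24.7.0/255.255.255.0:0:0
ike 0:VPN_NAME_:8: sent IKE msg (quick_i1send): OUR_IP:500->REMOTE_IP:500, len=172
ike 0:VPN_NAME_:8: sent IKE msg (P2_RETRANSMIT): OUR_IP:500->REMOTE_IP:500, len=172
ike 0:VPN_NAME_:8: sent IKE msg (P2_RETRANSMIT): OUR_IP:500->REMOTE_IP:500, len=172
ike 0:VPN_NAME_:8: sent IKE msg (P2_RETRANSMIT): OUR_IP:500->REMOTE_IP:500, len=172
ike 0:VPN_NAME_:8: sent IKE msg (P2_RETRANSMIT): OUR_IP:500->REMOTE_IP:500, len=172
ike 0:VPN_NAME_:8:VPN_NAME__ph2-10:3617: quick-mode negotiation failed due to retry timeout
"""

SELECTOR_RE = re.compile(r"initiator selectors \d+ \d+:(?P<src>[\d.]+/[\d.]+):\d+:\d+"
                         r"->\d+:(?P<dst>[\d.]+/[\d.]+):\d+:\d+")
PHASE2_RE = re.compile(r"found phase2 (\S+)")

def analyze_ike_debug(log_text):
    """Summarise one quick-mode (Phase 2) attempt from FortiGate 'ike' debug lines."""
    r = {"phase2": None, "src": None, "dst": None, "phase1_reused": False,
         "qm1_sent": 0, "retransmits": 0, "timed_out": False}
    for line in log_text.splitlines():
        if m := PHASE2_RE.search(line):
            r["phase2"] = m.group(1)
        elif m := SELECTOR_RE.search(line):
            # normalise net/mask to CIDR so it compares directly with the peer's proxy-IDs
            r["src"] = str(ip_network(m.group("src"), strict=False))
            r["dst"] = str(ip_network(m.group("dst"), strict=False))
        elif "using existing connection" in line:
            r["phase1_reused"] = True  # an IKE (Phase 1) SA already exists
        elif "(quick_i1send)" in line:
            r["qm1_sent"] += 1
        elif "(P2_RETRANSMIT)" in line:
            r["retransmits"] += 1
        elif "quick-mode negotiation failed" in line:
            r["timed_out"] = True
    # Phase 1 up, QM1 only retransmitted, then retry timeout: the peer never completed
    # quick mode, which is the Phase 2 mismatch pattern the replies describe.
    r["verdict"] = ("phase2_mismatch" if r["phase1_reused"] and r["retransmits"]
                    and r["timed_out"] else "inconclusive")
    return r

if __name__ == "__main__":
    print(analyze_ike_debug(SAMPLE_LOG))
```

The normalised selectors (10.200.1.0/24 -> 172.24.7.0/24) are what to compare against the Cisco side's crypto ACL / proxy-IDs when checking for the mismatch the replies discuss.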

    3 replies

    Scott_York
    New Member
    September 18, 2012
    This is a Phase 2 mismatch, most likely due to multiple subnets on either side of the encryption domain. For a fortigate to cisco IPSEC VPN, you will need to have multiple phase 2 policies if there are multiple subnets on either end. For example, if your site has 2 - /24 networks and the other side also has 2 - /24 networks, you will need 4 Phase 2 policies. Sucks, but it's the only way around it and if someone disagrees with me, please show me the light, cause this is the biggest PITA with these things.
    emnoc
    New Member
    September 18, 2012
    Agreed. Also, if the networks are contiguous, you can get by with one. Also ensure you match the Phase2 proposal, and if you're listing more than 2 proposals, eliminate one and specify the proposal that you really want. e.g. 3des-md5 aes128-sha = bad. Specify either 3des-md5 or aes128 but not both; I found this approach rules out the devices' negotiation of the phase1/2 proposals. The cisco/fgt should use the 1st match, but sometimes it doesn't work that way for me.
    ede_pfau
    SuperUser
    September 18, 2012
    Isn't it that you can use an address group on the FGT, containing multiple IP address ranges/subnets? And that this feature just doesn't work against a Cisco VPN? But should work FGT-to-FGT?