qrz
Visitor III
September 24, 2019
Solved

Troubleshoot pre-shared key mismatch


Hello.

I tried to debug a non-working VPN tunnel and suspect there is a PSK mismatch.

Fortigate doc says: "It is possible to identify a PSK mismatch using the following combination of CLI commands:

diag debug app ike filter name "phase1-name"

...

I got an error after this command, "command parse error before 'name'". Why? Are there any ways to do this?

My Fortigate version is v5.6.4.

Best answer by ede_pfau

Yes.

The incoming proposal is AES128/SHA256 with PFS group 5.

Usually (best practice) you would only configure one proposal on each side. Check NATT and DPD as well.

sw2090
SuperUser
September 24, 2019

You have to replace phase1-name with the name of your tunnel. However, this filter is still broken in 5.6 (and it was before 5.6) and will not work even if you set it. This is very annoying if you have more VPNs running.

I work around that by doing diag debug app ike -1. Let it run for a while and then copy-paste the output into a text editor where I can search it.

qrz (Author)
Visitor III
September 25, 2019

Hello. Here is the output I got. Where is that PSK mismatch?

responder: main mode get 1st message...
ike 0:ad2b8a0d6ffa1154/0000000000000000:101588: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:ad2b8a0d6ffa1154/0000000000000000:101588: VID draft-ietf-ipsec-nat-t-ike-03
ike 0:ad2b8a0d6ffa1154/0000000000000000:101588: VID draft-ietf-ipsec-nat-t-ike-02
ike 0:ad2b8a0d6ffa1154/0000000000000000:101588: VID draft-ietf-ipsec-nat-t-ike-02\n
ike 0:ad2b8a0d6ffa1154/0000000000000000:101588: VID draft-ietf-ipsec-nat-t-ike-01
ike 0:ad2b8a0d6ffa1154/0000000000000000:101588: VID draft-ietf-ipsec-nat-t-ike-00
ike 0:ad2b8a0d6ffa1154/0000000000000000:101588: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:ad2b8a0d6ffa1154/0000000000000000:101588: VID FRAGMENTATION
ike 0:ad2b8a0d6ffa1154/0000000000000000:101588: VID FRAGMENTATION
ike 0:ad2b8a0d6ffa1154/0000000000000000:101588: VID FORTIGATE 8299031757A36082C6A621DE00000000
ike 0:ad2b8a0d6ffa1154/0000000000000000:101588: incoming proposal:
ike 0:ad2b8a0d6ffa1154/0000000000000000:101588: proposal id = 0:
ike 0:ad2b8a0d6ffa1154/0000000000000000:101588:   protocol id = ISAKMP:
ike 0:ad2b8a0d6ffa1154/0000000000000000:101588:      trans_id = KEY_IKE.
ike 0:ad2b8a0d6ffa1154/0000000000000000:101588:      encapsulation = IKE/none
ike 0:ad2b8a0d6ffa1154/0000000000000000:101588:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:ad2b8a0d6ffa1154/0000000000000000:101588:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:ad2b8a0d6ffa1154/0000000000000000:101588:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:ad2b8a0d6ffa1154/0000000000000000:101588:         type=OAKLEY_GROUP, val=MODP1536.
ike 0:ad2b8a0d6ffa1154/0000000000000000:101588: ISAKMP SA lifetime=28800
ike 0:ad2b8a0d6ffa1154/0000000000000000:101588: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:ad2b8a0d6ffa1154/0000000000000000:101588: no SA proposal chosen

sw2090
SuperUser
September 25, 2019

Hm, that looks more like non-matching proposals in phase 1 than a PSK mismatch. Could you check that you have at least one pair of proposals identical on both sides?
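The check sw2090 suggests can be done mechanically against the pasted debug output. The script below is an added example, not code from this thread or from Fortinet: it parses the "incoming proposal" block of `diag debug app ike -1` output and compares what the peer offered with the phase 1 proposal list and DH group assumed to be configured on this side (assumed FortiGate naming such as aes256-sha256 and dhgrp 5). A "no SA proposal chosen" with no match is a phase 1 proposal mismatch, not a PSK problem.

```python
import re

# Constructed sample: the incoming-proposal part of the poster's debug output, one entry per line.
IKE_DEBUG = """\
ike 0:ad2b8a0d6ffa1154/0000000000000000:101588: incoming proposal:
ike 0:ad2b8a0d6ffa1154/0000000000000000:101588: proposal id = 0:
ike 0:ad2b8a0d6ffa1154/0000000000000000:101588:   protocol id = ISAKMP:
ike 0:ad2b8a0d6ffa1154/0000000000000000:101588:      trans_id = KEY_IKE.
ike 0:ad2b8a0d6ffa1154/0000000000000000:101588:      encapsulation = IKE/none
ike 0:ad2b8a0d6ffa1154/0000000000000000:101588:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:ad2b8a0d6ffa1154/0000000000000000:101588:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:ad2b8a0d6ffa1154/0000000000000000:101588:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:ad2b8a0d6ffa1154/0000000000000000:101588:         type=OAKLEY_GROUP, val=MODP1536.
ike 0:ad2b8a0d6ffa1154/0000000000000000:101588: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:ad2b8a0d6ffa1154/0000000000000000:101588: no SA proposal chosen
"""

# Attribute names -> dict keys; debug values -> phase1 config names (assumed mapping).
FIELD = {"OAKLEY_ENCRYPT_ALG": "enc", "OAKLEY_HASH_ALG": "hash",
         "OAKLEY_GROUP": "group", "AUTH_METHOD": "auth"}
NAMES = {"SHA": "sha1", "SHA2_256": "sha256", "MODP1024": 2, "MODP1536": 5, "MODP2048": 14}
ATTR = re.compile(r"type=(\w+), val=(\w+)(?:, key-len=(\d+))?")

def parse_incoming_proposals(debug_text):
    """Return one dict {enc, hash, group, auth} per proposal the peer offered."""
    proposals, cur = [], {}
    for line in debug_text.splitlines():
        if "proposal id =" in line and cur:      # a new proposal block starts
            proposals.append(cur)
            cur = {}
        m = ATTR.search(line)
        if m:
            typ, val, klen = m.groups()
            if typ == "OAKLEY_ENCRYPT_ALG" and val == "AES_CBC":
                val = f"aes{klen}"               # AES_CBC + key-len=256 -> aes256
            cur[FIELD.get(typ, typ)] = NAMES.get(val, val)
    if cur:
        proposals.append(cur)
    return proposals

def diagnose(debug_text, local_proposals, local_dhgrp):
    """Compare with this side's phase1 proposals/dhgrp (assumed config); return (verdict, matches)."""
    local = {tuple(p.split("-", 1)) for p in local_proposals}
    offered = parse_incoming_proposals(debug_text)
    ok = [p for p in offered
          if (p.get("enc"), p.get("hash")) in local and p.get("group") == local_dhgrp]
    if "no SA proposal chosen" in debug_text and not ok:
        return "phase1 proposal or DH group mismatch, not a PSK problem", ok
    return "peer offered a matching phase1 proposal", ok
```

Run it with the proposal list and dhgrp from your own phase1-interface config; the offered proposal in this thread is aes256-sha256 with DH group 5, so anything else on your side explains the failure.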