Skip to main content
Dexter
Dexter
New Member
July 23, 2019
Question

VPN Connection Problem: Connection expiring due to phase 1 down

  • July 23, 2019
  • 4 replies
  • 17327 views

Details:

Fortigate 30e 6.2.0 on Customer side Netfilter IPTables on my side

esp  = 3des-sha1-modp2048

 ike  = 3des-sha1-modp2048.

 

What i think is that the customer has not set the following settings properly:

ike 0:T-company a:567:         type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.

ike 0:T-company a:567:         type=OAKLEY_HASH_ALG, val=SHA.

ike 0:T-company a:567:         type=AUTH_METHOD, val=PRESHARED_KEY.

ike 0:T-company a:567:         type=OAKLEY_GROUP, val=MODP2048.

 

But i am not sure as i have never worked with fortigate. Please give your valuable insight how this issue can be solved. Following are the logs that the customer has sent to me:

ike 0:T-company a:567: initiator: main mode is sending 1st message... ike 0:T-company a:567: cookie d2b0d87f1c623370/0000000000000000 ike 0:T-company a:567: out D2B0D87F1C62337000000000000000000110020000000000000001200D00003800000001000000010000002C010100010000002401010000800B0001000C0004000151808001000580030001800200028004000E0D0000144A131C81070358455C5728F20E95452F0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000 ike 0:T-company a:567: sent IKE msg (ident_i1send): 194.3.202.206:500->203.109.52.220:500, len=288, id=d2b0d87f1c623370/0000000000000000 ike 0: comes 203.109.52.220:500->194.3.202.206:500,ifindex=8.... ike 0: IKEv1 exchange=Identity Protection id=d2b0d87f1c623370/26543da622fa417c len=156 ike 0: in D2B0D87F1C62337026543DA622FA417C01100200000000000000009C0D00003800000001000000010000002C010100010000002401010000800B0001000C0004000151808001000580030001800200028004000E0D000014882FE56D6FD20DBC2251613B2EBE5BEB0D00000C09002689DFD6B7120D000014AFCAD71368A1F1C96B8696FC77570100000000144A131C81070358455C5728F20E95452F ike 0:T-company a:567: initiator: main mode get 1st response... ike 0:T-company a:567: VID unknown (16): 882FE56D6FD20DBC2251613B2EBE5BEB ike 0:T-company a:567: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712 ike 0:T-company a:567: VID DPD AFCAD71368A1F1C96B8696FC77570100 ike 0:T-company a:567: DPD negotiated ike 0:T-company a:567: VID RFC 3947 4A131C81070358455C5728F20E95452F ike 0:T-company a:567: selected NAT-T version: RFC 3947 ike 0:T-company a:567: negotiation result ike 0:T-company a:567: proposal id = 1: ike 0:T-company a:567: protocol id = ISAKMP: ike 0:T-company a:567: trans_id = KEY_IKE. ike 0:T-company a:567: encapsulation = IKE/none ike 0:T-company a:567: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC. ike 0:T-company a:567: type=OAKLEY_HASH_ALG, val=SHA. ike 0:T-company a:567: type=AUTH_METHOD, val=PRESHARED_KEY. ike 0:T-company a:567: type=OAKLEY_GROUP, val=MODP2048. ike 0:T-company a:567: ISAKMP SA lifetime=86400 ike 0:T-company a:567: out D2B0D87F1C62337026543DA622FA417C0410020000000000000001640A0001044B5D3FD314A66FC11A1CB416BB50EA16A7528B539C531888E596A5CE945285F9D59AB6AA48DFDB7853704F68306F2A13860C96581B9FBA4BB261713502FE2925EFD0BAAFADADC5D87DB1A1A8A8BF17F4A0CFDEF10BEAE53A30D26714B1D216ECDAA641832F79477B470BB65AF0F3DD82F051CBDA06128CF690CAD11CD76337FC41037ED5B3FAB79D392BA45DB7D4E87E481CBEF95C3C2ED067F14C61B2013E410379226536644EC58970C932C5A30F0D576CAE4E7A7887B47189B1B81E8757A6A351E4CE942E73262F72A85C1F21C103C6D6937CB283B8C5A0AF1DF1DF0F0F3AD9D454F60929FDE92FF8774A1372F0E09A27E94FB68394AC86B1FF8A255098D2140000145B2B4588DDD1785CF470A589D3E9E1F7140000182EAF1EFCF58EE615D60BC09583A68695B7850A16000000184A02D2DE880752C447BC6D7A46EDB227AAF7BE2D ike 0:T-company a:567: sent IKE msg (ident_i2send): 194.3.202.206:500->203.109.52.220:500, len=356, id=d2b0d87f1c623370/26543da622fa417c ike 0: comes 203.109.52.220:500->194.3.202.206:500,ifindex=8.... ike 0: IKEv1 exchange=Identity Protection id=d2b0d87f1c623370/26543da622fa417c len=356 ike 0: in D2B0D87F1C62337026543DA622FA417C0410020000000000000001640A000104D7099B1534E6DA1666BFB05616A3D482290AD91B109C8FC0B7CD9D0EFC72CEA436CEF0A0C83FD175D351D62DFE03F0C4032BAA11254A222C5005BB05A2B30CC3E2CE027B36113D4D9777D7CE34FE0A5B0D49CBBB8A46D64A8FFA38FFAF5A3AFB2AFA4A823C3D96C03724328E255D6CEC87BD5A11E11865098135B894C56EC3DF1AFB1676299ABD341C1E5C886E4B20A94B73F6E01A5ED581518274BB267AFC75E046640159AEE0BE1B02A913007D805E05D0F784A283434F171604CAD60CC36F24EDE3C9DC7BDBD65D02046CD259E39F085B04974F3AB5F5A8E12B790A9417C8708D788CDAACF3AFB2D5CB55A719C5BC1C89B12456365F22163AA4F10E06F57214000014745B8DF04C97722F9B4C02F8632BC7A1140000184A02D2DE880752C447BC6D7A46EDB227AAF7BE2D000000182EAF1EFCF58EE615D60BC09583A68695B7850A16 ike 0:T-company a:567: initiator: main mode get 2nd response... ike 0:T-company a:567: received NAT-D payload type 20 ike 0:T-company a:567: received NAT-D payload type 20 ike 0:T-company a:567: NAT not detected ike 0:T-company a:567: ISAKMP SA d2b0d87f1c623370/26543da622fa417c key 24:1C46EF2FC5186D9F32C47D5D2FF37DF97791F11D54671E53 ike 0:T-company a:567: add INITIAL-CONTACT ike 0:T-company a:567: enc D2B0D87F1C62337026543DA622FA417C05100201000000000000005C0800000C01000000C208CECA0B0000183D5A988B39962FB4E63F60E9BBCF9A89F8AD8A870000001C0000000101106002D2B0D87F1C62337026543DA622FA417C ike 0:T-company a:567: out D2B0D87F1C62337026543DA622FA417C051002010000000000000064F93828D24A8F81C3128396A1C1825B3C32B0E53D16B55F7C8BD2FA1180D7B5F3549DBDECED0FFC66E6774EFC3EACFD9DE6F24103C91EB7812605A6CC17358968E80E9F84E6C93BE2 ike 0:T-company a:567: sent IKE msg (ident_i3send): 194.3.202.206:500->203.109.52.220:500, len=100, id=d2b0d87f1c623370/26543da622fa417c ike 0: comes 203.109.52.220:500->194.3.202.206:500,ifindex=8.... ike 0: IKEv1 exchange=Informational id=d2b0d87f1c623370/26543da622fa417c:e80f658a len=68 ike 0: in D2B0D87F1C62337026543DA622FA417C08100501E80F658A00000044591F52942EE592FD749119F46566133D7A73091D4948EDD49D622D9CF14FE5683EB7871491CC0418 ike 0:T-company a:567: dec D2B0D87F1C62337026543DA622FA417C08100501E80F658A000000441B0BE7DA438EE9B794BFA0D6594CFC4012F528C5B8AF539FA437895DCBAF9BBE840DA365ADE7BA1B ike 0:T-company a:567: out D2B0D87F1C62337026543DA622FA417C051002010000000000000064F93828D24A8F81C3128396A1C1825B3C32B0E53D16B55F7C8BD2FA1180D7B5F3549DBDECED0FFC66E6774EFC3EACFD9DE6F24103C91EB7812605A6CC17358968E80E9F84E6C93BE2 ike 0:T-company a:567: sent IKE msg (P1_RETRANSMIT): 194.3.202.206:500->203.109.52.220:500, len=100, id=d2b0d87f1c623370/26543da622fa417c ike 0: comes 203.109.52.220:500->194.3.202.206:500,ifindex=8.... ike 0: IKEv1 exchange=Informational id=d2b0d87f1c623370/26543da622fa417c:aadc08ad len=68 ike 0: in D2B0D87F1C62337026543DA622FA417C08100501AADC08AD00000044D50F4C0C7FD6CBEF2A019C5FE0AD2E1C6D4AF7597BA4A26FACF762C6FAD028BCF5672912BD8C4E4B ike 0:T-company a:567: dec D2B0D87F1C62337026543DA622FA417C08100501AADC08AD00000044C62E368458F685E50434497B7699995983E4ABC3070811256E47190C67D9EC3E44CE70CC8D477A64 ike 0:T-company a:567: out D2B0D87F1C62337026543DA622FA417C051002010000000000000064F93828D24A8F81C3128396A1C1825B3C32B0E53D16B55F7C8BD2FA1180D7B5F3549DBDECED0FFC66E6774EFC3EACFD9DE6F24103C91EB7812605A6CC17358968E80E9F84E6C93BE2 ike 0:T-company a:567: sent IKE msg (P1_RETRANSMIT): 194.3.202.206:500->203.109.52.220:500, len=100, id=d2b0d87f1c623370/26543da622fa417c ike 0: comes 203.109.52.220:500->194.3.202.206:500,ifindex=8.... ike 0: IKEv1 exchange=Informational id=d2b0d87f1c623370/26543da622fa417c:f20cc138 len=68 ike 0: in D2B0D87F1C62337026543DA622FA417C08100501F20CC1380000004431D88C7B770A60B7BADA9521E78C05C73DEE1A9E3E7813F7713893EB571F31E0C2AD331EBD3F1C9C ike 0:T-company a:567: dec D2B0D87F1C62337026543DA622FA417C08100501F20CC1380000004431C18185C1477C41B380F7A542DF16EB751012929E26DA1495F043C9770C2D6D3B5F2BB9E476F6FA ike 0: comes 203.109.52.220:500->194.3.202.206:500,ifindex=8.... ike 0: IKEv1 exchange=Identity Protection id=d2b0d87f1c623370/26543da622fa417c len=356 ike 0: in D2B0D87F1C62337026543DA622FA417C0410020000000000000001640A000104D7099B1534E6DA1666BFB05616A3D482290AD91B109C8FC0B7CD9D0EFC72CEA436CEF0A0C83FD175D351D62DFE03F0C4032BAA11254A222C5005BB05A2B30CC3E2CE027B36113D4D9777D7CE34FE0A5B0D49CBBB8A46D64A8FFA38FFAF5A3AFB2AFA4A823C3D96C03724328E255D6CEC87BD5A11E11865098135B894C56EC3DF1AFB1676299ABD341C1E5C886E4B20A94B73F6E01A5ED581518274BB267AFC75E046640159AEE0BE1B02A913007D805E05D0F784A283434F171604CAD60CC36F24EDE3C9DC7BDBD65D02046CD259E39F085B04974F3AB5F5A8E12B790A9417C8708D788CDAACF3AFB2D5CB55A719C5BC1C89B12456365F22163AA4F10E06F57214000014745B8DF04C97722F9B4C02F8632BC7A1140000184A02D2DE880752C447BC6D7A46EDB227AAF7BE2D000000182EAF1EFCF58EE615D60BC09583A68695B7850A16 ike 0:T-company a:567: retransmission, re-send last message ike 0:T-company a:567: out D2B0D87F1C62337026543DA622FA417C051002010000000000000064F93828D24A8F81C3128396A1C1825B3C32B0E53D16B55F7C8BD2FA1180D7B5F3549DBDECED0FFC66E6774EFC3EACFD9DE6F24103C91EB7812605A6CC17358968E80E9F84E6C93BE2 ike 0:T-company a:567: sent IKE msg (retransmit): 194.3.202.206:500->203.109.52.220:500, len=100, id=d2b0d87f1c623370/26543da622fa417c ike 0: comes 203.109.52.220:500->194.3.202.206:500,ifindex=8.... ike 0: IKEv1 exchange=Informational id=d2b0d87f1c623370/26543da622fa417c:71f7a551 len=68 ike 0: in D2B0D87F1C62337026543DA622FA417C0810050171F7A55100000044F5A2E4ECF59A48B813D0579D4B7E72C04BE228BB0564DC46F578FB216D86B65B8C2C9449B1C349FD ike 0:T-company a:567: dec D2B0D87F1C62337026543DA622FA417C0810050171F7A55100000044F3F1A599A043AFD1C4E447CBF0701C6BE812D34FC0C2B4CC70AD2975204CE6F748BD2C20D051773E ike 0:T-company a:567: out D2B0D87F1C62337026543DA622FA417C051002010000000000000064F93828D24A8F81C3128396A1C1825B3C32B0E53D16B55F7C8BD2FA1180D7B5F3549DBDECED0FFC66E6774EFC3EACFD9DE6F24103C91EB7812605A6CC17358968E80E9F84E6C93BE2 ike 0:T-company a:567: sent IKE msg (P1_RETRANSMIT): 194.3.202.206:500->203.109.52.220:500, len=100, id=d2b0d87f1c623370/26543da622fa417c ike 0: comes 203.109.52.220:500->194.3.202.206:500,ifindex=8.... ike 0: IKEv1 exchange=Informational id=d2b0d87f1c623370/26543da622fa417c:943c385a len=68 ike 0: in D2B0D87F1C62337026543DA622FA417C08100501943C385A000000443000A378C9DD39193E12A1F3D8AFC61DE288CBA103BB4F289A33C2FE2907531F7B54966DB84799EC ike 0:T-company a:567: dec D2B0D87F1C62337026543DA622FA417C08100501943C385A00000044F2D2EAC9CFA57F841D7365C057AC78CF4A43A740E433E23515B9E925C5B159AD8E623B26D301FC10 ike 0:T-company a:567: negotiation timeout, deleting ike 0:T-company a: connection expiring due to phase1 down ike 0:T-company a: deleting ike 0:T-company a: deleted ike 0:T-company a: schedule auto-negotiate

    4 replies

    ede_pfau
    SuperUser
    ede_pfau
    SuperUser
    July 23, 2019

    Could you please post the phase1 and phase2 config? from 'conf vpn ipsec phase1-interface' etc.

     

    Who designed a contemporary VPN tunnel to use DES and SHA1?? Ts, ts...

    Dexter
    DexterAuthor
    New Member
    July 23, 2019

    I have to ask the customer about the settings, as soon as he shares, i will post it here. My settings are in ipsec.conf are:

    type = tunnel left = x.x.x.x leftsubnet = 172.16.5.167/32 leftsourceip = 172.16.5.167 right = x.x.x.x rightsubnet = 172.30.14.0/24 esp = 3des-sha1-modp2048 ike = 3des-sha1-modp2048 ikelifetime = 86400s keylife = 28800s authby = secret dpdaction = restart auto = start According to the customer, he has the same settings as well. About DES...these are the parameters given by lient, we have recommended the later versions to be used. Thank you for the quick response :)

    ede_pfau
    SuperUser
    ede_pfau
    SuperUser
    July 23, 2019

    I'd focus on DPD...not all vendors implement it in a compatible way. You don't really need it during testing (but of course later). You might disable it to see if that makes any difference. There should be log entries if DPD kicks in.

     

    Regarding the FGT config, scramble all IPs (but in a consistent way) and delete the PSK, even if ENCoded. With that your customer should be happy.

    Dexter
    DexterAuthor
    New Member
    July 23, 2019

    002 "tunnel-a" #1163856: initiating Main Mode 102 "tunnel-a" #1163856: STATE_MAIN_I1: initiate 010 "tunnel-a" #1163856: STATE_MAIN_I1: retransmission; will wait 20s for response 010 "tunnel-a" #1163856: STATE_MAIN_I1: retransmission; will wait 40s for response 031 "tunnel-a" #1163856: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message 000 "tunnel-a" #1163856: starting keying attempt 2 of at most 5, but releasing whack. After changing DPD state,  i get the same response as well. Response after ipsec up command. For FGT changes, i will ask the client to look into the changes you mentioned. From the logs in 1st post of thread, is there any information you found related to the issue?

    Dexter
    DexterAuthor
    New Member
    July 24, 2019

    Phase 1 Settings

    Dexter
    DexterAuthor
    New Member
    July 24, 2019

    Phase 2 settings This is the status of Tunnel:

    000 "tunnel": newest ISAKMP SA: #0; newest IPsec SA: #0; 000 000 #1248441: "tunnel" STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT in 12s 000 #1248475: "tunnel" STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT in 2s

    ede_pfau
    SuperUser
    ede_pfau
    SuperUser
    July 24, 2019

    Two peculiarities:

    - do you really want to reach only ONE host on the other side? in phase2, the netmask is /32

    - no PFS in phase2?

    Dexter
    DexterAuthor
    New Member
    July 24, 2019

    yes we only need to reach 1 host. no PFS also.

    Terms & ConditionsAccessibility statement