nithincs (Staff)
Article Id 193250

Description


This article describes what happens when a FortiGate is configured to establish an IPsec VPN tunnel with a remote peer and the IKE parameters do not match: any mismatch causes an immediate negotiation failure.
Make sure the corresponding Phase 1 IKE DH group on the remote peer is the same as the DH group set on the FortiGate.

This article describes how to check whether the DH group is the same on both peer units.

Scope

FortiGate.

Solution


The following IKE debug output illustrates a Phase 1 failure caused by a DH group mismatch.

ike 0: comes 10.40.16.57:500->10.40.16.20:500,ifindex=3....
ike 0: IKEv1 exchange=Aggressive id=bc55c602b3aa4243/0000000000000000 len=472
ike 0: in
ike 0::108: peer identifier IPV4_ADDR 10.40.16.57
ike 0:bc55c602b3aa4243/0000000000000000:108: incoming proposal:
ike 0:bc55c602b3aa4243/0000000000000000:108: proposal id = 0:
ike 0:bc55c602b3aa4243/0000000000000000:108:   protocol id = ISAKMP:
ike 0:bc55c602b3aa4243/0000000000000000:108:      trans_id = KEY_IKE.
ike 0:bc55c602b3aa4243/0000000000000000:108:      encapsulation = IKE/none
ike 0:bc55c602b3aa4243/0000000000000000:108:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:bc55c602b3aa4243/0000000000000000:108:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:bc55c602b3aa4243/0000000000000000:108:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:bc55c602b3aa4243/0000000000000000:108:         type=OAKLEY_GROUP, val=MODP1024.
ike 0:bc55c602b3aa4243/0000000000000000:108: ISAKMP SA lifetime=86400
ike 0:bc55c602b3aa4243/0000000000000000:108: my proposal, gw DR_port1_2:
ike 0:bc55c602b3aa4243/0000000000000000:108: proposal id = 1:
ike 0:bc55c602b3aa4243/0000000000000000:108:   protocol id = ISAKMP:
ike 0:bc55c602b3aa4243/0000000000000000:108:      trans_id = KEY_IKE.
ike 0:bc55c602b3aa4243/0000000000000000:108:      encapsulation = IKE/none
ike 0:bc55c602b3aa4243/0000000000000000:108:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:bc55c602b3aa4243/0000000000000000:108:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:bc55c602b3aa4243/0000000000000000:108:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:bc55c602b3aa4243/0000000000000000:108:         type=OAKLEY_GROUP, val=MODP2048.
ike 0:bc55c602b3aa4243/0000000000000000:108: ISAKMP SA lifetime=86400
ike 0:bc55c602b3aa4243/0000000000000000:108: proposal id = 1:
ike 0:bc55c602b3aa4243/0000000000000000:108:   protocol id = ISAKMP:
ike 0:bc55c602b3aa4243/0000000000000000:108:      trans_id = KEY_IKE.
ike 0:bc55c602b3aa4243/0000000000000000:108:      encapsulation = IKE/none
ike 0:bc55c602b3aa4243/0000000000000000:108:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:bc55c602b3aa4243/0000000000000000:108:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:bc55c602b3aa4243/0000000000000000:108:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:bc55c602b3aa4243/0000000000000000:108:         type=OAKLEY_GROUP, val=MODP1536.
ike 0:bc55c602b3aa4243/0000000000000000:108: ISAKMP SA lifetime=86400
ike 0:bc55c602b3aa4243/0000000000000000:108: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:bc55c602b3aa4243/0000000000000000:108: no SA proposal chosen

Ensure the configured Phase 1 IKE DH group matches on both sides.
The following mapping of supported DH groups to their respective OAKLEY_GROUP values (the MODP or ECP size printed in the debug output) is taken from RFC 3526, RFC 5903 and RFC 7296:

DH Group 1: 768-bit MODP Group
DH Group 2: 1024-bit MODP Group
DH Group 5: 1536-bit MODP Group
DH Group 14: 2048-bit MODP Group
DH Group 15: 3072-bit MODP Group
DH Group 16: 4096-bit MODP Group
DH Group 17: 6144-bit MODP Group
DH Group 18: 8192-bit MODP Group
DH Group 19: 256-bit random ECP Group
DH Group 20: 384-bit random ECP Group
DH Group 21: 521-bit random ECP Group

In the example above, the remote peer proposes Phase 1 IKE Diffie-Hellman group 2 (MODP1024), while the local firewall proposes groups 14 (MODP2048) and 5 (MODP1536), so no common group exists.

Changing the Phase 1 IKE Diffie-Hellman group to 2 on the local firewall results in a successful Phase 1 negotiation, as the following debug output shows.

ike 0:DR_port1_2:196: initiator: aggressive mode get 1st response...
ike 0:DR_port1_2:196: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:DR_port1_2:196: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:DR_port1_2:196: DPD negotiated
ike 0:DR_port1_2:196: VID FORTIGATE 8299031757A36082C6A621DE00000000
ike 0:DR_port1_2:196: peer is FortiGate/FortiOS (v0 b0)
ike 0:DR_port1_2:196: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike 0:DR_port1_2:196: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:DR_port1_2:196: peer identifier IPV4_ADDR 10.40.16.57
ike 0:DR_port1_2:196: negotiation result
ike 0:DR_port1_2:196: proposal id = 1:
ike 0:DR_port1_2:196:   protocol id = ISAKMP:
ike 0:DR_port1_2:196:      trans_id = KEY_IKE.
ike 0:DR_port1_2:196:      encapsulation = IKE/none
ike 0:DR_port1_2:196:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:DR_port1_2:196:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:DR_port1_2:196:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:DR_port1_2:196:         type=OAKLEY_GROUP, val=MODP1024.
ike 0:DR_port1_2:196: ISAKMP SA lifetime=86400
ike 0:DR_port1_2:196: received NAT-D payload type 20
ike 0:DR_port1_2:196: received NAT-D payload type 20
ike 0:DR_port1_2:196: selected NAT-T version: RFC 3947
ike 0:DR_port1_2:196: NAT not detected
ike 0:DR_port1_2:196: ISAKMP SA 3ffc2deda4ce3955/8d11eb06e27ffb35 key 16:D25A5D375448BDEE3423AA121B56980E
ike 0:DR_port1_2:196: PSK authentication succeeded
ike 0:DR_port1_2:196: authentication OK
ike 0:DR_port1_2:196: add INITIAL-CONTACT
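
The comparison made above, reading the "incoming proposal" block against the "my proposal" block, can be scripted. The following Python is an added example written for this article, not FortiOS code or anything Fortinet ships: it parses the proposal blocks out of the IKE debug output (the article's own failing exchange is embedded as sample input), maps each OAKLEY_GROUP label to its DH group number using the RFC table above, and reports which transform attributes differ between the closest pair of peer and local proposals. It goes beyond the DH group and also compares the encryption, hash and authentication attributes, since the same "no SA proposal chosen" error arises from any of them. The MODP labels in the mapping are as printed in the output above; the ECP labels are an assumption about how FortiOS names groups 19 to 21.

```python
import re
from typing import Dict, List, Optional, Tuple

# DH group number for each OAKLEY_GROUP label that the FortiGate IKE debug prints,
# following the RFC 3526 / RFC 5903 table in the article. The MODP labels appear
# verbatim in the article's debug output; the ECP labels are an assumption about how
# FortiOS names groups 19-21 and may need adjusting for a given firmware build.
DH_GROUP_BY_LABEL: Dict[str, int] = {
    "MODP768": 1, "MODP1024": 2, "MODP1536": 5, "MODP2048": 14,
    "MODP3072": 15, "MODP4096": 16, "MODP6144": 17, "MODP8192": 18,
    "ECP256": 19, "ECP384": 20, "ECP521": 21,
}

_PROPOSAL_RE = re.compile(r"proposal id = \d+:")
_ATTR_RE = re.compile(r"type=([A-Z_]+), val=([A-Z0-9_]+)(?:, key-len=(\d+))?")

Proposal = Dict[str, object]


def parse_proposals(debug_output: str) -> Dict[str, List[Proposal]]:
    """Split IKE debug output into the peer's ("incoming") and local ("my") proposals.

    Each proposal is a dict of transform attribute -> value; OAKLEY_GROUP values are
    converted to RFC DH group numbers so they can be compared with 'set dhgrp'.
    """
    sides: Dict[str, List[Proposal]] = {"peer": [], "local": []}
    side: Optional[str] = None
    for line in debug_output.splitlines():
        if "incoming proposal" in line:   # transform sets the remote peer sent
            side = "peer"
            continue
        if "my proposal" in line:         # transform sets this FortiGate is configured with
            side = "local"
            continue
        if side is None:
            continue
        if _PROPOSAL_RE.search(line):     # "proposal id = N:" starts a new transform set
            sides[side].append({})
            continue
        m = _ATTR_RE.search(line)
        if m and sides[side]:
            attr, val, keylen = m.groups()
            if attr == "OAKLEY_GROUP":
                sides[side][-1][attr] = DH_GROUP_BY_LABEL.get(val, val)
            else:
                sides[side][-1][attr] = f"{val}-{keylen}" if keylen else val
    return sides


def diagnose(debug_output: str) -> Dict[str, Tuple[object, object]]:
    """Return {attribute: (peer_value, local_value)} for the closest peer/local pair.

    An empty dict means some local proposal matches some peer proposal exactly, so a
    "no SA proposal chosen" failure is not caused by the attributes parsed here.
    """
    sides = parse_proposals(debug_output)
    candidates = []
    for local in sides["local"]:
        for peer in sides["peer"]:
            keys = set(local) | set(peer)
            candidates.append({k: (peer.get(k), local.get(k))
                               for k in keys if peer.get(k) != local.get(k)})
    if not candidates:
        raise ValueError("no peer/local proposal pair found in debug output")
    return min(candidates, key=len)   # the pair with the fewest differing attributes


# Sample input: the failing exchange from the article's debug output, trimmed to the
# lines the parser needs (cookie prefix and values exactly as the FortiGate printed them).
SAMPLE_MISMATCH = """\
ike 0:bc55c602b3aa4243/0000000000000000:108: incoming proposal:
ike 0:bc55c602b3aa4243/0000000000000000:108: proposal id = 0:
ike 0:bc55c602b3aa4243/0000000000000000:108:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:bc55c602b3aa4243/0000000000000000:108:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:bc55c602b3aa4243/0000000000000000:108:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:bc55c602b3aa4243/0000000000000000:108:         type=OAKLEY_GROUP, val=MODP1024.
ike 0:bc55c602b3aa4243/0000000000000000:108: my proposal, gw DR_port1_2:
ike 0:bc55c602b3aa4243/0000000000000000:108: proposal id = 1:
ike 0:bc55c602b3aa4243/0000000000000000:108:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:bc55c602b3aa4243/0000000000000000:108:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:bc55c602b3aa4243/0000000000000000:108:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:bc55c602b3aa4243/0000000000000000:108:         type=OAKLEY_GROUP, val=MODP2048.
ike 0:bc55c602b3aa4243/0000000000000000:108: proposal id = 1:
ike 0:bc55c602b3aa4243/0000000000000000:108:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:bc55c602b3aa4243/0000000000000000:108:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:bc55c602b3aa4243/0000000000000000:108:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:bc55c602b3aa4243/0000000000000000:108:         type=OAKLEY_GROUP, val=MODP1536.
ike 0:bc55c602b3aa4243/0000000000000000:108: negotiation failure
"""

if __name__ == "__main__":
    for attr, (peer_val, local_val) in diagnose(SAMPLE_MISMATCH).items():
        print(f"{attr}: peer offers {peer_val}, local offers {local_val}")
    # prints: OAKLEY_GROUP: peer offers 2, local offers 14
```

Paste the IKE debug output of a failing tunnel into a file and pass its contents to diagnose(); the attribute it names is the one to align with 'set dhgrp' (or the matching encryption, hash or authentication setting), and an empty result means the transform sets overlap and the failure is not in the attributes parsed here.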


Use the commands below to configure the DH group (phase1-interface/phase2-interface for an interface-based tunnel, phase1/phase2 for a policy-based tunnel):

config vpn ipsec phase1-interface
    edit "tunnel-name"
        set dhgrp <DH number>
    end

config vpn ipsec phase2-interface
    edit "tunnel-name"
        set dhgrp <DH number>
    end

OR

config vpn ipsec phase1
    edit "tunnel-name"
        set dhgrp <DH number>
    end

config vpn ipsec phase2
    edit "tunnel-name"
        set dhgrp <DH number>
    end