Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
asostizzo_FTNT
Staff
Staff

Created on ‎10-05-2015 02:23 PM Edited on ‎06-06-2022 01:26 PM By Anonymous

Article Id 191576

Technical Note: 'Negotiation failure' is seen in IPsec VPN debugs with mismatching 'OAKLEY_GROUP' values

Description

When using Aggressive Mode for establishing a VPN connection, any mismatch in the IKE parameters will cause an immediate negotiation failure. This example illustrates a failure due to the "OAKLEY_GROUP" parameters which is also known as MODP Diffie-Hellman group:
ike 0:224b50f8ebe84df6/0000000000000000:33007: incoming proposal:
ike 0:224b50f8ebe84df6/0000000000000000:33007: proposal id = 0:
ike 0:224b50f8ebe84df6/0000000000000000:33007:   protocol id = ISAKMP:
ike 0:224b50f8ebe84df6/0000000000000000:33007:      trans_id = KEY_IKE.
ike 0:224b50f8ebe84df6/0000000000000000:33007:      encapsulation = IKE/none
ike 0:224b50f8ebe84df6/0000000000000000:33007:         type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:224b50f8ebe84df6/0000000000000000:33007:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:224b50f8ebe84df6/0000000000000000:33007:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:224b50f8ebe84df6/0000000000000000:33007:         type=OAKLEY_GROUP, val=1536.
ike 0:224b50f8ebe84df6/0000000000000000:33007: ISAKMP SA lifetime=28800

ike 0:224b50f8ebe84df6/0000000000000000:33007: my proposal, gw RemoteGWname:
ike 0:224b50f8ebe84df6/0000000000000000:33007: proposal id = 1:
ike 0:224b50f8ebe84df6/0000000000000000:33007:   protocol id = ISAKMP:
ike 0:224b50f8ebe84df6/0000000000000000:33007:      trans_id = KEY_IKE.
ike 0:224b50f8ebe84df6/0000000000000000:33007:      encapsulation = IKE/none
ike 0:224b50f8ebe84df6/0000000000000000:33007:         type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:224b50f8ebe84df6/0000000000000000:33007:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:224b50f8ebe84df6/0000000000000000:33007:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:224b50f8ebe84df6/0000000000000000:33007:         type=OAKLEY_GROUP, val=2048.
ike 0:224b50f8ebe84df6/0000000000000000:33007: ISAKMP SA lifetime=28800
ike 0:224b50f8ebe84df6/0000000000000000:33007: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:224b50f8ebe84df6/0000000000000000:33007: no SA proposal chosen


Solution

Ensure the corresponding configured Phase1 IKE Diffie-Hellman group is matched on both sides. From RFC3526, RFC5903, and RFC7296 follows a mapping of supported Diffie-Hellman Group to their respective OAKLEY_GROUP value:

DH Group 1: 768-bit MODP Group
DH Group 2: 1024-bit MODP Group
DH Group 5: 1536-bit MODP Group
DH Group 14: 2048-bit MODP Group
DH Group 15: 3072-bit MODP Group
DH Group 16: 4096-bit MODP Group
DH Group 17: 6144-bit MODP Group
DH Group 18: 8192-bit MODP Group
DH Group 19: 256-bit random ECP Group
DH Group 20: 384-bit random ECP Group
DH Group 21: 521-bit random ECP Group

 

 

 

46562
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.