Solution
In the FortiGate IPsec VPN logs, the Proposal ID can remain the same for all incoming proposals. While troubleshooting with the IKE debug, the following output can be observed:
2025-02-28 10:28:08.260710 ike 5:d1ae31d584881057/0000000000000000:2086423: incoming proposal:
2025-02-28 10:28:08.260716 ike 5:d1ae31d584881057/0000000000000000:2086423: proposal id = 0:
2025-02-28 10:28:08.260721 ike 5:d1ae31d584881057/0000000000000000:2086423: protocol id = ISAKMP:
2025-02-28 10:28:08.260727 ike 5:d1ae31d584881057/0000000000000000:2086423: trans_id = KEY_IKE.
2025-02-28 10:28:08.260731 ike 5:d1ae31d584881057/0000000000000000:2086423: encapsulation = IKE/none
2025-02-28 10:28:08.260736 ike 5:d1ae31d584881057/0000000000000000:2086423: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
2025-02-28 10:28:08.260742 ike 5:d1ae31d584881057/0000000000000000:2086423: type=OAKLEY_HASH_ALG, val=SHA.
2025-02-28 10:28:08.260747 ike 5:d1ae31d584881057/0000000000000000:2086423: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
2025-02-28 10:28:08.260751 ike 5:d1ae31d584881057/0000000000000000:2086423: type=OAKLEY_GROUP, val=MODP1024.
2025-02-28 10:28:08.260756 ike 5:d1ae31d584881057/0000000000000000:2086423: ISAKMP SA lifetime=86400
2025-02-28 10:28:08.260760 ike 5:d1ae31d584881057/0000000000000000:2086423: proposal id = 0:
2025-02-28 10:28:08.260765 ike 5:d1ae31d584881057/0000000000000000:2086423: protocol id = ISAKMP:
2025-02-28 10:28:08.260769 ike 5:d1ae31d584881057/0000000000000000:2086423: trans_id = KEY_IKE.
2025-02-28 10:28:08.260773 ike 5:d1ae31d584881057/0000000000000000:2086423: encapsulation = IKE/none
2025-02-28 10:28:08.260779 ike 5:d1ae31d584881057/0000000000000000:2086423: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
2025-02-28 10:28:08.260783 ike 5:d1ae31d584881057/0000000000000000:2086423: type=OAKLEY_HASH_ALG, val=SHA.
2025-02-28 10:28:08.260788 ike 5:d1ae31d584881057/0000000000000000:2086423: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
2025-02-28 10:28:08.260793 ike 5:d1ae31d584881057/0000000000000000:2086423: type=OAKLEY_GROUP, val=MODP1536.
2025-02-28 10:28:08.260798 ike 5:d1ae31d584881057/0000000000000000:2086423: ISAKMP SA lifetime=86400
2025-02-28 10:28:08.260804 ike 5:d1ae31d584881057/0000000000000000:2086423: proposal id = 0:
2025-02-28 10:28:08.260808 ike 5:d1ae31d584881057/0000000000000000:2086423: protocol id = ISAKMP:
2025-02-28 10:28:08.260812 ike 5:d1ae31d584881057/0000000000000000:2086423: trans_id = KEY_IKE.
2025-02-28 10:28:08.260816 ike 5:d1ae31d584881057/0000000000000000:2086423: encapsulation = IKE/none
2025-02-28 10:28:08.260821 ike 5:d1ae31d584881057/0000000000000000:2086423: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
2025-02-28 10:28:08.260828 ike 5:d1ae31d584881057/0000000000000000:2086423: type=OAKLEY_HASH_ALG, val=SHA2_256.
2025-02-28 10:28:08.260832 ike 5:d1ae31d584881057/0000000000000000:2086423: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
2025-02-28 10:28:08.260839 ike 5:d1ae31d584881057/0000000000000000:2086423: type=OAKLEY_GROUP, val=MODP1024.
2025-02-28 10:28:08.260843 ike 5:d1ae31d584881057/0000000000000000:2086423: ISAKMP SA lifetime=86400
...
This output is expected and is only seen in IKEv1 aggressive mode or quick mode. It occurs because aggressive mode consolidates multiple transform sets within a single proposal message, rather than sending separate proposals with different IDs.
In main mode, proposals are individually numbered and evaluated; aggressive mode is designed for faster negotiation. The initiating peer sends multiple encryption, authentication, and key exchange options within a single packet, and the FortiGate selects a compatible set. Since all transform sets are part of the same proposal structure, the Proposal ID does not change.
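As an added example (not part of the original article and not FortiGate code), the following Python script parses the IKE debug output shown above, splits it into the individual transform sets that share proposal id 0, and reports the distinct proposal IDs together with the DH group, hash and encryption each set carries. The sample input is a copy of the article's own debug lines; the line-prefix regex and the "short DH group" policy used for the flagging check are assumptions made for this example, not FortiGate's own matching logic.

```python
import re

# Sample input: the debug lines printed in the article (three transform sets, all under
# proposal id = 0). Any other ike debug lines around them would simply be skipped.
SAMPLE_DEBUG = """\
2025-02-28 10:28:08.260710 ike 5:d1ae31d584881057/0000000000000000:2086423: incoming proposal:
2025-02-28 10:28:08.260716 ike 5:d1ae31d584881057/0000000000000000:2086423: proposal id = 0:
2025-02-28 10:28:08.260721 ike 5:d1ae31d584881057/0000000000000000:2086423: protocol id = ISAKMP:
2025-02-28 10:28:08.260727 ike 5:d1ae31d584881057/0000000000000000:2086423: trans_id = KEY_IKE.
2025-02-28 10:28:08.260731 ike 5:d1ae31d584881057/0000000000000000:2086423: encapsulation = IKE/none
2025-02-28 10:28:08.260736 ike 5:d1ae31d584881057/0000000000000000:2086423: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
2025-02-28 10:28:08.260742 ike 5:d1ae31d584881057/0000000000000000:2086423: type=OAKLEY_HASH_ALG, val=SHA.
2025-02-28 10:28:08.260747 ike 5:d1ae31d584881057/0000000000000000:2086423: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
2025-02-28 10:28:08.260751 ike 5:d1ae31d584881057/0000000000000000:2086423: type=OAKLEY_GROUP, val=MODP1024.
2025-02-28 10:28:08.260756 ike 5:d1ae31d584881057/0000000000000000:2086423: ISAKMP SA lifetime=86400
2025-02-28 10:28:08.260760 ike 5:d1ae31d584881057/0000000000000000:2086423: proposal id = 0:
2025-02-28 10:28:08.260765 ike 5:d1ae31d584881057/0000000000000000:2086423: protocol id = ISAKMP:
2025-02-28 10:28:08.260769 ike 5:d1ae31d584881057/0000000000000000:2086423: trans_id = KEY_IKE.
2025-02-28 10:28:08.260773 ike 5:d1ae31d584881057/0000000000000000:2086423: encapsulation = IKE/none
2025-02-28 10:28:08.260779 ike 5:d1ae31d584881057/0000000000000000:2086423: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
2025-02-28 10:28:08.260783 ike 5:d1ae31d584881057/0000000000000000:2086423: type=OAKLEY_HASH_ALG, val=SHA.
2025-02-28 10:28:08.260788 ike 5:d1ae31d584881057/0000000000000000:2086423: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
2025-02-28 10:28:08.260793 ike 5:d1ae31d584881057/0000000000000000:2086423: type=OAKLEY_GROUP, val=MODP1536.
2025-02-28 10:28:08.260798 ike 5:d1ae31d584881057/0000000000000000:2086423: ISAKMP SA lifetime=86400
2025-02-28 10:28:08.260804 ike 5:d1ae31d584881057/0000000000000000:2086423: proposal id = 0:
2025-02-28 10:28:08.260808 ike 5:d1ae31d584881057/0000000000000000:2086423: protocol id = ISAKMP:
2025-02-28 10:28:08.260812 ike 5:d1ae31d584881057/0000000000000000:2086423: trans_id = KEY_IKE.
2025-02-28 10:28:08.260816 ike 5:d1ae31d584881057/0000000000000000:2086423: encapsulation = IKE/none
2025-02-28 10:28:08.260821 ike 5:d1ae31d584881057/0000000000000000:2086423: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
2025-02-28 10:28:08.260828 ike 5:d1ae31d584881057/0000000000000000:2086423: type=OAKLEY_HASH_ALG, val=SHA2_256.
2025-02-28 10:28:08.260832 ike 5:d1ae31d584881057/0000000000000000:2086423: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
2025-02-28 10:28:08.260839 ike 5:d1ae31d584881057/0000000000000000:2086423: type=OAKLEY_GROUP, val=MODP1024.
2025-02-28 10:28:08.260843 ike 5:d1ae31d584881057/0000000000000000:2086423: ISAKMP SA lifetime=86400
"""

# Assumed shape of the per-line prefix: timestamp, "ike", <idx>:<initiator SPI>/<responder SPI>:<serial>:
_PREFIX = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ ike \d+:[0-9a-f]+/[0-9a-f]+:\d+: (?P<msg>.*)$"
)
_PROPOSAL = re.compile(r"^proposal id = (?P<id>\d+):$")
_ATTR = re.compile(r"^type=(?P<type>\w+), val=(?P<val>\w+)(?:, key-len=(?P<klen>\d+))?\.?$")
_LIFETIME = re.compile(r"^ISAKMP SA lifetime=(?P<secs>\d+)$")

# Map the OAKLEY attribute names in the debug to short keys in the parsed record.
_ATTR_NAMES = {
    "OAKLEY_ENCRYPT_ALG": "encrypt",
    "OAKLEY_HASH_ALG": "hash",
    "AUTH_METHOD": "auth",
    "OAKLEY_GROUP": "group",
}


def parse_ike_proposals(debug_text):
    """Return one dict per transform set; a new set starts at every 'proposal id = N:' line."""
    sets = []
    current = None
    for raw in debug_text.splitlines():
        m = _PREFIX.match(raw.strip())
        if not m:
            continue  # not an ike debug line, skip it
        msg = m.group("msg").strip()
        pm = _PROPOSAL.match(msg)
        if pm:
            current = {"proposal_id": int(pm.group("id"))}
            sets.append(current)
            continue
        if current is None:
            continue  # attribute lines before the first proposal header are ignored
        am = _ATTR.match(msg)
        if am and am.group("type") in _ATTR_NAMES:
            current[_ATTR_NAMES[am.group("type")]] = am.group("val")
            if am.group("klen"):
                current["key_len"] = int(am.group("klen"))
            continue
        lm = _LIFETIME.match(msg)
        if lm:
            current["lifetime"] = int(lm.group("secs"))
    return sets


def distinct_proposal_ids(sets):
    """Sorted list of the proposal IDs seen; in aggressive mode this is typically [0]."""
    return sorted({s["proposal_id"] for s in sets})


# Example policy (an assumption for this script): flag DH groups shorter than 2048 bits.
SHORT_DH_GROUPS = {"MODP768", "MODP1024", "MODP1536"}


def short_dh_transform_sets(sets):
    """Indices of transform sets whose DH group is in SHORT_DH_GROUPS."""
    return [i for i, s in enumerate(sets) if s.get("group") in SHORT_DH_GROUPS]


def summarize(sets):
    """Human-readable summary of what the initiator offered."""
    lines = [f"{len(sets)} transform set(s), proposal ids seen: {distinct_proposal_ids(sets)}"]
    for i, s in enumerate(sets):
        lines.append(
            f"  [{i}] id={s['proposal_id']} {s.get('encrypt')}-{s.get('key_len')} "
            f"{s.get('hash')} {s.get('auth')} {s.get('group')} lifetime={s.get('lifetime')}s"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_ike_proposals(SAMPLE_DEBUG)
    print(summarize(parsed))
    print("sets with a DH group below 2048 bits:", short_dh_transform_sets(parsed))
```

Paste the output of `diagnose debug application ike -1` into a file and feed its contents to parse_ike_proposals() instead of SAMPLE_DEBUG to see which transform sets a dial-up client actually offered; because every set is reported under the same proposal id, counting the parsed records, rather than the distinct IDs, is what tells you how many options the initiator sent.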
Related articles:
Technical Tip: How to check the assigned IP address for the IPSec dial up client
Technical Tip: IPsec Tunnel ID expected behavior