Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ihaidar
Staff
Staff

Created on ‎11-20-2024 03:11 AM

Article Id 358593

Technical Tip: The meaning of successful IPsec Phase 1 Negotiation logs with unknown Peer IP addresses

Description This article describes the logs of VPN events when it shows 'success phase1 negotiate from unknown Peer'.
Scope FortiGate.
Solution

In case any malicious or unknown peer is trying to build an IPsec Tunnel with the locally configured Tunnel, the FortiGate may show success status for Phase 1 Negotiation. This does not mean that the tunnel was established since the IPSEC needs an authentication method to be established.

In case the tunnel fails to be established, the FortiGate will show the following logs where it will start with success with 'logdesc="Negotiate IPsec phase 1' then when authentication fails it will show as Failure for the log 'logdesc="Progress IPsec phase 1'.  

At the end of the logs, it shows that the IPsec Phase 1 SA is deleted.


date="2024-10-20" time="22:55:12" id=7427933389090455743 bid=104908754 dvid=1080 itime=1729450512 euid=2 epid=2 dsteuid=2 dstepid=2 logver=704032573 logid="0101037134" type="event" subtype="vpn" level="notice" action="delete_phase1_sa" msg="delete IPsec phase 1 SA" logdesc="IPsec phase 1 SA deleted" user="N/A" remip="151.39.206.116" locip="10.100.1.3" remport=38813 locport=4500 outintf="port1" cookies="3a92dede877cc423/79a3a8edf3063622" group="N/A" xauthuser="N/A" xauthgroup="N/A" vpntunnel="Tunnel_1" eventtime=1729450511926000497 tz="+0400" useralt="N/A" devid="FGTAXXXXXXXXXXXXX" vd="root" devname="FGT001"


date="2024-10-20" time="22:55:12" id=7427933389090455742 bid=104908754 dvid=1080 itime=1729450512 euid=2 epid=2 dsteuid=2 dstepid=2 logver=704032573 logid="0101037128" type="event" subtype="vpn" level="error" action="negotiate" msg="progress IPsec phase 1" logdesc="Progress IPsec phase 1" user="N/A" status="failure" remip="151.39.206.116" locip="10.100.1.3" remport=38813 locport=4500 outintf="port1" cookies="3a92dede877cc423/79a3a8edf3063622" group="N/A" xauthuser="N/A" xauthgroup="N/A" vpntunnel="Tunnel_1" dir="inbound" init="remote" exch="SA_INIT" version="IKEv2" role="responder" result="ERROR" eventtime=1729450511925987897 tz="+0400" useralt="N/A" devid="FGTAXXXXXXXXXXXXX" vd="root" devname="FGT001"


date="2024-10-20" time="22:55:12" id=7427933389090455741 bid=104908754 dvid=1080 itime=1729450512 euid=2 epid=2 dsteuid=2 dstepid=2 logver=704032573 logid="0101037120" type="event" subtype="vpn" level="notice" action="negotiate" msg="negotiate IPsec phase 1" logdesc="Negotiate IPsec phase 1" user="N/A" status="success" remip="151.39.206.116" locip="10.100.1.3" remport=38813 locport=4500 outintf="port1" cookies="3a92dede877cc423/79a3a8edf3063622" group="N/A" xauthuser="N/A" xauthgroup="N/A" vpntunnel="Tunnel_1" result="N/A" peer_notif="N/A" eventtime=1729450511925957197 tz="+0400" useralt="N/A" devid="FGTAXXXXXXXXXXXXX" vd="root" devname="FGT001"


date="2024-10-20" time="22:55:12" id=7427933389090455740 bid=104908754 dvid=1080 itime=1729450512 euid=2 epid=2 dsteuid=2 dstepid=2 logver=704032573 logid="0101037120" type="event" subtype="vpn" level="notice" action="negotiate" msg="negotiate IPsec phase 1" logdesc="Negotiate IPsec phase 1" user="N/A" status="success" remip="151.39.206.116" locip="10.100.1.3" remport=38813 locport=4500 outintf="port1" cookies="3a92dede877cc423/79a3a8edf3063622" group="N/A" xauthuser="N/A" xauthgroup="N/A" vpntunnel="Tunnel_1" result="N/A" peer_notif="N/A" eventtime=1729450511925949297 tz="+0400" useralt="N/A" devid="FGTAXXXXXXXXXXXXX" vd="root" devname="FGT001"


date="2024-10-20" time="22:55:12" id=7427933389090455739 bid=104908754 dvid=1080 itime=1729450512 euid=2 epid=2 dsteuid=2 dstepid=2 logver=704032573 logid="0101037120" type="event" subtype="vpn" level="notice" action="negotiate" msg="negotiate IPsec phase 1" logdesc="Negotiate IPsec phase 1" user="N/A" status="success" remip="151.39.206.116" locip="10.100.1.3" remport=38813 locport=4500 outintf="port1" cookies="3a92dede877cc423/79a3a8edf3063622" group="N/A" xauthuser="N/A" xauthgroup="N/A" vpntunnel="Tunnel_1" result="N/A" peer_notif="N/A" eventtime=1729450511925940297 tz="+0400" useralt="N/A" devid="FGTAXXXXXXXXXXXXX" vd="root" devname="FGT001"


date="2024-10-20" time="22:55:12" id=7427933389090455738 bid=104908754 dvid=1080 itime=1729450512 euid=2 epid=2 dsteuid=2 dstepid=2 logver=704032573 logid="0101037120" type="event" subtype="vpn" level="notice" action="negotiate" msg="negotiate IPsec phase 1" logdesc="Negotiate IPsec phase 1" user="N/A" status="success" remip="151.39.206.116" locip="10.100.1.3" remport=38813 locport=4500 outintf="port1" cookies="3a92dede877cc423/79a3a8edf3063622" group="N/A" xauthuser="N/A" xauthgroup="N/A" vpntunnel="Tunnel_1" result="N/A" peer_notif="N/A" eventtime=1729450511925908397 tz="+0400" useralt="N/A" devid="FGTAXXXXXXXXXXXXX" vd="root" devname="FGT001"
66
0 Kudos
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.