FortiGate
jo_rang (Staff)
Article Id 397897
Description

This article provides guidance on troubleshooting Site-to-Site VPN connectivity issues when Phase1 is down and the message 'error 22:Invalid argument' is seen in the IKE debugs. 

Scope

FortiGate.
Solution

In this scenario, a Site-to-Site VPN was configured with the following phase1 parameters:

config vpn ipsec phase1-interface
    edit "VPNtoHQ"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set remote-gw 192.168.254.100
        set psksecret ENC /Va2TfR2mi8+VzLRPdcGo2H4ABixToKNJ3QFvx7z3kv/2XgDjCjxRJIQkGRRPDpwKpd3N2HVOG7c6bV3obL1gSsa/d
    next
end

The messages 'could not send IKE Packet' and 'error 22:Invalid argument' are observed when running the following debug commands:

diagnose vpn ike log filter rem-addr4 192.168.254.100
diagnose debug application ike -1
diagnose debug enable

ike V=root:0:VPNtoHQ:VPNtoHQ: created connection: 0x55a1e37350 3 172.25.183.180->192.168.254.100:500.
ike V=root:0:VPNtoHQ:VPNtoHQ: chosen to populate IKE_SA traffic-selectors
ike V=root:0:VPNtoHQ: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
ike V=root:0:VPNtoHQ:8524: generate DH public value request queued
ike V=root:0:VPNtoHQ:8524: create NAT-D hash local 172.25.183.180/500 remote 192.168.254.100/500
ike V=root:0:VPNtoHQ:8524: could not send IKE Packet(SA_INIT):172.25.183.180:500->192.168.254.100:500, len=672, vrf=0: error 22:Invalid argument
ike V=root:0:VPNtoHQ:8524: could not send IKE Packet(RETRANSMIT_SA_INIT):172.25.183.180:500->192.168.254.100:500, len=672, vrf=0: error 22:Invalid argument 

 

This error occurs when there is a blackhole route to the IP address of the remote-gw configured in phase-1.

 

A blackhole route is a static route that silently discards traffic without notifying the source (unlike a reject route, which sends back an ICMP message). In FortiOS, blackhole routes are commonly used for:

  • Preventing routing loops.
  • Triggering route failover behavior.
  • Ensuring that unmatched traffic does not go anywhere.

 

But when misconfigured or too general, a blackhole route can interfere with VPN traffic, especially Phase 1 IKE negotiations.

 

get router info routing-table details 192.168.254.100

Routing table for VRF=0
Routing entry for 192.168.254.100/32
Known via "static", distance 10, metric 0, best
* directly connected, Null       <----- A blackhole route exists to the IP address of the VPN peer.

 

show router static
config router static
    ...
    edit 5
        set dst 192.168.254.100 255.255.255.255
        set blackhole enable
        set vrf 0
    next
end
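As an added check that is not part of the article, the following Python script correlates the 'could not send IKE Packet' lines from the IKE debug with the blackhole entries in the 'show router static' output and reports which static route covers each failing peer in its VRF; it also generalizes to the broader ("too general") blackhole case the text mentions, since a /24 covering the peer is caught the same way. The debug lines and route configuration embedded below are constructed after the ones shown above, and the helper names are the author's own.

```python
import ipaddress
import re
# Constructed sample modelled on the article's IKE debug output (not a real capture).
IKE_DEBUG = """\
ike V=root:0:VPNtoHQ:8524: could not send IKE Packet(SA_INIT):172.25.183.180:500->192.168.254.100:500, len=672, vrf=0: error 22:Invalid argument
ike V=root:0:VPNtoHQ:8524: could not send IKE Packet(RETRANSMIT_SA_INIT):172.25.183.180:500->192.168.254.100:500, len=672, vrf=0: error 22:Invalid argument
"""
# Constructed 'show router static' output reproducing the article's /32 blackhole route.
STATIC_ROUTES = """\
config router static
    edit 5
        set dst 192.168.254.100 255.255.255.255
        set blackhole enable
        set vrf 0
    next
end
"""
SEND_FAIL = re.compile(r"could not send IKE Packet\(\w+\):[\d.]+:\d+->(?P<dst>[\d.]+):\d+"
                       r".*vrf=(?P<vrf>\d+): error (?P<errno>\d+):")

def failed_peers(debug_text):
    """Return {(peer_ip, vrf): errno} for every 'could not send IKE Packet' line."""
    found = {}
    for m in (SEND_FAIL.search(line) for line in debug_text.splitlines()):
        if m:
            found[(m["dst"], int(m["vrf"]))] = int(m["errno"])
    return found

def blackhole_routes(config_text):
    """Parse 'show router static' into [(edit_id, network, vrf)] for blackhole entries."""
    routes, cur = [], {}
    for s in (line.strip() for line in config_text.splitlines()):
        if s.startswith("edit "):
            cur = {"id": int(s.split()[1]), "vrf": 0, "dst": None, "bh": False}
        elif s.startswith("set dst "):  # 'set dst ADDR MASK' -> network (mask may be wider than /32)
            cur["dst"] = ipaddress.ip_network("{}/{}".format(*s.split()[2:4]), strict=False)
        elif s == "set blackhole enable":
            cur["bh"] = True
        elif s.startswith("set vrf "):
            cur["vrf"] = int(s.split()[2])
        elif s == "next" and cur.get("bh") and cur["dst"] is not None:
            routes.append((cur["id"], cur["dst"], cur["vrf"]))
    return routes

def diagnose(debug_text, config_text):
    """Map each peer failing with errno 22 to the blackhole route ids covering it in its VRF."""
    return {peer: [rid for rid, net, rvrf in blackhole_routes(config_text)
                   if rvrf == vrf and ipaddress.ip_address(peer) in net]
            for (peer, vrf), errno in failed_peers(debug_text).items() if errno == 22}
```

An empty list for a peer means errno 22 was seen but no blackhole static route covers that address in that VRF, so the cause lies elsewhere.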

 

Removing the blackhole route fixes the issue. 

 

config router static
    delete 5
end
