Hey guys,
I've been looking into this error we keep getting on our VPN tunnel to Amazon cloud, but I'm not getting any further.
Message meets Alert condition date=2015-11-27 time=12:39:27 devname=FW10018 devid=FGT90DSERIAL logid=0101037130 type=event subtype=vpn level=error vd="root" logdesc="Progress IPsec phase 2" msg="progress IPsec phase 2" action=negotiate remip=52.x.x.x locip=213.x.x.x remport=500 locport=500 outintf="wan1" cookies="0caac---------------644" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="VPN-ZIMPA" status=failure init=remote mode=quick dir=inbound stage=1 role=responder result=ERROR
Any idea where this is coming from?
The setup:
phase1-interface
    edit "VPNAMAZON"
        set interface "wan1"
        set nattraversal disable
        set keylife 28800
        set proposal aes128-sha1
        set localid "ourlocalid"
        set comments "Amazon-IKE-vpn"
        set dhgrp 2
        set remote-gw 52.x.x.x
        set psksecret ENC supersecret
phase2-interface
    edit "VPNAMAZON"
        set phase1name "VPNAMAZON"
        set proposal aes128-sha1
        set dhgrp 2
        set keepalive enable
        set keylifeseconds 3600
        set src-subnet 10.x.x.x 255.255.254.0
        set dst-subnet 172.x.x.x 255.255.0.0
I tried enabling DPD, but that doesn't take. It's not coming up in the config?
Though, in the GUI I do see it.
Hope anyone can help out with this.
(edit: too many spaces lol)
No one? :(
Hello
Message meets Alert condition date=2015-11-27 time=12:39:27 devname=FW10018 devid=FGT90DSERIAL logid=0101037130 type=event subtype=vpn level=error vd="root" logdesc="Progress IPsec phase 2" msg="progress IPsec phase 2" action=negotiate remip=52.x.x.x locip=213.x.x.x remport=500 locport=500 outintf="wan1" cookies="0caac---------------644" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="VPN-ZIMPA" status=failure init=remote mode=quick dir=inbound stage=1 role=responder result=ERROR
- The VPN fails in phase 2 negotiation; the FGT is the responder.
- Hence, when trying to establish the VPN, please collect the output of the following commands. As the FGT is the responder, you will see the quick-mode-msg-1 received on the FGT with the remote selector parameters, from which you can find out the possible cause:
diag deb reset
diag vpn ike log-filter clear
diag vpn ike log-filter dst-addr4 52.x.x.x
diag deb app ike -1
diag deb en
To disable debugging:
diag deb disable
diag deb reset
Regards
Anil
Thanks! Running it now.
Of course, the errors don't show during the debug... ffs...
Retrying Wednesday (got the day off tomorrow).
ike 0:VPNAMAZON:21830:1416004: responder received first quick-mode message
ike 0:VPNAMAZON:21830: dec
ike 0:VPNAMAZON:21830:1416004: peer proposal is: peer:0:0.0.0.0-255.255.255.255:0, me:0:0.0.0.0-255.255.255.255:0
ike 0:VPNAMAZON:21830:VPNAMAZON:1416004: trying
ike 0:VPNAMAZON:21830:1416004: specified selectors mismatch
ike 0:VPNAMAZON:21830:1416004: peer: type=7/7, local=0:0.0.0.0-255.255.255.255:0, remote=0:0.0.0.0-255.255.255.255:0
ike 0:VPNAMAZON:21830:1416004: mine: type=7/7, local=0:10.x.x.0-10.x.x.255:0, remote=0:172.x.x.0-172.x.x.255:0
ike 0:VPNAMAZON:21830:1416004: no matching phase2 found
ike 0:VPNAMAZON:21830:1416004: failed to get responder proposal
ike 0:VPNAMAZON:21830: error processing quick-mode message from 52.x.x.4 as responder
-edit-
I expect it to be the other side of the VPN not having the right peer proposal.
Have sent them the info.
Hello,
ike 0:VPNAMAZON:21830:1416004: specified selectors mismatch
ike 0:VPNAMAZON:21830:1416004: peer: type=7/7, local=0:0.0.0.0-255.255.255.255:0, remote=0:0.0.0.0-255.255.255.255:0
ike 0:VPNAMAZON:21830:1416004: mine: type=7/7, local=0:10.x.x.0-10.x.x.255:0, remote=0:172.x.x.0-172.x.x.255:0
ike 0:VPNAMAZON:21830:1416004: no matching phase2 found
On the remote end device they can configure the selectors as the specific subnets, as seen above. Otherwise, on the FGT you can change the quick-mode selectors to 0.0.0.0/0 to match the remote end config; the SA will come up, and you control the interface-based VPN traffic via a static route with out-interface VPNAMAZON. This step is possible only if you have configured an interface VPN, not a tunnel (policy) VPN.
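The two posts above (the quick-mode debug output and the answer explaining the selector mismatch) describe a check that is easy to mechanise. The following is an added example, not code from the thread or from Fortinet: it parses the `peer:` / `mine:` selector lines the way `diag deb app ike -1` prints them, classifies how the two sides differ, and renders the FortiGate-side change the answer suggests (0.0.0.0/0 selectors plus static routes through the tunnel interface). The sample debug text is constructed from the shape of the output posted above with the masked octets replaced by invented private addresses; the function and parameter names are this example's own, and the rendered CLI assumes the `phase2-interface` / `router static` syntax seen in the thread's own config.

```python
"""Selector-mismatch triage for FortiGate IKEv1 quick-mode debug output.

Added example; not code from the forum thread or from Fortinet. The sample
debug text is constructed from the shape of the output posted above, with
the masked octets replaced by made-up private addresses.
"""
import re
from ipaddress import IPv4Address, ip_network, summarize_address_range

# Constructed sample (addresses are invented; the thread masks them as x.x).
SAMPLE_DEBUG = """\
ike 0:VPNAMAZON:21830:1416004: responder received first quick-mode message
ike 0:VPNAMAZON:21830:1416004: peer proposal is: peer:0:0.0.0.0-255.255.255.255:0, me:0:0.0.0.0-255.255.255.255:0
ike 0:VPNAMAZON:21830:VPNAMAZON:1416004: trying
ike 0:VPNAMAZON:21830:1416004: specified selectors mismatch
ike 0:VPNAMAZON:21830:1416004: peer: type=7/7, local=0:0.0.0.0-255.255.255.255:0, remote=0:0.0.0.0-255.255.255.255:0
ike 0:VPNAMAZON:21830:1416004: mine: type=7/7, local=0:10.20.30.0-10.20.30.255:0, remote=0:172.16.0.0-172.16.255.255:0
ike 0:VPNAMAZON:21830:1416004: no matching phase2 found
"""

# Matches the 'peer:' and 'mine:' selector lines exactly as the debug prints them
# (proto:start-end:port on each side); the 'peer proposal is:' line does not match.
SEL_RE = re.compile(
    r"\b(?P<side>peer|mine): type=\d+/\d+, "
    r"local=\d+:(?P<lstart>[\d.]+)-(?P<lend>[\d.]+):\d+, "
    r"remote=\d+:(?P<rstart>[\d.]+)-(?P<rend>[\d.]+):\d+"
)
ANY = ip_network("0.0.0.0/0")


def range_to_networks(start, end):
    """Collapse an a.b.c.d-w.x.y.z range into the CIDR blocks it covers."""
    return list(summarize_address_range(IPv4Address(start), IPv4Address(end)))


def parse_selectors(debug_text):
    """Return {'peer': (local_nets, remote_nets), 'mine': (...)} from the debug."""
    found = {}
    for line in debug_text.splitlines():
        m = SEL_RE.search(line)
        if m:
            found[m["side"]] = (
                range_to_networks(m["lstart"], m["lend"]),
                range_to_networks(m["rstart"], m["rend"]),
            )
    return found


def _covers(outer, inner):
    """True if every block in `inner` lies inside some block in `outer`."""
    return all(any(n.subnet_of(o) for o in outer) for n in inner)


def classify(selectors):
    """Say how the peer's selectors differ from ours, comparing local with local
    and remote with remote, i.e. using the debug output's own labelling."""
    peer_local, peer_remote = selectors["peer"]
    my_local, my_remote = selectors["mine"]
    if peer_local == my_local and peer_remote == my_remote:
        return "match"
    if peer_local == [ANY] and peer_remote == [ANY]:
        # The thread's case: the peer offers 0.0.0.0/0 both ways, we offer specific subnets.
        return "peer-wildcard"
    if _covers(peer_local, my_local) and _covers(peer_remote, my_remote):
        return "peer-wider"
    if _covers(my_local, peer_local) and _covers(my_remote, peer_remote):
        return "peer-narrower"
    return "disjoint"


def fortigate_wildcard_fix(phase2_name, tunnel_if, remote_nets):
    """Render the change from the answer above: 0.0.0.0/0 quick-mode selectors
    plus one static route per remote subnet out of the tunnel interface.

    Assumption: FortiOS CLI syntax as in the phase2-interface block posted in
    the thread; 'edit 0' takes the next free route id. Firewall policies on
    the tunnel interface still decide what is actually allowed to pass.
    """
    lines = [
        "config vpn ipsec phase2-interface",
        f'    edit "{phase2_name}"',
        "        set src-subnet 0.0.0.0 0.0.0.0",
        "        set dst-subnet 0.0.0.0 0.0.0.0",
        "    next",
        "end",
        "config router static",
    ]
    for net in remote_nets:
        lines += [
            "    edit 0",
            f"        set dst {net.network_address} {net.netmask}",
            f'        set device "{tunnel_if}"',
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    sel = parse_selectors(SAMPLE_DEBUG)
    for side, (loc, rem) in sel.items():
        print(f"{side:5} local={[str(n) for n in loc]} remote={[str(n) for n in rem]}")
    verdict = classify(sel)
    print("verdict:", verdict)
    if verdict == "peer-wildcard":
        print("either narrow the peer to our subnets, or apply on the FortiGate:")
        print(fortigate_wildcard_fix("VPNAMAZON", "VPNAMAZON", sel["mine"][1]))
```

Feed it the output of `diag deb app ike -1` captured during a tunnel attempt; a `peer-wildcard` verdict is the situation in this thread, where the remote side cannot be narrowed and the FortiGate selectors are widened instead, with routing and firewall policy on the tunnel interface taking over the job of deciding which traffic is carried.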
Thanks, buddy, for helping me out. I will let you know when the 'other side' has changed settings and whether that helped or not :)
Seems on Amazon they cannot change it. So I changed it on my side. Looks stable for now. Thanks.
p.s.
Managed to apply the debug on other VPN connection as well ;)