Fortinet Forum
tuumke
New Contributor

Amazon cloud VPN errors

Hey guys,

 

I've been looking into this error we keep getting on our VPN tunnel to Amazon cloud, but I'm not getting any further.

Message meets Alert condition date=2015-11-27 time=12:39:27 devname=FW10018 devid=FGT90DSERIAL logid=0101037130 type=event subtype=vpn level=error vd="root" logdesc="Progress IPsec phase 2" msg="progress IPsec phase 2" action=negotiate remip=52.x.x.x locip=213.x.x.x remport=500 locport=500 outintf="wan1" cookies="0caac---------------644" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="VPN-ZIMPA" status=failure init=remote mode=quick dir=inbound stage=1 role=responder result=ERROR  

 

Any idea where this is coming from?

 

The setup:

config vpn ipsec phase1-interface
    edit "VPNAMAZON"
        set interface "wan1"
        set nattraversal disable
        set keylife 28800
        set proposal aes128-sha1
        set localid "ourlocalid"
        set comments "Amazon-IKE-vpn"
        set dhgrp 2
        set remote-gw 52.x.x.x
        set psksecret ENC supersecret
    next
end

config vpn ipsec phase2-interface
    edit "VPNAMAZON"
        set phase1name "VPNAMAZON"
        set proposal aes128-sha1
        set dhgrp 2
        set keepalive enable
        set keylifeseconds 3600
        set src-subnet 10.x.x.x 255.255.254.0
        set dst-subnet 172.x.x.x 255.255.0.0
    next
end

I tried enabling DPD but that doesn't take. It's not coming up in the config?

Though, in the GUI I do see it.

 

Hope anyone can help out with this.

(edit: too many spaces lol)

tuumke
New Contributor

No one? :(

anil_nayak_FTNT

Hello

 

Message meets Alert condition date=2015-11-27 time=12:39:27 devname=FW10018 devid=FGT90DSERIAL logid=0101037130 type=event subtype=vpn level=error vd="root" logdesc="Progress IPsec phase 2" msg="progress IPsec phase 2" action=negotiate remip=52.x.x.x locip=213.x.x.x remport=500 locport=500 outintf="wan1" cookies="0caac---------------644" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="VPN-ZIMPA" status=failure init=remote mode=quick dir=inbound stage=1 role=responder result=ERROR

 

- VPN fails in Phase-2 negotiation; FGT is the responder.
- Hence, when trying to establish the VPN, please collect output for the following commands. As FGT is the responder you will see the quick-mode-msg-1 received on FGT with the remote selector parameters, using which you can find out the possible cause.

 

diag deb reset
diag vpn ike log-filter clear
diag vpn ike log-filter dst-addr4 52.x.x.x
diag deb app ike -1
diag deb en

 

To disable debugging:

# diag deb disable
# diag deb reset

 

Regards

Anil

tuumke

anil.nayak wrote:


Thanks! Running it now

tuumke
New Contributor

Of course, the errors don't show during the debug.. ffs..

Retrying Wednesday (got the day off tomorrow)

tuumke
New Contributor

ike 0:VPNAMAZON:21830:1416004: responder received first quick-mode message
ike 0:VPNAMAZON:21830: dec
ike 0:VPNAMAZON:21830:1416004: peer proposal is: peer:0:0.0.0.0-255.255.255.255:0, me:0:0.0.0.0-255.255.255.255:0
ike 0:VPNAMAZON:21830:VPNAMAZON:1416004: trying
ike 0:VPNAMAZON:21830:1416004: specified selectors mismatch
ike 0:VPNAMAZON:21830:1416004: peer: type=7/7, local=0:0.0.0.0-255.255.255.255:0, remote=0:0.0.0.0-255.255.255.255:0
ike 0:VPNAMAZON:21830:1416004: mine: type=7/7, local=0:10.x.x.0-10.x.x.255:0, remote=0:172.x.x.0-172.x.x.255:0
ike 0:VPNAMAZON:21830:1416004: no matching phase2 found
ike 0:VPNAMAZON:21830:1416004: failed to get responder proposal
ike 0:VPNAMAZON:21830: error processing quick-mode message from 52.x.x.4 as responder

 

-edit-

I expect it to be the other side of the VPN not having the right peer proposal.

Have sent them the info..

anil_nayak_FTNT

Hello,

ike 0:VPNAMAZON:21830:1416004: specified selectors mismatch
ike 0:VPNAMAZON:21830:1416004: peer: type=7/7, local=0:0.0.0.0-255.255.255.255:0, remote=0:0.0.0.0-255.255.255.255:0
ike 0:VPNAMAZON:21830:1416004: mine: type=7/7, local=0:10.x.x.0-10.x.x.255:0, remote=0:172.x.x.0-172.x.x.255:0
ike 0:VPNAMAZON:21830:1416004: no matching phase2 found

On the remote end device they can configure the selectors as the specific subnets seen above. Else, on the FGT, you can change the quick-mode selector to 0.0.0.0/0 to match the remote end config; the SA will come up, and you control the interface-based VPN traffic via the static route with out-interface VPNAMAZON. This step is possible only if you have configured interface-vpn, not tunnel-vpn.
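The selector mismatch above can be picked out of `diag deb app ike -1` output automatically. The following is an added example (not code from the thread or from Fortinet): it parses the `peer:` / `mine:` selector lines in the format shown in the debug output, reports tunnels where the responder's Phase 2 selectors differ from what the peer proposed, and flags when the peer proposed 0.0.0.0/0 on both sides, which is the case where widening the FGT quick-mode selector (as suggested above) makes the SA come up. The sample debug text is constructed with made-up private addresses in place of the redacted ones.

```python
import re

# Constructed sample in the shape of the thread's ike debug output (addresses are made up).
SAMPLE_DEBUG = """\
ike 0:VPNAMAZON:21830:1416004: responder received first quick-mode message
ike 0:VPNAMAZON:21830:1416004: peer proposal is: peer:0:0.0.0.0-255.255.255.255:0, me:0:0.0.0.0-255.255.255.255:0
ike 0:VPNAMAZON:21830:VPNAMAZON:1416004: trying
ike 0:VPNAMAZON:21830:1416004: specified selectors mismatch
ike 0:VPNAMAZON:21830:1416004: peer: type=7/7, local=0:0.0.0.0-255.255.255.255:0, remote=0:0.0.0.0-255.255.255.255:0
ike 0:VPNAMAZON:21830:1416004: mine: type=7/7, local=0:10.1.2.0-10.1.3.255:0, remote=0:172.16.0.0-172.16.255.255:0
ike 0:VPNAMAZON:21830:1416004: no matching phase2 found
"""

# One selector line: "ike <vd>:<tunnel>:<sa>:<msg>: peer|mine: type=..., local=<proto>:<lo>-<hi>:<port>, remote=..."
SEL_RE = re.compile(
    r"ike \d+:(?P<tunnel>[^:]+):\d+:\d+: (?P<side>peer|mine): type=\S+, "
    r"local=\d+:(?P<l_lo>[\d.]+)-(?P<l_hi>[\d.]+):\d+, "
    r"remote=\d+:(?P<r_lo>[\d.]+)-(?P<r_hi>[\d.]+):\d+"
)

def parse_selectors(debug_text):
    """Map tunnel name -> {"peer": (local_range, remote_range), "mine": (...)} from ike debug lines."""
    found = {}
    for line in debug_text.splitlines():
        m = SEL_RE.search(line)
        if m:
            d = m.groupdict()
            found.setdefault(d["tunnel"], {})[d["side"]] = (
                (d["l_lo"], d["l_hi"]), (d["r_lo"], d["r_hi"]))
    return found

def is_any(addr_range):
    """True when a selector range covers all of IPv4, i.e. the peer proposed 0.0.0.0/0."""
    return addr_range == ("0.0.0.0", "255.255.255.255")

def diagnose(debug_text):
    """Return tunnels whose 'mine' selectors do not match the peer's quick-mode proposal."""
    report = {}
    for tunnel, sides in parse_selectors(debug_text).items():
        if "peer" in sides and "mine" in sides and sides["peer"] != sides["mine"]:
            peer_local, peer_remote = sides["peer"]
            report[tunnel] = {
                "peer": sides["peer"],
                "mine": sides["mine"],
                # Both peer ranges are 0/0: matching it means a 0.0.0.0/0 quick-mode selector on the FGT.
                "peer_is_any": is_any(peer_local) and is_any(peer_remote),
            }
    return report

if __name__ == "__main__":
    for name, info in diagnose(SAMPLE_DEBUG).items():
        print(name, "selector mismatch; peer proposed 0.0.0.0/0:", info["peer_is_any"])
```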

 

tuumke

Thanks buddy for helping me out. I will let you know when the 'other side' has changed settings and if that helped or not :)

tuumke
New Contributor

Seems on Amazon they cannot change it. So I changed it on my side. Looks stable for now. Thanks.

 

p.s.

Managed to apply the debug on another VPN connection as well ;)