Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jpsunnyvale
New Contributor

Fortigate IKEv2 Error with ignoring IKEv2 request, interface is administratively down

set type dynamic set interface "port1" set ike-version 2 set peertype any set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha384 aes128gcm-prfsha256 set dpd on-idle set dhgrp 20 19 14 set reauth enable set idle-timeout enable set psksecret ENC 1VQ0j0YX34DWAmM8U2OnsibIcaGXjAsuaJfZEE4tZ/YPh1cayPwyql3b47Ro01xQVPs60wZHn4l/f8/mQZnsHidUbGPp7Q61gWN8FP91Q1sbAKuZoCxbFn13+rJAnSS7kkT7OnaB3iYWqf6pU4SZIJjYa2HxRkZglfGuq8TnoetM8g+qc/kFKlHwCTow4m+ZRrsy+A== set dpd-retryinterval 60

 

My Setup is this.

 

But whenever I tried to bring up tunnel against fortigate (FortiOS v6.0.9)

 

I see following error.

 

ike 0: IKEv2 exchange=SA_INIT id=d740acea5f4716a4/0000000000000000 len=264 ike 0: in D740ACEA5F4716A400000000000000002120220800000000000001082200002800000024010100030300000C01000014800E00800300000802000005000000080400001328000048001300002D34B59462315518C39B3D2575F5D5C5B85D6DAF45377F071FB8A63DE28394165866E7935EDB8EFE2FA3E0D274D034CD9915ED716B4B2F3744D6EFA02AC0EC2D290000241FD60B2308A8EE036155EACA8498C1EA7DF63749BE32BF98DC0E1F315E4BCE562900001C00004004C408DDCDF31AF7BF61AF35C89E73BBEC5D2425FB2900001C0000400592FE081C8710B828D14274E50BEBE7FBCB8E868E290000080000402E290000100000402F00020003000400050000000800004016 ike 0:d740acea5f4716a4/0000000000000000:4901: responder received SA_INIT msg ike 0:d740acea5f4716a4/0000000000000000:4901: received notify type NAT_DETECTION_SOURCE_IP ike 0:d740acea5f4716a4/0000000000000000:4901: received notify type NAT_DETECTION_DESTINATION_IP ike 0:d740acea5f4716a4/0000000000000000:4901: received notify type FRAGMENTATION_SUPPORTED ike 0:d740acea5f4716a4/0000000000000000:4901: received notify type SIGNATURE_HASH_ALGORITHMS ike 0:d740acea5f4716a4/0000000000000000:4901: received notify type 16406 ike 0:d740acea5f4716a4/0000000000000000:4901: ignoring unauthenticated notify payload (16406) ike 0:d740acea5f4716a4/0000000000000000:4901: incoming proposal: ike 0:d740acea5f4716a4/0000000000000000:4901: proposal id = 1: ike 0:d740acea5f4716a4/0000000000000000:4901: protocol = IKEv2: ike 0:d740acea5f4716a4/0000000000000000:4901: encapsulation = IKEv2/none ike 0:d740acea5f4716a4/0000000000000000:4901: type=ENCR, val=AES_GCM_16 (key_len = 128) ike 0:d740acea5f4716a4/0000000000000000:4901: type=PRF, val=PRF_HMAC_SHA2_256 ike 0:d740acea5f4716a4/0000000000000000:4901: type=DH_GROUP, val=ECP256. ike 0:IKEv2: ignoring IKEv2 request, interface is administratively down ike 0:d740acea5f4716a4/0000000000000000:4901: negotiation failure ike Negotiate SA Error: ike ike [10142]

 

With same set of cipher suite and setting, 

IKEv1 is working fine, but IKEv2 doesn't work.

 

Looks like it doesn't like the proposal or something, but from the log it is not clear.

 

Anybody have same issue?

16 REPLIES 16
emnoc
Esteemed Contributor III

Never seen that, but I would 1st start. trimming the proposal

 

This is strange, to say the least

 

"set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha384 aes128gcm-prfsha256"

 

What are you using on the far end and why so many proposals?

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Toshi_Esumi
Esteemed Contributor III

I don't think it's the proposal it's getting. Have you seen in the IKE debug the FGT is sending SA_INIT? It's directional, so both sides should be trying at the same time.

This might happen if a set of proper policies (inbound and outbound) are not applied.

emnoc
Esteemed Contributor III

OP, did you get any where or at least a tcpdump to inspect the IKEv2 datagrams?

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
jpsunnyvale

To answer your questions.

FGT doesn't respond back to initiator with failure reason. It generates phase 1 error locally and that is it.

 

I have IKEv1 configuration on the same subnet on same port, that is working fine with the given proposal.

 

Only IKEv2 complains it.

 

emnoc
Esteemed Contributor III

Trim the proposal set  and then try

 

  set proposal aes128-sha256 

 

I would not mix GCM with non GCM proposals fwiw

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
jpsunnyvale

I limit the cipher suite to only 1. AES256-SHA256 DH group 14.

Same issue.

set proposal aes256-sha256 set add-route enable set localid '' set localid-type auto set negotiate-timeout 30 set fragmentation enable set dpd on-idle set forticlient-enforcement disable set comments '' set dhgrp 14

FGTAWS0001344337 # ike 0: comes 66.151.147.212:56493->10.0.0.5:500,ifindex=3.... ike 0: IKEv2 exchange=SA_INIT id=3dd5256b2225383d/0000000000000000 len=464 ike 0: in 3DD5256B2225383D00000000000000002120220800000000000001D0220000300000002C010100040300000C0100000C800E0100030000080300000C0300000802000005000000080400000E28000108000E0000FC64D2D524D92D642A5F89880CB9D80204CD1B1477AE7426DCCFA618A63D974AB702536214F80260BC1F29DD58CA4683890255BC7EED4AA92AECD33D5751306C70691B0AD502C7CB05E9CCAEC518A675CC1FC4C69E26EFD946D67176AFD4D13E439A8A1C57CB37FCBAD77E430D18AF6F666C72D81524CF27719A5A66E80A90F22701C56FAD710EAF9DECC16953A4CC1331B15D801CC72F39A959CFB46985F595A8DAF4887A8EA476CC33E87183CB891D1667FE21185CD02DB24861B7A10BE6B1632AC81210130CBC4A91E808C54B80C0413D3DE22EFA45A511FE74D13AE0C172E0977A028DA3C7D8EF63426F3DE85867EAFDA221016437C8C9F4F27B949AD7A62900002435416EB15BA96542817568A2E44C234044672D0B2F9407CC3BFB98FBA4B913F12900001C00004004B661D44CBED95D9C4257A0B76D03EE3B81E658C42900001C000040056C5A9F8C07C218ED6AC33843486FBF2E607DFE09290000080000402E290000100000402F00020003000400050000000800004016 ike 0:3dd5256b2225383d/0000000000000000:226: responder received SA_INIT msg ike 0:3dd5256b2225383d/0000000000000000:226: received notify type NAT_DETECTION_SOURCE_IP ike 0:3dd5256b2225383d/0000000000000000:226: received notify type NAT_DETECTION_DESTINATION_IP ike 0:3dd5256b2225383d/0000000000000000:226: received notify type FRAGMENTATION_SUPPORTED ike 0:3dd5256b2225383d/0000000000000000:226: received notify type SIGNATURE_HASH_ALGORITHMS ike 0:3dd5256b2225383d/0000000000000000:226: received notify type 16406 ike 0:3dd5256b2225383d/0000000000000000:226: ignoring unauthenticated notify payload (16406) ike 0:3dd5256b2225383d/0000000000000000:226: incoming proposal: ike 0:3dd5256b2225383d/0000000000000000:226: proposal id = 1: ike 0:3dd5256b2225383d/0000000000000000:226: protocol = IKEv2: ike 0:3dd5256b2225383d/0000000000000000:226: encapsulation = IKEv2/none ike 0:3dd5256b2225383d/0000000000000000:226: type=ENCR, val=AES_CBC (key_len = 256) ike 0:3dd5256b2225383d/0000000000000000:226: type=INTEGR, val=AUTH_HMAC_SHA2_256_128 ike 0:3dd5256b2225383d/0000000000000000:226: type=PRF, val=PRF_HMAC_SHA2_256 ike 0:3dd5256b2225383d/0000000000000000:226: type=DH_GROUP, val=MODP2048. ike 0: cache rebuild start ike 0:Illumio IKEv2: cached as dynamic ike 0: cache rebuild done ike 0:Illumio IKEv2: ignoring IKEv2 request, interface is administratively down ike 0:3dd5256b2225383d/0000000000000000:226: negotiation failure ike Negotiate SA Error: ike ike [10138]

emnoc
Esteemed Contributor III

So ikev1 works ikev2 does not. this is strange. Have you double and triple check proposal between the two device? I just ran thru a exhausting ipsec vpn diagnostic and we had a mismatch in the proposals and the fortigate was ignoring the alternative proposals.

 

Also double check the policy is enabled( i have a hunch it is ) but figure I would throw that out also.

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
jpsunnyvale

Yes. It is enabled.

 

With same setup, if I change the peer ike version to 1, it works.

emnoc
Esteemed Contributor III

Open a ticket with support. is the other side a fortigate also ? And your confirmed it's IKEv2 enabled ?

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Labels
Top Kudoed Authors