Support Forum
Markus
Valued Contributor

IPSEC VPN Cisco Meraki <-> Fortigate Problem | doesn't work

Hi Specialists

 

I'm trying to create an IPsec VPN between a Meraki (MX84) and our Fortigate. Everything I've found doesn't work; I'm not able to bring the tunnel up and running.

Fortigate 1200D on 5.4.5
Meraki MX84 on MX 12.24

 

Fortigate Phase 1 Interface

    edit "toMeraki"
        set interface "wan"
        set keylife 28800
        set peertype any
        set proposal 3des-sha1
        set comments "VPN_Meraki"
        set dhgrp 2
        set nattraversal disable
        set remote-gw 1.2.3.4
        set psksecret ENC *
    next
end

Phase 2 Interface

    edit "Meraki"
        set phase1name "toMeraki"
        set proposal aes128-sha1
        set pfs disable
        set replay disable
        set keylifeseconds 28800
        set src-subnet 1.1.1.0 255.255.255.0
        set dst-subnet 2.2.2.0 255.255.255.0
    next
end

 

The log says:

ike 0:toMeraki:2121: initiator: main mode is sending 1st message...
ike 0:toMeraki:2121: cookie b49060f5f0c8e146/0000000000000000
ike 0:toMeraki:2121: out B49060F5F0C8E14600000000000000000110020000000000000000A40D000034000000010000000100000028010100010000002001010000800B0001800C7080800100058003000180020002800400020D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:toMeraki:2121: sent IKE msg (ident_i1send): 4.3.2.1:500->1.2.3.4:500, len=164, id=b49060f5f0c8e146/0000000000000000
ike 0: comes 1.2.3.4:500->4.3.2.1:500,ifindex=51....
ike 0: IKEv1 exchange=Identity Protection id=b49060f5f0c8e146/ce1fb15ceb9544bc len=124
ike 0: in B49060F5F0C8E146CE1FB15CEB9544BC01100200000000000000007C0D000034000000010000000100000028010100010000002001010000800B0001800C7080800100058003000180020002800400020D000014AFCAD71368A1F1C96B8696FC77570100000000184048B7D56EBCE88525E7DE7F00D6C2D380000000
ike 0:toMeraki:2121: initiator: main mode get 1st response...
ike 0:toMeraki:2121: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:toMeraki:2121: DPD negotiated
ike 0:toMeraki:2121: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000
ike 0:toMeraki:2121: negotiation result
ike 0:toMeraki:2121: proposal id = 1:
ike 0:toMeraki:2121:   protocol id = ISAKMP:
ike 0:toMeraki:2121:      trans_id = KEY_IKE.
ike 0:toMeraki:2121:      encapsulation = IKE/none
ike 0:toMeraki:2121:         type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:toMeraki:2121:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:toMeraki:2121:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:toMeraki:2121:         type=OAKLEY_GROUP, val=MODP1024.
ike 0:toMeraki:2121: ISAKMP SA lifetime=28800
ike 0:toMeraki:2121: out B49060F5F0C8E146CE1FB15CEB9544BC0410020000000000000000B40A0000849775BAC42F14004892F8D31F457397DFDD54A25FAC74AC83F067D3E064A06113BE04ECC6DCCA2DAEF2DAA685A30B1A543C75A92A986A8EB4F0C5CC25843F57D318A79F881AF2780704CE96FA3E8F0E118B3842503DD14D1BF1C113378836469BD95F9F50DF4D36E5BDAF4AB3BBDBEAAE344A07513906E0A5AB94FB2D164EF51C00000014340DD28908D68F7B675384F7D9BD241F
ike 0:toMeraki:2121: sent IKE msg (ident_i2send): 4.3.2.1:500->1.2.3.4:500, len=180, id=b49060f5f0c8e146/ce1fb15ceb9544bc
ike 0: comes 1.2.3.4:500->4.3.2.1:500,ifindex=51....
ike 0: IKEv1 exchange=Identity Protection id=b49060f5f0c8e146/ce1fb15ceb9544bc len=180
ike 0: in B49060F5F0C8E146CE1FB15CEB9544BC0410020000000000000000B40A000084DC0C8F1884C565B47734412F9A7AE6FFE617231619B048C5CA8097D6ADBE47D618ECA2D7BBA953DC593CC195E5E08BB762F3331DFD0445C5950E5595D5DEE3CA7C7159825E2F765CAF7717927E0955C43E50D6A95ADEB82B468DCBB58B42F06A031F3B247682F89CFE99DC284CCB769C0080AA09C46C7AD7F525F5A61B61CB8100000014C50EEDC0BA5A4B418E0525A858C3211B
ike 0:toMeraki:2121: initiator: main mode get 2nd response...
ike 0:toMeraki:2121: ISAKMP SA b49060f5f0c8e146/ce1fb15ceb9544bc key 24:BEB111AF4D76E89C3207BE9630B503582A9E1F1299F7BDAC
ike 0:toMeraki:2121: add INITIAL-CONTACT
ike 0:toMeraki:2121: enc B49060F5F0C8E146CE1FB15CEB9544BC05100201000000000000005C0800000C01000000C38DB7540B000018A90A7B7AACA2735594F68C5D908780BA64D488400000001C0000000101106002B49060F5F0C8E146CE1FB15CEB9544BC
ike 0:toMeraki:2121: out B49060F5F0C8E146CE1FB15CEB9544BC051002010000000000000064CE051249468BEA513A7F4AB8F9D4BB555080C04C34985888386A120E4C6BD322CC9466979E4689D192A692DDA0F5A545937B2F6F48867E4A19E288390766929427925874E53740FF
ike 0:toMeraki:2121: sent IKE msg (ident_i3send): 4.3.2.1:500->1.2.3.4:500, len=100, id=b49060f5f0c8e146/ce1fb15ceb9544bc
ike 0:toMeraki:2121: out B49060F5F0C8E146CE1FB15CEB9544BC051002010000000000000064CE051249468BEA513A7F4AB8F9D4BB555080C04C34985888386A120E4C6BD322CC9466979E4689D192A692DDA0F5A545937B2F6F48867E4A19E288390766929427925874E53740FF
ike 0:toMeraki:2121: sent IKE msg (P1_RETRANSMIT): 4.3.2.1:500->1.2.3.4:500, len=100, id=b49060f5f0c8e146/ce1fb15ceb9544bc
ike 0: comes 1.2.3.4:500->4.3.2.1:500,ifindex=51....
ike 0: IKEv1 exchange=Identity Protection id=afe017678d26ed92/7936d8ed1c7f12fa len=180
ike 0: in AFE017678D26ED927936D8ED1C7F12FA0410020000000000000000B40A000084C6C2055B03B3E4268EE156E51C855E358B52ACD83A07A27AB841B88A2BCC074D206B6E77C19FC530910B694C18D1E9C0793596367251B275D8C10F5BFFCA69D0AA95580F7DE631D1DE0968C87EE2AB6B68DAB01D388CD60A74D60BEB1C5D817B745D7B32CA5D3DE8EDC908B0EF26446EDFD489128038E04EFF7104D1F278ECBB00000014D513AFFD536780F7ED97B3E0C504058E
ike 0: malformed responder cookie afe017678d26ed92/7936d8ed1c7f12fa from 1.2.3.4:500->4.3.2.1 51 exchange-type Identity Protection, drop
ike 0: comes 1.2.3.4:500->4.3.2.1:500,ifindex=51....
ike 0: IKEv1 exchange=Identity Protection id=b49060f5f0c8e146/ce1fb15ceb9544bc len=180
ike 0: in B49060F5F0C8E146CE1FB15CEB9544BC0410020000000000000000B40A000084DC0C8F1884C565B47734412F9A7AE6FFE617231619B048C5CA8097D6ADBE47D618ECA2D7BBA953DC593CC195E5E08BB762F3331DFD0445C5950E5595D5DEE3CA7C7159825E2F765CAF7717927E0955C43E50D6A95ADEB82B468DCBB58B42F06A031F3B247682F89CFE99DC284CCB769C0080AA09C46C7AD7F525F5A61B61CB8100000014C50EEDC0BA5A4B418E0525A858C3211B
ike 0:toMeraki:2121: retransmission, re-send last message
ike 0:toMeraki:2121: out B49060F5F0C8E146CE1FB15CEB9544BC051002010000000000000064CE051249468BEA513A7F4AB8F9D4BB555080C04C34985888386A120E4C6BD322CC9466979E4689D192A692DDA0F5A545937B2F6F48867E4A19E288390766929427925874E53740FF
ike 0:toMeraki:2121: sent IKE msg (retransmit): 4.3.2.1:500->1.2.3.4:500, len=100, id=b49060f5f0c8e146/ce1fb15ceb9544bc
ike 0:toMeraki:2121: out B49060F5F0C8E146CE1FB15CEB9544BC051002010000000000000064CE051249468BEA513A7F4AB8F9D4BB555080C04C34985888386A120E4C6BD322CC9466979E4689D192A692DDA0F5A545937B2F6F48867E4A19E288390766929427925874E53740FF
ike 0:toMeraki:2121: sent IKE msg (P1_RETRANSMIT): 4.3.2.1:500->1.2.3.4:500, len=100, id=b49060f5f0c8e146/ce1fb15ceb9544bc
ike 0: comes 1.2.3.4:500->4.3.2.1:500,ifindex=51....
ike 0: IKEv1 exchange=Identity Protection id=b49060f5f0c8e146/ce1fb15ceb9544bc len=180
ike 0: in B49060F5F0C8E146CE1FB15CEB9544BC0410020000000000000000B40A000084DC0C8F1884C565B47734412F9A7AE6FFE617231619B048C5CA8097D6ADBE47D618ECA2D7BBA953DC593CC195E5E08BB762F3331DFD0445C5950E5595D5DEE3CA7C7159825E2F765CAF7717927E0955C43E50D6A95ADEB82B468DCBB58B42F06A031F3B247682F89CFE99DC284CCB769C0080AA09C46C7AD7F525F5A61B61CB8100000014C50EEDC0BA5A4B418E0525A858C3211B
ike 0:toMeraki:2121: retransmission, re-send last message
ike 0:toMeraki:2121: out B49060F5F0C8E146CE1FB15CEB9544BC051002010000000000000064CE051249468BEA513A7F4AB8F9D4BB555080C04C34985888386A120E4C6BD322CC9466979E4689D192A692DDA0F5A545937B2F6F48867E4A19E288390766929427925874E53740FF
ike 0:toMeraki:2121: sent IKE msg (retransmit): 4.3.2.1:500->1.2.3.4:500, len=100, id=b49060f5f0c8e146/ce1fb15ceb9544bc
ike 0:toMeraki:2121: negotiation timeout, deleting
ike 0:toMeraki: connection expiring due to phase1 down
ike 0:toMeraki: deleting
ike 0:toMeraki: deleted
ike 0:toMeraki: schedule auto-negotiate
ike 0: comes 1.2.3.4:500->4.3.2.1:500,ifindex=51....
ike 0: IKEv1 exchange=Identity Protection id=b49060f5f0c8e146/ce1fb15ceb9544bc len=180
ike 0: in B49060F5F0C8E146CE1FB15CEB9544BC0410020000000000000000B40A000084DC0C8F1884C565B47734412F9A7AE6FFE617231619B048C5CA8097D6ADBE47D618ECA2D7BBA953DC593CC195E5E08BB762F3331DFD0445C5950E5595D5DEE3CA7C7159825E2F765CAF7717927E0955C43E50D6A95ADEB82B468DCBB58B42F06A031F3B247682F89CFE99DC284CCB769C0080AA09C46C7AD7F525F5A61B61CB8100000014C50EEDC0BA5A4B418E0525A858C3211B
ike 0: malformed responder cookie b49060f5f0c8e146/ce1fb15ceb9544bc from 1.2.3.4:500->4.3.2.1 51 exchange-type Identity Protection, drop

 

There are a couple of meanings for malformed responder cookies; I was not able to figure out the problem. I have 3 other VPNs to other Fortigates and Juniper firewalls, working like a charm.

 

Policies are also in place and correct (double checked).

On the Meraki side, I could only see:

msg: phase1 negotiation failed due to time up. 825326892eb03137:ce300d5acc35c6dc

Any thoughts?

Thank you guys. Best,

Markus


________________________________________________________
--- NSE 4 ---
________________________________________________________
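As an added example (not from the post and not Fortinet code), a small Python decoder for the hex that the FortiGate IKE debug prints: it parses the ISAKMP header and payload chain of two packets copied from the log above and models the cookie-pair lookup behind the "malformed responder cookie" drop. The set of live SAs is an assumption constructed for the example.

```python
"""Decode ISAKMP packets from the FortiGate IKE debug hex (RFC 2408 header, payload chain)
and model the SA lookup behind 'malformed responder cookie'. Bytes copied from this post."""
import struct
EXCHANGE = {2: "Identity Protection", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"}
PAYLOAD = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 13: "VID"}

# Meraki's first Main Mode reply ('ike 0: in ... len=124'): SA + two vendor IDs.
MM_REPLY_1 = bytes.fromhex(
    "B49060F5F0C8E146 CE1FB15CEB9544BC 01100200 00000000 0000007C"
    "0D000034 00000001 00000001 00000028 01010001 00000020 01010000"
    "800B0001 800C7080 80010005 80030001 80020002 80040002"
    "0D000014 AFCAD71368A1F1C96B8696FC77570100"
    "00000018 4048B7D56EBCE88525E7DE7F00D6C2D3 80000000")
# The packet dropped with 'malformed responder cookie afe017678d26ed92/7936d8ed1c7f12fa'.
DROPPED = bytes.fromhex(
    "AFE017678D26ED92 7936D8ED1C7F12FA 04100200 00000000 000000B4"
    "0A000084 C6C2055B03B3E4268EE156E51C855E358B52ACD83A07A27AB841B88A2BCC074D"
    "206B6E77C19FC530910B694C18D1E9C0793596367251B275D8C10F5BFFCA69D0"
    "AA95580F7DE631D1DE0968C87EE2AB6B68DAB01D388CD60A74D60BEB1C5D817B"
    "745D7B32CA5D3DE8EDC908B0EF26446EDFD489128038E04EFF7104D1F278ECBB"
    "00000014 D513AFFD536780F7ED97B3E0C504058E")

def parse_header(pkt: bytes) -> dict:
    """Fixed 28-byte ISAKMP header; length_ok flags a truncated or padded packet."""
    ic, rc, np, ver, ex, flags, mid, ln = struct.unpack("!8s8sBBBBII", pkt[:28])
    return {"icookie": ic.hex(), "rcookie": rc.hex(), "next_payload": np,
            "version": f"{ver >> 4}.{ver & 0xF}", "exchange": EXCHANGE.get(ex, ex),
            "encrypted": bool(flags & 1), "message_id": mid, "length": ln,
            "length_ok": ln == len(pkt)}

def walk_payloads(pkt: bytes) -> list:
    """Follow the next-payload chain (generic header: next, reserved, length)."""
    hdr = parse_header(pkt)
    if hdr["encrypted"]:          # from message 5/6 on the payloads are ciphertext
        return ["<encrypted>"]
    names, np, off = [], hdr["next_payload"], 28
    while np != 0:
        nxt, _, plen = struct.unpack("!BBH", pkt[off:off + 4])   # raises if truncated
        if plen < 4 or off + plen > len(pkt):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        names.append(PAYLOAD.get(np, f"type{np}"))
        np, off = nxt, off + plen
    return names

def lookup_sa(pkt: bytes, live_sas: set) -> str:
    """Modelled receiver check: a cookie pair matching no currently held SA is dropped. Both
    drops in the log fit: an unknown pair first, then the known pair after 'deleted'."""
    hdr = parse_header(pkt)
    return "match" if (hdr["icookie"], hdr["rcookie"]) in live_sas else "drop: malformed responder cookie"
```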
