Fortinet Forum
ZZDVA0B
New Contributor

IPSec Phase1 Error

Hi all,

I'm facing a problem with an IPsec site-to-site tunnel. I'm receiving the log "INVALID-SPI" and after this "Received ESP packet with unknown SPI". Does someone have any idea what it could be?

 

Best Regards

Danilo

7 REPLIES
ss198939
New Contributor

Are you getting the second message? Is it main mode? Phase 1?
ZZDVA0B

I have a doubt, because the tunnel towards the Remote Gateway is a dialup user with the setting on main mode.

Sorry, but I don't understand what you mean by "are you getting third message".

 

Thanks in advance

ss198939

Sorry, I meant the second message. Take a packet capture and see how many messages you are getting. Main mode has 6 messages for phase 1; for aggressive mode it's 4 messages. If you are not getting the second message, then there is some mismatch in parameters.
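The counting the reply above recommends, as an added example that is not part of the thread and not Fortinet code: a small Python parser for the 28-byte ISAKMP header (RFC 2408) that groups a capture's UDP/500 payloads by initiator cookie, classifies the exchange type (main mode, aggressive mode, quick mode), counts distinct phase-1 messages, and separates retransmissions of the same message. The expected counts are taken from RFC 2409, which specifies six messages for main mode and three for aggressive mode. The capture is constructed inline (cookies, bodies and the stalled second exchange are all made up) rather than taken from the poster's setup.

```python
import struct

# 28-byte ISAKMP header (RFC 2408, section 3.1): initiator cookie, responder
# cookie, next payload, version, exchange type, flags, message ID, length.
ISAKMP_HDR = struct.Struct(">8s8sBBBBII")

EXCHANGE_NAMES = {
    2: "main mode",        # Identity Protection exchange
    4: "aggressive mode",
    5: "informational",
    32: "quick mode",      # phase 2, IPsec DOI
}
# Messages in a complete IKEv1 phase-1 exchange (RFC 2409, sections 5.1 and 5.4).
PHASE1_EXPECTED = {2: 6, 4: 3}


def parse_isakmp(payload: bytes) -> dict:
    """Parse the ISAKMP header of one UDP/500 payload (for UDP/4500 strip the
    4-byte non-ESP marker first). Raises ValueError on truncated or non-IKEv1 input."""
    if len(payload) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    icookie, rcookie, _next, version, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(payload)
    if version >> 4 != 1:
        raise ValueError(f"not IKEv1 (major version {version >> 4})")
    if length != len(payload):
        raise ValueError(f"length field {length} does not match payload size {len(payload)}")
    return {"icookie": icookie.hex(), "rcookie": rcookie.hex(),
            "exchange": exch, "flags": flags, "msg_id": msg_id}


def phase1_summary(packets: list) -> dict:
    """Group phase-1 packets by initiator cookie and count distinct messages.
    Byte-identical packets are retransmissions and are counted separately."""
    seen = set()
    summary = {}
    for pkt in packets:
        hdr = parse_isakmp(pkt)
        if hdr["exchange"] not in PHASE1_EXPECTED:
            continue  # quick mode and informational are not phase 1
        entry = summary.setdefault(hdr["icookie"], {
            "mode": EXCHANGE_NAMES[hdr["exchange"]],
            "expected": PHASE1_EXPECTED[hdr["exchange"]],
            "messages": 0, "retransmits": 0})
        if pkt in seen:
            entry["retransmits"] += 1
        else:
            seen.add(pkt)
            entry["messages"] += 1
    return summary


def diagnose(entry: dict) -> str:
    """Turn a per-exchange summary into the reading the reply above describes."""
    n, want = entry["messages"], entry["expected"]
    if n >= want:
        return "phase 1 completed"
    if n == 1:
        return ("no reply to message 1: peer unreachable, UDP/500 filtered, "
                "or no acceptable phase-1 proposal (parameter mismatch)")
    return f"phase 1 stalled after message {n} of {want}"


# --- constructed sample capture (made up for this example) ----------------
def _isakmp(icookie, rcookie, exch, msg_id=0, body=b"\x00" * 8):
    length = ISAKMP_HDR.size + len(body)
    return ISAKMP_HDR.pack(icookie, rcookie, 1, 0x10, exch, 0, msg_id, length) + body

A, B, C, ZERO = b"\xaa" * 8, b"\xbb" * 8, b"\xcc" * 8, b"\x00" * 8
# Exchange A: all six main-mode messages, then one quick-mode packet (phase 2).
HEALTHY = ([_isakmp(A, ZERO, 2, body=b"\x01" * 8)]
           + [_isakmp(A, B, 2, body=bytes([i]) * 8) for i in range(2, 7)]
           + [_isakmp(A, B, 32, msg_id=0x1234)])
# Exchange C: message 1 sent three times, never answered.
STALLED = [_isakmp(C, ZERO, 2)] * 3
SAMPLE_CAPTURE = HEALTHY + STALLED

if __name__ == "__main__":
    for cookie, entry in phase1_summary(SAMPLE_CAPTURE).items():
        print(cookie, entry["mode"], f'{entry["messages"]}/{entry["expected"]}',
              f'retransmits={entry["retransmits"]}', "->", diagnose(entry))
```

On a real capture, feed the function the UDP payloads of port 500 traffic (and port 4500 payloads minus the 4-byte non-ESP marker); an exchange that never gets past message 1 with several retransmissions is the "no second message" case in the reply above.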
ede_pfau
Esteemed Contributor III

Per se, these messages do not suggest that you have a problem. It's just that your FGT is listening for IPsec (AH, ESP) and incoming traffic is not related to any VPN you have created/used.

Unless I'm totally off, and you can clarify the situation you have.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
ZZDVA0B

Hello,

I solved the problem with a simple reboot of the appliance.

Thanks a lot.

BRs Danilo

sw2090
Honored Contributor

I'd suggest looking into the debug log on the CLI:

 diag debug ena
 diag debug application ike -1

(diag debug application ike 0 disables it again)

While this runs, try to establish the VPN.

It is often necessary to look at the logs on both ends to find the problem.

 


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

ad
New Contributor

From Wikipedia:

"The Security Parameter Index (SPI) is an identification tag added to the header while using IPsec for tunneling the IP traffic. This tag helps the kernel discern between two traffic streams where different encryption rules and algorithms may be in use."

 

So it looks like either:

1. the tunnel was set up but it has expired on your end, or

2. it's a stray packet for something else

 

If #1, then check that the timer and data-volume rekeying parameters are the same on both ends of the tunnel.

If #2, do the endpoint IPs match?

 

My first guess would be that you have a shorter timer on your IPsec SAs than the remote end has, but usually tunnels fail to set up when parameters don't match. I have no experience with Forti IPsec...
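The two causes listed in the reply above, as an added example that is not part of the thread and not Fortinet code: a toy inbound SA database in Python that looks up the 32-bit SPI from the ESP header (RFC 4303) and tells apart a packet for an SA that has already expired on this side (cause 1: lifetime or rekey mismatch), a packet from a configured gateway carrying an SPI this side never installed, and a stray packet from an address that is not one of our peers (cause 2). The SA entries, peer addresses, SPIs and packets are all constructed for the example; the class and method names are invented here.

```python
import struct
from dataclasses import dataclass

ESP_HDR = struct.Struct(">II")  # SPI, sequence number (RFC 4303, section 2)


@dataclass
class InboundSA:
    spi: int
    peer: str          # remote gateway the SA was negotiated with
    expires_at: int    # seconds; the lifetime negotiated in phase 2
    last_seq: int = 0  # highest sequence number accepted so far


class SADB:
    """Minimal inbound SA database: active SAs, recently expired SAs kept only
    for diagnostics, and the set of configured remote gateways."""

    def __init__(self, sas, known_peers):
        self.active = {sa.spi: sa for sa in sas}
        self.expired = {}
        self.known_peers = set(known_peers)

    def expire(self, now: int) -> None:
        """Move every SA whose lifetime has run out into the expired table."""
        for spi in [s for s, sa in self.active.items() if sa.expires_at <= now]:
            self.expired[spi] = self.active.pop(spi)

    def classify(self, src: str, payload: bytes) -> tuple:
        """Return (verdict, spi) for one inbound ESP packet from address src."""
        spi, seq = ESP_HDR.unpack_from(payload)
        sa = self.active.get(spi)
        if sa is not None and sa.peer == src:
            if seq <= sa.last_seq:
                return ("replay", spi)       # anti-replay, simplified to "newest only"
            sa.last_seq = seq
            return ("ok", spi)
        if spi in self.expired:
            return ("expired-sa", spi)       # cause 1: our SA ended before the peer's did
        if src in self.known_peers:
            return ("unknown-spi-known-peer", spi)  # peer still uses an SA we no longer hold
        return ("stray", spi)                # cause 2: sender is not one of our gateways


def esp(spi: int, seq: int, ciphertext: bytes = b"\x00" * 16) -> bytes:
    """Constructed ESP packet: header plus an opaque encrypted body."""
    return ESP_HDR.pack(spi, seq) + ciphertext


def build_sample_sadb() -> SADB:
    """Constructed SA table and gateway list (documentation addresses only)."""
    return SADB(
        sas=[InboundSA(spi=0xC0A8012A, peer="203.0.113.10", expires_at=1000),
             InboundSA(spi=0x1F2E3D4C, peer="198.51.100.5", expires_at=2000)],
        known_peers=["203.0.113.10", "198.51.100.5"],
    )


if __name__ == "__main__":
    db = build_sample_sadb()
    db.expire(now=1500)   # first SA's lifetime has run out, the second is still valid
    for src, pkt in [("203.0.113.10", esp(0xC0A8012A, 7)),
                     ("198.51.100.5", esp(0x1F2E3D4C, 1)),
                     ("198.51.100.5", esp(0x0BADF00D, 1)),
                     ("192.0.2.77", esp(0xDEADBEEF, 1))]:
        print(src, db.classify(src, pkt))
```

The "unknown-spi-known-peer" verdict is the one to compare against the original poster's symptom: a peer that keeps sending on an SPI this side no longer has, which a reboot clears because it forces both ends to negotiate fresh SAs. On a FortiGate the installed SPIs can be listed with `diagnose vpn tunnel list` to compare against the SPI in the log message.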