khanhdh
New Contributor

Can' t bring up the VPN on FG310B

Hi all,
I made the IPsec VPN between FW Fortigate FG310B and FC5001A, but I can't bring up the VPN. I tried to debug and see the administrative down:
FW_BE_310B_01 # diagnose vpn ike log-filter dst-addr4 200.4.247.97
FW_BE_310B_01 # diagnose debug application ike -1
FW_BE_310B_01 # di debug enable
FW_BE_310B_01 #
ike 0:Movistar_P1:Movistar_P2: IPsec SA connect 10 181.176.250.75->200.4.247.97:500, natt_mode=0
ike 0:Movistar_P1: ignoring request to establish IPsec SA, interface is administratively down
ike shrank heap by 126976 bytes
Enclosed is the configuration on my firewall FG310B.
Thanks in advance,
Khanhdh
emnoc
Esteemed Contributor III

ignoring request to establish IPsec SA, interface is administratively down
So is that interface up?

PCNSE 

NSE 

StrongSwan  
khanhdh
New Contributor

Hi Emnoc,
The physical interface is UP but the VPN interface is down.
Regards
Anne
New Contributor III

Hi khanhdh,
We are running a different version and our IPSec works fine. Can you assign addresses to your tunnel interfaces by going to System > Network > Interface:
Expand the port your tunnel is created on.
Select Movistar_P1 and edit.
Assign IP and Remote IP.
All the best!!
Anne
khanhdh
New Contributor

Hi Anne,
I don't create any tunnel for the VPN; I am using the port which is connected to the Internet.
Regards
Anne
New Contributor III

What version are you running? Which document are you referring to in order to set it up?
khanhdh
New Contributor

Hi Anne,
Fortigate 310B v4.0,build0313,110301 (MR2 Patch 4)
And I am using fortios-handbook-40-mr3 for reference. I have already established other VPNs successfully, but for this site-to-site VPN my partner wants to follow these parameters:
IKE Policy
Message Encryption algorithm: AES-256
Message integrity algorithm: SHA-1
Peer Authentication Method: Preshared Key (*)
DH-Group: Group 2 (1024 Bit)
IKE Lifetime: 86400 seconds
Supports Aggressive Mode: NO
IPSec Parameters
Mechanism for payload encryption: ESP
ESP Transform: AES-256
Data Integrity: SHA-1
Security Association (SA) Lifetime: 3600 seconds
Supports Key Exchange for Subnets: 1
Additional Comments: NO PFS
rwpatterson
Valued Contributor III

Do you have a policy written? No policy = No traffic.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
khanhdh
New Contributor

Hi,
I think first we have to bring up the VPN, then make the policy. Now I have made the policy and here is the debug:
FW_BE_310B_01 # diagnose debug enable
FW_BE_310B_01 #
ike 0:Movistar_P1:Movistar_P2: IPsec SA connect 10 181.176.250.75->200.4.247.97:500, natt_mode=0
ike 0:Movistar_P1: found phase2 Movistar_P2
ike 0:Movistar_P1: created connection: 0x99cbf70 10 181.176.250.75->200.4.247.97:500.
ike 0:Movistar_P1: new connection.
ike 0:Movistar_P1: IPsec SA connect 10 181.176.250.75->200.4.247.97:500 negotiating
ike 0:Movistar_P1: no suitable ISAKMP SA, queuing quick-mode request and initiating ISAKMP SA negotiation
ike 0:Movistar_P1:1467: initiator: main mode is sending 1st message...
ike 0:Movistar_P1:1467: cookie 1f476c76952565f3/0000000000000000
ike 0:Movistar_P1:1467: sent IKE msg (ident_i1send): 181.176.250.75:500->200.4.247.97:500, len=108
ike 0: comes 200.4.247.97:500->181.176.250.75:500,ifindex=10....
ike 0: IKEv1 exchange=Identity Protection id=1f476c76952565f3/7c985ce397b48b09 len=108
ike 0: found Movistar_P1 181.176.250.75 10 -> 200.4.247.97:500
ike 0:Movistar_P1:1467: initiator: main mode get 1st response...
ike 0:Movistar_P1:1467: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:Movistar_P1:1467: negotiation result
ike 0:Movistar_P1:1467: proposal id = 1:
ike 0:Movistar_P1:1467: protocol id = ISAKMP:
ike 0:Movistar_P1:1467: trans_id = KEY_IKE.
ike 0:Movistar_P1:1467: encapsulation = IKE/none
ike 0:Movistar_P1:1467: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:Movistar_P1:1467: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:Movistar_P1:1467: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:Movistar_P1:1467: type=OAKLEY_GROUP, val=1024.
ike 0:Movistar_P1:1467: ISKAMP SA lifetime=86400
ike 0:Movistar_P1:1467: sent IKE msg (ident_i2send): 181.176.250.75:500->200.4.247.97:500, len=180
ike 0: comes 200.4.247.97:500->181.176.250.75:500,ifindex=10....
ike 0: IKEv1 exchange=Identity Protection id=1f476c76952565f3/7c985ce397b48b09 len=180
ike 0: found Movistar_P1 181.176.250.75 10 -> 200.4.247.97:500
ike 0:Movistar_P1:1467: initiator: main mode get 2nd response...
ike 0:Movistar_P1:1467: ISAKMP SA 1f476c76952565f3/7c985ce397b48b09 key 32:9D13769AA5425F7373F7D2B5F59B7E081369E39BC112366D887670301A5F0D1E
ike 0:Movistar_P1:1467: add initial-contact
ike 0:Movistar_P1:1467: sent IKE msg (ident_i3send): 181.176.250.75:500->200.4.247.97:500, len=108
ike 0: comes 200.4.247.97:500->181.176.250.75:500,ifindex=10....
ike 0: IKEv1 exchange=Identity Protection id=1f476c76952565f3/7c985ce397b48b09 len=76
ike 0: found Movistar_P1 181.176.250.75 10 -> 200.4.247.97:500
ike 0:Movistar_P1:1467: initiator: main mode get 3rd response...
ike 0:Movistar_P1:1467: PSK authentication succeeded
ike 0:Movistar_P1:1467: authentication OK
ike 0:Movistar_P1:1467: established IKE SA 1f476c76952565f3/7c985ce397b48b09
ike 0:Movistar_P1:1467: HA send IKE SA 1f476c76952565f3/7c985ce397b48b09
ike 0:Movistar_P1:1467: initiating pending Quick-Mode negotiations
ike 0:Movistar_P1:1467: cookie 1f476c76952565f3/7c985ce397b48b09:e48076d2
ike 0:Movistar_P1:1467:Movistar_P2:76715: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0->0:0.0.0.0/0.0.0.0:0:0
ike 0:Movistar_P1:1467: sent IKE msg (quick_i1send): 181.176.250.75:500->200.4.247.97:500, len=172
ike 0:Movistar_P1:1467: sent IKE msg (P2_RETRANSMIT): 181.176.250.75:500->200.4.247.97:500, len=172
ike 0:Movistar_P1:1467: sent IKE msg (P2_RETRANSMIT): 181.176.250.75:500->200.4.247.97:500, len=172
ike shrank heap by 126976 bytes
ike 0:Movistar_P1:1467: sent IKE msg (P2_RETRANSMIT): 181.176.250.75:500->200.4.247.97:500, len=172
ike 0:Movistar_P1:1467: sent IKE msg (P2_RETRANSMIT): 181.176.250.75:500->200.4.247.97:500, len=172
FW_BE_310B_01 #
ike 0:Movistar_P1:1467:Movistar_P2:76715: quick-mode negotiation failed due to retry timeout
ike 0:Movistar_P1: deleting
ike 0:Movistar_P1: flushing
ike 0:Movistar_P1: flushed
ike 0:Movistar_P1:1467: HA send IKE SA del 1f476c76952565f3/7c985ce397b48b09
ike 0:Movistar_P1:1467: send ISAKMP delete 1f476c76952565f3/7c985ce397b48b09
ike 0:Movistar_P1:1467: sent IKE msg (ISKAMP SA DELETE-NOTIFY): 181.176.250.75:500->200.4.247.97:500, len=92
ike 0:Movistar_P1: deleted
rwpatterson
Valued Contributor III

Does the far side have the phase 2 selectors set to 0.0.0.0/0 as well?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
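The thread turns on reading the `diagnose debug application ike -1` output correctly: the first dump fails before phase 1 (interface administratively down), the second dump completes phase 1 with the partner's required attributes but never gets a quick-mode reply, and the `initiator selectors` line shows 0.0.0.0/0 on both sides, which is what the question above is about. The following is an added example, not code from the thread or from Fortinet: a small Python parser that extracts those facts from the FortiOS 4.0 log format shown in the posts, checks the negotiated phase 1 attributes against the partner's IKE policy from the earlier post, and reports which stage failed. The sample log text is constructed by condensing the lines posted in this thread; the attribute names, the expected-value table and the diagnosis wording are this example's own assumptions. One caveat the code encodes: the `type=OAKLEY_ENCRYPT_ALG, val=AES_CBC` line does not print the key length, so AES-256 versus AES-128 cannot be confirmed from these lines alone.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Two constructed samples, condensed from the "diagnose debug application ike -1"
# output posted in this thread (a live run prints many more lines).
SAMPLE_INTERFACE_DOWN = """\
ike 0:Movistar_P1:Movistar_P2: IPsec SA connect 10 181.176.250.75->200.4.247.97:500, natt_mode=0
ike 0:Movistar_P1: ignoring request to establish IPsec SA, interface is administratively down
"""

SAMPLE_PHASE2_TIMEOUT = """\
ike 0:Movistar_P1:1467: initiator: main mode is sending 1st message...
ike 0:Movistar_P1:1467: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:Movistar_P1:1467: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:Movistar_P1:1467: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:Movistar_P1:1467: type=OAKLEY_GROUP, val=1024.
ike 0:Movistar_P1:1467: ISKAMP SA lifetime=86400
ike 0:Movistar_P1:1467: PSK authentication succeeded
ike 0:Movistar_P1:1467: established IKE SA 1f476c76952565f3/7c985ce397b48b09
ike 0:Movistar_P1:1467:Movistar_P2:76715: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0->0:0.0.0.0/0.0.0.0:0:0
ike 0:Movistar_P1:1467: sent IKE msg (quick_i1send): 181.176.250.75:500->200.4.247.97:500, len=172
ike 0:Movistar_P1:1467: sent IKE msg (P2_RETRANSMIT): 181.176.250.75:500->200.4.247.97:500, len=172
ike 0:Movistar_P1:1467: sent IKE msg (P2_RETRANSMIT): 181.176.250.75:500->200.4.247.97:500, len=172
ike 0:Movistar_P1:1467: sent IKE msg (P2_RETRANSMIT): 181.176.250.75:500->200.4.247.97:500, len=172
ike 0:Movistar_P1:1467: sent IKE msg (P2_RETRANSMIT): 181.176.250.75:500->200.4.247.97:500, len=172
ike 0:Movistar_P1:1467:Movistar_P2:76715: quick-mode negotiation failed due to retry timeout
"""

# Phase 1 attributes the partner's IKE policy requires, written in the vocabulary
# this debug output uses (assumed mapping). The key length is NOT printed in these
# attribute lines, so AES_CBC alone cannot confirm 256-bit keys.
EXPECTED_PHASE1 = {
    "OAKLEY_ENCRYPT_ALG": "AES_CBC",   # AES-256 required; length not visible here
    "OAKLEY_HASH_ALG": "SHA",          # SHA-1
    "AUTH_METHOD": "PRESHARED_KEY",    # pre-shared key
    "OAKLEY_GROUP": "1024",            # DH group 2 (1024-bit MODP)
}
EXPECTED_PHASE1_LIFETIME = 86400       # IKE lifetime in seconds

ATTR_RE = re.compile(r"type=(\w+), val=(\w+)\.")
LIFETIME_RE = re.compile(r"ISKAMP SA lifetime=(\d+)")  # FortiOS spells it this way
SELECTOR_RE = re.compile(
    r"initiator selectors \d+ \d+:([\d.]+)/([\d.]+):\d+:\d+->\d+:([\d.]+)/([\d.]+):\d+:\d+"
)
WILDCARD = ("0.0.0.0", "0.0.0.0", "0.0.0.0", "0.0.0.0")  # src, srcmask, dst, dstmask


@dataclass
class IkeResult:
    phase1_attrs: Dict[str, str] = field(default_factory=dict)
    phase1_lifetime: Optional[int] = None
    phase1_established: bool = False
    selectors: List[Tuple[str, str, str, str]] = field(default_factory=list)
    p2_retransmits: int = 0
    failure: Optional[str] = None


def parse_ike_debug(text: str) -> IkeResult:
    """Walk the debug lines once and record the facts needed for a diagnosis."""
    r = IkeResult()
    for line in text.splitlines():
        if "interface is administratively down" in line:
            r.failure = "interface administratively down"
        elif (m := ATTR_RE.search(line)):
            r.phase1_attrs[m.group(1)] = m.group(2)
        elif (m := LIFETIME_RE.search(line)):
            r.phase1_lifetime = int(m.group(1))
        elif "established IKE SA" in line:
            r.phase1_established = True
        elif (m := SELECTOR_RE.search(line)):
            r.selectors.append(m.groups())
        elif "P2_RETRANSMIT" in line:
            r.p2_retransmits += 1
        elif "quick-mode negotiation failed" in line:
            r.failure = "quick-mode retry timeout"
    return r


def phase1_mismatches(r: IkeResult, expected=EXPECTED_PHASE1,
                      lifetime=EXPECTED_PHASE1_LIFETIME) -> List[str]:
    """Compare what the peer agreed to in phase 1 with the partner's policy."""
    issues = [f"{k}: negotiated {r.phase1_attrs.get(k)}, expected {v}"
              for k, v in expected.items() if r.phase1_attrs.get(k) != v]
    if r.phase1_lifetime != lifetime:
        issues.append(f"lifetime: negotiated {r.phase1_lifetime}, expected {lifetime}")
    return issues


def diagnose(r: IkeResult) -> str:
    """One-line reading of which stage failed and what to check next."""
    if r.failure == "interface administratively down":
        return "phase 1 not attempted: the IPsec interface is down; bring it up before comparing proposals"
    if not r.phase1_established:
        return "phase 1 failed: compare proposal, DH group, mode and pre-shared key with the peer"
    if r.failure == "quick-mode retry timeout":
        hint = ("local selectors are 0.0.0.0/0 on both sides; the peer must accept the same selectors"
                if WILDCARD in r.selectors else "compare phase 2 selectors, proposal and PFS with the peer")
        return f"phase 1 established, phase 2 timed out after {r.p2_retransmits} retransmits: {hint}"
    return "tunnel negotiated"


if __name__ == "__main__":
    for name, sample in (("first dump", SAMPLE_INTERFACE_DOWN), ("second dump", SAMPLE_PHASE2_TIMEOUT)):
        res = parse_ike_debug(sample)
        print(name, "->", diagnose(res), "| phase1 mismatches:", phase1_mismatches(res) or "none")
```

Run against a full debug capture (for example `python3 ike_check.py < debug.txt` after swapping the constructed samples for `sys.stdin.read()`), the second dump reports phase 1 established with no mismatches against the partner's policy and phase 2 timed out with wildcard selectors, which is exactly the point where the remote side's selectors and policy have to be compared; the peer never answered the quick-mode message, so the log carries no phase 2 proposal result to check.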