Hi, I'm trying to connect a Mikrotik to a Fortigate using GRE over IPsec, but I'm already stuck on the IPsec phase 1 exchange. Could anyone help me? Fortigate config:
config vpn ipsec phase1-interface
edit "ipsec_p1"
set interface "port16"
set ike-version 2
set local-gw FGT_WAN
set keylife 3600
set peertype any
set net-device disable
set proposal aes256-sha256
set dhgrp 21
set remote-gw MIKROTIK_WAN
set psksecret password
next
end
config vpn ipsec phase2-interface
edit "ipsec_p2"
set phase1name "ipsec_p1"
set proposal aes256-sha256
set dhgrp 21
set encapsulation transport-mode
set protocol 47
next
end
Mikrotik config:
/ip ipsec policy group
add name=group1
/ip ipsec profile> print
Flags: * - default
1 name="FGT" hash-algorithm=sha512 enc-algorithm=aes-256 dh-group=ecp521 lifetime=1d
proposal-check=obey nat-traversal=yes dpd-interval=disable-dpd
/ip ipsec peer> print
Flags: X - disabled, D - dynamic, R - responder
0 name="FGT" address=FGT_WAN/32 local-address=MIKROTIK_WAN port=500
profile=FGT exchange-mode=ike2 send-initial-contact=yes
/ip ipsec proposal> print
Flags: X - disabled, * - default
1 name="FGT" auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s
pfs-group=ecp521
/ip ipsec identity> print
Flags: D - dynamic, X - disabled
peer=FGT auth-method=pre-shared-key secret="password" generate-policy=no
/ip ipsec policy> print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
1 src-address=MIKROTIK_WAN/32 src-port=any dst-address=FGT_WAN/32 dst-port=any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=no
proposal=FGT ph2-count=0
Fortigate debug:
FGT # ike 0: comes MIKROTIK_WAN:500->FORTIGATE_WAN:500,ifindex=22....
ike 0: IKEv2 exchange=SA_INIT id=7db77dde33559db9/0000000000000000 len=300
ike 0: in 7DB77DDE33559DB9000000000000000029202208000000000000012C2900001C000040058127764BBADB7244D1E0779C7B6DB9E7F017782D2800001C000040040C756A50A4894E77195676AE85309213A81D7AEA2200001CAF2203E8EE1329DDF0FCA70E3F6E459E34A50CBEFE0EEA7B2100008C0015000000019347E6A359CE73A61BAC722E10AAD7349FF180904339F3CBC0CDAF
ike 0:7db77dde33559db9/0000000000000000:296: responder received SA_INIT msg
ike 0:7db77dde33559db9/0000000000000000:296: received notify type NAT_DETECTION_DESTINATION_IP
ike 0:7db77dde33559db9/0000000000000000:296: received notify type NAT_DETECTION_SOURCE_IP
ike 0:7db77dde33559db9/0000000000000000:296: incoming proposal:
ike 0:7db77dde33559db9/0000000000000000:296: proposal id = 1:
ike 0:7db77dde33559db9/0000000000000000:296: protocol = IKEv2:
ike 0:7db77dde33559db9/0000000000000000:296: encapsulation = IKEv2/none
ike 0:7db77dde33559db9/0000000000000000:296: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:7db77dde33559db9/0000000000000000:296: type=INTEGR, val=AUTH_HMAC_SHA2_512_256
ike 0:7db77dde33559db9/0000000000000000:296: type=PRF, val=PRF_HMAC_SHA2_512
ike 0:7db77dde33559db9/0000000000000000:296: type=DH_GROUP, val=ECP521.
ike 0:7db77dde33559db9/0000000000000000:296: no proposal chosen
ike Negotiate SA Error: ike ike [10366]
In fortigate you have the proposal set to:
set proposal aes256-sha256
and in mikrotik:
1 name="FGT" hash-algorithm=sha512 enc-algorithm=aes-256 dh-group=ecp521 lifetime=1d
1 name="FGT" auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s pfs-group=ecp521
I don't think they match.
Yes, you are right. I corrected this, but still no luck:
1 name="FGT" hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=ecp521 lifetime=1d
proposal-check=obey nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5
Fortigate has started to offer its proposal:
ike 0:5dba9574f1c87ee3/0000000000000000:1723: responder received SA_INIT msg
ike 0:5dba9574f1c87ee3/0000000000000000:1723: received notify type NAT_DETECTION_DESTINATION_IP
ike 0:5dba9574f1c87ee3/0000000000000000:1723: received notify type NAT_DETECTION_SOURCE_IP
ike 0:5dba9574f1c87ee3/0000000000000000:1723: incoming proposal:
ike 0:5dba9574f1c87ee3/0000000000000000:1723: proposal id = 1:
ike 0:5dba9574f1c87ee3/0000000000000000:1723: protocol = IKEv2:
ike 0:5dba9574f1c87ee3/0000000000000000:1723: encapsulation = IKEv2/none
ike 0:5dba9574f1c87ee3/0000000000000000:1723: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:5dba9574f1c87ee3/0000000000000000:1723: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:5dba9574f1c87ee3/0000000000000000:1723: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:5dba9574f1c87ee3/0000000000000000:1723: type=DH_GROUP, val=ECP521.
ike 0:5dba9574f1c87ee3/0000000000000000:1723: my proposal, gw dusz_wan1_p1:
ike 0:5dba9574f1c87ee3/0000000000000000:1723: proposal id = 1:
ike 0:5dba9574f1c87ee3/0000000000000000:1723: protocol = IKEv2:
ike 0:5dba9574f1c87ee3/0000000000000000:1723: encapsulation = IKEv2/none
ike 0:5dba9574f1c87ee3/0000000000000000:1723: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:5dba9574f1c87ee3/0000000000000000:1723: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:5dba9574f1c87ee3/0000000000000000:1723: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:5dba9574f1c87ee3/0000000000000000:1723: type=DH_GROUP, val=ECP521.
ike 0:5dba9574f1c87ee3/0000000000000000:1723: lifetime=3600
ike 0:5dba9574f1c87ee3/0000000000000000:1723: no proposal chosen
Read the output; it tells you the key length is not matching, e.g.
type=ENCR, val=AES_CBC (key_len = 128) vs 256
Ken Felix
PCNSE
NSE
StrongSwan
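To make the point above mechanical rather than eyeballed, here is an added example (not code from this thread, nor from Fortinet or MikroTik): a small Python parser that reads the FortiGate IKE debug SA_INIT block, splits it into the peer's "incoming proposal" and the gateway's "my proposal", and reports transform by transform where they diverge. The sample text is constructed from the lines quoted above, with the IKE SPI and gateway name replaced by placeholders; the function names are the example's own.

```python
"""Parse FortiGate IKE debug output for an IKEv2 SA_INIT and report which
transforms differ between the peer's proposal and the local proposal."""
import re

# Constructed sample modelled on the debug lines in the thread; the IKE SPI
# ("SPI") and gateway name ("example_p1") are placeholders, not real values.
SAMPLE_DEBUG = """\
ike 0:SPI/0000000000000000:1: responder received SA_INIT msg
ike 0:SPI/0000000000000000:1: incoming proposal:
ike 0:SPI/0000000000000000:1: proposal id = 1:
ike 0:SPI/0000000000000000:1: protocol = IKEv2:
ike 0:SPI/0000000000000000:1: encapsulation = IKEv2/none
ike 0:SPI/0000000000000000:1: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:SPI/0000000000000000:1: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:SPI/0000000000000000:1: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:SPI/0000000000000000:1: type=DH_GROUP, val=ECP521.
ike 0:SPI/0000000000000000:1: my proposal, gw example_p1:
ike 0:SPI/0000000000000000:1: proposal id = 1:
ike 0:SPI/0000000000000000:1: protocol = IKEv2:
ike 0:SPI/0000000000000000:1: encapsulation = IKEv2/none
ike 0:SPI/0000000000000000:1: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:SPI/0000000000000000:1: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:SPI/0000000000000000:1: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:SPI/0000000000000000:1: type=DH_GROUP, val=ECP521.
ike 0:SPI/0000000000000000:1: lifetime=3600
ike 0:SPI/0000000000000000:1: no proposal chosen
"""

# One transform line: "type=ENCR, val=AES_CBC (key_len = 256)"; key_len is optional.
TRANSFORM_RE = re.compile(r"type=(\w+), val=([\w/]+)(?: \(key_len = (\d+)\))?")


def parse_proposals(text):
    """Return {"incoming": [proposal, ...], "mine": [proposal, ...]} where each
    proposal maps transform type -> value (ENCR carries the key length)."""
    sides = {"incoming": [], "mine": []}
    side, current = None, None
    for line in text.splitlines():
        if "incoming proposal" in line:
            side = "incoming"
        elif "my proposal" in line:
            side = "mine"
        elif re.search(r"proposal id = \d+:", line) and side:
            current = {}
            sides[side].append(current)
        else:
            m = TRANSFORM_RE.search(line)
            if m and current is not None:
                ttype, val, klen = m.groups()
                current[ttype] = f"{val}-{klen}" if klen else val
    return sides


def find_mismatches(sides):
    """For each peer proposal, list transforms no local proposal offers.
    Returns tuples (peer_proposal_no, type, peer_value, local_values)."""
    report = []
    for i, peer in enumerate(sides["incoming"], 1):
        for ttype, val in peer.items():
            local_vals = {p.get(ttype) for p in sides["mine"]} - {None}
            if val not in local_vals:
                report.append((i, ttype, val, sorted(local_vals)))
    return report


def selectable(sides):
    """True when some local proposal equals some peer proposal on every
    transform type, i.e. the responder would not answer NO_PROPOSAL_CHOSEN.
    Assumes one transform per type per proposal, as the debug prints them."""
    return any(p == q for p in sides["incoming"] for q in sides["mine"])


def explain(text):
    """Human-readable lines for the mismatches found in a debug block."""
    sides = parse_proposals(text)
    if selectable(sides):
        return ["proposals are compatible"]
    return [f"peer proposal {i}: {t} offers {v}, local side has {l or 'nothing'}"
            for i, t, v, l in find_mismatches(sides)]


if __name__ == "__main__":
    for line in explain(SAMPLE_DEBUG):
        print(line)
```

On the sample this reports that the peer offers AES_CBC-256 while the local side only has AES_CBC-128, which is exactly the key-length mismatch Ken points at. Paste a real debug block into `explain()` to get the same answer for any SA_INIT failure.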
I'm just looking for the CLI command regarding phase1 in CLI Reference | FortiGate / FortiOS 6.2.7 | Fortinet Documentation Library,
and I don't see any settings regarding key length?
I already have phase1 connected with the Mikrotik, but I can't get phase2 to come up; it gives me a selector mismatch.
Phase2 should be in transport mode; on the FGT I fill in the selectors with the local wan1 IP and the remote WAN IP, then click OK.
But after a while, when I enter the same IPsec interface again to edit it, these selectors are empty.
Below you can find a working configuration from one of my mikrotik routers:
/ip ipsec peer> print
Flags: X - disabled, D - dynamic, R - responder
0 R name="forti-HQ" address=8x.xxx.xxx.xx/32 passive=yes profile=forti-HQ exchange-mode=ike2 send-initial-contact=no
/ip ipsec policy> print
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
# PEER TUNNEL SRC-ADDRESS DST-ADDRESS PROTOCOL ACTION LEVEL PH2-COUNT
0 T X* 0.0.0.0/0 192.168.100.0/24 all
1 A forti-HQ yes 10.80.80.0/24 192.168.0.0/24 all encrypt require 1
/ip ipsec profile> print
Flags: * - default
1 name="forti-HQ" hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp2048 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5
/ip ipsec proposal> print
Flags: X - disabled, * - default
1 name="forti-HQ" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=modp2048
/ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=accept protocol=icmp
1 chain=input action=accept connection-state=established,related log=no log-prefix=""
2 chain=input action=accept protocol=tcp dst-port=22 log=no log-prefix=""
3 chain=input action=accept protocol=udp dst-port=500 log=no log-prefix=""
4 chain=input action=accept protocol=udp dst-port=4500 log=no log-prefix=""
5 chain=input action=accept protocol=tcp dst-port=8291 log=no log-prefix=""
6 chain=input action=accept routing-mark="" protocol=ipsec-esp log=no log-prefix=""
7 chain=input action=drop log=no log-prefix=""
/ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=10.80.80.0/24 dst-address=192.168.0.0/24 log=no log-prefix=""
1 chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""
/ip firewall raw> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting action=notrack log=no log-prefix="" src-address=10.80.80.0/24 dst-address=192.168.0.0/24
1 chain=prerouting action=notrack log=no log-prefix="" src-address=192.168.0.0/24 dst-address=10.80.80.0/24
config vpn ipsec phase1-interface
edit "HQ-mikrotik"
set interface "port6"
set ike-version 2
set peertype any
set net-device disable
set proposal aes128-sha1
set comments "VPN: HQ-mikrotik"
set dhgrp 14
set nattraversal disable
set remote-gw 8x.xxx.xxx.xx
set psksecret ENC tzNfC95pCHyRU1KSMVpwbcxKDcSLkd0GIDHKUs6V7Dd8fSuHatDeSMUSyf1oWi11HuwzIOIMWLN17yAgxs+Lglq4dBmXrtRzakpxX/0jXhXLbkIhV4YZKI61/eUSRlEw7B+tKSQr9xtfUxC7vw8YDkw7W8cABhJwk8BuM5gN/BHAeb5E8Bkd1uq1hZhI7r9I+c7OEQ==
next
end
config vpn ipsec phase2-interface
edit "HQ-mikrotik"
set phase1name "HQ-mikrotik"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
set dhgrp 14
set comments "VPN: HQ-mikrotik "
set src-addr-type name
set dst-addr-type name
set src-name "HQ-mikrotik_local"
set dst-name "HQ-mikrotik_remote"
next
end
hans marchand, thanks for your input. I see that you use IPsec in tunnel mode; I want to create the connection in transport mode. I think I'm almost there: my phase1 is connected, and what I have a problem with is the selector check on both sides. Here is what the FGT debug shows:
ike 0:dusz_wan1_ipsec:1877:2363: TSr_0 0:x.x.x.122-x.x.x.122:0
ike 0:dusz_wan1_ipsec:1877:2363: TSi_0 0:x.x.x.82-x.x.x.82:0
ike 0:dusz_wan1_ipsec:1877:dusz_wan1_p2:2363: comparing selectors
ike 0:dusz_wan1_ipsec:1877:dusz_wan1_p2:2363: failed to match peer selectors
This is what the mikrotik log shows; x.x.x.122 is the mikrotik side.
08:58:12 ipsec,debug decrypted
08:58:12 ipsec payload seen: NOTIFY
08:58:12 ipsec payload seen: SA
08:58:12 ipsec payload seen: NONCE
08:58:12 ipsec payload seen: KE
08:58:12 ipsec payload seen: TS_I
08:58:12 ipsec payload seen: TS_R
08:58:12 ipsec create child: respond
08:58:12 ipsec processing payload: NONCE
08:58:12 ipsec processing payloads: NOTIFY
08:58:12 ipsec notify: USE_TRANSPORT_MODE
08:58:12 ipsec processing payloads: NOTIFY
08:58:12 ipsec notify: USE_TRANSPORT_MODE
08:58:12 ipsec peer wants transport mode
08:58:12 ipsec processing payload: CONFIG (not found)
08:58:12 ipsec processing payload: TS_I
08:58:12 ipsec x.x.x.82
08:58:12 ipsec processing payload: TS_R
08:58:12 ipsec x.x.x.122
08:58:12 ipsec canditate selectors: x.x.x.122 <=> x.x.x.82
08:58:12 ipsec processing payload: SA
08:58:12 ipsec IKE Protocol: ESP
08:58:12 ipsec proposal #1
08:58:12 ipsec enc: aes256-cbc
08:58:12 ipsec auth: sha256
08:58:12 ipsec dh: ecp521
08:58:12 ipsec searching for policy for selector: x.x.x.122 <=> x.x.x.82
08:58:12 ipsec using strict match: x.x.x.122 <=> x.x.x.82
08:58:12 ipsec matched proposal:
08:58:12 ipsec proposal #1
08:58:12 ipsec enc: aes256-cbc
08:58:12 ipsec auth: sha256
08:58:12 ipsec dh: ecp521
08:58:12 ipsec processing payload: KE
08:58:12 ipsec,debug => shared secret (size 0x42)
08:58:12 ipsec,debug 00982704 d2395a6d 128e7f72 d3a55f81 c0f65be1 e51aaceb 53aebb2a c8a7bc4c
08:58:12 ipsec,debug 201854cd 89704025 3d9c4d22 1b0908f0 7db4ce43 4e538ef8 9f3341b6 f62a5d3d
08:58:12 ipsec,debug 0c75
08:58:12 ipsec create child: finish
08:58:12 ipsec adding payload: NONCE
08:58:12 ipsec,debug => (size 0x1c)
08:58:12 ipsec,debug 0000001c 27ab94b1 59fa10e7 aeb76293 a15316b9 e16baa3b 4a5851fc
08:58:12 ipsec adding payload: KE
08:58:12 ipsec,debug => (size 0x8c)
08:58:12 ipsec,debug 0000008c 00150000 01e04a40 3a5c5722 bec98ff3 ed620051 b1cabcf5 12f39437
08:58:12 ipsec,debug f6499311 84d94f6f f08ca50e a79ff165 b494600e 2381240f ac601943 bb6d3b37
08:58:12 ipsec,debug a8a39aa7 4ade3b71 422101f7 3bc04b7b d4e02d87 9368fa79 78f79e36 124c6bec
08:58:12 ipsec,debug 5087022e d3c6921b 38389674 1eed5d83 9e2956c4 33918d5f a6d3f750 e3b6bda0
08:58:12 ipsec,debug 5da7abda bc633818 662e2538
08:58:12 ipsec initiator selector: x.x.x.82
08:58:12 ipsec adding payload: TS_I
08:58:12 ipsec,debug => (size 0x18)
08:58:12 ipsec,debug 00000018 01000000 07000010 0000ffff d9619a52 d9619a52
08:58:12 ipsec responder selector: x.x.x.122
08:58:12 ipsec adding payload: TS_R
08:58:12 ipsec,debug => (size 0x18)
08:58:12 ipsec,debug 00000018 01000000 07000010 0000ffff 5036f67a 5036f67a
08:58:12 ipsec adding payload: SA
08:58:12 ipsec,debug => (size 0x34)
08:58:12 ipsec,debug 00000034 00000030 01030404 085febfb 0300000c 0100000c 800e0100 03000008
08:58:12 ipsec,debug 0300000c 03000008 04000015 00000008 05000000
08:58:12 ipsec adding notify: USE_TRANSPORT_MODE
08:58:12 ipsec,debug => (size 0x8)
08:58:12 ipsec,debug 00000008 00004007
08:58:12 ipsec <- ike2 reply, exchange: CREATE_CHILD_SA:631 x.x.x.82[77]
08:58:12 ipsec,debug ===== sending 448 bytes from x.x.x.122[500] to x.x.x.82[77]
08:58:12 ipsec,debug 1 times of 448 bytes message will be sent to x.x.x.82[77]
08:58:12 ipsec,debug => child keymat (size 0x80)
08:58:12 ipsec,debug c221e926 254fbebe 8f3d0683 159098db 04c2caae 1f354106 1a7f68e6 c4791f9c
08:58:12 ipsec,debug 23af6166 b6971d63 a4b04b66 d640dfa0 4e577ef3 bd99a61f 81bc9401 159010b2
08:58:12 ipsec,debug 879ecbbd ba8011bc 391278bc feb2113a b77c43c6 5ff9236a 0f5285d5 f7b84386
08:58:12 ipsec,debug 33e1ab8a 91f55411 1aaa25bb 0562f141 7cb74b0c bd10830f d514b9e8 6c8de11b
08:58:12 ipsec IPsec-SA established: x.x.x.82[77]->x.x.x.122[500] spi=0x85febfb
08:58:12 ipsec IPsec-SA established: x.x.x.122[500]->x.x.x.82[77] spi=0x59e08b68
08:58:13 ipsec,debug ===== received 80 bytes from x.x.x.82[77] to x.x.x.122[500]
08:58:13 ipsec -> ike2 request, exchange: INFORMATIONAL:632 x.x.x.82[77]
08:58:13 ipsec payload seen: ENC
08:58:13 ipsec processing payload: ENC
08:58:13 ipsec,debug => iv (size 0x10)
08:58:13 ipsec,debug a80fd68d f9b9beda 90d196c3 cf47caa3
08:58:13 ipsec,debug => plain payload (trimmed) (size 0xc)
08:58:13 ipsec,debug 0000000c 0304000b 59e08b68
08:58:13 ipsec,debug decrypted
08:58:13 ipsec payload seen: NOTIFY
08:58:13 ipsec respond: info
08:58:13 ipsec processing payloads: NOTIFY
08:58:13 ipsec notify: INVALID_SPI
08:58:13 ipsec got error: INVALID_SPI
08:58:13 ipsec processing payloads: DELETE (none found)
08:58:13 ipsec,debug sending empty reply
08:58:13 ipsec <- ike2 reply, exchange: INFORMATIONAL:632 x.x.x.82[77]
08:58:13 ipsec,debug ===== sending 112 bytes from x.x.x.122[500] to x.x.x.82[77]
08:58:13 ipsec,debug 1 times of 112 bytes message will be sent to x.x.x.82[77]
08:58:17 ipsec,debug ===== received 352 bytes from x.x.x.82[77] to x.x.x.122[500]
08:58:17 ipsec -> ike2 request, exchange: CREATE_CHILD_SA:633 x.x.x.82[77]
08:58:17 ipsec payload seen: ENC
08:58:17 ipsec processing payload: ENC
08:58:17 ipsec,debug => iv (size 0x10)
08:58:17 ipsec,debug 3e0e103f d18d3ef9 d38bf496 7dccc301
08:58:17 ipsec,debug => plain payload (trimmed) (first 0x100 of 0x110)
08:58:17 ipsec,debug 2100000c 03044007 59e08b69 28000034 00000030 01030404 59e08b69 0300000c
08:58:17 ipsec,debug 0100000c 800e0100 03000008 0300000c 03000008 04000015 00000008 05000000
08:58:17 ipsec,debug 22000014 e068e447 3c476474 fc51158a a8ce3ee2 2c00008c 00150000 000b38f4
08:58:17 ipsec,debug 2cc75a75 fa507bc8 b5706b5b f26b92e7 f73f93f2 c145c779 052ec94c 6abd3984
08:58:17 ipsec,debug 34528986 e7398656 e4d3b335 04b0dcca 1793fd39 61b6bcae 6e320a0e 31180160
08:58:17 ipsec,debug 1ecd41e5 0544121b 77c98801 69464045 5c622d0e b127b26f c5602029 e90c1238
08:58:17 ipsec,debug e25246ae e3351e43 ec31c578 eee678a5 aaedfac0 04b4d873 0227f8d5 8b9b4940
08:58:17 ipsec,debug 2d000018 01000000 07000010 0000ffff d9619a52 d9619a52 00000018 01000000
/ip ipsec peer> print
Flags: X - disabled, D - dynamic, R - responder
0 name="forti-HQ" address=8x.xxx.xxx.xxx/32 profile=forti-HQ exchange-mode=ike2 send-initial-contact=yes
/ip ipsec policy> print
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
# PEER TUNNEL SRC-ADDRESS DST-ADDRESS PROTOCOL ACTION LEVEL PH2-COUNT
1 A forti-HQ no 8x.xxx.xxx.xx/32 8x.xxx.xxx.xx/32 all encrypt require 13
/ip ipsec profile> print
Flags: * - default
1 name="forti-HQ" hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp2048 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5
/ip ipsec proposal> print
Flags: X - disabled, * - default
1 name="forti-HQ" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=modp2048
Fortigate:
(HQ-mikrotik) # show
config vpn ipsec phase2-interface
edit "HQ-mikrotik"
set phase1name "HQ-mikrotik"
set proposal aes128-sha1
set dhgrp 14
set replay disable
set auto-negotiate enable
set encapsulation transport-mode
set comments "VPN: HQ-mikrotik"
set protocol 47
next
end
Result from the log:
ike 2:HQ-mikrotik:557: responder received AUTH msg
ike 2:HQ-mikrotik:557: processing notify type INITIAL_CONTACT
ike 2:HQ-mikrotik:557: processing notify type USE_TRANSPORT_MODE
ike 2:HQ-mikrotik:557: peer identifier IPV4_ADDR 8x.xxx.xxx.xxx
ike 2:HQ-mikrotik:557: auth verify done
ike 2:HQ-mikrotik:557: responder AUTH continuation
ike 2:HQ-mikrotik:557: authentication succeeded
ike 2:HQ-mikrotik:557: responder creating new child
ike 2:HQ-mikrotik:557:14864: peer proposal:
ike 2:HQ-mikrotik:557:14864: TSi_0 0:0.0.0.0-255.255.255.255:0
ike 2:HQ-mikrotik:557:14864: TSr_0 0:8x.xxx.xxx.xxx-8x.xxx.xxx.xxx:0
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: comparing selectors
ike 2:HQ-mikrotik:557:14864: transport mode, override with 0:8x.xxx.xxx.xxx-8x.xxx.xxx.xxx:0 -> 0:8x.xxx.xxx.xxx-8x.xxx.xxx.xxx
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: matched by rfc-rule-4
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: phase2 matched by intersection
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: accepted proposal:
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: TSi_0 47:8x.xxx.xxx.xxx-8x.xxx.xxx.xxx:0
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: TSr_0 47:8x.xxx.xxx.xxx-8x.xxx.xxx.xxx:0
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: autokey
ike 2:HQ-mikrotik:557:14864: using transport mode selectors
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: incoming child SA proposal:
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: proposal id = 1:
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: protocol = ESP:
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: encapsulation = TRANSPORT
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: type=ENCR, val=AES_CBC (key_len = 128)
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: type=INTEGR, val=SHA
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: type=ESN, val=NO
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: PFS is disabled
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: matched proposal id 1
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: proposal id = 1:
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: protocol = ESP:
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: encapsulation = TRANSPORT
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: type=ENCR, val=AES_CBC (key_len = 128)
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: type=INTEGR, val=SHA
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: type=ESN, val=NO
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: PFS is disabled
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: lifetime=43200
ike 2:HQ-mikrotik:557: responder preparing AUTH msg
ike 2:HQ-mikrotik:557: established IKE SA 7946024a5879b7ae/5aa9b1311435ddae
ike 2:HQ-mikrotik:557: processing INITIAL-CONTACT
ike 2:HQ-mikrotik: flushing
ike 2:HQ-mikrotik: flushed
ike 2:HQ-mikrotik:557: processed INITIAL-CONTACT
ike 2:HQ-mikrotik: set oper up
ike 2:HQ-mikrotik: schedule auto-negotiate
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: set sa life soft seconds=42930.
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: set sa life hard seconds=43200.
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: IPsec SA selectors #src=1 #dst=1
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: src 0 7 47:8x.xxx.xxx.xxx-8x.xxx.xxx.xxx:0
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: dst 0 7 47:8x.xxx.xxx.xxx-8x.xxx.xxx.xxx:0
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: add dynamic IPsec SA selectors
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: added dynamic IPsec SA proxyids, new serial 10
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: add IPsec SA: SPIs=e3bb28e5/0bedf80f
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: IPsec SA dec spi e3bb28e5 key 16:9ABA9348266BBC27BB69C9108B0C8F1C auth 20:449BF2521F91EB94398C547CF76D1406C158EA03
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: IPsec SA enc spi 0bedf80f key 16:7B69D9F9777CCBCBFF39638091FA3E79 auth 20:F43575FC84439C3576E4B034B91C7FA52AEA190B
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: transport mode encapsulation is enabled
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: added IPsec SA: SPIs=e3bb28e5/0bedf80f
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: sending SNMP tunnel UP trap
ike 2:HQ-mikrotik:557: enc 2700000C0100000051C4A91B2900001C020000004910F2E19F03DBC3001C94A2801BE1B0BE8731FB21000008000040072C00002C0000002801030403E3BB28E50300000C0100000C800E0080030000080300000200000008050000002D00001801000000072F00100000FFFF51C4A91E51C4A91E0000001801000000072F00100000FFFF51C4A91B51C4A91B03020103
ike 2:HQ-mikrotik:557: out 7946024A5879B7AE5AA9B1311435DDAE2E20232000000001000000CC240000B0E93D18395280B46742C374EB925E7EE35A43BC0FAAF7DF7968FD47C64174A597E73FB568BC4E42AE33B08B92E63368B1B1E546BE1F745942705B6A938D56AA2011C7EDBFD3AB21472555C9B6334C191FF4869C50D2BFF3C163E7E51571F117CD1CE74D823DEE46D86FB9A277E44C1A308242C0C16D899F5DB26E2729D302BC9CF06944107DEE85D2BF4E8420A37A283A53AA1131F376934CB96442E79CF7F809480838A26ED2A005E7C0550C
ike 2:HQ-mikrotik:557: sent IKE msg (AUTH_RESPONSE): 88x.xxx.xxx.xxx:4500->88x.xxx.xxx.xxx:4500, len=204, id=7946024a5879b7ae/5aa9b1311435ddae:00000001
ike 2:HQ-mikrotik: carrier up
ike 2:HQ-mikrotik:HQ-mikrotik: IPsec SA connect 16 8x.xxx.xxx.xxx->8x.xxx.xxx.xxx:0
ike 2:HQ-mikrotik:HQ-mikrotik: using existing connection
ike 2:HQ-mikrotik:HQ-mikrotik: config found
ike 2:HQ-mikrotik:HQ-mikrotik: tunnel is up, ignoring connect event
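The "comparing selectors", "transport mode, override with ..." and "phase2 matched by intersection" lines above are the FortiGate, as responder, narrowing the peer's traffic selectors down to what its own phase2 allows; with transport mode and set protocol 47 that ends as 47:<ip>-<ip>:0 on both sides, which is what the accepted proposal shows. The following Python is an added example, not code from this thread, Fortinet or MikroTik: it encodes and decodes the IKEv2 Traffic Selector payload format that the MikroTik log dumps in hex (the 00000018 01000000 07000010 ... lines), then applies the RFC 7296 narrowing rule to a constructed exchange. The addresses are RFC 5737 documentation addresses (192.0.2.10 standing in for the MikroTik WAN, 198.51.100.20 for the FortiGate WAN), and the selector dict layout and function names are the example's own, not a vendor API.

```python
"""Encode/decode IKEv2 Traffic Selector (TS) payloads and apply responder-side
narrowing, to show how a transport-mode GRE (protocol 47) child SA is matched."""
import ipaddress
import struct

TS_IPV4_ADDR_RANGE = 7   # TS type, RFC 7296 section 3.13.1
ANY_PROTO = 0            # IP protocol ID 0 in a TS means "any protocol"
GRE = 47


def ts(proto, start, end, sport=0, eport=65535):
    """Build one IPv4 address-range selector as a plain dict."""
    return {"proto": proto, "start_port": sport, "end_port": eport,
            "start": ipaddress.IPv4Address(start), "end": ipaddress.IPv4Address(end)}


def build_ts_payload(selectors, next_payload=0):
    """Encode selectors as a TS payload: 4-byte generic header, TS count,
    3 reserved bytes, then one 16-byte substructure per IPv4 range."""
    body = b"".join(
        struct.pack("!BBHHHII", TS_IPV4_ADDR_RANGE, s["proto"], 16,
                    s["start_port"], s["end_port"], int(s["start"]), int(s["end"]))
        for s in selectors)
    return struct.pack("!BBHB3x", next_payload, 0, 8 + len(body), len(selectors)) + body


def decode_ts_payload(raw):
    """Parse a TS payload back into selector dicts (IPv4 ranges only)."""
    _next, _resv, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"payload length field {length} != {len(raw)} bytes")
    count, offset, out = raw[4], 8, []
    for _ in range(count):
        ts_type, proto, sel_len = struct.unpack("!BBH", raw[offset:offset + 4])
        if ts_type != TS_IPV4_ADDR_RANGE or sel_len != 16:
            raise ValueError(f"unsupported TS type {ts_type} / length {sel_len}")
        sport, eport, start, end = struct.unpack("!HHII", raw[offset + 4:offset + 16])
        out.append(ts(proto, start, end, sport, eport))
        offset += sel_len
    return out


def narrow(peer, local):
    """Intersect one peer selector with one local selector (RFC 7296 s2.9).
    Protocol 0 matches anything; returns None when the two do not overlap."""
    if peer["proto"] and local["proto"] and peer["proto"] != local["proto"]:
        return None
    proto = peer["proto"] or local["proto"]
    start, end = max(peer["start"], local["start"]), min(peer["end"], local["end"])
    sport = max(peer["start_port"], local["start_port"])
    eport = min(peer["end_port"], local["end_port"])
    if start > end or sport > eport:
        return None
    return ts(proto, start, end, sport, eport)


def fmt(sel):
    """Render a selector in the proto:start-end:port style of the FortiGate debug."""
    return f"{sel['proto']}:{sel['start']}-{sel['end']}:{sel['start_port']}"


def select_child_selectors(peer_tsi, peer_tsr, local_tsi, local_tsr):
    """Responder view: first (TSi, TSr) pair where both peer selectors overlap
    the local phase2; None corresponds to 'failed to match peer selectors'."""
    for pi in peer_tsi:
        for pr in peer_tsr:
            ni, nr = narrow(pi, local_tsi), narrow(pr, local_tsr)
            if ni and nr:
                return ni, nr
    return None


def demo():
    """Constructed exchange: peer offers any-address/any-protocol TSi and its
    own address as TSr; local phase2 is transport mode, protocol 47."""
    mikrotik_wan, fgt_wan = "192.0.2.10", "198.51.100.20"   # RFC 5737 addresses
    peer_tsi = decode_ts_payload(build_ts_payload([ts(ANY_PROTO, "0.0.0.0", "255.255.255.255")]))
    peer_tsr = decode_ts_payload(build_ts_payload([ts(ANY_PROTO, fgt_wan, fgt_wan)]))
    local_tsi = ts(GRE, mikrotik_wan, mikrotik_wan)
    local_tsr = ts(GRE, fgt_wan, fgt_wan)
    return select_child_selectors(peer_tsi, peer_tsr, local_tsi, local_tsr)


if __name__ == "__main__":
    chosen = demo()
    print("no match" if chosen is None else f"TSi {fmt(chosen[0])}  TSr {fmt(chosen[1])}")
```

Run as-is it prints the narrowed pair 47:192.0.2.10-192.0.2.10:0 / 47:198.51.100.20-198.51.100.20:0, the same shape as the accepted proposal in the log. Feeding `narrow()` a peer selector with a different fixed protocol (say TCP, 6) or a non-overlapping address returns None, which is the situation behind a "failed to match peer selectors" line.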
Copyright 2025 Fortinet, Inc. All Rights Reserved.