Tutek_OLD
New Contributor

Cannot connect Fortigate to Mikrotik using Ipsec

Hi, I'm trying to connect a Mikrotik with a Fortigate using GRE over IPsec, but I'm already stuck on the IPsec Phase 1 exchange. Could anyone help me? Fortigate config:

config vpn ipsec phase1-interface
    edit "ipsec_p1"
        set interface "port16"
        set ike-version 2
        set local-gw FGT_WAN
        set keylife 3600
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 21
        set remote-gw MIKROTIK_WAN
        set psksecret password
    next
end
config vpn ipsec phase2-interface
    edit "ipsec_p2"
        set phase1name "ipsec_p1"
        set proposal aes256-sha256
        set dhgrp 21
        set encapsulation transport-mode
        set protocol 47
    next
end

 

Mikrotik config:

/ip ipsec policy group
add name=group1

/ip ipsec profile> print
Flags: * - default
 1 name="FGT" hash-algorithm=sha512 enc-algorithm=aes-256 dh-group=ecp521 lifetime=1d
     proposal-check=obey nat-traversal=yes dpd-interval=disable-dpd

/ip ipsec peer> print
Flags: X - disabled, D - dynamic, R - responder
 0 name="FGT" address=FGT_WAN/32 local-address=MIKROTIK_WAN port=500
       profile=FGT exchange-mode=ike2 send-initial-contact=yes
       
/ip ipsec proposal> print
Flags: X - disabled, * - default
 1 name="FGT" auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s
      pfs-group=ecp521
      
 /ip ipsec identity> print
Flags: D - dynamic, X - disabled
      peer=FGT auth-method=pre-shared-key secret="password" generate-policy=no
      
/ip ipsec policy> print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
 1 src-address=MIKROTIK_WAN/32 src-port=any dst-address=FGT_WAN/32 dst-port=any
       protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=no
       proposal=FGT ph2-count=0

 

Fortigate debug:

FGT # ike 0: comes MIKROTIK_WAN:500->FORTIGATE_WAN:500,ifindex=22....
ike 0: IKEv2 exchange=SA_INIT id=7db77dde33559db9/0000000000000000 len=300
ike 0: in 7DB77DDE33559DB9000000000000000029202208000000000000012C2900001C000040058127764BBADB7244D1E0779C7B6DB9E7F017782D2800001C000040040C756A50A4894E77195676AE85309213A81D7AEA2200001CAF2203E8EE1329DDF0FCA70E3F6E459E34A50CBEFE0EEA7B2100008C0015000000019347E6A359CE73A61BAC722E10AAD7349FF180904339F3CBC0CDAF
ike 0:7db77dde33559db9/0000000000000000:296: responder received SA_INIT msg
ike 0:7db77dde33559db9/0000000000000000:296: received notify type NAT_DETECTION_DESTINATION_IP
ike 0:7db77dde33559db9/0000000000000000:296: received notify type NAT_DETECTION_SOURCE_IP
ike 0:7db77dde33559db9/0000000000000000:296: incoming proposal:
ike 0:7db77dde33559db9/0000000000000000:296: proposal id = 1:
ike 0:7db77dde33559db9/0000000000000000:296: protocol = IKEv2:
ike 0:7db77dde33559db9/0000000000000000:296: encapsulation = IKEv2/none
ike 0:7db77dde33559db9/0000000000000000:296: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:7db77dde33559db9/0000000000000000:296: type=INTEGR, val=AUTH_HMAC_SHA2_512_256
ike 0:7db77dde33559db9/0000000000000000:296: type=PRF, val=PRF_HMAC_SHA2_512
ike 0:7db77dde33559db9/0000000000000000:296: type=DH_GROUP, val=ECP521.
ike 0:7db77dde33559db9/0000000000000000:296: no proposal chosen
ike Negotiate SA Error: ike ike [10366]
 

marchand
New Contributor III

In Fortigate you have the proposal set to:

set proposal aes256-sha256, and in Mikrotik

 1 name="FGT" hash-algorithm=sha512 enc-algorithm=aes-256 dh-group=ecp521 lifetime=1d

 1 name="FGT" auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s       pfs-group=ecp521

I don't think they match.

 

 

Tutek_OLD

Yes, you are right, I corrected this, but still no luck:

 1 name="FGT" hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=ecp521 lifetime=1d
     proposal-check=obey nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5

Tutek_OLD

Fortigate has started to offer its proposal:

ike 0:5dba9574f1c87ee3/0000000000000000:1723: responder received SA_INIT msg
ike 0:5dba9574f1c87ee3/0000000000000000:1723: received notify type NAT_DETECTION_DESTINATION_IP
ike 0:5dba9574f1c87ee3/0000000000000000:1723: received notify type NAT_DETECTION_SOURCE_IP
ike 0:5dba9574f1c87ee3/0000000000000000:1723: incoming proposal:
ike 0:5dba9574f1c87ee3/0000000000000000:1723: proposal id = 1:
ike 0:5dba9574f1c87ee3/0000000000000000:1723: protocol = IKEv2:
ike 0:5dba9574f1c87ee3/0000000000000000:1723: encapsulation = IKEv2/none
ike 0:5dba9574f1c87ee3/0000000000000000:1723: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:5dba9574f1c87ee3/0000000000000000:1723: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:5dba9574f1c87ee3/0000000000000000:1723: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:5dba9574f1c87ee3/0000000000000000:1723: type=DH_GROUP, val=ECP521.
ike 0:5dba9574f1c87ee3/0000000000000000:1723: my proposal, gw dusz_wan1_p1:
ike 0:5dba9574f1c87ee3/0000000000000000:1723: proposal id = 1:
ike 0:5dba9574f1c87ee3/0000000000000000:1723: protocol = IKEv2:
ike 0:5dba9574f1c87ee3/0000000000000000:1723: encapsulation = IKEv2/none
ike 0:5dba9574f1c87ee3/0000000000000000:1723: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:5dba9574f1c87ee3/0000000000000000:1723: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:5dba9574f1c87ee3/0000000000000000:1723: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:5dba9574f1c87ee3/0000000000000000:1723: type=DH_GROUP, val=ECP521.
ike 0:5dba9574f1c87ee3/0000000000000000:1723: lifetime=3600
ike 0:5dba9574f1c87ee3/0000000000000000:1723: no proposal chosen

emnoc
Esteemed Contributor III

Read the output; it tells you the key length is not matching,

e.g.

type=ENCR, val=AES_CBC (key_len = 128)  vs 256

Ken Felix

 

PCNSE NSE StrongSwan
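As an added example (my own code, not from the thread or from Fortinet), here is a small Python parser for the FortiGate IKE debug trace posted above. It pulls out the peer's SA_INIT proposal and the gateway's own and reports which transform differs, which is the key-length mismatch emnoc points at. The sample trace is constructed from the lines in this thread; the log prefix format is assumed from those lines.

```python
import re
from typing import Dict, List, Optional, Tuple

Transform = Tuple[str, Optional[int]]   # (value, key_len or None)
Proposal = Dict[str, Transform]         # transform type -> transform

# Constructed sample, taken from the trace posted above: peer offers AES-CBC-256, gateway AES-CBC-128.
SAMPLE_LOG = """\
ike 0:5dba9574f1c87ee3/0000000000000000:1723: incoming proposal:
ike 0:5dba9574f1c87ee3/0000000000000000:1723: proposal id = 1:
ike 0:5dba9574f1c87ee3/0000000000000000:1723: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:5dba9574f1c87ee3/0000000000000000:1723: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:5dba9574f1c87ee3/0000000000000000:1723: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:5dba9574f1c87ee3/0000000000000000:1723: type=DH_GROUP, val=ECP521.
ike 0:5dba9574f1c87ee3/0000000000000000:1723: my proposal, gw dusz_wan1_p1:
ike 0:5dba9574f1c87ee3/0000000000000000:1723: proposal id = 1:
ike 0:5dba9574f1c87ee3/0000000000000000:1723: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:5dba9574f1c87ee3/0000000000000000:1723: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:5dba9574f1c87ee3/0000000000000000:1723: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:5dba9574f1c87ee3/0000000000000000:1723: type=DH_GROUP, val=ECP521.
ike 0:5dba9574f1c87ee3/0000000000000000:1723: lifetime=3600
ike 0:5dba9574f1c87ee3/0000000000000000:1723: no proposal chosen
"""

MSG_RE = re.compile(r"^ike\s+\S+\s+(.*)$")            # strip the "ike <sa-id>:" prefix
TRANSFORM_RE = re.compile(
    r"type=(\w+), val=([A-Za-z0-9_]+)(?: \(key_len = (\d+)\))?\.?\s*$")


def parse_sa_init(log: str) -> Dict[str, List[Proposal]]:
    """Collect the peer's proposals ("incoming proposal") and ours ("my proposal")."""
    sides: Dict[str, List[Proposal]] = {"peer": [], "mine": []}
    side = None
    for raw in log.splitlines():
        m = MSG_RE.match(raw)
        msg = m.group(1).strip() if m else ""
        if msg == "incoming proposal:":
            side = "peer"
        elif msg.startswith("my proposal"):
            side = "mine"
        elif side and msg.startswith("proposal id ="):
            sides[side].append({})                  # a new proposal block starts
        elif side and sides[side]:
            t = TRANSFORM_RE.search(msg)
            if t:                                   # one transform of the current proposal
                key_len = int(t.group(3)) if t.group(3) else None
                sides[side][-1][t.group(1)] = (t.group(2), key_len)
    return sides


def fmt(tr: Optional[Transform]) -> str:
    return "absent" if tr is None else tr[0] if tr[1] is None else f"{tr[0]}/{tr[1]}"


def diff_proposals(peer: Proposal, mine: Proposal) -> List[Tuple[str, str, str]]:
    """Transform types whose value (or key length) differs between two proposals."""
    return [(t, fmt(peer.get(t)), fmt(mine.get(t)))
            for t in sorted(set(peer) | set(mine)) if peer.get(t) != mine.get(t)]


def diagnose(log: str) -> dict:
    """Explain a 'no proposal chosen': the closest peer/local pair and what differs."""
    sides = parse_sa_init(log)
    best = None
    for p in sides["peer"]:
        for m in sides["mine"]:
            d = diff_proposals(p, m)
            if best is None or len(d) < len(best):
                best = d
    if best is None:   # only one side was printed, as in the first trace in this thread
        return {"matched": False, "diffs": [], "note": "proposals missing for one side"}
    return {"matched": not best, "diffs": best}
```

Running `diagnose(SAMPLE_LOG)` on the constructed trace reports a single difference, `ENCR` at `AES_CBC/256` versus `AES_CBC/128`, which is exactly the key-length mismatch behind the "no proposal chosen".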
Tutek_OLD

I'm just looking at the CLI command reference for phase1 (CLI Reference | FortiGate / FortiOS 6.2.7 | Fortinet Documentation Library)

and I don't see any settings regarding key length?

Tutek_OLD

I already have Phase 1 connected with the Mikrotik, but I can't get Phase 2 to come up; it gives me a selector phase mismatch.

Phase 2 should be in transport mode. On the FGT I fill in the selectors, like the local wan1 IP and the remote WAN IP, then click OK.

But after a while, when I go back in to edit the same IPsec interface, these selectors are empty.

 

marchand
New Contributor III

Below you can find a working configuration from one of my Mikrotik routers:

 

/ip ipsec peer> print
Flags: X - disabled, D - dynamic, R - responder
 0   R name="forti-HQ" address=8x.xxx.xxx.xx/32 passive=yes profile=forti-HQ exchange-mode=ike2 send-initial-contact=no

/ip ipsec policy> print
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
 #      PEER                TUNNEL SRC-ADDRESS                                               DST-ADDRESS                                               PROTOCOL   ACTION  LEVEL    PH2-COUNT
 0 T X*                            0.0.0.0/0                                                 192.168.100.0/24                                          all
 1   A  forti-HQ            yes    10.80.80.0/24                                             192.168.0.0/24                                            all        encrypt require          1

/ip ipsec profile> print
Flags: * - default
 1   name="forti-HQ" hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp2048 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5

/ip ipsec proposal> print
Flags: X - disabled, * - default
  1    name="forti-HQ" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=modp2048


/ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
 0    chain=input action=accept protocol=icmp

 1    chain=input action=accept connection-state=established,related log=no log-prefix=""

 2    chain=input action=accept protocol=tcp dst-port=22 log=no log-prefix=""

 3    chain=input action=accept protocol=udp dst-port=500 log=no log-prefix=""

 4    chain=input action=accept protocol=udp dst-port=4500 log=no log-prefix=""

 5    chain=input action=accept protocol=tcp dst-port=8291 log=no log-prefix=""

 6    chain=input action=accept routing-mark="" protocol=ipsec-esp log=no log-prefix=""

 7    chain=input action=drop log=no log-prefix=""

/ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
 0    chain=srcnat action=accept src-address=10.80.80.0/24 dst-address=192.168.0.0/24 log=no log-prefix=""

 1    chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""

/ip firewall raw> print
Flags: X - disabled, I - invalid, D - dynamic
 0    chain=prerouting action=notrack log=no log-prefix="" src-address=10.80.80.0/24 dst-address=192.168.0.0/24

 1    chain=prerouting action=notrack log=no log-prefix="" src-address=192.168.0.0/24 dst-address=10.80.80.0/24

 

config vpn ipsec phase1-interface
    edit "HQ-mikrotik"
        set interface "port6"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha1
        set comments "VPN: HQ-mikrotik"
        set dhgrp 14
        set nattraversal disable
        set remote-gw 8x.xxx.xxx.xx
        set psksecret ENC tzNfC95pCHyRU1KSMVpwbcxKDcSLkd0GIDHKUs6V7Dd8fSuHatDeSMUSyf1oWi11HuwzIOIMWLN17yAgxs+Lglq4dBmXrtRzakpxX/0jXhXLbkIhV4YZKI61/eUSRlEw7B+tKSQr9xtfUxC7vw8YDkw7W8cABhJwk8BuM5gN/BHAeb5E8Bkd1uq1hZhI7r9I+c7OEQ==
    next
end
config vpn ipsec phase2-interface
    edit "HQ-mikrotik"
        set phase1name "HQ-mikrotik"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
        set dhgrp 14
        set comments "VPN: HQ-mikrotik "
        set src-addr-type name
        set dst-addr-type name
        set src-name "HQ-mikrotik_local"
        set dst-name "HQ-mikrotik_remote"
    next
end



Tutek_OLD

Thanks marchand for your input. I see that you use IPsec in tunnel mode; I want to create the connection in transport mode. I think I'm almost there: my Phase 1 is connected, what I have a problem with is the selector check on both sides. Here is what the FGT debug shows:

ike 0:dusz_wan1_ipsec:1877:2363: TSr_0 0:x.x.x.122-x.x.x.122:0
ike 0:dusz_wan1_ipsec:1877:2363: TSi_0 0:x.x.x.82-x.x.x.82:0
ike 0:dusz_wan1_ipsec:1877:dusz_wan1_p2:2363: comparing selectors
ike 0:dusz_wan1_ipsec:1877:dusz_wan1_p2:2363: failed to match peer selectors

 

This is what the Mikrotik log shows; x.x.x.122 is the Mikrotik side.

08:58:12 ipsec,debug decrypted 
08:58:12 ipsec payload seen: NOTIFY
08:58:12 ipsec payload seen: SA
08:58:12 ipsec payload seen: NONCE
08:58:12 ipsec payload seen: KE
08:58:12 ipsec payload seen: TS_I
08:58:12 ipsec payload seen: TS_R
08:58:12 ipsec create child: respond
08:58:12 ipsec processing payload: NONCE
08:58:12 ipsec processing payloads: NOTIFY
08:58:12 ipsec notify: USE_TRANSPORT_MODE
08:58:12 ipsec processing payloads: NOTIFY
08:58:12 ipsec notify: USE_TRANSPORT_MODE
08:58:12 ipsec peer wants transport mode
08:58:12 ipsec processing payload: CONFIG (not found)
08:58:12 ipsec processing payload: TS_I
08:58:12 ipsec x.x.x.82
08:58:12 ipsec processing payload: TS_R
08:58:12 ipsec x.x.x.122
08:58:12 ipsec canditate selectors: x.x.x.122 <=> x.x.x.82
08:58:12 ipsec processing payload: SA
08:58:12 ipsec IKE Protocol: ESP
08:58:12 ipsec proposal #1
08:58:12 ipsec enc: aes256-cbc
08:58:12 ipsec auth: sha256
08:58:12 ipsec dh: ecp521
08:58:12 ipsec searching for policy for selector: x.x.x.122 <=> x.x.x.82
08:58:12 ipsec using strict match: x.x.x.122 <=> x.x.x.82
08:58:12 ipsec matched proposal:
08:58:12 ipsec proposal #1
08:58:12 ipsec enc: aes256-cbc
08:58:12 ipsec auth: sha256
08:58:12 ipsec dh: ecp521
08:58:12 ipsec processing payload: KE
08:58:12 ipsec,debug => shared secret (size 0x42)
08:58:12 ipsec,debug 00982704 d2395a6d 128e7f72 d3a55f81 c0f65be1 e51aaceb 53aebb2a c8a7bc4c
08:58:12 ipsec,debug 201854cd 89704025 3d9c4d22 1b0908f0 7db4ce43 4e538ef8 9f3341b6 f62a5d3d
08:58:12 ipsec,debug 0c75
08:58:12 ipsec create child: finish
08:58:12 ipsec adding payload: NONCE
08:58:12 ipsec,debug => (size 0x1c)
08:58:12 ipsec,debug 0000001c 27ab94b1 59fa10e7 aeb76293 a15316b9 e16baa3b 4a5851fc
08:58:12 ipsec adding payload: KE
08:58:12 ipsec,debug => (size 0x8c)
08:58:12 ipsec initiator selector: x.x.x.82
08:58:12 ipsec adding payload: TS_I
08:58:12 ipsec,debug => (size 0x18)
08:58:12 ipsec,debug 00000018 01000000 07000010 0000ffff d9619a52 d9619a52
08:58:12 ipsec responder selector: x.x.x.122
08:58:12 ipsec adding payload: TS_R
08:58:12 ipsec,debug => (size 0x18)
08:58:12 ipsec,debug 00000018 01000000 07000010 0000ffff 5036f67a 5036f67a
08:58:12 ipsec adding payload: SA
08:58:12 ipsec,debug => (size 0x34)
08:58:12 ipsec,debug 00000034 00000030 01030404 085febfb 0300000c 0100000c 800e0100 03000008
08:58:12 ipsec,debug 0300000c 03000008 04000015 00000008 05000000
08:58:12 ipsec adding notify: USE_TRANSPORT_MODE
08:58:12 ipsec,debug => (size 0x8)
08:58:12 ipsec,debug 00000008 00004007
08:58:12 ipsec <- ike2 reply, exchange: CREATE_CHILD_SA:631 x.x.x.82[77]
08:58:12 ipsec,debug ===== sending 448 bytes from x.x.x.122[500] to x.x.x.82[77]
08:58:12 ipsec,debug 1 times of 448 bytes message will be sent to x.x.x.82[77]
08:58:12 ipsec,debug => child keymat (size 0x80)
08:58:12 ipsec IPsec-SA established: x.x.x.82[77]->x.x.x.122[500] spi=0x85febfb
08:58:12 ipsec IPsec-SA established: x.x.x.122[500]->x.x.x.82[77] spi=0x59e08b68
08:58:13 ipsec,debug ===== received 80 bytes from x.x.x.82[77] to x.x.x.122[500]
08:58:13 ipsec -> ike2 request, exchange: INFORMATIONAL:632 x.x.x.82[77]
08:58:13 ipsec payload seen: ENC
08:58:13 ipsec processing payload: ENC
08:58:13 ipsec,debug => iv (size 0x10)
08:58:13 ipsec,debug a80fd68d f9b9beda 90d196c3 cf47caa3
08:58:13 ipsec,debug => plain payload (trimmed) (size 0xc)
08:58:13 ipsec,debug 0000000c 0304000b 59e08b68
08:58:13 ipsec,debug decrypted
08:58:13 ipsec payload seen: NOTIFY
08:58:13 ipsec respond: info
08:58:13 ipsec processing payloads: NOTIFY
08:58:13 ipsec notify: INVALID_SPI
08:58:13 ipsec got error: INVALID_SPI
08:58:13 ipsec processing payloads: DELETE (none found)
08:58:13 ipsec,debug sending empty reply
08:58:13 ipsec <- ike2 reply, exchange: INFORMATIONAL:632 x.x.x.82[77]
08:58:13 ipsec,debug ===== sending 112 bytes from x.x.x.122[500] to x.x.x.82[77]
08:58:13 ipsec,debug 1 times of 112 bytes message will be sent to x.x.x.82[77]
08:58:17 ipsec,debug ===== received 352 bytes from x.x.x.82[77] to x.x.x.122[500]
08:58:17 ipsec -> ike2 request, exchange: CREATE_CHILD_SA:633 x.x.x.82[77]
08:58:17 ipsec payload seen: ENC
08:58:17 ipsec processing payload: ENC
08:58:17 ipsec,debug => iv (size 0x10)
08:58:17 ipsec,debug 3e0e103f d18d3ef9 d38bf496 7dccc301
08:58:17 ipsec,debug => plain payload (trimmed) (first 0x100 of 0x110)

 

 

marchand
New Contributor III

/ip ipsec peer> print
Flags: X - disabled, D - dynamic, R - responder
 0     name="forti-HQ" address=8x.xxx.xxx.xxx/32 profile=forti-HQ exchange-mode=ike2 send-initial-contact=yes

/ip ipsec policy> print
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
 #      PEER                 TUNNEL SRC-ADDRESS                                                 DST-ADDRESS                                                 PROTOCOL   ACTION  LEVEL    PH2-COUNT
 
 1   A  forti-HQ             no     8x.xxx.xxx.xx/32                                            8x.xxx.xxx.xx/32                                            all        encrypt require         13
/ip ipsec profile> print
Flags: * - default
 
 1   name="forti-HQ" hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp2048 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5

/ip ipsec proposal> print
Flags: X - disabled, * - default
  1    name="forti-HQ" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=modp2048


Fortigate:

(HQ-mikrotik) # show
config vpn ipsec phase2-interface
    edit "HQ-mikrotik"
        set phase1name "HQ-mikrotik"
        set proposal aes128-sha1
        set dhgrp 14
        set replay disable
        set auto-negotiate enable
        set encapsulation transport-mode
        set comments "VPN: HQ-mikrotik"
        set protocol 47
    next
end



Result from log:

ike 2:HQ-mikrotik:557: responder received AUTH msg
ike 2:HQ-mikrotik:557: processing notify type INITIAL_CONTACT
ike 2:HQ-mikrotik:557: processing notify type USE_TRANSPORT_MODE
ike 2:HQ-mikrotik:557: peer identifier IPV4_ADDR 8x.xxx.xxx.xxx
ike 2:HQ-mikrotik:557: auth verify done
ike 2:HQ-mikrotik:557: responder AUTH continuation
ike 2:HQ-mikrotik:557: authentication succeeded
ike 2:HQ-mikrotik:557: responder creating new child
ike 2:HQ-mikrotik:557:14864: peer proposal:
ike 2:HQ-mikrotik:557:14864: TSi_0 0:0.0.0.0-255.255.255.255:0
ike 2:HQ-mikrotik:557:14864: TSr_0 0:8x.xxx.xxx.xxx-8x.xxx.xxx.xxx:0
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: comparing selectors
ike 2:HQ-mikrotik:557:14864: transport mode, override with 0:8x.xxx.xxx.xxx-8x.xxx.xxx.xxx:0 -> 0:8x.xxx.xxx.xxx-8x.xxx.xxx.xxx
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: matched by rfc-rule-4
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: phase2 matched by intersection
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: accepted proposal:
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: TSi_0 47:8x.xxx.xxx.xxx-8x.xxx.xxx.xxx:0
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: TSr_0 47:8x.xxx.xxx.xxx-8x.xxx.xxx.xxx:0
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: autokey
ike 2:HQ-mikrotik:557:14864: using transport mode selectors
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: incoming child SA proposal:
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: proposal id = 1:
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864:   protocol = ESP:
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864:      encapsulation = TRANSPORT
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864:         type=ENCR, val=AES_CBC (key_len = 128)
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864:         type=INTEGR, val=SHA
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864:         type=ESN, val=NO
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864:         PFS is disabled
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: matched proposal id 1
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: proposal id = 1:
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864:   protocol = ESP:
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864:      encapsulation = TRANSPORT
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864:         type=ENCR, val=AES_CBC (key_len = 128)
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864:         type=INTEGR, val=SHA
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864:         type=ESN, val=NO
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864:         PFS is disabled
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: lifetime=43200
ike 2:HQ-mikrotik:557: responder preparing AUTH msg
ike 2:HQ-mikrotik:557: established IKE SA 7946024a5879b7ae/5aa9b1311435ddae
ike 2:HQ-mikrotik:557: processing INITIAL-CONTACT
ike 2:HQ-mikrotik: flushing
ike 2:HQ-mikrotik: flushed
ike 2:HQ-mikrotik:557: processed INITIAL-CONTACT
ike 2:HQ-mikrotik: set oper up
ike 2:HQ-mikrotik: schedule auto-negotiate
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: set sa life soft seconds=42930.
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: set sa life hard seconds=43200.
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: IPsec SA selectors #src=1 #dst=1
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: src 0 7 47:8x.xxx.xxx.xxx-8x.xxx.xxx.xxx:0
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: dst 0 7 47:8x.xxx.xxx.xxx-8x.xxx.xxx.xxx:0
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: add dynamic IPsec SA selectors
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: added dynamic IPsec SA proxyids, new serial 10
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: add IPsec SA: SPIs=e3bb28e5/0bedf80f
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: IPsec SA dec spi e3bb28e5 key 16:9ABA9348266BBC27BB69C9108B0C8F1C auth 20:449BF2521F91EB94398C547CF76D1406C158EA03
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: IPsec SA enc spi 0bedf80f key 16:7B69D9F9777CCBCBFF39638091FA3E79 auth 20:F43575FC84439C3576E4B034B91C7FA52AEA190B
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: transport mode encapsulation is enabled
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: added IPsec SA: SPIs=e3bb28e5/0bedf80f
ike 2:HQ-mikrotik:557:HQ-mikrotik:14864: sending SNMP tunnel UP trap
ike 2:HQ-mikrotik:557: enc 2700000C0100000051C4A91B2900001C020000004910F2E19F03DBC3001C94A2801BE1B0BE8731FB21000008000040072C00002C0000002801030403E3BB28E50300000C0100000C800E0080030000080300000200000008050000002D00001801000000072F00100000FFFF51C4A91E51C4A91E0000001801000000072F00100000FFFF51C4A91B51C4A91B03020103
ike 2:HQ-mikrotik:557: out 7946024A5879B7AE5AA9B1311435DDAE2E20232000000001000000CC240000B0E93D18395280B46742C374EB925E7EE35A43BC0FAAF7DF7968FD47C64174A597E73FB568BC4E42AE33B08B92E63368B1B1E546BE1F745942705B6A938D56AA2011C7EDBFD3AB21472555C9B6334C191FF4869C50D2BFF3C163E7E51571F117CD1CE74D823DEE46D86FB9A277E44C1A308242C0C16D899F5DB26E2729D302BC9CF06944107DEE85D2BF4E8420A37A283A53AA1131F376934CB96442E79CF7F809480838A26ED2A005E7C0550C
ike 2:HQ-mikrotik:557: sent IKE msg (AUTH_RESPONSE): 88x.xxx.xxx.xxx:4500->88x.xxx.xxx.xxx:4500, len=204, id=7946024a5879b7ae/5aa9b1311435ddae:00000001
ike 2:HQ-mikrotik: carrier up
ike 2:HQ-mikrotik:HQ-mikrotik: IPsec SA connect 16 8x.xxx.xxx.xxx->8x.xxx.xxx.xxx:0
ike 2:HQ-mikrotik:HQ-mikrotik: using existing connection
ike 2:HQ-mikrotik:HQ-mikrotik: config found
ike 2:HQ-mikrotik:HQ-mikrotik: tunnel is up, ignoring connect event
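As an added illustration (my own code, not from the thread or either vendor), this Python snippet models the traffic-selector narrowing behind the "phase2 matched by intersection" lines in the log above: the initiator's wide TSi is intersected with the gateway's own protocol-47 host selectors, and a disjoint pair corresponds to the "failed to match peer selectors" line from the earlier post. The "<proto>:<first>-<last>:<port>" parsing is assumed from the debug notation in this thread, and the addresses are constructed RFC 5737 values standing in for the masked public IPs.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class TS:
    """One IKEv2 traffic selector in FortiGate's debug notation "<proto>:<first>-<last>:<port>"."""
    proto: int   # 0 = any IP protocol, 47 = GRE
    start: int   # first address as an integer
    end: int     # last address as an integer
    port: int    # 0 = any port (the debug lines print a single port field)

    @classmethod
    def parse(cls, text: str) -> "TS":
        proto, addrs, port = text.split(":")
        first, last = addrs.split("-")
        return cls(int(proto), int(ipaddress.ip_address(first)),
                   int(ipaddress.ip_address(last)), int(port))

    def __str__(self) -> str:
        return (f"{self.proto}:{ipaddress.ip_address(self.start)}-"
                f"{ipaddress.ip_address(self.end)}:{self.port}")


def narrow(peer: TS, local: TS) -> Optional[TS]:
    """RFC 7296 section 2.9 narrowing: the intersection of two selectors, or None if disjoint."""
    if peer.proto and local.proto and peer.proto != local.proto:
        return None                       # e.g. peer wants TCP, we only allow GRE
    if peer.port and local.port and peer.port != local.port:
        return None
    start, end = max(peer.start, local.start), min(peer.end, local.end)
    if start > end:
        return None                       # address ranges do not overlap
    return TS(peer.proto or local.proto, start, end, peer.port or local.port)


def negotiate_child(peer_tsi: str, peer_tsr: str, local_tsi: str, local_tsr: str
                    ) -> Optional[Tuple[str, str]]:
    """Responder view: both TSi and TSr must intersect, else 'failed to match peer selectors'."""
    tsi = narrow(TS.parse(peer_tsi), TS.parse(local_tsi))
    tsr = narrow(TS.parse(peer_tsr), TS.parse(local_tsr))
    return None if tsi is None or tsr is None else (str(tsi), str(tsr))


# Constructed values modelled on the accepted proposal in the log above, with the masked
# public addresses replaced by RFC 5737 documentation addresses.
FGT_WAN, MIKROTIK_WAN = "203.0.113.5", "198.51.100.9"
PEER_TSI = "0:0.0.0.0-255.255.255.255:0"              # initiator (Mikrotik) offers any source
PEER_TSR = f"0:{FGT_WAN}-{FGT_WAN}:0"                  # ... towards the FortiGate WAN address
LOCAL_TSI = f"47:{MIKROTIK_WAN}-{MIKROTIK_WAN}:0"      # FGT phase2: protocol 47, peer WAN host
LOCAL_TSR = f"47:{FGT_WAN}-{FGT_WAN}:0"                # ... to its own WAN host
```

`negotiate_child(PEER_TSI, PEER_TSR, LOCAL_TSI, LOCAL_TSR)` narrows both selectors to the protocol-47 host pair, the same shape as the "accepted proposal" TSi_0/TSr_0 lines above.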

