Hi all,
Hoping someone has had this requirement before. I need to configure a dialup VPN with LDAP authentication that the Windows native VPN client can connect to (not using FortiClient or similar).
I can connect with XAUTH disabled using a local firewall account in my User Group, but when I enable XAUTH the debugs suggest that the firewall doesn't get any XAUTH data from the client.
FortiOS 5.2.4
Jason
Uhm XAUTH is something else
You need to add your LDAP Server at User&Devices > Authentication > LDAP Server and add your AD Group to the usergroup at User&Devices > User > User Groups
gschmitt wrote:Uhm XAUTH is something else
You need to add your LDAP Server at User&Devices > Authentication > LDAP Server and add your AD Group to the usergroup at User&Devices > User > User Groups
The LDAP server and user group is already added (and the LDAP authentication works for an admin user on the firewall). It's just the dialup VPN that doesn't appear to be able to deal with it. With XAUTH disabled it doesn't appear to even try the LDAP server, and when it's enabled the clients can't connect unless FortiClient is used.
Can you try using LDAP Authentication in some other context? Like creating a policy with authentication for that user group to access some resource and see if the authentication works there?
Did you use cn or sAMAccountName for the LDAP configuration?
Have you tried using domain\username and just the username for the username?
gschmitt wrote:Can you try using LDAP Authentication in some other context? Like creating a policy with authentication for that user group to access some resource and see if the authentication works there?
Did you use cn or sAMAccountName for the LDAP configuration?
Have you tried using domain\username and just the username for the username?
Thanks for your quick reply.
I've used the LDAP authentication on an admin user locally, and also connected to the VPN using FortiClient (but we can't use FortiClient in production unfortunately).
I used sAMAccountName in the LDAP config
And yes - I've tried both domain\username and just the username alone, both with same result.
Jason
In the settings of the VPN Interface (run ncpa.cpl) in the Security Tab set it to "Allow these protocols" and check EVERYTHING
Does it work that way?
gschmitt wrote:In the settings of the VPN Interface (run ncpa.cpl) in the Security Tab set it to "Allow these protocols" and check EVERYTHING
Does it work that way?
Nope - still same issue (already had those set). The VPN does work if I add a local firewall user to the group and authenticate using that though so I don't think it's a client side issue. The documentation I've seen suggests that remote authentication such as LDAP on a dialup VPN requires XAUTH to be enabled on the VPN, but the Windows native client doesn't seem to support XAUTH.
Hm go into the cli
diag debug reset
diag debug enable
diag debug application fnbamd -1
Try the connection and check the output
gschmitt wrote:Hm go into the cli
diag debug reset
diag debug enable
diag debug application fnbamd -1
Try the connection and check the output
I see nothing in the logs at all when I use the Windows native VPN client, but when I use FortiClient I do.
I ran a debug on the VPN (diagnose debug app ike -1) and got this, I've removed some of the IP octets for security reasons.
AccessFW1-2 # ike 0: comes X.X.129.224:1011->X.X.131.202:500,ifindex=6....
ike 0: IKEv2 exchange=SA_INIT id=94279ec772e3e004/0000000000000000 len=880
ike 0:94279ec772e3e004/0000000000000000:160: responder received SA_INIT msg
ike 0:94279ec772e3e004/0000000000000000:160: received notify type NAT_DETECTION_SOURCE_IP
ike 0:94279ec772e3e004/0000000000000000:160: received notify type NAT_DETECTION_DESTINATION_IP
ike 0:94279ec772e3e004/0000000000000000:160: incoming proposal:
ike 0:94279ec772e3e004/0000000000000000:160: proposal id = 1:
ike 0:94279ec772e3e004/0000000000000000:160: protocol = IKEv2:
ike 0:94279ec772e3e004/0000000000000000:160: encapsulation = IKEv2/none
ike 0:94279ec772e3e004/0000000000000000:160: type=ENCR, val=3DES_CBC
ike 0:94279ec772e3e004/0000000000000000:160: type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:94279ec772e3e004/0000000000000000:160: type=PRF, val=PRF_HMAC_SHA
ike 0:94279ec772e3e004/0000000000000000:160: type=DH_GROUP, val=MODP1024.
ike 0:94279ec772e3e004/0000000000000000:160: proposal id = 2:
ike 0:94279ec772e3e004/0000000000000000:160: protocol = IKEv2:
ike 0:94279ec772e3e004/0000000000000000:160: encapsulation = IKEv2/none
ike 0:94279ec772e3e004/0000000000000000:160: type=ENCR, val=3DES_CBC
ike 0:94279ec772e3e004/0000000000000000:160: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:94279ec772e3e004/0000000000000000:160: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:94279ec772e3e004/0000000000000000:160: type=DH_GROUP, val=MODP1024.
ike 0:94279ec772e3e004/0000000000000000:160: proposal id = 3:
ike 0:94279ec772e3e004/0000000000000000:160: protocol = IKEv2:
ike 0:94279ec772e3e004/0000000000000000:160: encapsulation = IKEv2/none
ike 0:94279ec772e3e004/0000000000000000:160: type=ENCR, val=3DES_CBC
ike 0:94279ec772e3e004/0000000000000000:160: type=INTEGR, val=AUTH_HMAC_SHA2_384_192
ike 0:94279ec772e3e004/0000000000000000:160: type=PRF, val=PRF_HMAC_SHA2_384
ike 0:94279ec772e3e004/0000000000000000:160: type=DH_GROUP, val=MODP1024.
ike 0:94279ec772e3e004/0000000000000000:160: proposal id = 4:
ike 0:94279ec772e3e004/0000000000000000:160: protocol = IKEv2:
ike 0:94279ec772e3e004/0000000000000000:160: encapsulation = IKEv2/none
ike 0:94279ec772e3e004/0000000000000000:160: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:94279ec772e3e004/0000000000000000:160: type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:94279ec772e3e004/0000000000000000:160: type=PRF, val=PRF_HMAC_SHA
ike 0:94279ec772e3e004/0000000000000000:160: type=DH_GROUP, val=MODP1024.
ike 0:94279ec772e3e004/0000000000000000:160: proposal id = 5:
ike 0:94279ec772e3e004/0000000000000000:160: protocol = IKEv2:
ike 0:94279ec772e3e004/0000000000000000:160: encapsulation = IKEv2/none
ike 0:94279ec772e3e004/0000000000000000:160: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:94279ec772e3e004/0000000000000000:160: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:94279ec772e3e004/0000000000000000:160: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:94279ec772e3e004/0000000000000000:160: type=DH_GROUP, val=MODP1024.
ike 0:94279ec772e3e004/0000000000000000:160: proposal id = 6:
ike 0:94279ec772e3e004/0000000000000000:160: protocol = IKEv2:
ike 0:94279ec772e3e004/0000000000000000:160: encapsulation = IKEv2/none
ike 0:94279ec772e3e004/0000000000000000:160: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:94279ec772e3e004/0000000000000000:160: type=INTEGR, val=AUTH_HMAC_SHA2_384_192
ike 0:94279ec772e3e004/0000000000000000:160: type=PRF, val=PRF_HMAC_SHA2_384
ike 0:94279ec772e3e004/0000000000000000:160: type=DH_GROUP, val=MODP1024.
ike 0:94279ec772e3e004/0000000000000000:160: proposal id = 7:
ike 0:94279ec772e3e004/0000000000000000:160: protocol = IKEv2:
ike 0:94279ec772e3e004/0000000000000000:160: encapsulation = IKEv2/none
ike 0:94279ec772e3e004/0000000000000000:160: type=ENCR, val=AES_CBC (key_len = 192)
ike 0:94279ec772e3e004/0000000000000000:160: type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:94279ec772e3e004/0000000000000000:160: type=PRF, val=PRF_HMAC_SHA
ike 0:94279ec772e3e004/0000000000000000:160: type=DH_GROUP, val=MODP1024.
ike 0:94279ec772e3e004/0000000000000000:160: proposal id = 8:
ike 0:94279ec772e3e004/0000000000000000:160: protocol = IKEv2:
ike 0:94279ec772e3e004/0000000000000000:160: encapsulation = IKEv2/none
ike 0:94279ec772e3e004/0000000000000000:160: type=ENCR, val=AES_CBC (key_len = 192)
ike 0:94279ec772e3e004/0000000000000000:160: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:94279ec772e3e004/0000000000000000:160: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:94279ec772e3e004/0000000000000000:160: type=DH_GROUP, val=MODP1024.
ike 0:94279ec772e3e004/0000000000000000:160: proposal id = 9:
ike 0:94279ec772e3e004/0000000000000000:160: protocol = IKEv2:
ike 0:94279ec772e3e004/0000000000000000:160: encapsulation = IKEv2/none
ike 0:94279ec772e3e004/0000000000000000:160: type=ENCR, val=AES_CBC (key_len = 192)
ike 0:94279ec772e3e004/0000000000000000:160: type=INTEGR, val=AUTH_HMAC_SHA2_384_192
ike 0:94279ec772e3e004/0000000000000000:160: type=PRF, val=PRF_HMAC_SHA2_384
ike 0:94279ec772e3e004/0000000000000000:160: type=DH_GROUP, val=MODP1024.
ike 0:94279ec772e3e004/0000000000000000:160: proposal id = 10:
ike 0:94279ec772e3e004/0000000000000000:160: protocol = IKEv2:
ike 0:94279ec772e3e004/0000000000000000:160: encapsulation = IKEv2/none
ike 0:94279ec772e3e004/0000000000000000:160: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:94279ec772e3e004/0000000000000000:160: type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:94279ec772e3e004/0000000000000000:160: type=PRF, val=PRF_HMAC_SHA
ike 0:94279ec772e3e004/0000000000000000:160: type=DH_GROUP, val=MODP1024.
ike 0:94279ec772e3e004/0000000000000000:160: proposal id = 11:
ike 0:94279ec772e3e004/0000000000000000:160: protocol = IKEv2:
ike 0:94279ec772e3e004/0000000000000000:160: encapsulation = IKEv2/none
ike 0:94279ec772e3e004/0000000000000000:160: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:94279ec772e3e004/0000000000000000:160: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:94279ec772e3e004/0000000000000000:160: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:94279ec772e3e004/0000000000000000:160: type=DH_GROUP, val=MODP1024.
ike 0:94279ec772e3e004/0000000000000000:160: proposal id = 12:
ike 0:94279ec772e3e004/0000000000000000:160: protocol = IKEv2:
ike 0:94279ec772e3e004/0000000000000000:160: encapsulation = IKEv2/none
ike 0:94279ec772e3e004/0000000000000000:160: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:94279ec772e3e004/0000000000000000:160: type=INTEGR, val=AUTH_HMAC_SHA2_384_192
ike 0:94279ec772e3e004/0000000000000000:160: type=PRF, val=PRF_HMAC_SHA2_384
ike 0:94279ec772e3e004/0000000000000000:160: type=DH_GROUP, val=MODP1024.
ike 0:94279ec772e3e004/0000000000000000:160: no proposal chosen
ike Negotiate SA Error: ike ike [6629]
ike 0: comes X.X.129.224:1011->X.X.131.202:500,ifindex=6....
ike 0: IKEv2 exchange=SA_INIT id=94279ec772e3e004/0000000000000000 len=880
ike 0:94279ec772e3e004/0000000000000000:161: responder received SA_INIT msg
ike 0:94279ec772e3e004/0000000000000000:161: received notify type NAT_DETECTION_SOURCE_IP
ike 0:94279ec772e3e004/0000000000000000:161: received notify type NAT_DETECTION_DESTINATION_IP
ike 0:94279ec772e3e004/0000000000000000:161: incoming proposal:
ike 0:94279ec772e3e004/0000000000000000:161: proposal id = 1:
ike 0:94279ec772e3e004/0000000000000000:161: protocol = IKEv2:
ike 0:94279ec772e3e004/0000000000000000:161: encapsulation = IKEv2/none
ike 0:94279ec772e3e004/0000000000000000:161: type=ENCR, val=3DES_CBC
ike 0:94279ec772e3e004/0000000000000000:161: type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:94279ec772e3e004/0000000000000000:161: type=PRF, val=PRF_HMAC_SHA
ike 0:94279ec772e3e004/0000000000000000:161: type=DH_GROUP, val=MODP1024.
ike 0:94279ec772e3e004/0000000000000000:161: proposal id = 2:
ike 0:94279ec772e3e004/0000000000000000:161: protocol = IKEv2:
ike 0:94279ec772e3e004/0000000000000000:161: encapsulation = IKEv2/none
ike 0:94279ec772e3e004/0000000000000000:161: type=ENCR, val=3DES_CBC
ike 0:94279ec772e3e004/0000000000000000:161: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:94279ec772e3e004/0000000000000000:161: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:94279ec772e3e004/0000000000000000:161: type=DH_GROUP, val=MODP1024.
ike 0:94279ec772e3e004/0000000000000000:161: proposal id = 3:
ike 0:94279ec772e3e004/0000000000000000:161: protocol = IKEv2:
ike 0:94279ec772e3e004/0000000000000000:161: encapsulation = IKEv2/none
ike 0:94279ec772e3e004/0000000000000000:161: type=ENCR, val=3DES_CBC
ike 0:94279ec772e3e004/0000000000000000:161: type=INTEGR, val=AUTH_HMAC_SHA2_384_192
ike 0:94279ec772e3e004/0000000000000000:161: type=PRF, val=PRF_HMAC_SHA2_384
ike 0:94279ec772e3e004/0000000000000000:161: type=DH_GROUP, val=MODP1024.
ike 0:94279ec772e3e004/0000000000000000:161: proposal id = 4:
ike 0:94279ec772e3e004/0000000000000000:161: protocol = IKEv2:
ike 0:94279ec772e3e004/0000000000000000:161: encapsulation = IKEv2/none
ike 0:94279ec772e3e004/0000000000000000:161: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:94279ec772e3e004/0000000000000000:161: type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:94279ec772e3e004/0000000000000000:161: type=PRF, val=PRF_HMAC_SHA
ike 0:94279ec772e3e004/0000000000000000:161: type=DH_GROUP, val=MODP1024.
ike 0:94279ec772e3e004/0000000000000000:161: proposal id = 5:
ike 0:94279ec772e3e004/0000000000000000:161: protocol = IKEv2:
ike 0:94279ec772e3e004/0000000000000000:161: encapsulation = IKEv2/none
ike 0:94279ec772e3e004/0000000000000000:161: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:94279ec772e3e004/0000000000000000:161: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:94279ec772e3e004/0000000000000000:161: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:94279ec772e3e004/0000000000000000:161: type=DH_GROUP, val=MODP1024.
ike 0:94279ec772e3e004/0000000000000000:161: proposal id = 6:
ike 0:94279ec772e3e004/0000000000000000:161: protocol = IKEv2:
ike 0:94279ec772e3e004/0000000000000000:161: encapsulation = IKEv2/none
ike 0:94279ec772e3e004/0000000000000000:161: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:94279ec772e3e004/0000000000000000:161: type=INTEGR, val=AUTH_HMAC_SHA2_384_192
ike 0:94279ec772e3e004/0000000000000000:161: type=PRF, val=PRF_HMAC_SHA2_384
ike 0:94279ec772e3e004/0000000000000000:161: type=DH_GROUP, val=MODP1024.
ike 0:94279ec772e3e004/0000000000000000:161: proposal id = 7:
ike 0:94279ec772e3e004/0000000000000000:161: protocol = IKEv2:
ike 0:94279ec772e3e004/0000000000000000:161: encapsulation = IKEv2/none
ike 0:94279ec772e3e004/0000000000000000:161: type=ENCR, val=AES_CBC (key_len = 192)
ike 0:94279ec772e3e004/0000000000000000:161: type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:94279ec772e3e004/0000000000000000:161: type=PRF, val=PRF_HMAC_SHA
ike 0:94279ec772e3e004/0000000000000000:161: type=DH_GROUP, val=MODP1024.
ike 0:94279ec772e3e004/0000000000000000:161: proposal id = 8:
ike 0:94279ec772e3e004/0000000000000000:161: protocol = IKEv2:
ike 0:94279ec772e3e004/0000000000000000:161: encapsulation = IKEv2/none
ike 0:94279ec772e3e004/0000000000000000:161: type=ENCR, val=AES_CBC (key_len = 192)
ike 0:94279ec772e3e004/0000000000000000:161: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:94279ec772e3e004/0000000000000000:161: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:94279ec772e3e004/0000000000000000:161: type=DH_GROUP, val=MODP1024.
ike 0:94279ec772e3e004/0000000000000000:161: proposal id = 9:
ike 0:94279ec772e3e004/0000000000000000:161: protocol = IKEv2:
ike 0:94279ec772e3e004/0000000000000000:161: encapsulation = IKEv2/none
ike 0:94279ec772e3e004/0000000000000000:161: type=ENCR, val=AES_CBC (key_len = 192)
ike 0:94279ec772e3e004/0000000000000000:161: type=INTEGR, val=AUTH_HMAC_SHA2_384_192
ike 0:94279ec772e3e004/0000000000000000:161: type=PRF, val=PRF_HMAC_SHA2_384
ike 0:94279ec772e3e004/0000000000000000:161: type=DH_GROUP, val=MODP1024.
ike 0:94279ec772e3e004/0000000000000000:161: proposal id = 10:
ike 0:94279ec772e3e004/0000000000000000:161: protocol = IKEv2:
ike 0:94279ec772e3e004/0000000000000000:161: encapsulation = IKEv2/none
ike 0:94279ec772e3e004/0000000000000000:161: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:94279ec772e3e004/0000000000000000:161: type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:94279ec772e3e004/0000000000000000:161: type=PRF, val=PRF_HMAC_SHA
ike 0:94279ec772e3e004/0000000000000000:161: type=DH_GROUP, val=MODP1024.
ike 0:94279ec772e3e004/0000000000000000:161: proposal id = 11:
ike 0:94279ec772e3e004/0000000000000000:161: protocol = IKEv2:
ike 0:94279ec772e3e004/0000000000000000:161: encapsulation = IKEv2/none
ike 0:94279ec772e3e004/0000000000000000:161: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:94279ec772e3e004/0000000000000000:161: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:94279ec772e3e004/0000000000000000:161: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:94279ec772e3e004/0000000000000000:161: type=DH_GROUP, val=MODP1024.
ike 0:94279ec772e3e004/0000000000000000:161: proposal id = 12:
ike 0:94279ec772e3e004/0000000000000000:161: protocol = IKEv2:
ike 0:94279ec772e3e004/0000000000000000:161: encapsulation = IKEv2/none
ike 0:94279ec772e3e004/0000000000000000:161: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:94279ec772e3e004/0000000000000000:161: type=INTEGR, val=AUTH_HMAC_SHA2_384_192
ike 0:94279ec772e3e004/0000000000000000:161: type=PRF, val=PRF_HMAC_SHA2_384
ike 0:94279ec772e3e004/0000000000000000:161: type=DH_GROUP, val=MODP1024.
ike 0:94279ec772e3e004/0000000000000000:161: no proposal chosen
ike Negotiate SA Error: ike ike [6629]
ike 0: comes X.X.129.224:1011->X.X.131.202:500,ifindex=6....
ike 0: IKEv2 exchange=SA_INIT id=94279ec772e3e004/0000000000000000 len=880
ike 0:94279ec772e3e004/0000000000000000:162: responder received SA_INIT msg
ike 0:94279ec772e3e004/0000000000000000:162: received notify type NAT_DETECTION_SOURCE_IP
ike 0:94279ec772e3e004/0000000000000000:162: received notify type NAT_DETECTION_DESTINATION_IP
ike 0:94279ec772e3e004/0000000000000000:162: incoming proposal:
ike 0:94279ec772e3e004/0000000000000000:162: proposal id = 1:
ike 0:94279ec772e3e004/0000000000000000:162: protocol = IKEv2:
ike 0:94279ec772e3e004/0000000000000000:162: encapsulation = IKEv2/none
ike 0:94279ec772e3e004/0000000000000000:162: type=ENCR, val=3DES_CBC
ike 0:94279ec772e3e004/0000000000000000:162: type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:94279ec772e3e004/0000000000000000:162: type=PRF, val=PRF_HMAC_SHA
ike 0:94279ec772e3e004/0000000000000000:162: type=DH_GROUP, val=MODP1024.
ike 0:94279ec772e3e004/0000000000000000:162: proposal id = 2:
ike 0:94279ec772e3e004/0000000000000000:162: protocol = IKEv2:
ike 0:94279ec772e3e004/0000000000000000:162: encapsulation = IKEv2/none
ike 0:94279ec772e3e004/0000000000000000:162: type=ENCR, val=3DES_CBC
ike 0:94279ec772e3e004/0000000000000000:162: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:94279ec772e3e004/0000000000000000:162: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:94279ec772e3e004/0000000000000000:162: type=DH_GROUP, val=MODP1024.
ike 0:94279ec772e3e004/0000000000000000:162: proposal id = 3:
ike 0:94279ec772e3e004/0000000000000000:162: protocol = IKEv2:
ike 0:94279ec772e3e004/0000000000000000:162: encapsulation = IKEv2/none
ike 0:94279ec772e3e004/0000000000000000:162: type=ENCR, val=3DES_CBC
ike 0:94279ec772e3e004/0000000000000000:162: type=INTEGR, val=AUTH_HMAC_SHA2_384_192
ike 0:94279ec772e3e004/0000000000000000:162: type=PRF, val=PRF_HMAC_SHA2_384
ike 0:94279ec772e3e004/0000000000000000:162: type=DH_GROUP, val=MODP1024.
ike 0:94279ec772e3e004/0000000000000000:162: proposal id = 4:
ike 0:94279ec772e3e004/0000000000000000:162: protocol = IKEv2:
ike 0:94279ec772e3e004/0000000000000000:162: encapsulation = IKEv2/none
ike 0:94279ec772e3e004/0000000000000000:162: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:94279ec772e3e004/0000000000000000:162: type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:94279ec772e3e004/0000000000000000:162: type=PRF, val=PRF_HMAC_SHA
ike 0:94279ec772e3e004/0000000000000000:162: type=DH_GROUP, val=MODP1024.
ike 0:94279ec772e3e004/0000000000000000:162: proposal id = 5:
ike 0:94279ec772e3e004/0000000000000000:162: protocol = IKEv2:
ike 0:94279ec772e3e004/0000000000000000:162: encapsulation = IKEv2/none
ike 0:94279ec772e3e004/0000000000000000:162: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:94279ec772e3e004/0000000000000000:162: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:94279ec772e3e004/0000000000000000:162: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:94279ec772e3e004/0000000000000000:162: type=DH_GROUP, val=MODP1024.
ike 0:94279ec772e3e004/0000000000000000:162: proposal id = 6:
ike 0:94279ec772e3e004/0000000000000000:162: protocol = IKEv2:
ike 0:94279ec772e3e004/0000000000000000:162: encapsulation = IKEv2/none
ike 0:94279ec772e3e004/0000000000000000:162: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:94279ec772e3e004/0000000000000000:162: type=INTEGR, val=AUTH_HMAC_SHA2_384_192
ike 0:94279ec772e3e004/0000000000000000:162: type=PRF, val=PRF_HMAC_SHA2_384
ike 0:94279ec772e3e004/0000000000000000:162: type=DH_GROUP, val=MODP1024.
ike 0:94279ec772e3e004/0000000000000000:162: proposal id = 7:
ike 0:94279ec772e3e004/0000000000000000:162: protocol = IKEv2:
ike 0:94279ec772e3e004/0000000000000000:162: encapsulation = IKEv2/none
ike 0:94279ec772e3e004/0000000000000000:162: type=ENCR, val=AES_CBC (key_len = 192)
ike 0:94279ec772e3e004/0000000000000000:162: type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:94279ec772e3e004/0000000000000000:162: type=PRF, val=PRF_HMAC_SHA
ike 0:94279ec772e3e004/0000000000000000:162: type=DH_GROUP, val=MODP1024.
ike 0:94279ec772e3e004/0000000000000000:162: proposal id = 8:
ike 0:94279ec772e3e004/0000000000000000:162: protocol = IKEv2:
ike 0:94279ec772e3e004/0000000000000000:162: encapsulation = IKEv2/none
ike 0:94279ec772e3e004/0000000000000000:162: type=ENCR, val=AES_CBC (key_len = 192)
ike 0:94279ec772e3e004/0000000000000000:162: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:94279ec772e3e004/0000000000000000:162: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:94279ec772e3e004/0000000000000000:162: type=DH_GROUP, val=MODP1024.
ike 0:94279ec772e3e004/0000000000000000:162: proposal id = 9:
ike 0:94279ec772e3e004/0000000000000000:162: protocol = IKEv2:
ike 0:94279ec772e3e004/0000000000000000:162: encapsulation = IKEv2/none
ike 0:94279ec772e3e004/0000000000000000:162: type=ENCR, val=AES_CBC (key_len = 192)
ike 0:94279ec772e3e004/0000000000000000:162: type=INTEGR, val=AUTH_HMAC_SHA2_384_192
ike 0:94279ec772e3e004/0000000000000000:162: type=PRF, val=PRF_HMAC_SHA2_384
ike 0:94279ec772e3e004/0000000000000000:162: type=DH_GROUP, val=MODP1024.
ike 0:94279ec772e3e004/0000000000000000:162: proposal id = 10:
ike 0:94279ec772e3e004/0000000000000000:162: protocol = IKEv2:
ike 0:94279ec772e3e004/0000000000000000:162: encapsulation = IKEv2/none
ike 0:94279ec772e3e004/0000000000000000:162: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:94279ec772e3e004/0000000000000000:162: type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:94279ec772e3e004/0000000000000000:162: type=PRF, val=PRF_HMAC_SHA
ike 0:94279ec772e3e004/0000000000000000:162: type=DH_GROUP, val=MODP1024.
ike 0:94279ec772e3e004/0000000000000000:162: proposal id = 11:
ike 0:94279ec772e3e004/0000000000000000:162: protocol = IKEv2:
ike 0:94279ec772e3e004/0000000000000000:162: encapsulation = IKEv2/none
ike 0:94279ec772e3e004/0000000000000000:162: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:94279ec772e3e004/0000000000000000:162: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:94279ec772e3e004/0000000000000000:162: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:94279ec772e3e004/0000000000000000:162: type=DH_GROUP, val=MODP1024.
ike 0:94279ec772e3e004/0000000000000000:162: proposal id = 12:
ike 0:94279ec772e3e004/0000000000000000:162: protocol = IKEv2:
ike 0:94279ec772e3e004/0000000000000000:162: encapsulation = IKEv2/none
ike 0:94279ec772e3e004/0000000000000000:162: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:94279ec772e3e004/0000000000000000:162: type=INTEGR, val=AUTH_HMAC_SHA2_384_192
ike 0:94279ec772e3e004/0000000000000000:162: type=PRF, val=PRF_HMAC_SHA2_384
ike 0:94279ec772e3e004/0000000000000000:162: type=DH_GROUP, val=MODP1024.
ike 0:94279ec772e3e004/0000000000000000:162: no proposal chosen
ike Negotiate SA Error: ike ike [6629]
ike shrank heap by 57344 bytes
ike shrank heap by 77824 bytes
ike 0: comes X.X.129.224:1011->X.X.131.202:500,ifindex=6....
ike 0: IKEv1 exchange=Identity Protection id=59b0a05683e8df59/0000000000000000 len=408
ike 0:59b0a05683e8df59/0000000000000000:163: responder: main mode get 1st message...
ike 0:59b0a05683e8df59/0000000000000000:163: VID unknown (20): 01528BBBC00696121849AB9A1C5B2A5100000001
ike 0:59b0a05683e8df59/0000000000000000:163: VID MS NT5 ISAKMPOAKLEY 1E2B516905991C7D7C96FCBFB587E46100000009
ike 0:59b0a05683e8df59/0000000000000000:163: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:59b0a05683e8df59/0000000000000000:163: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:59b0a05683e8df59/0000000000000000:163: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike 0:59b0a05683e8df59/0000000000000000:163: VID unknown (16): FB1DE3CDF341B7EA16B7E5BE0855F120
ike 0:59b0a05683e8df59/0000000000000000:163: VID unknown (16): 26244D38EDDB61B3172A36E3D0CFB819
ike 0:59b0a05683e8df59/0000000000000000:163: VID unknown (16): E3A5966A76379FE707228231E5CE8652
ike 0:59b0a05683e8df59/0000000000000000:163: negotiation result
ike 0:59b0a05683e8df59/0000000000000000:163: proposal id = 1:
ike 0:59b0a05683e8df59/0000000000000000:163: protocol id = ISAKMP:
ike 0:59b0a05683e8df59/0000000000000000:163: trans_id = KEY_IKE.
ike 0:59b0a05683e8df59/0000000000000000:163: encapsulation = IKE/none
ike 0:59b0a05683e8df59/0000000000000000:163: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:59b0a05683e8df59/0000000000000000:163: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:59b0a05683e8df59/0000000000000000:163: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:59b0a05683e8df59/0000000000000000:163: type=OAKLEY_GROUP, val=MODP1024.
ike 0:59b0a05683e8df59/0000000000000000:163: ISAKMP SA lifetime=86400
ike 0:59b0a05683e8df59/0000000000000000:163: SA proposal chosen, matched gateway DialupVPN
ike 0:DialupVPN:163: selected NAT-T version: RFC 3947
ike 0:DialupVPN:163: cookie 59b0a05683e8df59/12f5232afa52cb06
ike 0:DialupVPN:163: sent IKE msg (ident_r1send): X.X.131.202:500->X.X.129.224:1011, len=188, id=59b0a05683e8df59/12f5232afa52cb06
ike 0: comes X.X.129.224:1011->X.X.131.202:500,ifindex=6....
ike 0: IKEv1 exchange=Identity Protection id=59b0a05683e8df59/12f5232afa52cb06 len=260
ike 0:DialupVPN:163: responder:main mode get 2nd message...
ike 0:DialupVPN:163: NAT detected: PEER
ike 0:DialupVPN:163: sent IKE msg (ident_r2send): X.X.131.202:500->X.X.129.224:1011, len=228, id=59b0a05683e8df59/12f5232afa52cb06
ike 0:DialupVPN:163: ISAKMP SA 59b0a05683e8df59/12f5232afa52cb06 key 24:000ED91B65536503360315D959E54F50589CAAF8E87649FE
ike 0: comes X.X.129.224:64916->X.X.131.202:4500,ifindex=6....
ike 0: IKEv1 exchange=Identity Protection id=59b0a05683e8df59/12f5232afa52cb06 len=68
ike 0: in 59B0A05683E8DF5912F5232AFA52CB060510020100000000000000448BD590BE248B5E73C920C094548C4C1284ED46B8D8322D1223AE06E6EA2FF0BC3454EB77670BE11B
ike 0:DialupVPN:163: responder: main mode get 3rd message...
ike 0:DialupVPN:163: dec 59B0A05683E8DF5912F5232AFA52CB060510020100000000000000440800000C01000000C0A80379000000185C1C33FD3CDAF1FCAE87E7BDA2021CBADF7D67A100000000
ike 0:DialupVPN:163: peer identifier IPV4_ADDR 192.168.3.121
ike 0:DialupVPN:163: PSK authentication succeeded
ike 0:DialupVPN:163: authentication OK
ike 0:DialupVPN:163: enc 59B0A05683E8DF5912F5232AFA52CB060510020100000000000000400800000C01000000D99A83CA00000018AFBD6159890F381CD3BE3DEFCC003F42AD5E4225
ike 0:DialupVPN:163: remote port change 1011 -> 64916
ike 0:DialupVPN:163: out 59B0A05683E8DF5912F5232AFA52CB06051002010000000000000044FDC0529E4AF1BB167DB0DFDE63D6972FE36D9F813E720B1C6CA076F78B7A081FB1938ED7828D5233
ike 0:DialupVPN:163: sent IKE msg (ident_r3send): X.X.131.202:4500->X.X.129.224:64916, len=68, id=59b0a05683e8df59/12f5232afa52cb06
ike 0:DialupVPN: adding new dynamic tunnel for X.X.129.224:64916
ike 0:DialupVPN_0: added new dynamic tunnel for X.X.129.224:64916
ike 0:DialupVPN_0:163: established IKE SA 59b0a05683e8df59/12f5232afa52cb06
ike 0:DialupVPN_0: DPD disabled, not negotiated
ike 0:DialupVPN_0: HA send IKE connection add X.X.131.202->X.X.129.224
ike 0:DialupVPN_0:163: HA send IKE SA add 59b0a05683e8df59/12f5232afa52cb06
ike 0:DialupVPN_0:163: no pending Quick-Mode negotiations
ike 0: comes X.X.129.224:64916->X.X.131.202:4500,ifindex=6....
ike 0: IKEv1 exchange=Quick id=59b0a05683e8df59/12f5232afa52cb06:00000001 len=436
ike 0:DialupVPN_0:163: peer has not completed Configuration Method
ike 0: comes X.X.129.224:64916->X.X.131.202:4500,ifindex=6....
ike 0: IKEv1 exchange=Quick id=59b0a05683e8df59/12f5232afa52cb06:00000001 len=436
ike 0:DialupVPN_0:163: peer has not completed Configuration Method
ike 0: comes X.X.129.224:64916->X.X.131.202:4500,ifindex=6....
ike 0: IKEv1 exchange=Quick id=59b0a05683e8df59/12f5232afa52cb06:00000001 len=436
ike 0:DialupVPN_0:163: peer has not completed Configuration Method
ike 0: comes X.X.129.224:64916->X.X.131.202:4500,ifindex=6....
ike 0: IKEv1 exchange=Quick id=59b0a05683e8df59/12f5232afa52cb06:00000001 len=436
ike 0:DialupVPN_0:163: peer has not completed Configuration Method
ike shrank heap by 135168 bytes
ike 0: comes X.X.129.224:64916->X.X.131.202:4500,ifindex=6....
ike 0: IKEv1 exchange=Quick id=59b0a05683e8df59/12f5232afa52cb06:00000001 len=436
ike 0:DialupVPN_0:163: peer has not completed Configuration Method
ike 0: comes X.X.129.224:64916->X.X.131.202:4500,ifindex=6....
ike 0: IKEv1 exchange=Quick id=59b0a05683e8df59/12f5232afa52cb06:00000001 len=436
ike 0:DialupVPN_0:163: peer has not completed Configuration Method
ike 0: comes X.X.129.224:64916->X.X.131.202:4500,ifindex=6....
ike 0: IKEv1 exchange=Quick id=59b0a05683e8df59/12f5232afa52cb06:00000001 len=436
ike 0:DialupVPN_0:163: peer has not completed Configuration Method
ike 0: comes X.X.129.224:64916->X.X.131.202:4500,ifindex=6....
ike 0: IKEv1 exchange=Informational id=59b0a05683e8df59/12f5232afa52cb06:a5458b7a len=84
ike 0: in 59B0A05683E8DF5912F5232AFA52CB0608100501A5458B7A00000054351B4644DCB565AF17E9D56FFFFBC6C25A16CA3E9B31084AE51AC1F09C08923835CADB52325960DA9FAC3018ABD59FA6F51FC0A1F6295DB1
ike 0:DialupVPN_0:163: dec 59B0A05683E8DF5912F5232AFA52CB0608100501A5458B7A000000540C0000187EDC9E524223B5F4A3BC0815BDCC7921BE89F07E0000001C000000010110000159B0A05683E8DF5912F5232AFA52CB0600000000
ike 0:DialupVPN_0:163: recv ISAKMP SA delete 59b0a05683e8df59/12f5232afa52cb06
ike 0:DialupVPN_0: deleting
ike 0:DialupVPN_0: flushing
ike 0:DialupVPN_0: sending SNMP tunnel DOWN trap
ike 0:DialupVPN_0: flushed
ike 0:DialupVPN_0:163: HA send IKE SA del 59b0a05683e8df59/12f5232afa52cb06
ike 0:DialupVPN_0: delete dynamic
ike 0:DialupVPN_0: reset NAT-T
ike 0:DialupVPN_0: deleted
ike 0: comes X.X.129.224:1011->X.X.131.202:500,ifindex=6....
ike 0: IKEv1 exchange=Identity Protection id=4505a41d1053780b/0000000000000000 len=408
ike 0:4505a41d1053780b/0000000000000000:164: responder: main mode get 1st message...
ike 0:4505a41d1053780b/0000000000000000:164: VID unknown (20): 01528BBBC00696121849AB9A1C5B2A5100000001
ike 0:4505a41d1053780b/0000000000000000:164: VID MS NT5 ISAKMPOAKLEY 1E2B516905991C7D7C96FCBFB587E46100000009
ike 0:4505a41d1053780b/0000000000000000:164: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:4505a41d1053780b/0000000000000000:164: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:4505a41d1053780b/0000000000000000:164: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike 0:4505a41d1053780b/0000000000000000:164: VID unknown (16): FB1DE3CDF341B7EA16B7E5BE0855F120
ike 0:4505a41d1053780b/0000000000000000:164: VID unknown (16): 26244D38EDDB61B3172A36E3D0CFB819
ike 0:4505a41d1053780b/0000000000000000:164: VID unknown (16): E3A5966A76379FE707228231E5CE8652
ike 0:4505a41d1053780b/0000000000000000:164: negotiation result
ike 0:4505a41d1053780b/0000000000000000:164: proposal id = 1:
ike 0:4505a41d1053780b/0000000000000000:164: protocol id = ISAKMP:
ike 0:4505a41d1053780b/0000000000000000:164: trans_id = KEY_IKE.
ike 0:4505a41d1053780b/0000000000000000:164: encapsulation = IKE/none
ike 0:4505a41d1053780b/0000000000000000:164: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:4505a41d1053780b/0000000000000000:164: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:4505a41d1053780b/0000000000000000:164: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:4505a41d1053780b/0000000000000000:164: type=OAKLEY_GROUP, val=MODP1024.
ike 0:4505a41d1053780b/0000000000000000:164: ISAKMP SA lifetime=86400
ike 0:4505a41d1053780b/0000000000000000:164: SA proposal chosen, matched gateway DialupVPN
ike 0:DialupVPN:164: selected NAT-T version: RFC 3947
ike 0:DialupVPN:164: cookie 4505a41d1053780b/56344104650fcb44
ike 0:DialupVPN:164: out 4505A41D1053780B56344104650FCB440110020000000000000000BC0D00003800000001000000010000002C01010001000000240501000080010005800200028004000280030001800B0001000C0004000070800D0000144A131C81070358455C5728F20E95452F0D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE0005029E0D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:DialupVPN:164: sent IKE msg (ident_r1send): X.X.131.202:500->X.X.129.224:1011, len=188, id=4505a41d1053780b/56344104650fcb44
ike 0:DialupVPN:164: out 4505A41D1053780B56344104650FCB440110020000000000000000BC0D00003800000001000000010000002C01010001000000240501000080010005800200028004000280030001800B0001000C0004000070800D0000144A131C81070358455C5728F20E95452F0D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE0005029E0D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:DialupVPN:164: sent IKE msg (P1_RETRANSMIT): X.X.131.202:500->X.X.129.224:1011, len=188, id=4505a41d1053780b/56344104650fcb44
ike 0:DialupVPN:164: out 4505A41D1053780B56344104650FCB440110020000000000000000BC0D00003800000001000000010000002C01010001000000240501000080010005800200028004000280030001800B0001000C0004000070800D0000144A131C81070358455C5728F20E95452F0D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE0005029E0D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:DialupVPN:164: sent IKE msg (P1_RETRANSMIT): X.X.131.202:500->X.X.129.224:1011, len=188, id=4505a41d1053780b/56344104650fcb44
ike 0:DialupVPN:164: negotiation timeout, deleting
ike 0:DialupVPN: connection expiring due to phase1 down
ike 0:DialupVPN: deleting
ike 0:DialupVPN: flushing
ike 0:DialupVPN: sending SNMP tunnel DOWN trap
ike 0:DialupVPN: flushed
ike 0:DialupVPN: reset NAT-T
ike 0:DialupVPN: deleted
gschmitt wrote: Hm, go into the CLI
diag debug reset
diag debug enable
diag debug application fnbamd -1
Try the connection and check the output
I'm not sure if I've improved anything; now the VPN fails at the first hurdle, and I can't seem to work out why the proposals aren't matching.
ike 0: comes X.X.129.224:1011->X.X.131.202:500,ifindex=6....
ike 0: IKEv1 exchange=Identity Protection id=fa93ab2a4a28967b/0000000000000000 len=408
ike 0:fa93ab2a4a28967b/0000000000000000:237: responder: main mode get 1st message...
ike 0:fa93ab2a4a28967b/0000000000000000:237: VID unknown (20): 01528BBBC00696121849AB9A1C5B2A5100000001
ike 0:fa93ab2a4a28967b/0000000000000000:237: VID MS NT5 ISAKMPOAKLEY 1E2B516905991C7D7C96FCBFB587E46100000009
ike 0:fa93ab2a4a28967b/0000000000000000:237: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:fa93ab2a4a28967b/0000000000000000:237: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:fa93ab2a4a28967b/0000000000000000:237: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike 0:fa93ab2a4a28967b/0000000000000000:237: VID unknown (16): FB1DE3CDF341B7EA16B7E5BE0855F120
ike 0:fa93ab2a4a28967b/0000000000000000:237: VID unknown (16): 26244D38EDDB61B3172A36E3D0CFB819
ike 0:fa93ab2a4a28967b/0000000000000000:237: VID unknown (16): E3A5966A76379FE707228231E5CE8652
ike 0:fa93ab2a4a28967b/0000000000000000:237: incoming proposal:
ike 0:fa93ab2a4a28967b/0000000000000000:237: proposal id = 0:
ike 0:fa93ab2a4a28967b/0000000000000000:237: protocol id = ISAKMP:
ike 0:fa93ab2a4a28967b/0000000000000000:237: trans_id = KEY_IKE.
ike 0:fa93ab2a4a28967b/0000000000000000:237: encapsulation = IKE/none
ike 0:fa93ab2a4a28967b/0000000000000000:237: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:fa93ab2a4a28967b/0000000000000000:237: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:fa93ab2a4a28967b/0000000000000000:237: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fa93ab2a4a28967b/0000000000000000:237: type=OAKLEY_GROUP, val=ECP384.
ike 0:fa93ab2a4a28967b/0000000000000000:237: ISAKMP SA lifetime=28800
ike 0:fa93ab2a4a28967b/0000000000000000:237: proposal id = 0:
ike 0:fa93ab2a4a28967b/0000000000000000:237: protocol id = ISAKMP:
ike 0:fa93ab2a4a28967b/0000000000000000:237: trans_id = KEY_IKE.
ike 0:fa93ab2a4a28967b/0000000000000000:237: encapsulation = IKE/none
ike 0:fa93ab2a4a28967b/0000000000000000:237: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:fa93ab2a4a28967b/0000000000000000:237: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:fa93ab2a4a28967b/0000000000000000:237: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fa93ab2a4a28967b/0000000000000000:237: type=OAKLEY_GROUP, val=ECP256.
ike 0:fa93ab2a4a28967b/0000000000000000:237: ISAKMP SA lifetime=28800
ike 0:fa93ab2a4a28967b/0000000000000000:237: proposal id = 0:
ike 0:fa93ab2a4a28967b/0000000000000000:237: protocol id = ISAKMP:
ike 0:fa93ab2a4a28967b/0000000000000000:237: trans_id = KEY_IKE.
ike 0:fa93ab2a4a28967b/0000000000000000:237: encapsulation = IKE/none
ike 0:fa93ab2a4a28967b/0000000000000000:237: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:fa93ab2a4a28967b/0000000000000000:237: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:fa93ab2a4a28967b/0000000000000000:237: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fa93ab2a4a28967b/0000000000000000:237: type=OAKLEY_GROUP, val=MODP2048.
ike 0:fa93ab2a4a28967b/0000000000000000:237: ISAKMP SA lifetime=28800
ike 0:fa93ab2a4a28967b/0000000000000000:237: proposal id = 0:
ike 0:fa93ab2a4a28967b/0000000000000000:237: protocol id = ISAKMP:
ike 0:fa93ab2a4a28967b/0000000000000000:237: trans_id = KEY_IKE.
ike 0:fa93ab2a4a28967b/0000000000000000:237: encapsulation = IKE/none
ike 0:fa93ab2a4a28967b/0000000000000000:237: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:fa93ab2a4a28967b/0000000000000000:237: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:fa93ab2a4a28967b/0000000000000000:237: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fa93ab2a4a28967b/0000000000000000:237: type=OAKLEY_GROUP, val=MODP2048.
ike 0:fa93ab2a4a28967b/0000000000000000:237: ISAKMP SA lifetime=28800
ike 0:fa93ab2a4a28967b/0000000000000000:237: proposal id = 0:
ike 0:fa93ab2a4a28967b/0000000000000000:237: protocol id = ISAKMP:
ike 0:fa93ab2a4a28967b/0000000000000000:237: trans_id = KEY_IKE.
ike 0:fa93ab2a4a28967b/0000000000000000:237: encapsulation = IKE/none
ike 0:fa93ab2a4a28967b/0000000000000000:237: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:fa93ab2a4a28967b/0000000000000000:237: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:fa93ab2a4a28967b/0000000000000000:237: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fa93ab2a4a28967b/0000000000000000:237: type=OAKLEY_GROUP, val=MODP1024.
ike 0:fa93ab2a4a28967b/0000000000000000:237: ISAKMP SA lifetime=28800
ike 0:fa93ab2a4a28967b/0000000000000000:237: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:fa93ab2a4a28967b/0000000000000000:237: no SA proposal chosen
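The capture above ends in `no SA proposal chosen`. As an added example (not part of the original posts and not Fortinet code), this Python script parses the `incoming proposal` blocks of such a debug log and reports, for each offer, which fields differ from the closest gateway Phase 1 proposal. `CONFIGURED` is a hypothetical gateway setting, the sample log is constructed in the format shown above, and only encryption, hash and DH group are compared.

```python
import re

# Constructed sample: abridged lines in the format of the IKE debug output above.
P = "ike 0:fa93ab2a4a28967b/0000000000000000:237: "
SAMPLE_LOG = "\n".join(P + s for s in [
    "incoming proposal:",
    "proposal id = 0:",
    "type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.",
    "type=OAKLEY_HASH_ALG, val=SHA.",
    "type=OAKLEY_GROUP, val=ECP384.",
    "proposal id = 0:",
    "type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.",
    "type=OAKLEY_HASH_ALG, val=SHA.",
    "type=OAKLEY_GROUP, val=MODP2048.",
    "proposal id = 0:",
    "type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.",
    "type=OAKLEY_HASH_ALG, val=SHA.",
    "type=OAKLEY_GROUP, val=MODP1024.",
    "negotiation failure",
])

# Hypothetical gateway Phase 1 proposal list (assumption, not taken from the thread).
CONFIGURED = [{"OAKLEY_ENCRYPT_ALG": "AES_CBC", "OAKLEY_HASH_ALG": "SHA",
               "OAKLEY_GROUP": "MODP1024"}]

FIELD = re.compile(r"type=(OAKLEY_ENCRYPT_ALG|OAKLEY_HASH_ALG|OAKLEY_GROUP), val=(\w+)\.")

def parse_offers(log):
    """Return one dict of attributes per 'proposal id' block in the log."""
    offers, current = [], None
    for line in log.splitlines():
        if "proposal id =" in line:      # each transform starts a new block
            current = {}
            offers.append(current)
        elif current is not None:
            m = FIELD.search(line)
            if m:
                current[m.group(1)] = m.group(2)
    return offers

def mismatches(offer, configured):
    """Fields where the offer differs from the closest configured proposal ([] = match)."""
    diffs = [[k for k in cfg if offer.get(k) != cfg[k]] for cfg in configured]
    return min(diffs, key=len)

def report(log, configured):
    """One mismatch list per offered proposal, in log order."""
    return [mismatches(o, configured) for o in parse_offers(log)]

if __name__ == "__main__":
    for offer, diff in zip(parse_offers(SAMPLE_LOG), report(SAMPLE_LOG, CONFIGURED)):
        print(offer, "->", "MATCH" if not diff else "differs in " + ", ".join(diff))
```

With the sample data every offer misses by exactly one field, which is the pattern to look for when each algorithm appears somewhere in the gateway configuration but no single proposal lines up.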