Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ThePro
New Contributor III

Forti/MikroTik IPSec issue

I'm trying to set up an IPSec VPN between a Forti (my side) and a MikroTik.

 

You are seeing 192.168.1.101 (that's the local IP for the Forti) because there's a DMZ from the ISP modem/router to the Forti. I have other VPNs with other Fortigates and Ciscos on this same Forti/Site and they are running just fine.

 

Apparently I'm getting an error during Phase1

 

FGT60D4614056671 # ike 0: comes RemoteWAN:4500->192.168.1.101:4500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=dfcbc71ae93abd03/921b208b19fce6f6:b2869163 len=92
ike 0: in DFCBC71AE93ABD03921B208B19FCE6F608100501B28691630000005C21223EE0F891039A0F05F727F401C1E7562F6B701B6700BB7A581E9EAFA79A69A299A019B10400E4FF53F676A18803D409E8BF125B4589FAE89C2ADCC2599A44
ike 0:LG_P1:3031: dec DFCBC71AE93ABD03921B208B19FCE6F608100501B28691630000005C0B000018D1D590C65365399AE98C99F6D4130565C340867A000000200000000101108D28DFCBC71AE93ABD03921B208B19FCE6F6000002ECA25775A13F21D707
ike 0:LG_P1:3031: notify msg received: R-U-THERE
ike 0:LG_P1:3031: enc DFCBC71AE93ABD03921B208B19FCE6F608100501F5E900EB000000540B0000181124FFAD14BD497CF18608F3E0D0A9BA58C576A3000000200000000101108D29DFCBC71AE93ABD03921B208B19FCE6F6000002EC
ike 0:LG_P1:3031: out DFCBC71AE93ABD03921B208B19FCE6F608100501F5E900EB0000005C34BCC8599FF60AF53EF990590719C7EFDCC3554F9BB45935234C28CF459F1FD3B9750F2D914B3BD9D4E1A188722160D6D434C115E9A3B3020FB5B5A4491F0273
ike 0:LG_P1:3031: sent IKE msg (R-U-THERE-ACK): 192.168.1.101:4500->RemoteWAN:4500, len=92, id=dfcbc71ae93abd03/921b208b19fce6f6:f5e900eb
ike 0:LG_P1:LG_P2: IPsec SA connect 5 192.168.1.101->RemoteWAN:4500
ike 0:LG_P1:LG_P2: using existing connection
ike 0:LG_P1:LG_P2: config found
ike 0:LG_P1:LG_P2: IPsec SA connect 5 192.168.1.101->RemoteWAN:4500 negotiating
ike 0:LG_P1:3031: cookie dfcbc71ae93abd03/921b208b19fce6f6:a9585ce1
ike 0:LG_P1:3031:LG_P2:342878: natt flags 0x1f, encmode 1->3
ike 0:LG_P1:3031:LG_P2:342878: initiator selectors 0 0:10.0.50.0/255.255.255.0:0:0->0:192.168.3.0/255.255.255.0:0:0
ike 0:LG_P1:3031: enc
ike 0:LG_P1:3031: out
ike 0:LG_P1:3031: sent IKE msg (quick_i1send): 192.168.1.101:4500->RemoteWAN:4500, len=364, id=dfcbc71ae93abd03/921b208b19fce6f6:a9585ce1
ike 0: comes RemoteWAN:4500->192.168.1.101:4500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=dfcbc71ae93abd03/921b208b19fce6f6:ad5452ab len=68
ike 0: in DFCBC71AE93ABD03921B208B19FCE6F608100501AD5452AB00000044B75E987CC44C843CD702AD7347EF23694346B9F0E3EC604067B600469D950D1C9BF2F35E5CCE75EA
ike 0:LG_P1:3031: dec DFCBC71AE93ABD03921B208B19FCE6F608100501AD5452AB000000440B000018A00DD789818D208E9F3FE830EC80447CD0061DBC0000000C000000010100000EA9955603
ike 0:LG_P1:3031: notify msg received: NO-PROPOSAL-CHOSEN
ike 0:LG_P1:3031:: no matching IPsec SPI
ike 0:LG_P1:3031:LG_P2:342878: delete phase2 SPI e28b614c

1 REPLY 1
ede_pfau
SuperUser

No, phase2 is not negotiated successfully. Check the local/remote subnets (quick mode selectors), and then the encryption settings. I'd choose only one set, like SHA256/AES256.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
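
The triage described in the reply, as an added example that is not part of the thread or any Fortinet tooling: it reads IKE debug lines in the format posted above, finds which message was last sent before each NO-PROPOSAL-CHOSEN notify, and reports the phase that was rejected together with the quick mode selectors the peer has to mirror. The function names and the rule that step names starting with "quick_" mean phase 2 are assumptions drawn from the posted log.

```python
import ipaddress
import re

# Constructed sample: lines copied from the debug output in the post, hex dumps left out.
SAMPLE_LOG = """\
ike 0:LG_P1:3031: sent IKE msg (R-U-THERE-ACK): 192.168.1.101:4500->RemoteWAN:4500, len=92, id=dfcbc71ae93abd03/921b208b19fce6f6:f5e900eb
ike 0:LG_P1:3031:LG_P2:342878: initiator selectors 0 0:10.0.50.0/255.255.255.0:0:0->0:192.168.3.0/255.255.255.0:0:0
ike 0:LG_P1:3031: sent IKE msg (quick_i1send): 192.168.1.101:4500->RemoteWAN:4500, len=364, id=dfcbc71ae93abd03/921b208b19fce6f6:a9585ce1
ike 0:LG_P1:3031: notify msg received: NO-PROPOSAL-CHOSEN
ike 0:LG_P1:3031:LG_P2:342878: delete phase2 SPI e28b614c
"""

SENT = re.compile(r"ike \d+:(?P<p1>[^:]+):\d+: sent IKE msg \((?P<step>[^)]+)\)")
NOTIFY = re.compile(r"ike \d+:(?P<p1>[^:]+):\d+: notify msg received: (?P<msg>\S+)")
SELECTORS = re.compile(
    r"ike \d+:(?P<p1>[^:]+):\d+:(?P<p2>[^:]+):\d+: initiator selectors \d+ "
    r"\d+:(?P<src>[\d.]+/[\d.]+):\d+:\d+->\d+:(?P<dst>[\d.]+/[\d.]+):\d+:\d+")


def cidr(net):
    """Turn 10.0.50.0/255.255.255.0 into 10.0.50.0/24 for comparison with the peer's policy."""
    return str(ipaddress.ip_network(net, strict=False))


def diagnose(log):
    """Return one finding per NO-PROPOSAL-CHOSEN notify, naming the phase the peer rejected."""
    last_step, selectors, findings = {}, {}, []
    for line in log.splitlines():
        if m := SELECTORS.search(line):
            selectors[m["p1"]] = (m["p2"], cidr(m["src"]), cidr(m["dst"]))
        elif m := SENT.search(line):
            if not m["step"].startswith("R-U-THERE"):  # DPD keepalives are not negotiation
                last_step[m["p1"]] = m["step"]
        elif (m := NOTIFY.search(line)) and m["msg"] == "NO-PROPOSAL-CHOSEN":
            step = last_step.get(m["p1"], "")
            # Assumption: step names starting with "quick_" (quick_i1send in the post) are
            # quick mode, i.e. phase 2; a rejection after any other step is counted as phase 1.
            finding = {"tunnel": m["p1"], "after": step,
                       "phase": 2 if step.startswith("quick_") else 1}
            if finding["phase"] == 2 and m["p1"] in selectors:
                p2, src, dst = selectors[m["p1"]]
                # The peer's selectors must mirror ours: its local is our remote and vice versa.
                finding.update(phase2=p2, offered=(src, dst), peer_needs=(dst, src))
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

On the posted log this reports a phase 2 rejection for LG_P2, so the selectors shown and the phase 2 proposal are the settings to compare with the MikroTik side.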