Hello friends,
I have very strange problem with creating of IPsec tunnel VPN between Mikrotik and FortiGate 100D. I get still error log on my Mikrotik with information: 192.168.1.111 failed to pre-process ph2 packet. 192.198.1.111 is wan interface of FortiGate. I have checked everything 100times, so Authentication, encryption and also DH are the same on both sides. I can also see Fortinet as established under Active Peer on Mikrotik, but in Policies tab i can see problem: no phase2. Fortinet is showing tunnel as inactive.
I am very confused. I have also found a very similar topic on last line:
viewtopic.php?t=107680
But i don't understand where t change this mode....and problem is Mikrotik or Fortinet?
Can you give me some advice please?
Thank you very much for any advice.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I don't know the debug commands on Mikrotik side, but at least you can run IKE debugging explained in below KB to see what the 100D is seeing/saying:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPSEC-Tunnel-debugging-IKE/ta-p/1900...
Toshi
Thanks for zour advice :)
This is output from Fortigate:
Phase 1 shows estabilshed, but phase two has some problem:
-notify msg recieved: NO-PROPOSAL CHOSEN
-no matching IPsec SPI
ike 0:Tunnel-mkt:2: send IKEv1 DPD probe, seqno 56
ike 0:Tunnel-mkt:2: enc BB1CB51579F0C7A2040551337556406808100501039978E8000000500B0000141592FDEF9860E9A3A532C3078077756E000000200000000101108D28BB1CB51579F0C7A2040551337556406800000038
ike 0:Tunnel-mkt:2: out BB1CB51579F0C7A2040551337556406808100501039978E80000005C30F8FB19C433CC8F6FF338FCBBF295E0E039A7DC75BFFE044E926A13448729618B004E118D3D3A5F6849AA6D820C7A1D060F36B0E4DC1EA62B11A49CC0D86E5E
ike 0:Tunnel-mkt:2: sent IKE msg (R-U-THERE): 192.168.1.111:500->192.168.1.198:500, len=92, id=bb1cb51579f0c7a2/0405513375564068:039978e8
ike 0: comes 192.168.1.198:500->192.168.1.111:500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=bb1cb51579f0c7a2/0405513375564068:a11d729a len=92
ike 0: in BB1CB51579F0C7A2040551337556406808100501A11D729A0000005CF99A37C75442D6D4C48216FD9F7C97110BCCA2AF69A1C2A1553268C4814D1E3E1AAEDA450D9A953218C878E4B2032DB959E7298F8B7765A6B03764455E2ADB97
ike 0:Tunnel-mkt:2: dec BB1CB51579F0C7A2040551337556406808100501A11D729A0000005C0B0000140356AD338ACB125B4E649BBE66E1F11A000000200000000101108D29BB1CB51579F0C7A204055133755640680000003839AB96B8B0237D215FA43C0B
ike 0:Tunnel-mkt:2: notify msg received: R-U-THERE-ACK
ike 0:Tunnel-mkt:Tunnel-mkt: IPsec SA connect 5 192.168.1.111->192.168.1.198:0
ike 0:Tunnel-mkt:Tunnel-mkt: using existing connection
ike 0:Tunnel-mkt:Tunnel-mkt: config found
ike 0:Tunnel-mkt:Tunnel-mkt: IPsec SA connect 5 192.168.1.111->192.168.1.198:500 negotiating
ike 0:Tunnel-mkt:2: cookie bb1cb51579f0c7a2/0405513375564068:88f717d8
ike 0:Tunnel-mkt:2:Tunnel-mkt:290: initiator selectors 0 0:192.168.11.0/255.255.255.0:0:0->0:10.10.1.0/255.255.255.0:0:0
ike 0:Tunnel-mkt:2: enc BB1CB51579F0C7A204055133755640680810200188F717D800000160010000148A6E7285565E7CCD3BB1B4CDE2F804E00A00003800000001000000010000002C01030401454600A900000020010C00008001000180020E108004000180060080800500018003000504000014B118807207FBD6D19ADE0702189F913D050000C4591D27B8F94C85582F562A543B81D6E7BDF3CCF07A746D9AEB13F2CBC4105F826649D162FCB67F7312670C1FBC3B6EFA6284C92695D3DF0B9A714581D41664DA1254232D3E9281B7FEC5CCA3F1517672D86BA29696D623F9D4D91424729578E6C0A6DEBF8ED20C2549043CEA71FE189A43E8971A55C0A626A19BD758A5B55A9104C4BF05F6C0762321A91811CC1BC407FD892444D6BACB2825C33F3A7FBA29D678E0D52B88F2591A15EECE145E035130DA5FDEBA99329020B05833EFCC7AE5F30500001004000000C0A80B00FFFFFF0000000010040000000A0A0100FFFFFF00
ike 0:Tunnel-mkt:2: out BB1CB51579F0C7A204055133755640680810200188F717D80000016C8F55D5E1F0ECB327B7BDDFD173E46FE3052FA1259EF424E0B53883AE8941A6A912B008BC163F1C2C2473AACCC385B4B64A968206DE67A753766F19080574E1127612C959DC71494D4EADED6E47D04C8C860810971AD3A40B017B1DCF19E8357F35B2C8B83495188C57FF27E9FB8C8AB59A4DAF9C13C8CEF6614F78E9253CD903654385147B7F3A47698F8BB0F1CF46E33ED2FE2AFFE333BB7FF8BB36270123B6304DBB9D3AE21B06B02083B3A5D4915A892607F6AACC07096788088AC9B037F3937074D215B1ADFD58BB6D7A9860C4BAA4B7F9366CFE2CE9A7A5C28768275E32753A0D30180F40C20FE746949E2828FB17805539A8C750F83970BD43AFB4A27302575B65FC756FE51AB60D06421A96CDE79040CFEE628038F7A333372970E86E09C8F00BF535A4034332D21F18099FEBE5646767548A81F2B2F7E2EC7C4F54C375A9AB9856C812FBBAAB302C75BA5F5A
ike 0:Tunnel-mkt:2: sent IKE msg (quick_i1send): 192.168.1.111:500->192.168.1.198:500, len=364, id=bb1cb51579f0c7a2/0405513375564068:88f717d8
ike 0: comes 192.168.1.198:500->192.168.1.111:500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=bb1cb51579f0c7a2/0405513375564068:d01498c4 len=76
ike 0: in BB1CB51579F0C7A2040551337556406808100501D01498C40000004C4958B5183E87B8AA4608C186B18FEACCA6D659CC8319D564B13A46F3F8B2336C64D519C39662D57F5113665D770C659D
ike 0:Tunnel-mkt:2: dec BB1CB51579F0C7A2040551337556406808100501D01498C40000004C0B000014CB61B33517852CA0898B32C959B50B1B0000000C000000010100000ED08DA956FD99234B75474E7C8EEC4E0F
ike 0:Tunnel-mkt:2: notify msg received: NO-PROPOSAL-CHOSEN
ike 0:Tunnel-mkt:2:: no matching IPsec SPI
ike 0:Tunnel-mkt:2:Tunnel-mkt:290: delete phase2 SPI a9004645
ike 0:Tunnel-mkt:Tunnel-mkt: IPsec SA connect 5 192.168.1.111->192.168.1.198:0
ike 0:Tunnel-mkt:Tunnel-mkt: using existing connection
ike 0:Tunnel-mkt:Tunnel-mkt: config found
ike 0:Tunnel-mkt:Tunnel-mkt: IPsec SA connect 5 192.168.1.111->192.168.1.198:500 negotiating
ike 0:Tunnel-mkt:2: cookie bb1cb51579f0c7a2/0405513375564068:574338e6
ike 0:Tunnel-mkt:2:Tunnel-mkt:291: initiator selectors 0 0:192.168.11.0/255.255.255.0:0:0->0:10.10.1.0/255.255.255.0:0:0
ike 0:Tunnel-mkt:2: enc BB1CB51579F0C7A2040551337556406808102001574338E600000160010000146293DD290507E1E4465D72F904F1C1630A00003800000001000000010000002C01030401454600AA00000020010C00008001000180020E1080040001800600808005000180030005040000140A6E2BE5E34E615853F28DB63D5FEC43050000C46AA493C468425B1CC23893975F620BD7E72940CAE074ABF014CCA462BCCE3B2808C9C2A31E9C3BC8BB4DE33D6E2CD1348CED7CFB5E14ECBBC44A312B386232363DA5E56908ABE10D12E6AE77E8026A73A201A8B6699EA7191B30389ED33A005EF9338AF7880FAF5A7496A11684D9AD722F8B97DCB7BAEF0A240D685253F8E0C339A72809818C11FF30EF8F1A5B836CA3C68BD78EDD2AB0BAA4AC134C72E50A8A086E94C3C84387EC97B452B9DBE0B276E597BEC90CB05B064414F7C9A866DB510500001004000000C0A80B00FFFFFF0000000010040000000A0A0100FFFFFF00
ike 0:Tunnel-mkt:2: out BB1CB51579F0C7A2040551337556406808102001574338E60000016C32A3466800212AC72C094072A3FE03D02647CEAEDD7E526310DF815B7C843AEEAB86B83BA40119BF5FFB818E765F9C1D58EDBD97F626C6BB82427DED5F4C3440877DF15C9DB648EA68F445F0473600B5320FA8582B3F09DEB159624AEEECAB627F36F0CF125F1063606C09BDBF74C6B6A210DB380FCFBA5C8545DE3CA1DA04F11ACBE29B356FF80450DCEDEA827CD4498642D008FA1325BBC417101BCA671CC7FAB5021FF850D6078520FD96328166DA2300E4A066D577DCF6735342522C71058170AF0F0A90F7501874F16F1B0389D1F4DDA27B4942F1642A125270B32109DA7E7B7DF709AB47032893007402BCC5A82C06F887291CC717E0D7611C0308B58E05723CA4A7F4D53450B8836E640F7498F323B86442F4E1259AE013CAF39C98934D189D8C0F5F901AF516562C75A82B5A9E1FD54FDB71F01C675C304F4ED4D64A0238A938DCA05E0F784E437BB396BC12
ike 0:Tunnel-mkt:2: sent IKE msg (quick_i1send): 192.168.1.111:500->192.168.1.198:500, len=364, id=bb1cb51579f0c7a2/0405513375564068:574338e6
ike 0: comes 192.168.1.198:500->192.168.1.111:500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=bb1cb51579f0c7a2/0405513375564068:e8ad859e len=76
ike 0: in BB1CB51579F0C7A2040551337556406808100501E8AD859E0000004C5FAF8B7C7410FDF5B67FE93460C6852D4B04C25860948013607180B5C6BAB1ED98A7C5C06E1DAF4258C87A446ED8D094
ike 0:Tunnel-mkt:2: dec BB1CB51579F0C7A2040551337556406808100501E8AD859E0000004C0B0000143401BF012C09B30D82BC7AB09A1843820000000C000000010100000E0597C1E7F57312C8ACEE3196BB45180F
ike 0:Tunnel-mkt:2: notify msg received: NO-PROPOSAL-CHOSEN
ike 0:Tunnel-mkt:2:: no matching IPsec SPI
ike 0:Tunnel-mkt:2:Tunnel-mkt:291: delete phase2 SPI aa004645
What this is showing is:
1. this FGT sent phase2 msg with a selector 192.168.11.0/255.255.255.0->10.10.1.0/255.255.255.0 to the other end.
2. Then it got a "notify msg" from the other end with "NO-PROPOSAL-CHOSEN/no matching IPsec SPI".
So first thing to check is if Mikrotik end has the selector combination:192.168.11.0/255.255.255.0 and 10.10.1.0/255.255.255.0 with src/dst reversed.
The FGT side is src:192.168.11.0/24, dst:10.10.1.0/24.
If that part is matching, I think Mikrotik side should at least respond with the matching selector set with a proposal for other parameters.
Then if you keep pining from 10.10.1.0/24 side(Mikrotik side) toward 192.168.11.0/24 while running the ike debug on the FGT, you should be able to see what kind of proposal Mikrotik is sending to the FGT in the debug output.
Toshi
Estou fortigate 60-F com 10 tunnel com outros firewall ogasec, e com Mikrotic apresenta esse erro.
no debug sniffer e pacote vai e volta mas erro esta igual tunnel fase não fechar permance.
Alguma dica o soluçao ??
I managed to work it!
I have one IKE and 2x IPSEC subnets.
First IPSEC Subnet was connecting without any problems. Remember to add dstnat in Firewall and on Fortigate firewall.
Second IPSEC subnet was getting no phase2, and in logs NO_PROPOSAL_CHOSEN. I checked and tested milion different auth, add second Proposal with the same settings as 1st IPSEC and.... i changed PFS group to ecp256 from mod1024 and... ESTABILISHED :))
I have no idea why first one is working, but changing 2nd IPSEC proposal hit the point.
In policy set Level: unique, Tunnel: yes.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1634 | |
1063 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.