Nihas
New Contributor

IPSec Client VPN issue!

Hi, one of my IPsec VPNs for clients is not getting connected. Below are the last few lines of the dia deb application ike -1 output:

2014-08-13 22:19:17 ike 0:CompanyDU:636: negotiation timeout, deleting
2014-08-13 22:19:17 ike 0:CompanyDU: connection expiring due to phase1 down
2014-08-13 22:19:17 ike 0:CompanyDU: deleting
2014-08-13 22:19:17 ike 0:CompanyDU: flushing
2014-08-13 22:19:17 ike 0:CompanyDU: sending SNMP tunnel DOWN trap
2014-08-13 22:19:17 ike 0:CompanyDU: flushed
2014-08-13 22:19:17 ike 0:CompanyDU: deleted

What could be the issue?
Istvan_Takacs_FTNT

Clearly phase1 can't be negotiated with the remote. Can you e.g. ping the remote end?
# diagnose sniffer packet <ipsec interface> "udp and dst port 500"
can display any communication issue between the initiator and responder.
45LAN
New Contributor

Hi, have you enabled NAT Traversal in Ph.1 from FGT for clients with dynamic IPs?
ede_pfau
SuperUser

The interesting parts of the debug are missing. There is a mismatch between phase1 parameters on both sides, which could be the PSK, peer ID, or any other.
• Check all phase1 parameters for identity before proceeding.
• Use one proposal only (preferably AES128/SHA1).
• Temporarily use a SIMPLE PSK.

Ede


"Kernel panic: Aiee, killing interrupt handler!"
Nihas
New Contributor

Hi All, Thanks for the comments. I didn't change any of the default values. And now I am able to connect, but after a few minutes it's going down. Yes, I have cross-checked:
NAT Traversal (it's enabled)
DPD (enabled on both ends)
SA lifetime is the same on both ends
PFS is enabled.
Seems like something is wrong with DPD. Can you please check the full log and shed some light?
Nihas
New Contributor

The issue seems to be with the client network connection. I have tested it with a good network and it was stable. Thanks for the help :)
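The two failure modes seen in this thread (a phase 1 negotiation timeout, and a tunnel torn down after unanswered DPD probes) can be told apart mechanically from the IKE debug output. The following is an added example, not part of the original posts and not Fortinet code; the sample lines are constructed in the message format quoted in the thread, with documentation IP addresses, and `diagnose` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the IKE debug output quoted in the thread.
SAMPLE = """\
2014-08-25 18:52:20 ike 0:CompanyDU:636: negotiation timeout, deleting
2014-08-25 18:52:29 ike 0: comes 198.51.100.7:500->203.0.113.1:500,ifindex=7....
2014-08-25 18:52:29 ike 0:CompanyDU_0:769: notify msg received: R-U-THERE
2014-08-25 18:52:29 ike 0:CompanyDU_0:769: sent IKE msg (R-U-THERE-ACK): 203.0.113.1:500->198.51.100.7:500, len=108
2014-08-25 18:52:54 ike 0:CompanyDU_0:769: send IKEv1 DPD probe, seqno 2
2014-08-25 18:52:59 ike 0:CompanyDU_0:769: send IKEv1 DPD probe, seqno 2
2014-08-25 18:53:04 ike 0:CompanyDU_0:769: send IKEv1 DPD probe, seqno 2
2014-08-25 18:53:09 ike 0:CompanyDU_0: link fail 7 203.0.113.1->198.51.100.7:0 dpd=1
"""

# timestamp, "ike <vdom>:", tunnel name, optional ":id:..." suffix, then the message
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ike \d+:(?P<tun>[^:\s]+)[^ ]*: (?P<msg>.*)$"
)

def diagnose(log):
    """Return (timestamp, tunnel, cause, unanswered_probes) for each failure found."""
    probes = defaultdict(int)  # DPD probes sent since the peer was last heard, per tunnel
    findings = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # lines without a tunnel name, e.g. "ike 0: comes ..."
        ts, tun, msg = m.group("ts", "tun", "msg")
        if msg.startswith("send IKEv1 DPD probe"):
            probes[tun] += 1
        elif msg.startswith("notify msg received"):
            probes[tun] = 0  # peer is still talking to us on this tunnel
        elif msg.startswith("link fail"):
            # Established tunnel dropped after probes went unanswered: path problem
            findings.append((ts, tun, "dpd-timeout", probes[tun]))
            probes[tun] = 0
        elif msg.startswith("negotiation timeout"):
            # Tunnel never came up: reachability or phase 1 parameter mismatch
            findings.append((ts, tun, "phase1-timeout", 0))
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print(*finding)
```

A `dpd-timeout` with several unanswered probes on a tunnel that had negotiated successfully points at packet loss on the path rather than at the phase 1 or phase 2 settings.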