Hi,
We switched ISP setup (twtelecom - Level3 converged internet/phone) and our IPSec VPN worked for about 12 hours and now no longer works at all. The VPN initially (after ISP switch over) did not come up, we deleted/re-added and rebooted our 100D and 60D; the tunnel came up for about 12 hours. After the 12 hours (key timeouts we assume), the tunnel no longer comes up; even after deleting/re-adding/rebooting.
Diag deb app ike -1 shows that the Phase1 negotiation is accepted, but the final interchanges are timing out (in red in the debug log).
We tried different encryption schemes, and different Diffie-Hellman groups (14, 5) to see if it made any difference - nothing changed.
Any suggestions on where to look or configurations to try next would be helpful.
We checked both sides, Phase1's are identical.
We tried to set fragmentation enable. The only reason to set fragmentation enable is that we were told that the Level3 interface has an MTU of 1300, not the normal 1500. With or without attempting to set fragmentation enable, the results are exactly the same. The commands we used:
On the 100D:
config vpn ipsec phase1-interface
edit "M2FS2S"
set fragmentation enable
next
end
On the 60D:
config vpn ipsec phase1-interface
edit "F2MS2S"
set fragmentation enable
next
end
The configs are as follows:
config vpn ipsec phase1-interface
edit "M2FS2S"
set type static
set interface "VLAN 1000"
set ip-version 4
set ike-version 1
set local-gw 0.0.0.0
set nattraversal enable
set keylife 86400
set authmethod psk
set mode aggressive
set peertype any
set mode-cfg disable
set proposal aes128-sha1
set localid "admin"
set localid-type auto
set negotiate-timeout 30
set fragmentation enable
set dpd disable
set forticlient-enforcement disable
set npu-offload enable
set dhgrp 14
set wizard-type custom
set xauthtype disable
set mesh-selector-type disable
set remote-gw SANITIZED
set monitor ''
set add-gw-route disable
set psksecret ENC SANITIZED
set keepalive 50
set auto-negotiate enable
next
end
config vpn ipsec phase1-interface
edit "FL2MKS2S"
set type static
set interface "wan1"
set ip-version 4
set ike-version 1
set local-gw 0.0.0.0
set nattraversal enable
set keylife 86400
set authmethod psk
set mode aggressive
set peertype any
set mode-cfg disable
set proposal aes128-sha1
set localid "admin"
set localid-type auto
set negotiate-timeout 30
set fragmentation enable
set dpd disable
set forticlient-enforcement disable
set npu-offload enable
set dhgrp 14
set wizard-type custom
set xauthtype disable
set mesh-selector-type disable
set remote-gw SANITIZED
set monitor ''
set add-gw-route disable
set psksecret ENC SANITIZED
set keepalive 50
set auto-negotiate enable
next
end
The diag debug app ike -1 logs...
ike 0: IKEv1 exchange=Aggressive id=f9add5f4dab4647a/0000000000000000 len=585
ike 0: in
ike 0:f9add5f4dab4647a/0000000000000000:334: responder: aggressive mode get 1st message...
ike 0:f9add5f4dab4647a/0000000000000000:334: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:f9add5f4dab4647a/0000000000000000:334: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:f9add5f4dab4647a/0000000000000000:334: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
ike 0:f9add5f4dab4647a/0000000000000000:334: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:f9add5f4dab4647a/0000000000000000:334: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
ike 0:f9add5f4dab4647a/0000000000000000:334: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:f9add5f4dab4647a/0000000000000000:334: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:f9add5f4dab4647a/0000000000000000:334: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike 0:f9add5f4dab4647a/0000000000000000:334: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:f9add5f4dab4647a/0000000000000000:334: VID FORTIGATE 8299031757A36082C6A621DE000502BD
ike 0:f9add5f4dab4647a/0000000000000000:334: negotiation result
ike 0:f9add5f4dab4647a/0000000000000000:334: proposal id = 1:
ike 0:f9add5f4dab4647a/0000000000000000:334: protocol id = ISAKMP:
ike 0:f9add5f4dab4647a/0000000000000000:334: trans_id = KEY_IKE.
ike 0:f9add5f4dab4647a/0000000000000000:334: encapsulation = IKE/none
ike 0:f9add5f4dab4647a/0000000000000000:334: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:f9add5f4dab4647a/0000000000000000:334: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:f9add5f4dab4647a/0000000000000000:334: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:f9add5f4dab4647a/0000000000000000:334: type=OAKLEY_GROUP, val=MODP2048.
ike 0:f9add5f4dab4647a/0000000000000000:334: ISAKMP SA lifetime=86400
ike 0:f9add5f4dab4647a/0000000000000000:334: SA proposal chosen, matched gateway M2FS2S
ike 0: found M2FS2S SANITIZED 42 -> SANITIZED:500
ike 0:M2FS2S:334: received peer identifier FQDN 'admin'
ike 0:M2FS2S:334: peer is FortiGate/FortiOS (v5 b701)
ike 0:M2FS2S:334: selected NAT-T version: RFC 3947
ike 0:M2FS2S:334: cookie f9add5f4dab4647a/810078ea0d7e1c3f
ike 0:M2FS2S:334: ISAKMP SA f9add5f4dab4647a/810078ea0d7e1c3f key 16:39662E25388723DE7C1628C30F4B7FA4
ike 0:M2FS2S:334: out F9ADD5F4DAB4647A810078EA0D7E1C3F01100400000000000000022D0400003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E008080030001800200028004000E0A000104A2A65D0ADDAFD2DB8FB5E6479D1575E8D50D0DB7D091C7B0A788AA75501C308710AF054464BAF736692561F56A3B593432A34B3413A1C8C65DBC5BD18CC85035AD69EB5564903A2CF3679072436EF0A7E0C4A364E2DFFCB91F9132C4ECBA86C554DA226B733A1F537B6657157B82D4337ADC10F22AAEDCD05EF389BACCF9E4F8F661014BE19E182120FDD3DAFA1A7028DE88A7AAF4CD4442BEB6A7FB4B68F53E07A328E2A031E6B6B34CF2D1E83CA6868381F9666ED40F73E938E3BE24595DB46B6B8BAAC44AE361960B17B9C9FEDFC906FFF96D11CCE40EF1EE29B7523EB55956165944EB4450797EBDAE2FC17232FABA2A4724778574CEB577BB619ACA555005000014EC77C577B6B5CDBD5419D06E5CE01CED0800000D0200000061646D696E0D000018CCF29B2813D1D19D2EC4BEDC5AC5C9148F915235140000144A131C81070358455C5728F20E95452F14000018638CBA7594BE235A4E5368B1D48334C3D022486D0D00001823C8FE8D71F0FF6EE2B6586DD6B0F557FE4A5B320D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000502BD0D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:M2FS2S:334: sent IKE msg (agg_r1send): SANITIZED:500->SANITIZED:500, len=557, id=f9add5f4dab4647a/810078ea0d7e1c3f
ike 0:M2FS2S:M2FS2S: IPsec SA connect 42 SANITIZED->SANITIZED:0
ike 0:M2FS2S:M2FS2S: using existing connection
ike 0:M2FS2S:M2FS2S: config found
ike 0:M2FS2S:M2FS2S: IPsec SA connect 42 SANITIZED->SANITIZED:500 negotiating
ike 0:M2FS2S:334:M2FS2S:164: ISAKMP SA still negotiating, queuing quick-mode request
diag deb disike 0:M2FS2S:333: out
ike 0:M2FS2S:333: sent IKE msg (P1_RETRANSMIT): SANITIZED:500->SANITIZED:500, len=585, id=5317b64affb29312/0000000000000000
ike 0:M2FS2S:334: fragment on 544 byte boundary
ike 0:M2FS2S:334: send fragment len 544 id 1 index 1 last 0
ike 0:M2FS2S:334: out F9ADD5F4DAB4647A810078EA0D7E1C3F8410040000000000000002200000020400010100F9ADD5F4DAB4647A810078EA0D7E1C3F01100400000000000000022D0400003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E008080030001800200028004000E0A000104A2A65D0ADDAFD2DB8FB5E6479D1575E8D50D0DB7D091C7B0A788AA75501C308710AF054464BAF736692561F56A3B593432A34B3413A1C8C65DBC5BD18CC85035AD69EB5564903A2CF3679072436EF0A7E0C4A364E2DFFCB91F9132C4ECBA86C554DA226B733A1F537B6657157B82D4337ADC10F22AAEDCD05EF389BACCF9E4F8F661014BE19E182120FDD3DAFA1A7028DE88A7AAF4CD4442BEB6A7FB4B68F53E07A328E2A031E6B6B34CF2D1E83CA6868381F9666ED40F73E938E3BE24595DB46B6B8BAAC44AE361960B17B9C9FEDFC906FFF96D11CCE40EF1EE29B7523EB55956165944EB4450797EBDAE2FC17232FABA2A4724778574CEB577BB619ACA555005000014EC77C577B6B5CDBD5419D06E5CE01CED0800000D0200000061646D696E0D000018CCF29B2813D1D19D2EC4BEDC5AC5C9148F915235140000144A131C81070358455C5728F20E95452F14000018638CBA7594BE235A4E5368B1D48334C3D022486D0D00001823C8FE8D71F0FF6EE2B6586DD6B0F557FE4A5B320D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621
ike 0:M2FS2S:334: sent IKE msg (P1_RETRANSMIT): SANITIZED:500->SANITIZED:500, len=544, id=f9add5f4dab4647a/810078ea0d7e1c3f
ike 0:M2FS2S:334: send fragment len 85 id 1 index 2 last 1
ike 0:M2FS2S:334: out F9ADD5F4DAB4647A810078EA0D7E1C3F8410040000000000000000550000003900010201DE000502BD0D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:M2FS2S:334: sent IKE msg (P1_RETRANSMIT): SANITIZED:500->SANITIZED:500, len=85, id=f9add5f4dab4647a/810078ea0d7e1c3f
ike 0: comes SANITIZED:500->SANITIZED:500,ifindex=42....
ike 0: IKEv1 exchange=Aggressive id=f9add5f4dab4647a/0000000000000000 len=585
ike 0: in
ike 0:M2FS2S:334: retransmission, re-send last message
ike 0:M2FS2S:334: fragment on 544 byte boundary
ike 0:M2FS2S:334: send fragment len 544 id 2 index 1 last 0
ike 0:M2FS2S:334: out
ike 0:M2FS2S:334: sent IKE msg (retransmit): SANITIZED:500->SANITIZED:500, len=544, id=f9add5f4dab4647a/810078ea0d7e1c3f
ike 0:M2FS2S:334: send fragment len 85 id 2 index 2 last 1
ike 0:M2FS2S:334: out F9ADD5F4DAB4647A810078EA0D7E1C3F8410040000000000000000550000003900020201DE000502BD0D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:M2FS2S:334: sent IKE msg (retransmit): SANITIZED:500->SANITIZED:500, len=85, id=f9add5f4dab4647a/810078ea0d7e1c3f
ike 0:M2FS2S:M2FS2S: IPsec SA connect 42 SANITIZED->SANITIZED:0
ike 0:M2FS2S:M2FS2S: using existing connection
ike 0:M2FS2S:M2FS2S: config found
ike 0:M2FS2S: request is on the queue
ike 0:M2FS2S:M2FS2S: IPsec SA connect 42 SANITIZED->SANITIZED:0
ike 0:M2FS2S:M2FS2S: using existing connection
ike 0:M2FS2S:M2FS2S: config found
ike 0:M2FS2S: request is on the queue
ike 0:M2FS2S:M2FS2S: IPsec SA connect 42 SANITIZED->SANITIZED:0
ike 0:M2FS2S:M2FS2S: using existing connection
ike 0:M2FS2S:M2FS2S: config found
ike 0:M2FS2S: request is on the queue
ike 0:M2FS2S:333: out
ike 0:M2FS2S:333: sent IKE msg (P1_RETRANSMIT): SANITIZED:500->SANITIZED:500, len=585, id=5317b64affb29312/0000000000000000
ike 0:M2FS2S:334: fragment on 544 byte boundary
ike 0:M2FS2S:334: send fragment len 544 id 3 index 1 last 0
ike 0:M2FS2S:334: out
ike 0:M2FS2S:334: sent IKE msg (P1_RETRANSMIT): SANITIZED:500->SANITIZED:500, len=544, id=f9add5f4dab4647a/810078ea0d7e1c3f
ike 0:M2FS2S:334: send fragment len 85 id 3 index 2 last 1
ike 0:M2FS2S:334: out F9ADD5F4DAB4647A810078EA0D7E1C3F8410040000000000000000550000003900030201DE000502BD0D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:M2FS2S:334: sent IKE msg (P1_RETRANSMIT): SANITIZED:500->SANITIZED:500, len=85, id=f9add5f4dab4647a/810078ea0d7e1c3f
ike 0: comes SANITIZED:500->SANITIZED:500,ifindex=42....
ike 0: IKEv1 exchange=Aggressive id=f9add5f4dab4647a/0000000000000000 len=585
ike 0: in
ike 0:M2FS2S:334: retransmission, re-send last message
ike 0:M2FS2S:334: fragment on 544 byte boundary
ike 0:M2FS2S:334: send fragment len 544 id 4 index 1 last 0
ike 0:M2FS2S:334: out
ike 0:M2FS2S:334: sent IKE msg (retransmit): SANITIZED:500->SANITIZED:500, len=544, id=f9add5f4dab4647a/810078ea0d7e1c3f
ike 0:M2FS2S:334: send fragment len 85 id 4 index 2 last 1
ike 0:M2FS2S:334: out F9ADD5F4DAB4647A810078EA0D7E1C3F8410040000000000000000550000003900040201DE000502BD0D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:M2FS2S:334: sent IKE msg (retransmit): SANITIZED:500->SANITIZED:500, len=85, id=f9add5f4dab4647a/810078ea0d7e1c3f
ike shrank heap by 135168 bytes
ike 0:M2FS2S:M2FS2S: IPsec SA connect 42 SANITIZED->SANITIZED:0
ike 0:M2FS2S:M2FS2S: using existing connection
ike 0:M2FS2S:M2FS2S: config found
ike 0:M2FS2S: request is on the queue
ike 0:M2FS2S:M2FS2S: IPsec SA connect 42 SANITIZED->SANITIZED:0
ike 0:M2FS2S:M2FS2S: using existing connection
ike 0:M2FS2S:M2FS2S: config found
ike 0:M2FS2S: request is on the queue
ike 0:M2FS2S:333: negotiation timeout, deleting
ike 0:M2FS2S: schedule auto-negotiate
ike 0:M2FS2S:334: negotiation timeout, deleting
ike 0:M2FS2S: connection expiring due to phase1 down
ike 0:M2FS2S: deleting
ike 0:M2FS2S: flushing
ike 0:M2FS2S: flushed
ike 0:M2FS2S: deleted
ike 0:M2FS2S: set oper down
ike 0:M2FS2S: auto-negotiate connection
ike 0:M2FS2S: created connection: 0x368c1d0 42 SANITIZED->SANITIZED:500.
ike 0:M2FS2S:335: initiator: aggressive mode is sending 1st message...
ike 0:M2FS2S:335: cookie 0995ec555152a014/0000000000000000
ike 0:M2FS2S:335: out
Hi,
and welcome to the forums.
- if fragmentation is an issue with your new ISP, have you configured the smaller MTU on the physical interface? The VLAN interface which your VPN is connected to inherits these kinds of parameters from its physical parent.
- you use 'localID = admin' on both sides. One should be 'localID' (on the remote FGT), the other 'peerID' (on the central FGT). I don't think that this is the root cause but it needs correction anyway if you want to support more than one tunnel concurrently.
- choosing v5.25 on the remote FGT is, ehm, bold. This release is quite new, and has its issues in some areas. IPsec VPN is not one of them as far as I know but... you should try v5.2.3 (not v5.2.4) as a more stable choice. No idea what version you're using on the central FGT.
Be aware that downgrading might reset your configuration, keep a backup and be ready to restore it.
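A way to triage the debug output posted above, as an added example (not part of either post and not Fortinet tooling): it groups `diag debug app ike -1` lines by phase 1 serial number and reports which side is left waiting. The line patterns are taken from the log in this thread; the function names and the verdict wording are assumptions of this example.

```python
import re
from collections import defaultdict
# Abridged from the debug output in the post: hex payloads dropped, addresses as sanitized there.
SAMPLE = """\
ike 0:f9add5f4dab4647a/0000000000000000:334: responder: aggressive mode get 1st message...
ike 0:M2FS2S:334: sent IKE msg (agg_r1send): SANITIZED:500->SANITIZED:500, len=557, id=f9add5f4dab4647a/810078ea0d7e1c3f
ike 0:M2FS2S:333: sent IKE msg (P1_RETRANSMIT): SANITIZED:500->SANITIZED:500, len=585, id=5317b64affb29312/0000000000000000
ike 0:M2FS2S:334: send fragment len 544 id 1 index 1 last 0
ike 0:M2FS2S:334: sent IKE msg (P1_RETRANSMIT): SANITIZED:500->SANITIZED:500, len=544, id=f9add5f4dab4647a/810078ea0d7e1c3f
ike 0:M2FS2S:334: retransmission, re-send last message
ike 0:M2FS2S:334: sent IKE msg (retransmit): SANITIZED:500->SANITIZED:500, len=544, id=f9add5f4dab4647a/810078ea0d7e1c3f
ike 0:M2FS2S:333: negotiation timeout, deleting
ike 0:M2FS2S:334: negotiation timeout, deleting
"""

LINE = re.compile(r"^ike \d+:[^:]+:(\d+): (.*)$")
SENT = re.compile(r"sent IKE msg \((\w+)\): .*len=(\d+), id=[0-9a-f]{16}/([0-9a-f]{16})")

def triage(log):
    """Summarise each phase 1 negotiation in the log, keyed by its serial number."""
    sas = defaultdict(lambda: {"role": None, "sent": 0, "resent": 0, "max_len": 0,
                               "fragmented": False, "peer_repeats": 0, "timed_out": False})
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # line not tied to a phase 1 serial (phase 2, interface events)
        sa, msg = sas[m.group(1)], m.group(2)
        if msg.startswith(("responder:", "initiator:")):
            sa["role"] = msg.split(":")[0]
        s = SENT.search(msg)
        if s:
            sa["sent"] += 1
            sa["resent"] += int("retransmit" in s.group(1).lower())
            sa["max_len"] = max(sa["max_len"], int(s.group(2)))
            # Responder cookie still all zeros: this unit sent message 1 itself.
            sa["role"] = sa["role"] or ("initiator" if s.group(3) == "0" * 16 else None)
        sa["fragmented"] |= msg.startswith("send fragment")
        sa["peer_repeats"] += int(msg.startswith("retransmission,"))
        sa["timed_out"] |= "negotiation timeout" in msg
    return dict(sas)

def verdict(sa):
    if not sa["timed_out"]:
        return "no timeout logged"
    if sa["role"] == "responder" and sa["peer_repeats"]:
        return "peer repeated message 1: our reply is not reaching it"
    if sa["role"] == "initiator":
        return "no answer to our message 1"
    return "timed out, direction unclear"
print({serial: verdict(sa) for serial, sa in triage(SAMPLE).items()})
```

Run against the full capture from both units, the `max_len` and `fragmented` fields show which message sizes were attempted before each timeout, which is the figure to compare with the path MTU.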