jhuwe
New Contributor

IPSec Tunnel negotiation failure - VID unknown (12)

Good morning,

I'm trying to connect my 600D (v6.0.3b200) to Oracle Cloud. I can't get the tunnel to establish, though I'm fairly certain I have everything matched up. Any help would be greatly appreciated!

When doing an IKE debug in the command line, I get:

ike 0: comes 129.xxx.xxx.xxx:500->216.yyy.yyy.yyy:500,ifindex=9....
ike 0: IKEv1 exchange=Identity Protection id=a8d0ca6a5fcf7131/0000000000000000 len=224
ike 0: in A8D0CA6A5FCF713100000000000000000110020000000000000000E00D00003C000000010000000100000030000100010000002800010000800B0001000C0004000151808001000780020004800300018004000E800E01000D0000104F456E4847404740514665600D000014AFCAD71368A1F1C96B8696FC775701000D0000144A131C81070358455C5728F20E95452F0D0000147D9419A65310CA6F2C179D9215529D560D00001490CB80913EBB696E086381B5EC427B1F0D000014CD60464335DF21F87CFDB2FC68B6A448000000144485152D18B6BBCD0BE8A8469579DDCC
ike 0:a8d0ca6a5fcf7131/0000000000000000:638684: responder: main mode get 1st message...
ike 0:a8d0ca6a5fcf7131/0000000000000000:638684: VID unknown (12): OEnHG@G@QFe`
ike 0:a8d0ca6a5fcf7131/0000000000000000:638684: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:a8d0ca6a5fcf7131/0000000000000000:638684: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:a8d0ca6a5fcf7131/0000000000000000:638684: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:a8d0ca6a5fcf7131/0000000000000000:638684: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:a8d0ca6a5fcf7131/0000000000000000:638684: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
ike 0:a8d0ca6a5fcf7131/0000000000000000:638684: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:a8d0ca6a5fcf7131/0000000000000000:638684: incoming proposal:
ike 0:a8d0ca6a5fcf7131/0000000000000000:638684: proposal id = 0:
ike 0:a8d0ca6a5fcf7131/0000000000000000:638684: protocol id = ISAKMP:
ike 0:a8d0ca6a5fcf7131/0000000000000000:638684: trans_id = KEY_IKE.
ike 0:a8d0ca6a5fcf7131/0000000000000000:638684: encapsulation = IKE/none
ike 0:a8d0ca6a5fcf7131/0000000000000000:638684: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:a8d0ca6a5fcf7131/0000000000000000:638684: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:a8d0ca6a5fcf7131/0000000000000000:638684: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:a8d0ca6a5fcf7131/0000000000000000:638684: type=OAKLEY_GROUP, val=MODP2048.
ike 0:a8d0ca6a5fcf7131/0000000000000000:638684: ISAKMP SA lifetime=86400
ike 0:a8d0ca6a5fcf7131/0000000000000000:638684: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:a8d0ca6a5fcf7131/0000000000000000:638684: no SA proposal chosen

My config on the 600D is:

config vpn ipsec phase1-interface
    edit "ORACLE-CLOUD"
        set interface "port10"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 129.xxx.xxx.xxx
        set psksecret ENC  F0z[...]Q==
    next
end

config vpn ipsec phase2-interface
    edit "ORACLE-CLOUD"
        set phase1name "ORACLE-CLOUD"
        set proposal aes256-sha256
        set dhgrp 14
        set replay disable
        set src-addr-type name
        set dst-addr-type name
        set keylifeseconds 3600
        set src-name "all"
        set dst-name "ORACLE-CLOUD"
    next
end

See attached image for my Oracle Cloud config.

0 REPLIES 0
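
A way to check "everything matched up" mechanically, added here as an example and not part of the original post or any Fortinet tooling: it reads the peer's offer out of IKE debug lines and compares it with the phase1 settings. The function names, the shortened session prefix and the assumed default of IKEv1 when no ike-version line is present are this example's own.

```python
import re

# Lines abridged from the debug output and phase1 config in the post
# (session prefix shortened to "ike 0:s:").
SAMPLE_LOG = """\
ike 0: IKEv1 exchange=Identity Protection id=a8d0ca6a5fcf7131/0000000000000000 len=224
ike 0:s: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:s: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:s: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:s: type=OAKLEY_GROUP, val=MODP2048.
ike 0:s: no SA proposal chosen
"""
SAMPLE_CONF = """\
config vpn ipsec phase1-interface
    edit "ORACLE-CLOUD"
        set ike-version 2
        set proposal aes256-sha256
        set dhgrp 14
    next
end
"""
# Log name -> CLI keyword. Only the values seen in the post are mapped.
HASH = {"SHA2_256": "sha256"}
GROUP = {"MODP2048": "14"}

def parse_offer(log):
    """Peer's offer from the debug lines (assumes a single transform)."""
    attrs = dict(re.findall(r"type=(\w+), val=(\w+)", log))
    ver = re.search(r"IKEv(\d) exchange=", log)
    klen = re.search(r"key-len=(\d+)", log)
    enc = attrs.get("OAKLEY_ENCRYPT_ALG", "?").split("_")[0].lower()
    return {"ike-version": ver.group(1) if ver else "?",
            "proposal": f"{enc}{klen.group(1) if klen else ''}-"
                        f"{HASH.get(attrs.get('OAKLEY_HASH_ALG'), '?')}",
            "dhgrp": GROUP.get(attrs.get("OAKLEY_GROUP"), "?")}

def parse_phase1(conf):
    """Local phase1 settings; each may list several space-separated values."""
    s = {k: v.split() for k, v in re.findall(r"^\s*set (\S+) (.+)$", conf, re.M)}
    # Assumption: an absent ike-version line means the default, IKEv1.
    return {"ike-version": s.get("ike-version", ["1"]),
            "proposal": s.get("proposal", []), "dhgrp": s.get("dhgrp", [])}

def mismatches(offer, local):
    """One line per attribute the peer offered that phase1 does not allow."""
    return [f"{k}: peer offers {offer[k]}, local allows {' '.join(local[k])}"
            for k in ("ike-version", "proposal", "dhgrp") if offer[k] not in local[k]]

if __name__ == "__main__":
    for line in mismatches(parse_offer(SAMPLE_LOG), parse_phase1(SAMPLE_CONF)):
        print(line)
```

On the values in the post it reports one difference: the peer is sending an IKEv1 main-mode exchange while the phase1 is set to ike-version 2; encryption, hash and DH group agree.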