IPSec VPN Issue between Fortigate and PFsense
Hello,
We have an issue with a VPN connection between our FortiGate 1500 (5.4.9) and a pfSense.
Every other day the connection seems to fail, although in the monitor it says up.
I tried to run a debug and saw the following errors:
ike 0: IKEv1 exchange=Informational id=d2b4fbda4a1b86b6/3d93fbe1f03ab63c:c50ec69d len=92
ike 0: in D2B4FBDA4A1B86B63D93FBE1F03AB63C08100501C50EC69D0000005C6B5E7C4EFD095DFA5BCA2A434841E4B0D28396448A736307E765E605C7F27163B35D65933B41CD3926E7608FE97F8E57818771AC40872D5D873CB16C0CB9EBE8
ike 0: comes xxxxxxxxxxxx->xxxxxxxxxxxxxxx:500,ifindex=25....
ike 0: IKEv2 exchange=CREATE_CHILD id=45e679806abf7eff/2d1b3353efb6e979:00000002 len=416
ike 0: in <cut>
ike 0:<vpnname>:11257: dec <cut>
ike 0:<vpnname>:11257: received create-child request
ike 0:<vpnname>:11257: responder received CREATE_CHILD exchange
ike 0:<vpnname>:11257: received notify type ESP_TFC_PADDING_NOT_SUPPORTED
ike 0:<vpnname>:11257: processing child notify type ESP_TFC_PADDING_NOT_SUPPORTED
ike 0:<vpnname>:11257: responder creating new child
ike 0:<vpnname>:11257:1488982: peer proposal:
We are stuck here. Sometimes our connection is stable for a long time, then there are times when it goes down every 24 hours with 'no' reason.
Any advice is appreciated.
Regards.
Wim
Are you using IKEv1 or IKEv2? The capture includes both.
We are using IKEv2 on this one.
Regards
Wim
The particular part of the debug log you showed is not an error. It is a normal exchange based on RFC 5996 (https://tools.ietf.org/html/rfc5996):
"The ESP_TFC_PADDING_NOT_SUPPORTED notification asserts that the sending endpoint will not accept packets that contain Traffic Flow Confidentiality (TFC) padding over the Child SA being negotiated. If neither endpoint accepts TFC padding, this notification is included in both the request and the response."
What do you see in VPN event log?
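As an added illustration of the distinction made above (this is not code from the thread or from Fortinet): a small Python triage script that walks FortiGate IKE debug lines in the format quoted in this thread and classifies each received notify by the RFC 5996/7296 notify-type ranges, so a status notify such as ESP_TFC_PADDING_NOT_SUPPORTED is separated from genuine error notifies. It assumes other notify names are printed in the same "received notify type" line shape; the second tunnel name, its SPIs and its NO_PROPOSAL_CHOSEN line are constructed sample input.

```python
import re
# Subset of IKEv2 Notify Message Types, RFC 5996/7296 section 3.10.1:
# values 0..16383 are error types, 16384..65535 are status types.
NOTIFY_TYPES = {
    "INVALID_SYNTAX": 7, "NO_PROPOSAL_CHOSEN": 14, "INVALID_KE_PAYLOAD": 17,
    "AUTHENTICATION_FAILED": 24, "TS_UNACCEPTABLE": 38, "CHILD_SA_NOT_FOUND": 44,
    "INITIAL_CONTACT": 16384, "REKEY_SA": 16393,
    "ESP_TFC_PADDING_NOT_SUPPORTED": 16394, "NON_FIRST_FRAGMENTS_ALSO": 16395,
}
STATUS_MIN = 16384
# Line shapes follow the FortiGate ike debug output quoted in the thread.
EXCHANGE_RE = re.compile(r"^ike \d+: (IKEv[12]) exchange=(\S+) id=(\S+) len=\d+")
NOTIFY_RE = re.compile(r"^ike \d+:([^:]*):\d+: received notify type ([A-Z_]+)")


def classify_notify(name):
    """'status' (benign) or 'error' per the RFC type ranges; 'unknown' if unmapped."""
    value = NOTIFY_TYPES.get(name)
    if value is None:
        return "unknown"
    return "status" if value >= STATUS_MIN else "error"


def triage(lines):
    """Attribute each received notify to the exchange header that precedes it."""
    exchange, findings = None, []
    for line in lines:
        m = EXCHANGE_RE.match(line)
        if m:
            exchange = {"version": m.group(1), "type": m.group(2), "id": m.group(3)}
            continue
        m = NOTIFY_RE.match(line)
        if m:
            findings.append({"vpn": m.group(1), "notify": m.group(2),
                             "class": classify_notify(m.group(2)),
                             "exchange": exchange})
    return findings


def errors_only(lines):
    """Only the notifies in the RFC error range: the ones worth escalating."""
    return [f for f in triage(lines) if f["class"] == "error"]


# Constructed sample: the CREATE_CHILD exchange quoted in the thread, then a
# constructed failing CREATE_CHILD from a second tunnel (name and SPIs made up).
SAMPLE = """\
ike 0: IKEv2 exchange=CREATE_CHILD id=45e679806abf7eff/2d1b3353efb6e979:00000002 len=416
ike 0:<vpnname>:11257: received notify type ESP_TFC_PADDING_NOT_SUPPORTED
ike 0: IKEv2 exchange=CREATE_CHILD id=0000000000000001/0000000000000002:00000003 len=80
ike 0:azure_tun:11300: received notify type NO_PROPOSAL_CHOSEN
""".splitlines()
```

Run `errors_only(SAMPLE)` against a full debug capture to skip the benign TFC-padding notifies and surface only the exchanges that actually rejected a proposal or selector.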
Hello
We got one IPSec Phase 2 error in our event log, but it doesn't say anything meaningful to us.
And another one:
Thanks in advance.
Regards
Wim
Hi,
Can you share the debug flow and share it?
Regards,
Sudarsan Babu P
Hello
Beneath is the only log I could get, because the times it goes down are sometimes very random. Sometimes it's just around the same hour the next day, and that's when I started the debug.
There is also quite some gibberish from another tunnel to Azure in there.
Regards
Wim
