GG
New Contributor

IPSec VPN between Fortigate 100F 6.0.2 and VmWare NSX 6.3.5 fails

Hi,

I set up the VPN referring to this guide,

 

I have:

Fortigate 100F 6.0.2

Vmware 6.5 with NSX 6.3.5

 

(internal natted LAN 192.168.2.0/24) <-> Fortigate (WAN2 5.x.y.z)

<---------------------V P N          I P S E C-------------------------------->

NSX (WAN 137.x.y.z) <-> (internal natted LAN 10.10.10.0/24)

 

config vpn ipsec phase1-interface
    edit "fortigate2nsx"
        set interface "wan2"
        set keylife 28800
        set peertype any
        set proposal aes256-sha1
        set dhgrp 14
        set nattraversal disable
        set remote-gw 137.x.y.z
        set psksecret ENC *********************
    next
end

config vpn ipsec phase2-interface
    edit "fortigate2nsx"
        set phase1name "fortigate2nsx"
        set proposal aes256-sha1
        set dhgrp 14
        set src-addr-type name
        set dst-addr-type name
        set keylifeseconds 3600
        set src-name "fortigate_internal_subnet_name"
        set dst-name "nsx_internal_subnet_name"
    next
end

 

on NSX

 

 

and get this error:

 

ike 0:fortigate2nsx:2904: out 47DBBA2A6E9F22CAA751F4EBE3AB9E7508******************************
ike 0:fortigate2nsx:2904: sent IKE msg (P2_RETRANSMIT): 5.x.y.z:500->137.x.y.z:500, len=428, id=47dbba2a6e9f22ca/a751f4ebe3ab9e75:3e5c2006
ike 0: comes 137.x.y.z:500->5.x.y.z:500,ifindex=8....
ike 0: IKEv1 exchange=Informational id=47dbba2a6e9f22ca/a751f4ebe3ab9e75:121f175a len=76
ike 0: in 47DBBA2A6E9F22CAA751F4EB*******************************************
ike 0:fortigate2nsx:2904: dec 47DBBA2A6E9F22CAA751F4E***************************
ike 0:fortigate2nsx:2904: notify msg received: INVALID-ID-INFORMATION
ike 0: comes 137.x.y.z:500->5.x.y.z:500,ifindex=8....
ike 0: IKEv1 exchange=Quick id=47dbba2a6e9f22ca/a751f4ebe3ab9e75:c818312f len=428
ike 0: in 47DBBA2A6E9F22CAA751F4EBE3AB9E75081020******************************
ike 0:fortigate2nsx:2904:264199: responder received first quick-mode message
ike 0:fortigate2nsx:2904: dec 47DBBA2A6E9F22CAA751F4EBE3AB9E75081020****************************
ike 0:fortigate2nsx:2904:264199: peer proposal is: peer:0:10.10.10.0-10.10.10.255:0, me:0:192.168.2.0-192.168.2.255:0
ike 0:fortigate2nsx:2904:fortigate2nsx:264199: trying
ike 0:fortigate2nsx:2904:264199: no matching phase2 found
ike 0:fortigate2nsx:2904:264199: failed to get responder proposal
ike 0:fortigate2nsx:2904: error processing quick-mode message from 137.x.y.z as responder
ike 0:fortigate2nsx:2904: out 47DBBA2A6E9F22CAA751F4EBE3AB9E75081020013E5C200**************************
ike 0:fortigate2nsx:2904: sent IKE msg (P2_RETRANSMIT): 5.x.y.z:500->137.x.y.z:500, len=428, id=47dbba2a6e9f22ca/a751f4ebe3ab9e75:3e5c2006
ike 0: comes 137.x.y.z:500->5.x.y.z:500,ifindex=8....
ike 0: IKEv1 exchange=Informational id=47dbba2a6e9f22ca/a751f4ebe3ab9e75:cca959f8 len=76
ike 0: in 47DBBA2A6E9F22CAA751F4EBE3AB9E7508100501CCA95**********************************************
ike 0:fortigate2nsx:2904: dec 47DBBA2A6E9F22CAA751F4EBE3AB9E7508100501C********************************************
ike 0:fortigate2nsx:2904: notify msg received: INVALID-ID-INFORMATION
ike 0:fortigate2nsx:2904:fortigate2nsx:264197: quick-mode negotiation failed due to retry timeout
ike 0:fortigate2nsx:2904: send IKE SA delete 47dbba2a6e9f22ca/a751f4ebe3ab9e75
ike 0:fortigate2nsx:2904: enc 47DBBA2A6E9F22CAA751F4EBE3AB9E750810050118A8*****************************
ike 0:fortigate2nsx:2904: out 47DBBA2A6E9F22CAA751F4EBE3AB9E7***************************
ike 0:fortigate2nsx:2904: sent IKE msg (ISAKMP SA DELETE-NOTIFY): 5.x.y.z:500->137.x.y.z:500, len=92, id=47dbba2a6e9f22ca/a751f4ebe3ab9e75:18a86c52
ike 0:fortigate2nsx: connection expiring due to phase1 down
ike 0:fortigate2nsx: deleting
ike 0:fortigate2nsx: deleted
ike 0:fortigate2nsx: set oper down
ike 0:fortigate2nsx: schedule auto-negotiate
ike 0:fortigate2nsx: carrier down
ike 0: comes 137.x.y.z:500->5.x.y.z:500,ifindex=8....
ike 0: IKEv1 exchange=Informational id=47dbba2a6e9f22ca/a751f4ebe3ab9e75:4bebd856 len=92
ike 0: in 47DBBA2A6E9F22CAA751F4EBE3AB9E7508100****************************************
ike 0: no established IKE SA for exchange-type Informational from 137.x.y.z:500->5.x.y.z 8 cookie 47dbba2a6e9f22ca/a751f4ebe3ab9e75, drop
ike 0:fortigate2nsx: auto-negotiate connection
ike 0:fortigate2nsx: created connection: 0x17cd46e0 8 5.x.y.z->137.x.y.z:500.
ike 0:fortigate2nsx:2905: initiator: main mode is sending 1st message...
ike 0:fortigate2nsx:2905: cookie 334fb40860461a9b/0000000000000000
ike 0:fortigate2nsx:2905: out 334FB40860461A9B00000000000000000110000000010000******************
ike 0:fortigate2nsx:2905: sent IKE msg (ident_i1send): 5.x.y.z:500->137.x.y.z:500, len=168, id=334fb40860461a9b/0000000000000000
ike 0: comes 137.x.y.z:500->5.x.y.z:500,ifindex=8....
ike 0: IKEv1 exchange=Identity Protection id=334fb40860461a9b/d31f75929acc627c len=120
ike 0: in 334FB40860461A9BD31F75929ACC627C011002000000000**********************
ike 0:fortigate2nsx:2905: initiator: main mode get 1st response...
ike 0:fortigate2nsx:2905: VID unknown (12): OSW{UGAoLgKd
ike 0:fortigate2nsx:2905: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:fortigate2nsx:2905: DPD negotiated
ike 0:fortigate2nsx:2905: negotiation result
ike 0:fortigate2nsx:2905: proposal id = 1:
ike 0:fortigate2nsx:2905: protocol id = ISAKMP:
ike 0:fortigate2nsx:2905: trans_id = KEY_IKE.
ike 0:fortigate2nsx:2905: encapsulation = IKE/none
ike 0:fortigate2nsx:2905: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:fortigate2nsx:2905: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:fortigate2nsx:2905: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fortigate2nsx:2905: type=OAKLEY_GROUP, val=MODP2048.
ike 0:fortigate2nsx:2905: ISAKMP SA lifetime=28800
ike 0:fortigate2nsx:2905: out 334FB40860461A9BD31F75929ACC627C0410020000000000000001340A00010*************************
ike 0:fortigate2nsx:2905: sent IKE msg (ident_i2send): 5.x.y.z:500->137.x.y.z:500, len=308, id=334fb40860461a9b/d31f75929acc627c
ike 0: comes 137.x.y.z:500->5.x.y.z:500,ifindex=8....
ike 0: IKEv1 exchange=Identity Protection id=334fb40860461a9b/d31f75929acc627c len=308
ike 0: in 334FB40860461A9BD31F75929ACC627C04100200000000000000013******************************
ike 0:fortigate2nsx:2905: initiator: main mode get 2nd response...
ike 0:fortigate2nsx:2905: nat unavailable
ike 0:fortigate2nsx:2905: ISAKMP SA 334fb40860461a9b/d31f75929acc627c key 32:BA5B8277704C63DBA31FC32DF51406BBAE5145193D0FEB878DA9C883715CEC34
ike 0:fortigate2nsx:2905: add INITIAL-CONTACT
ike 0:fortigate2nsx:2905: enc 334FB40860461A9BD31F75929ACC627C0510020100000000000000******************************
ike 0:fortigate2nsx:2905: out 334FB40860461A9BD31F75929ACC627C0510020100000000000000**************************
ike 0:fortigate2nsx:2905: sent IKE msg (ident_i3send): 5.x.y.z:500->137.x.y.z:500, len=108, id=334fb40860461a9b/d31f75929acc627c
ike 0: comes 137.x.y.z:500->5.x.y.z:500,ifindex=8....
ike 0: IKEv1 exchange=Identity Protection id=334fb40860461a9b/d31f75929acc627c len=76
ike 0: in 334FB40860461A9BD31F75929ACC627C05100201000000000000004C14E2**************************
ike 0:fortigate2nsx:2905: initiator: main mode get 3rd response...
ike 0:fortigate2nsx:2905: dec 334FB40860461A9BD31F75929ACC627C05100201000000000000004************************
ike 0:fortigate2nsx:2905: peer identifier IPV4_ADDR 137.x.y.z
ike 0:fortigate2nsx:2905: PSK authentication succeeded
ike 0:fortigate2nsx:2905: authentication OK
ike 0:fortigate2nsx:2905: established IKE SA 334fb40860461a9b/d31f75929acc627c
ike 0:fortigate2nsx: set oper up
ike 0:fortigate2nsx: schedule auto-negotiate
ike 0:fortigate2nsx:2905: no pending Quick-Mode negotiations
ike 0:fortigate2nsx: carrier up
ike 0: comes 137.x.y.z:500->5.x.y.z:500,ifindex=8....
ike 0: IKEv1 exchange=Quick id=334fb40860461a9b/d31f75929acc627c:8daa3b23 len=428
ike 0: in 334FB40860461A9BD31F75929ACC627C081020018DAA3B23000001AC ***************
ike 0:fortigate2nsx:2905:264202: responder received first quick-mode message
ike 0:fortigate2nsx:2905: dec 334FB40860461A9BD31F75929ACC627C081020018D*************************
ike 0:fortigate2nsx:2905:264202: peer proposal is: peer:0:10.10.10.0-10.10.10.255:0, me:0:192.168.2.0-192.168.2.255:0
ike 0:fortigate2nsx:2905:fortigate2nsx:264202: trying
ike 0:fortigate2nsx:2905:264202: no matching phase2 found
ike 0:fortigate2nsx:2905:264202: failed to get responder proposal
ike 0:fortigate2nsx:2905: error processing quick-mode message from 137.x.y.z as responder
ike 0: comes 137.x.y.z:500->5.x.y.z:500,ifindex=8....
ike 0: IKEv1 exchange=Quick id=334fb40860461a9b/d31f75929acc627c:8daa3b23 len=428
ike 0: in 334FB40860461A9BD31F75929ACC627C081020018DAA3B23000001A*********************
ike 0:fortigate2nsx:2905:264203: responder received first quick-mode message
ike 0:fortigate2nsx:2905: dec 334FB40860461A9BD31F75929ACC627C081020018DAA3B23000001AC0*****************
ike 0:fortigate2nsx:2905:264203: peer proposal is: peer:0:10.10.10.0-10.10.10.255:0, me:0:192.168.2.0-192.168.2.255:0
ike 0:fortigate2nsx:2905:fortigate2nsx:264203: trying
ike 0:fortigate2nsx:2905:264203: no matching phase2 found
ike 0:fortigate2nsx:2905:264203: failed to get responder proposal
ike 0:fortigate2nsx:2905: error processing quick-mode message from 137.x.y.z as responder

 

Can somebody help me?

 

thanks
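
The debug output in the post shows phase 1 completing and each incoming quick-mode request ending in `no matching phase2 found`. The following is an added example, not part of the original post: it pulls the selectors the peer proposed on each rejected request out of such a log so they can be compared with the subnets behind `src-name` and `dst-name`. The sample lines are copied from the post; the CIDR values passed to `selector_mismatch` are assumptions, since the post does not show the contents of the two address objects.

```python
import ipaddress
import re

# Constructed sample: a few lines copied from the debug output in the post.
SAMPLE_LOG = """\
ike 0:fortigate2nsx:2905: PSK authentication succeeded
ike 0:fortigate2nsx:2905: established IKE SA 334fb40860461a9b/d31f75929acc627c
ike 0:fortigate2nsx:2905:264202: peer proposal is: peer:0:10.10.10.0-10.10.10.255:0, me:0:192.168.2.0-192.168.2.255:0
ike 0:fortigate2nsx:2905:264202: no matching phase2 found
ike 0:fortigate2nsx:2905: notify msg received: INVALID-ID-INFORMATION
"""

PROPOSAL = re.compile(
    r"ike \d+:(?P<tunnel>[^:]+):\d+:(?P<qm>\d+): peer proposal is: "
    r"peer:\d+:(?P<pstart>[\d.]+)-(?P<pend>[\d.]+):\d+, "
    r"me:\d+:(?P<mstart>[\d.]+)-(?P<mend>[\d.]+):\d+")
NO_MATCH = re.compile(r"ike \d+:[^:]+:\d+:(?P<qm>\d+): no matching phase2 found")

def to_networks(start, end):
    """Collapse an inclusive address range into the CIDR blocks that cover it."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)))

def rejected_proposals(log_text):
    """Return the selectors of quick-mode proposals logged as having no match."""
    proposals, rejected = {}, []
    for line in log_text.splitlines():
        m = PROPOSAL.search(line)
        if m:
            proposals[m["qm"]] = {
                "tunnel": m["tunnel"],
                "remote": to_networks(m["pstart"], m["pend"]),
                "local": to_networks(m["mstart"], m["mend"]),
            }
            continue
        m = NO_MATCH.search(line)
        if m and m["qm"] in proposals:
            rejected.append(proposals[m["qm"]])
    return rejected

def selector_mismatch(proposal, local_cidr, remote_cidr):
    """Flag which side of a rejected proposal differs from the configured subnets.

    local_cidr / remote_cidr are the values of the address objects named in
    src-name / dst-name (assumed inputs; read them from the firewall config).
    """
    return {"local": proposal["local"] != [ipaddress.ip_network(local_cidr)],
            "remote": proposal["remote"] != [ipaddress.ip_network(remote_cidr)]}
```
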
