Hello guys,
Currently we need to deploy a lot of IPsec VPNs on different IPs of my WAN interface.
For some reason I don't understand, the VPNs only work if I enable "ping" on the secondary addresses of the WAN interface.
Currently I have 31 IPs as secondary IPs on my WAN. FortiOS has a limitation of 32 IPs.
If I don't enable ping, IPsec doesn't work and I receive this output:
ike 0:ecea911495885ac4/0000000000000000:3203: responder: main mode get 1st message...
ike 0:ecea911495885ac4/0000000000000000:3203: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:ecea911495885ac4/0000000000000000:3203: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike 0:ecea911495885ac4/0000000000000000:3203: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:ecea911495885ac4/0000000000000000:3203: VID FORTIGATE 8299031757A36082C6A621DE00000000
ike 0:ecea911495885ac4/0000000000000000:3203: negotiation result
ike 0:ecea911495885ac4/0000000000000000:3203: proposal id = 1:
ike 0:ecea911495885ac4/0000000000000000:3203: protocol id = ISAKMP:
ike 0:ecea911495885ac4/0000000000000000:3203: trans_id = KEY_IKE.
ike 0:ecea911495885ac4/0000000000000000:3203: encapsulation = IKE/none
ike 0:ecea911495885ac4/0000000000000000:3203: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:ecea911495885ac4/0000000000000000:3203: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:ecea911495885ac4/0000000000000000:3203: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:ecea911495885ac4/0000000000000000:3203: type=OAKLEY_GROUP, val=MODP1536.
ike 0:ecea911495885ac4/0000000000000000:3203: ISAKMP SA lifetime=86400
ike 0:ecea911495885ac4/0000000000000000:3203: SA proposal chosen, matched gateway VPN_WINOV_SP
ike 0: found VPN_WINOV_SP 200.195.149.26 6 -> 170.231.15.66:500
ike 0:VPN_WINOV_SP:3203: peer is FortiGate/FortiOS (v0 b0)
ike 0:VPN_WINOV_SP:3203: cookie ecea911495885ac4/4fea753eb08576f2
ike 0:VPN_WINOV_SP:3203: out ECEA911495885AC44FEA753EB08576F20110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:VPN_WINOV_SP:3203: sent IKE msg (ident_r1send): 200.195.149.26:500->170.231.15.66:500, len=172, vrf=0, id=ecea911495885ac4/4fea753eb08576f2
ike 0: comes 170.231.15.66:500->200.195.149.26:500,ifindex=6,vrf=0....
ike 0: IKEv1 exchange=Identity Protection id=ecea911495885ac4/0000000000000000 len=172 vrf=0
ike 0: in ECEA911495885AC400000000000000000110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:VPN_WINOV_SP:3203: retransmission, re-send last message
ike 0:VPN_WINOV_SP:3203: out ECEA911495885AC44FEA753EB08576F20110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:VPN_WINOV_SP:3203: sent IKE msg (retransmit): 200.195.149.26:500->170.231.15.66:500, len=172, vrf=0, id=ecea911495885ac4/4fea753eb08576f2
ike 0:VPN_WINOV_SP:3203: out ECEA911495885AC44FEA753EB08576F20110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:VPN_WINOV_SP:3203: sent IKE msg (P1_RETRANSMIT): 200.195.149.26:500->170.231.15.66:500, len=172, vrf=0, id=ecea911495885ac4/4fea753eb08576f2
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: IPsec SA connect 6 200.195.149.26->170.231.15.66:0
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: using existing connection
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: config found
ike 0:VPN_WINOV_SP: request is on the queue
ike 0: comes 170.231.15.66:500->200.195.149.26:500,ifindex=6,vrf=0....
ike 0: IKEv1 exchange=Identity Protection id=ecea911495885ac4/0000000000000000 len=172 vrf=0
ike 0: in ECEA911495885AC400000000000000000110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:VPN_WINOV_SP:3203: retransmission, re-send last message
ike 0:VPN_WINOV_SP:3203: out ECEA911495885AC44FEA753EB08576F20110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:VPN_WINOV_SP:3203: sent IKE msg (retransmit): 200.195.149.26:500->170.231.15.66:500, len=172, vrf=0, id=ecea911495885ac4/4fea753eb08576f2
ike 0:VPN_WINOV_SP:3203: out ECEA911495885AC44FEA753EB08576F20110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:VPN_WINOV_SP:3203: sent IKE msg (P1_RETRANSMIT): 200.195.149.26:500->170.231.15.66:500, len=172, vrf=0, id=ecea911495885ac4/4fea753eb08576f2
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: IPsec SA connect 6 200.195.149.26->170.231.15.66:0
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: using existing connection
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: config found
ike 0:VPN_WINOV_SP: request is on the queue
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: IPsec SA connect 6 200.195.149.26->170.231.15.66:0
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: using existing connection
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: config found
ike 0:VPN_WINOV_SP: request is on the queue
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: IPsec SA connect 6 200.195.149.26->170.231.15.66:0
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: using existing connection
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: config found
ike 0:VPN_WINOV_SP: request is on the queue
ike 0: comes 170.231.15.66:500->200.195.149.26:500,ifindex=6,vrf=0....
ike 0: IKEv1 exchange=Identity Protection id=ecea911495885ac4/0000000000000000 len=172 vrf=0
ike 0: in ECEA911495885AC400000000000000000110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:VPN_WINOV_SP:3203: retransmission, re-send last message
ike 0:VPN_WINOV_SP:3203: out ECEA911495885AC44FEA753EB08576F20110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:VPN_WINOV_SP:3203: sent IKE msg (retransmit): 200.195.149.26:500->170.231.15.66:500, len=172, vrf=0, id=ecea911495885ac4/4fea753eb08576f2
ike 0:VPN_WINOV_SP:3203: out ECEA911495885AC44FEA753EB08576F20110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:VPN_WINOV_SP:3203: sent IKE msg (P1_RETRANSMIT): 200.195.149.26:500->170.231.15.66:500, len=172, vrf=0, id=ecea911495885ac4/4fea753eb08576f2
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: IPsec SA connect 6 200.195.149.26->170.231.15.66:0
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: using existing connection
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: config found
ike 0:VPN_WINOV_SP: request is on the queue
ike 0:VPN_WINOV_SP:3201: d3fcd5f5f857c37f/0000000000000000 negotiation of IKE SA failed due to retry timeout
ike 0:VPN_WINOV_SP:3201: expiring IKE SA d3fcd5f5f857c37f/0000000000000000
ike 0:VPN_WINOV_SP: deleting
ike 0:VPN_WINOV_SP: deleted
Am I doing something wrong?
Thanks
During the problem state, can you take a sniffer on the specific interface and check if there are proper ARP requests/replies?
To capture only ARP packets:
diagnose sniffer packet <interface name> "ether proto 0x0806" 4
And then capture the transactions between the peers:
diagnose sniffer packet <interface name> "host 200.195.149.26 and host 170.231.15.66" 6
Also, do you have DPD enabled? If so, can you try disabling DPD and check?
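Added here as an example (not code from the original post or from Fortinet): a small Python analyser for the `ike` debug output quoted above. It flags the pattern the log shows (our Phase 1 reply sent and then retransmitted while the peer keeps repeating message 1 with a zero responder cookie, ending in a retry timeout) and builds the two sniffer commands from the reply for that peer pair; the sample log is a constructed excerpt with the hex dumps trimmed, and the interface name is an assumed placeholder.

```python
import re
from collections import Counter

# Constructed excerpt of the FortiOS "ike" debug output from the post (hex dumps trimmed).
SAMPLE_LOG = """\
ike 0:ecea911495885ac4/0000000000000000:3203: responder: main mode get 1st message...
ike 0:VPN_WINOV_SP:3203: sent IKE msg (ident_r1send): 200.195.149.26:500->170.231.15.66:500, len=172, vrf=0, id=ecea911495885ac4/4fea753eb08576f2
ike 0: IKEv1 exchange=Identity Protection id=ecea911495885ac4/0000000000000000 len=172 vrf=0
ike 0:VPN_WINOV_SP:3203: sent IKE msg (retransmit): 200.195.149.26:500->170.231.15.66:500, len=172, vrf=0, id=ecea911495885ac4/4fea753eb08576f2
ike 0:VPN_WINOV_SP:3203: sent IKE msg (P1_RETRANSMIT): 200.195.149.26:500->170.231.15.66:500, len=172, vrf=0, id=ecea911495885ac4/4fea753eb08576f2
ike 0: IKEv1 exchange=Identity Protection id=ecea911495885ac4/0000000000000000 len=172 vrf=0
ike 0:VPN_WINOV_SP:3203: sent IKE msg (retransmit): 200.195.149.26:500->170.231.15.66:500, len=172, vrf=0, id=ecea911495885ac4/4fea753eb08576f2
ike 0:VPN_WINOV_SP:3201: d3fcd5f5f857c37f/0000000000000000 negotiation of IKE SA failed due to retry timeout
"""

SENT_RE = re.compile(r"sent IKE msg \((\w+)\): (\S+?):\d+->(\S+?):\d+")
IN_RE = re.compile(r"IKEv1 exchange=Identity Protection id=([0-9a-f]{16})/([0-9a-f]{16})")
TIMEOUT_RE = re.compile(r"negotiation of IKE SA failed due to retry timeout")

def analyze_ike_debug(log):
    """Summarise a Phase 1 responder exchange and decide whether our replies look lost."""
    sent = Counter()
    local = remote = None
    inbound_total = inbound_msg1 = 0
    timed_out = False
    for line in log.splitlines():
        m = SENT_RE.search(line)
        if m:
            sent[m.group(1)] += 1
            local, remote = m.group(2), m.group(3)
            continue
        m = IN_RE.search(line)
        if m:
            inbound_total += 1
            if m.group(2) == "0" * 16:   # responder cookie still zero: peer is repeating message 1
                inbound_msg1 += 1
            continue
        if TIMEOUT_RE.search(line):
            timed_out = True
    retransmits = sent["retransmit"] + sent["P1_RETRANSMIT"]
    # We answered message 1, kept retransmitting, and every inbound packet was message 1 again:
    # the peer never saw our reply, so check ARP/reachability of the local (secondary) address.
    reply_lost = (sent["ident_r1send"] > 0 and retransmits > 0
                  and inbound_total > 0 and inbound_msg1 == inbound_total)
    return {"local": local, "remote": remote, "retransmits": retransmits,
            "inbound_msg1_repeats": inbound_msg1, "timed_out": timed_out, "reply_lost": reply_lost}

def sniffer_commands(summary, interface="wan1"):
    """The two capture commands from the reply, filled in for this peer pair (interface is a placeholder)."""
    return [f'diagnose sniffer packet {interface} "ether proto 0x0806" 4',
            f'diagnose sniffer packet {interface} "host {summary["local"]} and host {summary["remote"]}" 6']
```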