Hi everyone. To preface this, I typically don't deal with Fortigate equipment, so I'm new to the platform, but I do use other vendors' firewalls regularly. I'm reasonably sure I've got my config on my end in order, but it's 100% possible I've made a mistake in my configuration. However, this is my read on what I'm seeing here.
I've got a VPN set up with another company in a remote country with a giant time zone difference, which makes this more difficult to deal with. I've set up my end and provided them with the criteria to make the connection with, and once they had their configuration in place we made an attempt to bring up the link. We can't seem to make it out of Phase 1 into Phase 2 negotiations. See below for a sanitized version of the debug log of our attempted connection:
ike 0:VPN: schedule auto-negotiate
ike 0:VPN:VPN: chosen to populate IKE_SA traffic-selectors
ike 0:VPN: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
ike 0:VPN:139129: out [packet hex omitted]
ike 0:VPN:139129: sent IKE msg (SA_INIT): Source IP:500->Destination IP:500, len=316, vrf=0, id=756317aa05c7043e/0000000000000000
ike 0: comes Destination IP:500->Source IP:500,ifindex=7,vrf=0....
ike 0: IKEv2 exchange=SA_INIT_RESPONSE id=756317aa05c7043e/f31f8b219a47ffb8 len=324
ike 0: in [packet hex omitted]
ike 0:VPN:139129: initiator received SA_INIT response
ike 0:VPN:139129: processing notify type NAT_DETECTION_SOURCE_IP
ike 0:VPN:139129: processing NAT-D payload
ike 0:VPN:139129: NAT not detected
ike 0:VPN:139129: process NAT-D
ike 0:VPN:139129: processing notify type NAT_DETECTION_DESTINATION_IP
ike 0:VPN:139129: processing NAT-D payload
ike 0:VPN:139129: NAT not detected
ike 0:VPN:139129: process NAT-D
ike 0:VPN:139129: processing notify type FRAGMENTATION_SUPPORTED
ike 0:VPN:139129: processing notify type 16404
ike 0:VPN:139129: incoming proposal:
ike 0:VPN:139129: proposal id = 1:
ike 0:VPN:139129: protocol = IKEv2:
ike 0:VPN:139129: encapsulation = IKEv2/none
ike 0:VPN:139129: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:VPN:139129: type=INTEGR, val=AUTH_HMAC_SHA2_512_256
ike 0:VPN:139129: type=PRF, val=PRF_HMAC_SHA2_512
ike 0:VPN:139129: type=DH_GROUP, val=ECP521.
ike 0:VPN:139129: matched proposal id 1
ike 0:VPN:139129: proposal id = 1:
ike 0:VPN:139129: protocol = IKEv2:
ike 0:VPN:139129: encapsulation = IKEv2/none
ike 0:VPN:139129: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:VPN:139129: type=INTEGR, val=AUTH_HMAC_SHA2_512_256
ike 0:VPN:139129: type=PRF, val=PRF_HMAC_SHA2_512
ike 0:VPN:139129: type=DH_GROUP, val=ECP521.
ike 0:VPN:139129: lifetime=86400
ike 0:VPN:139129: IKE SA 756317aa05c7043e/f31f8b219a47ffb8 SK_ei 32:528079CCB504700AF92FF09B07D379A4B4B55AB7DD3A466B76D3C03C2BC97102
ike 0:VPN:139129: IKE SA 756317aa05c7043e/f31f8b219a47ffb8 SK_er 32:9FA507DBC218D82F55B01036344D1120877CA7F9C6A4BDA1E72547213D3FC5F5
ike 0:VPN:139129: IKE SA 756317aa05c7043e/f31f8b219a47ffb8 SK_ai 64:8160A6418343FB8A102193C4B9AEE97B022E724A8805151431245FF9F09C0987A6C727D0F6AA57E4EDE821FAB53534CC964D5C362DE4A962415EE774728A8F83
ike 0:VPN:139129: IKE SA 756317aa05c7043e/f31f8b219a47ffb8 SK_ar 64:607FE3A60A042B18C3802BC4ABAE38CE02B3162C9C5CF24036CF17B74520D4876173AFD3958E4A02522D611D2BF5E9A08FFAC94B6C1EEF37498390642B5B8309
ike 0:VPN:139129: initiator preparing AUTH msg
ike 0:VPN:139129: sending INITIAL-CONTACT
ike 0:VPN:139129: enc 2900000C0100000018DE17EE270000080000400029000048020000000938294BB7C4981DADDD042D60549B636CCFF3AB8632D83ABE1DC9C4236C75E0990E01CF62C19E3BC99A1A8A2E98B52781177B2E1C5525C0C6A5EF043CC73C9121000008000040242C00002C0000002801030403A3DD186D0300000C0100000C800E0100030000080300000E00000008050000002D00001801000000070000100000FFFFC0A80A00C0A80AFF0000001801000000070000100000FFFFC0A80200C0A802FF0F0E0D0C0B0A0908070605040302010F
ike 0:VPN:139129: out [packet hex omitted]
ike 0:VPN:139129: sent IKE msg (AUTH): Source IP:500->Destination IP:500, len=288, vrf=0, id=756317aa05c7043e/f31f8b219a47ffb8:00000001
ike 0: comes Destination IP:500->Source IP:500,ifindex=7,vrf=0....
ike 0: IKEv2 exchange=AUTH_RESPONSE id=756317aa05c7043e/f31f8b219a47ffb8:00000001 len=96
ike 0: in 756317AA05C7043EF31F8B219A47FFB82E2023200000000100000060290000440DE027B8AC83CFDC49E1CDAD59519E72B115BE9E0BE1F82FFAC586EA027981ED2288E315D08F51FB4D76698F1574999AFEABF07274E49A704E8187FAC806521E
ike 0:VPN:139129: dec 756317AA05C7043EF31F8B219A47FFB82E2023200000000100000028290000040000000800000018
ike 0:VPN:139129: initiator received AUTH msg
ike 0:VPN:139129: received notify type AUTHENTICATION_FAILED
ike 0:VPN:139129: schedule delete of IKE SA 756317aa05c7043e/f31f8b219a47ffb8
ike 0:VPN:139129: scheduled delete of IKE SA 756317aa05c7043e/f31f8b219a47ffb8
ike 0:VPN: connection expiring due to phase1 down
ike 0:VPN: deleting
ike 0:VPN: deleted
Based on documentation (to be honest, mostly forum posts on the Fortinet site), my read on this is that we get to Phase 1 negotiations. We seem to be agreeing on a set of ciphers, and then when we get to the pre-shared key check (which I THINK is the AUTH message back and forth) we fail, and the process stops.
Am I reading that correctly, or is there something else that I'm missing there? The other end of the link seems pretty certain that the password is right on their end, but what I'm seeing, I think, is telling me otherwise. If someone could weigh in on this, I would really appreciate it.
Obviously if there's information I've left out that may be useful, please let me know and I can provide it (obviously in a sanitized form).
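The hex on the `enc` and `dec` lines in the log above can be decoded directly, which settles the question of which step fails. The following is an added example, not part of the post and not Fortinet code; it parses those two dumps according to the IKEv2 wire format in RFC 7296. The `dec` line carries the peer's full IKE header, so its first payload type is known; the `enc` line is only the decrypted contents of our request, whose first payload type lives in the (unprinted) SK header, so the decoder assumes it is IDi, which is what an initiator sends first in IKE_AUTH. Only the notify and ID codes actually seen in this thread are tabled; anything else is reported numerically.

```python
"""Decode the 'enc'/'dec' hex dumps FortiGate prints for IKEv2 under
'diagnose debug application ike -1'. Added example, not Fortinet code; layouts per RFC 7296."""
import ipaddress
import struct

EXCHANGE = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD = {33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 38: "CERTREQ", 39: "AUTH",
           40: "Nonce", 41: "Notify", 42: "Delete", 43: "VendorID", 44: "TSi", 45: "TSr",
           46: "SK", 47: "CP", 48: "EAP"}
NOTIFY = {14: "NO_PROPOSAL_CHOSEN", 24: "AUTHENTICATION_FAILED", 16384: "INITIAL_CONTACT",
          16388: "NAT_DETECTION_SOURCE_IP", 16389: "NAT_DETECTION_DESTINATION_IP",
          16404: "MULTIPLE_AUTH_SUPPORTED", 16420: "IKEV2_MESSAGE_ID_SYNC_SUPPORTED"}
ID_TYPE = {1: "IPV4_ADDR", 2: "FQDN", 3: "RFC822_ADDR", 5: "IPV6_ADDR", 9: "DER_ASN1_DN", 11: "KEY_ID"}
AUTH_METHOD = {1: "RSA_SIGNATURE", 2: "SHARED_KEY_MIC", 3: "DSS_SIGNATURE", 14: "DIGITAL_SIGNATURE"}
TRANSFORM = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "DH", 5: "ESN"}
PROTO = {1: "IKE", 2: "AH", 3: "ESP"}

# Copied from the post: 'enc' = our IKE_AUTH request (decrypted SK contents, no IKE header),
# 'dec' = the peer's reply, IKE header included.
AUTH_REQUEST_HEX = (
    "2900000C0100000018DE17EE270000080000400029000048020000000938294BB7C4981DADDD042D"
    "60549B636CCFF3AB8632D83ABE1DC9C4236C75E0990E01CF62C19E3BC99A1A8A2E98B52781177B2E"
    "1C5525C0C6A5EF043CC73C9121000008000040242C00002C0000002801030403A3DD186D0300000C"
    "0100000C800E0100030000080300000E00000008050000002D00001801000000070000100000FFFF"
    "C0A80A00C0A80AFF0000001801000000070000100000FFFFC0A80200C0A802FF0F0E0D0C0B0A0908"
    "070605040302010F")
AUTH_RESPONSE_HEX = "756317AA05C7043EF31F8B219A47FFB82E2023200000000100000028290000040000000800000018"

def parse_header(buf):
    """Fixed 28-byte IKE header: SPIs, first payload, version, exchange type, flags, msg id, length."""
    spi_i, spi_r, nxt, _ver, exch, flags, msg_id, length = struct.unpack("!8s8sBBBBII", buf[:28])
    return {"spi_i": spi_i.hex(), "spi_r": spi_r.hex(), "first_payload": nxt,
            "exchange": EXCHANGE.get(exch, str(exch)), "response": bool(flags & 0x20),
            "msg_id": msg_id, "length": length}

def parse_attrs(raw):
    """Transform attributes: TV form (AF bit set, 2-byte value, e.g. 14 = key length) or TLV form."""
    attrs, off = {}, 0
    while off + 4 <= len(raw):
        atype, val = struct.unpack("!HH", raw[off:off + 4])
        if atype & 0x8000:
            attrs[atype & 0x7FFF], off = val, off + 4
        else:
            attrs[atype], off = raw[off + 4:off + 4 + val], off + 4 + val
    return attrs

def parse_sa(body):
    """SA payload: proposals, each with protocol, SPI and (type, id, attrs) transforms."""
    proposals, off = [], 0
    while off < len(body):
        _, _, plen, num, proto, spi_size, ntrans = struct.unpack("!BBHBBBB", body[off:off + 8])
        spi, toff, transforms = body[off + 8:off + 8 + spi_size], off + 8 + spi_size, []
        for _ in range(ntrans):
            _, _, tlen, ttype, _, tid = struct.unpack("!BBHBBH", body[toff:toff + 8])
            transforms.append((TRANSFORM.get(ttype, str(ttype)), tid, parse_attrs(body[toff + 8:toff + tlen])))
            toff += tlen
        proposals.append({"num": num, "proto": PROTO.get(proto, str(proto)), "spi": spi.hex(),
                          "transforms": transforms})
        off += plen
    return proposals

def parse_ts(body):
    """Traffic selectors: count, 3 reserved, then (type, ip proto, len, start/end port, start/end addr)."""
    sels, off = [], 4
    for _ in range(body[0]):
        _ts_type, proto, tlen, sport, eport = struct.unpack("!BBHHH", body[off:off + 8])
        alen = (tlen - 8) // 2
        start = ipaddress.ip_address(body[off + 8:off + 8 + alen])
        end = ipaddress.ip_address(body[off + 8 + alen:off + tlen])
        sels.append(f"{start}-{end} proto {proto} ports {sport}-{eport}")
        off += tlen
    return sels

def describe(ptype, body):
    """One payload body -> small dict; types not handled here just report their length."""
    name = PAYLOAD.get(ptype, str(ptype))
    if ptype == 41:                                   # Notify: proto, SPI size, notify type
        _, _, ntype = struct.unpack("!BBH", body[:4])
        return {"type": name, "notify": NOTIFY.get(ntype, str(ntype)), "code": ntype}
    if ptype in (35, 36):                             # IDi/IDr: id type, 3 reserved, data
        idt, data = body[0], body[4:]
        value = str(ipaddress.ip_address(data)) if idt in (1, 5) else (
            data.decode("ascii", "replace") if idt in (2, 3) else data.hex())
        return {"type": name, "id_type": ID_TYPE.get(idt, str(idt)), "value": value}
    if ptype == 39:                                   # AUTH: method, 3 reserved, auth data
        return {"type": name, "method": AUTH_METHOD.get(body[0], str(body[0])), "data_len": len(body) - 4}
    if ptype == 33:
        return {"type": name, "proposals": parse_sa(body)}
    if ptype in (44, 45):
        return {"type": name, "selectors": parse_ts(body)}
    return {"type": name, "len": len(body)}

def walk_payloads(buf, off, ptype):
    """Follow the next-payload chain from 'off'; returns the payload dicts and the end offset."""
    out = []
    while ptype != 0 and off + 4 <= len(buf):
        nxt, _, plen = struct.unpack("!BBH", buf[off:off + 4])
        if plen < 4:
            break
        out.append(describe(ptype, buf[off + 4:off + plen]))
        off, ptype = off + plen, nxt
    return out, off

def decode_message(hexdump):
    """Dump that starts with the IKE header ('dec' lines)."""
    buf = bytes.fromhex(hexdump)
    hdr = parse_header(buf)
    return hdr, walk_payloads(buf, 28, hdr["first_payload"])[0]

def decode_plaintext(hexdump, first_payload):
    """Dump of decrypted SK contents only ('enc' lines); caller supplies the first payload type."""
    buf = bytes.fromhex(hexdump)
    payloads, end = walk_payloads(buf, 0, first_payload)
    return payloads, buf[end:]          # leftover bytes are cipher padding plus the pad-length byte

def diagnose(request, header, response):
    """Map the decoded exchange onto the question in the post: which step failed."""
    notifies = {p["notify"] for p in response if p["type"] == "Notify"}
    auth = next((p["method"] for p in request if p["type"] == "AUTH"), "no AUTH payload")
    if "NO_PROPOSAL_CHOSEN" in notifies:
        return "proposal mismatch: compare phase 1 / phase 2 algorithms"
    if header["exchange"] == "IKE_AUTH" and "AUTHENTICATION_FAILED" in notifies:
        return f"IKE_SA_INIT completed (reply decrypted); peer rejected IKE_AUTH using {auth}: check PSK and IDs"
    return "no error notify in reply"
```

Running `decode_plaintext(AUTH_REQUEST_HEX, 35)` shows our request as IDi, Notify INITIAL_CONTACT, AUTH with method SHARED_KEY_MIC and a 64-byte MIC (the size of the negotiated PRF_HMAC_SHA2_512 output), a Notify, an ESP proposal (AES-CBC-256, HMAC-SHA2-512-256, no ESN) and the two /24 traffic selectors. `decode_message(AUTH_RESPONSE_HEX)` shows an IKE_AUTH response with message id 1 whose only content is Notify type 24, AUTHENTICATION_FAILED. Two practical points follow. First, the fact that the FortiGate could decrypt the reply at all means the Diffie-Hellman exchange and SK_e key derivation in IKE_SA_INIT succeeded on both sides, so the failure is confined to the authentication check: the peer computed a different AUTH value from ours, which with shared-key authentication means a different PSK or a different identity fed into the computation (the `localid`/`remote-id` settings the replies below mention). Second, a "sanitized" debug log is not sanitized if the hex dumps are left in: the IDi payload and traffic selectors in the `enc` line carry the real local identity and the protected subnets, so strip or redact those lines before posting.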
Yup, auth failed. So you have a PSK mismatch in my opinion, or one side is configured for certificate auth and not PSK, for example.
Hi @JonnyPartridge,
Is it an IPsec tunnel between two FortiGates? Please check the PSK and local id under phase1 configuration.
Regards,
It's actually between our Fortigate and a Sophos device. I've recommended my friends on the other end of the link check those settings as well though.
Thanks for the input.
Can you check whether the pre-shared keys match?
Hello,
From the given logs
received notify type AUTHENTICATION_FAILED
As per the log, it states that the authentication fails because of a mismatch in the pre-shared key or, if you use certificate authentication, the specific certificate should be imported accordingly.
We're not using certs, we're using a PSK. Unfortunately my colleagues on the other end of the connection are convinced that that isn't the issue. Right now I'm really just looking for a sanity check, because I also came to that conclusion (the mismatched key). I appreciate your response, if anything I can use this info to show the people on my end of this that I'm not out to lunch :p
Hi @JonnyPartridge,
Most likely the PSK is mismatched between both sides. Maybe try with something simple and then check the tunnel again?
Regards,
Minh
Can you check the debug on the other side to see if they are seeing a different error message.
Some vendors require local-id to be set. Here is an article with more information on that:
I appreciate everyone's advice. I'm reasonably sure that my initial take was correct; however, the people on the other side of the connection were not convinced of this and thus were a little difficult to work with. I eventually scrapped the plan to use a PTP VPN and worked around the issue using another solution, and now all is well again.
Thanks again for all of the advice. I really appreciate it.
Copyright 2024 Fortinet, Inc. All Rights Reserved.