Hi everyone. To preface this, I typically don't deal with Fortigate equipment, so I'm new to the platform, but I do use other vendors' firewalls regularly. I'm reasonably sure I've got my config on my end here in order, but it's 100% possible I've made a mistake in my configuration. However, this is my read on what I'm seeing here.
I've got a VPN set up with another company in a remote country with a giant time zone difference, making this more difficult to deal with. I've set up my end and provided them with the criteria to make the connection with and made an attempt, when they had their configuration in place, to bring up the link. We can't seem to make it out of Phase 1 into Phase 2 negotiations. See below for a sanitized version of the debug log of our attempted connection:
ike 0:VPN: schedule auto-negotiate
ike 0:VPN:VPN: chosen to populate IKE_SA traffic-selectors
ike 0:VPN: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
ike 0:VPN:139129: out
ike 0:VPN:139129: sent IKE msg (SA_INIT): Source IP:500->Destination IP:500, len=316, vrf=0, id=756317aa05c7043e/0000000000000000
ike 0: comes Destination IP:500->Source IP:500,ifindex=7,vrf=0....
ike 0: IKEv2 exchange=SA_INIT_RESPONSE id=756317aa05c7043e/f31f8b219a47ffb8 len=324
ike 0: in 756317AA05C7043EF31F8B219A47FFB8212022200000000000000144220000300000002C010100040300000C0100000C800E0100030000080300000E030000080200000700000008040000152800008C0015000000E050E8D7EBA45F45610435C61CDB2AFCB84DB9619C88D0D2D94F69262F97D5F35ED2935FF06F3348131064485801F616CF025DDD07291940A01A03E6EF57875EA8004645BFFF811D840DD90A714236F39529646B0F02C131D8AA213A15F8DCBDC9016F08049004668E4E3E9A5ABAC963E880CA7E438392C21088DDCFDB5A1E3908A9FB290000242CD8E241FF19CFC1DC56A7EBEDACDDB089C5D6BDDEC4638B4F8BA0FFB92631652900001C0000400409F2CB6EBF9C01B1F0DA883D18681FFED6DC4AE42900001C0000400584D42BB3016EA1F53A46F7E3E23502219B062088290000080000402E0000000800004014
ike 0:VPN:139129: initiator received SA_INIT response
ike 0:VPN:139129: processing notify type NAT_DETECTION_SOURCE_IP
ike 0:VPN:139129: processing NAT-D payload
ike 0:VPN:139129: NAT not detected
ike 0:VPN:139129: process NAT-D
ike 0:VPN:139129: processing notify type NAT_DETECTION_DESTINATION_IP
ike 0:VPN:139129: processing NAT-D payload
ike 0:VPN:139129: NAT not detected
ike 0:VPN:139129: process NAT-D
ike 0:VPN:139129: processing notify type FRAGMENTATION_SUPPORTED
ike 0:VPN:139129: processing notify type 16404
ike 0:VPN:139129: incoming proposal:
ike 0:VPN:139129: proposal id = 1:
ike 0:VPN:139129: protocol = IKEv2:
ike 0:VPN:139129: encapsulation = IKEv2/none
ike 0:VPN:139129: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:VPN:139129: type=INTEGR, val=AUTH_HMAC_SHA2_512_256
ike 0:VPN:139129: type=PRF, val=PRF_HMAC_SHA2_512
ike 0:VPN:139129: type=DH_GROUP, val=ECP521.
ike 0:VPN:139129: matched proposal id 1
ike 0:VPN:139129: proposal id = 1:
ike 0:VPN:139129: protocol = IKEv2:
ike 0:VPN:139129: encapsulation = IKEv2/none
ike 0:VPN:139129: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:VPN:139129: type=INTEGR, val=AUTH_HMAC_SHA2_512_256
ike 0:VPN:139129: type=PRF, val=PRF_HMAC_SHA2_512
ike 0:VPN:139129: type=DH_GROUP, val=ECP521.
ike 0:VPN:139129: lifetime=86400
ike 0:VPN:139129: IKE SA 756317aa05c7043e/f31f8b219a47ffb8 SK_ei 32:528079CCB504700AF92FF09B07D379A4B4B55AB7DD3A466B76D3C03C2BC97102
ike 0:VPN:139129: IKE SA 756317aa05c7043e/f31f8b219a47ffb8 SK_er 32:9FA507DBC218D82F55B01036344D1120877CA7F9C6A4BDA1E72547213D3FC5F5
ike 0:VPN:139129: IKE SA 756317aa05c7043e/f31f8b219a47ffb8 SK_ai 64:8160A6418343FB8A102193C4B9AEE97B022E724A8805151431245FF9F09C0987A6C727D0F6AA57E4EDE821FAB53534CC964D5C362DE4A962415EE774728A8F83
ike 0:VPN:139129: IKE SA 756317aa05c7043e/f31f8b219a47ffb8 SK_ar 64:607FE3A60A042B18C3802BC4ABAE38CE02B3162C9C5CF24036CF17B74520D4876173AFD3958E4A02522D611D2BF5E9A08FFAC94B6C1EEF37498390642B5B8309
ike 0:VPN:139129: initiator preparing AUTH msg
ike 0:VPN:139129: sending INITIAL-CONTACT
ike 0:VPN:139129: enc 2900000C0100000018DE17EE270000080000400029000048020000000938294BB7C4981DADDD042D60549B636CCFF3AB8632D83ABE1DC9C4236C75E0990E01CF62C19E3BC99A1A8A2E98B52781177B2E1C5525C0C6A5EF043CC73C9121000008000040242C00002C0000002801030403A3DD186D0300000C0100000C800E0100030000080300000E00000008050000002D00001801000000070000100000FFFFC0A80A00C0A80AFF0000001801000000070000100000FFFFC0A80200C0A802FF0F0E0D0C0B0A0908070605040302010F
ike 0:VPN:139129: out
ike 0:VPN:139129: sent IKE msg (AUTH): Source IP:500->Destination IP:500, len=288, vrf=0, id=756317aa05c7043e/f31f8b219a47ffb8:00000001
ike 0: comes Destination IP:500->Source IP:500,ifindex=7,vrf=0....
ike 0: IKEv2 exchange=AUTH_RESPONSE id=756317aa05c7043e/f31f8b219a47ffb8:00000001 len=96
ike 0: in 756317AA05C7043EF31F8B219A47FFB82E2023200000000100000060290000440DE027B8AC83CFDC49E1CDAD59519E72B115BE9E0BE1F82FFAC586EA027981ED2288E315D08F51FB4D76698F1574999AFEABF07274E49A704E8187FAC806521E
ike 0:VPN:139129: dec 756317AA05C7043EF31F8B219A47FFB82E2023200000000100000028290000040000000800000018
ike 0:VPN:139129: initiator received AUTH msg
ike 0:VPN:139129: received notify type AUTHENTICATION_FAILED
ike 0:VPN:139129: schedule delete of IKE SA 756317aa05c7043e/f31f8b219a47ffb8
ike 0:VPN:139129: scheduled delete of IKE SA 756317aa05c7043e/f31f8b219a47ffb8
ike 0:VPN: connection expiring due to phase1 down
ike 0:VPN: deleting
ike 0:VPN: deleted
Based on documentation (to be honest, mostly forum posts on the Fortinet site), my read on this is that we get to Phase 1 negotiations. We seem to be agreeing on a set of ciphers, and then when we get to the pre-shared key check (which I THINK is the AUTH message back and forth) we fail, and the process stops.
Am I reading that correctly, or is there something else that I'm missing there? The other end of the link seems pretty certain that the password is right on their end, but what I'm seeing, I think, is telling me otherwise. If someone could weigh in on this, I would really appreciate it.
Obviously if there's information I've left out that may be useful, please let me know and I can provide it (obviously in a sanitized form).
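An added example (not from this thread and not Fortinet code) that decodes the raw hex FortiGate prints on its `in` and `dec` debug lines: it walks the fixed IKEv2 header and the payload chain as laid out in RFC 7296 and names each Notify type, which confirms the reading above, since the decrypted IKE_AUTH response carries nothing but an AUTHENTICATION_FAILED notify and no IDr or AUTH payload. The two dumps are copied from the log in the post; the function names `walk_ikev2` and `diagnose` and the name-number tables are mine, with the numbers taken from RFC 7296 (and RFC 7427 for 16404, which the log left unnamed).

```python
import struct
# Names from RFC 7296 (16404 from RFC 7427): the subset that covers this thread's log
EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOADS = {33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 39: "AUTH", 40: "Nonce", 41: "N",
            44: "TSi", 45: "TSr", 46: "SK"}
NOTIFIES = {14: "NO_PROPOSAL_CHOSEN", 24: "AUTHENTICATION_FAILED", 16388: "NAT_DETECTION_SOURCE_IP",
            16389: "NAT_DETECTION_DESTINATION_IP", 16404: "SIGNATURE_HASH_ALGORITHMS",
            16430: "FRAGMENTATION_SUPPORTED"}

def walk_ikev2(hexdump):
    """Return (exchange, is_response, [payload labels]) for one raw IKEv2 message."""
    msg = bytes.fromhex(hexdump)
    # Fixed 28-byte header: SPIi, SPIr, next payload, version, exchange, flags, msg id, length
    _, _, nxt, _, exch, flags, _, length = struct.unpack("!QQBBBBII", msg[:28])
    if length != len(msg):
        raise ValueError("header says %d bytes, dump has %d" % (length, len(msg)))
    labels, off = [], 28
    while nxt and off + 4 <= len(msg):
        # Generic payload header: next payload type, critical bit, length incl. this header
        p_next, _, p_len = struct.unpack("!BBH", msg[off:off + 4])
        body = msg[off + 4:off + p_len]
        if nxt == 41 and len(body) >= 4:  # Notify body: protocol id, SPI size, 16-bit notify type
            labels.append("N(%s)" % NOTIFIES.get(struct.unpack("!H", body[2:4])[0], "unknown"))
        else:
            labels.append(PAYLOADS.get(nxt, "type%d" % nxt))
        nxt, off = p_next, off + p_len
    return EXCHANGES.get(exch, str(exch)), bool(flags & 0x20), labels

def diagnose(hexdump):
    """Verdict for the pattern in this thread: an IKE_AUTH response that is only an error Notify."""
    exch, resp, labels = walk_ikev2(hexdump)
    if exch == "IKE_AUTH" and resp and "N(AUTHENTICATION_FAILED)" in labels and "AUTH" not in labels:
        return "IKE_AUTH rejected: peer sent AUTHENTICATION_FAILED and no IDr/AUTH (PSK or peer ID mismatch)"
    return "%s %s: %s" % (exch, "response" if resp else "request", " ".join(labels))

# Hex copied from the 'in' (SA_INIT response) and 'dec' (decrypted AUTH response) lines of the log
SA_INIT_RESP = (
    "756317AA05C7043EF31F8B219A47FFB8212022200000000000000144"                                          # header
    "220000300000002C010100040300000C0100000C800E0100030000080300000E03000008020000070000000804000015"  # SA
    "2800008C0015000000E050E8D7EBA45F45610435C61CDB2AFCB84DB9619C88D0D2D94F69262F97D5F35ED2935FF06F3348131064485801F6"
    "16CF025DDD07291940A01A03E6EF57875EA8004645BFFF811D840DD90A714236F39529646B0F02C131D8AA213A15F8DC"
    "BDC9016F08049004668E4E3E9A5ABAC963E880CA7E438392C21088DDCFDB5A1E3908A9FB"                          # KE
    "290000242CD8E241FF19CFC1DC56A7EBEDACDDB089C5D6BDDEC4638B4F8BA0FFB9263165"                          # Nonce
    "2900001C0000400409F2CB6EBF9C01B1F0DA883D18681FFED6DC4AE4" "2900001C0000400584D42BB3016EA1F53A46F7E3E23502219B062088"
    "290000080000402E" "0000000800004014")                                                              # 4 x N
AUTH_RESP = "756317AA05C7043EF31F8B219A47FFB82E2023200000000100000028290000040000000800000018"

if __name__ == "__main__":
    print(diagnose(SA_INIT_RESP))
    print(diagnose(AUTH_RESP))
```

The same walk over the `in` line of a successful IKE_AUTH response would show IDr and AUTH payloads before any TSi/TSr, so the absence of both here is the tell, not just the notify text FortiGate prints.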
We're not using certs, we're using a PSK. Unfortunately my colleagues on the other end of the connection are convinced that that isn't the issue. Right now I'm really just looking for a sanity check, because I also came to that conclusion (the mismatched key). I appreciate your response, if anything I can use this info to show the people on my end of this that I'm not out to lunch :p
I appreciate everyone's advice. I'm reasonably sure that my initial take was correct; however, the people on the other side of the connection were not convinced of this, and thus were a little difficult to work with. I eventually scrapped the plan to use a PTP VPN and worked around the issue using another solution, and now all is well again.
Thanks again for all of the advice. I really appreciate it.