Hi everyone. To preface this, I typically don't deal with Fortigate equipment, so I'm new to the platform, but I do use other vendors' firewalls regularly. I'm reasonably sure I've got my config on my end here in order, but it's 100% possible I've made a mistake in my configuration. However, this is my read on what I'm seeing here.
I've got a VPN set up with another company is a remote country with a giant time zone difference, making this more difficult to deal with. I've set up my end and provided them with the criteria to make the connection with and made an attempt, when they had their configuration in place, to bring up the link. We can't seem to make it out of Phase 1 into Phase 2 negotiations. See below for a sanitized version of the debug log of our attempted connection:
ike 0:VPN: schedule auto-negotiate
ike 0:VPN:VPN: chosen to populate IKE_SA traffic-selectors
ike 0:VPN: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
ike 0:VPN:139129: out 756317AA05C7043E000000000000000021202208000000000000013C220000300000002C010100040300000C0100000C800E01000300000802000007030000080300000E00000008040000152800008C0015000001D844E682D101F62F330BDF0BE25D1635911185E7C07D80E8C151F0F41070A151C6036442ADAC377D08A80F4205353930113542BB0F78302B87907941DA2F413E6C0184B3A31EA60B6975DC120562626705BD616A624B6C4F245358B0DA4FDC58E077B45771CD9713FBBBA6011D1E5C7FA19D03B7A2B3323E7E60F821A55A80174A12CC290000243D8EA56714DB85EE44D303AE3468F541ACF85EF919FDBF7730C3CD3A6C898B7A2900001C00004004E7F3628FED5F6D0B593772082AAB5F76CCE839BD2900001C00004005544FBFCA8EBEB143987B3C697E1949E818E3B3A7000000080000402E
ike 0:VPN:139129: sent IKE msg (SA_INIT): Source IP:500->Destination IP:500, len=316, vrf=0, id=756317aa05c7043e/0000000000000000
ike 0: comes Destination IP:500->Source IP:500,ifindex=7,vrf=0....
ike 0: IKEv2 exchange=SA_INIT_RESPONSE id=756317aa05c7043e/f31f8b219a47ffb8 len=324
ike 0: in 756317AA05C7043EF31F8B219A47FFB8212022200000000000000144220000300000002C010100040300000C0100000C800E0100030000080300000E030000080200000700000008040000152800008C0015000000E050E8D7EBA45F45610435C61CDB2AFCB84DB9619C88D0D2D94F69262F97D5F35ED2935FF06F3348131064485801F616CF025DDD07291940A01A03E6EF57875EA8004645BFFF811D840DD90A714236F39529646B0F02C131D8AA213A15F8DCBDC9016F08049004668E4E3E9A5ABAC963E880CA7E438392C21088DDCFDB5A1E3908A9FB290000242CD8E241FF19CFC1DC56A7EBEDACDDB089C5D6BDDEC4638B4F8BA0FFB92631652900001C0000400409F2CB6EBF9C01B1F0DA883D18681FFED6DC4AE42900001C0000400584D42BB3016EA1F53A46F7E3E23502219B062088290000080000402E0000000800004014
ike 0:VPN:139129: initiator received SA_INIT response
ike 0:VPN:139129: processing notify type NAT_DETECTION_SOURCE_IP
ike 0:VPN:139129: processing NAT-D payload
ike 0:VPN:139129: NAT not detected
ike 0:VPN:139129: process NAT-D
ike 0:VPN:139129: processing notify type NAT_DETECTION_DESTINATION_IP
ike 0:VPN:139129: processing NAT-D payload
ike 0:VPN:139129: NAT not detected
ike 0:VPN:139129: process NAT-D
ike 0:VPN:139129: processing notify type FRAGMENTATION_SUPPORTED
ike 0:VPN:139129: processing notify type 16404
ike 0:VPN:139129: incoming proposal:
ike 0:VPN:139129: proposal id = 1:
ike 0:VPN:139129: protocol = IKEv2:
ike 0:VPN:139129: encapsulation = IKEv2/none
ike 0:VPN:139129: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:VPN:139129: type=INTEGR, val=AUTH_HMAC_SHA2_512_256
ike 0:VPN:139129: type=PRF, val=PRF_HMAC_SHA2_512
ike 0:VPN:139129: type=DH_GROUP, val=ECP521.
ike 0:VPN:139129: matched proposal id 1
ike 0:VPN:139129: proposal id = 1:
ike 0:VPN:139129: protocol = IKEv2:
ike 0:VPN:139129: encapsulation = IKEv2/none
ike 0:VPN:139129: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:VPN:139129: type=INTEGR, val=AUTH_HMAC_SHA2_512_256
ike 0:VPN:139129: type=PRF, val=PRF_HMAC_SHA2_512
ike 0:VPN:139129: type=DH_GROUP, val=ECP521.
ike 0:VPN:139129: lifetime=86400
ike 0:VPN:139129: IKE SA 756317aa05c7043e/f31f8b219a47ffb8 SK_ei 32:528079CCB504700AF92FF09B07D379A4B4B55AB7DD3A466B76D3C03C2BC97102
ike 0:VPN:139129: IKE SA 756317aa05c7043e/f31f8b219a47ffb8 SK_er 32:9FA507DBC218D82F55B01036344D1120877CA7F9C6A4BDA1E72547213D3FC5F5
ike 0:VPN:139129: IKE SA 756317aa05c7043e/f31f8b219a47ffb8 SK_ai 64:8160A6418343FB8A102193C4B9AEE97B022E724A8805151431245FF9F09C0987A6C727D0F6AA57E4EDE821FAB53534CC964D5C362DE4A962415EE774728A8F83
ike 0:VPN:139129: IKE SA 756317aa05c7043e/f31f8b219a47ffb8 SK_ar 64:607FE3A60A042B18C3802BC4ABAE38CE02B3162C9C5CF24036CF17B74520D4876173AFD3958E4A02522D611D2BF5E9A08FFAC94B6C1EEF37498390642B5B8309
ike 0:VPN:139129: initiator preparing AUTH msg
ike 0:VPN:139129: sending INITIAL-CONTACT
ike 0:VPN:139129: enc 2900000C0100000018DE17EE270000080000400029000048020000000938294BB7C4981DADDD042D60549B636CCFF3AB8632D83ABE1DC9C4236C75E0990E01CF62C19E3BC99A1A8A2E98B52781177B2E1C5525C0C6A5EF043CC73C9121000008000040242C00002C0000002801030403A3DD186D0300000C0100000C800E0100030000080300000E00000008050000002D00001801000000070000100000FFFFC0A80A00C0A80AFF0000001801000000070000100000FFFFC0A80200C0A802FF0F0E0D0C0B0A0908070605040302010F
ike 0:VPN:139129: out 756317AA05C7043EF31F8B219A47FFB82E20230800000001000001202300010422C5135B8EA7EF630F1DE05A1EF8BB0387A80BE4CD7890CDDE5B0BB008D2871E1CC78CC23DD687A4A1E55E5A24E3D18341D7494D0BA3B47EC2F4E095B407ADAA4F0E708C3FBBABF1877B7CA8BEA17255630EE4397E715147A90CD137524F18E49691AD199D27D0473FA0AB1F6F0592F64E274B19EF73596DC423223629C035D9A293AEAAF2F07F865680E8D08375DEF0F09F50874C907A748762EE2B04DD4B07AC6F23A886BD4727BD0777620712D6EF09448AA6080F9FFEDE60A02B936CB241D094492B9C93D361FB93958849868C67614C736AB853B8B2456F71C923B2290F1B2BB56189770CA7D984C9317D101D9EE0C8A8EF0E8C0ADA68A4B7DEEB1214C3
ike 0:VPN:139129: sent IKE msg (AUTH): Source IP:500->Destination IP:500, len=288, vrf=0, id=756317aa05c7043e/f31f8b219a47ffb8:00000001
ike 0: comes Destination IP:500->Source IP:500,ifindex=7,vrf=0....
ike 0: IKEv2 exchange=AUTH_RESPONSE id=756317aa05c7043e/f31f8b219a47ffb8:00000001 len=96
ike 0: in 756317AA05C7043EF31F8B219A47FFB82E2023200000000100000060290000440DE027B8AC83CFDC49E1CDAD59519E72B115BE9E0BE1F82FFAC586EA027981ED2288E315D08F51FB4D76698F1574999AFEABF07274E49A704E8187FAC806521E
ike 0:VPN:139129: dec 756317AA05C7043EF31F8B219A47FFB82E2023200000000100000028290000040000000800000018
ike 0:VPN:139129: initiator received AUTH msg
ike 0:VPN:139129: received notify type AUTHENTICATION_FAILED
ike 0:VPN:139129: schedule delete of IKE SA 756317aa05c7043e/f31f8b219a47ffb8
ike 0:VPN:139129: scheduled delete of IKE SA 756317aa05c7043e/f31f8b219a47ffb8
ike 0:VPN: connection expiring due to phase1 down
ike 0:VPN: deleting
ike 0:VPN: deleted
Based on documentation (to be honest, mostly form posts on the Fortinet site), my read on this is that we get to Phase 1 negotiations. We seem to be agreeing on a set of ciphers, and then when we get to the pre-shared key check (which I THINK is the AUTH message back and forth) we fail, and the process stops.
Am I reading that correctly, or is there something else that I'm missing there? The other end of the link seems pretty certain that the password is right on their end, but what I'm seeing, I think, is telling me otherwise. If someone could weigh in on this, I would really appreciate it.
Obviously if there's information I've left out that may be useful, please let me know and I can provide it (obviously in a sanitized form).
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi @JonnyPartridge,
I am glad to hear that everything is working well for now. It is our pleasure to assist you.
Regards,
Minh
Hey Jonny,
I seem to be having the same issue, and i notice that the issue you had reported seems to be fixed, can you let me know what was the changes you did?
Hi,
I can see it's ikeV2.
Please refer to this link:
Also, the Auth Failed message is received from the other end. Please try to change the remote end device to initiator and try to bring up the tunnel.
You may also refer to this link:
https://community.fortinet.com/t5/Customer-Service/Technical-Tip-How-to-make-sure-the-FortiGate-will....
BR,
Manosh
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
227 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.