We are trying to establish IPSec between FGT and peplink
FGT side, DDNS is enabled. Phase one is not established.
While using IP instead of FQDN, the tunnel is established successfully. What could be the issue?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello,
You may consider to double check whether FQDN is resolved successfully to the correct IP address.
Moreover, you may consider to collect IKE debugs on both IPsec peers simultaneously while trying to bring up the tunnel:
diagnose debug application ike -1
diagnose debug enable
Hi,
Thank you for the reply
Checked the FQDN. It is taking the right IP.
the debug output is attaching below.
ike 0: comes 185.170.143.116:500->2.50.16.105:500,ifindex=53,vrf=0....
ike 0: IKEv1 exchange=Informational id=838b078643e2187d/1b0f1c3199aa6c42:bb455e66 len=108 vrf=0
ike 0: in 838B078643E2187D1B0F1C3199AA6C4208100501BB455E660000006C51B8B2911D32CB7076D94716FCD6548EF08D81A751B24622285C4E9364748F273DF1E138016A28CADE34CB94036CF375BA390EDA3A7FD7F5CF73B93B771413E72EC1E161CFAE36127B56AB2B2C80BF57
ike 0:ARAS:12293: dec 838B078643E2187D1B0F1C3199AA6C4208100501BB455E660000006C0C0000243F0C7130569B67F5680ABCA5A80C886EEFDB00CAB48584A0932875D2533313CB0000001C0000000101100001838B078643E2187D1B0F1C3199AA6C4200000000000000000000000000000000
ike 0:ARAS:12293: recv ISAKMP SA delete 838b078643e2187d/1b0f1c3199aa6c42
ike 0:ARAS: schedule auto-negotiate
ike 0:ARAS:ARAS: IPsec SA connect 53 2.50.16.105->185.170.143.116:0
ike 0:ARAS:ARAS: using existing connection
ike 0:ARAS:ARAS: traffic triggered, serial=1 6:192.168.4.5:56177->6:192.168.8.5:1720
ike 0:ARAS:ARAS: config found
ike 0:ARAS:ARAS: IPsec SA connect 53 2.50.16.105->185.170.143.116:500 negotiating
ike 0:ARAS:12291:ARAS:118676: ISAKMP SA still negotiating, queuing quick-mode request
ike 0:ARAS:ARAS: IPsec SA connect 53 2.50.16.105->185.170.143.116:0
ike 0:ARAS:ARAS: using existing connection
ike 0:ARAS:ARAS: traffic triggered, serial=1 6:192.168.4.5:56177->6:192.168.8.5:1720
ike 0:ARAS:ARAS: config found
ike 0:ARAS: request is on the queue
ike 0:ARAS:12291: out F4ED054B91E00F3A8832B1457E4D24C105100201000000000000006C67983DBD20637293F4ECFB2FC4F8383DB48EE65DD9D8A84610134EF85CBABBA89FE6857D41F9FDB4CD0C3D7AB096B7DD89DCE48F91F4DB12B3D7ED89873E09BF07D618A759BCFD8AFA38448BB9690CBA
ike 0:ARAS:12291: sent IKE msg (P1_RETRANSMIT): 2.50.16.105:500->185.170.143.116:500, len=108, vrf=0, id=f4ed054b91e00f3a/8832b1457e4d24c1
ike 0: comes 185.170.143.116:500->2.50.16.105:500,ifindex=53,vrf=0....
ike 0: IKEv1 exchange=Identity Protection id=256a68f81f4ff6ab/0000000000000000 len=224 vrf=0
ike 0: in 256A68F81F4FF6AB00000000000000000110020000000000000000E00D00006400000001000000010000005800010002030000280101000080010007800E0080800200048004000E80030001800B0001000C000400015180000000280201000080010007800E0080800200048004000580030001800B0001000C0004000151800D00000C09002689DFD6B7120D000014AFCAD71368A1F1C96B8696FC775701000D0000184048B7D56EBCE88525E7DE7F00D6C2D3800000000D0000144A131C81070358455C5728F20E95452F0000001490CB80913EBB696E086381B5EC427B1F
ike 0:256a68f81f4ff6ab/0000000000000000:12294: responder: main mode get 1st message...
ike 0:256a68f81f4ff6ab/0000000000000000:12294: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
ike 0:256a68f81f4ff6ab/0000000000000000:12294: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:256a68f81f4ff6ab/0000000000000000:12294: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000
ike 0:256a68f81f4ff6ab/0000000000000000:12294: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:256a68f81f4ff6ab/0000000000000000:12294: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:256a68f81f4ff6ab/0000000000000000:12294: negotiation result
ike 0:256a68f81f4ff6ab/0000000000000000:12294: proposal id = 1:
ike 0:256a68f81f4ff6ab/0000000000000000:12294: protocol id = ISAKMP:
ike 0:256a68f81f4ff6ab/0000000000000000:12294: trans_id = KEY_IKE.
ike 0:256a68f81f4ff6ab/0000000000000000:12294: encapsulation = IKE/none
ike 0:256a68f81f4ff6ab/0000000000000000:12294: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:256a68f81f4ff6ab/0000000000000000:12294: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:256a68f81f4ff6ab/0000000000000000:12294: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:256a68f81f4ff6ab/0000000000000000:12294: type=OAKLEY_GROUP, val=MODP2048.
ike 0:256a68f81f4ff6ab/0000000000000000:12294: ISAKMP SA lifetime=86400
ike 0:256a68f81f4ff6ab/0000000000000000:12294: SA proposal chosen, matched gateway ARAS
ike 0: found ARAS 2.50.16.105 53 -> 185.170.143.116:500
ike 0:ARAS:12294: selected NAT-T version: RFC 3947
ike 0:ARAS:12294: cookie 256a68f81f4ff6ab/9ca77b5f94580c1d
ike 0:ARAS:12294: out 256A68F81F4FF6AB9CA77B5F94580C1D0110020000000000000000C00D00003C00000001000000010000003000010001000000280101000080010007800E0080800200048004000E80030001800B0001000C0004000151800D0000144A131C81070358455C5728F20E95452F0D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:ARAS:12294: sent IKE msg (ident_r1send): 2.50.16.105:500->185.170.143.116:500, len=192, vrf=0, id=256a68f81f4ff6ab/9ca77b5f94580c1d
ike 0: comes 185.170.143.116:500->2.50.16.105:500,ifindex=53,vrf=0....
ike 0: IKEv1 exchange=Identity Protection id=256a68f81f4ff6ab/9ca77b5f94580c1d len=396 vrf=0
ike 0: in 256A68F81F4FF6AB9CA77B5F94580C1D04100200000000000000018C0A000104D4CB8077A1728590F14CE4909535A09F4C16FFB81E94CBABB9B1DFF357F68D854F7E0A532FC96A7D87151B9C1ECD306D19ECEE895E79C5B24ED9034720FDEADE61F3D452253419EBD082E3FAE29493D1688B2CFDFA83B2A8E9E5EF05254E248ABD09D8C43D46667B2A061BF3050FDC32DB9C12572EEA23DDE1ABFA7F11028B45E4F816F7D9734BC4D721130CE115D7110E8D6E3957F45275B3540B4A9A5006D9EA9DC15E800F42018A734C019074F34149821FCB3F711C436EA32D3AE1E16354DF8FEB8104BCA841AB0788831D846A2140257FC8D14F1095D0377DA718D5B8E2D9D7497628CE983F951FA3F802D03A2B6B6DA7FB33B22BFF2A1CE451BDDAE04E140000249F50B1B1E4E445456329DF2444DF2CB5F3AEF07B28DE6ACCA331CF77BB43D466140000241C608618C836B9150E5BE993ADE0A60FFB99F6AC37D39F84A9D2B6710E61458A00000024908B618D6B1AD801A1AA00C130698DD47FC711C424AA6832B9B331AD7C0E5DC7
ike 0:ARAS:12294: responder:main mode get 2nd message...
ike 0:ARAS:12294: received NAT-D payload type 20
ike 0:ARAS:12294: received NAT-D payload type 20
ike 0:ARAS:12294: NAT not detected
ike 0:ARAS:12294: out 256A68F81F4FF6AB9CA77B5F94580C1D04100200000000000000017C0A00010470314C01EC1E39529538EEB1E536A0B42692765B27D0577A56A97617E844429EA3C5C85B3123EC4FF033250530CEA594245C8C99032E44F525E7910F285F9FF1390A1A1A6A2E0087070B60BAD3BCB6A657A8419C369EB546ADDA288F0DBD266FE2D0BE89A95C068E3AD56A4D06A13836D697F8B21E56BE422116D303869D62A4CFD247212C1CB86BCC8818BEF0B86CE0F8A02BC6C0EC939CBB92527C4F07BE2DCDA655E45531BEF6440105913AC921AF911BBD3FD581C183454E26D163B3E9655BC14231652820BF15695DDA1A509A255B088431F43DF95F4ED91599E42BE98196CD4F97233D16C774F42666A59D32223DF9B9AC533F901873FBEF65A99DF8BC14000014D9835D65B85752371A17A9439A51D43D14000024908B618D6B1AD801A1AA00C130698DD47FC711C424AA6832B9B331AD7C0E5DC7000000241C608618C836B9150E5BE993ADE0A60FFB99F6AC37D39F84A9D2B6710E61458A
ike 0:ARAS:12294: sent IKE msg (ident_r2send): 2.50.16.105:500->185.170.143.116:500, len=380, vrf=0, id=256a68f81f4ff6ab/9ca77b5f94580c1d
ike 0:ARAS:12294: ISAKMP SA 256a68f81f4ff6ab/9ca77b5f94580c1d key 16:DD1943E14576D17D9241C6F56EA501D5
ike shrank heap by 159744 bytes
ike 0: comes 185.170.143.116:500->2.50.16.105:500,ifindex=53,vrf=0....
ike 0: IKEv1 exchange=Identity Protection id=256a68f81f4ff6ab/9ca77b5f94580c1d len=108 vrf=0
ike 0: in 256A68F81F4FF6AB9CA77B5F94580C1D05100201000000000000006CA1772A77DF76BD8FCF279F95F7E1066C82E4D97AC42342DDAB0E9394F2A295E46A5970B0D3DF183D75FF022FAF899B7716B3B4397C9F905B108AA8C0F24227957247C3B9577E313BFDBDD74B3C6A2E35
ike 0:ARAS:12294: responder: main mode get 3rd message...
ike 0:ARAS:12294: dec 256A68F81F4FF6AB9CA77B5F94580C1D05100201000000000000006C0800000C01000000B9AA8F740B0000245D5123DBF64D829F282681E56FD45BCDDF984626A17F57755DCF50AF8910E75E0000001C0000000101106002256A68F81F4FF6AB9CA77B5F94580C1D00000000
ike 0:ARAS:12294: received p1 notify type INITIAL-CONTACT
ike 0:ARAS:12294: peer identifier IPV4_ADDR 185.170.143.116
ike 0:ARAS:12294: PSK authentication succeeded
ike 0:ARAS:12294: authentication OK
ike 0:ARAS:12294: enc 256A68F81F4FF6AB9CA77B5F94580C1D05100201000000000000004C0800000C010000000232106900000024D96625D58C12DF2677694DA2671725B58466661CA879FF51DD59B4330A487848
ike 0:ARAS:12294: out 256A68F81F4FF6AB9CA77B5F94580C1D05100201000000000000005CDE54414805188FFE7FBAA40A28BD963498111EF1D5D710458465F643A73B6453BFE246A6504358EE5332EA88342B46FABA68C06793FD6AFB93ECA3A050F47028
ike 0:ARAS:12294: sent IKE msg (ident_r3send): 2.50.16.105:500->185.170.143.116:500, len=92, vrf=0, id=256a68f81f4ff6ab/9ca77b5f94580c1d
ike 0:ARAS:12294: established IKE SA 256a68f81f4ff6ab/9ca77b5f94580c1d
ike 0:ARAS:12294: check peer route: if_addr4_rcvd=0, if_addr6_rcvd=0, mode_cfg=0
ike 0:ARAS:12294: processing INITIAL-CONTACT
ike 0:ARAS: flushing
ike 0:ARAS: flushed
ike 0:ARAS:12294: processed INITIAL-CONTACT
ike 0:ARAS: schedule auto-negotiate
ike 0:ARAS:12294: no pending Quick-Mode negotiations
ike 0: comes 185.170.143.116:500->2.50.16.105:500,ifindex=53,vrf=0....
ike 0: IKEv1 exchange=Informational id=256a68f81f4ff6ab/9ca77b5f94580c1d:68541e6f len=108 vrf=0
ike 0: in 256A68F81F4FF6AB9CA77B5F94580C1D0810050168541E6F0000006CBF0CAE60DAD96AB7F98EC8C435C3D586D943997B03B07C7F55AAAD9EAA7F57236BB45426D38530BD35397AA60EF33601BCFE085B240E8F3FAE1AD57E47390951E73ED0D24ABCBD764D95F04F80549C5D
ike 0:ARAS:12294: dec 256A68F81F4FF6AB9CA77B5F94580C1D0810050168541E6F0000006C0C000024F33F11E04498A4394C1E39565C4F228B0DFC9D79D0EB652BDEA8F08AF908931E0000001C0000000101100001256A68F81F4FF6AB9CA77B5F94580C1D00000000000000000000000000000000
ike 0:ARAS:12294: recv ISAKMP SA delete 256a68f81f4ff6ab/9ca77b5f94580c1d
ike 0:ARAS:ARAS: IPsec SA connect 53 2.50.16.105->185.170.143.116:0
ike 0:ARAS:ARAS: using existing connection
ike 0:ARAS:ARAS: traffic triggered, serial=1 17:192.168.4.5:50795->17:192.168.8.5:50795
ike 0:ARAS:ARAS: config found
ike 0:ARAS:ARAS: IPsec SA connect 53 2.50.16.105->185.170.143.116:500 negotiating
ike 0:ARAS:12291:ARAS:118679: ISAKMP SA still negotiating, queuing quick-mode request
ike 0:ARAS:12291: negotiation timeout, deleting
ike 0:ARAS: connection expiring due to phase1 down
ike 0:ARAS: deleting
ike 0:ARAS: deleted
ike 0:ARAS: set oper down
ike 0:ARAS: schedule auto-negotiate
Hello,
IPsec phase 1 looks good (established IKE SA).
FortiGate received a request to terminate the tunnel (recv ISAKMP SA delete).
I would recommend to check whether IPsec phase 2 settings are matching on both sides.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.