IPsec VPN Authentication Failed
Fortigate 60F
Setting up a new IPsec VPN. Phase 1 matches but I am still getting a "AUTHENTICATION_FAILED" error.
Please. Any assistance would be great.
Here is my debug:
ike 0:VPN1: schedule auto-negotiate
ike 0:VPN1: auto-negotiate connection
ike 0:VPN1: created connection: 0x17fc6a00 5 152.x.x.x->174.x.x.x:500.
ike 0:VPN1:VPN1: chosen to populate IKE_SA traffic-selectors
ike 0:VPN1: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
ike 0:VPN1:5538: out ...
ike 0:VPN1:5538: sent IKE msg (SA_INIT): 152.x.x.x:500->174.x.x.x:500, len=256, id=96957cd2c74f75b6/0000000000000000
ike 0: comes 174.x.x.x:500->152.x.x.x:500,ifindex=5....
ike 0: IKEv2 exchange=SA_INIT_RESPONSE id=96957cd2c74f75b6/34b5ee933ab5153b len=264
ike 0: in ...
ike 0:VPN1:5538: initiator received SA_INIT response
ike 0:VPN1:5538: processing notify type FRAGMENTATION_SUPPORTED
ike 0:VPN1:5538: processing notify type 16404
ike 0:VPN1:5538: incoming proposal:
ike 0:VPN1:5538: proposal id = 1:
ike 0:VPN1:5538: protocol = IKEv2:
ike 0:VPN1:5538: encapsulation = IKEv2/none
ike 0:VPN1:5538: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:VPN1:5538: type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:VPN1:5538: type=PRF, val=PRF_HMAC_SHA
ike 0:VPN1:5538: type=DH_GROUP, val=MODP1024.
ike 0:VPN1:5538: matched proposal id 1
ike 0:VPN1:5538: proposal id = 1:
ike 0:VPN1:5538: protocol = IKEv2:
ike 0:VPN1:5538: encapsulation = IKEv2/none
ike 0:VPN1:5538: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:VPN1:5538: type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:VPN1:5538: type=PRF, val=PRF_HMAC_SHA
ike 0:VPN1:5538: type=DH_GROUP, val=MODP1024.
ike 0:VPN1:5538: lifetime=3600
ike 0:VPN1:5538: IKE SA 96957cd2c74f75b6/34b5ee933ab5153b SK_ei 16:9AEA2F224B7394D3F52F820307889B5B
ike 0:VPN1:5538: IKE SA 96957cd2c74f75b6/34b5ee933ab5153b SK_er 16:102C3213DC19358382E90460B6B98C62
ike 0:VPN1:5538: IKE SA 96957cd2c74f75b6/34b5ee933ab5153b SK_ai 20:CFCD9115094B148B28ED6D47E0CCA2614D67B909
ike 0:VPN1:5538: IKE SA 96957cd2c74f75b6/34b5ee933ab5153b SK_ar 20:D6AE88230C0F6BA56B580085702BEE0B629CE50F
ike 0:VPN1:5538: initiator preparing AUTH msg
ike 0:VPN1:5538: sending INITIAL-CONTACT
ike 0:VPN1:5538: mode-cfg request APPLICATION_VERSION
ike 0:VPN1:5538: mode-cfg request INTERNAL_IP4_ADDRESS
ike 0:VPN1:5538: mode-cfg request INTERNAL_IP4_NETMASK
ike 0:VPN1:5538: mode-cfg request INTERNAL_IP4_SUBNET
ike 0:VPN1:5538: enc 2900000C0100000098A017FB27000008000040002F00001C020000000BE1DE66DF20C061EF1B5FA115E8548F6519D4CB29000042010000000007002A466F727469476174652D3630462076362E302E362C6275696C64363431342C31393039303620284741290001000000020000000D00002100000800
040242C00002C0000002801030403C79FCA750300000C0100000C800E0080030000080300000200000008050000002D00001801000000070000100000FFFF00000000FFFFFFFF0000001801000000070000100000FFFF00000000FFFFFFFF09080706050403020109
ike 0:VPN1:5538: out 96957CD2C74F75B634B5EE933AB5153B2E202308000000010000011C230001006438D5E2D386FDB27E287167F8D2D291825CFAB5F42F0DFB9AE17DC2445FE3950C7B4B0E5F68A87AC26DFE0773E1E387C3806D04DB2F991A1D2E3825CE2C8B206B457FB365FE147F7D005AE8E776FA78E39646183B635BA3F2E4252CB903D47F6C08BDDEC9BFB0F3436E36486A9FE35516EC8070869BC86316580A386515D47D4A9594628AE0AED860BD673B0AD4566F5347605B9F2FE47E1DD47F0705DF9B1F527478BBC4A30660C4B936872AB418A686373090E0BCB809EE40DB511582D37374D07C8052689A76FC676269C2E245611F9E7D6F25C6D003921B99756FCB5C41270AEE0C8F5987936EF421F2564B9898FC488752E8ABD9B43E6BA04A
ike 0:VPN1:5538: sent IKE msg (AUTH): 152.x.x.x:500->174.x.x.x:500, len=284, id=96957cd2c74f75b6/34b5ee933ab5153b:00000001
ike 0: comes 174.x.x.x:500->152.x.x.x:500,ifindex=5....
ike 0: IKEv2 exchange=AUTH_RESPONSE id=96957cd2c74f75b6/34b5ee933ab5153b:00000001 len=76
ike 0: in 96957CD2C74F75B634B5EE933AB5153B2E202320000000010000004C29000030E87C6A0641A3671D61EAB6D1A3B441DF06A4B69205085212C767F750599D579623A42D69603D68049E7ABB84
ike 0:VPN1:5538: dec 96957CD2C74F75B634B5EE933AB5153B2E2023200000000100000028290000040000000800000018
ike 0:VPN1:5538: initiator received AUTH msg
ike 0:VPN1:5538: received notify type AUTHENTICATION_FAILED
ike 0:VPN1:5538: schedule delete of IKE SA 96957cd2c74f75b6/34b5ee933ab5153b
ike 0:VPN1:5538: scheduled delete of IKE SA 96957cd2c74f75b6/34b5ee933ab5153b
ike 0:VPN1: connection expiring due to phase1 down
ike 0:VPN1: deleting
ike 0:VPN1: deleted
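To read what the last few debug lines are actually saying, here is an added decoder (example code written for this thread, not FortiGate code) that parses the two IKE_AUTH response dumps above: the encrypted "in" line as received on the wire and the "dec" line after the daemon decrypted the SK payload. It follows the RFC 7296 header and payload layout and assumes the algorithms matched in proposal id 1 above (AES-CBC with a 16-byte IV, AUTH_HMAC_SHA_96 with a 12-byte ICV). The two hex strings are copied from the post; everything else is the example's own. It walks any payload chain, so it can be pointed at other "in"/"dec" lines from the same debug.

```python
"""Decode FortiGate 'diag debug app ike' hex dumps of IKEv2 messages (RFC 7296)."""
import struct

HEADER_LEN = 28  # RFC 7296 3.1: SPIi(8) SPIr(8) next(1) version(1) exchange(1) flags(1) msgid(4) length(4)

EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD_TYPES = {0: "none", 33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 38: "CERTREQ",
                 39: "AUTH", 40: "Nonce", 41: "Notify", 42: "Delete", 43: "VendorID",
                 44: "TSi", 45: "TSr", 46: "SK", 47: "CP", 48: "EAP"}
# Error notifies are < 16384; the status notifies that appear in the debug are listed as well.
NOTIFY_TYPES = {7: "INVALID_SYNTAX", 14: "NO_PROPOSAL_CHOSEN", 17: "INVALID_KE_PAYLOAD",
                24: "AUTHENTICATION_FAILED", 38: "TS_UNACCEPTABLE",
                16384: "INITIAL_CONTACT", 16404: "MULTIPLE_AUTH_SUPPORTED",
                16430: "FRAGMENTATION_SUPPORTED"}

# Copied from the post: the "in" line (still encrypted) and the "dec" line (after decryption).
AUTH_RESPONSE_IN = ("96957CD2C74F75B634B5EE933AB5153B2E202320000000010000004C29000030"
                    "E87C6A0641A3671D61EAB6D1A3B441DF06A4B69205085212C767F750599D5796"
                    "23A42D69603D68049E7ABB84")
AUTH_RESPONSE_DEC = ("96957CD2C74F75B634B5EE933AB5153B2E2023200000000100000028"
                     "290000040000000800000018")


def parse_ikev2(hex_dump, iv_len=16, icv_len=12):
    """Parse one IKEv2 message; iv_len/icv_len are assumptions for the SK payload
    (16-byte AES-CBC IV, 12-byte ICV for AUTH_HMAC_SHA_96, as negotiated above)."""
    data = bytes.fromhex(hex_dump)
    if len(data) < HEADER_LEN:
        raise ValueError("short IKE header")
    spi_i, spi_r, nxt, ver, exch, flags, msg_id, length = struct.unpack("!8s8sBBBBII", data[:HEADER_LEN])
    if length != len(data):
        raise ValueError(f"header length {length} != dump length {len(data)}")
    msg = {"spi_i": spi_i.hex(), "spi_r": spi_r.hex(), "version": f"{ver >> 4}.{ver & 0xF}",
           "exchange": EXCHANGE_TYPES.get(exch, str(exch)),
           "response": bool(flags & 0x20), "initiator": bool(flags & 0x08),
           "msg_id": msg_id, "length": length, "payloads": []}
    off, ptype = HEADER_LEN, nxt
    while ptype != 0:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        nxt, pflags, plen = struct.unpack("!BBH", data[off:off + 4])  # generic payload header
        if plen < 4 or off + plen > len(data):
            raise ValueError(f"payload length {plen} overruns message")
        body = data[off + 4:off + plen]
        p = {"type": PAYLOAD_TYPES.get(ptype, str(ptype)), "length": plen, "critical": bool(pflags & 0x80)}
        if ptype == 41 and len(body) >= 4:  # Notify: protocol(1) spi_size(1) type(2) ...
            _proto, _spi_size, ntype = struct.unpack("!BBH", body[:4])
            p["notify"] = NOTIFY_TYPES.get(ntype, str(ntype))
            p["error"] = ntype < 16384
        if ptype == 46 and plen > 4:
            # Still encrypted: body = IV | ciphertext | ICV, inner payloads are not readable.
            ct_len = len(body) - iv_len - icv_len
            if ct_len <= 0 or ct_len % 16:
                raise ValueError("SK body is not IV + whole AES blocks + ICV")
            p.update(ciphertext_len=ct_len, inner_first=PAYLOAD_TYPES.get(nxt, str(nxt)))
            msg["payloads"].append(p)
            break
        # In the daemon's "dec" dump the SK header is kept with length 4 and the
        # cleartext payloads follow it, so the walk simply continues.
        msg["payloads"].append(p)
        off += plen
        ptype = nxt
    return msg


def auth_result(msg):
    """Name of the error notify in an IKE_AUTH response, or 'OK' if there is none."""
    for p in msg["payloads"]:
        if p.get("error"):
            return p["notify"]
    return "OK"


if __name__ == "__main__":
    for label, dump in (("in", AUTH_RESPONSE_IN), ("dec", AUTH_RESPONSE_DEC)):
        m = parse_ikev2(dump)
        print(label, m["exchange"], "response" if m["response"] else "request",
              "msgid", m["msg_id"], "len", m["length"], m["payloads"])
```

Running it shows the "in" message is 76 bytes (matching len=76 in the debug) carrying one 48-byte SK payload whose 16 bytes of ciphertext hold exactly one AES block, and the "dec" message is the same header followed by a bare SK header and an 8-byte Notify of type 24, AUTHENTICATION_FAILED. Nothing else came back, so the peer did not even get as far as naming a proposal or traffic selector problem.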
So you're trying to set up a dial-up VPN from FortiClient 6.4 with IKEv2? AUTH_FAILED in the AUTH response generally means the other end didn't see the received PSK as matching.
Not dial up. Point to Point. Fortigate to my cloud server.
We did discover the issue, although we still do not understand the why. The previous VPN we used to mirror the servers to our cloud servers was conflicting with the new VPN. They shouldn't have, but they did.
The mode-cfg is throwing things off, but this looks like a PSK mismatch for IKEv2, and the IKE daemon is reporting this as AUTH_FAIL. Have you triple-checked the PSK? Your secret is wrong or corrupted.
Ken Felix
PCNSE
NSE
StrongSwan
If you have more than one S2S IPsec tunnel with the same remote GW connecting to the same WAN, you might have to make sure that they have unique proposals or a peer ID set, because otherwise the FGT will take the first one that matches remote GW plus proposals.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
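An added example (not FortiOS code) that ties the two replies above together: the RFC 7296 section 2.15 PSK AUTH computation with the PRF negotiated in the debug (PRF_HMAC_SHA, i.e. HMAC-SHA1), plus a deliberately simplified model of a responder picking a phase1 entry by remote gateway and proposal, with the peer ID as the tiebreaker the reply above describes. It shows the responder answering AUTHENTICATION_FAILED in two cases: a mistyped PSK on the right tunnel, and the right PSK evaluated against the wrong tunnel because two entries share a gateway and proposal. The Phase1 class, select_phase1, the PSKs, IDs, message bytes and the 192.0.2.10 gateway are all constructed for the example; the field names only mirror the FortiOS CLI keywords, they are not FortiOS behaviour in detail.

```python
"""IKEv2 PSK AUTH (RFC 7296 2.15) and a toy model of responder-side phase1 selection."""
import hashlib
import hmac

KEY_PAD = b"Key Pad for IKEv2"  # RFC 7296 2.15: literal ASCII, no terminator


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA, the PRF matched in proposal id 1 of the debug above."""
    return hmac.new(key, data, hashlib.sha1).digest()


def initiator_signed_octets(real_message1: bytes, nonce_r: bytes, sk_pi: bytes, rest_of_id_i: bytes) -> bytes:
    """InitiatorSignedOctets = RealMessage1 | NonceRData | MACedIDForI,
    with MACedIDForI = prf(SK_pi, RestOfInitIDPayload)."""
    return real_message1 + nonce_r + prf(sk_pi, rest_of_id_i)


def psk_auth(psk: bytes, signed_octets: bytes) -> bytes:
    """AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>)."""
    return prf(prf(psk, KEY_PAD), signed_octets)


class Phase1:
    """Toy phase1 entry (assumption: names follow the CLI keywords remote-gw, proposal, psksecret, peerid)."""

    def __init__(self, name, remote_gw, proposal, psk, peerid=None):
        self.name, self.remote_gw, self.proposal, self.psk, self.peerid = name, remote_gw, proposal, psk, peerid


def select_phase1(tunnels, remote_gw, proposal, id_i):
    """Model of the reply above: the first entry matching remote gateway and proposal
    wins; an entry that has a peerid additionally requires the initiator's IDi to match."""
    for t in tunnels:
        if t.remote_gw == remote_gw and t.proposal == proposal and (t.peerid is None or t.peerid == id_i):
            return t
    return None


def responder_verify(tunnels, remote_gw, proposal, id_i, signed_octets, auth_data):
    """Notify the responder would send back: 'OK', 'NO_PROPOSAL_CHOSEN' or 'AUTHENTICATION_FAILED'."""
    t = select_phase1(tunnels, remote_gw, proposal, id_i)
    if t is None:
        return "NO_PROPOSAL_CHOSEN"
    expected = psk_auth(t.psk, signed_octets)  # recomputed with the PSK of the entry it picked
    return "OK" if hmac.compare_digest(expected, auth_data) else "AUTHENTICATION_FAILED"


# Constructed stand-ins for what both sides hold after IKE_SA_INIT.
MESSAGE1 = b"<constructed copy of the IKE_SA_INIT request as sent>"
NONCE_R = bytes(range(32))
SK_PI = hashlib.sha1(b"constructed SK_pi").digest()
ID_I = b"vpn1-peer"                          # ID_KEY_ID value the initiator sends as IDi
REST_OF_ID_I = bytes([11, 0, 0, 0]) + ID_I   # ID type 11 (ID_KEY_ID), 3 reserved bytes, data
REMOTE_GW = "192.0.2.10"                     # documentation address, stands in for the peer
PROPOSAL = "aes128-sha1-modp1024"            # the proposal matched in the debug above


def demo():
    signed = initiator_signed_octets(MESSAGE1, NONCE_R, SK_PI, REST_OF_ID_I)
    auth_data = psk_auth(b"new-vpn1-secret", signed)   # what the initiator (VPN1) sends in IKE_AUTH
    good = Phase1("VPN1", REMOTE_GW, PROPOSAL, b"new-vpn1-secret")
    typo = Phase1("VPN1", REMOTE_GW, PROPOSAL, b"new-vpn1-secret ")  # trailing space in the PSK
    old = Phase1("OLD-MIRROR", REMOTE_GW, PROPOSAL, b"old-mirror-secret")
    return {
        "correct": responder_verify([good], REMOTE_GW, PROPOSAL, ID_I, signed, auth_data),
        "wrong_psk": responder_verify([typo], REMOTE_GW, PROPOSAL, ID_I, signed, auth_data),
        # Two tunnels, same gateway, same proposal, no peer IDs: the old one is picked first.
        "ambiguous": responder_verify([old, good], REMOTE_GW, PROPOSAL, ID_I, signed, auth_data),
        # Same two tunnels, each with its own peer ID: IDi selects the right entry.
        "disambiguated": responder_verify(
            [Phase1("OLD-MIRROR", REMOTE_GW, PROPOSAL, b"old-mirror-secret", peerid=b"mirror-peer"),
             Phase1("VPN1", REMOTE_GW, PROPOSAL, b"new-vpn1-secret", peerid=ID_I)],
            REMOTE_GW, PROPOSAL, ID_I, signed, auth_data),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14s} -> {result}")
```

The point of the model is that AUTHENTICATION_FAILED only says the AUTH value the peer recomputed did not match; it cannot tell you whether the PSK itself was wrong or whether the peer recomputed it with the PSK of a different tunnel, which is why a conflicting older tunnel to the same gateway looks exactly like a typo in the new one. Real daemons also bind the AUTH value to the SA_INIT bytes and nonces, so a replayed or altered first message fails the same way.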
huh! Apologies for spamming the thread :\
The forum was somehow stuck and I clicked the save button a few times since nothing happened.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams