Rede
New Contributor

Ipsec site-to-site Microsoft TMG

Hello, I'm trying to set up an IPsec VPN with TMG, but the phase 2 negotiation does not begin. Phase 1 in the logs says it is OK. Has someone managed to operate a FortiGate-TMG VPN? Thank you.
emnoc
Esteemed Contributor III

How's the TMG setup and how's the FGT setup? You haven't provided a lot of details, but you will need to provide configs and diag debug flow outputs.

Remember the following:
- ensure the selector is not any/any and a prefix is specified
- ensure ph-2 settings match for dh, pfs, etc...
- if you're doing route-based, ensure the routes are in the table
- check your fwpolicy
- check your fwpolicy seq# order

Outside of the above, it should be straightforward. Be cautious of any NAT entries on the TMG that might interfere with the VPN options.

Ken

PCNSE 

NSE 

StrongSwan  

Rede
New Contributor

Hello emnoc, I collected the output of diag debug flow. IP addresses have been replaced with "IP". Below are the results:

ike 0:VPN-HEPTA:Tun_Hepta: IPsec SA connect 3 IP->IP:500
ike 0:VPN-HEPTA:Tun_Hepta: using existing connection
ike 0:VPN-HEPTA:Tun_Hepta: config found
ike 0:VPN-HEPTA:56:Tun_Hepta:30: quick-mode negotiation failed due to retry timeout
ike 0:VPN-HEPTA:56: send ISAKMP delete 04909353babf9d4d/8c22036b6ab29fbf
ike 0:VPN-HEPTA:56: enc 04909353BABF9D4D8C22036B6AB29FBF08100501E7FD0613000000500C000018D42DC0251B58FA4B77CE9A147494A696AF8DA8A20000001C000000010110000104909353BABF9D4D8C22036B6AB29FBF
ike 0:VPN-HEPTA:56: out 04909353BABF9D4D8C22036B6AB29FBF08100501E7FD06130000005C69D0D8922C126BF972F1EE9379D7FAB6B27806CC9A85D7CC83F181AA4AB5CFF050D15069287CF266592485CAE43D70105BE9F4BAB16D5C32B853FE18437BA57D
ike 0:VPN-HEPTA:56: sent IKE msg (ISKAMP SA DELETE-NOTIFY): IP:500->IP:500, len=92, id=04909353babf9d4d/8c22036b6ab29fbf:e7fd0613
ike 0:VPN-HEPTA: connection expiring due to phase1 down
ike 0:VPN-HEPTA: deleting
ike 0:VPN-HEPTA: flushing
ike 0:VPN-HEPTA: flushed
ike 0:VPN-HEPTA: deleted
ike 0:VPN-HEPTA: set oper down
ike 0:VPN-HEPTA: schedule auto-negotiate
ike 0:VPN-HEPTA: auto-negotiate connection
ike 0:VPN-HEPTA: created connection: 0x99680a8 3 IP->IP:500.
ike 0:VPN-HEPTA: carrier down
ike 0:VPN-HEPTA: deleting
ike 0:VPN-HEPTA: flushing
ike 0:VPN-HEPTA: flushed
ike 0:VPN-HEPTA: deleted
ike 0:VPN-HEPTA: schedule auto-negotiate
ike 0:VPN-HEPTA: auto-negotiate connection
ike 0:VPN-HEPTA: created connection: 0x99680a8 3 IP->IP:500.
ike 0:VPN-HEPTA:57: initiator: main mode is sending 1st message...
ike 0:VPN-HEPTA:57: cookie db9098a7523c34d0/0000000000000000
ike 0:VPN-HEPTA:57: out DB9098A7523C34D000000000000000000110020000000000000000F40D00003800000001000000010000002C010100010000002401010000800B0001800C708080010007800E00808003000180020002800400020D0000144A131C81070358455C5728F20E95452F0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D000014AFCAD71368A1F1C96B8696FC77570100000000148299031757A36082C6A621DE0004027F
ike 0:VPN-HEPTA:57: sent IKE msg (ident_i1send): IP->IP:500, len=244, id=db9098a7523c34d0/0000000000000000
ike 0: comes IP:500->IP:500,ifindex=3....
ike 0: IKEv1 exchange=Identity Protection id=db9098a7523c34d0/3dbe28b9bd18de9b len=212
ike 0: in DB9098A7523C34D03DBE28B9BD18DE9B0110020000000000000000D40D00003C00000001000000010000003001010001000000280101000080010007800E0080800200028004000280030001800B0001000C0004000070800D0000181E2B516905991C7D7C96FCBFB587E461000000080D0000144A131C81070358455C5728F20E95452F0D00001490CB80913EBB696E086381B5EC427B1F0D0000144048B7D56EBCE88525E7DE7F00D6C2D30D000014FB1DE3CDF341B7EA16B7E5BE0855F12000000014E3A5966A76379FE707228231E5CE8652
ike 0:VPN-HEPTA:57: initiator: main mode get 1st response...
ike 0:VPN-HEPTA:57: VID MS NT5 ISAKMPOAKLEY 1E2B516905991C7D7C96FCBFB587E46100000008
ike 0:VPN-HEPTA:57: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:VPN-HEPTA:57: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:VPN-HEPTA:57: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike 0:VPN-HEPTA:57: VID unknown (16): FB1DE3CDF341B7EA16B7E5BE0855F120
ike 0:VPN-HEPTA:57: VID unknown (16): E3A5966A76379FE707228231E5CE8652
ike 0:VPN-HEPTA:57: selected NAT-T version: RFC 3947
ike 0:VPN-HEPTA:57: negotiation result
ike 0:VPN-HEPTA:57: proposal id = 1:
ike 0:VPN-HEPTA:57: protocol id = ISAKMP:
ike 0:VPN-HEPTA:57: trans_id = KEY_IKE.
ike 0:VPN-HEPTA:57: encapsulation = IKE/none
ike 0:VPN-HEPTA:57: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:VPN-HEPTA:57: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:VPN-HEPTA:57: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:VPN-HEPTA:57: type=OAKLEY_GROUP, val=1024.
ike 0:VPN-HEPTA:57: ISKAMP SA lifetime=28800
ike 0:VPN-HEPTA:57: out DB9098A7523C34D03DBE28B9BD18DE9B0410020000000000000000E40A0000847EDB670779B3CC1510570AE21B1B9DDD95B542DF68AA682BC6CF4F18EAF52CF57057F25A473202BA70A58BBF5B8A4E0C9EDFA79B6C464930ECF4EC2D3964C2893E561B50FF9A33173F022F0D55B01A17915773C0B3D27DEF0CB81B3273263E11B8B01576D9A525BEAC72A15C7F1DE7A71AD1F57ACFD54A393C9CE970DEC1AD9D14000014C9879BD83DCC1E9BD2A056ECBF23C66E14000018739B8DBA9F0607319C6312034DB191DC7C12417E00000018F9EBA8F6A5DA92137E701DA9FBF2D91A6514E9D5
ike 0:VPN-HEPTA:57: sent IKE msg (ident_i2send): IP:500->IP:500, len=228, id=db9098a7523c34d0/3dbe28b9bd18de9b
ike 0: comes IP:500->IP:500,ifindex=3....
ike 0: IKEv1 exchange=Identity Protection id=db9098a7523c34d0/3dbe28b9bd18de9b len=260
ike 0: in
ike 0:VPN-HEPTA:57: initiator: main mode get 2nd response...
ike 0:VPN-HEPTA:57: NAT not detected
ike 0:VPN-HEPTA:57: ISAKMP SA db9098a7523c34d0/3dbe28b9bd18de9b key 16:27DB88ABE79DC50EAE491ECD73AD33B2
ike 0:VPN-HEPTA:57: add INITIAL-CONTACT
ike 0:VPN-HEPTA:57: enc DB9098A7523C34D03DBE28B9BD18DE9B05100201000000000000005C0800000C01000000B12B459F0B0000189136CF733A3C7C4B0EB761C4764884F2E71061E80000001C0000000101106002DB9098A7523C34D03DBE28B9BD18DE9B
ike 0:VPN-HEPTA:57: out DB9098A7523C34D03DBE28B9BD18DE9B05100201000000000000006C8A9865306094C6043184FAF66AEE860177615665B057BCA5E38D505EB03321ED5491B6FFDF831BCBB8C371A3839C8107C4D89EF368FF576488AC1E3279C99E8DCD63F4C4C4EE63458A6801F3EBF0701C
ike 0:VPN-HEPTA:57: sent IKE msg (ident_i3send): IP:500->IP:500, len=108, id=db9098a7523c34d0/3dbe28b9bd18de9b
ike 0: comes IP:500->IP:500,ifindex=3....
ike 0: IKEv1 exchange=Identity Protection id=db9098a7523c34d0/3dbe28b9bd18de9b len=76
ike 0: in DB9098A7523C34D03DBE28B9BD18DE9B05100201000000000000004C8BABAD259D2F8F0B659C0217238AC1AE813422B6A5D42725735871791E997D8AA862D5CC9EDFC7AF468BD28CE0BC34E5
ike 0:VPN-HEPTA:57: initiator: main mode get 3rd response...
ike 0:VPN-HEPTA:57: dec DB9098A7523C34D03DBE28B9BD18DE9B05100201000000000000004C0800000C01000000B187FCB4000000186339EF782AAC702FA4431293027F100CFF09FAB7000000000000000000000000
ike 0:VPN-HEPTA:57: PSK authentication succeeded
ike 0:VPN-HEPTA:57: authentication OK
ike 0:VPN-HEPTA:57: established IKE SA db9098a7523c34d0/3dbe28b9bd18de9b
ike 0:VPN-HEPTA: DPD disabled, not negotiated
ike 0:VPN-HEPTA: set oper up
ike 0:VPN-HEPTA: schedule auto-negotiate
ike 0:VPN-HEPTA:57: no pending Quick-Mode negotiations
ike 0:VPN-HEPTA: carrier up
ike shrank heap by 126976 bytes

I've tried it with the route, but also created some policies such as: Tunnel -> Internal, External -> Tunnel, Internal -> Tunnel, all allowed with any service and any source and destination. The VPN configuration follows:

show vpn ipsec phase1-interface VPN-HEPTA
config vpn ipsec phase1-interface
    edit "VPN-HEPTA"
        set interface "port10"
        set dhgrp 2
        set proposal aes128-sha1
        set remote-gw xxx.xxx.xxx.xxx
        set psksecret ENC SQD9CHCanR7GrB76pb4w3XzyOjfMMGegAl23p067Tr4aVLNR8yV2Eu6mHY2w4XWJ0wjlTP1ZqU4fYVc00300PNqX/6if1YMRdljOQR5rv3onUU4F
        set keepalive 50
    next

show vpn ipsec phase2-interface Tun_Hepta
config vpn ipsec phase2-interface
    edit "Tun_Hepta"
        set keepalive enable
        set phase1name "VPN-HEPTA"
        set proposal aes128-sha1
        set dhgrp 2
        set dst-subnet 10.7.0.0 255.255.255.0
        set src-subnet 172.17.20.0 255.255.255.0
    next
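As an added example, not written by either participant and not Fortinet tooling, the script below reads the kind of ike debug output and phase2-interface block posted above and applies the checklist from emnoc's reply: it reports when phase 1 is established but a Quick Mode attempt timed out without an answer from the peer, flags any/any selectors, and notes that a dhgrp on the phase 2 (with FortiOS's default pfs enable) means the TMG side must offer the same PFS group. The sample debug lines and config are constructed, condensed copies of what Rede posted; the FortiOS CLI parser is a best-effort reading of the config/edit/set/next format.

```python
"""Triage helper for FortiGate IKEv1 debug output and a phase2-interface block.
Example written for this thread (not Fortinet tooling); sample data is constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: condensed 'diag debug app ike' lines matching the post above.
SAMPLE_IKE_DEBUG = """\
ike 0:VPN-HEPTA:Tun_Hepta: IPsec SA connect 3 IP->IP:500
ike 0:VPN-HEPTA:56:Tun_Hepta:30: quick-mode negotiation failed due to retry timeout
ike 0:VPN-HEPTA:57: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:VPN-HEPTA:57: type=OAKLEY_GROUP, val=1024.
ike 0:VPN-HEPTA:57: NAT not detected
ike 0:VPN-HEPTA:57: established IKE SA db9098a7523c34d0/3dbe28b9bd18de9b
ike 0:VPN-HEPTA:57: no pending Quick-Mode negotiations
"""

# Constructed sample: the poster's phase2 block with the closing 'end' added.
SAMPLE_PHASE2_CONFIG = """\
config vpn ipsec phase2-interface
    edit "Tun_Hepta"
        set phase1name "VPN-HEPTA"
        set proposal aes128-sha1
        set dhgrp 2
        set dst-subnet 10.7.0.0 255.255.255.0
        set src-subnet 172.17.20.0 255.255.255.0
    next
end
"""

MODP_BITS_TO_GROUP = {"768": "1", "1024": "2", "1536": "5", "2048": "14"}  # OAKLEY_GROUP val -> DH group
ANY_SELECTOR = {"", "0.0.0.0 0.0.0.0", "0.0.0.0/0"}
QM_FAIL_RE = re.compile(r"^ike 0:(?P<p1>[^:]+):\d+:(?P<p2>[^:]+):\d+: "
                        r"quick-mode negotiation failed due to (?P<reason>.+)$")
ATTR_RE = re.compile(r"type=(?P<key>\w+), val=(?P<val>\w+)\.")
ESTABLISHED_RE = re.compile(r"established IKE SA (?P<spi>[0-9a-f]+/[0-9a-f]+)")


@dataclass
class IkeSummary:
    phase1_established: bool = False
    isakmp_spi: Optional[str] = None
    phase1_attrs: Dict[str, str] = field(default_factory=dict)
    nat_detected: Optional[bool] = None
    quick_mode_failures: List[Tuple[str, str, str]] = field(default_factory=list)  # (p1, p2, reason)
    pending_quick_mode: Optional[bool] = None


def parse_ike_debug(text: str) -> IkeSummary:
    """Reduce raw ike debug lines to the facts needed for phase 1/2 triage."""
    s = IkeSummary()
    for raw in text.splitlines():
        line = raw.strip()
        if m := QM_FAIL_RE.match(line):
            s.quick_mode_failures.append((m["p1"], m["p2"], m["reason"]))
        elif m := ATTR_RE.search(line):
            s.phase1_attrs[m["key"]] = m["val"]
        elif m := ESTABLISHED_RE.search(line):
            s.phase1_established, s.isakmp_spi = True, m["spi"]
        elif line.endswith("NAT not detected"):
            s.nat_detected = False
        elif "NAT detected" in line:
            s.nat_detected = True
        elif line.endswith("no pending Quick-Mode negotiations"):
            s.pending_quick_mode = False
    return s


def parse_fortios_table(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a FortiOS 'config / edit / set / next / end' block into {name: {key: value}}."""
    entries: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line[5:].strip().strip('"')
            entries[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            entries[current][key] = value.strip().strip('"')
        elif line == "next":
            current = None
    return entries


def assess(summary: IkeSummary, phase2: Dict[str, Dict[str, str]]) -> List[str]:
    """Apply the checklist from the thread and return human-readable findings."""
    findings: List[str] = []
    for p1, p2, reason in summary.quick_mode_failures:
        hint = (" (peer never answered; compare phase 2 selectors, proposal and PFS group on both ends)"
                if summary.phase1_established and reason == "retry timeout" else "")
        findings.append(f"{p1}/{p2}: quick-mode failed due to {reason}{hint}")
    p1_group = MODP_BITS_TO_GROUP.get(summary.phase1_attrs.get("OAKLEY_GROUP", ""), "?")
    for name, cfg in phase2.items():
        for key in ("src-subnet", "dst-subnet"):
            if cfg.get(key, "") in ANY_SELECTOR:
                findings.append(f"{name}: {key} is any/any; set an explicit prefix")
        # FortiOS enables pfs by default, so a dhgrp here means PFS is negotiated in Quick Mode.
        if cfg.get("pfs", "enable") == "enable" and "dhgrp" in cfg:
            findings.append(f"{name}: PFS with DH group {cfg['dhgrp']} (phase 1 used group "
                            f"{p1_group}); the peer must offer the same PFS group")
    return findings
```

Run it against a full `diag debug app ike -1` capture by passing the file contents to parse_ike_debug and the `show vpn ipsec phase2-interface` output to parse_fortios_table; for the sample above it reports the Quick Mode timeout with phase 1 up and the PFS group 2 requirement, and no selector finding because both subnets are explicit.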