kaj73
New Contributor

Linksys BEFVP41, aggressive mode and INVALID-MAJOR-VERSION

I have a VPN connection between my Fortigate-60 2.80, build358, 050128 and a Linksys BEFVP41 V2 (1.01.01 beta1, Sep 22 2004). I use aggressive mode for the connection, because the Linksys has a dynamic IP and I use peer IDs to differentiate between multiple dialup tunnels. The connection can be established and traffic flows in both directions. The only problem is: both gateways are logging an info message every 10 seconds. Fortigate (CLI debug mode):
 Comes <Linksys-IP>:500-><Fortigate-IP>:500,ifindex=3, wan1, vf_id=0....
 Exchange Mode = 5, Message id = 0x00000000, Len = 57
 #######  ISAKMP INFO ##########
 You should send a protected info...
Linksys:
 UDP from <Fortigate-IP>:500 to <Linksys-IP>:500 
 IKE[1] Tx >> Notify : INVALID-MAJOR-VERSION
It only seems to appear in aggressive mode. As I said before, this message has only informational meaning, and doesn't seem to stress the gateways, but I'd like to know the cause of it. Does the FortiGate send packets with wrong headers? Has anyone seen this kind of message?
Not applicable

I thought that Peer ID doesn't work in aggressive mode. But may I suggest using DDNS on the Linksys side (to enable resolution of the dynamic IP) and setting up a LAN-LAN tunnel and not a dialup tunnel? This way you can use main mode tunnels. The 2.80 supports DDNS tunnels. Regards, Eric
kaj73
New Contributor

Some clarification: Aggressive mode is the only way to get my setup running. See [1] for more details. I tried DDNS (giving the Linksys a DynDNS name), but then the tunnel can only be established from the Fortigate side. The resolution of the DDNS address is only done if the tunnel is brought up from the Fortigate web interface; otherwise the connection attempt of the Linksys device is considered a "dialup connection". (Not to think about a change of IP address of the Linksys device during operation.) See also [2]. There are 11 possible ways to use Peer IDs. See table 1 on page 52 of the VPN Guide [3]. I use "Accept this peer ID" with "Dialup User - Aggressive mode". "Accept this peer ID" isn't available with any "Main mode" configuration. Thanks for your answer anyway, Eric :-). OK, the question is open again for everybody ;-) The RFC is unfortunately not of much use for me in this situation. Who is to blame, the Fortigate or the Linksys box? Any way to look into the exchanged packets?
---
[1] Multiple Dialup VPNs, http://support.fortinet.com/forum/tm.asp?m=8695
[2] problems with remote dyndns gateways, http://support.fortinet.com/forum/tm.asp?m=6555
[3] VPN Guide, http://kc.forticare.com/default.asp?id=422&Lang=1
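One way to look into the exchanged packets at the ISAKMP header level, added here as an example and not code from the thread or from either vendor: it decodes the fixed 28-byte IKEv1 header (RFC 2408) whose fields show up in the FortiGate debug lines above (exchange type 5 is Informational, message id 0, length 57) and applies the header checks a responder runs first, including the major-version check behind the INVALID-MAJOR-VERSION notify the Linksys logs. The sample message is constructed, not a capture from the thread; on a real setup the bytes would come from a UDP/500 packet capture.

```python
import struct

# Exchange types from RFC 2408, section 3.1. Type 5 is the Informational
# exchange that the FortiGate debug line shows as "Exchange Mode = 5".
EXCHANGE_TYPES = {0: "None", 1: "Base", 2: "Identity Protection (Main Mode)",
                  3: "Authentication Only", 4: "Aggressive", 5: "Informational"}
HEADER_FMT = "!8s8sBBBBII"          # fixed 28-byte ISAKMP header, big-endian
HEADER_LEN = struct.calcsize(HEADER_FMT)
FLAG_ENCRYPTION = 0x01              # E bit: payloads after the header are encrypted

def parse_header(data: bytes) -> dict:
    """Decode the fixed ISAKMP header. The version octet carries the major
    version in its high nibble and the minor version in its low nibble."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated ISAKMP header")
    icky, rcky, npl, ver, xchg, flags, mid, length = struct.unpack(
        HEADER_FMT, data[:HEADER_LEN])
    return {
        "initiator_cookie": icky.hex(), "responder_cookie": rcky.hex(),
        "next_payload": npl, "major": ver >> 4, "minor": ver & 0x0F,
        "exchange": EXCHANGE_TYPES.get(xchg, f"unknown({xchg})"),
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "message_id": mid, "length": length,
    }

def diagnose(data: bytes) -> list:
    """Run the checks a responder applies before touching any payload and
    return the notify names / findings it would raise; empty means sane."""
    hdr = parse_header(data)
    findings = []
    if hdr["major"] != 1:            # IKEv1 peers only accept ISAKMP major version 1
        findings.append("INVALID-MAJOR-VERSION")
    if hdr["length"] != len(data):   # declared length must match the UDP payload
        findings.append("UNEQUAL-PAYLOAD-LENGTHS")
    if hdr["exchange"] == "Informational" and not hdr["encrypted"]:
        findings.append("unprotected informational exchange")
    return findings

# Constructed sample, not a real capture: an IKEv1 Informational message
# (exchange type 5, message id 0, length 57) carrying an unencrypted
# Notification payload (next payload type 11); the 29 payload bytes are filler.
SAMPLE = (b"\x11" * 8 + b"\x22" * 8
          + bytes([11, 0x10, 5, 0x00]) + struct.pack("!II", 0, 57)
          + b"\x00" * 29)

# Same message with the version octet set to 2.0, which a responder rejects.
BAD_VERSION = SAMPLE[:17] + b"\x20" + SAMPLE[18:]

if __name__ == "__main__":
    print(parse_header(SAMPLE))
    print(diagnose(SAMPLE), diagnose(BAD_VERSION))
```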
Not applicable

I know it's inconvenient to only be able to initiate the tunnel from the Fortigate side, however you can use the ping function to make sure the tunnel is always up. As for the Linksys, well, in my experience, if it works don't ask any further... you should be happy it works.
kaj73
New Contributor

"use the ping function to make sure the tunnel is always up"
Ah, thanks for the tip, I will try this.
kaj73
New Contributor

Just a little update: After I upgraded our FG60 to 2.80, build393, 050405 the messages are gone on both sides.
Not applicable

Hey kaj, can you post a print screen of the Linksys 41's? I had so much trouble trying to make them stable to a FG60, about 3 of them so far... We were about to give up and install 50A's but then I read your post... Are they rock solid in operation?? No need to reboot anything at any time? Ours are dial-up aggressive to a fixed IP over ADSL FG60. THANKS in advance!
kaj73
New Contributor

See attached the screenshot of the VPN section of the Linksys router. I will attach the advanced configuration dialog to a new posting. Some info regarding our setup:
- Our FortiGate has a fixed IP address, now running with firmware 2.80, build393
- The Linksys routers (4 at the moment) are either connected directly to the Internet via PPPoE with a dynamic IP address or they work behind an existing gateway/firewall (which of course must support IPSec passthrough)
- The Linksys routers use (as you can see in the screenshots) aggressive mode and peer IDs
I recommend the latest Linksys firmware 1.01.04. The older version only supported DES encryption for phase 1 in aggressive mode (seemed to be a bug). We had no problems with stability so far, but the routers are not heavily stressed or so, just normal usage (mainly used to connect the SIP VoIP phone to our Asterisk server). Here are the settings of our FG60:
 # show vpn ipsec phase1 sgLinksys01
 config vpn ipsec phase1
     edit "sgLinksys01"
         set type dynamic
         set dpd enable
         set dhgrp 2
         set proposal 3des-sha1
         set peertype one
         set mode aggressive
         set psksecret ENC XXXXXXXXX
         set peerid "Linksys01"
     next
 end

 # show vpn ipsec phase2 tunLinksys01
 config vpn ipsec phase2
     edit "tunLinksys01"
         set dhgrp 2
         set pfs enable
         set phase1name "sgLinksys01"
         set proposal 3des-sha1
         set replay enable
         set keylifeseconds 14400
     next
 end
kaj73
New Contributor

OK, and here is the advanced VPN configuration dialog of the Linksys BEFVP41.