Dears,
I have recently created a site-to-site IPsec tunnel between our FortiGate and Check Point, and the tunnel is not coming up. Checking the following logs, I am seeing "received notify type AUTHENTICATION_FAILED" and "invalid IKE request SPI" errors.
Please see the following logs:
```
ike 0: IKEv2 exchange=INFORMATIONAL id=e1519865e17da7b0/5123928013c3bd04 len=80
ike 0: in E1519865E17DA7B05123928013C3BD042E20250000000000000000502A00003467D2EACA3A93C2A5AC9F512055321871C7EF292DE106F8A5DF63241425E84902EA8721EF5F96484D83CDB02EA7A2E31F
ike 0: invalid IKE request SPI e1519865e17da7b0/5123928013c3bd04
ike 0:CamcoHO-Detasad:CamcoHO-Detasad: chosen to populate IKE_SA traffic-selectors
ike 0:CamcoHO-Detasad: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
ike 0:CamcoHO-Detasad:1326757: out [...]
ike 0:CamcoHO-Detasad:1326757: sent IKE msg (SA_INIT): 172.16.59.254:500->195.101.1.92:500, len=320, id=1c8c39e1dba142e5/0000000000000000
ike 0: comes 195.101.1.92:500->172.16.59.254:500,ifindex=3....
ike 0: IKEv2 exchange=SA_INIT_RESPONSE id=1c8c39e1dba142e5/ac6beb70c5479926 len=433
ike 0: in [...]
ike 0:CamcoHO-Detasad:1326757: initiator received SA_INIT response
ike 0:CamcoHO-Detasad:1326757: processing notify type CHILDLESS_IKEV2_SUPPORTED
ike 0:CamcoHO-Detasad:1326757: incoming proposal:
ike 0:CamcoHO-Detasad:1326757: proposal id = 1:
ike 0:CamcoHO-Detasad:1326757: protocol = IKEv2:
ike 0:CamcoHO-Detasad:1326757: encapsulation = IKEv2/none
ike 0:CamcoHO-Detasad:1326757: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:CamcoHO-Detasad:1326757: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:CamcoHO-Detasad:1326757: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:CamcoHO-Detasad:1326757: type=DH_GROUP, val=MODP1536.
ike 0:CamcoHO-Detasad:1326757: matched proposal id 1
ike 0:CamcoHO-Detasad:1326757: proposal id = 1:
ike 0:CamcoHO-Detasad:1326757: protocol = IKEv2:
ike 0:CamcoHO-Detasad:1326757: encapsulation = IKEv2/none
ike 0:CamcoHO-Detasad:1326757: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:CamcoHO-Detasad:1326757: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:CamcoHO-Detasad:1326757: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:CamcoHO-Detasad:1326757: type=DH_GROUP, val=MODP1536.
ike 0:CamcoHO-Detasad:1326757: lifetime=1440
ike 0:CamcoHO-Detasad:1326757: IKE SA 1c8c39e1dba142e5/ac6beb70c5479926 SK_ei 32:24DABDD2F90B7B7090332E9BB3C6B63F64ACBDDC9E699C77EFDC7CC7A668A1CA
ike 0:CamcoHO-Detasad:1326757: IKE SA 1c8c39e1dba142e5/ac6beb70c5479926 SK_er 32:A416605B55F00CD906A76DD1EBD453B4A31EB75135FA87BC4CFD31B162523C8B
ike 0:CamcoHO-Detasad:1326757: IKE SA 1c8c39e1dba142e5/ac6beb70c5479926 SK_ai 32:531E281813BBC890C2CE92CE6FB0DD47F9457C5F113ECC1BDFEA260F6E0F4FD5
ike 0:CamcoHO-Detasad:1326757: IKE SA 1c8c39e1dba142e5/ac6beb70c5479926 SK_ar 32:8D7F7075702DC450403C106A2643677D99E8E3D7E764A9A449497C5E8C9FB878
ike 0:CamcoHO-Detasad:1326757: initiator preparing AUTH msg
ike 0:CamcoHO-Detasad:1326757: sending INITIAL-CONTACT
ike 0:CamcoHO-Detasad:1326757: enc 2900000C01000000AC103BFE27000008000040002900002802000000498B293D294C4D69ABF0F07B741A6A577793A73045E97DC8C0D71676BBBF300021000008000040242C00002C0000002801030403434E67F40300000C0100000C800E0100030000080300000C00000008050000002D00001801000000070000100000FFFFAC103C00AC103CFF0000001801000000070000100000FFFFC0A87000C0A870FF0F0E0D0C0B0A0908070605040302010F
ike 0:CamcoHO-Detasad:1326757: out 1C8C39E1DBA142E5AC6BEB70C54799262E20230800000001000000F0230000D46B2794CC11C037FE5BF3CE4F5E63DF5CE38D776BDA00E65850D35D9D0F1A269A647EC81EB0D28A0174783B7FBDF700957C9C714901143DF8E0136BAD0B321B20C3FB6833CFF27D3D15CD173C77DBAEDC2FF829B55B4F29969ABC7536D50490C6D420BE3DF3AC8E4CF7B651743ACE6CF960A165960F3E34FF4871FCBED4567C84F9FBA568754872F898A240E1610E519A9AC1E286DBF541E1DD75AFD4AF0044AACB86C17222AAEC3CFAA631AB34973AD64E1AEC5E7AFC8FB17A8EC456D48C6F7AD0A67200A5C8F924D6CD1363063371F0
ike 0:CamcoHO-Detasad:1326757: sent IKE msg (AUTH): 172.16.59.254:500->195.101.1.92:500, len=240, id=1c8c39e1dba142e5/ac6beb70c5479926:00000001
ike 0: comes 195.101.1.92:500->172.16.59.254:500,ifindex=3....
ike 0: IKEv2 exchange=INFORMATIONAL id=8c0344073f77d1c1/07654201b19cca0d len=80
ike 0: in 8C0344073F77D1C107654201B19CCA0D2E20250000000000000000502A0000345E25E9724B93659D6C75E36BBA2020872D662F8F205F1356D44FADB235892753A401CB23707DAABB436415AE48D72A7E
ike 0: invalid IKE request SPI 8c0344073f77d1c1/07654201b19cca0d
ike 0: comes 195.101.1.92:500->172.16.59.254:500,ifindex=3....
ike 0: IKEv2 exchange=AUTH_RESPONSE id=1c8c39e1dba142e5/ac6beb70c5479926:00000001 len=80
ike 0: in 1C8C39E1DBA142E5AC6BEB70C54799262E2023200000000100000050290000340A812B7C8E4395C9DB62EB394A20F4AAA133D0872534DAE730ECA0D0711B47C1AE7A92FC868812561C8DEF5135A4D637
ike 0:CamcoHO-Detasad:1326757: dec 1C8C39E1DBA142E5AC6BEB70C54799262E2023200000000100000028290000040000000800000018
ike 0:CamcoHO-Detasad:1326757: initiator received AUTH msg
ike 0:CamcoHO-Detasad:1326757: received notify type AUTHENTICATION_FAILED
ike 0:CamcoHO-Detasad:1326757: schedule delete of IKE SA 1c8c39e1dba142e5/ac6beb70c5479926
ike 0: comes 195.101.1.92:500->172.16.59.254:500,ifindex=3....
ike 0: IKEv2 exchange=INFORMATIONAL id=1c8c39e1dba142e5/ac6beb70c5479926 len=80
ike 0: in 1C8C39E1DBA142E5AC6BEB70C54799262E20250000000000000000502A000034F884AE5C47E93B57B04B3B0E774B56C40528643E7AA933517C86E63929DD1C3696B57253D81D0F001C4F190F387BAFA2
ike 0:CamcoHO-Detasad:1326757: dec 1C8C39E1DBA142E5AC6BEB70C54799262E20250000000000000000282A0000040000000801000000
ike 0:CamcoHO-Detasad:1326757: initiator received AUTH msg
ike 0:CamcoHO-Detasad:1326757: response message_id 0, expected 2
ike 0:CamcoHO-Detasad:1326757: unexpected payload type 42
ike 0:CamcoHO-Detasad:1326757: schedule delete of IKE SA 1c8c39e1dba142e5/ac6beb70c5479926
ike 0:CamcoHO-Detasad:1326757: scheduled delete of IKE SA 1c8c39e1dba142e5/ac6beb70c5479926
```
Did you match the ph1/ph2 settings in the FortiGate to the VPN communities in the CHKP? I would triple-check all settings down to the topology.
Afterward, rerun `diag debug app ike -1` and `fw ctl zdebug drop`, or look at the logs in SmartView. You might want to use vpn debug on the CHKP as well if the ph1/ph2 settings look like a match.
And lastly, assuming the CHKP is policy-based, make sure the local/remote subnets match the FortiGate.
Ken Felix
PCNSE
NSE
StrongSwan
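Before re-checking settings it helps to confirm what the peer is actually sending, and the hex that `diag debug app ike -1` prints after "in" and "dec" can be decoded by hand. The decoder below is an added example (not FortiGate or Check Point code) run over the three dumps quoted in the post: the IKE_AUTH response carries a NOTIFY AUTHENTICATION_FAILED, the later INFORMATIONAL carries a DELETE of the IKE SA with message ID 0, and the messages rejected as "invalid IKE request SPI" are INFORMATIONAL requests for an SPI pair the FortiGate has no SA for, whose encrypted payload starts with a DELETE.

```python
"""Decode IKEv2 message headers and payload chains from the hex that
FortiGate 'diag debug app ike -1' prints after "in" / "dec" (RFC 7296 s3).
Added example, not FortiGate or Check Point code; the three sample dumps
are copied from the debug output quoted in the post above."""
import struct

EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOADS = {0: "NONE", 41: "NOTIFY", 42: "DELETE", 46: "ENCRYPTED"}
NOTIFY_TYPES = {14: "NO_PROPOSAL_CHOSEN", 24: "AUTHENTICATION_FAILED"}
PROTOCOLS = {1: "IKE", 2: "AH", 3: "ESP"}

# "in" dump that produced "invalid IKE request SPI" (SK payload still encrypted)
UNKNOWN_SPI_IN = ("E1519865E17DA7B05123928013C3BD042E20250000000000000000502A000034"
                  "67D2EACA3A93C2A5AC9F512055321871C7EF292DE106F8A5DF63241425E84902"
                  "EA8721EF5F96484D83CDB02EA7A2E31F")
# "dec" dumps: the IKE daemon has already decrypted the SK payload (empty 4-byte SK header)
AUTH_RESPONSE_DEC = "1C8C39E1DBA142E5AC6BEB70C54799262E2023200000000100000028290000040000000800000018"
INFORMATIONAL_DEC = "1C8C39E1DBA142E5AC6BEB70C54799262E20250000000000000000282A0000040000000801000000"


def decode_ikev2(hexdump: str) -> dict:
    """Parse the 28-byte IKEv2 header, then walk the generic payload headers."""
    data = bytes.fromhex(hexdump)
    spi_i, spi_r, np, _ver, exch, flags, msg_id, length = struct.unpack("!QQBBBBII", data[:28])
    msg = {"spi_i": f"{spi_i:016x}", "spi_r": f"{spi_r:016x}",
           "exchange": EXCHANGES.get(exch, str(exch)),
           "response": bool(flags & 0x20), "from_initiator": bool(flags & 0x08),
           "msg_id": msg_id, "length": length, "payloads": []}
    off, ptype = 28, np
    while ptype != 0 and off + 4 <= len(data):
        nxt, _crit, plen = struct.unpack("!BBH", data[off:off + 4])  # next, C/reserved, length
        body = data[off + 4:off + plen]
        entry = {"type": PAYLOADS.get(ptype, str(ptype))}
        if ptype == 41 and len(body) >= 4:      # Notify: proto, spi_size, notify type
            _proto, _spi_size, ntype = struct.unpack("!BBH", body[:4])
            entry["notify"] = NOTIFY_TYPES.get(ntype, str(ntype))
        elif ptype == 42 and len(body) >= 4:    # Delete: proto, spi_size, number of SPIs
            proto, _spi_size, count = struct.unpack("!BBH", body[:4])
            entry["protocol"], entry["num_spis"] = PROTOCOLS.get(proto, str(proto)), count
        elif ptype == 46:                       # Encrypted (SK): only the inner type is visible
            entry["inner"] = PAYLOADS.get(nxt, str(nxt))
            if plen > 4:                        # ciphertext present, cannot walk further
                msg["payloads"].append(entry)
                break
        msg["payloads"].append(entry)
        off, ptype = off + plen, nxt
    return msg
```

Feeding `decode_ikev2` each "in"/"dec" line from a debug capture gives the exchange type, direction, message ID and payload chain without reading hex by eye; anything not in the small lookup tables is reported as its numeric value.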