- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: S2S-IPsec-tunnel-Fortigate-Checkpoint
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
S2S-IPsec-tunnel-Fortigate-Checkpoint
Dears,
I have recently created a site to site IPsec tunnel btw our FortiGate and checkpoint.
and the tunnel is not going up, and by checking the following logs, I am seeing (received notify type AUTHENTICATION_FAILED) and (invalid IKE request SPI) errors.
Please see the following logs:
ike 0: IKEv2 exchange=INFORMATIONAL id=e1519865e17da7b0/5123928013c3bd04 len=80 ike 0: in E1519865E17DA7B05123928013C3BD042E20250000000000000000502A00003467D2EACA3A93C2A5AC9F512055321871C7EF292DE106F8A5DF63241425E84902EA8721EF5F96484D83CDB02EA7A2E31F ike 0: invalid IKE request SPI e1519865e17da7b0/5123928013c3bd04 ike 0:CamcoHO-Detasad:CamcoHO-Detasad: chosen to populate IKE_SA traffic-selectors ike 0:CamcoHO-Detasad: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation ike 0:CamcoHO-Detasad:1326757: out 1C8C39E1DBA142E50000000000000000212022080000000000000140220000300000002C010100040300000C0100000C800E01000300000802000005030000080300000C0000000804000005280000C80005000065D57E6710F66955C3593BEC07BD530AE3677093B1069B4A4631FB84F9FA61964A6157F4294EEB00E41E3966FDFE057FE6AD42F3E5C120FEFF9BD69C88EF072311505E9320648DA0E68FB66F44642A9432051477FF19B5BFBD4B9413474576BECDF583C44709425469CCF3594A09C13D2230F5424CFC2434C475273B69355B98D9C77D711257FD025ABDDDDB2F5407B0D243A082C0B1821B99C72C3AD09C102584049C4C2BF1BF1DC4B5C6D895F79D40E480CDC808948D5974900F0CA17B84F429000024637C04A6FBDB1B67993FE21DF0CFC01C3E14EB7DFB93EAB7496980C61B1AD6D9000000080000402E ike 0:CamcoHO-Detasad:1326757: sent IKE msg (SA_INIT): 172.16.59.254:500->195.101.1.92:500, len=320, id=1c8c39e1dba142e5/0000000000000000 ike 0: comes 195.101.1.92:500->172.16.59.254:500,ifindex=3.... ike 0: IKEv2 exchange=SA_INIT_RESPONSE id=1c8c39e1dba142e5/ac6beb70c5479926 len=433 ike 0: in 1C8C39E1DBA142E5AC6BEB70C54799262120222000000000000001B1220000300000002C010100040300000C0100000C800E01000300000802000005030000080300000C0000000804000005280000C8000500006B74CAED55E3AE6B6EBE73EDC1A13902C85CC8C1C29DD490B53E07D346BEB526E9B4973955D0ECA4A0AF1BD6E0313C493A019E4D172350DC4694ABA62922FC089067C0321FBA989A57C10D4DFDFB2A88BF46F8ADB652839D359C0E20AE6F9714ED2D92242B2F8A00D43C95CF0DD3C520ED444B4A69ED6C036D00BA7769DC24AA8B618281959E0A66F97C455CCC99739963B4206014D997F6C9A1B66B8D58BEACEAC45FE9F6595FFC9D76129A55BA806B09C97FC3AAFFEAABC66EC2F958B13E2B260000188E14BBA381E40719930042904DB18F6EEA6FF8C22900007D04234B71255613E130DDE34269C9CC30D46F0841E00715286D7073AAB28A7C0F86CE38930038058AB1A980CB20EC4096A10DC9EBB4AFEDC99BFB86775727E787DDC789074B6E780EED2DB9AF6461493309C89513680197280A2C55C3FCD390F53A053BC9FB62ECEED493F87E23D80B6D2BECBAC0726F7BCC6F0000000800004022 ike 0:CamcoHO-Detasad:1326757: initiator received SA_INIT response ike 0:CamcoHO-Detasad:1326757: processing notify type CHILDLESS_IKEV2_SUPPORTED ike 0:CamcoHO-Detasad:1326757: incoming proposal: ike 0:CamcoHO-Detasad:1326757: proposal id = 1: ike 0:CamcoHO-Detasad:1326757: protocol = IKEv2: ike 0:CamcoHO-Detasad:1326757: encapsulation = IKEv2/none ike 0:CamcoHO-Detasad:1326757: type=ENCR, val=AES_CBC (key_len = 256) ike 0:CamcoHO-Detasad:1326757: type=INTEGR, val=AUTH_HMAC_SHA2_256_128 ike 0:CamcoHO-Detasad:1326757: type=PRF, val=PRF_HMAC_SHA2_256 ike 0:CamcoHO-Detasad:1326757: type=DH_GROUP, val=MODP1536. ike 0:CamcoHO-Detasad:1326757: matched proposal id 1 ike 0:CamcoHO-Detasad:1326757: proposal id = 1: ike 0:CamcoHO-Detasad:1326757: protocol = IKEv2: ike 0:CamcoHO-Detasad:1326757: encapsulation = IKEv2/none ike 0:CamcoHO-Detasad:1326757: type=ENCR, val=AES_CBC (key_len = 256) ike 0:CamcoHO-Detasad:1326757: type=INTEGR, val=AUTH_HMAC_SHA2_256_128 ike 0:CamcoHO-Detasad:1326757: type=PRF, val=PRF_HMAC_SHA2_256 ike 0:CamcoHO-Detasad:1326757: type=DH_GROUP, val=MODP1536. ike 0:CamcoHO-Detasad:1326757: lifetime=1440 ike 0:CamcoHO-Detasad:1326757: IKE SA 1c8c39e1dba142e5/ac6beb70c5479926 SK_ei 32:24DABDD2F90B7B7090332E9BB3C6B63F64ACBDDC9E699C77EFDC7CC7A668A1CA ike 0:CamcoHO-Detasad:1326757: IKE SA 1c8c39e1dba142e5/ac6beb70c5479926 SK_er 32:A416605B55F00CD906A76DD1EBD453B4A31EB75135FA87BC4CFD31B162523C8B ike 0:CamcoHO-Detasad:1326757: IKE SA 1c8c39e1dba142e5/ac6beb70c5479926 SK_ai 32:531E281813BBC890C2CE92CE6FB0DD47F9457C5F113ECC1BDFEA260F6E0F4FD5 ike 0:CamcoHO-Detasad:1326757: IKE SA 1c8c39e1dba142e5/ac6beb70c5479926 SK_ar 32:8D7F7075702DC450403C106A2643677D99E8E3D7E764A9A449497C5E8C9FB878 ike 0:CamcoHO-Detasad:1326757: initiator preparing AUTH msg ike 0:CamcoHO-Detasad:1326757: sending INITIAL-CONTACT ike 0:CamcoHO-Detasad:1326757: enc 2900000C01000000AC103BFE27000008000040002900002802000000498B293D294C4D69ABF0F07B741A6A577793A73045E97DC8C0D71676BBBF300021000008000040242C00002C0000002801030403434E67F40300000C0100000C800E0100030000080300000C00000008050000002D00001801000000070000100000FFFFAC103C00AC103CFF0000001801000000070000100000FFFFC0A87000C0A870FF0F0E0D0C0B0A0908070605040302010F ike 0:CamcoHO-Detasad:1326757: out 1C8C39E1DBA142E5AC6BEB70C54799262E20230800000001000000F0230000D46B2794CC11C037FE5BF3CE4F5E63DF5CE38D776BDA00E65850D35D9D0F1A269A647EC81EB0D28A0174783B7FBDF700957C9C714901143DF8E0136BAD0B321B20C3FB6833CFF27D3D15CD173C77DBAEDC2FF829B55B4F29969ABC7536D50490C6D420BE3DF3AC8E4CF7B651743ACE6CF960A165960F3E34FF4871FCBED4567C84F9FBA568754872F898A240E1610E519A9AC1E286DBF541E1DD75AFD4AF0044AACB86C17222AAEC3CFAA631AB34973AD64E1AEC5E7AFC8FB17A8EC456D48C6F7AD0A67200A5C8F924D6CD1363063371F0 ike 0:CamcoHO-Detasad:1326757: sent IKE msg (AUTH): 172.16.59.254:500->195.101.1.92:500, len=240, id=1c8c39e1dba142e5/ac6beb70c5479926:00000001 ike 0: comes 195.101.1.92:500->172.16.59.254:500,ifindex=3.... ike 0: IKEv2 exchange=INFORMATIONAL id=8c0344073f77d1c1/07654201b19cca0d len=80 ike 0: in 8C0344073F77D1C107654201B19CCA0D2E20250000000000000000502A0000345E25E9724B93659D6C75E36BBA2020872D662F8F205F1356D44FADB235892753A401CB23707DAABB436415AE48D72A7E ike 0: invalid IKE request SPI 8c0344073f77d1c1/07654201b19cca0d ike 0: comes 195.101.1.92:500->172.16.59.254:500,ifindex=3.... ike 0: IKEv2 exchange=AUTH_RESPONSE id=1c8c39e1dba142e5/ac6beb70c5479926:00000001 len=80 ike 0: in 1C8C39E1DBA142E5AC6BEB70C54799262E2023200000000100000050290000340A812B7C8E4395C9DB62EB394A20F4AAA133D0872534DAE730ECA0D0711B47C1AE7A92FC868812561C8DEF5135A4D637 ike 0:CamcoHO-Detasad:1326757: dec 1C8C39E1DBA142E5AC6BEB70C54799262E2023200000000100000028290000040000000800000018 ike 0:CamcoHO-Detasad:1326757: initiator received AUTH msg ike 0:CamcoHO-Detasad:1326757: received notify type AUTHENTICATION_FAILED ike 0:CamcoHO-Detasad:1326757: schedule delete of IKE SA 1c8c39e1dba142e5/ac6beb70c5479926 ike 0: comes 195.101.1.92:500->172.16.59.254:500,ifindex=3.... ike 0: IKEv2 exchange=INFORMATIONAL id=1c8c39e1dba142e5/ac6beb70c5479926 len=80 ike 0: in 1C8C39E1DBA142E5AC6BEB70C54799262E20250000000000000000502A000034F884AE5C47E93B57B04B3B0E774B56C40528643E7AA933517C86E63929DD1C3696B57253D81D0F001C4F190F387BAFA2 ike 0:CamcoHO-Detasad:1326757: dec 1C8C39E1DBA142E5AC6BEB70C54799262E20250000000000000000282A0000040000000801000000 ike 0:CamcoHO-Detasad:1326757: initiator received AUTH msg ike 0:CamcoHO-Detasad:1326757: response message_id 0, expected 2 ike 0:CamcoHO-Detasad:1326757: unexpected payload type 42 ike 0:CamcoHO-Detasad:1326757: schedule delete of IKE SA 1c8c39e1dba142e5/ac6beb70c5479926 ike 0:CamcoHO-Detasad:1326757: scheduled delete of IKE SA 1c8c39e1dba142e5/ac6beb70c5479926
1 REPLY 1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you match the ph1/ph2 settings in the fortigate to the vpn-communities in the CHKP? I would triple check all settings down to the topology.
Afterward rerun diag debug app ike -1 and fw ctl zdebug drop or look at the logs in smartview. You might want to use vpn debug also on the chkp if the ph1/ph2 settings looks like a match.
And lastly assuming the chkp is policy-based, make sure you have the local/remote subnets matching the fortigate.
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Labels
-
FortiGate
6,746 -
FortiClient
1,341 -
5.2
801 -
5.4
639 -
FortiManager
580 -
FortiAnalyzer
425 -
6.0
416 -
5.6
362 -
FortiSwitch
345 -
FortiAP
344 -
FortiClient EMS
274 -
FortiMail
262 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
160 -
6.4
128 -
FortiNAC
110 -
FortiGuard
108 -
FortiSIEM
92 -
FortiGateCloud
88 -
FortiCloud Products
85 -
IPsec
83 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
69 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
33 -
SD-WAN
31 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
High Availability
24 -
FortiConnect
24 -
FortiAuthenticator
22 -
VLAN
22 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
FortiMonitor
14 -
SAML
14 -
Interface
14 -
Logging
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
FortiDDoS
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
Authentication
9 -
SSL SSH inspection
9 -
Traffic shaping
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Fortigate Cloud
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
SNMP
6 -
Web profile
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
Web application firewall profile
5 -
FortiTester
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.