Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
daniyal
New Contributor

S2S-IPsec-tunnel-Fortigate-Checkpoint

Dears,

I have recently created a site to site IPsec tunnel btw our FortiGate and checkpoint. 

and the tunnel is not going up, and by checking the following logs, I am seeing (received notify type AUTHENTICATION_FAILED) and (invalid IKE request SPI) errors.

Please see the following logs:

ike 0: IKEv2 exchange=INFORMATIONAL id=e1519865e17da7b0/5123928013c3bd04 len=80 ike 0: in E1519865E17DA7B05123928013C3BD042E20250000000000000000502A00003467D2EACA3A93C2A5AC9F512055321871C7EF292DE106F8A5DF63241425E84902EA8721EF5F96484D83CDB02EA7A2E31F ike 0: invalid IKE request SPI e1519865e17da7b0/5123928013c3bd04 ike 0:CamcoHO-Detasad:CamcoHO-Detasad: chosen to populate IKE_SA traffic-selectors ike 0:CamcoHO-Detasad: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation ike 0:CamcoHO-Detasad:1326757: out 1C8C39E1DBA142E50000000000000000212022080000000000000140220000300000002C010100040300000C0100000C800E01000300000802000005030000080300000C0000000804000005280000C80005000065D57E6710F66955C3593BEC07BD530AE3677093B1069B4A4631FB84F9FA61964A6157F4294EEB00E41E3966FDFE057FE6AD42F3E5C120FEFF9BD69C88EF072311505E9320648DA0E68FB66F44642A9432051477FF19B5BFBD4B9413474576BECDF583C44709425469CCF3594A09C13D2230F5424CFC2434C475273B69355B98D9C77D711257FD025ABDDDDB2F5407B0D243A082C0B1821B99C72C3AD09C102584049C4C2BF1BF1DC4B5C6D895F79D40E480CDC808948D5974900F0CA17B84F429000024637C04A6FBDB1B67993FE21DF0CFC01C3E14EB7DFB93EAB7496980C61B1AD6D9000000080000402E ike 0:CamcoHO-Detasad:1326757: sent IKE msg (SA_INIT): 172.16.59.254:500->195.101.1.92:500, len=320, id=1c8c39e1dba142e5/0000000000000000 ike 0: comes 195.101.1.92:500->172.16.59.254:500,ifindex=3.... ike 0: IKEv2 exchange=SA_INIT_RESPONSE id=1c8c39e1dba142e5/ac6beb70c5479926 len=433 ike 0: in 1C8C39E1DBA142E5AC6BEB70C54799262120222000000000000001B1220000300000002C010100040300000C0100000C800E01000300000802000005030000080300000C0000000804000005280000C8000500006B74CAED55E3AE6B6EBE73EDC1A13902C85CC8C1C29DD490B53E07D346BEB526E9B4973955D0ECA4A0AF1BD6E0313C493A019E4D172350DC4694ABA62922FC089067C0321FBA989A57C10D4DFDFB2A88BF46F8ADB652839D359C0E20AE6F9714ED2D92242B2F8A00D43C95CF0DD3C520ED444B4A69ED6C036D00BA7769DC24AA8B618281959E0A66F97C455CCC99739963B4206014D997F6C9A1B66B8D58BEACEAC45FE9F6595FFC9D76129A55BA806B09C97FC3AAFFEAABC66EC2F958B13E2B260000188E14BBA381E40719930042904DB18F6EEA6FF8C22900007D04234B71255613E130DDE34269C9CC30D46F0841E00715286D7073AAB28A7C0F86CE38930038058AB1A980CB20EC4096A10DC9EBB4AFEDC99BFB86775727E787DDC789074B6E780EED2DB9AF6461493309C89513680197280A2C55C3FCD390F53A053BC9FB62ECEED493F87E23D80B6D2BECBAC0726F7BCC6F0000000800004022 ike 0:CamcoHO-Detasad:1326757: initiator received SA_INIT response ike 0:CamcoHO-Detasad:1326757: processing notify type CHILDLESS_IKEV2_SUPPORTED ike 0:CamcoHO-Detasad:1326757: incoming proposal: ike 0:CamcoHO-Detasad:1326757: proposal id = 1: ike 0:CamcoHO-Detasad:1326757: protocol = IKEv2: ike 0:CamcoHO-Detasad:1326757: encapsulation = IKEv2/none ike 0:CamcoHO-Detasad:1326757: type=ENCR, val=AES_CBC (key_len = 256) ike 0:CamcoHO-Detasad:1326757: type=INTEGR, val=AUTH_HMAC_SHA2_256_128 ike 0:CamcoHO-Detasad:1326757: type=PRF, val=PRF_HMAC_SHA2_256 ike 0:CamcoHO-Detasad:1326757: type=DH_GROUP, val=MODP1536. ike 0:CamcoHO-Detasad:1326757: matched proposal id 1 ike 0:CamcoHO-Detasad:1326757: proposal id = 1: ike 0:CamcoHO-Detasad:1326757: protocol = IKEv2: ike 0:CamcoHO-Detasad:1326757: encapsulation = IKEv2/none ike 0:CamcoHO-Detasad:1326757: type=ENCR, val=AES_CBC (key_len = 256) ike 0:CamcoHO-Detasad:1326757: type=INTEGR, val=AUTH_HMAC_SHA2_256_128 ike 0:CamcoHO-Detasad:1326757: type=PRF, val=PRF_HMAC_SHA2_256 ike 0:CamcoHO-Detasad:1326757: type=DH_GROUP, val=MODP1536. ike 0:CamcoHO-Detasad:1326757: lifetime=1440 ike 0:CamcoHO-Detasad:1326757: IKE SA 1c8c39e1dba142e5/ac6beb70c5479926 SK_ei 32:24DABDD2F90B7B7090332E9BB3C6B63F64ACBDDC9E699C77EFDC7CC7A668A1CA ike 0:CamcoHO-Detasad:1326757: IKE SA 1c8c39e1dba142e5/ac6beb70c5479926 SK_er 32:A416605B55F00CD906A76DD1EBD453B4A31EB75135FA87BC4CFD31B162523C8B ike 0:CamcoHO-Detasad:1326757: IKE SA 1c8c39e1dba142e5/ac6beb70c5479926 SK_ai 32:531E281813BBC890C2CE92CE6FB0DD47F9457C5F113ECC1BDFEA260F6E0F4FD5 ike 0:CamcoHO-Detasad:1326757: IKE SA 1c8c39e1dba142e5/ac6beb70c5479926 SK_ar 32:8D7F7075702DC450403C106A2643677D99E8E3D7E764A9A449497C5E8C9FB878 ike 0:CamcoHO-Detasad:1326757: initiator preparing AUTH msg ike 0:CamcoHO-Detasad:1326757: sending INITIAL-CONTACT ike 0:CamcoHO-Detasad:1326757: enc 2900000C01000000AC103BFE27000008000040002900002802000000498B293D294C4D69ABF0F07B741A6A577793A73045E97DC8C0D71676BBBF300021000008000040242C00002C0000002801030403434E67F40300000C0100000C800E0100030000080300000C00000008050000002D00001801000000070000100000FFFFAC103C00AC103CFF0000001801000000070000100000FFFFC0A87000C0A870FF0F0E0D0C0B0A0908070605040302010F ike 0:CamcoHO-Detasad:1326757: out 1C8C39E1DBA142E5AC6BEB70C54799262E20230800000001000000F0230000D46B2794CC11C037FE5BF3CE4F5E63DF5CE38D776BDA00E65850D35D9D0F1A269A647EC81EB0D28A0174783B7FBDF700957C9C714901143DF8E0136BAD0B321B20C3FB6833CFF27D3D15CD173C77DBAEDC2FF829B55B4F29969ABC7536D50490C6D420BE3DF3AC8E4CF7B651743ACE6CF960A165960F3E34FF4871FCBED4567C84F9FBA568754872F898A240E1610E519A9AC1E286DBF541E1DD75AFD4AF0044AACB86C17222AAEC3CFAA631AB34973AD64E1AEC5E7AFC8FB17A8EC456D48C6F7AD0A67200A5C8F924D6CD1363063371F0 ike 0:CamcoHO-Detasad:1326757: sent IKE msg (AUTH): 172.16.59.254:500->195.101.1.92:500, len=240, id=1c8c39e1dba142e5/ac6beb70c5479926:00000001 ike 0: comes 195.101.1.92:500->172.16.59.254:500,ifindex=3.... ike 0: IKEv2 exchange=INFORMATIONAL id=8c0344073f77d1c1/07654201b19cca0d len=80 ike 0: in 8C0344073F77D1C107654201B19CCA0D2E20250000000000000000502A0000345E25E9724B93659D6C75E36BBA2020872D662F8F205F1356D44FADB235892753A401CB23707DAABB436415AE48D72A7E ike 0: invalid IKE request SPI 8c0344073f77d1c1/07654201b19cca0d ike 0: comes 195.101.1.92:500->172.16.59.254:500,ifindex=3.... ike 0: IKEv2 exchange=AUTH_RESPONSE id=1c8c39e1dba142e5/ac6beb70c5479926:00000001 len=80 ike 0: in 1C8C39E1DBA142E5AC6BEB70C54799262E2023200000000100000050290000340A812B7C8E4395C9DB62EB394A20F4AAA133D0872534DAE730ECA0D0711B47C1AE7A92FC868812561C8DEF5135A4D637 ike 0:CamcoHO-Detasad:1326757: dec 1C8C39E1DBA142E5AC6BEB70C54799262E2023200000000100000028290000040000000800000018 ike 0:CamcoHO-Detasad:1326757: initiator received AUTH msg ike 0:CamcoHO-Detasad:1326757: received notify type AUTHENTICATION_FAILED ike 0:CamcoHO-Detasad:1326757: schedule delete of IKE SA 1c8c39e1dba142e5/ac6beb70c5479926 ike 0: comes 195.101.1.92:500->172.16.59.254:500,ifindex=3.... ike 0: IKEv2 exchange=INFORMATIONAL id=1c8c39e1dba142e5/ac6beb70c5479926 len=80 ike 0: in 1C8C39E1DBA142E5AC6BEB70C54799262E20250000000000000000502A000034F884AE5C47E93B57B04B3B0E774B56C40528643E7AA933517C86E63929DD1C3696B57253D81D0F001C4F190F387BAFA2 ike 0:CamcoHO-Detasad:1326757: dec 1C8C39E1DBA142E5AC6BEB70C54799262E20250000000000000000282A0000040000000801000000 ike 0:CamcoHO-Detasad:1326757: initiator received AUTH msg ike 0:CamcoHO-Detasad:1326757: response message_id 0, expected 2 ike 0:CamcoHO-Detasad:1326757: unexpected payload type 42 ike 0:CamcoHO-Detasad:1326757: schedule delete of IKE SA 1c8c39e1dba142e5/ac6beb70c5479926 ike 0:CamcoHO-Detasad:1326757: scheduled delete of IKE SA 1c8c39e1dba142e5/ac6beb70c5479926

1 REPLY 1
emnoc
Esteemed Contributor III

Did you match the ph1/ph2 settings in the fortigate to the vpn-communities in the CHKP? I would triple check all settings down to the topology.

 

Afterward rerun diag debug app ike -1 and  fw ctl zdebug drop  or look at the logs in smartview. You might want to use vpn debug also on the chkp if the ph1/ph2 settings looks like a match.

 

And lastly assuming the chkp is policy-based, make sure you have the local/remote subnets matching the fortigate.

 

Ken Felix

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors