Anglais
New Contributor II

Setting up Working IPSec tunnel dialup iOS - IKEv2

I am experiencing challenges in setting up a functional IKEv2 tunnel for dialup iOS devices. I have an IKEv1 tunnel which is working normally, but I'd like to switch to IKEv2. The device is an 80E running 7.2.7.

Maybe one of you here has faced similar issues before or has enough experience to point me to the right solution to fix this issue; that would be great.

Below are the details you might need to assist me.

FWTPRFP001 # ike 0: comes 174.X.X.X:12615->19.X.X.X:500,ifindex=5,vrf=0....
ike 0: IKEv2 exchange=SA_INIT id=b48f14cf6bade837/0000000000000000 len=370
ike 0: in B48F14CF6BADE8370000000000000000212022080000000000000172220000A402000024010100030300000C01000014800E010003000008020000050000000804000013020000240201000303000
00C01000014800E01000300000802000005000000080400000E0200002C030100040300000C0100000C800E01000300000802000005030000080300000C00000008040000130000002C040100040300000C0100
000C800E01000300000802000005030000080300000C000000080400000E28000048001300003ABC9D4D7D45EB7213726D1FF0472CA41BB1C676AA58B4D7FA193E579571B7B290EC19290AE66378221DBD0E613
507F24E0E6856B70E2A6D1D5AB3C6D97302462900001454FDF403A6AA65FB06BE33ABD21F5D9029000008000040162900001C00004004C3B7C2160ABBFE11EC5CAFC8176F9B4CEC0448C12900001C00004005A1
6815E2FAD3EACCCAA4423378C6C9968B807C8C290000080000402E0000000E0000402F000400030002
ike 0:b48f14cf6bade837/0000000000000000:0: responder received SA_INIT msg
ike 0:b48f14cf6bade837/0000000000000000:0: received notify type 16406
ike 0:b48f14cf6bade837/0000000000000000:0: ignoring unauthenticated notify payload (16406)
ike 0:b48f14cf6bade837/0000000000000000:0: received notify type NAT_DETECTION_SOURCE_IP
ike 0:b48f14cf6bade837/0000000000000000:0: received notify type NAT_DETECTION_DESTINATION_IP
ike 0:b48f14cf6bade837/0000000000000000:0: received notify type FRAGMENTATION_SUPPORTED
ike 0:b48f14cf6bade837/0000000000000000:0: received notify type SIGNATURE_HASH_ALGORITHMS
ike 0:b48f14cf6bade837/0000000000000000:0: incoming proposal:
ike 0:b48f14cf6bade837/0000000000000000:0: proposal id = 1:
ike 0:b48f14cf6bade837/0000000000000000:0: protocol = IKEv2:
ike 0:b48f14cf6bade837/0000000000000000:0: encapsulation = IKEv2/none
ike 0:b48f14cf6bade837/0000000000000000:0: type=ENCR, val=AES_GCM_16 (key_len = 256)
ike 0:b48f14cf6bade837/0000000000000000:0: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:b48f14cf6bade837/0000000000000000:0: type=DH_GROUP, val=ECP256.
ike 0:b48f14cf6bade837/0000000000000000:0: proposal id = 2:
ike 0:b48f14cf6bade837/0000000000000000:0: protocol = IKEv2:
ike 0:b48f14cf6bade837/0000000000000000:0: encapsulation = IKEv2/none
ike 0:b48f14cf6bade837/0000000000000000:0: type=ENCR, val=AES_GCM_16 (key_len = 256)
ike 0:b48f14cf6bade837/0000000000000000:0: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:b48f14cf6bade837/0000000000000000:0: type=DH_GROUP, val=MODP2048.
ike 0:b48f14cf6bade837/0000000000000000:0: proposal id = 3:
ike 0:b48f14cf6bade837/0000000000000000:0: protocol = IKEv2:
ike 0:b48f14cf6bade837/0000000000000000:0: encapsulation = IKEv2/none
ike 0:b48f14cf6bade837/0000000000000000:0: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:b48f14cf6bade837/0000000000000000:0: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:b48f14cf6bade837/0000000000000000:0: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:b48f14cf6bade837/0000000000000000:0: type=DH_GROUP, val=ECP256.
ike 0:b48f14cf6bade837/0000000000000000:0: proposal id = 4:
ike 0:b48f14cf6bade837/0000000000000000:0: protocol = IKEv2:
ike 0:b48f14cf6bade837/0000000000000000:0: encapsulation = IKEv2/none
ike 0:b48f14cf6bade837/0000000000000000:0: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:b48f14cf6bade837/0000000000000000:0: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:b48f14cf6bade837/0000000000000000:0: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:b48f14cf6bade837/0000000000000000:0: type=DH_GROUP, val=MODP2048.
ike 0: cache rebuild start
ike 0:IPSEcFortinet: cached as dynamic
ike 0:MainDCVPN: cached as dynamic
ike 0: cache rebuild done
ike 0:b48f14cf6bade837/0000000000000000:0: matched proposal id 3
ike 0:b48f14cf6bade837/0000000000000000:0: proposal id = 3:
ike 0:b48f14cf6bade837/0000000000000000:0: protocol = IKEv2:
ike 0:b48f14cf6bade837/0000000000000000:0: encapsulation = IKEv2/none
ike 0:b48f14cf6bade837/0000000000000000:0: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:b48f14cf6bade837/0000000000000000:0: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:b48f14cf6bade837/0000000000000000:0: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:b48f14cf6bade837/0000000000000000:0: type=DH_GROUP, val=ECP256.
ike 0:b48f14cf6bade837/0000000000000000:0: lifetime=86400
ike 0:b48f14cf6bade837/0000000000000000:0: SA proposal chosen, matched gateway MainDCVPN
ike 0:MainDCVPN: created connection: 0x61956f8 5 19.X.X.X->174.X.X.X:12615.
ike 0:MainDCVPN:0: processing notify type NAT_DETECTION_SOURCE_IP
ike 0:MainDCVPN:0: processing NAT-D payload
ike 0:MainDCVPN:0: NAT detected: PEER
ike 0:MainDCVPN:0: process NAT-D
ike 0:MainDCVPN:0: processing notify type NAT_DETECTION_DESTINATION_IP
ike 0:MainDCVPN:0: processing NAT-D payload
ike 0:MainDCVPN:0: NAT detected: ME PEER
ike 0:MainDCVPN:0: process NAT-D
ike 0:MainDCVPN:0: processing notify type FRAGMENTATION_SUPPORTED
ike 0:MainDCVPN:0: processing notify type SIGNATURE_HASH_ALGORITHMS
ike 0:MainDCVPN:0: responder preparing SA_INIT msg
ike 0:MainDCVPN:0: generate DH public value request queued
ike 0:MainDCVPN:0: responder preparing SA_INIT msg
ike 0:MainDCVPN:0: compute DH shared secret request queued
ike 0:MainDCVPN:0: responder preparing SA_INIT msg
ike 0:MainDCVPN:0: create NAT-D hash local 19.X.X.X/500 remote 174.X.X.X/12615
ike 0:MainDCVPN:0: out B48F14CF6BADE837ED286FD61EEC71AC2120222000000000000000E8220000300000002C030100040300000C0100000C800E01000300000802000005030000080300000C00000008
0400001328000048001300008AFB4C2B0D7DD1CBC8BC968EEE76FBEA8AB481D09AE16106D86BE6575B4274EB6EB8DF818D6B77454E37790EDDD54DD6C522F7C7BCE4EB32ED513B01E0749CEC29000014C51710E
F1D8657834588CBF973A52DC72900001C000040045FEDAD04CF3829A85584010537237E5AA19219732900001C0000400536A0E45FE7A381678B322019CCA2ECADB6C9C5C7000000080000402E
ike 0:MainDCVPN:0: sent IKE msg (SA_INIT_RESPONSE): 19.X.X.X:500->174.X.X.X:12615, len=232, vrf=0, id=b48f14cf6bade837/ed286fd61eec71ac
ike 0:MainDCVPN:0: IKE SA b48f14cf6bade837/ed286fd61eec71ac SK_ei 32:3B51D349FC7CC86BFFC4A406AE950503691763369E190DAEFC2E0392E572DC23
ike 0:MainDCVPN:0: IKE SA b48f14cf6bade837/ed286fd61eec71ac SK_er 32:42AD0D0FF0145841FE8AA47C557AC5E8643D0B796DA34AAB0B8268FEDAF2E36E
ike 0:MainDCVPN:0: IKE SA b48f14cf6bade837/ed286fd61eec71ac SK_ai 32:2203137FB69E52734354C86430B0CE5BD55754E4708D2A65FB318A783AE8F8C8
ike 0:MainDCVPN:0: IKE SA b48f14cf6bade837/ed286fd61eec71ac SK_ar 32:75F03722D6D9986ACCC3644A8252CB8381B409EF9D8724A14DE8799324ABFF82
ike 0: comes 174.X.X.X:12608->19.X.X.X:4500,ifindex=5,vrf=0....
ike 0: IKEv2 exchange=AUTH id=b48f14cf6bade837/ed286fd61eec71ac:00000001 len=384
ike 0: in B48F14CF6BADE837ED286FD61EEC71AC2E2023080000000100000180230001641C6B320D6B2D54816BE88BC10BD48B4619F2B923BDF34F4345684B31354AE895FECCD25B3378092D67DB64664832E
895EFFE67E4D4B9F20B446CC99C99EB6E9A925AC9D2B85977F448C328195899EB6753B4B783A9863D7CCF5DAFE26F8A9EFDFB3EB976FD80264B8B8B84EA4DAD3B4231F70EB4C7ED6AFC41061465A64CD029379A
C4F5A59E9A115D39F118F3D2A8D05E647D7C17781D7DDA6BC62B381AE524F8FD25597E7494EE7ABEF7B429BDD505E8EFC8DA4B8224C21518676B60609A8B7D329C2D30F7B7C0CC0CE8FEB4C282E03F81ECEF97B
F6A2A6A4977196C7EB61BBBA6ABCA3367BC7FD5722ABA023F297C7BD7C6B8F18FF2596E9D27DC4E089D6F119FE8399C2CF817D7294FAA133CDC312703BE402F2422E1DFBB18FF093DD1ACB75A32EB44BA8A3491
87972EE73DA43042A5A90A075A55C0720174F85FE7F210F8E083C4891E811AF11D4D2955984D633B611A108234FF2909A37B05A577DBE9
ike 0:MainDCVPN:0: dec B48F14CF6BADE837ED286FD61EEC71AC2E2023080000000100000154230000042900000B0200000043555424000008000040002F000015020000007374616D706564453138323031
29000028010000000001000000020000000600000003000000080000000C0000000A000000190000290000080000400A210000080000400B2C00004C020000200103040204348DBC0300000C01000014800E010
00000000805000000000000280203040304348DBC0300000C0100000C800E0100030000080300000C00000008050000002D00004002000000070000100000FFFF00000000FFFFFFFF080000280000FFFF000000
00000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF2900004002000000070000100000FFFF00000000FFFFFFFF080000280000FFFF00000000000000000000000000000000FFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFF000000080000400C
ike 0:MainDCVPN:0: responder received AUTH msg
ike 0:MainDCVPN:0: processing notify type INITIAL_CONTACT
ike 0:MainDCVPN:0: processing notify type ESP_TFC_PADDING_NOT_SUPPORTED
ike 0:MainDCVPN:0: processing notify type NON_FIRST_FRAGMENTS_ALSO
ike 0:MainDCVPN:0: processing notify type MOBIKE_SUPPORTED
ike 0:MainDCVPN:0: received peer identifier FQDN 'CUT'
ike 0:MainDCVPN:0: re-validate gw ID
ike 0:MainDCVPN:0: gw validation OK
ike 0:MainDCVPN:0: responder preparing EAP identity request
ike 0:MainDCVPN:0: enc 2700000B02000000435554300000280200000011C3ED8F4484AB4A78148CE596F53C5A3757B122C3B4ED0F10D3A6EAA139267900000009010000050103020103
ike 0:MainDCVPN:0: remote port change 12615 -> 12608
ike 0:MainDCVPN:0: out B48F14CF6BADE837ED286FD61EEC71AC2E2023200000000100000080240000648E466C5C07550A09FC3952CC99AA2A9B5C9782216F0507796939C3D6A784CC673141BBB0426C7DF1
3873FEC8115F2C40200CE791AB72B4D6128020088F4A48EAB3FD42C4D9B3FC22EF77CFB10B5EA2F21C5DC1F6ABD4FD7181DD66CCD1B7A111
ike 0:MainDCVPN:0: sent IKE msg (AUTH_RESPONSE): 19.X.X.X:4500->174.X.X.X:12608, len=128, vrf=0, id=b48f14cf6bade837/ed286fd61eec71ac:00000001
ike 0: comes 174.X.X.X:12615->19.X.X.X:500,ifindex=5,vrf=0....
ike 0: IKEv2 exchange=SA_INIT id=a249f5499bd7f227/0000000000000000 len=370
ike 0: in A249F5499BD7F2270000000000000000212022080000000000000172220000A402000024010100030300000C01000014800E010003000008020000050000000804000013020000240201000303000
00C01000014800E01000300000802000005000000080400000E0200002C030100040300000C0100000C800E01000300000802000005030000080300000C00000008040000130000002C040100040300000C0100
000C800E01000300000802000005030000080300000C000000080400000E28000048001300007BFBCF7F9B7AE17BFE2D5F951B193888BA93B4CC287D4AA0B5A8F70BFEFC4C0A7FDA75C4FA4E3B7646562E1ADA4
3F78D5E6F5E2C8D09B0A5B805C3E115AA3D7329000014DDB85F8CBD9EA2881E1E41BE80C3B0E429000008000040162900001C000040047396DE8C2BDF952834C73F58EBA2F578B0114B242900001C00004005B8
7EBD1A428D710D3B6050E671042EDF6CEA59FE290000080000402E0000000E0000402F000400030002
ike 0:a249f5499bd7f227/0000000000000000:1: responder received SA_INIT msg
ike 0:a249f5499bd7f227/0000000000000000:1: received notify type 16406
ike 0:a249f5499bd7f227/0000000000000000:1: ignoring unauthenticated notify payload (16406)
ike 0:a249f5499bd7f227/0000000000000000:1: received notify type NAT_DETECTION_SOURCE_IP
ike 0:a249f5499bd7f227/0000000000000000:1: received notify type NAT_DETECTION_DESTINATION_IP
ike 0:a249f5499bd7f227/0000000000000000:1: received notify type FRAGMENTATION_SUPPORTED
ike 0:a249f5499bd7f227/0000000000000000:1: received notify type SIGNATURE_HASH_ALGORITHMS
ike 0:a249f5499bd7f227/0000000000000000:1: incoming proposal:
ike 0:a249f5499bd7f227/0000000000000000:1: proposal id = 1:
ike 0:a249f5499bd7f227/0000000000000000:1: protocol = IKEv2:
ike 0:a249f5499bd7f227/0000000000000000:1: encapsulation = IKEv2/none
ike 0:a249f5499bd7f227/0000000000000000:1: type=ENCR, val=AES_GCM_16 (key_len = 256)
ike 0:a249f5499bd7f227/0000000000000000:1: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:a249f5499bd7f227/0000000000000000:1: type=DH_GROUP, val=ECP256.
ike 0:a249f5499bd7f227/0000000000000000:1: proposal id = 2:
ike 0:a249f5499bd7f227/0000000000000000:1: protocol = IKEv2:
ike 0:a249f5499bd7f227/0000000000000000:1: encapsulation = IKEv2/none
ike 0:a249f5499bd7f227/0000000000000000:1: type=ENCR, val=AES_GCM_16 (key_len = 256)
ike 0:a249f5499bd7f227/0000000000000000:1: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:a249f5499bd7f227/0000000000000000:1: type=DH_GROUP, val=MODP2048.
ike 0:a249f5499bd7f227/0000000000000000:1: proposal id = 3:
ike 0:a249f5499bd7f227/0000000000000000:1: protocol = IKEv2:
ike 0:a249f5499bd7f227/0000000000000000:1: encapsulation = IKEv2/none
ike 0:a249f5499bd7f227/0000000000000000:1: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:a249f5499bd7f227/0000000000000000:1: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:a249f5499bd7f227/0000000000000000:1: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:a249f5499bd7f227/0000000000000000:1: type=DH_GROUP, val=ECP256.
ike 0:a249f5499bd7f227/0000000000000000:1: proposal id = 4:
ike 0:a249f5499bd7f227/0000000000000000:1: protocol = IKEv2:
ike 0:a249f5499bd7f227/0000000000000000:1: encapsulation = IKEv2/none
ike 0:a249f5499bd7f227/0000000000000000:1: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:a249f5499bd7f227/0000000000000000:1: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:a249f5499bd7f227/0000000000000000:1: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:a249f5499bd7f227/0000000000000000:1: type=DH_GROUP, val=MODP2048.
ike 0:a249f5499bd7f227/0000000000000000:1: matched proposal id 3
ike 0:a249f5499bd7f227/0000000000000000:1: proposal id = 3:
ike 0:a249f5499bd7f227/0000000000000000:1: protocol = IKEv2:
ike 0:a249f5499bd7f227/0000000000000000:1: encapsulation = IKEv2/none
ike 0:a249f5499bd7f227/0000000000000000:1: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:a249f5499bd7f227/0000000000000000:1: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:a249f5499bd7f227/0000000000000000:1: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:a249f5499bd7f227/0000000000000000:1: type=DH_GROUP, val=ECP256.
ike 0:a249f5499bd7f227/0000000000000000:1: lifetime=86400
ike 0:a249f5499bd7f227/0000000000000000:1: SA proposal chosen, matched gateway MainDCVPN
ike 0: found MainDCVPN 19.X.X.X 5 -> 174.X.X.X:12615
ike 0:MainDCVPN:1: processing notify type NAT_DETECTION_SOURCE_IP
ike 0:MainDCVPN:1: processing NAT-D payload
ike 0:MainDCVPN:1: NAT detected: PEER
ike 0:MainDCVPN:1: process NAT-D
ike 0:MainDCVPN:1: processing notify type NAT_DETECTION_DESTINATION_IP
ike 0:MainDCVPN:1: processing NAT-D payload
ike 0:MainDCVPN:1: NAT detected: ME PEER
ike 0:MainDCVPN:1: process NAT-D
ike 0:MainDCVPN:1: processing notify type FRAGMENTATION_SUPPORTED
ike 0:MainDCVPN:1: processing notify type SIGNATURE_HASH_ALGORITHMS
ike 0:MainDCVPN:1: responder preparing SA_INIT msg
ike 0:MainDCVPN:1: generate DH public value request queued
ike 0:MainDCVPN:1: responder preparing SA_INIT msg
ike 0:MainDCVPN:1: compute DH shared secret request queued
ike 0:MainDCVPN:1: responder preparing SA_INIT msg
ike 0:MainDCVPN:1: create NAT-D hash local 19.X.X.X/500 remote 174.X.X.X/12615
ike 0:MainDCVPN:1: out A249F5499BD7F22777CC49B6769934602120222000000000000000E8220000300000002C030100040300000C0100000C800E01000300000802000005030000080300000C00000008
04000013280000480013000080291701FBF0A73ED614E7FFE7EB4B61EFE3A7249145DAC7DB56D9DF3E3C06D32F25300A3C30D3D73EC09CBCA78AEF8CFD1A17B3014AD97CA0841F7C8B284F5F290000146CEF43C
63B201543E65EC9ECBE0224252900001C00004004AA3923E4016EA629F4F430079244DA9D2A72E9582900001C0000400527FBD78720D5F78DFE8E636FF4E0283E3C2B86E0000000080000402E
ike 0:MainDCVPN:1: sent IKE msg (SA_INIT_RESPONSE): 19.X.X.X:500->174.X.X.X:12615, len=232, vrf=0, id=a249f5499bd7f227/77cc49b676993460
ike 0:MainDCVPN:1: IKE SA a249f5499bd7f227/77cc49b676993460 SK_ei 32:6D61E29A4BCE0CDE27DA13C3B190C953A8B300CCCBC2B8A0828F83415040C684
ike 0:MainDCVPN:1: IKE SA a249f5499bd7f227/77cc49b676993460 SK_er 32:A05178F26AF1F8333DA53C173E099D052B8DC48F3648563B034E014A7584EB6F
ike 0:MainDCVPN:1: IKE SA a249f5499bd7f227/77cc49b676993460 SK_ai 32:DFFC82676BB4F9E3204802D84929C2AC3AB1B1F5210F1BA67856234CB52168BF
ike 0:MainDCVPN:1: IKE SA a249f5499bd7f227/77cc49b676993460 SK_ar 32:6B519700D772FCF99F08D06FEA3C9BBA45AEC692455BC597491B79EDFAA25E1C
ike 0: comes 174.X.X.X:12608->19.X.X.X:4500,ifindex=5,vrf=0....
ike 0: IKEv2 exchange=AUTH id=a249f5499bd7f227/77cc49b676993460:00000001 len=384
ike 0: in A249F5499BD7F22777CC49B6769934602E20230800000001000001802300016400741B8C6261AE068B8717B572765038F02F2E3A150111DCEE53024064CEB78F5CC4D5A7A8A7D75E710E6A4DAC236
4BC9729FB56D098D7642347ECB461ED81AEB2FF7C1E2370617A7A07B061E76A429689EE819836B853D811F43304AAE3188F9A6E7872A82257B0C6D6B26FC0C4F8EFD3D92A5594BA4DB6854E9458994756018822
3C8CC77AA20D60FA27DBA6CF3BBADB758255682EED6C4E47A448420568F83476EE5D7D6B004223C3A692AF6A25490D3422F615B1533BA1373DE7BBCD30E21F712077C6AB74106397208FB236E1DB71470EE26F6
AA62B897C88EE2B34E66CFFF571069C4B3A6881DCB2AF1BB02BF3979BB277364BD4C5C1FAC3DAC470851C3FDFCB4C2683B766C34A1FA8253FC84D1B08472D6A771E924F89ACD31128F7D4632F213D6CBF9A5A5E
C16BD48F6C229CE14DE54F3246A5A5F3E40ED44915D98AD411172C4471853433635FF33908778D49E5B3AF40811FE7CC3EEC66A65EE323
ike 0:MainDCVPN:1: dec A249F5499BD7F22777CC49B6769934602E2023080000000100000154230000042900000B0200000043555424000008000040002F000015020000007374616D706564453138323031
29000028010000000001000000020000000600000003000000080000000C0000000A000000190000290000080000400A210000080000400B2C00004C02000020010304020E9C92A20300000C01000014800E010
0000000080500000000000028020304030E9C92A20300000C0100000C800E0100030000080300000C00000008050000002D00004002000000070000100000FFFF00000000FFFFFFFF080000280000FFFF000000
00000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF2900004002000000070000100000FFFF00000000FFFFFFFF080000280000FFFF00000000000000000000000000000000FFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFF000000080000400C
ike 0:MainDCVPN:1: responder received AUTH msg
ike 0:MainDCVPN:1: processing notify type INITIAL_CONTACT
ike 0:MainDCVPN:1: processing notify type ESP_TFC_PADDING_NOT_SUPPORTED
ike 0:MainDCVPN:1: processing notify type NON_FIRST_FRAGMENTS_ALSO
ike 0:MainDCVPN:1: processing notify type MOBIKE_SUPPORTED
ike 0:MainDCVPN:1: received peer identifier FQDN 'CUT'
ike 0:MainDCVPN:1: re-validate gw ID
ike 0:MainDCVPN:1: gw validation OK
ike 0:MainDCVPN:1: responder preparing EAP identity request
ike 0:MainDCVPN:1: enc 2700000B0200000043555430000028020000006FE5AC5334BD4AC65E795BFC8AE5DE547BBD4FC9A54ED7C79F36FEF856108A5E00000009010100050103020103
ike 0:MainDCVPN:1: remote port change 12615 -> 12608
ike 0:MainDCVPN:1: out A249F5499BD7F22777CC49B6769934602E20232000000001000000802400006401BD3BF19FF35CB09642DC17A6B5351BA7C3BCB506CEB3388BF890FCF81E5A2FCE5291154D6CEF8B
1B263AA32F4C792F60FAB7E3E338C270B1079CEC4DFFBB46FACFCF3A5946318DC3FACA05E1ED03E383C183499FD14CADAFA69E0CE691D2D3
ike 0:MainDCVPN:1: sent IKE msg (AUTH_RESPONSE): 19.X.X.X:4500->174.X.X.X:12608, len=128, vrf=0, id=a249f5499bd7f227/77cc49b676993460:00000001
ike shrank heap by 110592 bytes

---------------------------------------------

config vpn ipsec phase1-interface
edit "MainDCVPN"
set type dynamic
set interface "wan1"
set ike-version 2
set peertype any
set net-device disable
set mode-cfg enable
set proposal aes128-sha256 aes256-sha256
set localid "EDO"
set negotiate-timeout 300
set dpd on-idle
set dhgrp 19 14 5
set eap enable
set eap-identity send-request
set authusrgrp "RemoteVPNUsers"
set ipv4-start-ip 10.130.10.200
set ipv4-end-ip 10.130.10.250
set ipv4-netmask 255.255.255.0
set dns-mode auto
set client-auto-negotiate enable
set client-keep-alive enable
set psksecret ENC
set dpd-retryinterval 60
next
end
config vpn ipsec phase2-interface
edit "MainDCVPN"
set phase1name "MainDCVPN"
set proposal aes128-sha256 aes256-sha256
set dhgrp 19 14 5
next
end


Anthony_E
Community Manager

Hello Anglais,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Anthony-Fortinet Community Team.
Anglais
New Contributor II

Thank you for your support @Anthony_E - I really appreciate the effort.

Anthony_E
Community Manager

Anytime @Anglais!

I hope you will find your answer :)!

Anthony-Fortinet Community Team.
hbac
Staff

Hi @Anglais,

I don't see any errors from the debug output. Did you get any error messages when trying to connect? Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-IKEv2-dialup-IPsec-tunnel-with-Radius-serv...

You can also run this debug and try to connect again.

di deb app fnbamd -1
di deb en

Regards,

Anglais
New Contributor II

Hey @hbac,

I wasn't able to find any errors either, and that's why I am really at a loss. When I try connecting, after a couple of seconds it just drops the connection attempt with no errors.

I tried this debug command, but no output was returned when I launched the connection attempt.

di deb app fnbamd -1
di deb en

smaruvala
Staff

Hello,

I am assuming you are using the native iOS VPN. Please correct me if I am wrong.

- If you look at the logs, we can see that the firewall is preparing the EAP packet, which is part of the IKE_AUTH response (the 4th message in IKEv2).

ike 0:MainDCVPN:0: responder preparing EAP identity request

- We can see that the firewall is sending the 4th message out.

ike 0:MainDCVPN:0: sent IKE msg (AUTH_RESPONSE): 19.X.X.X:4500->174.X.X.X:12608, len=128, vrf=0, id=b48f14cf6bade837/ed286fd61eec71ac:00000001

- After this it does not continue, as there is no EAP message from the client.

- From this I am assuming the issue is with some setting on iOS.

- One thing that comes to mind is that for IKEv2, iOS uses a certificate for authentication. Download the 'Apple Configurator' app, create a new profile with the VPN settings, and install it.

On the iPhone side you have three options for authentication:
none, username, certificate
None: if you choose it and disable the certificate, you get a pre-shared key but no username/password
Username: enter a username and password for authentication
Certificate: certificate authentication

If you use None, it means you can connect with either RSA signature + EAP or a pre-shared key; if you want EAP, you probably have to use a certificate.

Regards,

Shiva
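
As an added illustration of the reasoning in the answer above (this is not code from the original post or from Fortinet): a small Python script that reads `diagnose debug application ike -1` output, groups it by initiator SPI, and flags any IKE SA where the FortiGate sent the EAP identity request in its IKE_AUTH response but no further IKE_AUTH exchange ever came back from the client. `SAMPLE_LOG` is a constructed subset of the log lines posted in this thread (hex dumps and key lines left out); `HEALTHY_LOG` appends a constructed, not captured, second IKE_AUTH message to show what an answered request looks like.

```python
"""Spot a stalled IKEv2 EAP handshake in FortiGate 'diagnose debug application ike -1' output.
Added example for this thread, not Fortinet code: the responder's IKE_AUTH response carries an
EAP identity request, so a working handshake continues with another IKE_AUTH from the client."""
import re
from dataclasses import dataclass, field

# Constructed subset of the debug output posted in this thread (hex dumps and key material left out).
SAMPLE_LOG = """\
ike 0: comes 174.X.X.X:12615->19.X.X.X:500,ifindex=5,vrf=0....
ike 0: IKEv2 exchange=SA_INIT id=b48f14cf6bade837/0000000000000000 len=370
ike 0:b48f14cf6bade837/0000000000000000:0: responder received SA_INIT msg
ike 0:b48f14cf6bade837/0000000000000000:0: SA proposal chosen, matched gateway MainDCVPN
ike 0:MainDCVPN:0: sent IKE msg (SA_INIT_RESPONSE): 19.X.X.X:500->174.X.X.X:12615, len=232, vrf=0, id=b48f14cf6bade837/ed286fd61eec71ac
ike 0: comes 174.X.X.X:12608->19.X.X.X:4500,ifindex=5,vrf=0....
ike 0: IKEv2 exchange=AUTH id=b48f14cf6bade837/ed286fd61eec71ac:00000001 len=384
ike 0:MainDCVPN:0: responder preparing EAP identity request
ike 0:MainDCVPN:0: sent IKE msg (AUTH_RESPONSE): 19.X.X.X:4500->174.X.X.X:12608, len=128, vrf=0, id=b48f14cf6bade837/ed286fd61eec71ac:00000001
ike 0: comes 174.X.X.X:12615->19.X.X.X:500,ifindex=5,vrf=0....
ike 0: IKEv2 exchange=SA_INIT id=a249f5499bd7f227/0000000000000000 len=370
ike 0:a249f5499bd7f227/0000000000000000:1: responder received SA_INIT msg
ike 0:a249f5499bd7f227/0000000000000000:1: SA proposal chosen, matched gateway MainDCVPN
ike 0:MainDCVPN:1: sent IKE msg (SA_INIT_RESPONSE): 19.X.X.X:500->174.X.X.X:12615, len=232, vrf=0, id=a249f5499bd7f227/77cc49b676993460
ike 0: IKEv2 exchange=AUTH id=a249f5499bd7f227/77cc49b676993460:00000001 len=384
ike 0:MainDCVPN:1: responder preparing EAP identity request
ike 0:MainDCVPN:1: sent IKE msg (AUTH_RESPONSE): 19.X.X.X:4500->174.X.X.X:12608, len=128, vrf=0, id=a249f5499bd7f227/77cc49b676993460:00000001
"""
# Constructed continuation (NOT captured): the client answers EAP with a second IKE_AUTH (message id 2).
HEALTHY_LOG = SAMPLE_LOG + """\
ike 0: comes 174.X.X.X:12608->19.X.X.X:4500,ifindex=5,vrf=0....
ike 0: IKEv2 exchange=AUTH id=a249f5499bd7f227/77cc49b676993460:00000002 len=160
"""

COMES_RE = re.compile(r"^ike 0: comes (?P<src>\S+?)->")
EXCH_RE = re.compile(r"^ike 0: IKEv2 exchange=(?P<exch>\w+) id=(?P<ispi>[0-9a-f]{16})/[0-9a-f]{16}(?::(?P<msgid>[0-9a-f]{8}))?")
CONN_RE = re.compile(r"^ike 0:(?P<tag>[^:\s]+):(?P<conn>\d+): (?P<msg>.*)$")
SENT_RE = re.compile(r"sent IKE msg \((?P<kind>\w+)\):.* id=(?P<ispi>[0-9a-f]{16})/")

@dataclass
class IkeSa:
    ispi: str
    peer: str = ""
    gateway: str = ""
    events: list = field(default_factory=list)   # (direction, kind, msgid) in log order

def parse_ike_debug(text):
    """Group debug lines into IKE SAs keyed by initiator SPI, in order of first appearance."""
    sas = {}
    conn_to_spi = {}          # FortiGate connection index (the ':0:' / ':1:') -> initiator SPI
    last_src = ""
    for line in text.splitlines():
        m = COMES_RE.match(line)
        if m:
            last_src = m.group("src").rsplit(":", 1)[0]   # drop the NAT-translated port
            continue
        m = EXCH_RE.match(line)
        if m:
            sa = sas.setdefault(m.group("ispi"), IkeSa(m.group("ispi")))
            sa.peer = sa.peer or last_src
            sa.events.append(("in", m.group("exch"), m.group("msgid") or "00000000"))
            continue
        m = CONN_RE.match(line)
        if not m:
            continue                     # hex dumps, cache messages, key lines, etc.
        tag, conn, msg = m.group("tag"), m.group("conn"), m.group("msg")
        if "/" in tag:                   # 'ispi/rspi:conn:' lines, logged before the gateway is matched
            ispi = tag.split("/", 1)[0]
            conn_to_spi[conn] = ispi
            sa = sas.setdefault(ispi, IkeSa(ispi))
            if "matched gateway" in msg:
                sa.gateway = msg.rsplit(" ", 1)[1]
            continue
        sent = SENT_RE.search(msg)       # 'gateway:conn:' lines; trust the SPI a sent line names
        ispi = sent.group("ispi") if sent else conn_to_spi.get(conn)
        if ispi not in sas:
            continue
        if sent:
            sas[ispi].events.append(("out", sent.group("kind"), None))
        elif msg.startswith("responder preparing EAP identity request"):
            sas[ispi].events.append(("eap", "IDENTITY_REQUEST", None))
    return list(sas.values())

def diagnose(sas):
    """One finding per IKE SA that reached the EAP identity request."""
    findings = []
    for i, sa in enumerate(sas):
        kinds = [(d, k) for d, k, _ in sa.events]
        if ("eap", "IDENTITY_REQUEST") not in kinds:
            continue
        after = kinds[kinds.index(("eap", "IDENTITY_REQUEST")) + 1:]
        findings.append({
            "ispi": sa.ispi, "peer": sa.peer, "gateway": sa.gateway,
            "sent_auth_response": ("out", "AUTH_RESPONSE") in after,
            # a further IKE_AUTH from the client after the request means EAP actually started
            "status": "ok" if ("in", "AUTH") in after else "stalled",
            # a later SA from the same peer means the client gave up and started over
            "client_retried": any(o.peer == sa.peer for o in sas[i + 1:]),
        })
    return findings

if __name__ == "__main__":
    for f in diagnose(parse_ike_debug(SAMPLE_LOG)):
        print(f"{f['ispi']} peer={f['peer']} gw={f['gateway']} {f['status']} retried={f['client_retried']}")
```

Run it against a full `diagnose debug application ike -1` capture; the `in`/`out`/`dec` hex dumps and cache messages fall through the regexes and are ignored. One caveat before pasting such a capture anywhere: at this debug level the FortiGate also prints the IKE SA session keys (the `SK_ei`, `SK_er`, `SK_ai` and `SK_ar` lines in the output above), so strip those along with the public addresses.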

Anglais
New Contributor II

@smaruvala

I will look into this as soon as I get to work today. Thank you for pointing me in the right direction.
