Hi All,
We have created a site-to-site VPN from a FortiGate to a pfSense firewall. I have checked and verified that all configurations match each other, like IKE mode, preshared key, etc. I have generated the logs given below. Can someone please look into the logs and let me know what could be the issue?
ike 0:Diag: IPsec SA connect 3 10.11.11.5->CustomerIP:500 negotiating
ike 0:Diag: no suitable ISAKMP SA, queuing quick-mode request and initiating ISAKMP SA negotiation
ike 0:Diag:233372: initiator: main mode is sending 1st message...
ike 0:Diag:233372: cookie 360c9faddebb34af/0000000000000000
ike 0:Diag:233372: out
ike 0:Diag:233372: sent IKE msg (ident_i1send): 10.11.11.5:500->CustomerIP:500, len=292, id=360c9faddebb34af/0000000000000000
ike 0: comes CustomerIP:500->10.11.11.5:500,ifindex=3....
ike 0: IKEv1 exchange=Identity Protection id=360c9faddebb34af/5a0489a8af1142b7 len=164
ike 0: in 360C9FADDEBB34AF5A0489A8AF1142B70110020000000000000000A40D00003C00000001000000010000003001010001000000280101000080010007800E0100800200028004000280030001800B0001000C0004000151800D00000C09002689DFD6B7120D000014AFCAD71368A1F1C96B8696FC775701000D0000184048B7D56EBCE88525E7DE7F00D6C2D380000000000000144A131C81070358455C5728F20E95452F
ike 0:Diag:233372: initiator: main mode get 1st response...
ike 0:Diag:233372: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
ike 0:Diag:233372: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:Diag:233372: DPD negotiated
ike 0:Diag:233372: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000
ike 0:Diag:233372: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:Diag:233372: selected NAT-T version: RFC 3947
ike 0:Diag:233372: negotiation result
ike 0:Diag:233372: proposal id = 1:
ike 0:Diag:233372: protocol id = ISAKMP:
ike 0:Diag:233372: trans_id = KEY_IKE.
ike 0:Diag:233372: encapsulation = IKE/none
ike 0:Diag:233372: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:Diag:233372: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:Diag:233372: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:Diag:233372: type=OAKLEY_GROUP, val=MODP1024.
ike 0:Diag:233372: ISAKMP SA lifetime=86400
ike 0:Diag:233372: out 360C9FADDEBB34AF5A0489A8AF1142B70410020000000000000000E40A000084C13C89A8CF03D04F0295C43DCAC04EAE35C140DE3B065C1813FC611D8C72DA60BFDE3F9A2614EFBBFDA09D295FA49EC6ED6D63B2690D5453D58870C3816DD30469899354B5250BD4C08293D97288DDF438212A84356EE31F40F2F6DE9D416A784B39F474F039DC7D0A91929EB7E340D144F4646651A4082C79D9A13D0EA3547614000014E6A5C59BB4B3759FB1F952DFB47DD859140000187F06B9117DCC631A384A9ED21B978D94DB9F1D080000001893A708E3C8FCE4A81AD8F7866DB9CB6E209C6B51
ike 0:Diag:233372: sent IKE msg (ident_i2send): 10.11.11.5:500->CustomerIP:500, len=228, id=360c9faddebb34af/5a0489a8af1142b7
ike 0: comes CustomerIP:500->10.11.11.5:500,ifindex=3....
ike 0: IKEv1 exchange=Identity Protection id=360c9faddebb34af/5a0489a8af1142b7 len=244
ike 0: in 360C9FADDEBB34AF5A0489A8AF1142B70410020000000000000000F40A0000841FD82A379294E7407FFB34E0EF613B088264D42B804A3E32938520D52F0372C26081E6194F455388B61FF206ABFFE2B74A99551D1A02092DF6113A361FC1BF257F8DA88203D882484EC7E28CF120010BAE033D6817F48A5A8C06FB8ED5D1A8E9CB593F994779B014F6C1F7DFCA3BF96868A423B2AAEE6A4BF6F6178D55CA36A214000024331799E40B1D794C245CB4403F438884016172BDED56F52B23782DE962D1254C14000018C549D2A8AAF64CCD150541A0A386108E5CA226B0000000187F06B9117DCC631A384A9ED21B978D94DB9F1D08
ike 0:Diag:233372: initiator: main mode get 2nd response...
ike 0:Diag:233372: received NAT-D payload type 20
ike 0:Diag:233372: received NAT-D payload type 20
ike 0:Diag:233372: NAT detected: ME
ike 0:Diag:233372: NAT-T float port 4500
ike 0:Diag:233372: ISAKMP SA 360c9faddebb34af/5a0489a8af1142b7 key 32:537547271D063F604DA55A9B82A46FCC4D0A0B259544B72F3B88F5129531CDD5
ike 0:Diag:233372: add INITIAL-CONTACT
ike 0:Diag:233372: enc 360C9FADDEBB34AF5A0489A8AF1142B705100201000000000000005C0800000C010000000A0B0B050B00001893B2E85FB488E9E1BB4CD05CFBE119FDAA632D2D0000001C0000000101106002360C9FADDEBB34AF5A0489A8AF1142B7
ike 0:Diag:233372: out 360C9FADDEBB34AF5A0489A8AF1142B705100201000000000000006C71A3E259B2E8233E28BD1D53B361ABE5AB5D70461B66865E991433C4843E8E667120F95FC8598056D16D3AA0A3C1828453A0A7BE742144513615CE94DC26EE0FE628CB92D5724D099F550DA2E6BB5408
ike 0:Diag:233372: sent IKE msg (ident_i3send): 10.11.11.5:4500->CustomerIP:4500, len=108, id=360c9faddebb34af/5a0489a8af1142b7
ike 0: comes CustomerIP:4500->10.11.11.5:4500,ifindex=3....
ike 0: IKEv1 exchange=Informational id=360c9faddebb34af/5a0489a8af1142b7:c693f99f len=92
ike 0: in 360C9FADDEBB34AF5A0489A8AF1142B708100501C693F99F0000005C8F95DE79D6FDCF143D9CCC3BD04D1A0E6FDC24EDD9B713656C0ED57CF37E5060CA0D60F78453FC5455C5FC8D148C47E84FDA0136C7EE6FE8472B62E672B4D113
ike 0:Diag:233372: dec 360C9FADDEBB34AF5A0489A8AF1142B708100501C693F99F0000005C0B000018C37029997A5CE4ABCD4D5D842A7B67FCEC7790320000001C0000000101100018360C9FADDEBB34AF5A0489A8AF1142B7000000000000000000000000
ike 0:Diag:232993: negotiation timeout, deleting
ike 0:Diag: connection expiring due to phase1 down
ike 0:Diag: deleting
ike 0:Diag: deleted
ike 0:Diag: schedule auto-negotiate
It's saying it successfully exchanged the initial IKE messages with the other end on port 500 and changed the port to 4500 due to NAT-T, but it can't get any response from the other end on port 4500. Check the same on the other end, and if the other end is not receiving the third packet on port 4500, something in between is likely blocking it.
Hi,
Thanks for your comment and for looking into this case. I have resolved the case by looking into the pfSense logs. The FortiGate is actually deployed in AWS. AWS maps the public IP to the NIC on which the private IP is already assigned, so the FortiGate WAN interface has the private IP assigned and I have allocated the public IP to it.
In pfSense, I had defined the peer identifier as the peer IP address, but when pfSense received the peer identifier it was the private IP of the WAN interface. So it was giving the error IDr "Private IP (like 10.11.11.5)" does not match "Public IP (the elastic IP which was assigned)".
I changed the peer identifier to the private IP of the WAN interface and the VPN came up. I have also attached the screenshot below.
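As an added example (not part of the thread), the `enc` and `dec` dumps from the FortiGate log above can be decoded with the ISAKMP header and payload layout of RFC 2408 to confirm this diagnosis on the wire: the FortiGate identified itself with ID_IPV4_ADDR 10.11.11.5 (the private WAN address), and pfSense answered with notify type 24, INVALID-ID-INFORMATION. The two hex strings are copied from the log; the parser and its name tables are constructed here.

```python
# Added example: decode the `enc` and `dec` dumps from the FortiGate log
# (RFC 2408 layout). FortiGate logs the plaintext, so no decryption is needed.
import struct
import ipaddress

EXCHANGE = {2: "Identity Protection", 5: "Informational", 32: "Quick Mode"}
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 11: "ID_KEY_ID"}
NOTIFY_TYPES = {24: "INVALID-ID-INFORMATION", 24578: "INITIAL-CONTACT"}

# Plaintext of the 3rd main-mode message FortiGate sent (log line "enc").
ENC = ("360C9FADDEBB34AF5A0489A8AF1142B705100201000000000000005C0800000C"
       "010000000A0B0B050B00001893B2E85FB488E9E1BB4CD05CFBE119FDAA632D2D"
       "0000001C0000000101106002360C9FADDEBB34AF5A0489A8AF1142B7")
# Decrypted informational reply from pfSense (log line "dec").
DEC = ("360C9FADDEBB34AF5A0489A8AF1142B708100501C693F99F0000005C0B000018"
       "C37029997A5CE4ABCD4D5D842A7B67FCEC7790320000001C0000000101100018"
       "360C9FADDEBB34AF5A0489A8AF1142B7000000000000000000000000")

def decode_payload(ptype, body):
    """Decode the payload types that matter here; others are only sized."""
    if ptype == 5:  # Identification: id type, protocol, port, then ID data
        id_type = body[0]
        ident = str(ipaddress.IPv4Address(body[4:8])) if id_type == 1 else body[4:].hex()
        return {"type": "ID", "id_type": ID_TYPES.get(id_type, id_type), "id": ident}
    if ptype == 11:  # Notification: DOI, protocol, SPI size, notify type, SPI
        _doi, _proto, spi_size, ntype = struct.unpack("!IBBH", body[:8])
        return {"type": "NOTIFY", "notify": NOTIFY_TYPES.get(ntype, ntype),
                "spi": body[8:8 + spi_size].hex()}
    return {"type": {8: "HASH"}.get(ptype, ptype), "len": len(body)}

def parse_isakmp(hexdump):
    """Parse the 28-byte ISAKMP header and walk the generic payload chain."""
    raw = bytes.fromhex(hexdump)
    _ic, _rc, nxt, _ver, exch, flags, _msgid, length = struct.unpack("!8s8sBBBBII", raw[:28])
    msg = {"exchange": EXCHANGE.get(exch, exch), "encrypted": bool(flags & 1),
           "length": length, "payloads": []}
    off = 28
    while nxt != 0 and off + 4 <= len(raw):  # next payload 0 stops before the padding
        next_nxt, _res, plen = struct.unpack("!BBH", raw[off:off + 4])
        msg["payloads"].append(decode_payload(nxt, raw[off + 4:off + plen]))
        nxt, off = next_nxt, off + plen
    return msg

def diagnose():
    """Return (identity FortiGate sent, notify type pfSense answered with)."""
    sent_id = next(p for p in parse_isakmp(ENC)["payloads"] if p["type"] == "ID")
    reply = next(p for p in parse_isakmp(DEC)["payloads"] if p["type"] == "NOTIFY")
    return sent_id["id"], reply["notify"]  # ('10.11.11.5', 'INVALID-ID-INFORMATION')
```

Notify type 24 is INVALID-ID-INFORMATION in RFC 2408, which matches the IDr mismatch reported in the pfSense logs; the FortiGate's later "negotiation timeout" is it giving up after that rejection.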