Hello everyone, new here.
New to FortiGate also.
I am having a major issue getting a site-to-site VPN up, but first I would like you to tell me:
how do you ping the other gateway from the Forti CLI? I see the ping option but I don't get it.
execute ping-options source 10.10.111.254 10.222.221.16
command parse error before '10.222.221.16' Command fail. Return code -61
How do you write this syntax out completely to make it work?
Do you need to open ports in the firewall like on Cisco (e.g. ESP, IKE, etc.) before running the VPN wizard or doing a custom setup?
I cannot get phase 1 to come up.
Thanks
Hi Ken
Here is the output.
config vpn ipsec phase2-interface
    edit "TestToCisco"
        set phase1name "TestToCisco"
        set proposal 3des-md5
        set pfs disable
        set ipv4-df disable
        set replay disable
        set auto-negotiate enable
        set auto-discovery-sender phase1
        set auto-discovery-forwarder phase1
        set keylife-type seconds
        set encapsulation tunnel-mode
        set comments ''
        set protocol 0
        set src-addr-type subnet
        set src-port 0
        set dst-addr-type subnet
        set dst-port 0
        set keylifeseconds 86400
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
On the FortiGate, do you have a firewall policy for the named phase1 interface? You need a policy, and the config on the FortiGate looks okay.
What I see in the debug from the Cisco is that the ipsec-sa is failing with "phase 2 SA policy not acceptable!", and your phase2 has some issues, or I'm thinking a policy is missing on the FortiGate. You should be negotiating quad 0s (0.0.0.0/0) between the two IKE peers.
You can run diag debug enable followed by diag debug app ike -1 on the FortiOS device to look at its debug.
Ken Felix
PCNSE
NSE
StrongSwan
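The ping syntax the OP asked about and the debug capture Ken suggests, written out as an added example (not from either post); the tunnel name TestToCisco is the one in the posted config, the peer address is a placeholder, and the FortiOS 6.x command forms are assumed.

```fortios
# Source-bound ping: ping-options only sets parameters; the destination goes
# to a separate "execute ping" (which is why the one-line form gave a parse error).
execute ping-options source 10.10.111.254
execute ping 10.222.221.16
execute ping-options reset

# No ports need "opening" for the VPN itself: once a phase1-interface is bound
# to wan1 the FortiGate accepts IKE (UDP 500/4500) and ESP on that interface.
# What it does need is a firewall policy from/to the tunnel interface and a route.

# Tunnel state before touching debug (phase 1 gateway, then phase 2 SAs)
diagnose vpn ike gateway list name TestToCisco
diagnose vpn tunnel list name TestToCisco

# IKE debug for this peer only (Ken's "diag debug app ike -1", filtered);
# on FortiOS 7.x the filter is "diagnose vpn ike log filter rem-addr4 <ip>".
diagnose debug reset
diagnose vpn ike log-filter dst-addr4 <peer-public-ip>
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable
# Force a fresh negotiation, then read "negotiation result" (phase 1) and
# "my proposal" versus "incoming proposal" (phase 2) in the output.
diagnose vpn tunnel flush TestToCisco
# Switch debug off again when done; it is expensive on a busy box.
diagnose debug disable
diagnose debug reset
```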
I do believe that I have the policies, but again I am new and not sure. I asked this in the first post. I have ZBFW on the Cisco and I know that is not it, because I removed it to test and still no joy. I feel it's on the Forti side. Please see this image to see if this is the correct policy you're asking for.
Also, the Forti post was the diag you wanted. I can do it again, no problem. I am not sure what the phase1 interface is on this box, because it names everything and I am used to numbers. I see the name is the same for both phase interfaces.
Is this interface in Network >>> Interfaces? When I expand my Wan1 interface I see it, and it is a Tunnel Interface that has not been addressed, meaning no IP addressing.
Here is the debug. What is the PFS there (perfect forward secrecy)? I have this turned off on both boxes. It is seeing PFS DH 5 and complaining about it.
0:TestToCisco:8574:TestToCisco:3453: proposal id = 1: ike 0:TestToCisco:8574:TestToCisco:3453: protocol id = IPSEC_ESP: ike 0:TestToCisco:8574:TestToCisco:3453: PFS DH group = 5 ike 0:TestToCisco:8574:TestToCisco:3453: trans_id = ESP_3DES ike 0:TestToCisco:8574:TestToCisco:3453: encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:TestToCisco:8574:TestToCisco:3453: type = AUTH_ALG, val=MD5 ike 0:TestToCisco:8574:TestToCisco:3453: did not expect PFS DH group, received DH group 5 ike 0:TestToCisco:8574:TestToCisco:3453: negotiation failure ike Negotiate IPsec SA Error: ike 0:TestToCisco:8574:3453: no SA proposal chosen ike 0:TestToCisco:3453: info_send_n2, type 14, peer SPI e57bc519 ike 0:TestToCisco:8574: enc D93C289577B4B4691318BF0CC55043C80810050181F6B68E000000400B00001442E6AB3B156C5D2ABF37A7FD5C53B7CA00000010000000010304000EE57BC519 ike 0:TestToCisco:8574: out D93C289577B4B4691318BF0CC55043C80810050181F6B68E000000444A3316F97F61C40377D2CFC815D02EE5F1762F427008D84063C6ADA2247C867AE8F7B3FFA05C45AA ike 0:TestToCisco:8574: sent IKE msg (p2_notify_14): 73.107.235.45:500->50.250.102.118:500, len=68, id=d93c289577b4b469/1318bf0cc55043c8:81f6b68e ike 0:TestToCisco:8574: error processing quick-mode message from 50.250.102.118 as responder
Thank you for the help
Cisco still complaining about phase 2. here is latest debug on p1 errors
ISR4221#debug crypto isakmp error
Crypto ISAKMP Error debugging is on
ISR4221#
*Mar 26 17:49:40.105: ISAKMP-ERROR: (1332):deleting node 773216203 error TRUE reason "Delete Larval"
ISR4221#
*Mar 26 17:50:06.187: ISAKMP-ERROR: (1333):IPSec policy invalidated proposal with error 1024
*Mar 26 17:50:06.188: ISAKMP-ERROR: (1333):phase 2 SA policy not acceptable! (local 50.250.102.118 remote 73.107.235.45)
*Mar 26 17:50:06.188: ISAKMP-ERROR: (1333):deleting node 1257642978 error TRUE reason "QM rejected"
ISR4221#
*Mar 26 17:50:10.097: ISAKMP-ERROR: (1333):deleting node 921661237 error TRUE reason "Delete Larval"
ISR4221#
*Mar 26 17:50:40.530: ISAKMP-ERROR: (1333):deleting node 131420882 error TRUE reason "Delete Larval"
ISR4221#
humor us.
enable pfs in your fortios
config vpn ipsec phase2-interface
edit < blah blah >
set pfs enable
set dhgrp 2 5
end
and then do a
diag vpn ike gateway flush < phase1 name >
# wait 10 sec
diag vpn ike gateway list
diag vpn tunnel list
Ken Felix
PCNSE
NSE
StrongSwan
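The FortiGate debug posted earlier and the fix Ken gives above describe the same phase 2 mismatch: the FortiGate's phase2-interface has PFS disabled, so when the Cisco's quick-mode proposal arrives with a KE payload for DH group 5 the FortiGate logs "did not expect PFS DH group, received DH group 5", answers NO-PROPOSAL-CHOSEN, and the Cisco side reports "phase 2 SA policy not acceptable". The Python below is an added example, not code from this thread or from Fortinet: it parses the "my proposal" / "incoming proposal" sections of `diag debug app ike -1` output, finds the attributes on which the two sides disagree, and maps them onto the `config vpn ipsec phase2-interface` settings to change. The sample debug text is constructed after the output posted above (not a verbatim copy), and the mapping of debug names onto `set proposal` tokens beyond 3des/md5 is an assumption.

```python
import re

# FortiOS prints quick-mode debug as "ike <prefix>: <message>", where the prefix is
# one colon-terminated token such as 0:TestToCisco:8574:TestToCisco:3453.
PREFIX_RE = re.compile(r"^ike\s+(?:\S+:)?\s*(?P<msg>.*)$")
FIELDS = ("protocol", "encryption", "auth", "encapsulation", "pfs_dhgrp")
ATTRS = {"protocol id": "protocol", "trans_id": "encryption",
         "encapsulation": "encapsulation", "PFS DH group": "pfs_dhgrp"}
FAILURE_MARKERS = ("did not expect PFS DH group", "negotiation failure",
                   "no SA proposal chosen", "NO-PROPOSAL-CHOSEN")
# Debug name -> `set proposal` token. Only 3des/md5 is confirmed by the thread's
# output; the other entries are an assumption about FortiOS naming.
ENC_TOKEN = {"ESP_3DES": "3des", "ESP_DES": "des"}
AUTH_TOKEN = {"MD5": "md5", "SHA1": "sha1"}

# Constructed sample modelled on the debug posted above (PFS off on the FortiGate,
# peer offering PFS group 5); not a verbatim copy of the thread.
SAMPLE_DEBUG = """\
ike 0:TestToCisco:8574:TestToCisco:3453: my proposal:
ike 0:TestToCisco:8574:TestToCisco:3453: proposal id = 1:
ike 0:TestToCisco:8574:TestToCisco:3453: protocol id = IPSEC_ESP:
ike 0:TestToCisco:8574:TestToCisco:3453: trans_id = ESP_3DES
ike 0:TestToCisco:8574:TestToCisco:3453: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:TestToCisco:8574:TestToCisco:3453: type = AUTH_ALG, val=MD5
ike 0:TestToCisco:8574:TestToCisco:3453: incoming proposal:
ike 0:TestToCisco:8574:TestToCisco:3453: proposal id = 1:
ike 0:TestToCisco:8574:TestToCisco:3453: protocol id = IPSEC_ESP:
ike 0:TestToCisco:8574:TestToCisco:3453: PFS DH group = 5
ike 0:TestToCisco:8574:TestToCisco:3453: trans_id = ESP_3DES
ike 0:TestToCisco:8574:TestToCisco:3453: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:TestToCisco:8574:TestToCisco:3453: type = AUTH_ALG, val=MD5
ike 0:TestToCisco:8574:TestToCisco:3453: did not expect PFS DH group, received DH group 5
ike Negotiate IPsec SA Error: ike 0:TestToCisco:8574:3453: no SA proposal chosen
"""


def parse_quick_mode(debug_text):
    """Return (my_proposals, incoming_proposals, failure_messages); a proposal is a dict over FIELDS."""
    mine, incoming, failures = [], [], []
    side = current = None
    for raw in debug_text.splitlines():
        if not (m := PREFIX_RE.match(raw.strip())):
            continue
        msg = m.group("msg")
        if any(marker in msg for marker in FAILURE_MARKERS):
            failures.append(msg)
        if msg == "my proposal:":
            side, current = mine, None
        elif msg == "incoming proposal:":
            side, current = incoming, None
        elif msg.startswith("proposal id =") and side is not None:
            current = dict.fromkeys(FIELDS)      # pfs_dhgrp stays None when no KE payload is offered
            side.append(current)
        elif current is not None and "=" in msg:
            key, value = (s.strip() for s in msg.split("=", 1))
            if key in ATTRS:
                current[ATTRS[key]] = value.rstrip(":")
            elif key == "type" and "val=" in value:   # "type = AUTH_ALG, val=MD5"
                current["auth"] = value.split("val=", 1)[1].strip()
    return mine, incoming, failures


def diff_proposals(mine, incoming):
    """Per peer proposal: (index, peer, {field: (local, peer)}) for the closest local proposal; [] if any pair matches fully."""
    if not mine: raise ValueError("no local proposal found in debug output")
    report = []
    for idx, peer in enumerate(incoming, 1):
        best = None
        for local in mine:
            diffs = {f: (local[f], peer[f]) for f in FIELDS if local[f] != peer[f]}
            if best is None or len(diffs) < len(best):
                best = diffs
        if not best:
            return []
        report.append((idx, peer, best))
    return report


def fortios_fix(peer, diffs):
    """Translate differing fields into phase2-interface settings that match what the peer offers."""
    cmds = []
    if "pfs_dhgrp" in diffs:
        cmds += ["set pfs disable"] if peer["pfs_dhgrp"] is None else ["set pfs enable", f"set dhgrp {peer['pfs_dhgrp']}"]
    if "encryption" in diffs or "auth" in diffs:
        enc = ENC_TOKEN.get(peer["encryption"], str(peer["encryption"]).lower())
        auth = AUTH_TOKEN.get(peer["auth"], str(peer["auth"]).lower())
        cmds.append(f"set proposal {enc}-{auth}")
    if "encapsulation" in diffs:
        mode = "transport-mode" if "TRANSPORT" in str(peer["encapsulation"]) else "tunnel-mode"
        cmds.append(f"set encapsulation {mode}")
    return cmds


def analyze(debug_text):
    mine, incoming, failures = parse_quick_mode(debug_text)
    mismatches = [{"peer_proposal": idx, "fields": diffs, "fix": fortios_fix(peer, diffs)}
                  for idx, peer, diffs in diff_proposals(mine, incoming)]
    return {"failures": failures, "mismatches": mismatches}
```

Feed `analyze()` the text captured after `diag debug enable` and `diag debug app ike -1`; for the sample it reports one peer proposal differing only on `pfs_dhgrp` (local None, peer 5) and suggests `set pfs enable` / `set dhgrp 5`, which is the change Ken gives above. Note that `diag vpn ike gateway list` prints the live IKE SA key material on its `key:` line, so scrub that before pasting the output into a public thread.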
Here it is
FORTIGATE # diag vpn ike gateway list
vd: root/0
name: TestToCisco
version: 1
interface: wan1 7
addr: 73.107.235.45:500 -> 50.250.102.118:500
created: 25s ago
IKE SA: created 1/1  established 1/1  time 100/100/100 ms
IPsec SA: created 0/6

  id/spi: 8607 bcc8b33115c5a0bc/1318bf0cdff3744c
  direction: initiator
  status: established 25-25s ago = 100ms
  proposal: 3des-md5
  key: ebbb43f89ef9f987-bbffde5beb92dcf7-2b220ff7ec708a33
  lifetime/rekey: 86400/86074
  DPD sent/recv: 00000000/00000000

FORTIGATE # diag vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=TestToCisco ver=1 serial=2 73.107.235.45:0->50.250.102.118:0 dst_mtu=0
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc  run_state=0 accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=9 ilast=55 olast=55 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=off on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=TestToCisco proto=0 sa=0 ref=2 serial=7 auto-negotiate
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
run_tally=1
Tunnel just came up! Don't know why?
So was pfs enabled or not? What does your "show crypto ipsec sa" show?
Ken Felix
PCNSE
NSE
StrongSwan
Hello Ken
Yes it was, but I don't have the Cisco coded for pfs.
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile VTI
 set security-association lifetime seconds 86400
 set transform-set TS
<I did have pfs here before> but I removed it
ISR4221#sh crypto ipsec sa
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 50.250.102.118

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 73.107.235.45 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 17433, #pkts encrypt: 17433, #pkts digest: 17433
    #pkts decaps: 20661, #pkts decrypt: 20661, #pkts verify: 20661
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 50.250.102.118, remote crypto endpt.: 73.107.235.45
     plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
     current outbound spi: 0x8772CE32(2272448050)
     PFS (Y/N): Y, DH group: group5   <<<<<<<<<<< Shows on here though??? Weird

     inbound esp sas:
      spi: 0x993F646F(2571068527)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2099, flow_id: ESG:99, sibling_flags FFFFFFFF80004048, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4607971/2649)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8772CE32(2272448050)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2100, flow_id: ESG:100, sibling_flags FFFFFFFF80004048, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4607982/2649)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
Copyright 2024 Fortinet, Inc. All Rights Reserved.