Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: VPN Agressive mode - error processing quick-mo...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VPN Agressive mode - error processing quick-mode message
Hi, We are currently trying to establish a site to site VPN with a branch. The branch is using a Cisco router 2911. He sent us the configuration parameters which we configured, but the VPN tunnel is still not coming up. I think the phase 1 is ok, the problem is with phase2.
[Cisco Router] {Dynamic IP} ---------> (Internet) --------->{Static IP} [Fortigate Amazon] + Fortigate: HUB + Cisco Router: SPOKE
Fortigate Config
config vpn ipsec phase1-interface edit "HUB" set type dynamic set interface "port1" set dhgrp 2 set mode aggressive set peertype one set proposal aes256-sha1 set peerid "hub" set psksecret *** next end config vpn ipsec phase2-interface edit "VPN" set keepalive enable set phase1name "HUB" set proposal 3des-sha1 set dhgrp 2 set keylifeseconds 3600 next end config router static edit 1 set device "HUB" set dst 10.21.50.0 255.255.255.0 next end config firewall policy edit 1 set srcintf "HUB" set dstintf "port1" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" next edit 2 set srcintf "port1" set dstintf "HUB" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" next end Router 2911 config
crypto keyring KEYR1 pre-shared-key address 1.1.1.1 key *** ! crypto isakmp policy 10 encr aes 256 authentication pre-share group 2 lifetime 28800 crypto isakmp keepalive 10 5 crypto isakmp profile R2_ISAKMP_PROF keyring KEYR1 self-identity user-fqdn hub match identity address 1.1.1.1 255.255.255.255 initiate mode aggressive ! ! crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac ! crypto ipsec profile R2_VTI set transform-set ESP-3DES-SHA set pfs group2 set isakmp-profile R2_ISAKMP_PROF interface Tunnel3 no ip address tunnel source GigabitEthernet0/1 tunnel mode ipsec ipv4 tunnel destination 1.1.1.1 tunnel protection ipsec profile R2_VTI
!
ip route 172.0.1.0 255.255.255.0 Tunnel3
Logs Fortigate
ike 0:HUB: cached as dynamic 'hub' ike 0: cache rebuild done ike 0: IKEv1 Aggressive, comes 201.91.58.58:500->172.0.1.100 3, peer-id=hub ike 0:f58d54ee1e06c362/0000000000000000:2638: negotiation result ike 0:f58d54ee1e06c362/0000000000000000:2638: proposal id = 1: ike 0:f58d54ee1e06c362/0000000000000000:2638: protocol id = ISAKMP: ike 0:f58d54ee1e06c362/0000000000000000:2638: trans_id = KEY_IKE. ike 0:f58d54ee1e06c362/0000000000000000:2638: encapsulation = IKE/none ike 0:f58d54ee1e06c362/0000000000000000:2638: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC. ike 0:f58d54ee1e06c362/0000000000000000:2638: type=OAKLEY_HASH_ALG, val=SHA. ike 0:f58d54ee1e06c362/0000000000000000:2638: type=AUTH_METHOD, val=PRESHARED_KEY. ike 0:f58d54ee1e06c362/0000000000000000:2638: type=OAKLEY_GROUP, val=1024. ike 0:f58d54ee1e06c362/0000000000000000:2638: ISAKMP SA lifetime=28800 ike 0:f58d54ee1e06c362/0000000000000000:2638: SA proposal chosen, matched gateway HUB ike 0:HUB:2638: DPD negotiated ike 0:HUB:2638: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-07 ike 0:HUB:2638: selected NAT-T version: RFC 3947 ike 0:HUB:2638: cookie f58d54ee1e06c362/6b13e0e54ab27d49 ike 0:HUB:2638: ISAKMP SA f58d54ee1e06c362/6b13e0e54ab27d49 key 32:19C76885A298F7401E37786E14A170A990858529EA282D4475EC73BD20BD33F9 ike 0:HUB:2638: out F58D54EE1E06C3626B13E0E54AB27D4901100400000000000000017C0400003800000001000000010000002C01010001000000240101000080010007800E0100800200028004000280030001800B0001800C70800A000084F59DEEE670E28E33D3856A38200FDE2D420D3E54A4C25B44C00F6DD0A4AAA92F6038E695AD0EDDF5AE5B6B2A9283E5DCC71A37822294F3EC03203823828ED1D61DF7437BD0C7B0BCBD021F02C08BAE7C7E2360BCE12884DD0BFE386C640BBB7FCC9BA70B250731351666D4F86899ADDE7797D6BDECBD5E1C87B2ED26F23486350500001486D2663441318AC0C06EB8293D1D7ED80800000C01000000AC0001640D0000182FC4A07CD2333A8D5B262E0019F88AB7F1D65327140000144A131C81070358455C5728F20E95452F14000018026FC51CE253396CFE87805DBAA02E91CC9D3DA50D0000183DD330997CEE0C51BF538B83E5A44D4509EDAEE10D000014AFCAD71368A1F1C96B8696FC77570100000000148299031757A36082C6A621DE00051F86 ike 0:HUB:2638: sent IKE msg (agg_r1send): 172.0.1.100:500->201.91.58.58:500, len=380, id=f58d54ee1e06c362/6b13e0e54ab27d49 ike 0:HUB:2638: out F58D54EE1E06C3626B13E0E54AB27D4901100400000000000000017C0400003800000001000000010000002C01010001000000240101000080010007800E0100800200028004000280030001800B0001800C70800A000084F59DEEE670E28E33D3856A38200FDE2D420D3E54A4C25B44C00F6DD0A4AAA92F6038E695AD0EDDF5AE5B6B2A9283E5DCC71A37822294F3EC03203823828ED1D61DF7437BD0C7B0BCBD021F02C08BAE7C7E2360BCE12884DD0BFE386C640BBB7FCC9BA70B250731351666D4F86899ADDE7797D6BDECBD5E1C87B2ED26F23486350500001486D2663441318AC0C06EB8293D1D7ED80800000C01000000AC0001640D0000182FC4A07CD2333A8D5B262E0019F88AB7F1D65327140000144A131C81070358455C5728F20E95452F14000018026FC51CE253396CFE87805DBAA02E91CC9D3DA50D0000183DD330997CEE0C51BF538B83E5A44D4509EDAEE10D000014AFCAD71368A1F1C96B8696FC77570100000000148299031757A36082C6A621DE00051F86 ike 0:HUB:2638: sent IKE msg (P1_RETRANSMIT): 172.0.1.100:500->201.91.58.58:500, len=380, id=f58d54ee1e06c362/6b13e0e54ab27d49 ike 0: comes 201.91.58.58:4500->172.0.1.100:4500,ifindex=3.... ike 0: IKEv1 exchange=Aggressive id=f58d54ee1e06c362/6b13e0e54ab27d49 len=140 ike 0: in F58D54EE1E06C3626B13E0E54AB27D4908100401000000000000008C637FE1155BA6DFDCC582F771715C7D9588AF4B6D0CE1DE97523351576A418A46E0ED65AC5E426DAFC1F9FDD84069A51BAF4DC3B70AF5A03A4DEEA11BCF872AEBF4C9B6ADB642C0AAB9C0EDE181467C496828DBD4F040E6F2D6F89E0A18136F08CACC89082F59A9CCBAE70F483E1D03E1 ike 0:HUB:2638: responder: aggressive mode get 2nd response... ike 0:HUB:2638: dec F58D54EE1E06C3626B13E0E54AB27D4908100401000000000000008C140000182C26EB5991002A24F17EF55CB9F5197796BC8F2B14000018F1977B1078CC25FD607CFA88C2181AD6CD3654780B000018026FC51CE253396CFE87805DBAA02E91CC9D3DA50000001C0000000101106002F58D54EE1E06C3626B13E0E54AB27D49000000000000000000000000 ike 0:HUB:2638: received NAT-D payload type 20 ike 0:HUB:2638: received NAT-D payload type 20 ike 0:HUB:2638: received notify type 24578 ike 0:HUB:2638: PSK authentication succeeded ike 0:HUB:2638: authentication OK ike 0:HUB:2638: NAT detected: ME ike 0: comes 201.91.58.58:4500->172.0.1.100:4500,ifindex=3.... ike 0: IKEv1 exchange=Quick id=f58d54ee1e06c362/6b13e0e54ab27d49:36da9bbe len=316 ike 0: in F58D54EE1E06C3626B13E0E54AB27D490810200136DA9BBE0000013C97177F295E9C9E7527C1B5273DECE0F8DDCF27E411215280BDC09975F2153CB4FBBB193B61C08AE38C3750E02212CF251BB15E7EEFBBBD4BD97D095EDCAC217722453FF8A5BF73EF7DB1A112B108316FC3AEF67A9BEA66759ACE99529D38BE3427E1679F23FEB912096E428F311099699344328333E1139C47D4CEF8C086C35AAB1A22D0E3EB27CA872B80A2A77F11619456E07E9CA8370B6D8555B08508C96CFE55B7C1D91CA1EA542D58DBF8350DBDE1144FB8A89383C0372F1E36195090CEB00B65E3C3F2AAEF2B8B4357B5ED9DF51A8B6C52AFCB4C225B5D85ABFCA3F048B35A514711ACDE79F49A4DF8792AB6B6777175A6642922590AB60A2CFA705DA563D446E955BB0B596677880E6AF87237360AF07C1104638522A62031702198ED ike 0:HUB:2638: can not start the quick mode 00000000, waiting to establish ISAKMP SA f58d54ee1e06c362/6b13e0e54ab27d49 ike 0:HUB:2638: remote port change 500 -> 4500 ike 0:HUB:2638: established IKE SA f58d54ee1e06c362/6b13e0e54ab27d49 ike 0:HUB: adding new dynamic tunnel for 201.91.58.58:4500 ike 0:HUB_0: added new dynamic tunnel for 201.91.58.58:4500 ike 0:HUB_0:2638: processing INITIAL-CONTACT ike 0:HUB_0: flushing ike 0:HUB_0: flushed ike 0:HUB_0:2638: processed INITIAL-CONTACT ike 0:HUB_0:2638: no pending Quick-Mode negotiations ike 0:HUB_0: link is idle 3 172.0.1.100->201.91.58.58:4500 dpd=1 seqno=1 ike 0:HUB_0:2638: send IKEv1 DPD probe, seqno 1 ike 0:HUB_0:2638: enc F58D54EE1E06C3626B13E0E54AB27D49081005015E5A6479000000540B0000188287A6048F4AF1657D56B33040E778BF7FBEF234000000200000000101108D28F58D54EE1E06C3626B13E0E54AB27D4900000001 ike 0:HUB_0:2638: out F58D54EE1E06C3626B13E0E54AB27D49081005015E5A64790000005C607AFA57FFD6F456BAB5BB621DD11556CA5249327606B989396148BB3E8BD25CA7713C0F2E7F0B136FABD5285D56C3BD925A2D71F49F4589F43B703D15581101 ike 0:HUB_0:2638: sent IKE msg (R-U-THERE): 172.0.1.100:4500->201.91.58.58:4500, len=92, id=f58d54ee1e06c362/6b13e0e54ab27d49:5e5a6479 ike 0: comes 201.91.58.58:4500->172.0.1.100:4500,ifindex=3.... ike 0: IKEv1 exchange=Informational id=f58d54ee1e06c362/6b13e0e54ab27d49:0ea3fd83 len=92 ike 0: in F58D54EE1E06C3626B13E0E54AB27D49081005010EA3FD830000005C26CE06723802F1D9FFFC24CF50230BEEB6EF01BC5FA0798437A0B8AD3C840039424E99BF9A15B36E9BFE71AF11DE05D0B8EE623578F65BF5E1156316351809EB ike 0:HUB_0:2638: dec F58D54EE1E06C3626B13E0E54AB27D49081005010EA3FD830000005C0B00001887EA8771C873A6C9870C973B9D778E6B0A6D46A4000000200000000101108D29F58D54EE1E06C3626B13E0E54AB27D49000000010000000000000000 ike 0:HUB_0:2638: notify msg received: R-U-THERE-ACK ike 0: comes 201.91.58.58:4500->172.0.1.100:4500,ifindex=3.... ike 0: IKEv1 exchange=Quick id=f58d54ee1e06c362/6b13e0e54ab27d49:36da9bbe len=316 ike 0: in F58D54EE1E06C3626B13E0E54AB27D490810200136DA9BBE0000013C97177F295E9C9E7527C1B5273DECE0F8DDCF27E411215280BDC09975F2153CB4FBBB193B61C08AE38C3750E02212CF251BB15E7EEFBBBD4BD97D095EDCAC217722453FF8A5BF73EF7DB1A112B108316FC3AEF67A9BEA66759ACE99529D38BE3427E1679F23FEB912096E428F311099699344328333E1139C47D4CEF8C086C35AAB1A22D0E3EB27CA872B80A2A77F11619456E07E9CA8370B6D8555B08508C96CFE55B7C1D91CA1EA542D58DBF8350DBDE1144FB8A89383C0372F1E36195090CEB00B65E3C3F2AAEF2B8B4357B5ED9DF51A8B6C52AFCB4C225B5D85ABFCA3F048B35A514711ACDE79F49A4DF8792AB6B6777175A6642922590AB60A2CFA705DA563D446E955BB0B596677880E6AF87237360AF07C1104638522A62031702198ED ike 0:HUB_0:2638:2704: responder received first quick-mode message ike 0:HUB_0:2638: dec F58D54EE1E06C3626B13E0E54AB27D490810200136DA9BBE0000013C010000182C9DC576C496F47C219F5BBC359FC43B24BEFE250A000040000000010000000100000034010304015BBDE2740000002801030000800400038001000180020708800100020002000400465000800500028003000204000018651F2C23552FBCC9C9607C5B6BBB5178679DF42C050000845B44B28DACB93787F0A0B711E915932931991E8DD638B0D43875D87874FB1C54E0BBEE47B01E259B07224EFC36F1EEA1FD1E7FBB45836E4518E9122D1E84BC38E7AFEB077F06D1B1B3B6F2BE0FEF7DFFC13545DB63E584C31715F17980B7B40823CD92150D7115DE8BFDFC4CBC14194CBF1AF4122A8147ED2A5238808EEA0E6B0500001004000000000000000000000000000010040000000000000000000000000000000000000000000000 ike 0:HUB_0:2638:2704: peer proposal is: peer:0:0.0.0.0-255.255.255.255:0, me:0:0.0.0.0-255.255.255.255:0 ike 0:HUB_0:2638:VPN:2704: trying ike 0:HUB_0:2638:2704: wildcard is not an acceptable destination subnet ike 0:HUB_0:2638:2704: no matching phase2 found ike 0:HUB_0:2638:2704: failed to get responder proposal ike 0:HUB_0:2638: error processing quick-mode message from 201.91.58.58 as responder ike 0:HUB_0: link is idle 3 172.0.1.100->201.91.58.58:4500 dpd=1 seqno=2 ike 0:HUB_0:2638: send IKEv1 DPD probe, seqno 2 ike 0:HUB_0:2638: enc F58D54EE1E06C3626B13E0E54AB27D49081005014CB3D819000000540B00
Can you help me please? Thanks
Anan Brito
Anan Brito
Labels:
- Labels:
-
5.0
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As the log says: "wildcard is not an acceptable destination subnet"
You cannot NOT configure the Quick Mode selectors in the FGT's phase2. Put in the correct network address for the protected and incoming (private) networks.
Wildcard QM selectors ("0.0.0.0/0") are a FortiOS speciality which only work FGT-to-FGT. Cisco equipment rightfully refuses this.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
On a side note, but might be useful for someone. QM Selctors 0.0.0.0/0 also works fine FGT-to-Juniper SSG's
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Doesn't Juniper have a common ancestry with FTNT (Ken Xie, NetScreen)?
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, they certainly do! 
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yeap, a FGT is a advanced Netscreen ;)
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Ken: that hurts!!
I just wasn't sure if the SSG line of firewalls stems from Netscreen or from Juniper.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,686 -
FortiClient
1,758 -
5.2
801 -
FortiManager
727 -
5.4
639 -
FortiAnalyzer
556 -
FortiSwitch
475 -
FortiAP
471 -
FortiClient EMS
430 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
244 -
FortiAuthenticator v5.5
234 -
IPsec
208 -
FortiWeb
205 -
5.0
196 -
FortiNAC
189 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiGateCloud
102 -
FortiAuthenticator
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiToken
91 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
51 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
Certificate
34 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiGate-VM
12 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
API
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1710 | |
| 1093 | |
| 752 | |
| 447 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.