Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Alan_Brito
New Contributor

VPN Agressive mode - error processing quick-mode message

Hi, We are currently trying to establish a site to site VPN with a branch. The branch is using a Cisco router 2911. He sent us the configuration parameters which we configured, but the VPN tunnel is still not coming up. I think the phase 1 is ok, the problem is with phase2.

 

[Cisco Router] {Dynamic IP} ---------> (Internet) --------->{Static IP} [Fortigate Amazon] + Fortigate: HUB + Cisco Router: SPOKE

 

Fortigate Config

config vpn ipsec phase1-interface     edit "HUB"         set type dynamic         set interface "port1"         set dhgrp 2         set mode aggressive         set peertype one         set proposal aes256-sha1         set peerid "hub"         set psksecret ***     next end config vpn ipsec phase2-interface     edit "VPN"         set keepalive enable         set phase1name "HUB"         set proposal 3des-sha1         set dhgrp 2         set keylifeseconds 3600     next end config router static     edit 1         set device "HUB"         set dst 10.21.50.0 255.255.255.0     next end config firewall policy     edit 1         set srcintf "HUB"         set dstintf "port1"         set srcaddr "all"         set dstaddr "all"         set action accept         set schedule "always"         set service "ALL"     next     edit 2         set srcintf "port1"         set dstintf "HUB"         set srcaddr "all"         set dstaddr "all"         set action accept         set schedule "always"         set service "ALL"     next end Router 2911 config

crypto keyring KEYR1   pre-shared-key address 1.1.1.1 key *** ! crypto isakmp policy 10  encr aes 256  authentication pre-share  group 2  lifetime 28800 crypto isakmp keepalive 10 5 crypto isakmp profile R2_ISAKMP_PROF    keyring KEYR1    self-identity user-fqdn hub    match identity address 1.1.1.1 255.255.255.255    initiate mode aggressive ! ! crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac ! crypto ipsec profile R2_VTI  set transform-set ESP-3DES-SHA  set pfs group2  set isakmp-profile R2_ISAKMP_PROF interface Tunnel3  no ip address  tunnel source GigabitEthernet0/1  tunnel mode ipsec ipv4  tunnel destination 1.1.1.1  tunnel protection ipsec profile R2_VTI

!

ip route 172.0.1.0 255.255.255.0 Tunnel3

 

 

Logs Fortigate

ike 0:HUB: cached as dynamic 'hub' ike 0: cache rebuild done ike 0: IKEv1 Aggressive, comes 201.91.58.58:500->172.0.1.100 3, peer-id=hub ike 0:f58d54ee1e06c362/0000000000000000:2638: negotiation result ike 0:f58d54ee1e06c362/0000000000000000:2638: proposal id = 1: ike 0:f58d54ee1e06c362/0000000000000000:2638:   protocol id = ISAKMP: ike 0:f58d54ee1e06c362/0000000000000000:2638:      trans_id = KEY_IKE. ike 0:f58d54ee1e06c362/0000000000000000:2638:      encapsulation = IKE/none ike 0:f58d54ee1e06c362/0000000000000000:2638:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC. ike 0:f58d54ee1e06c362/0000000000000000:2638:         type=OAKLEY_HASH_ALG, val=SHA. ike 0:f58d54ee1e06c362/0000000000000000:2638:         type=AUTH_METHOD, val=PRESHARED_KEY. ike 0:f58d54ee1e06c362/0000000000000000:2638:         type=OAKLEY_GROUP, val=1024. ike 0:f58d54ee1e06c362/0000000000000000:2638: ISAKMP SA lifetime=28800 ike 0:f58d54ee1e06c362/0000000000000000:2638: SA proposal chosen, matched gateway HUB ike 0:HUB:2638: DPD negotiated ike 0:HUB:2638: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-07 ike 0:HUB:2638: selected NAT-T version: RFC 3947 ike 0:HUB:2638: cookie f58d54ee1e06c362/6b13e0e54ab27d49 ike 0:HUB:2638: ISAKMP SA f58d54ee1e06c362/6b13e0e54ab27d49 key 32:19C76885A298F7401E37786E14A170A990858529EA282D4475EC73BD20BD33F9 ike 0:HUB:2638: out F58D54EE1E06C3626B13E0E54AB27D4901100400000000000000017C0400003800000001000000010000002C01010001000000240101000080010007800E0100800200028004000280030001800B0001800C70800A000084F59DEEE670E28E33D3856A38200FDE2D420D3E54A4C25B44C00F6DD0A4AAA92F6038E695AD0EDDF5AE5B6B2A9283E5DCC71A37822294F3EC03203823828ED1D61DF7437BD0C7B0BCBD021F02C08BAE7C7E2360BCE12884DD0BFE386C640BBB7FCC9BA70B250731351666D4F86899ADDE7797D6BDECBD5E1C87B2ED26F23486350500001486D2663441318AC0C06EB8293D1D7ED80800000C01000000AC0001640D0000182FC4A07CD2333A8D5B262E0019F88AB7F1D65327140000144A131C81070358455C5728F20E95452F14000018026FC51CE253396CFE87805DBAA02E91CC9D3DA50D0000183DD330997CEE0C51BF538B83E5A44D4509EDAEE10D000014AFCAD71368A1F1C96B8696FC77570100000000148299031757A36082C6A621DE00051F86 ike 0:HUB:2638: sent IKE msg (agg_r1send): 172.0.1.100:500->201.91.58.58:500, len=380, id=f58d54ee1e06c362/6b13e0e54ab27d49 ike 0:HUB:2638: out F58D54EE1E06C3626B13E0E54AB27D4901100400000000000000017C0400003800000001000000010000002C01010001000000240101000080010007800E0100800200028004000280030001800B0001800C70800A000084F59DEEE670E28E33D3856A38200FDE2D420D3E54A4C25B44C00F6DD0A4AAA92F6038E695AD0EDDF5AE5B6B2A9283E5DCC71A37822294F3EC03203823828ED1D61DF7437BD0C7B0BCBD021F02C08BAE7C7E2360BCE12884DD0BFE386C640BBB7FCC9BA70B250731351666D4F86899ADDE7797D6BDECBD5E1C87B2ED26F23486350500001486D2663441318AC0C06EB8293D1D7ED80800000C01000000AC0001640D0000182FC4A07CD2333A8D5B262E0019F88AB7F1D65327140000144A131C81070358455C5728F20E95452F14000018026FC51CE253396CFE87805DBAA02E91CC9D3DA50D0000183DD330997CEE0C51BF538B83E5A44D4509EDAEE10D000014AFCAD71368A1F1C96B8696FC77570100000000148299031757A36082C6A621DE00051F86 ike 0:HUB:2638: sent IKE msg (P1_RETRANSMIT): 172.0.1.100:500->201.91.58.58:500, len=380, id=f58d54ee1e06c362/6b13e0e54ab27d49 ike 0: comes 201.91.58.58:4500->172.0.1.100:4500,ifindex=3.... ike 0: IKEv1 exchange=Aggressive id=f58d54ee1e06c362/6b13e0e54ab27d49 len=140 ike 0: in F58D54EE1E06C3626B13E0E54AB27D4908100401000000000000008C637FE1155BA6DFDCC582F771715C7D9588AF4B6D0CE1DE97523351576A418A46E0ED65AC5E426DAFC1F9FDD84069A51BAF4DC3B70AF5A03A4DEEA11BCF872AEBF4C9B6ADB642C0AAB9C0EDE181467C496828DBD4F040E6F2D6F89E0A18136F08CACC89082F59A9CCBAE70F483E1D03E1 ike 0:HUB:2638: responder: aggressive mode get 2nd response... ike 0:HUB:2638: dec F58D54EE1E06C3626B13E0E54AB27D4908100401000000000000008C140000182C26EB5991002A24F17EF55CB9F5197796BC8F2B14000018F1977B1078CC25FD607CFA88C2181AD6CD3654780B000018026FC51CE253396CFE87805DBAA02E91CC9D3DA50000001C0000000101106002F58D54EE1E06C3626B13E0E54AB27D49000000000000000000000000 ike 0:HUB:2638: received NAT-D payload type 20 ike 0:HUB:2638: received NAT-D payload type 20 ike 0:HUB:2638: received notify type 24578 ike 0:HUB:2638: PSK authentication succeeded ike 0:HUB:2638: authentication OK ike 0:HUB:2638: NAT detected: ME ike 0: comes 201.91.58.58:4500->172.0.1.100:4500,ifindex=3.... ike 0: IKEv1 exchange=Quick id=f58d54ee1e06c362/6b13e0e54ab27d49:36da9bbe len=316 ike 0: in F58D54EE1E06C3626B13E0E54AB27D490810200136DA9BBE0000013C97177F295E9C9E7527C1B5273DECE0F8DDCF27E411215280BDC09975F2153CB4FBBB193B61C08AE38C3750E02212CF251BB15E7EEFBBBD4BD97D095EDCAC217722453FF8A5BF73EF7DB1A112B108316FC3AEF67A9BEA66759ACE99529D38BE3427E1679F23FEB912096E428F311099699344328333E1139C47D4CEF8C086C35AAB1A22D0E3EB27CA872B80A2A77F11619456E07E9CA8370B6D8555B08508C96CFE55B7C1D91CA1EA542D58DBF8350DBDE1144FB8A89383C0372F1E36195090CEB00B65E3C3F2AAEF2B8B4357B5ED9DF51A8B6C52AFCB4C225B5D85ABFCA3F048B35A514711ACDE79F49A4DF8792AB6B6777175A6642922590AB60A2CFA705DA563D446E955BB0B596677880E6AF87237360AF07C1104638522A62031702198ED ike 0:HUB:2638: can not start the quick mode 00000000, waiting to establish ISAKMP SA f58d54ee1e06c362/6b13e0e54ab27d49 ike 0:HUB:2638: remote port change 500 -> 4500 ike 0:HUB:2638: established IKE SA f58d54ee1e06c362/6b13e0e54ab27d49 ike 0:HUB: adding new dynamic tunnel for 201.91.58.58:4500 ike 0:HUB_0: added new dynamic tunnel for 201.91.58.58:4500 ike 0:HUB_0:2638: processing INITIAL-CONTACT ike 0:HUB_0: flushing ike 0:HUB_0: flushed ike 0:HUB_0:2638: processed INITIAL-CONTACT ike 0:HUB_0:2638: no pending Quick-Mode negotiations ike 0:HUB_0: link is idle 3 172.0.1.100->201.91.58.58:4500 dpd=1 seqno=1 ike 0:HUB_0:2638: send IKEv1 DPD probe, seqno 1 ike 0:HUB_0:2638: enc F58D54EE1E06C3626B13E0E54AB27D49081005015E5A6479000000540B0000188287A6048F4AF1657D56B33040E778BF7FBEF234000000200000000101108D28F58D54EE1E06C3626B13E0E54AB27D4900000001 ike 0:HUB_0:2638: out F58D54EE1E06C3626B13E0E54AB27D49081005015E5A64790000005C607AFA57FFD6F456BAB5BB621DD11556CA5249327606B989396148BB3E8BD25CA7713C0F2E7F0B136FABD5285D56C3BD925A2D71F49F4589F43B703D15581101 ike 0:HUB_0:2638: sent IKE msg (R-U-THERE): 172.0.1.100:4500->201.91.58.58:4500, len=92, id=f58d54ee1e06c362/6b13e0e54ab27d49:5e5a6479 ike 0: comes 201.91.58.58:4500->172.0.1.100:4500,ifindex=3.... ike 0: IKEv1 exchange=Informational id=f58d54ee1e06c362/6b13e0e54ab27d49:0ea3fd83 len=92 ike 0: in F58D54EE1E06C3626B13E0E54AB27D49081005010EA3FD830000005C26CE06723802F1D9FFFC24CF50230BEEB6EF01BC5FA0798437A0B8AD3C840039424E99BF9A15B36E9BFE71AF11DE05D0B8EE623578F65BF5E1156316351809EB ike 0:HUB_0:2638: dec F58D54EE1E06C3626B13E0E54AB27D49081005010EA3FD830000005C0B00001887EA8771C873A6C9870C973B9D778E6B0A6D46A4000000200000000101108D29F58D54EE1E06C3626B13E0E54AB27D49000000010000000000000000 ike 0:HUB_0:2638: notify msg received: R-U-THERE-ACK ike 0: comes 201.91.58.58:4500->172.0.1.100:4500,ifindex=3.... ike 0: IKEv1 exchange=Quick id=f58d54ee1e06c362/6b13e0e54ab27d49:36da9bbe len=316 ike 0: in F58D54EE1E06C3626B13E0E54AB27D490810200136DA9BBE0000013C97177F295E9C9E7527C1B5273DECE0F8DDCF27E411215280BDC09975F2153CB4FBBB193B61C08AE38C3750E02212CF251BB15E7EEFBBBD4BD97D095EDCAC217722453FF8A5BF73EF7DB1A112B108316FC3AEF67A9BEA66759ACE99529D38BE3427E1679F23FEB912096E428F311099699344328333E1139C47D4CEF8C086C35AAB1A22D0E3EB27CA872B80A2A77F11619456E07E9CA8370B6D8555B08508C96CFE55B7C1D91CA1EA542D58DBF8350DBDE1144FB8A89383C0372F1E36195090CEB00B65E3C3F2AAEF2B8B4357B5ED9DF51A8B6C52AFCB4C225B5D85ABFCA3F048B35A514711ACDE79F49A4DF8792AB6B6777175A6642922590AB60A2CFA705DA563D446E955BB0B596677880E6AF87237360AF07C1104638522A62031702198ED ike 0:HUB_0:2638:2704: responder received first quick-mode message ike 0:HUB_0:2638: dec F58D54EE1E06C3626B13E0E54AB27D490810200136DA9BBE0000013C010000182C9DC576C496F47C219F5BBC359FC43B24BEFE250A000040000000010000000100000034010304015BBDE2740000002801030000800400038001000180020708800100020002000400465000800500028003000204000018651F2C23552FBCC9C9607C5B6BBB5178679DF42C050000845B44B28DACB93787F0A0B711E915932931991E8DD638B0D43875D87874FB1C54E0BBEE47B01E259B07224EFC36F1EEA1FD1E7FBB45836E4518E9122D1E84BC38E7AFEB077F06D1B1B3B6F2BE0FEF7DFFC13545DB63E584C31715F17980B7B40823CD92150D7115DE8BFDFC4CBC14194CBF1AF4122A8147ED2A5238808EEA0E6B0500001004000000000000000000000000000010040000000000000000000000000000000000000000000000 ike 0:HUB_0:2638:2704: peer proposal is: peer:0:0.0.0.0-255.255.255.255:0, me:0:0.0.0.0-255.255.255.255:0 ike 0:HUB_0:2638:VPN:2704: trying ike 0:HUB_0:2638:2704: wildcard is not an acceptable destination subnet ike 0:HUB_0:2638:2704: no matching phase2 found ike 0:HUB_0:2638:2704: failed to get responder proposal ike 0:HUB_0:2638: error processing quick-mode message from 201.91.58.58 as responder ike 0:HUB_0: link is idle 3 172.0.1.100->201.91.58.58:4500 dpd=1 seqno=2 ike 0:HUB_0:2638: send IKEv1 DPD probe, seqno 2 ike 0:HUB_0:2638: enc F58D54EE1E06C3626B13E0E54AB27D49081005014CB3D819000000540B00

 

 

Can you help me please? Thanks

Anan Brito
Anan Brito
6 REPLIES 6
ede_pfau
SuperUser
SuperUser

As the log says: "wildcard is not an acceptable destination subnet"

You cannot NOT configure the Quick Mode selectors in the FGT's phase2. Put in the correct network address for the protected and incoming (private) networks.

 

Wildcard QM selectors ("0.0.0.0/0") are a FortiOS speciality which only work FGT-to-FGT. Cisco equipment rightfully refuses this.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
ponder
New Contributor III

On a side note, but might be useful for someone.  QM Selctors 0.0.0.0/0 also works fine FGT-to-Juniper SSG's

ede_pfau

Doesn't Juniper have a common ancestry with FTNT (Ken Xie, NetScreen)?

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
ponder
New Contributor III

Yes, they certainly do! 

emnoc
Esteemed Contributor III

yeap, a FGT is a advanced Netscreen ;)

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
ede_pfau

@Ken: that hurts!!

 

I just wasn't sure if the SSG line of firewalls stems from Netscreen or from Juniper.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors