Alan_Brito
New Contributor

VPN Aggressive mode - error processing quick-mode message

Hi, we are currently trying to establish a site-to-site VPN with a branch. The branch is using a Cisco 2911 router. He sent us the configuration parameters, which we configured, but the VPN tunnel is still not coming up. I think phase 1 is OK; the problem is with phase 2.

 

[Cisco Router] {Dynamic IP} ---------> (Internet) ---------> {Static IP} [Fortigate Amazon]
Fortigate: HUB
Cisco Router: SPOKE

 

Fortigate Config

config vpn ipsec phase1-interface
    edit "HUB"
        set type dynamic
        set interface "port1"
        set dhgrp 2
        set mode aggressive
        set peertype one
        set proposal aes256-sha1
        set peerid "hub"
        set psksecret ***
    next
end
config vpn ipsec phase2-interface
    edit "VPN"
        set keepalive enable
        set phase1name "HUB"
        set proposal 3des-sha1
        set dhgrp 2
        set keylifeseconds 3600
    next
end
config router static
    edit 1
        set device "HUB"
        set dst 10.21.50.0 255.255.255.0
    next
end
config firewall policy
    edit 1
        set srcintf "HUB"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set srcintf "port1"
        set dstintf "HUB"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

Router 2911 config

crypto keyring KEYR1
  pre-shared-key address 1.1.1.1 key ***
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp keepalive 10 5
crypto isakmp profile R2_ISAKMP_PROF
   keyring KEYR1
   self-identity user-fqdn hub
   match identity address 1.1.1.1 255.255.255.255
   initiate mode aggressive
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile R2_VTI
 set transform-set ESP-3DES-SHA
 set pfs group2
 set isakmp-profile R2_ISAKMP_PROF
interface Tunnel3
 no ip address
 tunnel source GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.1
 tunnel protection ipsec profile R2_VTI
!
ip route 172.0.1.0 255.255.255.0 Tunnel3

 

 

Logs Fortigate

ike 0:HUB: cached as dynamic 'hub'
ike 0: cache rebuild done
ike 0: IKEv1 Aggressive, comes 201.91.58.58:500->172.0.1.100 3, peer-id=hub
ike 0:f58d54ee1e06c362/0000000000000000:2638: negotiation result
ike 0:f58d54ee1e06c362/0000000000000000:2638: proposal id = 1:
ike 0:f58d54ee1e06c362/0000000000000000:2638:   protocol id = ISAKMP:
ike 0:f58d54ee1e06c362/0000000000000000:2638:      trans_id = KEY_IKE.
ike 0:f58d54ee1e06c362/0000000000000000:2638:      encapsulation = IKE/none
ike 0:f58d54ee1e06c362/0000000000000000:2638:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:f58d54ee1e06c362/0000000000000000:2638:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:f58d54ee1e06c362/0000000000000000:2638:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:f58d54ee1e06c362/0000000000000000:2638:         type=OAKLEY_GROUP, val=1024.
ike 0:f58d54ee1e06c362/0000000000000000:2638: ISAKMP SA lifetime=28800
ike 0:f58d54ee1e06c362/0000000000000000:2638: SA proposal chosen, matched gateway HUB
ike 0:HUB:2638: DPD negotiated
ike 0:HUB:2638: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-07
ike 0:HUB:2638: selected NAT-T version: RFC 3947
ike 0:HUB:2638: cookie f58d54ee1e06c362/6b13e0e54ab27d49
ike 0:HUB:2638: ISAKMP SA f58d54ee1e06c362/6b13e0e54ab27d49 key 32:19C76885A298F7401E37786E14A170A990858529EA282D4475EC73BD20BD33F9
ike 0:HUB:2638: out
ike 0:HUB:2638: sent IKE msg (agg_r1send): 172.0.1.100:500->201.91.58.58:500, len=380, id=f58d54ee1e06c362/6b13e0e54ab27d49
ike 0:HUB:2638: out
ike 0:HUB:2638: sent IKE msg (P1_RETRANSMIT): 172.0.1.100:500->201.91.58.58:500, len=380, id=f58d54ee1e06c362/6b13e0e54ab27d49
ike 0: comes 201.91.58.58:4500->172.0.1.100:4500,ifindex=3....
ike 0: IKEv1 exchange=Aggressive id=f58d54ee1e06c362/6b13e0e54ab27d49 len=140
ike 0: in F58D54EE1E06C3626B13E0E54AB27D4908100401000000000000008C637FE1155BA6DFDCC582F771715C7D9588AF4B6D0CE1DE97523351576A418A46E0ED65AC5E426DAFC1F9FDD84069A51BAF4DC3B70AF5A03A4DEEA11BCF872AEBF4C9B6ADB642C0AAB9C0EDE181467C496828DBD4F040E6F2D6F89E0A18136F08CACC89082F59A9CCBAE70F483E1D03E1
ike 0:HUB:2638: responder: aggressive mode get 2nd response...
ike 0:HUB:2638: dec F58D54EE1E06C3626B13E0E54AB27D4908100401000000000000008C140000182C26EB5991002A24F17EF55CB9F5197796BC8F2B14000018F1977B1078CC25FD607CFA88C2181AD6CD3654780B000018026FC51CE253396CFE87805DBAA02E91CC9D3DA50000001C0000000101106002F58D54EE1E06C3626B13E0E54AB27D49000000000000000000000000
ike 0:HUB:2638: received NAT-D payload type 20
ike 0:HUB:2638: received NAT-D payload type 20
ike 0:HUB:2638: received notify type 24578
ike 0:HUB:2638: PSK authentication succeeded
ike 0:HUB:2638: authentication OK
ike 0:HUB:2638: NAT detected: ME
ike 0: comes 201.91.58.58:4500->172.0.1.100:4500,ifindex=3....
ike 0: IKEv1 exchange=Quick id=f58d54ee1e06c362/6b13e0e54ab27d49:36da9bbe len=316
ike 0: in
ike 0:HUB:2638: can not start the quick mode 00000000, waiting to establish ISAKMP SA f58d54ee1e06c362/6b13e0e54ab27d49
ike 0:HUB:2638: remote port change 500 -> 4500
ike 0:HUB:2638: established IKE SA f58d54ee1e06c362/6b13e0e54ab27d49
ike 0:HUB: adding new dynamic tunnel for 201.91.58.58:4500
ike 0:HUB_0: added new dynamic tunnel for 201.91.58.58:4500
ike 0:HUB_0:2638: processing INITIAL-CONTACT
ike 0:HUB_0: flushing
ike 0:HUB_0: flushed
ike 0:HUB_0:2638: processed INITIAL-CONTACT
ike 0:HUB_0:2638: no pending Quick-Mode negotiations
ike 0:HUB_0: link is idle 3 172.0.1.100->201.91.58.58:4500 dpd=1 seqno=1
ike 0:HUB_0:2638: send IKEv1 DPD probe, seqno 1
ike 0:HUB_0:2638: enc F58D54EE1E06C3626B13E0E54AB27D49081005015E5A6479000000540B0000188287A6048F4AF1657D56B33040E778BF7FBEF234000000200000000101108D28F58D54EE1E06C3626B13E0E54AB27D4900000001
ike 0:HUB_0:2638: out F58D54EE1E06C3626B13E0E54AB27D49081005015E5A64790000005C607AFA57FFD6F456BAB5BB621DD11556CA5249327606B989396148BB3E8BD25CA7713C0F2E7F0B136FABD5285D56C3BD925A2D71F49F4589F43B703D15581101
ike 0:HUB_0:2638: sent IKE msg (R-U-THERE): 172.0.1.100:4500->201.91.58.58:4500, len=92, id=f58d54ee1e06c362/6b13e0e54ab27d49:5e5a6479
ike 0: comes 201.91.58.58:4500->172.0.1.100:4500,ifindex=3....
ike 0: IKEv1 exchange=Informational id=f58d54ee1e06c362/6b13e0e54ab27d49:0ea3fd83 len=92
ike 0: in F58D54EE1E06C3626B13E0E54AB27D49081005010EA3FD830000005C26CE06723802F1D9FFFC24CF50230BEEB6EF01BC5FA0798437A0B8AD3C840039424E99BF9A15B36E9BFE71AF11DE05D0B8EE623578F65BF5E1156316351809EB
ike 0:HUB_0:2638: dec F58D54EE1E06C3626B13E0E54AB27D49081005010EA3FD830000005C0B00001887EA8771C873A6C9870C973B9D778E6B0A6D46A4000000200000000101108D29F58D54EE1E06C3626B13E0E54AB27D49000000010000000000000000
ike 0:HUB_0:2638: notify msg received: R-U-THERE-ACK
ike 0: comes 201.91.58.58:4500->172.0.1.100:4500,ifindex=3....
ike 0: IKEv1 exchange=Quick id=f58d54ee1e06c362/6b13e0e54ab27d49:36da9bbe len=316
ike 0: in F58D54EE1E06C3626B13E0E54AB27D490810200136DA9BBE0000013C97177F295E9C9E7527C1B5273DECE0F8DDCF27E411215280BDC09975F2153CB4FBBB193B61C08AE38C3750E02212CF251BB15E7EEFBBBD4BD97D095EDCAC217722453FF8A5BF73EF7DB1A112B108316FC3AEF67A9BEA66759ACE99529D38BE3427E1679F23FEB912096E428F311099699344328333E1139C47D4CEF8C086C35AAB1A22D0E3EB27CA872B80A2A77F11619456E07E9CA8370B6D8555B08508C96CFE55B7C1D91CA1EA542D58DBF8350DBDE1144FB8A89383C0372F1E36195090CEB00B65E3C3F2AAEF2B8B4357B5ED9DF51A8B6C52AFCB4C225B5D85ABFCA3F048B35A514711ACDE79F49A4DF8792AB6B6777175A6642922590AB60A2CFA705DA563D446E955BB0B596677880E6AF87237360AF07C1104638522A62031702198ED
ike 0:HUB_0:2638:2704: responder received first quick-mode message
ike 0:HUB_0:2638: dec
ike 0:HUB_0:2638:2704: peer proposal is: peer:0:0.0.0.0-255.255.255.255:0, me:0:0.0.0.0-255.255.255.255:0
ike 0:HUB_0:2638:VPN:2704: trying
ike 0:HUB_0:2638:2704: wildcard is not an acceptable destination subnet
ike 0:HUB_0:2638:2704: no matching phase2 found
ike 0:HUB_0:2638:2704: failed to get responder proposal
ike 0:HUB_0:2638: error processing quick-mode message from 201.91.58.58 as responder
ike 0:HUB_0: link is idle 3 172.0.1.100->201.91.58.58:4500 dpd=1 seqno=2
ike 0:HUB_0:2638: send IKEv1 DPD probe, seqno 2
ike 0:HUB_0:2638: enc F58D54EE1E06C3626B13E0E54AB27D49081005014CB3D819000000540B00


Can you help me please? Thanks

Anan Brito
ede_pfau
SuperUser

As the log says: "wildcard is not an acceptable destination subnet"

You cannot NOT configure the Quick Mode selectors in the FGT's phase2. Put in the correct network address for the protected and incoming (private) networks.

 

Wildcard QM selectors ("0.0.0.0/0") are a FortiOS speciality which only work FGT-to-FGT. Cisco equipment rightfully refuses this.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
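Added example (not from the thread, and not FortiOS or Cisco code): a Python script that parses the "peer proposal is" line from a FortiGate ike debug capture like the one in the question and checks it against the selectors configured under phase2-interface (the FortiOS keys src-subnet and dst-subnet), reproducing the two verdicts the log prints. It assumes that "me" in that line is the subnet behind the FortiGate (src-subnet) and "peer" the subnet behind the remote gateway (dst-subnet), and that a phase 1 with `set type dynamic` (the `dialup` flag here) refuses a 0.0.0.0/0 remote selector, which is how the log above reads. The sample log lines, the SAMPLE_LOG_SPECIFIC line, the networks 172.0.1.0/24 and 10.21.50.0/24 (taken from the static routes in the question) and all function names are constructed for this example.

```python
"""Check the phase 2 selectors a peer proposes, as seen in a FortiGate
`diagnose debug application ike -1` capture, against the selectors configured
under `config vpn ipsec phase2-interface`. Added example, not FortiOS code."""
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample: the quick-mode lines of the thread's log, same values.
SAMPLE_LOG = """\
ike 0:HUB_0:2638:2704: responder received first quick-mode message
ike 0:HUB_0:2638:2704: peer proposal is: peer:0:0.0.0.0-255.255.255.255:0, me:0:0.0.0.0-255.255.255.255:0
ike 0:HUB_0:2638:VPN:2704: trying
ike 0:HUB_0:2638:2704: wildcard is not an acceptable destination subnet
ike 0:HUB_0:2638:2704: no matching phase2 found
ike 0:HUB_0:2638: error processing quick-mode message from 201.91.58.58 as responder
"""

# Constructed (hypothetical) sample of the same line if the peer proposed the
# real networks from the question; the thread shows no such capture.
SAMPLE_LOG_SPECIFIC = (
    "ike 0:HUB_0:2638:2704: peer proposal is: "
    "peer:0:10.21.50.0-10.21.50.255:0, me:0:172.0.1.0-172.0.1.255:0\n"
)

# phase2-interface entries as {name: (src-subnet, dst-subnet)} in FortiOS
# "address mask" syntax. The question's config leaves both at the default
# 0.0.0.0/0; EXPLICIT_PHASE2 is the explicit form using the networks from the
# question's static routes (172.0.1.0/24 behind the FortiGate, 10.21.50.0/24
# behind the Cisco).
DEFAULT_PHASE2 = {"VPN": ("0.0.0.0 0.0.0.0", "0.0.0.0 0.0.0.0")}
EXPLICIT_PHASE2 = {"VPN": ("172.0.1.0 255.255.255.0", "10.21.50.0 255.255.255.0")}

PROPOSAL_RE = re.compile(
    r"peer proposal is: "
    r"peer:(?P<pproto>\d+):(?P<plo>[\d.]+)-(?P<phi>[\d.]+):(?P<pport>\d+), "
    r"me:(?P<mproto>\d+):(?P<mlo>[\d.]+)-(?P<mhi>[\d.]+):(?P<mport>\d+)"
)


def fortios_subnet(text: str) -> ipaddress.IPv4Network:
    """Turn FortiOS 'address mask' into an IPv4Network (ipaddress accepts dotted masks)."""
    address, mask = text.split()
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


def range_to_network(lo: str, hi: str) -> ipaddress.IPv4Network:
    """Collapse a selector range such as 10.21.50.0-10.21.50.255 into one CIDR block."""
    nets = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
    if len(nets) != 1:
        raise ValueError(f"{lo}-{hi} is not a single CIDR block")
    return nets[0]


def parse_peer_proposal(log_text: str):
    """Return (remote_net, local_net): 'peer' is the subnet behind the remote
    gateway, 'me' the subnet behind the FortiGate (assumed reading of the log)."""
    m = PROPOSAL_RE.search(log_text)
    if m is None:
        return None
    return range_to_network(m["plo"], m["phi"]), range_to_network(m["mlo"], m["mhi"])


def check_phase2(log_text: str, phase2_entries: dict, dialup: bool) -> dict:
    """Mirror the responder's decision: reject a wildcard remote selector on a
    dial-up phase 1, otherwise accept the first phase 2 whose src/dst subnets
    contain the proposed local/remote selectors."""
    proposal = parse_peer_proposal(log_text)
    if proposal is None:
        return {"status": "no-proposal", "reason": "no 'peer proposal is' line found"}
    remote, local = proposal
    verdict = {"peer": str(remote), "me": str(local)}
    if dialup and remote == ANY:
        verdict.update(status="rejected",
                       reason="wildcard is not an acceptable destination subnet")
        return verdict
    for name, (src, dst) in phase2_entries.items():
        if local.subnet_of(fortios_subnet(src)) and remote.subnet_of(fortios_subnet(dst)):
            verdict.update(status="matched", phase2=name)
            return verdict
    verdict.update(status="rejected", reason="no matching phase2 found")
    return verdict


if __name__ == "__main__":
    print(check_phase2(SAMPLE_LOG, DEFAULT_PHASE2, dialup=True))
    print(check_phase2(SAMPLE_LOG_SPECIFIC, DEFAULT_PHASE2, dialup=True))
    print(check_phase2(SAMPLE_LOG_SPECIFIC, EXPLICIT_PHASE2, dialup=True))
```

Run as-is it reports the question's capture as rejected for the wildcard reason, and the hypothetical specific proposal as matched against both the default and the explicit phase 2; with a phase 2 whose dst-subnet does not contain the proposed remote network it reports "no matching phase2 found", the other message in the log. To feed it a real capture, pass the text of the quick-mode lines and a dict built from the phase2-interface src-subnet/dst-subnet values.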
ponder
New Contributor III

On a side note, but it might be useful for someone: QM Selectors 0.0.0.0/0 also work fine FGT-to-Juniper SSGs.

ede_pfau

Doesn't Juniper have a common ancestry with FTNT (Ken Xie, NetScreen)?


Ede

"Kernel panic: Aiee, killing interrupt handler!"
ponder
New Contributor III

Yes, they certainly do! 

emnoc
Esteemed Contributor III

yeap, a FGT is an advanced Netscreen ;)

PCNSE 

NSE 

StrongSwan  

ede_pfau

@Ken: that hurts!!

 

I just wasn't sure if the SSG line of firewalls stems from Netscreen or from Juniper.


Ede

"Kernel panic: Aiee, killing interrupt handler!"