arkavia
New Contributor

VPN IPsec issue

Friends, we need your help with a problem related to the establishment of an IPsec VPN between FortiGate and Checkpoint. When negotiating a tunnel, the following message is received in the debug:

 

018191425A021831EB8186F2EEE58DC2376AFE1C125
ike 0:vpnipsec:19335627: initiator: main mode get 2nd response...
ike 0:vpnipsec:19335627: nat unavailable
ike 0:vpnipsec:19335627: ISAKMP SA c77ee8b1d25f30ab/6672b5f075dca371 key 24:F4F17D09F8238BC137B36B9B4B52115151A6D7AB74EA2BD1
ike 0:vpnipsec:19335627: add INITIAL-CONTACT
ike 0:vpnipsec:19335627: enc C77EE8B1D25F30AB6672B5F075DCA37105100201000000000000005C0800000C01000000C81B94DA0B00001881BBA39E1DC0F00D142BA0350D25EDF3AE2EA4540000001C0000000101106002C77EE8B1D25F30AB6672B5F075DCA371
ike 0:vpnipsec:19335627: out C77EE8B1D25F30AB6672B5F075DCA3710510020100000000000000649A08CE8EBA45FB80075327CA8F9AA2242B3A0E93853DD33295759E4EC9A7D4F0D316AF3CE56F150CA0DF7B96C9E5DC846D0563996F72D221125AAE1F959D7DF53919F561BC67F8CD
ike 0:vpnipsec:19335627: sent IKE msg (ident_i3send): 1.1.1.1:500->2.2.2.2:500, len=100, id=c77ee8b1d25f30ab/6672b5f075dca371
ike 0: comes 2.2.2.2:500->1.1.1.1:500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=c77ee8b1d25f30ab/6672b5f075dca371:a3049622 len=40
ike 0: in C77EE8B1D25F30AB6672B5F075DCA3710B100500A3049622000000280000000C0000000001000018
ike 0:vpnipsec:19335627: ignoring unencrypted AUTHENTICATION-FAILED message from 2.2.2.2:500.
ike 0:vpnipsec:19335627: out C77EE8B1D25F30AB6672B5F075DCA3710510020100000000000000649A08CE8EBA45FB80075327CA8F9AA2242B3A0E93853DD33295759E4EC9A7D4F0D316AF3CE56F150CA0DF7B96C9E5DC846D0563996F72D221125AAE1F959D7DF53919F561BC67F8CD
ike 0:vpnipsec:19335627: sent IKE msg (P1_RETRANSMIT): 1.1.1.1:500->2.2.2.2:500, len=100, id=c77ee8b1d25f30ab/6672b5f075dca371
ike 0:vpnipsec:vpnipsec: IPsec SA connect 5 1.1.1.1->2.2.2.2:0
ike 0:vpnipsec:vpnipsec: using existing connection
ike 0:vpnipsec:vpnipsec: config found

 

Mainly the message: ike 0:vpnipsec:19335627: ignoring unencrypted AUTHENTICATION-FAILED message from 2.2.2.2:500.

 

sagha
Staff

Hi arkavia, 

 

This seems to be an issue with Phase1 authentication. Are you using a preshared key or some other method?

 

https://datatracker.ietf.org/doc/html/rfc7296

"All errors that occur in an IKE_AUTH exchange, causing the authentication to fail for whatever reason (invalid shared secret, invalid ID, untrusted certificate issuer, revoked or expired certificate, etc.) SHOULD result in an AUTHENTICATION_FAILED notification."

 

Please check all the settings on Checkpoint to make sure they match the FortiGate, and that they have the right policies and routes configured.

 

Thanks, 

Shahan
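
As an added illustration (not part of either post above, and not Fortinet code), the Informational message on the "ike 0: in ..." line of the question's debug output can be decoded against the ISAKMP header and Notification payload layout in RFC 2408. The function name and the lookup tables are this example's own; the hex string is copied from the quoted log.

```python
import struct

# Hex from the "ike 0: in ..." line of the debug output quoted in the question.
INFORMATIONAL_HEX = (
    "C77EE8B1D25F30AB6672B5F075DCA3710B100500A3049622"
    "000000280000000C0000000001000018"
)

# Subset of the ISAKMP values defined in RFC 2408 (sections 3.1 and 3.14.1).
EXCHANGE_TYPES = {2: "Identity Protection", 4: "Aggressive", 5: "Informational"}
NOTIFY_TYPES = {14: "NO-PROPOSAL-CHOSEN", 18: "INVALID-ID-INFORMATION",
                23: "INVALID-HASH-INFORMATION", 24: "AUTHENTICATION-FAILED"}
FLAG_ENCRYPTED, PAYLOAD_NOTIFICATION = 0x01, 11


def parse_isakmp_notify(hex_msg):
    """Decode an IKEv1 ISAKMP header and, if cleartext, its first Notification payload."""
    data = bytes.fromhex(hex_msg)
    if len(data) < 28:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    icookie, rcookie, next_payload, version, exchange, flags, msg_id, length = \
        struct.unpack("!8s8sBBBBII", data[:28])
    if length != len(data):
        raise ValueError(f"header length {length} != captured {len(data)} bytes")
    result = {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange": EXCHANGE_TYPES.get(exchange, f"unknown({exchange})"),
        "encrypted": bool(flags & FLAG_ENCRYPTED),
        "message_id": f"{msg_id:08x}",
        "notify": None,
    }
    # Payloads after the header are only readable when the encryption bit is clear.
    if result["encrypted"] or next_payload != PAYLOAD_NOTIFICATION:
        return result
    if len(data) < 40:
        raise ValueError("truncated Notification payload")
    _next, _reserved, plen, doi, proto, spi_size, ntype = \
        struct.unpack("!BBHIBBH", data[28:40])
    if plen < 12 + spi_size or 28 + plen > len(data):
        raise ValueError("Notification payload length is inconsistent")
    result["notify"] = {
        "doi": doi,
        "protocol_id": proto,
        "type": NOTIFY_TYPES.get(ntype, f"unknown({ntype})"),
    }
    return result
```

For the quoted message this yields an Informational exchange with the encryption flag clear and notify type 24, which matches the "ignoring unencrypted AUTHENTICATION-FAILED" line in the debug output.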