Hello
Im trying to use my internal DHCP-Server for VPN users. But im only get the Ips from the Client Address Range in the VPN Config. I changed also the internal interface to this config:
DHCP Server Enable Advanced... Mode Server Relay DHCP Server IP Type Regular IPsec But it dosent work. Did i forgot something? Kind Regards
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
As a shot in the dark, I want to say that Mode Config is enabled in the Phase 1 settings, and should be disabled. Just a quick idea...
I'll let others weigh in here.
Regards, Chris McMullan Fortinet Ottawa
Hello
Thanks for your response. I changed it to disable. The Result was, Connection Failed.
Config looks at the moment like this:
config vpn ipsec phase1-interface
edit "Du-CISCO" set type dynamic set interface "wan1" set mode-cfg enable set proposal aes256-md5 aes256-sha1 set comments "VPN: Du-CISCO (Created by VPN wizard)" set dhgrp 2 set wizard-type dialup-cisco set xauthtype auto set authusrgrp "VPN-Users" set ipv4-start-ip 192.168.222.210 set ipv4-end-ip 192.168.222.215 set dns-mode auto set psksecret ENC xxxx next end
Kind Regards
At the moment, meaning that is the way the configuration looked after disabling mode-cfg, or after turning it back on?
If connections fail when mode-cfg is turned off, we're facing a couple theoretical possibilities:
(1) Clients need mode-cfg or fairly advanced configuration to successfully connect, and disabling mode-cfg is impossible
-or-
(2) The failure is happening due to some other setting, even though the DHCP-over-IPSec scope now works
Are there any log entries documenting the reason for the failure? Otherwise, run the IKE diagnostic below:
diag debug reset
diag debug enable
diag debug application ike -1
<attempt to connect after disabling mode-cfg, then...>
diag debug reset
diag debug disable
Regards, Chris McMullan Fortinet Ottawa
Hello Christopher
Here is the debug output:
FGT70D # ike 0: comes 194.230.155.139:57487->84.73.193.80:500,ifindex=5....
ike 0: IKEv1 exchange=Identity Protection id=5520c60f557c4781/0000000000000000 len=596
ike 0: in 5520C60F557C478100000000000000000110020000000000000002540D000124000000010000000100000118010100080300002401010000800B0001800C0E1080010007800E01008003FDE980020002800400020300002402010000800B0001800C0E1080010007800E00808003FDE980020002800400020300002403010000800B0001800C0E1080010007800E01008003FDE980020001800400020300002404010000800B0001800C0E1080010007800E00808003FDE980020001800400020300002005010000800B0001800C0E10800100058003FDE980020002800400020300002006010000800B0001800C0E10800100058003FDE980020001800400020300002007010000800B0001800C0E10800100018003FDE980020002800400020000002008010000800B0001800C0E10800100018003FDE980020001800400020D0000144A131C81070358455C5728F20E95452F0D0000144DF37928E9FC4FD1B3262170D515C6620D0000148F8D83826D246B6FC7A8A6A428C11DE80D000014439B59F8BA676C4C7737AE22EAB8F5820D0000144D1E0E136DEAFA34C4F3EA9F02EC72850D00001480D0BB3DEF54565EE84645D4C85CE3EE0D0000149909B64EED937C6573DE52ACE952FA6B0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00000C09002689DFD6B7120D00001412F5F28C457168A9702D9FE274CC01000D0000184048B7D56EBCE88525E7DE7F00D6C2D38000000000000014AFCAD71368A1F1C96B8696FC77570100
ike 0:5520c60f557c4781/0000000000000000:24: responder: main mode get 1st message...
ike 0:5520c60f557c4781/0000000000000000:24: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:5520c60f557c4781/0000000000000000:24: VID unknown (16): 4DF37928E9FC4FD1B3262170D515C662
ike 0:5520c60f557c4781/0000000000000000:24: VID draft-ietf-ipsec-nat-t-ike-08 8F8D83826D246B6FC7A8A6A428C11DE8
ike 0:5520c60f557c4781/0000000000000000:24: VID draft-ietf-ipsec-nat-t-ike-07 439B59F8BA676C4C7737AE22EAB8F582
ike 0:5520c60f557c4781/0000000000000000:24: VID draft-ietf-ipsec-nat-t-ike-06 4D1E0E136DEAFA34C4F3EA9F02EC7285
ike 0:5520c60f557c4781/0000000000000000:24: VID draft-ietf-ipsec-nat-t-ike-05 80D0BB3DEF54565EE84645D4C85CE3EE
ike 0:5520c60f557c4781/0000000000000000:24: VID draft-ietf-ipsec-nat-t-ike-04 9909B64EED937C6573DE52ACE952FA6B
ike 0:5520c60f557c4781/0000000000000000:24: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:5520c60f557c4781/0000000000000000:24: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
ike 0:5520c60f557c4781/0000000000000000:24: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:5520c60f557c4781/0000000000000000:24: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
ike 0:5520c60f557c4781/0000000000000000:24: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
ike 0:5520c60f557c4781/0000000000000000:24: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000
ike 0:5520c60f557c4781/0000000000000000:24: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:5520c60f557c4781/0000000000000000:24: negotiation result
ike 0:5520c60f557c4781/0000000000000000:24: proposal id = 1:
ike 0:5520c60f557c4781/0000000000000000:24: protocol id = ISAKMP:
ike 0:5520c60f557c4781/0000000000000000:24: trans_id = KEY_IKE.
ike 0:5520c60f557c4781/0000000000000000:24: encapsulation = IKE/none
ike 0:5520c60f557c4781/0000000000000000:24: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:5520c60f557c4781/0000000000000000:24: type=OAKLEY_HASH_ALG, val=MD5.
ike 0:5520c60f557c4781/0000000000000000:24: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:5520c60f557c4781/0000000000000000:24: type=OAKLEY_GROUP, val=MODP1024.
ike 0:5520c60f557c4781/0000000000000000:24: ISAKMP SA lifetime=86400
ike 0:5520c60f557c4781/0000000000000000:24: SA proposal chosen, matched gateway Du-CISCO
ike 0:Du-CISCO:24: DPD negotiated
ike 0:Du-CISCO:24: XAUTHv6 negotiated
ike 0:Du-CISCO:24: peer supports UNITY
ike 0:Du-CISCO:24: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-04
ike 0:Du-CISCO:24: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-05
ike 0:Du-CISCO:24: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-06
ike 0:Du-CISCO:24: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-07
ike 0:Du-CISCO:24: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-08
ike 0:Du-CISCO:24: selected NAT-T version: RFC 3947
ike 0:Du-CISCO:24: cookie 5520c60f557c4781/b7d2f49c5c739bf8
ike 0:Du-CISCO:24: out 5520C60F557C4781B7D2F49C5C739BF80110020000000000000000DC0D00003800000001000000010000002C010100010000002403010000800B0001800C0E1080010007800E01008003FDE980020001800400020D0000144A131C81070358455C5728F20E95452F0D000014AFCAD71368A1F1C96B8696FC775701000D00000C09002689DFD6B7120D00001412F5F28C457168A9702D9FE274CC02040D0000148299031757A36082C6A621DE0005029E0D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:Du-CISCO:24: sent IKE msg (ident_r1send): 84.73.193.80:500->194.230.155.139:57487, len=220, id=5520c60f557c4781/b7d2f49c5c739bf8
ike 0: comes 194.230.155.139:57487->84.73.193.80:500,ifindex=5....
ike 0: IKEv1 exchange=Identity Protection id=5520c60f557c4781/b7d2f49c5c739bf8 len=220
ike 0: in 5520C60F557C4781B7D2F49C5C739BF80410020000000000000000DC0A000084658D6FD8EA39C24919061E3D48D7C475F7A265D88601D8863B596327657B19DFF2BB899E652DECF6653F4FE0D834DF28A4512DDE96478AF45C67E834384B519DAD7DAA4A897B1131AEFCB81CA01755041D6B4E393CD48A648461B2B2CF5262DCF1182E3303AD999372A5A9A76D947CB0228532A6563684CCEAA2D49F30C587FE140000149AC3138B821FB53C79712256E687A17D140000140B01BE6EAB75D85E3377FD1B64A440070000001491ABADE6D6F8DAE8D8FADC3C918A8780
ike 0:Du-CISCO:24: responder:main mode get 2nd message...
ike 0:Du-CISCO:24: NAT detected: PEER
ike 0:Du-CISCO:24: out 5520C60F557C4781B7D2F49C5C739BF80410020000000000000000DC0A000084B077FCA059FD234FB48223624A0985CFE41A097F4894AD1FBEF29EA5C475C7EA04D1443FE62D6A8884D0BD407B72C3B9AA83CD1555F5700E90AB29C1A9A1C0D1DBB4681EEE2D8F0DA4FF29B83E115AC96DCD20640622498A6EE1490C20CB9ED226503F131087F155CCC593163F020AA64EEFB4B4A8042E37FCA3BABE91392696140000144DCC433524CB349308FA01083CA98FE914000014C24A3F558423B9A5DC7C0C6943B36916000000140B01BE6EAB75D85E3377FD1B64A44007
ike 0:Du-CISCO:24: sent IKE msg (ident_r2send): 84.73.193.80:500->194.230.155.139:57487, len=220, id=5520c60f557c4781/b7d2f49c5c739bf8
ike 0:Du-CISCO:24: ISAKMP SA 5520c60f557c4781/b7d2f49c5c739bf8 key 32:59A5024A9AFE60485B4D4DE11040973264758E70F29C0F9A0FCE67A9AB51C799
ike 0: comes 194.230.155.139:45214->84.73.193.80:4500,ifindex=5....
ike 0: IKEv1 exchange=Identity Protection id=5520c60f557c4781/b7d2f49c5c739bf8 len=92
ike 0: in 5520C60F557C4781B7D2F49C5C739BF805100201000000000000005C8458BE56C204B81C222E2634AD0CC0724B70AE8EE159153238575A1779B49F277F8ED0DA864F6F26F3677581AA647DE1ACCF21C245E3BDBF102E63851F9056FC
ike 0:Du-CISCO:24: responder: main mode get 3rd message...
ike 0:Du-CISCO:24: dec 5520C60F557C4781B7D2F49C5C739BF805100201000000000000005C0800000C011101F40A97169E0B00001476DDBB6383ED2C4E0CF9731A365BC90C0000001C00000001011060025520C60F557C4781B7D2F49C5C739BF800000004
ike 0:Du-CISCO:24: received p1 notify type INITIAL-CONTACT
ike 0:Du-CISCO:24: peer identifier IPV4_ADDR 10.151.22.158
ike 0:Du-CISCO:24: PSK authentication succeeded
ike 0:Du-CISCO:24: authentication OK
ike 0:Du-CISCO:24: enc 5520C60F557C4781B7D2F49C5C739BF805100201000000000000003C0800000C010000005449C1500000001404122DA17B6F85EA7A69BF999BA5E4B0
ike 0:Du-CISCO:24: remote port change 57487 -> 45214
ike 0:Du-CISCO:24: out 5520C60F557C4781B7D2F49C5C739BF805100201000000000000004CBDD3530DB8009F5AD5C6CBCAA56E0772A5B3955B054AAB5F62E51F5A1888C34B4E4CFE53FF0D233F49436C45DFA41026
ike 0:Du-CISCO:24: sent IKE msg (ident_r3send): 84.73.193.80:4500->194.230.155.139:45214, len=76, id=5520c60f557c4781/b7d2f49c5c739bf8
ike 0:Du-CISCO: adding new dynamic tunnel for 194.230.155.139:45214
ike 0:Du-CISCO_0: added new dynamic tunnel for 194.230.155.139:45214
ike 0:Du-CISCO_0:24: established IKE SA 5520c60f557c4781/b7d2f49c5c739bf8
ike 0:Du-CISCO_0:24: processing INITIAL-CONTACT
ike 0:Du-CISCO_0: flushing
ike 0:Du-CISCO_0: flushed
ike 0:Du-CISCO_0:24: processed INITIAL-CONTACT
ike 0:Du-CISCO_0:24: initiating XAUTH.
ike 0:Du-CISCO_0:24: sending XAUTH request
ike 0:Du-CISCO_0:24: enc 5520C60F557C4781B7D2F49C5C739BF808100601F8026354000000440E00001403F47AE5A68C52F110784306B7A1209200000014010031C6C088000040890000408A0000
ike 0:Du-CISCO_0:24: out 5520C60F557C4781B7D2F49C5C739BF808100601F80263540000004C93099FD0C837E1BC40330D68B3733E226E18B2F222ED98EE7FC8DA14A448E1FFB20FD0E3385056FDDBB58DB0D95CFADE
ike 0:Du-CISCO_0:24: sent IKE msg (cfg_send): 84.73.193.80:4500->194.230.155.139:45214, len=76, id=5520c60f557c4781/b7d2f49c5c739bf8:f8026354
ike 0:Du-CISCO_0:24: peer has not completed XAUTH exchange
ike 0:Du-CISCO_0:24: out 5520C60F557C4781B7D2F49C5C739BF808100601F80263540000004C93099FD0C837E1BC40330D68B3733E226E18B2F222ED98EE7FC8DA14A448E1FFB20FD0E3385056FDDBB58DB0D95CFADE
ike 0:Du-CISCO_0:24: sent IKE msg (CFG_RETRANS): 84.73.193.80:4500->194.230.155.139:45214, len=76, id=5520c60f557c4781/b7d2f49c5c739bf8:f8026354
ike 0:Du-CISCO_0: link is idle 5 84.73.193.80->194.230.155.139:45214 dpd=1 seqno=1
ike 0:Du-CISCO_0:24: send IKEv1 DPD probe, seqno 1
ike 0:Du-CISCO_0:24: enc 5520C60F557C4781B7D2F49C5C739BF808100501C9925E90000000500B000014AA9C24B62DD81492F836AF6A07A37406000000200000000101108D285520C60F557C4781B7D2F49C5C739BF800000001
ike 0:Du-CISCO_0:24: out 5520C60F557C4781B7D2F49C5C739BF808100501C9925E900000005C09B59C9FB370D80A3EDAA7E60B9093E607BB5E669D15FCCFCE8B2B4F2402C1C584F141FAA1DF7B2118655ADA82E2CBF14FC55DB2758654B090485634CDA54542
ike 0:Du-CISCO_0:24: sent IKE msg (R-U-THERE): 84.73.193.80:4500->194.230.155.139:45214, len=92, id=5520c60f557c4781/b7d2f49c5c739bf8:c9925e90
ike 0: comes 194.230.155.139:45214->84.73.193.80:4500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=5520c60f557c4781/b7d2f49c5c739bf8:3efb5831 len=92
ike 0: in 5520C60F557C4781B7D2F49C5C739BF8081005013EFB58310000005CDE96392BC028278F2094DC7345C585E124EC30142B8A52595ACDDA0331D21FAEF824E52A595A2974056DA09F524366005FA95A8240DA82D11952F49FA760EA42
ike 0:Du-CISCO_0:24: dec 5520C60F557C4781B7D2F49C5C739BF8081005013EFB58310000005C0B000014FE092335920A691AC44E6F722CC8FD08000000200000000101108D295520C60F557C4781B7D2F49C5C739BF80000000100000000000000000000000C
ike 0:Du-CISCO_0:24: notify msg received: R-U-THERE-ACK
ike 0:Du-CISCO_0:24: out 5520C60F557C4781B7D2F49C5C739BF808100601F80263540000004C93099FD0C837E1BC40330D68B3733E226E18B2F222ED98EE7FC8DA14A448E1FFB20FD0E3385056FDDBB58DB0D95CFADE
ike 0:Du-CISCO_0:24: sent IKE msg (CFG_RETRANS): 84.73.193.80:4500->194.230.155.139:45214, len=76, id=5520c60f557c4781/b7d2f49c5c739bf8:f8026354
ike 0:Du-CISCO_0: link is idle 5 84.73.193.80->194.230.155.139:45214 dpd=1 seqno=2
ike 0:Du-CISCO_0:24: send IKEv1 DPD probe, seqno 2
ike 0:Du-CISCO_0:24: enc 5520C60F557C4781B7D2F49C5C739BF8081005010FF43332000000500B0000146BEACA379BF95DB828BECCAF6E00B229000000200000000101108D285520C60F557C4781B7D2F49C5C739BF800000002
ike 0:Du-CISCO_0:24: out 5520C60F557C4781B7D2F49C5C739BF8081005010FF433320000005C95AD32E2E3E1DB5C8B4CC285DF71948613658CB97B350DCC7E4C89ED58C52451D530739AEC0194194E1EABA6C38608681118BB53B93541EB3FE262184F6144AF
ike 0:Du-CISCO_0:24: sent IKE msg (R-U-THERE): 84.73.193.80:4500->194.230.155.139:45214, len=92, id=5520c60f557c4781/b7d2f49c5c739bf8:0ff43332
ike 0: comes 194.230.155.139:45214->84.73.193.80:4500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=5520c60f557c4781/b7d2f49c5c739bf8:f54a94ac len=92
ike 0: in 5520C60F557C4781B7D2F49C5C739BF808100501F54A94AC0000005CD66A7ABBB0CEE746BFEC34771EE4D54060B1E1713583EC64B682FE4A7F6919BD56398ECA880D87833B682AC69336BA1DC1D05EDCC6762672B2BFE2B777929CF8
ike 0:Du-CISCO_0:24: dec 5520C60F557C4781B7D2F49C5C739BF808100501F54A94AC0000005C0B000014C4F5D370AFE6F23D92AB9AE14AD6531F000000200000000101108D295520C60F557C4781B7D2F49C5C739BF80000000200000000000000000000000C
ike 0:Du-CISCO_0:24: notify msg received: R-U-THERE-ACK
ike 0: comes 194.230.155.139:45214->84.73.193.80:4500,ifindex=5....
ike 0: IKEv1 exchange=Mode config id=5520c60f557c4781/b7d2f49c5c739bf8:f8026354 len=92
ike 0: in 5520C60F557C4781B7D2F49C5C739BF808100601F80263540000005CB8F97BD5BDC44060ED84B63831E32CAD89AC66E14377DCA2BD1C5D9174C502F90748149FC8A45BF998F5E7E9F5F52B0B113C7924E68277A5E2072DDA8388D2FA
ike 0:Du-CISCO_0:24: dec 5520C60F557C4781B7D2F49C5C739BF808100601F80263540000005C0E0000140F7DD6E231BF58834F3AFAC402BC686B000000200200310040890008636872696869747A408A00085369743168656C6C00000000000000000000000C
ike 0:Du-CISCO_0:24: received XAUTH_USER_NAME 'chrihitz' length 8
ike 0:Du-CISCO_0:24: received XAUTH_USER_PASSWORD length 8
ike 0:Du-CISCO_0: XAUTH user "chrihitz"
ike 0:Du-CISCO: auth group VPN-Users
ike 0:Du-CISCO_0: XAUTH succeeded for user "chrihitz" group "VPN-Users"
ike 0:Du-CISCO_0:24: enc 5520C60F557C4781B7D2F49C5C739BF8081006012846CAC90000003C0E000014FA3299279FC3BB0073F1253CEE75AAFA0000000C03003000C08F0001
ike 0:Du-CISCO_0:24: out 5520C60F557C4781B7D2F49C5C739BF8081006012846CAC90000004C30A9A3C9420C38985C62A78FBA9C501C34DEAEDA313D0765FEF5E85DAC9335087D04BC7A196B0AA02CA4CBDB09745CD4
ike 0:Du-CISCO_0:24: sent IKE msg (cfg_send): 84.73.193.80:4500->194.230.155.139:45214, len=76, id=5520c60f557c4781/b7d2f49c5c739bf8:2846cac9
ike 0: comes 194.230.155.139:45214->84.73.193.80:4500,ifindex=5....
ike 0: IKEv1 exchange=Mode config id=5520c60f557c4781/b7d2f49c5c739bf8:2846cac9 len=76
ike 0: in 5520C60F557C4781B7D2F49C5C739BF8081006012846CAC90000004C26B578C8487881BC599E111F5C0CDCA48B705A9E1EAA7FC9AEA5C8DE3D81B231B2F58AB0E53C70C791FF96E85A8F2E23
ike 0:Du-CISCO_0:24: dec 5520C60F557C4781B7D2F49C5C739BF8081006012846CAC90000004C0E000014C5C43D588D61564F1F450CEBACBA574D0000000C04003000C08F000000000000000000000000000000000010
ike 0: comes 194.230.155.139:45214->84.73.193.80:4500,ifindex=5....
ike 0: IKEv1 exchange=Mode config id=5520c60f557c4781/b7d2f49c5c739bf8:5609cb44 len=172
ike 0: in 5520C60F557C4781B7D2F49C5C739BF8081006015609CB44000000AC9445F35215B41B8C4A061373BF4D0E0C9C19C3ADA1424E9772F8AF794E7EC2469903DA793438C3576C79179CE89FC8D5EE55E09D9D020FEAF60F19FCE44F9DAD000940676EA2703D6980754B7ECADE42B8648D54BC36AFB95802B5FD032CB3C1F8D8E29D5020D7C3850637F5E8652383F99864D39506A923BB15A4F26F7977E6E8A0A10DCC4E1E8A8F5894A577634FB2
ike 0:Du-CISCO_0:24: dec 5520C60F557C4781B7D2F49C5C739BF8081006015609CB44000000AC0E00001449B5BE76F04B4144E38AB72A9214FCD90000006E0100DC51000100000002000000030000000400000005000000070026436973636F2053797374656D732056504E20436C69656E7420382E333A6950686F6E65204F53700000007002000070030000700400007006000070070000700100007008000070090000700B0000000000000000000000000000000E
ike 0:Du-CISCO_0:24: mode-cfg type 1 request 0:''
ike 0:Du-CISCO_0:24: mode-cfg not enabled, ignoring Configuration Method Request
ike 0: comes 194.230.155.139:45214->84.73.193.80:4500,ifindex=5....
ike 0: IKEv1 exchange=Mode config id=5520c60f557c4781/b7d2f49c5c739bf8:5609cb44 len=172
ike 0: in 5520C60F557C4781B7D2F49C5C739BF8081006015609CB44000000AC9445F35215B41B8C4A061373BF4D0E0C9C19C3ADA1424E9772F8AF794E7EC2469903DA793438C3576C79179CE89FC8D5EE55E09D9D020FEAF60F19FCE44F9DAD000940676EA2703D6980754B7ECADE42B8648D54BC36AFB95802B5FD032CB3C1F8D8E29D5020D7C3850637F5E8652383F99864D39506A923BB15A4F26F7977E6E8A0A10DCC4E1E8A8F5894A577634FB2
ike 0:Du-CISCO_0:24: dec 5520C60F557C4781B7D2F49C5C739BF8081006015609CB44000000AC0E00001449B5BE76F04B4144E38AB72A9214FCD90000006E0100DC51000100000002000000030000000400000005000000070026436973636F2053797374656D732056504E20436C69656E7420382E333A6950686F6E65204F53700000007002000070030000700400007006000070070000700100007008000070090000700B0000000000000000000000000000000E
ike 0:Du-CISCO_0:24: mode-cfg type 1 request 0:''
ike 0:Du-CISCO_0:24: mode-cfg not enabled, ignoring Configuration Method Request
ike 0:Du-CISCO_0: link is idle 5 84.73.193.80->194.230.155.139:45214 dpd=1 seqno=9
ike 0:Du-CISCO_0:24: send IKEv1 DPD probe, seqno 9
ike 0:Du-CISCO_0:24: enc 5520C60F557C4781B7D2F49C5C739BF80810050122449324000000500B000014FE72F93D6ADAEAB503B9AB5159E57E6C000000200000000101108D285520C60F557C4781B7D2F49C5C739BF800000009
ike 0:Du-CISCO_0:24: out 5520C60F557C4781B7D2F49C5C739BF808100501224493240000005C16E23CA23D773823CF245FA2C6E2F7D514A411B56B2F2E599772A7D717F260AE5778802C3B2613363C6F632E7653D7EC84C72F6C53FEF2654A9B861300035D13
ike 0:Du-CISCO_0:24: sent IKE msg (R-U-THERE): 84.73.193.80:4500->194.230.155.139:45214, len=92, id=5520c60f557c4781/b7d2f49c5c739bf8:22449324
ike 0: comes 194.230.155.139:45214->84.73.193.80:4500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=5520c60f557c4781/b7d2f49c5c739bf8:7c03e57c len=92
ike 0: in 5520C60F557C4781B7D2F49C5C739BF8081005017C03E57C0000005C9C87CBB7B7F4628ED9570FDCB32D0DEAF1229BAAF7C2BE6B55AE3B96BE9B50228E4D6240B35909158F1A4641B9C965ADFAAF9D45EB694DA20A02FE2C4D370FF0
ike 0:Du-CISCO_0:24: dec 5520C60F557C4781B7D2F49C5C739BF8081005017C03E57C0000005C0B000014EBE0ECC8CE0CF75C3298553B603A68BA000000200000000101108D295520C60F557C4781B7D2F49C5C739BF80000000900000000000000000000000C
ike 0:Du-CISCO_0:24: notify msg received: R-U-THERE-ACK
ike 0: comes 194.230.155.139:45214->84.73.193.80:4500,ifindex=5....
ike 0: IKEv1 exchange=Mode config id=5520c60f557c4781/b7d2f49c5c739bf8:5609cb44 len=172
ike 0: in 5520C60F557C4781B7D2F49C5C739BF8081006015609CB44000000AC9445F35215B41B8C4A061373BF4D0E0C9C19C3ADA1424E9772F8AF794E7EC2469903DA793438C3576C79179CE89FC8D5EE55E09D9D020FEAF60F19FCE44F9DAD000940676EA2703D6980754B7ECADE42B8648D54BC36AFB95802B5FD032CB3C1F8D8E29D5020D7C3850637F5E8652383F99864D39506A923BB15A4F26F7977E6E8A0A10DCC4E1E8A8F5894A577634FB2
ike 0:Du-CISCO_0:24: dec 5520C60F557C4781B7D2F49C5C739BF8081006015609CB44000000AC0E00001449B5BE76F04B4144E38AB72A9214FCD90000006E0100DC51000100000002000000030000000400000005000000070026436973636F2053797374656D732056504E20436C69656E7420382E333A6950686F6E65204F53700000007002000070030000700400007006000070070000700100007008000070090000700B0000000000000000000000000000000E
ike 0:Du-CISCO_0:24: mode-cfg type 1 request 0:''
ike 0:Du-CISCO_0:24: mode-cfg not enabled, ignoring Configuration Method Request
ike 0:Du-CISCO_0: link is idle 5 84.73.193.80->194.230.155.139:45214 dpd=1 seqno=a
ike 0:Du-CISCO_0:24: send IKEv1 DPD probe, seqno 10
ike 0:Du-CISCO_0:24: enc 5520C60F557C4781B7D2F49C5C739BF808100501CD19C732000000500B0000142C4A25D15EEEB8710028295F30365FDF000000200000000101108D285520C60F557C4781B7D2F49C5C739BF80000000A
ike 0:Du-CISCO_0:24: out 5520C60F557C4781B7D2F49C5C739BF808100501CD19C7320000005C90610DF05C857FEC93DF02E5E55EE6F4914A2FEE937E2C0445323384528243266DCAE87208822AE29A968913F6F7754564BF171E1114CED3DA8E90C13F1B6DC2
ike 0:Du-CISCO_0:24: sent IKE msg (R-U-THERE): 84.73.193.80:4500->194.230.155.139:45214, len=92, id=5520c60f557c4781/b7d2f49c5c739bf8:cd19c732
ike 0: comes 194.230.155.139:45214->84.73.193.80:4500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=5520c60f557c4781/b7d2f49c5c739bf8:b10946cd len=92
ike 0: in 5520C60F557C4781B7D2F49C5C739BF808100501B10946CD0000005C6FA676ED1F3275AF57432AC0CD0D7EE286BFCAE741960E8B8DD22F35B4462F0441B600F52E8B6EEA82A997F44AD503B259AA7586BA783C43075FE829C6F76F67
ike 0:Du-CISCO_0:24: dec 5520C60F557C4781B7D2F49C5C739BF808100501B10946CD0000005C0B0000148343825E08AF4B2F79F5938040E66DE4000000200000000101108D295520C60F557C4781B7D2F49C5C739BF80000000A00000000000000000000000C
ike 0:Du-CISCO_0:24: notify msg received: R-U-THERE-ACK
ike 0: comes 194.230.155.139:45214->84.73.193.80:4500,ifindex=5....
ike 0: IKEv1 exchange=Mode config id=5520c60f557c4781/b7d2f49c5c739bf8:5609cb44 len=172
ike 0: in 5520C60F557C4781B7D2F49C5C739BF8081006015609CB44000000AC9445F35215B41B8C4A061373BF4D0E0C9C19C3ADA1424E9772F8AF794E7EC2469903DA793438C3576C79179CE89FC8D5EE55E09D9D020FEAF60F19FCE44F9DAD000940676EA2703D6980754B7ECADE42B8648D54BC36AFB95802B5FD032CB3C1F8D8E29D5020D7C3850637F5E8652383F99864D39506A923BB15A4F26F7977E6E8A0A10DCC4E1E8A8F5894A577634FB2
ike 0:Du-CISCO_0:24: dec 5520C60F557C4781B7D2F49C5C739BF8081006015609CB44000000AC0E00001449B5BE76F04B4144E38AB72A9214FCD90000006E0100DC51000100000002000000030000000400000005000000070026436973636F2053797374656D732056504E20436C69656E7420382E333A6950686F6E65204F53700000007002000070030000700400007006000070070000700100007008000070090000700B0000000000000000000000000000000E
ike 0:Du-CISCO_0:24: mode-cfg type 1 request 0:''
ike 0:Du-CISCO_0:24: mode-cfg not enabled, ignoring Configuration Method Request
ike 0: comes 194.230.155.139:45214->84.73.193.80:4500,ifindex=5....
ike 0: IKEv1 exchange=Mode config id=5520c60f557c4781/b7d2f49c5c739bf8:5609cb44 len=172
ike 0: in 5520C60F557C4781B7D2F49C5C739BF8081006015609CB44000000AC9445F35215B41B8C4A061373BF4D0E0C9C19C3ADA1424E9772F8AF794E7EC2469903DA793438C3576C79179CE89FC8D5EE55E09D9D020FEAF60F19FCE44F9DAD000940676EA2703D6980754B7ECADE42B8648D54BC36AFB95802B5FD032CB3C1F8D8E29D5020D7C3850637F5E8652383F99864D39506A923BB15A4F26F7977E6E8A0A10DCC4E1E8A8F5894A577634FB2
ike 0:Du-CISCO_0:24: dec 5520C60F557C4781B7D2F49C5C739BF8081006015609CB44000000AC0E00001449B5BE76F04B4144E38AB72A9214FCD90000006E0100DC51000100000002000000030000000400000005000000070026436973636F2053797374656D732056504E20436C69656E7420382E333A6950686F6E65204F53700000007002000070030000700400007006000070070000700100007008000070090000700B0000000000000000000000000000000E
ike 0:Du-CISCO_0:24: mode-cfg type 1 request 0:''
ike 0:Du-CISCO_0:24: mode-cfg not enabled, ignoring Configuration Method Request
ike 0:Du-CISCO_0: link is idle 5 84.73.193.80->194.230.155.139:45214 dpd=1 seqno=b
ike 0:Du-CISCO_0:24: send IKEv1 DPD probe, seqno 11
ike 0:Du-CISCO_0:24: enc 5520C60F557C4781B7D2F49C5C739BF808100501C99C1A75000000500B000014A64F3379C88DB9F5425ADA61A9A0CA7A000000200000000101108D285520C60F557C4781B7D2F49C5C739BF80000000B
ike 0:Du-CISCO_0:24: out 5520C60F557C4781B7D2F49C5C739BF808100501C99C1A750000005C49B43A8847FBECB2751C50D7870065444DD773F9020B697892639B5C0A93CD9E84D1BE96753E598B014112B4CFE78523BA662EE53C21146AA35CE9C306A402C2
ike 0:Du-CISCO_0:24: sent IKE msg (R-U-THERE): 84.73.193.80:4500->194.230.155.139:45214, len=92, id=5520c60f557c4781/b7d2f49c5c739bf8:c99c1a75
ike 0: comes 194.230.155.139:45214->84.73.193.80:4500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=5520c60f557c4781/b7d2f49c5c739bf8:3483e55b len=92
ike 0: in 5520C60F557C4781B7D2F49C5C739BF8081005013483E55B0000005CC465EA4448EB9107E17EFB917387661D403E16C7D9A9DFFF582C0D29E73BDA07DC189781026C1E1473AB0E7835294D14360B1FAA0A6B9FB9A6F014B2E128E091
ike 0:Du-CISCO_0:24: dec 5520C60F557C4781B7D2F49C5C739BF8081005013483E55B0000005C0B000014F22D5238B8BB3B635D3D7EC497EED2EB000000200000000101108D295520C60F557C4781B7D2F49C5C739BF80000000B00000000000000000000000C
ike 0:Du-CISCO_0:24: notify msg received: R-U-THERE-ACK
ike 0: comes 194.230.155.139:45214->84.73.193.80:4500,ifindex=5....
ike 0: IKEv1 exchange=Mode config id=5520c60f557c4781/b7d2f49c5c739bf8:5609cb44 len=172
ike 0: in 5520C60F557C4781B7D2F49C5C739BF8081006015609CB44000000AC9445F35215B41B8C4A061373BF4D0E0C9C19C3ADA1424E9772F8AF794E7EC2469903DA793438C3576C79179CE89FC8D5EE55E09D9D020FEAF60F19FCE44F9DAD000940676EA2703D6980754B7ECADE42B8648D54BC36AFB95802B5FD032CB3C1F8D8E29D5020D7C3850637F5E8652383F99864D39506A923BB15A4F26F7977E6E8A0A10DCC4E1E8A8F5894A577634FB2
ike 0:Du-CISCO_0:24: dec 5520C60F557C4781B7D2F49C5C739BF8081006015609CB44000000AC0E00001449B5BE76F04B4144E38AB72A9214FCD90000006E0100DC51000100000002000000030000000400000005000000070026436973636F2053797374656D732056504E20436C69656E7420382E333A6950686F6E65204F53700000007002000070030000700400007006000070070000700100007008000070090000700B0000000000000000000000000000000E
ike 0:Du-CISCO_0:24: mode-cfg type 1 request 0:''
ike 0:Du-CISCO_0:24: mode-cfg not enabled, ignoring Configuration Method Request
ike 0:Du-CISCO_0: link is idle 5 84.73.193.80->194.230.155.139:45214 dpd=1 seqno=c
ike 0:Du-CISCO_0:24: send IKEv1 DPD probe, seqno 12
ike 0:Du-CISCO_0:24: enc 5520C60F557C4781B7D2F49C5C739BF808100501ED79814C000000500B000014A23E32C6FB4DE6A6372290FEF1E51B39000000200000000101108D285520C60F557C4781B7D2F49C5C739BF80000000C
ike 0:Du-CISCO_0:24: out 5520C60F557C4781B7D2F49C5C739BF808100501ED79814C0000005C0EDF44ABCCCCEFBB78BE47012C3136306C65F4BEE204DF83CB82983BE1D84C90E17F01D7624A81CF55ED54B1E5B5A98186E2A69077008935F9036B9247B94737
ike 0:Du-CISCO_0:24: sent IKE msg (R-U-THERE): 84.73.193.80:4500->194.230.155.139:45214, len=92, id=5520c60f557c4781/b7d2f49c5c739bf8:ed79814c
ike 0: comes 194.230.155.139:45214->84.73.193.80:4500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=5520c60f557c4781/b7d2f49c5c739bf8:525c7816 len=92
ike 0: in 5520C60F557C4781B7D2F49C5C739BF808100501525C78160000005CC9357B3AE203F18F6024582A23686F7B9F687F4321536D18DFC422CA68F8C1DCC1EDB425BA9CAF114261797813832B6D44454AFC17926BF5AA7FE3DFA01267FA
ike 0:Du-CISCO_0:24: dec 5520C60F557C4781B7D2F49C5C739BF808100501525C78160000005C0B000014A973513918E59874C4334750116EFB61000000200000000101108D295520C60F557C4781B7D2F49C5C739BF80000000C00000000000000000000000C
ike 0:Du-CISCO_0:24: notify msg received: R-U-THERE-ACK
ike 0: comes 194.230.155.139:45214->84.73.193.80:4500,ifindex=5....
ike 0: IKEv1 exchange=Mode config id=5520c60f557c4781/b7d2f49c5c739bf8:5609cb44 len=172
ike 0: in 5520C60F557C4781B7D2F49C5C739BF8081006015609CB44000000AC9445F35215B41B8C4A061373BF4D0E0C9C19C3ADA1424E9772F8AF794E7EC2469903DA793438C3576C79179CE89FC8D5EE55E09D9D020FEAF60F19FCE44F9DAD000940676EA2703D6980754B7ECADE42B8648D54BC36AFB95802B5FD032CB3C1F8D8E29D5020D7C3850637F5E8652383F99864D39506A923BB15A4F26F7977E6E8A0A10DCC4E1E8A8F5894A577634FB2
ike 0:Du-CISCO_0:24: dec 5520C60F557C4781B7D2F49C5C739BF8081006015609CB44000000AC0E00001449B5BE76F04B4144E38AB72A9214FCD90000006E0100DC51000100000002000000030000000400000005000000070026436973636F2053797374656D732056504E20436C69656E7420382E333A6950686F6E65204F53700000007002000070030000700400007006000070070000700100007008000070090000700B0000000000000000000000000000000E
ike 0:Du-CISCO_0:24: mode-cfg type 1 request 0:''
ike 0:Du-CISCO_0:24: mode-cfg not enabled, ignoring Configuration Method Request
ike 0: comes 194.230.155.139:45214->84.73.193.80:4500,ifindex=5....
ike 0: IKEv1 exchange=Mode config id=5520c60f557c4781/b7d2f49c5c739bf8:5609cb44 len=172
ike 0: in 5520C60F557C4781B7D2F49C5C739BF8081006015609CB44000000AC9445F35215B41B8C4A061373BF4D0E0C9C19C3ADA1424E9772F8AF794E7EC2469903DA793438C3576C79179CE89FC8D5EE55E09D9D020FEAF60F19FCE44F9DAD000940676EA2703D6980754B7ECADE42B8648D54BC36AFB95802B5FD032CB3C1F8D8E29D5020D7C3850637F5E8652383F99864D39506A923BB15A4F26F7977E6E8A0A10DCC4E1E8A8F5894A577634FB2
ike 0:Du-CISCO_0:24: dec 5520C60F557C4781B7D2F49C5C739BF8081006015609CB44000000AC0E00001449B5BE76F04B4144E38AB72A9214FCD90000006E0100DC51000100000002000000030000000400000005000000070026436973636F2053797374656D732056504E20436C69656E7420382E333A6950686F6E65204F53700000007002000070030000700400007006000070070000700100007008000070090000700B0000000000000000000000000000000E
ike 0:Du-CISCO_0:24: mode-cfg type 1 request 0:''
ike 0:Du-CISCO_0:24: mode-cfg not enabled, ignoring Configuration Method Request
ike 0:Du-CISCO_0: link is idle 5 84.73.193.80->194.230.155.139:45214 dpd=1 seqno=d
ike 0:Du-CISCO_0:24: send IKEv1 DPD probe, seqno 13
ike 0:Du-CISCO_0:24: enc 5520C60F557C4781B7D2F49C5C739BF80810050106ED664F000000500B000014A7B2E76AF50AFF547746BC360AC1B986000000200000000101108D285520C60F557C4781B7D2F49C5C739BF80000000D
ike 0:Du-CISCO_0:24: out 5520C60F557C4781B7D2F49C5C739BF80810050106ED664F0000005C79BF967FA642672E671D075B91ACFFDAEAED73EDD59888DE5626A48E0697956AFC94B912C27AAA9BAE25C89E94735DA1B053118C3EE159F5D77C04D3A51641BF
ike 0:Du-CISCO_0:24: sent IKE msg (R-U-THERE): 84.73.193.80:4500->194.230.155.139:45214, len=92, id=5520c60f557c4781/b7d2f49c5c739bf8:06ed664f
ike 0: comes 194.230.155.139:45214->84.73.193.80:4500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=5520c60f557c4781/b7d2f49c5c739bf8:e0c489d0 len=92
ike 0: in 5520C60F557C4781B7D2F49C5C739BF808100501E0C489D00000005C685F64BFC1BFA8530B2F77C0CF0E41E59D0B1B23ED6746D64B3F17A4344F68A19E83FB7118DCB9109F86FA0FCE3A4E0B9EDD6E558ECD60688EAAE6C7DA2E4441
ike 0:Du-CISCO_0:24: dec 5520C60F557C4781B7D2F49C5C739BF808100501E0C489D00000005C0B0000144EEFDE6F193D06F1C010ECF700E33BD7000000200000000101108D295520C60F557C4781B7D2F49C5C739BF80000000D00000000000000000000000C
ike 0:Du-CISCO_0:24: notify msg received: R-U-THERE-ACK
ike 0: comes 194.230.155.139:45214->84.73.193.80:4500,ifindex=5....
ike 0: IKEv1 exchange=Mode config id=5520c60f557c4781/b7d2f49c5c739bf8:5609cb44 len=172
ike 0: in 5520C60F557C4781B7D2F49C5C739BF8081006015609CB44000000AC9445F35215B41B8C4A061373BF4D0E0C9C19C3ADA1424E9772F8AF794E7EC2469903DA793438C3576C79179CE89FC8D5EE55E09D9D020FEAF60F19FCE44F9DAD000940676EA2703D6980754B7ECADE42B8648D54BC36AFB95802B5FD032CB3C1F8D8E29D5020D7C3850637F5E8652383F99864D39506A923BB15A4F26F7977E6E8A0A10DCC4E1E8A8F5894A577634FB2
ike 0:Du-CISCO_0:24: dec 5520C60F557C4781B7D2F49C5C739BF8081006015609CB44000000AC0E00001449B5BE76F04B4144E38AB72A9214FCD90000006E0100DC51000100000002000000030000000400000005000000070026436973636F2053797374656D732056504E20436C69656E7420382E333A6950686F6E65204F53700000007002000070030000700400007006000070070000700100007008000070090000700B0000000000000000000000000000000E
ike 0:Du-CISCO_0:24: mode-cfg type 1 request 0:''
ike 0:Du-CISCO_0:24: mode-cfg not enabled, ignoring Configuration Method Request
ike 0:Du-CISCO_0: link is idle 5 84.73.193.80->194.230.155.139:45214 dpd=1 seqno=e
ike 0:Du-CISCO_0:24: send IKEv1 DPD probe, seqno 14
ike 0:Du-CISCO_0:24: enc 5520C60F557C4781B7D2F49C5C739BF808100501BDADD1A2000000500B000014BD7E61F722E9BC4CC2E60957913D98B9000000200000000101108D285520C60F557C4781B7D2F49C5C739BF80000000E
ike 0:Du-CISCO_0:24: out 5520C60F557C4781B7D2F49C5C739BF808100501BDADD1A20000005C47CD0749E9C7F1E9005EF2636E01C05CD2CC64A85BB1C351367E4F4E1625497A00F2CC361F2B6A327F139049874E745539B07DB319E6EEAB20E058B5FD8D1EF7
ike 0:Du-CISCO_0:24: sent IKE msg (R-U-THERE): 84.73.193.80:4500->194.230.155.139:45214, len=92, id=5520c60f557c4781/b7d2f49c5c739bf8:bdadd1a2
ike 0: comes 194.230.155.139:45214->84.73.193.80:4500,ifindex=5....
ike 0: IKEv1 exchange=Mode config id=5520c60f557c4781/b7d2f49c5c739bf8:5609cb44 len=172
ike 0: in 5520C60F557C4781B7D2F49C5C739BF8081006015609CB44000000AC9445F35215B41B8C4A061373BF4D0E0C9C19C3ADA1424E9772F8AF794E7EC2469903DA793438C3576C79179CE89FC8D5EE55E09D9D020FEAF60F19FCE44F9DAD000940676EA2703D6980754B7ECADE42B8648D54BC36AFB95802B5FD032CB3C1F8D8E29D5020D7C3850637F5E8652383F99864D39506A923BB15A4F26F7977E6E8A0A10DCC4E1E8A8F5894A577634FB2
ike 0:Du-CISCO_0:24: dec 5520C60F557C4781B7D2F49C5C739BF8081006015609CB44000000AC0E00001449B5BE76F04B4144E38AB72A9214FCD90000006E0100DC51000100000002000000030000000400000005000000070026436973636F2053797374656D732056504E20436C69656E7420382E333A6950686F6E65204F53700000007002000070030000700400007006000070070000700100007008000070090000700B0000000000000000000000000000000E
ike 0:Du-CISCO_0:24: mode-cfg type 1 request 0:''
ike 0:Du-CISCO_0:24: mode-cfg not enabled, ignoring Configuration Method Request
ike 0: comes 194.230.155.139:45214->84.73.193.80:4500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=5520c60f557c4781/b7d2f49c5c739bf8:cd6e76d4 len=92
ike 0: in 5520C60F557C4781B7D2F49C5C739BF808100501CD6E76D40000005CD0490CB9500C66EE1D320D9BFD0E7142C20CDB5CD537D3AB8F0FDC7F743635E65EBFB9EE89D250452B62E8DCAFEF1A03D2329144EA93F9181C8E613834DA5914
ike 0:Du-CISCO_0:24: dec 5520C60F557C4781B7D2F49C5C739BF808100501CD6E76D40000005C0B0000143BAEA139CF6C3F75B10E1AEE8A49A03D000000200000000101108D295520C60F557C4781B7D2F49C5C739BF80000000E00000000000000000000000C
ike 0:Du-CISCO_0:24: notify msg received: R-U-THERE-ACK
ike 0: comes 194.230.155.139:45214->84.73.193.80:4500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=5520c60f557c4781/b7d2f49c5c739bf8:f7c97743 len=92
ike 0: in 5520C60F557C4781B7D2F49C5C739BF808100501F7C977430000005C4F992CC42DD1F8850FBF92D7F4E86A73E635D588239E6A8B3E79EC7585D27380454CD6901B058349979AA11F576A12B2920452F5A88ECD92B22329D7948E84BC
ike 0:Du-CISCO_0:24: dec 5520C60F557C4781B7D2F49C5C739BF808100501F7C977430000005C0C000014C3D202F6E351D901F1A2B568A80EAC1C0000001C00000001011000015520C60F557C4781B7D2F49C5C739BF800000000000000000000000000000010
ike 0:Du-CISCO_0:24: recv ISAKMP SA delete 5520c60f557c4781/b7d2f49c5c739bf8
ike 0:Du-CISCO_0: deleting
ike 0:Du-CISCO_0: flushing
ike 0:Du-CISCO_0: sending SNMP tunnel DOWN trap
ike 0:Du-CISCO_0: flushed
ike 0:Du-CISCO_0: delete dynamic
ike 0:Du-CISCO_0: reset NAT-T
ike 0:Du-CISCO_0: deleted
Can you see there something?
Kind regards
Another approach would be to capture or debug the ipsec client. 1> does the IPSEC client recognized dhcp request ? or 2> does it support the RFC isakmp modecfg only?
If its the former, than no way could you relay a DHCP request ( none exist )
Just speaking on top of my mind, maybe you can run the fortigate dhcpd in debug mode and see if any clients initialize a dhcp request.
PCNSE
NSE
StrongSwan
ike 0:Du-CISCO_0:24: mode-cfg not enabled, ignoring Configuration Method Request
The client is asking for mode-cfg. You may need it after all. Either disable mode-cfg on the client, or else you might want to consider creating multiple aggressive-mode dial-up tunnels for each address range you want to assign, and differentiate between the tunnels based on setting local and peer IDs respectively: a peer ID that the FortiGate will accept for that specific tunnel, and a local ID on the client.
Regards, Chris McMullan Fortinet Ottawa
Here is the Output with mode config enable
FGT70 # ike 0: comes 194.230.155.139:57932->84.73.193.80:500,ifindex=5....
ike 0: IKEv1 exchange=Identity Protection id=52b01269d36c2da2/0000000000000000 len=596
ike 0: in 52B01269D36C2DA200000000000000000110020000000000000002540D000124000000010000000100000118010100080300002401010000800B0001800C0E1080010007800E01008003FDE980020002800400020300002402010000800B0001800C0E1080010007800E00808003FDE980020002800400020300002403010000800B0001800C0E1080010007800E01008003FDE980020001800400020300002404010000800B0001800C0E1080010007800E00808003FDE980020001800400020300002005010000800B0001800C0E10800100058003FDE980020002800400020300002006010000800B0001800C0E10800100058003FDE980020001800400020300002007010000800B0001800C0E10800100018003FDE980020002800400020000002008010000800B0001800C0E10800100018003FDE980020001800400020D0000144A131C81070358455C5728F20E95452F0D0000144DF37928E9FC4FD1B3262170D515C6620D0000148F8D83826D246B6FC7A8A6A428C11DE80D000014439B59F8BA676C4C7737AE22EAB8F5820D0000144D1E0E136DEAFA34C4F3EA9F02EC72850D00001480D0BB3DEF54565EE84645D4C85CE3EE0D0000149909B64EED937C6573DE52ACE952FA6B0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00000C09002689DFD6B7120D00001412F5F28C457168A9702D9FE274CC01000D0000184048B7D56EBCE88525E7DE7F00D6C2D38000000000000014AFCAD71368A1F1C96B8696FC77570100
ike 0:52b01269d36c2da2/0000000000000000:27: responder: main mode get 1st message...
ike 0:52b01269d36c2da2/0000000000000000:27: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:52b01269d36c2da2/0000000000000000:27: VID unknown (16): 4DF37928E9FC4FD1B3262170D515C662
ike 0:52b01269d36c2da2/0000000000000000:27: VID draft-ietf-ipsec-nat-t-ike-08 8F8D83826D246B6FC7A8A6A428C11DE8
ike 0:52b01269d36c2da2/0000000000000000:27: VID draft-ietf-ipsec-nat-t-ike-07 439B59F8BA676C4C7737AE22EAB8F582
ike 0:52b01269d36c2da2/0000000000000000:27: VID draft-ietf-ipsec-nat-t-ike-06 4D1E0E136DEAFA34C4F3EA9F02EC7285
ike 0:52b01269d36c2da2/0000000000000000:27: VID draft-ietf-ipsec-nat-t-ike-05 80D0BB3DEF54565EE84645D4C85CE3EE
ike 0:52b01269d36c2da2/0000000000000000:27: VID draft-ietf-ipsec-nat-t-ike-04 9909B64EED937C6573DE52ACE952FA6B
ike 0:52b01269d36c2da2/0000000000000000:27: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:52b01269d36c2da2/0000000000000000:27: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
ike 0:52b01269d36c2da2/0000000000000000:27: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:52b01269d36c2da2/0000000000000000:27: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
ike 0:52b01269d36c2da2/0000000000000000:27: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
ike 0:52b01269d36c2da2/0000000000000000:27: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000
ike 0:52b01269d36c2da2/0000000000000000:27: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:52b01269d36c2da2/0000000000000000:27: negotiation result
ike 0:52b01269d36c2da2/0000000000000000:27: proposal id = 1:
ike 0:52b01269d36c2da2/0000000000000000:27: protocol id = ISAKMP:
ike 0:52b01269d36c2da2/0000000000000000:27: trans_id = KEY_IKE.
ike 0:52b01269d36c2da2/0000000000000000:27: encapsulation = IKE/none
ike 0:52b01269d36c2da2/0000000000000000:27: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:52b01269d36c2da2/0000000000000000:27: type=OAKLEY_HASH_ALG, val=MD5.
ike 0:52b01269d36c2da2/0000000000000000:27: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:52b01269d36c2da2/0000000000000000:27: type=OAKLEY_GROUP, val=MODP1024.
ike 0:52b01269d36c2da2/0000000000000000:27: ISAKMP SA lifetime=86400
ike 0:52b01269d36c2da2/0000000000000000:27: SA proposal chosen, matched gateway Du-CISCO
ike 0:Du-CISCO:27: DPD negotiated
ike 0:Du-CISCO:27: XAUTHv6 negotiated
ike 0:Du-CISCO:27: peer supports UNITY
ike 0:Du-CISCO:27: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-04
ike 0:Du-CISCO:27: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-05
ike 0:Du-CISCO:27: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-06
ike 0:Du-CISCO:27: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-07
ike 0:Du-CISCO:27: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-08
ike 0:Du-CISCO:27: selected NAT-T version: RFC 3947
ike 0:Du-CISCO:27: cookie 52b01269d36c2da2/de3cc6dd7a483dad
ike 0:Du-CISCO:27: out 52B01269D36C2DA2DE3CC6DD7A483DAD0110020000000000000000DC0D00003800000001000000010000002C010100010000002403010000800B0001800C0E1080010007800E01008003FDE980020001800400020D0000144A131C81070358455C5728F20E95452F0D000014AFCAD71368A1F1C96B8696FC775701000D00000C09002689DFD6B7120D00001412F5F28C457168A9702D9FE274CC02040D0000148299031757A36082C6A621DE0005029E0D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:Du-CISCO:27: sent IKE msg (ident_r1send): 84.73.193.80:500->194.230.155.139:57932, len=220, id=52b01269d36c2da2/de3cc6dd7a483dad
ike 0: comes 194.230.155.139:57932->84.73.193.80:500,ifindex=5....
ike 0: IKEv1 exchange=Identity Protection id=52b01269d36c2da2/de3cc6dd7a483dad len=220
ike 0: in 52B01269D36C2DA2DE3CC6DD7A483DAD0410020000000000000000DC0A000084440EED71F15897E3D90CFA42087F43086426FA0B56BF8EB13E8346B15319FEB096EBACF466F752D8D58CC9E8A6A1C20D498D51536D4443BE7F2839DD8D19B0895D0A5BE518A06CC00BA73887C587536F6D1F070EE54DB5CD38C4B73BAE0C47AB0D204A6FA0BC92C686733578FA8134FCD4ADB490F9EE1B3A77CB4D29FDA2FEBB14000014D4AFBE57A7BF1E3D4652B590FE12ABBF140000143615074B71B7833D37FBBE0C1BF4750E0000001446F7B49F6C8BEE979EFC9CD10B40FE08
ike 0:Du-CISCO:27: responder:main mode get 2nd message...
ike 0:Du-CISCO:27: NAT detected: PEER
ike 0:Du-CISCO:27: out 52B01269D36C2DA2DE3CC6DD7A483DAD0410020000000000000000DC0A0000847223C9E3BE711532DAC2AE4CD45F4ED42C468F44752C9E7582EF255D7392951B2734D40D3A19911989705A8B7A2840EE34CCDEC3820A837A065492A9971DBDBA3CD3704AF00F454EFEA6FC8E1B156A9C7B1857AB400230AEA49A3F5508714EEEBEC7BBBE5444B28F312943EFE225EBB93D07661F52EF9A75F1348539C2EC5724140000149FB446524142A69B93F545E30342B1FE14000014F0B26E69E78636732155AD8B6D2E7EB1000000143615074B71B7833D37FBBE0C1BF4750E
ike 0:Du-CISCO:27: sent IKE msg (ident_r2send): 84.73.193.80:500->194.230.155.139:57932, len=220, id=52b01269d36c2da2/de3cc6dd7a483dad
ike 0:Du-CISCO:27: ISAKMP SA 52b01269d36c2da2/de3cc6dd7a483dad key 32:98A7D6E64A8AE5454AC0796A93A945832D8761DAB034C4801859ADA9A5B71D79
ike 0: comes 194.230.155.139:45695->84.73.193.80:4500,ifindex=5....
ike 0: IKEv1 exchange=Identity Protection id=52b01269d36c2da2/de3cc6dd7a483dad len=92
ike 0: in 52B01269D36C2DA2DE3CC6DD7A483DAD05100201000000000000005C9AB0365BCA961CEF2A9C15AA7C340CCE7CD68442D525E5444BF64581AB319C28A119AE5D6ED8E61A357769E55CB005765E312E17B8FA68D3A942687E2EA1412A
ike 0:Du-CISCO:27: responder: main mode get 3rd message...
ike 0:Du-CISCO:27: dec 52B01269D36C2DA2DE3CC6DD7A483DAD05100201000000000000005C0800000C011101F40A97169E0B000014407D38CE1F0BA881664D15C77858EB210000001C000000010110600252B01269D36C2DA2DE3CC6DD7A483DAD00000004
ike 0:Du-CISCO:27: received p1 notify type INITIAL-CONTACT
ike 0:Du-CISCO:27: peer identifier IPV4_ADDR 10.151.22.158
ike 0:Du-CISCO:27: PSK authentication succeeded
ike 0:Du-CISCO:27: authentication OK
ike 0:Du-CISCO:27: enc 52B01269D36C2DA2DE3CC6DD7A483DAD05100201000000000000003C0800000C010000005449C150000000142C0FE58B55F1B24559BC2A046382636A
ike 0:Du-CISCO:27: remote port change 57932 -> 45695
ike 0:Du-CISCO:27: out 52B01269D36C2DA2DE3CC6DD7A483DAD05100201000000000000004C6A866A3B1B40B7A6BAE54593344109FC9B4027601ABA6C1611E4091519499A8A08275DE7DB5980D798A45980A43A0F80
ike 0:Du-CISCO:27: sent IKE msg (ident_r3send): 84.73.193.80:4500->194.230.155.139:45695, len=76, id=52b01269d36c2da2/de3cc6dd7a483dad
ike 0:Du-CISCO: adding new dynamic tunnel for 194.230.155.139:45695
ike 0:Du-CISCO_0: added new dynamic tunnel for 194.230.155.139:45695
ike 0:Du-CISCO_0:27: established IKE SA 52b01269d36c2da2/de3cc6dd7a483dad
ike 0:Du-CISCO_0:27: processing INITIAL-CONTACT
ike 0:Du-CISCO_0: flushing
ike 0:Du-CISCO_0: flushed
ike 0:Du-CISCO_0:27: processed INITIAL-CONTACT
ike 0:Du-CISCO_0:27: initiating XAUTH.
ike 0:Du-CISCO_0:27: sending XAUTH request
ike 0:Du-CISCO_0:27: enc 52B01269D36C2DA2DE3CC6DD7A483DAD08100601ECF0F366000000440E0000146135C9F78E1F381D3A8B9FFFF2189D5D00000014010028AEC088000040890000408A0000
ike 0:Du-CISCO_0:27: out 52B01269D36C2DA2DE3CC6DD7A483DAD08100601ECF0F3660000004C831E7D8F3F35B0A4B780A50AED68D7030E13F684F7EDF42739C1E61C4DE8E69CB953D79FF975526D7CAEB490E6B2B5BE
ike 0:Du-CISCO_0:27: sent IKE msg (cfg_send): 84.73.193.80:4500->194.230.155.139:45695, len=76, id=52b01269d36c2da2/de3cc6dd7a483dad:ecf0f366
ike 0:Du-CISCO_0:27: peer has not completed XAUTH exchange
ike 0:Du-CISCO_0:27: out 52B01269D36C2DA2DE3CC6DD7A483DAD08100601ECF0F3660000004C831E7D8F3F35B0A4B780A50AED68D7030E13F684F7EDF42739C1E61C4DE8E69CB953D79FF975526D7CAEB490E6B2B5BE
ike 0:Du-CISCO_0:27: sent IKE msg (CFG_RETRANS): 84.73.193.80:4500->194.230.155.139:45695, len=76, id=52b01269d36c2da2/de3cc6dd7a483dad:ecf0f366
ike 0:Du-CISCO_0: link is idle 5 84.73.193.80->194.230.155.139:45695 dpd=1 seqno=1
ike 0:Du-CISCO_0:27: send IKEv1 DPD probe, seqno 1
ike 0:Du-CISCO_0:27: enc 52B01269D36C2DA2DE3CC6DD7A483DAD081005011F9B31C8000000500B0000147A481789167E577915BDE41F658F1001000000200000000101108D2852B01269D36C2DA2DE3CC6DD7A483DAD00000001
ike 0:Du-CISCO_0:27: out 52B01269D36C2DA2DE3CC6DD7A483DAD081005011F9B31C80000005C63EAE1DF5C7102FED83D0FD84E4445A0C4328815491727A008D8CC5C8F27B52B8AE52196FF1306E4B113D55100004F0CE42FF3379214D619A44D1A5B0A9A82EB
ike 0:Du-CISCO_0:27: sent IKE msg (R-U-THERE): 84.73.193.80:4500->194.230.155.139:45695, len=92, id=52b01269d36c2da2/de3cc6dd7a483dad:1f9b31c8
ike 0: comes 194.230.155.139:45695->84.73.193.80:4500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=52b01269d36c2da2/de3cc6dd7a483dad:d15bd8fe len=92
ike 0: in 52B01269D36C2DA2DE3CC6DD7A483DAD08100501D15BD8FE0000005CCD7010C1B5E287725079BBE4E639743CA0025C0EE61490614D22571C98050FC6D25154E5846F63AE47EC5F1D8AB0DBF9B9E9A1D357254A2D4A9862C4C4A77528
ike 0:Du-CISCO_0:27: dec 52B01269D36C2DA2DE3CC6DD7A483DAD08100501D15BD8FE0000005C0B000014126170797D30140F7FBFC02FC9F2AA6C000000200000000101108D2952B01269D36C2DA2DE3CC6DD7A483DAD0000000100000000000000000000000C
ike 0:Du-CISCO_0:27: notify msg received: R-U-THERE-ACK
ike 0:Du-CISCO_0:27: out 52B01269D36C2DA2DE3CC6DD7A483DAD08100601ECF0F3660000004C831E7D8F3F35B0A4B780A50AED68D7030E13F684F7EDF42739C1E61C4DE8E69CB953D79FF975526D7CAEB490E6B2B5BE
ike 0:Du-CISCO_0:27: sent IKE msg (CFG_RETRANS): 84.73.193.80:4500->194.230.155.139:45695, len=76, id=52b01269d36c2da2/de3cc6dd7a483dad:ecf0f366
ike shrank heap by 122880 bytes
ike 0: comes 194.230.155.139:45695->84.73.193.80:4500,ifindex=5....
ike 0: IKEv1 exchange=Mode config id=52b01269d36c2da2/de3cc6dd7a483dad:ecf0f366 len=92
ike 0: in 52B01269D36C2DA2DE3CC6DD7A483DAD08100601ECF0F3660000005CFF694EAA1AF17598250E51C97A6E6AF033B895A47946EE992AED314585A36DDD94866458134B07E1A388CB7A48EDA1A086166A72A1A8B16B9F67B9DF0853DA79
ike 0:Du-CISCO_0:27: dec 52B01269D36C2DA2DE3CC6DD7A483DAD08100601ECF0F3660000005C0E0000146A3135696C384CECB5C8E9D462D0CFA0000000200200280040890008636872696869747A408A00085369723168656C6C00000000000000000000000C
ike 0:Du-CISCO_0:27: received XAUTH_USER_NAME 'chrihitz' length 8
ike 0:Du-CISCO_0:27: received XAUTH_USER_PASSWORD length 8
ike 0:Du-CISCO_0: XAUTH user "chrihitz"
ike 0:Du-CISCO: auth group VPN-Users
ike 0:Du-CISCO_0: XAUTH succeeded for user "chrihitz" group "VPN-Users"
ike 0:Du-CISCO_0:27: enc 52B01269D36C2DA2DE3CC6DD7A483DAD08100601B02317850000003C0E000014CE407E67CA49B38C916EE73B890805FF0000000C03002800C08F0001
ike 0:Du-CISCO_0:27: out 52B01269D36C2DA2DE3CC6DD7A483DAD08100601B02317850000004C67AF99CFF0E108C143796DAE80C70BA8D76B63159A7E31F249DC6B274F5CB5217797DD3847F53B450AE792BEAE1FADCC
ike 0:Du-CISCO_0:27: sent IKE msg (cfg_send): 84.73.193.80:4500->194.230.155.139:45695, len=76, id=52b01269d36c2da2/de3cc6dd7a483dad:b0231785
ike 0: comes 194.230.155.139:45695->84.73.193.80:4500,ifindex=5....
ike 0: IKEv1 exchange=Mode config id=52b01269d36c2da2/de3cc6dd7a483dad:b0231785 len=76
ike 0: in 52B01269D36C2DA2DE3CC6DD7A483DAD08100601B02317850000004C09125A48CE8953DEDA05637B52D7BFE5236E30C7DF18CD7D8D734DC4A50536E0BB20FBA70110970C6E2EA15E9AF9DA66
ike 0:Du-CISCO_0:27: dec 52B01269D36C2DA2DE3CC6DD7A483DAD08100601B02317850000004C0E0000141872B18E728E80CC6FBD31F5228653280000000C04002800C08F000000000000000000000000000000000010
ike 0:Du-CISCO_0: link is idle 5 84.73.193.80->194.230.155.139:45695 dpd=1 seqno=2
ike 0:Du-CISCO_0:27: send IKEv1 DPD probe, seqno 2
ike 0:Du-CISCO_0:27: enc 52B01269D36C2DA2DE3CC6DD7A483DAD08100501A85A487A000000500B00001435824B9F2B1007FFC7B855310497FE0A000000200000000101108D2852B01269D36C2DA2DE3CC6DD7A483DAD00000002
ike 0:Du-CISCO_0:27: out 52B01269D36C2DA2DE3CC6DD7A483DAD08100501A85A487A0000005C24075946EA264803A45932E8A178701B2B40EC6E6C54D5C6729FC8F7ABC05B3D25493FD67A01F868862E563C06BA50999B189F92E18CEBF35C4C5899B2D7D36C
ike 0:Du-CISCO_0:27: sent IKE msg (R-U-THERE): 84.73.193.80:4500->194.230.155.139:45695, len=92, id=52b01269d36c2da2/de3cc6dd7a483dad:a85a487a
ike 0: comes 194.230.155.139:45695->84.73.193.80:4500,ifindex=5....
ike 0: IKEv1 exchange=Mode config id=52b01269d36c2da2/de3cc6dd7a483dad:57e487db len=172
ike 0: in 52B01269D36C2DA2DE3CC6DD7A483DAD0810060157E487DB000000AC58C4DE310B003750612DBFFDCB87F4B30731C33427AFD11675E76CA13961EB0B8818152A84084F3B5F295626B4F0AF0C2D632CEE7C4D2217497ACE00B34FA97B49355E7710F451E1ED5E2D82BE5F6DF376568A106F7B0D547FCD2E505A28EEA3541A7724E336225097D2D6DDCCC9BA9E4BD43BDAD0B2498C29F643AD87E2013343AE3A8A50810CF59E0D48D99602AB23
ike 0:Du-CISCO_0:27: dec 52B01269D36C2DA2DE3CC6DD7A483DAD0810060157E487DB000000AC0E00001480009B54C588C3496D49DA15D8E7B2F00000006E01004328000100000002000000030000000400000005000000070026436973636F2053797374656D732056504E20436C69656E7420382E333A6950686F6E65204F53700000007002000070030000700400007006000070070000700100007008000070090000700B0000000000000000000000000000000E
ike 0:Du-CISCO_0:27: mode-cfg type 1 request 0:''
ike 0:Du-CISCO_0:27: mode-cfg using allocated IPv4 192.168.222.210
ike 0:Du-CISCO_0:27: mode-cfg type 2 request 0:''
ike 0:Du-CISCO_0:27: mode-cfg type 3 request 0:''
ike 0:Du-CISCO_0:27: mode-cfg type 4 request 0:''
ike 0:Du-CISCO_0:27: mode-cfg WINS ignored, no WINS servers configured
ike 0:Du-CISCO_0:27: mode-cfg type 5 request 0:''
ike 0:Du-CISCO_0:27: mode-cfg type 7 request 38:'436973636F2053797374656D732056504E20436C69656E7420382E333A6950686F6E65204F53'
ike 0:Du-CISCO_0:27: mode-cfg received APPLICATION_VERSION Cisco Systems VPN Client 8.3:iPhone OSp
ike 0:Du-CISCO_0:27: mode-cfg type 28672 request 0:''
ike 0:Du-CISCO_0:27: mode-cfg UNITY type 28672 requested
ike 0:Du-CISCO_0:27: mode-cfg no banner configured, ignoring
ike 0:Du-CISCO_0:27: mode-cfg type 28674 request 0:''
ike 0:Du-CISCO_0:27: mode-cfg UNITY type 28674 requested
ike 0:Du-CISCO_0:27: mode-cfg no domain configured, ignoring
ike 0:Du-CISCO_0:27: mode-cfg type 28675 request 0:''
ike 0:Du-CISCO_0:27: mode-cfg UNITY type 28675 requested
ike 0:Du-CISCO_0:27: mode-cfg UNITY type 28675 not supported, ignoring
ike 0:Du-CISCO_0:27: mode-cfg type 28676 request 0:''
ike 0:Du-CISCO_0:27: mode-cfg UNITY type 28676 requested
ike 0:Du-CISCO_0:27: mode-cfg type 28678 request 0:''
ike 0:Du-CISCO_0:27: mode-cfg UNITY type 28678 requested
ike 0:Du-CISCO_0:27: mode-cfg type 28679 request 0:''
ike 0:Du-CISCO_0:27: mode-cfg UNITY type 28679 requested
ike 0:Du-CISCO_0:27: mode-cfg type 28673 request 0:''
ike 0:Du-CISCO_0:27: mode-cfg UNITY type 28673 requested
ike 0:Du-CISCO_0:27: mode-cfg type 28680 request 0:''
ike 0:Du-CISCO_0:27: mode-cfg UNITY type 28680 requested
ike 0:Du-CISCO_0:27: mode-cfg UNITY type 28680 not supported, ignoring
ike 0:Du-CISCO_0:27: mode-cfg type 28681 request 0:''
ike 0:Du-CISCO_0:27: mode-cfg UNITY type 28681 requested
ike 0:Du-CISCO_0:27: mode-cfg no backup-gateway configured, ignoring
ike 0:Du-CISCO_0:27: mode-cfg type 28683 request 0:''
ike 0:Du-CISCO_0:27: mode-cfg attribute type 28683 not supported, ignoring
ike 0:Du-CISCO_0:27: mode-cfg assigned (1) IPv4 address 192.168.222.210
ike 0:Du-CISCO_0:27: mode-cfg assigned (2) IPv4 netmask 255.255.255.255
ike 0:Du-CISCO_0:27: mode-cfg send (3) IPv4 DNS(1) 192.168.222.13
ike 0:Du-CISCO_0:27: PFS is disabled
ike 0:Du-CISCO_0:27: mode-cfg send APPLICATION_VERSION 'FortiGate-70D v5.2.3,build0670b670,150318 (GA)'
ike 0:Du-CISCO_0:27: mode-cfg INTERNAL_ADDRESS_EXPIRY ignored, address does not expire
ike 0:Du-CISCO_0:27: include-local-lan is disabled
ike 0:Du-CISCO_0:27: client save-password is disabled
ike 0:Du-CISCO_0:27: enc 52B01269D36C2DA2DE3CC6DD7A483DAD0810060157E487DB000000820E000014C78B97F0352D8B7D4A8603A132FE1501000000520200432800010004C0A8DED200020004FFFFFFFF00030004C0A8DE0D0007002E466F727469476174652D3730442076352E322E332C6275696C6430363730623637302C3135303331382028474129
ike 0:Du-CISCO_0:27: out 52B01269D36C2DA2DE3CC6DD7A483DAD0810060157E487DB0000008C2BB6625DF92D4560AB5BDD0C8C979A21F30C6BBAC46E479ED13314D160DE30944BCBD26FBABB4DF0A2253859A0B21C2C3D6444B4107324FD7ADF2A93A7B9C638D1E9A59E51D812C4ED561D5C812FF4FACBA5D17E40ADEBC0A8BF1799C4781E25CCFD1F119BF01B5C7A116D0BD716D273
ike 0:Du-CISCO_0:27: sent IKE msg (cfg_send): 84.73.193.80:4500->194.230.155.139:45695, len=140, id=52b01269d36c2da2/de3cc6dd7a483dad:57e487db
ike 0: comes 194.230.155.139:45695->84.73.193.80:4500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=52b01269d36c2da2/de3cc6dd7a483dad:3d30726c len=92
ike 0: in 52B01269D36C2DA2DE3CC6DD7A483DAD081005013D30726C0000005CF701D2A1737509DF5B135BFA840F3CBCEA45D873D0840976DF39C715B1C3537A85B215564C62DC0E6366EBEDA41B0329CA68DDA941552322DD8B46E4C29E0088
ike 0:Du-CISCO_0:27: dec 52B01269D36C2DA2DE3CC6DD7A483DAD081005013D30726C0000005C0B0000144C8607077C4760EAF2B809DDCED922F2000000200000000101108D2952B01269D36C2DA2DE3CC6DD7A483DAD0000000200000000000000000000000C
ike 0:Du-CISCO_0:27: notify msg received: R-U-THERE-ACK
ike 0: comes 194.230.155.139:45695->84.73.193.80:4500,ifindex=5....
ike 0: IKEv1 exchange=Quick id=52b01269d36c2da2/de3cc6dd7a483dad:4b3eea32 len=284
ike 0: in 52B01269D36C2DA2DE3CC6DD7A483DAD081020014B3EEA320000011CE53F941E30F7DC78AC4EEF4E34BE63CF8320718CFD9F11450976EF5F4A9472A84F4A94B27C3A87E9F938A3E16E6CDC64D089A2FA11518AD8844D51F6092CF580DE10606565782F21F9E7DBD2EDDED9594DB8C063379E85C566B5A123D4499865E800175320BF2EB0B95BF244A55B4DF316C7261BE3E4DF7AE2D4ABD7B5630D3E6724E8B93B1F038AF04E0ADC20CEF68A6E3F425B601E216D74939A43F4F1E52D0FB97716C4A4109D507A604236AF150EB2F2004329D7666F8D3B6277F1A6D7B4CF5B449F5E20966C3CBB34706C3D4B39796FCAFAA459B738847C4F7A568D437D215C0DED6D41C9F5381538B7DDEB633C0F0BD5F927A8AFBCD98B2D3E098E36AC
ike 0:Du-CISCO_0:27:3158: responder received first quick-mode message
ike 0:Du-CISCO_0:27: dec 52B01269D36C2DA2DE3CC6DD7A483DAD081020014B3EEA320000011C01000014256CBBA04EF13C1E6884168C133F77650A0000B80000000100000001000000AC010304060B9631960300001C010C00008001000180020E108004000380060100800500020300001C020C00008001000180020E108004000380060100800500010300001C030C00008001000180020E108004000380060080800500020300001C040C00008001000180020E1080040003800600808005000103000018050300008001000180020E10800400038005000200000018060300008001000180020E10800400038005000105000014DE5C44BB53B20F7B3EBFDE3DF38A548B0500000C01000000C0A8DED20000001004000000000000000000000000000004
ike 0:Du-CISCO_0:27:3158: peer proposal is: peer:0:192.168.222.210-192.168.222.210:0, me:0:0.0.0.0-255.255.255.255:0
ike 0:Du-CISCO_0:27:Du-CISCO:3158: trying
ike 0:Du-CISCO_0:27:Du-CISCO:3158: matched phase2
ike 0:Du-CISCO_0:27:Du-CISCO:3158: dynamic client
ike 0:Du-CISCO_0:27:Du-CISCO:3158: my proposal:
ike 0:Du-CISCO_0:27:Du-CISCO:3158: proposal id = 1:
ike 0:Du-CISCO_0:27:Du-CISCO:3158: protocol id = IPSEC_ESP:
ike 0:Du-CISCO_0:27:Du-CISCO:3158: trans_id = ESP_AES (key_len = 256)
ike 0:Du-CISCO_0:27:Du-CISCO:3158: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:Du-CISCO_0:27:Du-CISCO:3158: type = AUTH_ALG, val=MD5
ike 0:Du-CISCO_0:27:Du-CISCO:3158: trans_id = ESP_AES (key_len = 256)
ike 0:Du-CISCO_0:27:Du-CISCO:3158: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:Du-CISCO_0:27:Du-CISCO:3158: type = AUTH_ALG, val=SHA1
ike 0:Du-CISCO_0:27:Du-CISCO:3158: incoming proposal:
ike 0:Du-CISCO_0:27:Du-CISCO:3158: proposal id = 1:
ike 0:Du-CISCO_0:27:Du-CISCO:3158: protocol id = IPSEC_ESP:
ike 0:Du-CISCO_0:27:Du-CISCO:3158: trans_id = ESP_AES (key_len = 256)
ike 0:Du-CISCO_0:27:Du-CISCO:3158: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
ike 0:Du-CISCO_0:27:Du-CISCO:3158: type = AUTH_ALG, val=SHA1
ike 0:Du-CISCO_0:27:Du-CISCO:3158: trans_id = ESP_AES (key_len = 256)
ike 0:Du-CISCO_0:27:Du-CISCO:3158: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
ike 0:Du-CISCO_0:27:Du-CISCO:3158: type = AUTH_ALG, val=MD5
ike 0:Du-CISCO_0:27:Du-CISCO:3158: trans_id = ESP_AES (key_len = 128)
ike 0:Du-CISCO_0:27:Du-CISCO:3158: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
ike 0:Du-CISCO_0:27:Du-CISCO:3158: type = AUTH_ALG, val=SHA1
ike 0:Du-CISCO_0:27:Du-CISCO:3158: trans_id = ESP_AES (key_len = 128)
ike 0:Du-CISCO_0:27:Du-CISCO:3158: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
ike 0:Du-CISCO_0:27:Du-CISCO:3158: type = AUTH_ALG, val=MD5
ike 0:Du-CISCO_0:27:Du-CISCO:3158: trans_id = ESP_3DES
ike 0:Du-CISCO_0:27:Du-CISCO:3158: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
ike 0:Du-CISCO_0:27:Du-CISCO:3158: type = AUTH_ALG, val=SHA1
ike 0:Du-CISCO_0:27:Du-CISCO:3158: trans_id = ESP_3DES
ike 0:Du-CISCO_0:27:Du-CISCO:3158: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
ike 0:Du-CISCO_0:27:Du-CISCO:3158: type = AUTH_ALG, val=MD5
ike 0:Du-CISCO_0:27:Du-CISCO:3158: negotiation result
ike 0:Du-CISCO_0:27:Du-CISCO:3158: proposal id = 1:
ike 0:Du-CISCO_0:27:Du-CISCO:3158: protocol id = IPSEC_ESP:
ike 0:Du-CISCO_0:27:Du-CISCO:3158: trans_id = ESP_AES (key_len = 256)
ike 0:Du-CISCO_0:27:Du-CISCO:3158: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:Du-CISCO_0:27:Du-CISCO:3158: type = AUTH_ALG, val=SHA1
ike 0:Du-CISCO_0:27:Du-CISCO:3158: using udp tunnel mode.
ike 0:Du-CISCO_0:27:Du-CISCO:3158: replay protection enabled
ike 0:Du-CISCO_0:27:Du-CISCO:3158: SA life soft seconds=3589.
ike 0:Du-CISCO_0:27:Du-CISCO:3158: SA life hard seconds=3600.
ike 0:Du-CISCO_0:27:Du-CISCO:3158: IPsec SA selectors #src=1 #dst=1
ike 0:Du-CISCO_0:27:Du-CISCO:3158: src 0 7 0:0.0.0.0-255.255.255.255:0
ike 0:Du-CISCO_0:27:Du-CISCO:3158: dst 0 7 0:192.168.222.210-192.168.222.210:0
ike 0:Du-CISCO_0:27:Du-CISCO:3158: add dynamic IPsec SA selectors
ike 0:Du-CISCO_0:3158: enable proxy ARP for 192.168.222.210 on 28
ike 0:Du-CISCO_0:3158: add route 192.168.222.210/255.255.255.255 oif Du-CISCO_0(55) metric 15 priority 0
ike 0:Du-CISCO_0:27:Du-CISCO:3158: tunnel 1 of VDOM limit 0/0
ike 0:Du-CISCO_0:27:Du-CISCO:3158: add IPsec SA: SPIs=d24c2112/0b963196
ike 0:Du-CISCO_0:27:Du-CISCO:3158: IPsec SA dec spi d24c2112 key 32:920732800291DA71DEA7FAA050C46E29D46B5E3A921F11AFB5A5B4E1971BCA2A auth 20:8D6309A02EC872B61BE8A5F0532ED07B84B31738
ike 0:Du-CISCO_0:27:Du-CISCO:3158: IPsec SA enc spi 0b963196 key 32:4E8985BFA50F019CCCFB05A11B257DC688B3399861265812CC261EEE0998B265 auth 20:DB55221F157EB6E9CA809CE8695EB0F3A688E58A
ike 0:Du-CISCO_0:27:Du-CISCO:3158: added IPsec SA: SPIs=d24c2112/0b963196
ike 0:Du-CISCO_0:27:Du-CISCO:3158: sending SNMP tunnel UP trap
ike 0:Du-CISCO_0:27: enc 52B01269D36C2DA2DE3CC6DD7A483DAD081020014B3EEA320000009401000014ABF7193DBDF187BCADF8D2B1AB31DBAF0A00003400000001000000010000002801030401D24C21120000001C010C00008001000180020E10800400038006010080050002050000143C3D96BB89D07295929B7DA2B290300A0500000C01000000C0A8DED200000010040000000000000000000000
ike 0:Du-CISCO_0:27: out 52B01269D36C2DA2DE3CC6DD7A483DAD081020014B3EEA320000009C49740287E6E397257F8B13BE24DC4D9A45829615D076F18B68EB899F547EC98E19156C8EC63CC0A9290832D8ADC889A17A9EDE97C04C4AC5C32E66C8F71EDCA09D222FD3D91987B19B25CB961661B5BCD952A8315BC1FAD274D5BAB6FB6CFCED02A5D7799F4D8706A86BA5FF5DF12327DD11743AACFE25ADCE838A21F65884E8
ike 0:Du-CISCO_0:27: sent IKE msg (quick_r1send): 84.73.193.80:4500->194.230.155.139:45695, len=156, id=52b01269d36c2da2/de3cc6dd7a483dad:4b3eea32
ike 0: comes 194.230.155.139:45695->84.73.193.80:4500,ifindex=5....
ike 0: IKEv1 exchange=Quick id=52b01269d36c2da2/de3cc6dd7a483dad:4b3eea32 len=60
ike 0: in 52B01269D36C2DA2DE3CC6DD7A483DAD081020014B3EEA320000003C4EB0C8DDB39E8D257C1166489735E356549BCD0A609031D742018C845F4365B6
ike 0:Du-CISCO_0:27: dec 52B01269D36C2DA2DE3CC6DD7A483DAD081020014B3EEA320000003C00000014A525456084FCA5588FF63BD93A8573E700000000000000000000000C
ike 0:Du-CISCO_0:Du-CISCO:3158: send SA_DONE SPI 0xb963196
ike 0: comes 194.230.155.139:45695->84.73.193.80:4500,ifindex=5....
ike 0: IKEv1 exchange=Quick id=52b01269d36c2da2/de3cc6dd7a483dad:4b3eea32 len=60
ike 0: in 52B01269D36C2DA2DE3CC6DD7A483DAD081020014B3EEA320000003C4EB0C8DDB39E8D257C1166489735E356549BCD0A609031D742018C845F4365B6
ike 0:Du-CISCO_0:27:Du-CISCO:3158: retransmission, ignored since still generating response
ike 0: comes 194.230.155.139:45695->84.73.193.80:4500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=52b01269d36c2da2/de3cc6dd7a483dad:83d48a34 len=76
ike 0: in 52B01269D36C2DA2DE3CC6DD7A483DAD0810050183D48A340000004C83BC63397C5059C956E6000ABB9E0706B8404445A05C85E93DEB4A445C47BE0972EAE987A511975C59E15BE80D02674A
ike 0:Du-CISCO_0:27: dec 52B01269D36C2DA2DE3CC6DD7A483DAD0810050183D48A340000004C0C0000140E0968A3529F7308BF1A4473DF9174230000001000000001030400010B96319600000000000000000000000C
ike 0:Du-CISCO_0:27: recv IPsec SA delete, spi count 1
ike 0:Du-CISCO_0: deleting IPsec SA with SPI 0b963196
ike 0:Du-CISCO_0:Du-CISCO: deleted IPsec SA with SPI 0b963196, SA count: 0
ike 0:Du-CISCO_0: sending SNMP tunnel DOWN trap for Du-CISCO
ike 0:Du-CISCO_0:3158: disable proxy ARP for 192.168.222.210 on 28
ike 0:Du-CISCO_0:3158: del route 192.168.222.210/255.255.255.255 oif Du-CISCO_0(55) metric 15 priority 0
ike 0:Du-CISCO_0:Du-CISCO: delete
ike 0: comes 194.230.155.139:45695->84.73.193.80:4500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=52b01269d36c2da2/de3cc6dd7a483dad:34cc99f1 len=92
ike 0: in 52B01269D36C2DA2DE3CC6DD7A483DAD0810050134CC99F10000005C96016F4F93A4C8521E3D47D5C00D38E824054A389C4AB246631B0B1533AB458C57ADA697A0FD7A8B4E9B18B3653DFFD384958D3800EACB48E249F3E29B17816A
ike 0:Du-CISCO_0:27: dec 52B01269D36C2DA2DE3CC6DD7A483DAD0810050134CC99F10000005C0C000014ECBEB99D0ACCAD6C9AF31E631C178DA20000001C000000010110000152B01269D36C2DA2DE3CC6DD7A483DAD00000000000000000000000000000010
ike 0:Du-CISCO_0:27: recv ISAKMP SA delete 52b01269d36c2da2/de3cc6dd7a483dad
ike 0:Du-CISCO_0: deleting
ike 0:Du-CISCO_0: flushing
ike 0:Du-CISCO_0: sending SNMP tunnel DOWN trap
ike 0:Du-CISCO_0: flushed
ike 0:Du-CISCO_0: mode-cfg release 192.168.222.210/255.255.255.255
ike 0:Du-CISCO_0: delete dynamic
ike 0:Du-CISCO_0: reset NAT-T
ike 0:Du-CISCO_0: deleted
ike shrank heap by 139264 bytes
I dont see any DHCP requests :(
Exactly...
(more or less) mode-cfg = address range
no mode-cfg = DHCP-over-IPSec
From what I've seen, anyway.
If anyone has tailored this to work in the field between mode-cfg clients and VPN servers with multiple scopes, I'll defer to them.
Regards, Chris McMullan Fortinet Ottawa
hmmm....
is there some guide or how to for this?
But until now many thanks for your input :)
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.