hi all.
I have two Fortigates running 5.2 and 5.4 - the 5.4 (30E) is behind a NAT device - thus nat'ing its outbound traffic.
For some reason I am unable to get this vpn up n runnin. I have been trough all of google allready :) .. The thing is I keep getting this on the 5.2 (thats the device I am connecting to)
ke 2: cache dirty, wait for rebuild ike 2:1995709eec1ddf64/0000000000000000:13895: incoming proposal: ike 2:1995709eec1ddf64/0000000000000000:13895: proposal id = 0: ike 2:1995709eec1ddf64/0000000000000000:13895: protocol id = ISAKMP: ike 2:1995709eec1ddf64/0000000000000000:13895: trans_id = KEY_IKE. ike 2:1995709eec1ddf64/0000000000000000:13895: encapsulation = IKE/none ike 2:1995709eec1ddf64/0000000000000000:13895: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC. ike 2:1995709eec1ddf64/0000000000000000:13895: type=OAKLEY_HASH_ALG, val=SHA. ike 2:1995709eec1ddf64/0000000000000000:13895: type=AUTH_METHOD, val=PRESHARED_KEY. ike 2:1995709eec1ddf64/0000000000000000:13895: type=OAKLEY_GROUP, val=MODP1024. ike 2:1995709eec1ddf64/0000000000000000:13895: ISAKMP SA lifetime=25000 ike 2:1995709eec1ddf64/0000000000000000:13895: negotiation failure ike Negotiate ISAKMP SA Error: ike 2:1995709eec1ddf64/0000000000000000:13895: no SA proposal chosen
And thats pretty much it.. I have tried tuning all kinds - but no way... I have made sure my policy is ok for traffik, NAT-t . routing.. PSK is checked and checked again, and again. I have made very - very - sure that proposals match on both phase1 and phase 2... and now I am stuck.
Note that I need to have this running over NAT, its not an option to not have this in place...
anyone ? :)
"packet sniffer tells me that the only traffic my 30e is sending..is the port 500"
--this means that the NAT-Discovery doesn't work. Neither of sites is aware of that NAT device exists. And also from your post, it sounds like you are trying to setup a site-to-site VPN with NAT-T, correct? If it's the case, then it is not possible. The NAT-T works with dialup--dynamic only.
If it's the case, then it is not possible. The NAT-T works with dialup--dynamic only.
No not incorrect NAT-T should be enabled by default and site2site or dynamic can use it.
example
set nattraversal {enable | disable | forced} Enable/disable NAT traversal
PCNSE
NSE
StrongSwan
Technically, the tunnel might be up with some special configurations. However, I don't think it's a good idea for the following reasons.
1, after NAT, the src-IP is changed which is not the same with the remote-gw in ph1 setting on the other side. Thus, the tunnel can't be up. Yes, you might get it up by changing the remote-gw to the NATed IP, however, this is not a normal setup. And if NATed IP is changed, the tunnel turns down.
2, the NATed IP is usually shared by a lot of clients, not only for IPSEC. Therefore, this setting brings potential security risks.
Again not 100% correct, if it's a single NAT ( 1 to 1 ) and used in this case by the OP, FG30E than your statement is not relevant . He would still need NAT-T btw since the udp.port ( src ) will change. The IKE messages typically see in udp.port 500 originate from a udp.port 500.
With NAT-T is a designation udp.port 4500 { only } and the src.port is any dynamic_range. This is because of the NAT device can and will change the origination address.
Since he mention DDNS, I'm assuming he has a address for that FQDNS. He can set a local.id type if so desired if had numerous tunnel , but he has NOT made any indication of such.
Further, NAT-T and it's IKE-KA is again for reliability of nat-table and ensure the ephemeral sessions at the NAT device ( in his example FG200D ), does not close the session causing a stale IKE tunnel.
BTW , I have at least 12 or more tunnels from my FWF60D at home to various endpoints . My FWF60D sits behind a ISP nat cable-modem. I also use DNS btw.
Ken
PCNSE
NSE
StrongSwan
Hi guys ! :)
Yeah I have DDNS, so my WAN nic on the 30E is registerd with a fqdn that matches the NAT ip of the 200D. I was sure that this would work fine with NAT-T, and as an addition I also have tried setting the peer-id on both nodes (30 and 90 node) - so that instead on "any peer id" I have chosen a specific one for remote and local, making sure it matches on both ends. I have tried this in combination with toggeling ikev1 and ikev2 - as you probably understand - this is a very tedious task..
For the 90 node, I have made several tries. I have in the 90 config made sure to define the 30 as both dialup, ddns and static... As of now I am testing with just setting the static ip of my 30E (the NAT address of the 200).. but still no go.
It is interesting, the bit about NAT.. I have not thougt about this at all. But I would probably be wise to go inn and kill of IKE sessions in that firewall before testing. I do see that they are not closed - but then again it might be so that I should kill of old sessions before testing again ? Would I really need to do that ? -- thinking of this issue, it has to have something to do with the 200D....
COULD YOU PLEASE CHECK BY DISABLING THE NAT TRAVERSAL IN THE INITIATER END ( THAT IS SUBNET GETTING NATTED INBETWEEN)
I THINK THIS WILL SOLVE YOUR ISSUE.
Nope - :( That didnt work.
"As of now I am testing with just setting the static ip of my 30E (the NAT address of the 200).. but still no go."
--Is this a 1v1 NAT in 200D? Try to add fixed port in firewall policy on 200D and then give a try on using/not using nat-t on both ends. Don't forget now the remote-gw on 90D to the NATed IP. If still no luck, post the output of 'diag debug application ike -1'
PM me and I cn fix your issues. You been struggling with this for some time. If the transient firewall is passing the IKE between the two and no other filtering devices, you should already been up with the config sent earlier FWIW
PCNSE
NSE
StrongSwan
Thanks EMNOC, next time I'm in Austin Ill buy you a beer.....maybe even two :) , pm sent.
As of now, I have scrapped the 90D box that wont accept the IKE from my 30E. I reconfigured it to a 60D that I have on the internet, and then everything works fine. Same setup on the 30E site, ddns, nat and so on....
Why the 90D wont accept I don't know. It runs vdoms, uptime 415 days and firmware is 5.2.6.711... I have raised ticket to have that node updated with new-er firmware and get a boot. I hope and think this will resolve it.. If not I am taking money out of my own pocket, and will buy the customer a new cluster :)
I have also had a ticket with Fortinet - spent near 3 hours with them debugging yesterday. They also concluded that all config was fine. All good.. So I will be working with them today and have them look at the 90D thingy - maybe do some system debugging or something. I will post an update on this..
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.