vinceneil666
Contributor

VPN, phase one stuck.

hi all.

I have two FortiGates running 5.2 and 5.4 - the 5.4 (30E) is behind a NAT device, thus NATing its outbound traffic.

 

For some reason I am unable to get this VPN up and running. I have been through all of Google already :) .. The thing is, I keep getting this on the 5.2 (that's the device I am connecting to):

 

ike 2: cache dirty, wait for rebuild
ike 2:1995709eec1ddf64/0000000000000000:13895: incoming proposal:
ike 2:1995709eec1ddf64/0000000000000000:13895: proposal id = 0:
ike 2:1995709eec1ddf64/0000000000000000:13895: protocol id = ISAKMP:
ike 2:1995709eec1ddf64/0000000000000000:13895: trans_id = KEY_IKE.
ike 2:1995709eec1ddf64/0000000000000000:13895: encapsulation = IKE/none
ike 2:1995709eec1ddf64/0000000000000000:13895: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 2:1995709eec1ddf64/0000000000000000:13895: type=OAKLEY_HASH_ALG, val=SHA.
ike 2:1995709eec1ddf64/0000000000000000:13895: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 2:1995709eec1ddf64/0000000000000000:13895: type=OAKLEY_GROUP, val=MODP1024.
ike 2:1995709eec1ddf64/0000000000000000:13895: ISAKMP SA lifetime=25000
ike 2:1995709eec1ddf64/0000000000000000:13895: negotiation failure
ike Negotiate ISAKMP SA Error:
ike 2:1995709eec1ddf64/0000000000000000:13895: no SA proposal chosen

 

And that's pretty much it.. I have tried tuning all kinds of things - but no way... I have made sure my policy is OK for traffic, NAT-T, routing.. PSK is checked and checked again, and again. I have made very - very - sure that proposals match on both phase 1 and phase 2... and now I am stuck.

 

Note that I need to have this running over NAT, it's not an option to not have this in place...

 

anyone ? :)
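Added example, not from the thread and not Fortinet code: a small Python parser for the 'diag debug application ike -1' output quoted above. It pulls the peer's phase-1 transforms and the failure reason out of the log, flags that an all-zero responder SPI means the rejection happened on the initiator's very first message (before anything derived from the PSK has been exchanged), and compares what the peer sent against a local proposal table to name the attribute with no match. LOCAL_PROPOSALS is an assumed responder configuration used only for the illustration; the debug text is the one from the post.

```python
"""Parse FortiGate 'diag debug application ike -1' output for a failed IKEv1
phase 1: what the peer offered and why nothing on this side matched.

Added example for this thread, not Fortinet code. SAMPLE_DEBUG is the log quoted
in the original post, one message per line. LOCAL_PROPOSALS is an assumed
phase-1 table for the responder, used only to locate the mismatch."""
import re
from typing import Dict, List, Optional

# Tagged line: "ike <ctx>:<initiator SPI>/<responder SPI>:<seq>: <message>"
_LINE_RE = re.compile(
    r"^ike\s+\d+:(?P<init>[0-9a-f]{16})/(?P<resp>[0-9a-f]{16}):\d+:\s*(?P<msg>.*)$")
_ATTR_RE = re.compile(r"type=(?P<type>\w+),\s*val=(?P<val>\w+)")
_LIFETIME_RE = re.compile(r"ISAKMP SA lifetime=(?P<sec>\d+)")
# FortiGate transform attribute names -> keys of the local proposal table
_ATTR_TO_KEY = {"OAKLEY_ENCRYPT_ALG": "enc", "OAKLEY_HASH_ALG": "hash",
                "OAKLEY_GROUP": "dh", "AUTH_METHOD": "auth"}

SAMPLE_DEBUG = """\
ike 2: cache dirty, wait for rebuild
ike 2:1995709eec1ddf64/0000000000000000:13895: incoming proposal:
ike 2:1995709eec1ddf64/0000000000000000:13895: proposal id = 0:
ike 2:1995709eec1ddf64/0000000000000000:13895: protocol id = ISAKMP:
ike 2:1995709eec1ddf64/0000000000000000:13895: trans_id = KEY_IKE.
ike 2:1995709eec1ddf64/0000000000000000:13895: encapsulation = IKE/none
ike 2:1995709eec1ddf64/0000000000000000:13895: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 2:1995709eec1ddf64/0000000000000000:13895: type=OAKLEY_HASH_ALG, val=SHA.
ike 2:1995709eec1ddf64/0000000000000000:13895: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 2:1995709eec1ddf64/0000000000000000:13895: type=OAKLEY_GROUP, val=MODP1024.
ike 2:1995709eec1ddf64/0000000000000000:13895: ISAKMP SA lifetime=25000
ike 2:1995709eec1ddf64/0000000000000000:13895: negotiation failure
ike Negotiate ISAKMP SA Error:
ike 2:1995709eec1ddf64/0000000000000000:13895: no SA proposal chosen
"""

# Assumed responder configuration (not from the thread): AES only, no MODP1024.
LOCAL_PROPOSALS: List[Dict[str, str]] = [
    {"enc": "AES_CBC", "hash": "SHA256", "dh": "MODP2048", "auth": "PRESHARED_KEY"},
    {"enc": "AES_CBC", "hash": "SHA", "dh": "MODP1536", "auth": "PRESHARED_KEY"},
]

def parse_ike_debug(text: str) -> dict:
    """Collect SPIs, transform attributes, lifetime and the failure reason."""
    parsed = {"initiator_spi": None, "responder_spi": None, "attributes": {},
              "lifetime": None, "failed": False, "error": None}
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if not m:
            continue  # untagged lines ("cache dirty", "... SA Error:") carry nothing we need
        parsed["initiator_spi"], parsed["responder_spi"] = m["init"], m["resp"]
        msg = m["msg"]
        attr = _ATTR_RE.search(msg)
        life = _LIFETIME_RE.search(msg)
        if attr:
            parsed["attributes"][attr["type"]] = attr["val"]
        elif life:
            parsed["lifetime"] = int(life["sec"])
        elif msg.startswith("negotiation failure"):
            parsed["failed"] = True
        elif parsed["failed"] and parsed["error"] is None:
            parsed["error"] = msg.rstrip(".")  # first tagged line after the failure names the cause
    return parsed

def is_initial_message(parsed: dict) -> bool:
    """All-zero responder SPI (cookie): the responder has not answered yet, so the
    rejected packet is the initiator's first message. It carries the SA proposal
    and nothing derived from the PSK, so this failure is not a wrong pre-shared key."""
    return parsed["responder_spi"] == "0" * 16

def peer_proposal(parsed: dict) -> Dict[str, str]:
    """The peer's transform in the local table's vocabulary."""
    return {_ATTR_TO_KEY[t]: v for t, v in parsed["attributes"].items() if t in _ATTR_TO_KEY}

def find_matching_local_proposal(parsed: dict, local: List[Dict[str, str]]) -> Optional[int]:
    """Index of the first local proposal the peer satisfies, else None ('no SA proposal chosen')."""
    peer = peer_proposal(parsed)
    for i, candidate in enumerate(local):
        if all(candidate.get(k) == v for k, v in peer.items()):
            return i
    return None

def explain_mismatch(parsed: dict, local: List[Dict[str, str]]) -> List[str]:
    """One reason per attribute value no local proposal accepts; if every value is
    accepted somewhere but never together, say so."""
    peer, reasons = peer_proposal(parsed), []
    for key, peer_val in sorted(peer.items()):
        accepted = sorted({p[key] for p in local if key in p})
        if peer_val not in accepted:
            reasons.append(f"{key}: peer sent {peer_val}, local accepts {', '.join(accepted)}")
    if not reasons and find_matching_local_proposal(parsed, local) is None:
        reasons.append("every value is accepted individually, but not in the combination the peer sent")
    return reasons

if __name__ == "__main__":
    result = parse_ike_debug(SAMPLE_DEBUG)
    print("peer offered:", peer_proposal(result), "| failed:", result["failed"], "-", result["error"])
    print("rejected on the initiator's first message:", is_initial_message(result))
    for reason in explain_mismatch(result, LOCAL_PROPOSALS):
        print(" -", reason)
```

Against the assumed table the script reports that MODP1024 and 3DES_CBC are not offered by any local proposal; swapping in a table that does contain the peer's exact combination returns a match index instead. Because the responder cookie in the quoted log is all zeros, the check also confirms the rejection happened before the pre-shared key could have mattered.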

kurtli_FTNT

"packet sniffer tells me that the only traffic my 30e is sending..is the port 500"

--This means that NAT discovery doesn't work. Neither site is aware that the NAT device exists. Also, from your post, it sounds like you are trying to set up a site-to-site VPN with NAT-T, correct? If that's the case, then it is not possible. NAT-T works with dialup (dynamic) only.

emnoc
Esteemed Contributor III

"If it's the case, then it is not possible. The NAT-T works with dialup--dynamic only."

 

 

No, that's incorrect. NAT-T should be enabled by default, and site-to-site or dynamic can use it.

 

Example:

  set nattraversal {enable | disable | forced}   Enable/disable NAT traversal

 

PCNSE NSE StrongSwan
kurtli_FTNT

Technically, the tunnel might come up with some special configurations. However, I don't think it's a good idea, for the following reasons.

1. After NAT, the src IP is changed, so it is not the same as the remote-gw in the ph1 setting on the other side. Thus, the tunnel can't come up. Yes, you might get it up by changing the remote-gw to the NATed IP; however, this is not a normal setup. And if the NATed IP changes, the tunnel goes down.

2. The NATed IP is usually shared by a lot of clients, not only for IPsec. Therefore, this setting brings potential security risks.

 

emnoc
Esteemed Contributor III

Again, not 100% correct. If it's a single NAT (1-to-1), as used in this case by the OP with the FG30E, then your statement is not relevant. He would still need NAT-T, btw, since the UDP source port will change. The IKE messages typically seen on udp port 500 originate from udp port 500.

 

With NAT-T the destination is udp port 4500 (only) and the source port is any dynamic range. This is because the NAT device can and will change the origination address.

 

Since he mentioned DDNS, I'm assuming he has an address for that FQDN. He could set a local ID type if so desired if he had numerous tunnels, but he has NOT made any indication of such.

 

Further, NAT-T and its IKE keepalive are again for reliability of the NAT table, and ensure the ephemeral sessions at the NAT device (in his example the FG200D) do not close, causing a stale IKE tunnel.

 

BTW, I have at least 12 or more tunnels from my FWF60D at home to various endpoints. My FWF60D sits behind an ISP NAT cable modem. I also use DNS, btw.

 

Ken

 

 

PCNSE NSE StrongSwan
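Added example, not from the thread and not Fortinet code, illustrating the udp/500 versus udp/4500 point made above and the earlier "only port 500" sniffer observation: a Python classifier for the UDP datagrams NAT-T produces, following RFC 3947/3948 (four zero bytes as the non-ESP marker in front of IKE on 4500, a non-zero ESP SPI otherwise, and a one-byte 0xFF NAT keepalive). The sample datagrams are constructed; the initiator cookie is taken from the OP's debug output, while the responder cookie, ESP SPI and payload bytes are made up.

```python
"""Classify what a sniffer shows between two IPsec peers on udp/500 and
udp/4500: plain IKE, IKE behind the NAT-T non-ESP marker, UDP-encapsulated
ESP and NAT keepalives (RFC 3947/3948).

Added example for this thread, not Fortinet code. The datagrams below are
constructed; a real check would feed UDP payloads from a capture."""
import struct
from collections import Counter
from typing import Dict, List, Optional, Tuple

IKE_PORT, NATT_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 2.2: marks IKE (not ESP) on udp/4500
NAT_KEEPALIVE = b"\xff"               # RFC 3948 2.3: one-byte keepalive on udp/4500

# ISAKMP header (RFC 2408 3.1): initiator SPI, responder SPI, next payload,
# version, exchange type, flags, message ID, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXCHANGE_NAMES = {2: "main mode", 4: "aggressive mode", 5: "informational",
                  32: "quick mode", 34: "IKE_SA_INIT", 35: "IKE_AUTH"}

def parse_isakmp_header(payload: bytes) -> dict:
    if len(payload) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    init, resp, _nxt, ver, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(payload)
    return {"initiator_spi": init.hex(), "responder_spi": resp.hex(),
            "version": f"{ver >> 4}.{ver & 0xF}",
            "exchange": EXCHANGE_NAMES.get(exch, f"type {exch}"),
            "flags": flags, "message_id": msg_id, "length": length}

def classify_udp(dst_port: int, payload: bytes) -> Tuple[str, Optional[dict]]:
    """Label one datagram by destination port and leading bytes. The source
    port is ignored on purpose: a NAT device rewrites it, which is why the
    NAT-T float to 4500 exists at all."""
    if dst_port == IKE_PORT:
        return "ike", parse_isakmp_header(payload)
    if dst_port == NATT_PORT:
        if payload == NAT_KEEPALIVE:
            return "nat-keepalive", None
        if len(payload) < 4:
            return "malformed", None
        if payload[:4] == NON_ESP_MARKER:
            return "ike-natt", parse_isakmp_header(payload[4:])
        (spi,) = struct.unpack_from("!I", payload)  # an ESP SPI is never 0, so no clash with the marker
        return "esp-udp", {"spi": spi}
    return "other", None

def summarize(datagrams: List[Tuple[int, bytes]]) -> Dict[str, object]:
    """Counts per class plus a verdict on whether the peers ever moved to 4500."""
    counts = Counter(classify_udp(port, data)[0] for port, data in datagrams)
    floated = any(counts[k] for k in ("ike-natt", "esp-udp", "nat-keepalive"))
    if floated:
        verdict = "NAT-T in use: traffic on udp/4500"
    elif counts["ike"]:
        verdict = "only udp/500 seen: peers never floated to 4500 (NAT not detected or NAT-T not negotiated)"
    else:
        verdict = "no IKE/IPsec traffic"
    return {"counts": dict(counts), "floated_to_4500": floated, "verdict": verdict}

def build_ike(init_spi: bytes, resp_spi: bytes, exchange: int, body: bytes) -> bytes:
    """Constructed IKEv1 message: next payload 1 (SA), version 1.0, flags 0, msg ID 0."""
    return ISAKMP_HDR.pack(init_spi, resp_spi, 1, 0x10, exchange, 0, 0,
                           ISAKMP_HDR.size + len(body)) + body

# Constructed samples. The initiator cookie is the one in the OP's debug
# output; the responder cookie, ESP SPI and payload bytes are made up.
INIT_SPI = bytes.fromhex("1995709eec1ddf64")
RESP_SPI = bytes.fromhex("6a3f0c9b12d4e5f7")
MM1 = build_ike(INIT_SPI, bytes(8), 2, bytes(24))  # main-mode msg 1: responder cookie still zero
STUCK_CAPTURE = [(IKE_PORT, MM1)] * 3             # what the OP's sniffer showed: retransmits on 500 only
HEALTHY_CAPTURE = [
    (IKE_PORT, MM1),
    (NATT_PORT, NON_ESP_MARKER + build_ike(INIT_SPI, RESP_SPI, 2, bytes(24))),  # IKE after the float
    (NATT_PORT, struct.pack("!II", 0x0A1B2C3D, 1) + bytes(16)),               # ESP SPI, seq, ciphertext
    (NATT_PORT, NAT_KEEPALIVE),
]

if __name__ == "__main__":
    for name, capture in (("stuck", STUCK_CAPTURE), ("healthy", HEALTHY_CAPTURE)):
        print(name, summarize(capture))
```

Run against the "stuck" sample the verdict is the situation described in the thread: IKE on udp/500 only, nothing ever on 4500, so either NAT was not detected during phase 1 or NAT-T was not negotiated by both ends. The "healthy" sample shows the three kinds of udp/4500 traffic a working NAT-T tunnel produces, which is what to look for in a sniffer on the outside of the NAT device.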
vinceneil666

Hi guys ! :) 

 

Yeah, I have DDNS, so my WAN NIC on the 30E is registered with an FQDN that matches the NAT IP of the 200D. I was sure that this would work fine with NAT-T, and in addition I have also tried setting the peer ID on both nodes (30 and 90 node) - so that instead of "any peer ID" I have chosen a specific one for remote and local, making sure it matches on both ends. I have tried this in combination with toggling IKEv1 and IKEv2 - as you probably understand, this is a very tedious task..

 

For the 90 node, I have made several tries. In the 90 config I have made sure to define the 30 as both dialup, DDNS and static... As of now I am testing with just setting the static IP of my 30E (the NAT address of the 200).. but still no go.

 

It is interesting, the bit about NAT.. I have not thought about this at all. But it would probably be wise to go in and kill off IKE sessions in that firewall before testing. I do see that they are not closed - but then again it might be that I should kill off old sessions before testing again? Would I really need to do that? -- thinking of this issue, it has to have something to do with the 200D....

 

 

kumaran
New Contributor

Could you please check by disabling NAT traversal on the initiator end (that is, the side whose subnet is getting NATed in between)?

I think this will solve your issue.

 

vinceneil666

Nope - :( That didn't work.

 

kurtli_FTNT

"As of now I am testing with just setting the static ip of my 30E (the NAT address of the 200).. but still no go."

--Is this a 1:1 NAT on the 200D? Try adding fixed port to the firewall policy on the 200D and then give it a try using/not using NAT-T on both ends. Don't forget to set the remote-gw on the 90D to the NATed IP now. If still no luck, post the output of 'diag debug application ike -1'.

emnoc
Esteemed Contributor III

PM me and I can fix your issues. You've been struggling with this for some time. If the transient firewall is passing the IKE between the two and there are no other filtering devices, you should already have been up with the config sent earlier, FWIW.

 

PCNSE NSE StrongSwan
vinceneil666

Thanks EMNOC, next time I'm in Austin I'll buy you a beer.....maybe even two :) , PM sent.

 

As of now, I have scrapped the 90D box that won't accept the IKE from my 30E. I reconfigured it to a 60D that I have on the internet, and then everything works fine. Same setup on the 30E site, DDNS, NAT and so on....

 

Why the 90D won't accept it I don't know. It runs VDOMs, uptime 415 days and firmware is 5.2.6.711... I have raised a ticket to have that node updated with newer firmware and get a reboot. I hope and think this will resolve it.. If not, I am taking money out of my own pocket and will buy the customer a new cluster :)

 

I have also had a ticket with Fortinet - spent nearly 3 hours with them debugging yesterday. They also concluded that all config was fine. All good.. So I will be working with them today and have them look at the 90D thing - maybe do some system debugging or something. I will post an update on this..

 

 
