Support Forum
JohnAgora
Contributor

VPN with Juniper

Hello,
We are trying to establish a VPN between a FortiGate 900D and a Juniper. It must be a dial-up VPN since the Juniper has PPPoE (not a static IP) and the version of JUNOS the device has doesn't support dynamic DNS.
The Juniper has the following configuration:

    security {
        ike {
            proposal ike-phase1-proposal {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 28800;
            }
            policy ike-phase1-policy {
                mode aggressive;
                proposals ike-phase1-proposal;
                pre-shared-key ascii-text "12345678";
            }
            gateway gw-test {
                ike-policy ike-phase1-policy;
                address 189.1.1.1;
                local-identity hostname TEST;
                external-interface fe-0/0/0.0;
            }
        }
        ipsec {
            proposal ipsec-phase2-proposal {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 3600;
            }
            policy ipsec-phase2-policy {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposals ipsec-phase2-proposal;
            }
            vpn ike-vpn-test {
                bind-interface st0.0;
                ike {
                    gateway gw-test;
                    proxy-identity {
                        local 10.10.10.0/0;
                        remote 0.0.0.0/0;
                        service any;
                    }
                    ipsec-policy ipsec-phase2-policy;
                }
                establish-tunnels immediately;
            }
        }
    }
On the FortiGate I can do a good diagnose. The VPN gets established (phase 1 and phase 2 OK), but immediately it receives a packet to take down the connection.

Here are some logs:

    ike 0:test_0:285: recv ISAKMP SA delete eab487019033cffc/3a86ccc15b3ea1a5
    ike 0:test_0: deleting
    ike 0:test_0: flushing
    ike 0:test_0:test: sending SNMP tunnel DOWN trap
    ike 0:test_0:241: del route 0.0.0.0/0.0.0.0 oif test_0(305) metric 15 priority 0
    ike 0:test_0: flushed
    ike 0:test_0: delete dynamic
    ike 0:test_0: reset NAT-T
    ike 0:test_0: deleted
Any ideas?

Any commands so I can do a debug on the Juniper?
Thanks

2 Solutions
JohnAgora

FortiGate's logs (edited so they are easier to read):

    ike 0:1f58e705dcb8c10b/0000000000000000:60877: negotiation result
    ike 0:1f58e705dcb8c10b/0000000000000000:60877: proposal id = 1:
    ike 0:1f58e705dcb8c10b/0000000000000000:60877: protocol id = ISAKMP:
    ike 0:1f58e705dcb8c10b/0000000000000000:60877: trans_id = KEY_IKE.
    ike 0:1f58e705dcb8c10b/0000000000000000:60877: encapsulation = IKE/none
    ike 0:1f58e705dcb8c10b/0000000000000000:60877: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
    ike 0:1f58e705dcb8c10b/0000000000000000:60877: type=OAKLEY_HASH_ALG, val=SHA.
    ike 0:1f58e705dcb8c10b/0000000000000000:60877: type=AUTH_METHOD, val=PRESHARED_KEY.
    ike 0:1f58e705dcb8c10b/0000000000000000:60877: type=OAKLEY_GROUP, val=MODP1024.
    ike 0:1f58e705dcb8c10b/0000000000000000:60877: ISAKMP SA lifetime=28800
    ike 0:1f58e705dcb8c10b/0000000000000000:60877: SA proposal chosen, matched gateway test
    ike 0:test:60877: received peer identifier FQDN 'test'
    ike 0:test:60877: DPD negotiated
    ike 0:test:60877: selected NAT-T version: RFC 3947
    ike 0:test:60877: cookie 1f58e705dcb8c10b/964eafb1c899f729
    ...
    ike 0: IKEv1 exchange=Aggressive id=1f58e705dcb8c10b/964eafb1c899f729 len=100
    ...
    ike 0:test:60877: received NAT-D payload type 20
    ike 0:test:60877: received NAT-D payload type 20
    ike 0:test:60877: PSK authentication succeeded
    ike 0:test:60877: authentication OK
    ike 0:test:60877: NAT detected: PEER
    ike 0:test:60877: remote port change 61451 -> 60813
    ike 0:test: adding new dynamic tunnel for 189.1.1.2:60813
    ike 0:test_0: added new dynamic tunnel for 189.1.1.2:60813
    ike 0:test_0:60877: established IKE SA 1f58e705dcb8c10b/964eafb1c899f729
    ike 0:test_0:60877: no pending Quick-Mode negotiations
    ...
    ike 0:test_0:60877:85174: peer proposal is: peer:0:10.10.10.0-10.10.10.255:0, me:0:0.0.0.0-255.255.255.255:0
    ike 0:test_0:60877:test:85174: trying
    ike 0:test_0:60877:test:85174: matched phase2
    ike 0:test_0:60877:test:85174: dynamic client
    ike 0:test_0:60877:test:85174: my proposal:
    ike 0:test_0:60877:test:85174: proposal id = 1:
    ike 0:test_0:60877:test:85174: protocol id = IPSEC_ESP:
    ike 0:test_0:60877:test:85174: PFS DH group = 2
    ike 0:test_0:60877:test:85174: trans_id = ESP_3DES
    ike 0:test_0:60877:test:85174: encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:test_0:60877:test:85174: type = AUTH_ALG, val=SHA1
    ike 0:test_0:60877:test:85174: incoming proposal:
    ike 0:test_0:60877:test:85174: proposal id = 1:
    ike 0:test_0:60877:test:85174: protocol id = IPSEC_ESP:
    ike 0:test_0:60877:test:85174: PFS DH group = 2
    ike 0:test_0:60877:test:85174: trans_id = ESP_3DES
    ike 0:test_0:60877:test:85174: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
    ike 0:test_0:60877:test:85174: type = AUTH_ALG, val=SHA1
    ike 0:test_0:60877:test:85174: negotiation result
    ike 0:test_0:60877:test:85174: proposal id = 1:
    ike 0:test_0:60877:test:85174: protocol id = IPSEC_ESP:
    ike 0:test_0:60877:test:85174: PFS DH group = 2
    ike 0:test_0:60877:test:85174: trans_id = ESP_3DES
    ike 0:test_0:60877:test:85174: encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:test_0:60877:test:85174: type = AUTH_ALG, val=SHA1
    ike 0:test_0:60877:test:85174: set pfs=MODP1024
    ike 0:test_0:60877:test:85174: using udp tunnel mode.
    ike 0:test_0:60877:test:85174: replay protection enabled
    ike 0:test_0:60877:test:85174: SA life soft seconds=3591.
    ike 0:test_0:60877:test:85174: SA life hard seconds=3600.
    ike 0:test_0:60877:test:85174: IPsec SA selectors #src=1 #dst=1
    ike 0:test_0:60877:test:85174: src 0 7 0:0.0.0.0-255.255.255.255:0
    ike 0:test_0:60877:test:85174: dst 0 7 0:10.10.10.0-10.10.10.255:0
    ike 0:test_0:60877:test:85174: add dynamic IPsec SA selectors
    ike 0:test_0:85174: add route 10.10.10.0/255.255.255.0 oif test_0(53403) metric 15 priority 0
    ike 0:test_0:60877:test:85174: tunnel 1 of VDOM limit 0/0
    ike 0:test_0:60877:test:85174: add IPsec SA: SPIs=d4148620/8bf0c36a
    ...
    ike 0:test_0:60877:test:85174: sending SNMP tunnel UP trap
    ...
    ike 0:test_0:60877: sent IKE msg (quick_r1send): 189.1.1.1:4500->189.1.1.2:60813, len=300, id=1f58e705dcb8c10b/964eafb1c899f729:ba36efa2
    ike 0: comes 189.1.1.2:60813->189.1.1.1:4500,ifindex=39....
    ike 0: IKEv1 exchange=Informational id=1f58e705dcb8c10b/964eafb1c899f729:c2f1f199 len=84
    ike 0: in 1F58E705DCB8C10B964EAFB1C899F72908100501C2F1F19900000054C17A3F6BC68CBA17CD4158A7B830C3770F42ABB4F10E2AD4DD0CBD8E56935D98E9E5B6B6EDD3553F426D976CFADC08C8A6E28949721CFFFB
    ike 0:test_0:60877: dec 1F58E705DCB8C10B964EAFB1C899F72908100501C2F1F199000000540C000018A570DF1920431447AE975EB46D500C8CB05F839C0000001C00000001011000011F58E705DCB8C10B964EAFB1C899F72900000000
    ike 0:test_0:60877: recv ISAKMP SA delete 1f58e705dcb8c10b/964eafb1c899f729
    ike 0:test_0: deleting
    ike 0:test_0: flushing
The line in bold is the one that sends the tunnel down. Any ideas?

Thanks!!

JohnAgora

I found out the problem. It was completely on Juniper.

Here are the logs:

    Jan 19 13:37:24 ikev2_fb_idv2_to_idv1: Converting the IKEv2 payload ID ID(type = keyid (11), len = 4, value = 74657374) to IKEv1 ID
    Jan 19 13:37:24 ikev2_fb_idv2_to_idv1: IKEv2 payload ID converted to IKEv1 payload ID key_id(any:0,[0..3]=74 65 73 74 )
    Jan 19 13:37:24 iked_pm_id_validate called with id key_id(any:0,[0..3]=74 65 73 74 )
    Jan 19 13:37:24 iked_pm_id_validate Use default id [ipv4(any:0,[0..3]=189.1.1.1)]
    Jan 19 13:37:24 iked_pm_id_validate id NOT matched.
    Jan 19 13:37:24 iked_pm_ike_sa_done ID validation fails
Basically the key was "test", but it didn't validate it (I don't know if it was Fortinet sending it wrong or Juniper reading it wrong).

I put the following option on Juniper's VPN:

set gateway gw-test general-ikeid

and it was solved. :D
Thanks a lot for your help!

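As an added example (not code from the thread or from either vendor), a small Python triage over constructed log lines modelled on the two posts above: it flags IKE SAs that the peer deleted right after the FortiGate had established them, and decodes the Juniper iked_pm_id_validate lines to show the identity mismatch (received KEY_ID "test" versus the gateway's default IPv4 identity) that general-ikeid relaxes. The sample lines are constructed for this example and shortened to the fields the functions read.

```python
import re

# Constructed sample lines modelled on the thread's output (not the thread's own logs).
FORTIGATE_LOG = """\
ike 0:test_0:60877: established IKE SA 1f58e705dcb8c10b/964eafb1c899f729
ike 0:test_0:60877:test:85174: add IPsec SA: SPIs=d4148620/8bf0c36a
ike 0:test_0:60877: recv ISAKMP SA delete 1f58e705dcb8c10b/964eafb1c899f729
"""
JUNIPER_LOG = """\
Jan 19 13:37:24 iked_pm_id_validate called with id key_id(any:0,[0..3]=74 65 73 74 )
Jan 19 13:37:24 iked_pm_id_validate Use default id [ipv4(any:0,[0..3]=189.1.1.1)]
Jan 19 13:37:24 iked_pm_id_validate id NOT matched.
Jan 19 13:37:24 iked_pm_ike_sa_done ID validation fails
"""

ESTABLISHED = re.compile(r"established IKE SA ([0-9a-f]+/[0-9a-f]+)")
DELETE = re.compile(r"recv ISAKMP SA delete ([0-9a-f]+/[0-9a-f]+)")
# Junos logs key_id bodies as space-separated hex bytes and ipv4 identities dotted.
ID_PAYLOAD = re.compile(r"(key_id|ipv4)\(any:0,\[0\.\.\d+\]=([0-9a-fA-F ]+|[\d.]+)\s*\)")

def peer_torn_down_sas(fortigate_log):
    """Cookies of IKE SAs the peer deleted after this side had already established them.
    Proposals matched and PSK auth passed, so the refusal is a post-authentication check
    on the peer; its logs hold the reason."""
    established, torn_down = set(), []
    for line in fortigate_log.splitlines():
        if m := ESTABLISHED.search(line):
            established.add(m.group(1))
        elif (m := DELETE.search(line)) and m.group(1) in established:
            torn_down.append(m.group(1))
    return torn_down

def decode_id(kind, raw):
    # ipv4 is already readable; key_id is hex bytes (74 65 73 74 -> "test")
    return raw if kind == "ipv4" else bytes.fromhex(raw.replace(" ", "")).decode("ascii", "replace")

def juniper_id_check(juniper_log):
    """(received identity, identity the gateway validated against, failed?) from iked lines."""
    received = expected = None
    failed = False
    for line in juniper_log.splitlines():
        if m := ID_PAYLOAD.search(line):
            kind, body = m.groups()
            if "called with id" in line:
                received = (kind, decode_id(kind, body))
            elif "Use default id" in line:
                expected = (kind, decode_id(kind, body))
        elif "ID validation fails" in line:
            failed = True
    return received, expected, failed
```

A peer-initiated delete on one side together with a type mismatch (KEY_ID vs. ipv4) on the other points at the gateway identity check rather than at the crypto proposals, which the FortiGate log already shows as matched.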
10 REPLIES 10