Support Forum
fox
New Contributor

ipsec problem

Hi,

 

I have created a dynamic-type IPsec tunnel, but it will not come up with a Cisco router.

 

FG conf:

config vpn ipsec phase1-interface
    edit "vpn01"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal des-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set auto-discovery-shortcuts dependent
        set nattraversal disable
        set psksecret ENC
        set dpd-retryinterval 60
    next
end

 

cisco error:

*Jan 3 05:42:57.312: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet
*Jan 3 05:42:57.322: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 10.0.0.1:500/From 10.0.0.3:500/VRF i0:f0]
Initiator SPI : 6ACECDCABFA431B0 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Jan 3 05:42:57.343: IKEv2-ERROR:Address type 2147505494 not supported
*Jan 3 05:42:57.343: IKEv2-ERROR:Couldn't find matching SA: A supplied parameter is incorrect
*Jan 3 05:42:57.343: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 10.0.0.1:500/To 10.0.0.3:500/VRF i0:f0]
Initiator SPI : 6ACECDCABFA431B0 - Responder SPI : 737906E43A073588 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
*Jan 3 05:42:57.344: IKEv2-ERROR:Address type 1109088110 not supported
*Jan 3 05:42:57.344: IKEv2-ERROR:: A supplied parameter is incorrect
*Jan 3 05:42:59.295: IKEv2:% Getting preshared key from profile keyring MYKeyring
*Jan 3 05:42:59.295: IKEv2:% Matched peer block 'FG'
*Jan 3 05:42:59.295: IKEv2:(SESSION ID = 0,SA ID = 0):Searching Policy with fvrf 0, local address 10.0.0.3
*Jan 3 05:42:59.296: IKEv2:(SESSION ID = 0,SA ID = 0):Found Policy 'MY_Policy_fortigate'
*Jan 3 05:42:59.297: IKEv2-ERROR:Address type 2147516329 not supported


Toshi_Esumi
SuperUser

At a glance, you're not specifying a DH group in the FGT's phase1 config, but I don't think that's the main issue. I think the problem is in Cisco's IKEv2 config, but since this is FTNT's community/forum, if you want to get some comments you should run IKE debug and post the result from the FGT side.
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPSEC-Tunnel-debugging-IKE/ta-p/1900...

But I have a wild guess that you configured the VPN in Cisco's VRF environment and something is wrong in that part. I suggest you post your Cisco-side config at the Cisco Community, which should be a faster path to solving your issue.

 

Toshi

fox
New Contributor

I have found that if I set the type to static, it works. Why doesn't this work with the dynamic type?

b34rded-1der
New Contributor II

The type "dynamic" is for dial-up IPsec, typically used for remote users as an alternative to SSL-VPN.

For site-to-site you'll usually use the "static" or "ddns" type, to restrict the tunnel to the specific remote peer you want to communicate with.

fox
New Contributor

Understood, but I think ADVPN also needs this dynamic-type VPN. I followed the manual to create it.

hbac

Hi @fox,

 

Can you run debugs on the FortiGate side? Please refer to https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPSEC-Tunnel-debugging-IKE/ta-p/1900...

 

 

Regards,

fox
New Contributor

Please review the FortiGate-side debug log below:

 

ike 0: comes 10.0.0.3:500->10.0.0.1:500,ifindex=3,vrf=0....
ike 0: IKEv2 exchange=AUTH id=087b619f7a9bd703/4438ba8d41518db0:00000001 len=564
ike 0: in [packet hex dump omitted]
ike 0: invalid IKE request SPI 087b619f7a9bd703/4438ba8d41518db0:00000001
ike shrank heap by 159744 bytes
ike 0: comes 10.0.0.3:500->10.0.0.1:500,ifindex=3,vrf=0....
ike 0: IKEv2 exchange=SA_INIT id=ddc55c2f0bddfccb/0000000000000000 len=458
ike 0: in [packet hex dump omitted]
ike 0:ddc55c2f0bddfccb/0000000000000000:7: responder received SA_INIT msg
ike 0:ddc55c2f0bddfccb/0000000000000000:7: VID unknown (19): CISCO-DELETE-REASON
ike 0:ddc55c2f0bddfccb/0000000000000000:7: VID unknown (15): CISCOVPN-REV-02
ike 0:ddc55c2f0bddfccb/0000000000000000:7: VID unknown (19): CISCO-DYNAMIC-ROUTE
ike 0:ddc55c2f0bddfccb/0000000000000000:7: VID unknown (17): FLEXVPN-SUPPORTED
ike 0:ddc55c2f0bddfccb/0000000000000000:7: received notify type NAT_DETECTION_SOURCE_IP
ike 0:ddc55c2f0bddfccb/0000000000000000:7: received notify type NAT_DETECTION_DESTINATION_IP
ike 0:ddc55c2f0bddfccb/0000000000000000:7: incoming proposal:
ike 0:ddc55c2f0bddfccb/0000000000000000:7: proposal id = 1:
ike 0:ddc55c2f0bddfccb/0000000000000000:7: protocol = IKEv2:
ike 0:ddc55c2f0bddfccb/0000000000000000:7: encapsulation = IKEv2/none
ike 0:ddc55c2f0bddfccb/0000000000000000:7: type=ENCR, val=DES_CBC
ike 0:ddc55c2f0bddfccb/0000000000000000:7: type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:ddc55c2f0bddfccb/0000000000000000:7: type=PRF, val=PRF_HMAC_SHA
ike 0:ddc55c2f0bddfccb/0000000000000000:7: type=DH_GROUP, val=MODP2048.
ike 0:ddc55c2f0bddfccb/0000000000000000:7: type=DH_GROUP, val=MODP1536.
ike 0: cache rebuild start
ike 0:vpn01: cached as dynamic
ike 0: cache rebuild done
ike 0:ddc55c2f0bddfccb/0000000000000000:7: matched proposal id 1
ike 0:ddc55c2f0bddfccb/0000000000000000:7: proposal id = 1:
ike 0:ddc55c2f0bddfccb/0000000000000000:7: protocol = IKEv2:
ike 0:ddc55c2f0bddfccb/0000000000000000:7: encapsulation = IKEv2/none
ike 0:ddc55c2f0bddfccb/0000000000000000:7: type=ENCR, val=DES_CBC
ike 0:ddc55c2f0bddfccb/0000000000000000:7: type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:ddc55c2f0bddfccb/0000000000000000:7: type=PRF, val=PRF_HMAC_SHA
ike 0:ddc55c2f0bddfccb/0000000000000000:7: type=DH_GROUP, val=MODP1536.
ike 0:ddc55c2f0bddfccb/0000000000000000:7: lifetime=86400
ike 0:ddc55c2f0bddfccb/0000000000000000:7: SA proposal chosen, matched gateway vpn01
ike 0:vpn01: created connection: 0xf7b28e0 3 10.0.0.1->10.0.0.3:500.
ike 0:vpn01:7: processing notify type NAT_DETECTION_SOURCE_IP
ike 0:vpn01:7: ignoring unauthenticated notify payload (NAT_DETECTION_SOURCE_IP)
ike 0:vpn01:7: processing notify type NAT_DETECTION_DESTINATION_IP
ike 0:vpn01:7: ignoring unauthenticated notify payload (NAT_DETECTION_DESTINATION_IP)
ike 0:vpn01:7: responder preparing SA_INIT msg
ike 0:vpn01:7: generate DH public value request queued
ike 0:vpn01:7: responder preparing SA_INIT msg
ike 0:vpn01:7: compute DH shared secret request queued
ike 0:vpn01:7: responder preparing SA_INIT msg
ike 0:vpn01:7: out DDC55C2F0BDDFCCB6BFC2F82DEB9A71F21202220000000000000012C2200002C00000028010100040300000801000002030000080200000203000008030000020000000804000005280000C8000500008088F4E09485BBC33B49BAE3A7BC62D8ABE1E82D678FB8C3F3B8353AFC3F817A44E0BB2BEF76566372F5994DD99E34A2E6A32F5EBADBBF6964ABB529F165CBB9D8EA93243F4A85B8AA64BB642F96AEE3D7DF4FA3116D2EFB852ED48976DE5475807469341556B88E3FFFF8B477B9831178767204BB24A24AAC1B8566D0545B9B7066F9ACEC0E17E8E15DE3523B15776F9A598116F646776B3ACA808B860054926722F5E88D75595090899D840D955C59F2604E3DEA00A9BCB63D678F5E2BF24729000014794DA3AC031C50B81FC4893E3F11C140000000080000F020
ike 0:vpn01:7: sent IKE msg (SA_INIT_RESPONSE): 10.0.0.1:500->10.0.0.3:500, len=300, vrf=0, id=ddc55c2f0bddfccb/6bfc2f82deb9a71f
ike 0:vpn01:7: IKE SA ddc55c2f0bddfccb/6bfc2f82deb9a71f SK_ei 8:4F71D3EA87B27E71
ike 0:vpn01:7: IKE SA ddc55c2f0bddfccb/6bfc2f82deb9a71f SK_er 8:C5071459F1728DB8
ike 0:vpn01:7: IKE SA ddc55c2f0bddfccb/6bfc2f82deb9a71f SK_ai 20:256AD2B67CBCC7ECEAC478286450D85BF70AEFF6
ike 0:vpn01:7: IKE SA ddc55c2f0bddfccb/6bfc2f82deb9a71f SK_ar 20:19BDBB88FC90535F68AFD9F03D412DBCAC5D9DF0
ike 0: comes 10.0.0.3:500->10.0.0.1:500,ifindex=3,vrf=0....
ike 0: IKEv2 exchange=AUTH id=ddc55c2f0bddfccb/6bfc2f82deb9a71f:00000001 len=564
ike 0: in [packet hex dump omitted]
ike 0:vpn01:7: dec [decrypted payload hex dump omitted]
ike 0:vpn01:7: responder received AUTH msg
ike 0:vpn01:7: processing notify type INITIAL_CONTACT
ike 0:vpn01:7: processing notify type SET_WINDOW_SIZE
ike 0:vpn01:7: processing notify type ESP_TFC_PADDING_NOT_SUPPORTED
ike 0:vpn01:7: processing notify type NON_FIRST_FRAGMENTS_ALSO
ike 0:vpn01:7: peer identifier IPV4_ADDR 10.0.0.3
ike 0:vpn01:7: re-validate gw ID
ike 0:vpn01:7: gw validation OK
ike 0:vpn01:7: auth verify done
ike 0:vpn01:7: responder AUTH continuation
ike 0:vpn01:7: authentication succeeded
ike 0:vpn01:7: responder creating new child
ike 0:vpn01:7: mode-cfg not enabled, unable to respond to Configuration Payload
ike 0: comes 10.0.0.3:500->10.0.0.1:500,ifindex=3,vrf=0....
ike 0: IKEv2 exchange=AUTH id=ddc55c2f0bddfccb/6bfc2f82deb9a71f:00000001 len=564
ike 0: in DDC55C2F0BDDFCCB6BFC2F82DEB9A71F2E20230800000001000002342B000218970C452DB3EA081F8C31CA3D41B963863CF43C2FA4ED14FB1E8C0C4C4F9FBF70E7C6A6272D0145BE8EDC1EB3911DFE4B79BDA09A755D1D05AD590557AA75AF5D64DA8BABB26184E858B3C565C59FC81BF8BB645881A5F677C8015A84BD583B6D35E9B9922F4E32B88566265E951DBAD3F4FDFB24807371009C2DE5F60F7A54F88C4B8D4725CC335C9FD52F1F37CE73365E989D725F53770744E36EC4A0C1AFB87F1CFFD1F14F4BDA85CAB739DB6219689C5F0A8BCC5FA090E7CD50B2D552006901659F3DB4B556C7EFD93AA07E6F4F50418F0B4DEE7ABE2399998C55FBB0E96D3BFA5E3D62B7F86F324E88CFF73C62FFA990C131CA7E212A753E2AD9440950DB7AE3340390097E05E44A7D9184FC3A1C80990B844901500DB9ADE0BBE88976D7587F644565A02E25838BC1471636FB2FB2B10FD9B99437C3B95815C589F150176182E2F06D65B8A92DF79028ECD013AFCF9B275BC0EED9389E17FAA7E30A450A24AF47C627CE79D734014A65003B360388BAE6113C02862272CBBC7E4835CC7CD64488AC9B5EDF5B36F055EDD1C8DE08FBC8905AE685E9E8B0B95BE2755E2D231506A436F734B953BD8558ECA9A1D480F8E6A3739D4C94C5BB0EE82F04ACD5A3F88BAECD49867AA6EAFEE934F8BF9DABAB2C095B20398C5CF4BB7E1D76E313618AF6891B2B25928C3C569932123B977402983F973A2DBE8D07886DA58AEEB25BFDC12E9D6417A0E8675B608392788E00FB362AEE
ike 0:vpn01:7: detected retransmit
ike 0: comes 10.0.0.3:500->10.0.0.1:500,ifindex=3,vrf=0....
ike 0: IKEv2 exchange=AUTH id=ddc55c2f0bddfccb/6bfc2f82deb9a71f:00000001 len=564
ike 0: in DDC55C2F0BDDFCCB6BFC2F82DEB9A71F2E20230800000001000002342B000218970C452DB3EA081F8C31CA3D41B963863CF43C2FA4ED14FB1E8C0C4C4F9FBF70E7C6A6272D0145BE8EDC1EB3911DFE4B79BDA09A755D1D05AD590557AA75AF5D64DA8BABB26184E858B3C565C59FC81BF8BB645881A5F677C8015A84BD583B6D35E9B9922F4E32B88566265E951DBAD3F4FDFB24807371009C2DE5F60F7A54F88C4B8D4725CC335C9FD52F1F37CE73365E989D725F53770744E36EC4A0C1AFB87F1CFFD1F14F4BDA85CAB739DB6219689C5F0A8BCC5FA090E7CD50B2D552006901659F3DB4B556C7EFD93AA07E6F4F50418F0B4DEE7ABE2399998C55FBB0E96D3BFA5E3D62B7F86F324E88CFF73C62FFA990C131CA7E212A753E2AD9440950DB7AE3340390097E05E44A7D9184FC3A1C80990B844901500DB9ADE0BBE88976D7587F644565A02E25838BC1471636FB2FB2B10FD9B99437C3B95815C589F150176182E2F06D65B8A92DF79028ECD013AFCF9B275BC0EED9389E17FAA7E30A450A24AF47C627CE79D734014A65003B360388BAE6113C02862272CBBC7E4835CC7CD64488AC9B5EDF5B36F055EDD1C8DE08FBC8905AE685E9E8B0B95BE2755E2D231506A436F734B953BD8558ECA9A1D480F8E6A3739D4C94C5BB0EE82F04ACD5A3F88BAECD49867AA6EAFEE934F8BF9DABAB2C095B20398C5CF4BB7E1D76E313618AF6891B2B25928C3C569932123B977402983F973A2DBE8D07886DA58AEEB25BFDC12E9D6417A0E8675B608392788E00FB362AEE
ike 0:vpn01:7: detected retransmit
ike 0: comes 10.0.0.3:500->10.0.0.1:500,ifindex=3,vrf=0....
ike 0: IKEv2 exchange=AUTH id=ddc55c2f0bddfccb/6bfc2f82deb9a71f:00000001 len=564
ike 0: in DDC55C2F0BDDFCCB6BFC2F82DEB9A71F2E20230800000001000002342B000218970C452DB3EA081F8C31CA3D41B963863CF43C2FA4ED14FB1E8C0C4C4F9FBF70E7C6A6272D0145BE8EDC1EB3911DFE4B79BDA09A755D1D05AD590557AA75AF5D64DA8BABB26184E858B3C565C59FC81BF8BB645881A5F677C8015A84BD583B6D35E9B9922F4E32B88566265E951DBAD3F4FDFB24807371009C2DE5F60F7A54F88C4B8D4725CC335C9FD52F1F37CE73365E989D725F53770744E36EC4A0C1AFB87F1CFFD1F14F4BDA85CAB739DB6219689C5F0A8BCC5FA090E7CD50B2D552006901659F3DB4B556C7EFD93AA07E6F4F50418F0B4DEE7ABE2399998C55FBB0E96D3BFA5E3D62B7F86F324E88CFF73C62FFA990C131CA7E212A753E2AD9440950DB7AE3340390097E05E44A7D9184FC3A1C80990B844901500DB9ADE0BBE88976D7587F644565A02E25838BC1471636FB2FB2B10FD9B99437C3B95815C589F150176182E2F06D65B8A92DF79028ECD013AFCF9B275BC0EED9389E17FAA7E30A450A24AF47C627CE79D734014A65003B360388BAE6113C02862272CBBC7E4835CC7CD64488AC9B5EDF5B36F055EDD1C8DE08FBC8905AE685E9E8B0B95BE2755E2D231506A436F734B953BD8558ECA9A1D480F8E6A3739D4C94C5BB0EE82F04ACD5A3F88BAECD49867AA6EAFEE934F8BF9DABAB2C095B20398C5CF4BB7E1D76E313618AF6891B2B25928C3C569932123B977402983F973A2DBE8D07886DA58AEEB25BFDC12E9D6417A0E8675B608392788E00FB362AEE
ike 0:vpn01:7: detected retransmit
ike 0: comes 10.0.0.3:500->10.0.0.1:500,ifindex=3,vrf=0....
ike 0: IKEv2 exchange=AUTH id=ddc55c2f0bddfccb/6bfc2f82deb9a71f:00000001 len=564
ike 0: in [packet hex dump omitted]
ike 0:vpn01:7: detected retransmit
ike 0:vpn01:7: negotiation timeout, deleting
ike 0:vpn01: connection expiring due to phase1 down
ike 0:vpn01: deleting
ike 0:vpn01: deleted

rarumugam

Based on the logs, there seems to be a config-request (IP assignment request) coming from the remote VPN device. Since mode-cfg (the feature responsible for leasing IP addresses) is disabled under the Phase1 settings of the FortiGate, the FW was unable to respond to the request, resulting in the peer unit retransmitting the IKE message, and eventually the negotiation timed out.

ike 0:vpn01:7: responder received AUTH msg
ike 0:vpn01:7: processing notify type INITIAL_CONTACT
ike 0:vpn01:7: processing notify type SET_WINDOW_SIZE
ike 0:vpn01:7: processing notify type ESP_TFC_PADDING_NOT_SUPPORTED
ike 0:vpn01:7: processing notify type NON_FIRST_FRAGMENTS_ALSO
ike 0:vpn01:7: peer identifier IPV4_ADDR 10.0.0.3
ike 0:vpn01:7: re-validate gw ID
ike 0:vpn01:7: gw validation OK
ike 0:vpn01:7: auth verify done
ike 0:vpn01:7: responder AUTH continuation
ike 0:vpn01:7: authentication succeeded
ike 0:vpn01:7: responder creating new child
ike 0:vpn01:7: mode-cfg not enabled, unable to respond to Configuration Payload

ike 0: comes 10.0.0.3:500->10.0.0.1:500,ifindex=3,vrf=0....
ike 0: IKEv2 exchange=AUTH id=ddc55c2f0bddfccb/6bfc2f82deb9a71f:00000001 len=564
ike 0:vpn01:7: detected retransmit


ike 0:vpn01:7: detected retransmit
ike 0:vpn01:7: negotiation timeout, deleting

I would recommend either disabling cfg-request/mode-cfg on the peer end or enabling mode-cfg at the FortiGate end, as per your requirement.

Rambharathi Arumugam
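To make the failure signature above (and the phase1 config from the first post) easy to spot without reading the whole debug output, here is an added example that is not part of this thread or of FortiOS: a small Python script that parses a FortiOS phase1-interface block and FortiGate IKE debug lines, correlates them per gateway, and reports the mode-cfg mismatch and the resulting timeout. The log and config excerpts are constructed to mirror the ones posted here; `parse_phase1`, `diagnose` and the `[placeholder]` secret are my own names, not FortiOS commands.

```python
import re
# Constructed excerpt of FortiGate "diagnose debug application ike -1" output, mirroring the thread.
SAMPLE_LOG = """\
ike 0:vpn01:7: responder received AUTH msg
ike 0:vpn01:7: mode-cfg not enabled, unable to respond to Configuration Payload
ike 0:vpn01:7: detected retransmit
ike 0:vpn01:7: negotiation timeout, deleting
"""

# Constructed phase1-interface block in the form the OP posted (secret elided).
SAMPLE_CONF = """\
config vpn ipsec phase1-interface
    edit "vpn01"
        set type dynamic
        set ike-version 2
        set psksecret ENC <elided>
    next
end
"""

# "ike 0:<gateway>:<sa-index>: <message>" lines carry the per-tunnel state we care about.
LINE_RE = re.compile(r"^ike \d+:(?P<gw>[^:\s]+):\d+: (?P<msg>.*)$")

def parse_phase1(conf):
    """Return {gateway: {setting: value}} from a FortiOS phase1-interface block."""
    gws, cur = {}, None
    for line in (l.strip() for l in conf.splitlines()):
        if m := re.match(r'edit "([^"]+)"', line):
            cur = gws.setdefault(m.group(1), {})
        elif cur is not None and (m := re.match(r"set (\S+) (.*)", line)):
            cur[m.group(1)] = m.group(2)
    return gws

def diagnose(log, conf):
    """Correlate per-gateway IKE debug messages with the phase1 config; return findings."""
    msgs = {}
    for line in log.splitlines():
        if m := LINE_RE.match(line):
            msgs.setdefault(m.group("gw"), []).append(m.group("msg"))
    gws, findings = parse_phase1(conf), {}
    for gw, seen in msgs.items():
        out, settings = [], gws.get(gw, {})
        wants_cfg = any("unable to respond to Configuration Payload" in m for m in seen)
        retransmits = sum("detected retransmit" in m for m in seen)
        if wants_cfg and settings.get("mode-cfg", "disable") != "enable":  # FortiOS default is disable
            out.append("peer sent a Configuration Payload but mode-cfg is disabled: "
                       "enable mode-cfg here or disable config-request on the peer")
        if any("negotiation timeout" in m for m in seen):
            out.append(f"phase1 negotiation timed out after {retransmits} peer retransmit(s)")
        findings[gw] = out
    return findings
```

Feed it the full `diagnose debug application ike -1` capture and the `show vpn ipsec phase1-interface` output to get the same verdict per gateway.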
fox
New Contributor

Thanks for the detailed analysis. After enabling mode-cfg on the FortiGate, the tunnel came up.

But I cannot ping from the peer:

 

dia vpn ike gateway

vd: root/0
name: vpn01_0
version: 2
interface: port1 3
addr: 10.0.0.1:500 -> 10.0.0.3:500
tun_id: 172.16.0.1/::10.0.0.2
remote_location: 0.0.0.0
network-id: 0
virtual-interface-addr: 172.16.0.1 -> 0.0.0.0
created: 1173s ago
peer-id: 10.0.0.3
peer-id-auth: no
assigned IPv4 address: 172.16.0.1/0.0.0.0
PPK: no
IKE SA: created 1/1 established 1/1 time 20/20/20 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms

id/spi: 233 8cb0b1c235ffe77c/00abb34ca05d39ba
direction: responder
status: established 1173-1173s ago = 20ms
proposal: des-sha1
child: no
SK_ei: 11e6e70333801cc3
SK_er: d877a4ab153e34d3
SK_ai: a4127122475d6616-61998138ff52819e-2ad4f6ba
SK_ar: 7c8b0f42089f86e7-faa7a609e20eefd6-126f4eb2
PPK: no
message-id sent/recv: 5/2
lifetime/rekey: 86400/84956
DPD sent/recv: 00000006/00000006
peer-id: 10.0.0.3
