FGT1 internal1 is directly* connected to FGT2 wan1 and there is an ipsec interface vpn which was working fine but is now down.
I see the following debug at FGT1
diag deb app ike -1
diag deb en
ike 0: comes 172.a.b.122:500->172.a.b.121:500,ifindex=11...
[...]
ike 0: no IKEv1 phase1 configuration matching 172.a.b.122:500->172.a.b.121 11
The full phase1-interface configurations have been verified to be correct and match. I don't know how to resolve ifindex to a physical interface (I've seen ifindex mentioned somewhere in the docs but can't find it now). The tunnel gateway on FGT1 is a secondary IP address.
I have also subsequently forced a psk mismatch with no change to the debug output.
FGT1 was recently updated from 4.1.4 to 4.3.18 with no known issues; another vpn is working fine. FGT2 is 4.3.14, update pending.
Any tips where to look next?
* "directly" is a digital radio link. There are no known issues with the link.
Did you double check the vpn1 interface settings? You can try to set the local-gw to the secondary address
config vpn ipsec phase1-interface
set local-gw 172.x.x.x
end
PCNSE
NSE
StrongSwan
Maybe this can help:
gate # diagnose sys device list root
This is in FOS v4.3.18.
list virtual firewall root info:
ip4 route_cache: table_size=131072 max_depth=2 used=31 total=33
arp: table_size=4096 max_depth=1 used=6 total=6
proxy_arp: table_size=256 max_depth=0 used=0 total=0
arp6: table_size=4096 max_depth=1 used=3 total=3
proxy_arp6: table_size=256 max_depth=0 used=0 total=0
local table version=0000004e main table version=0011e696
vf=root dev=wan1 index=3
vf=root dev=ppp1 index=4
vf=root dev=modem index=5
vf=root dev=root index=6
vf=root dev=ssl.root index=7
vf=root dev=wan2 index=9
vf=root dev=dmz index=10
vf=root dev=internal index=11
vf=root dev=M175 index=12
...
ses=0/0 ses6=0/0 rt=0/0 rt6=0/0
Or this
gate # diagnose netlink interface list
This will list even the virtual interfaces which are only used internally.
if=lo family=00 type=772 index=1 mtu=16436 link=0 master=0
ref=5 state=present flags=loopback
if=eth0 family=00 type=1 index=2 mtu=1500 link=0 master=0
ref=3 state=start present flags=up broadcast run promsic multicast
if=wan1 family=00 type=1 index=3 mtu=1492 link=0 master=0
ref=6 state=start present flags=up broadcast run multicast
if=dummy0 family=00 type=1 index=4 mtu=1500 link=0 master=0
ref=1 state=present flags=broadcast noarp
if=modem family=00 type=512 index=5 mtu=1500 link=0 master=0
ref=3 state=present flags=p2p noarp multicast
if=root family=00 type=772 index=6 mtu=16436 link=0 master=0
ref=25 state=start present flags=up loopback run
if=ssl.root family=00 type=512 index=7 mtu=1500 link=0 master=0
ref=5 state=start present flags=up p2p run noarp multicast
if=wan2 family=00 type=1 index=9 mtu=1500 link=0 master=0
ref=5 state=start present tx_sched flags=up broadcast multicast
if=dmz family=00 type=1 index=10 mtu=1500 link=0 master=0
ref=10 state=start present flags=up broadcast run multicast
if=internal family=00 type=1 index=11 mtu=1500 link=0 master=0
ref=17 state=start present flags=up broadcast run multicast
if=M175 family=00 type=1 index=12 mtu=1500 link=0 master=0
ref=6 state=start present flags=up broadcast run multicast
...
if=vsys_ha family=00 type=772 index=28 mtu=16436 link=0 master=0
ref=16 state=start present flags=up loopback run
if=port_ha family=00 type=1 index=29 mtu=1496 link=0 master=0
ref=4 state=start present flags=up broadcast run multicast
if=vsys_fgfm family=00 type=772 index=30 mtu=16436 link=0 master=0
ref=12 state=start present flags=up loopback run
if=ppp1 family=00 type=512 index=68 mtu=1492 link=3 master=0
ref=32 state=start present flags=up p2p run noarp multicast
As for the VPN setup, do you redirect phase1 to the secondary IP address? (* emnoc was quicker :)
And in your post, is 'a.b.' identical for both gateways, in other words, are you trying to connect within the same LAN?
Thanks emnoc and ede. Setting the local-gw caused the tunnel to come up immediately. (This thought also occurred to me after work, glad I was on the right track.)
Thanks also for the ifindex debug. We run in internal interface mode, plus vlans and vpns. With so many interfaces it's nice to know how to find their index.
Thanks again.
edit - strange that the tunnel came up when it was built without the local-gw setting.
FYI
If you have SNMP enabled, you can query ifIndex with snmpwalk and also the descriptions. In later FortiOS, you can set the ifindex per interface:
config sys interface
edit wan1
set snmp-index 1
end
PCNSE
NSE
StrongSwan
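The two replies above give three ways to turn the `ifindex=11` in the IKE debug into an interface name: `diagnose netlink interface list`, `diagnose sys device list root` (ede's post), and an SNMP walk of the interface descriptions (emnoc's FYI). The following is an added example, not code from the thread or from Fortinet, that parses captured output of those commands offline and resolves the ifindex from the debug line. All sample output below is constructed in the shape shown in the thread; the regular expressions assume that line layout and nothing else.

```python
import re

# Constructed: an IKE debug line of the shape shown in the original question.
IKE_DEBUG_LINE = "ike 0: comes 172.a.b.122:500->172.a.b.121:500,ifindex=11..."

# Constructed excerpt in the layout of `diagnose netlink interface list`.
# Each interface takes two lines; only the first line carries the index.
NETLINK_OUTPUT = """\
if=lo family=00 type=772 index=1 mtu=16436 link=0 master=0
ref=5 state=present flags=loopback
if=wan1 family=00 type=1 index=3 mtu=1492 link=0 master=0
ref=6 state=start present flags=up broadcast run multicast
if=internal family=00 type=1 index=11 mtu=1500 link=0 master=0
ref=17 state=start present flags=up broadcast run multicast
if=ppp1 family=00 type=512 index=68 mtu=1492 link=3 master=0
ref=32 state=start present flags=up p2p run noarp multicast
"""

# Constructed excerpt in the layout of `diagnose sys device list root`.
SYS_DEVICE_OUTPUT = """\
vf=root dev=wan1 index=3
vf=root dev=internal index=11
vf=root dev=M175 index=12
"""

# Constructed excerpt in the layout of `snmpwalk ... IF-MIB::ifDescr`.
SNMP_IFDESCR_OUTPUT = """\
IF-MIB::ifDescr.3 = STRING: wan1
IF-MIB::ifDescr.11 = STRING: internal
"""

# One pattern per source; each yields a "name" and an "index" group.
NETLINK_RE = re.compile(r"^if=(?P<name>\S+)\s.*?\bindex=(?P<index>\d+)\b")
SYSDEV_RE = re.compile(r"^vf=\S+\s+dev=(?P<name>\S+)\s+index=(?P<index>\d+)\b")
SNMP_RE = re.compile(r"^IF-MIB::ifDescr\.(?P<index>\d+)\s*=\s*STRING:\s*(?P<name>\S+)")


def parse_index_map(text, pattern):
    """Build {ifindex: interface name} from command output using `pattern`.

    Lines that do not match (the `ref=...` continuation lines, `...`,
    table headers) are skipped rather than treated as errors.
    """
    mapping = {}
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if m:
            mapping[int(m.group("index"))] = m.group("name")
    return mapping


def ifindex_from_ike_debug(line):
    """Extract the numeric ifindex from an `ike ... ifindex=N` debug line."""
    m = re.search(r"\bifindex=(\d+)", line)
    return int(m.group(1)) if m else None


def resolve_ike_interface(debug_line, index_map):
    """Name the interface the IKE packet arrived on, or None if no ifindex."""
    idx = ifindex_from_ike_debug(debug_line)
    if idx is None:
        return None
    return index_map.get(idx, f"<unknown ifindex {idx}>")


def cross_check(kernel_map, snmp_map):
    """Indexes present in both maps whose names disagree.

    The SNMP index is configurable (`set snmp-index`), so it is not
    guaranteed to equal the kernel ifindex; a non-empty result means the
    SNMP table must not be used to interpret ifindex values from debug output.
    """
    shared = kernel_map.keys() & snmp_map.keys()
    return {i: (kernel_map[i], snmp_map[i]) for i in shared
            if kernel_map[i] != snmp_map[i]}


if __name__ == "__main__":
    netlink = parse_index_map(NETLINK_OUTPUT, NETLINK_RE)
    sysdev = parse_index_map(SYS_DEVICE_OUTPUT, SYSDEV_RE)
    snmp = parse_index_map(SNMP_IFDESCR_OUTPUT, SNMP_RE)
    print("netlink :", resolve_ike_interface(IKE_DEBUG_LINE, netlink))
    print("sysdev  :", resolve_ike_interface(IKE_DEBUG_LINE, sysdev))
    print("snmp    :", resolve_ike_interface(IKE_DEBUG_LINE, snmp))
    print("mismatch:", cross_check(netlink, snmp))
```

Paste real command output into the three string constants (or read it from files) and the script tells you which interface the unmatched IKE proposal arrived on; in the thread's case that is `internal` with index 11, which is exactly why `local-gw` on the secondary address was the missing piece. The `cross_check` result should be empty before the SNMP map is trusted for this purpose.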