Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
journeyman
Contributor

ipsec tunnel was working, now "no matching IKEv1 phase1 configuration"

FGT1 internal1 is directly* connected to FGT2 wan1 and there is an ipsec interface vpn which was working fine but is now down.

I see the following debug at FGT1

diag deb app ike -1
diag deb en

ike 0: comes 172.a.b.122:500->172.a.b.121:500,ifindex=11...
[...]
ike 0: no IKEv1 phase1 configuration matching 172.a.b.122:500->172.a.b.121 11

The full phase1-interface configurations have been verified to be correct and match. I don't know how to resolve ifindex to a physical interface (I've seen ifindex mentioned somewhere in the docs but can't find it now). The tunnel gateway on FGT1 is a secondary IP address.

I have also subsequently forced a psk mismatch with no change to the debug output.

FGT1 was recently updated from 4.1.4 to 4.3.18 with no known issues; another vpn is working fine. FGT2 is 4.3.14, update pending.

Any tips where to look next?

 

* "directly" is a digital radio link. There are no known issues with the link.

2 Solutions
emnoc
Esteemed Contributor III

Did you double check the vpn1 interface settings? You can try to set the local-gw to the secondary address:

config vpn ipsec phase1-interface
    edit vpn1
        set local-gw 172.x.x.x
    next
end

PCNSE NSE StrongSwan
ede_pfau
SuperUser

Maybe this can help:

gate # diagnose sys device list root
list virtual firewall root info:
ip4 route_cache: table_size=131072 max_depth=2 used=31 total=33
arp: table_size=4096 max_depth=1 used=6 total=6
proxy_arp: table_size=256 max_depth=0 used=0 total=0
arp6: table_size=4096 max_depth=1 used=3 total=3
proxy_arp6: table_size=256 max_depth=0 used=0 total=0
local table version=0000004e main table version=0011e696
vf=root dev=wan1 index=3
vf=root dev=ppp1 index=4
vf=root dev=modem index=5
vf=root dev=root index=6
vf=root dev=ssl.root index=7
vf=root dev=wan2 index=9
vf=root dev=dmz index=10
vf=root dev=internal index=11
vf=root dev=M175 index=12
...
ses=0/0 ses6=0/0 rt=0/0 rt6=0/0
This is in FOS v4.3.18.

Or this

gate # diagnose netlink interface list 

if=lo family=00 type=772 index=1 mtu=16436 link=0 master=0
ref=5 state=present flags=loopback

if=eth0 family=00 type=1 index=2 mtu=1500 link=0 master=0
ref=3 state=start present flags=up broadcast run promsic multicast

if=wan1 family=00 type=1 index=3 mtu=1492 link=0 master=0
ref=6 state=start present flags=up broadcast run multicast

if=dummy0 family=00 type=1 index=4 mtu=1500 link=0 master=0
ref=1 state=present flags=broadcast noarp

if=modem family=00 type=512 index=5 mtu=1500 link=0 master=0
ref=3 state=present flags=p2p noarp multicast

if=root family=00 type=772 index=6 mtu=16436 link=0 master=0
ref=25 state=start present flags=up loopback run

if=ssl.root family=00 type=512 index=7 mtu=1500 link=0 master=0
ref=5 state=start present flags=up p2p run noarp multicast

if=wan2 family=00 type=1 index=9 mtu=1500 link=0 master=0
ref=5 state=start present tx_sched flags=up broadcast multicast

if=dmz family=00 type=1 index=10 mtu=1500 link=0 master=0
ref=10 state=start present flags=up broadcast run multicast

if=internal family=00 type=1 index=11 mtu=1500 link=0 master=0
ref=17 state=start present flags=up broadcast run multicast

if=M175 family=00 type=1 index=12 mtu=1500 link=0 master=0
ref=6 state=start present flags=up broadcast run multicast
...
if=vsys_ha family=00 type=772 index=28 mtu=16436 link=0 master=0
ref=16 state=start present flags=up loopback run

if=port_ha family=00 type=1 index=29 mtu=1496 link=0 master=0
ref=4 state=start present flags=up broadcast run multicast

if=vsys_fgfm family=00 type=772 index=30 mtu=16436 link=0 master=0
ref=12 state=start present flags=up loopback run

if=ppp1 family=00 type=512 index=68 mtu=1492 link=3 master=0
ref=32 state=start present flags=up p2p run noarp multicast
This will list even the virtual interfaces which are only used internally.

 

As for the VPN setup, do you redirect phase1 to the secondary IP address? (* emnoc was quicker :)

And in your post, is 'a.b.' identical for both gateways, in other words, are you trying to connect within the same LAN?


Ede


"Kernel panic: Aiee, killing interrupt handler!"

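The ifindex in the ike debug output is the same kernel interface index that `diagnose netlink interface list` prints as index=N, so the lookup can be automated. The following is an added example, not code from this thread or from Fortinet: a small Python parser that maps the ifindex values in ike debug lines to interface names, plus a hypothetical helper, phase1_would_match, that models the behaviour reported in this thread (an IKE packet arriving at a secondary address only matches a phase1 whose local-gw names that address). The embedded sample input is a constructed excerpt of the listing and debug lines above; the primary address 172.a.b.1 is a made-up placeholder.

```python
import re

# Constructed sample input: the two ike debug lines quoted in the question and a
# trimmed excerpt of the `diagnose netlink interface list` output from the answer.
IKE_DEBUG = """\
ike 0: comes 172.a.b.122:500->172.a.b.121:500,ifindex=11...
ike 0: no IKEv1 phase1 configuration matching 172.a.b.122:500->172.a.b.121 11
"""

NETLINK_LIST = """\
if=lo family=00 type=772 index=1 mtu=16436 link=0 master=0
ref=5 state=present flags=loopback

if=wan1 family=00 type=1 index=3 mtu=1492 link=0 master=0
ref=6 state=start present flags=up broadcast run multicast

if=internal family=00 type=1 index=11 mtu=1500 link=0 master=0
ref=17 state=start present flags=up broadcast run multicast

if=ppp1 family=00 type=512 index=68 mtu=1492 link=3 master=0
ref=32 state=start present flags=up p2p run noarp multicast
"""

# "if=<name> ... index=<n>" opens each two-line record; the flags sit on the next line.
IF_LINE = re.compile(r"^if=(?P<name>\S+)\b.*?\bindex=(?P<index>\d+)")
FLAGS_LINE = re.compile(r"\bflags=(?P<flags>.*)$")
IKE_IFINDEX = re.compile(r"\bifindex=(\d+)")


def parse_netlink_list(text):
    """Return {ifindex: {"name": str, "flags": [str, ...]}} from the listing."""
    table = {}
    current = None
    for line in text.splitlines():
        m = IF_LINE.match(line)
        if m:
            current = int(m.group("index"))
            table[current] = {"name": m.group("name"), "flags": []}
            continue
        f = FLAGS_LINE.search(line)
        if f and current is not None:
            table[current]["flags"] = f.group("flags").split()
    return table


def resolve_ike_ifindex(debug_text, table):
    """Map every ifindex=N seen in ike debug output to its interface name ('?' if unknown)."""
    return {
        int(m.group(1)): table.get(int(m.group(1)), {}).get("name", "?")
        for m in IKE_IFINDEX.finditer(debug_text)
    }


def phase1_would_match(ike_dst, primary_ip, secondary_ips, local_gw=None):
    """Hypothetical model of the behaviour reported in this thread, not FortiOS code:
    a phase1-interface without local-gw listens on the interface's primary address,
    so IKE arriving at a secondary address matches only when local-gw names it."""
    if local_gw is not None and local_gw != primary_ip and local_gw not in secondary_ips:
        raise ValueError("local-gw must be an address configured on the interface")
    listen_on = local_gw if local_gw is not None else primary_ip
    return ike_dst == listen_on


if __name__ == "__main__":
    table = parse_netlink_list(NETLINK_LIST)
    print(resolve_ike_ifindex(IKE_DEBUG, table))  # {11: 'internal'}
    # Same scenario as the question: the tunnel terminates on a secondary address
    # (172.a.b.1 is a constructed placeholder for the interface's primary address).
    print(phase1_would_match("172.a.b.121", "172.a.b.1", ["172.a.b.121"]))
    print(phase1_would_match("172.a.b.121", "172.a.b.1", ["172.a.b.121"], local_gw="172.a.b.121"))
```

Paste the real `diagnose netlink interface list` output into NETLINK_LIST and the ike debug into IKE_DEBUG to get the mapping for your own unit; the flags list lets you also spot an interface that is present but not up.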
4 REPLIES
journeyman
Contributor

Thanks emnoc and ede. Setting the local-gw caused the tunnel to come up immediately. (This thought also occurred to me after work; glad I was on the right track.)

Thanks also for the ifindex debug. We run in internal interface mode, plus vlans and vpns. With so many interfaces it's nice to know how to find their index.

Thanks again.

 

edit - strange that the tunnel came up when it was built without the local-gw setting.

emnoc
Esteemed Contributor III

FYI

If you have SNMP enabled, you can query ifIndex with snmpwalk and also the descriptions. In later FortiOS, you can set the ifindex per interface:

config sys interface
    edit wan1
        set snmp-index 1
    next
end

PCNSE NSE StrongSwan