SCR-F0-FGT100C-1 # diagnose vpn ike config
vd: root/0
name: SCR-REMOTEVPN
serial: 7
version: 1
type: dynamic
mode: aggressive
dpd: enable retry-count 3 interval 5000ms
auth: psk
dhgrp: 2
xauth: server-auto
xauth-group: VPN-group
interface: wan1
distance: 1
priority: 0
phase2s:
SCR-REMOTEVPN-PH2 proto 0 src 0.0.0.0/0.0.0.0:0 dst 0.0.0.0/0.0.0.0:0 dhgrp 5 replay keep-alive dhcp
policies: none

config vpn ipsec phase1-interface
    edit "SCR-REMOTEVPN"
        set type dynamic
        set interface "wan1"
        set dhgrp 2
        set xauthtype auto
        set mode aggressive
        set proposal aes256-sha1 aes256-md5
        set authusrgrp "VPN-group"
        set psksecret ENC xxx
    next
end
config vpn ipsec phase2-interface
    edit "SCR-REMOTEVPN-PH2"
        set keepalive enable
        set phase1name "SCR-REMOTEVPN"
        set proposal aes256-sha1 aes256-md5
        set dhcp-ipsec enable
    next
end

Here is the error:

2012-07-20 13:08:51 log_id=0101037124 type=event subtype=ipsec pri=error vd="root" msg="IPsec phase 1 error" action="negotiate" rem_ip=xxx loc_ip=xxx rem_port=1049 loc_port=500 out_intf="wan1" cookies="xxx" user="N/A" group="N/A" xauth_user="N/A" xauth_group="N/A" vpn_tunnel="N/A" status=negotiate_error error_reason=no matching gateway for new request peer_notif=INITIAL-CONTACT

I've searched for HOURS, without success. I'm connecting from an Android phone; the Fortinet is a FortiWiFi 60C with 4.0 MR3 Patch 8 (the last available build). Using L2TP gives the same problem. Using PPTP works, but it is not really secure, so I would like to avoid it. Please help us. Thank you

ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: trying
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: matched phase2
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: dynamic client
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: my proposal:
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: proposal id = 1:
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: protocol id = IPSEC_ESP:
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: trans_id = ESP_AES (key_len = 256)
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: type = AUTH_ALG, val=SHA1
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: trans_id = ESP_AES (key_len = 128)
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: type = AUTH_ALG, val=SHA1
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: incoming proposal:
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: proposal id = 1:
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: protocol id = IPSEC_ESP:
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: trans_id = ESP_AES (key_len = 256)
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: encapsulation = UDP_ENCAPSULATION_MODE_TRANSPORT_RFC3947
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: type = AUTH_ALG, val=SHA1
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: trans_id = ESP_AES (key_len = 256)
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: encapsulation = UDP_ENCAPSULATION_MODE_TRANSPORT_RFC3947
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: type = AUTH_ALG, val=MD5
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: trans_id = ESP_AES (key_len = 128)
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: encapsulation = UDP_ENCAPSULATION_MODE_TRANSPORT_RFC3947
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: type = AUTH_ALG, val=SHA1
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: trans_id = ESP_AES (key_len = 128)
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: encapsulation = UDP_ENCAPSULATION_MODE_TRANSPORT_RFC3947
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: type = AUTH_ALG, val=MD5
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: trans_id = ESP_3DES
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: encapsulation = UDP_ENCAPSULATION_MODE_TRANSPORT_RFC3947
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: type = AUTH_ALG, val=SHA1
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: trans_id = ESP_3DES
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: encapsulation = UDP_ENCAPSULATION_MODE_TRANSPORT_RFC3947
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: type = AUTH_ALG, val=MD5
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: trans_id = ESP_DES
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: encapsulation = UDP_ENCAPSULATION_MODE_TRANSPORT_RFC3947
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: type = AUTH_ALG, val=SHA1
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: trans_id = ESP_DES
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: encapsulation = UDP_ENCAPSULATION_MODE_TRANSPORT_RFC3947
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: type = AUTH_ALG, val=MD5
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: negotiation failure
ike Negotiate IPsec SA Error: ike 0:SCR-RVPN-PH1_0:82:309: no SA proposal chosen

Looks like it wants "Transport mode" and not "Tunnel mode", but how do I configure this? Is this the same thing as the non-interface mode? (Never used it.)

And here is the pure IPSEC proposal with XAUTH disabled:

ike 0: IKEv1 Aggressive, comes **:1049->** 5, peer-id=remote.
ike 0:SCR-RVPN-PH1:84: responder: aggressive mode get 1st message...
ike 0:SCR-RVPN-PH1:84: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000
ike 0:SCR-RVPN-PH1:84: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:SCR-RVPN-PH1:84: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
ike 0:SCR-RVPN-PH1:84: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:SCR-RVPN-PH1:84: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:SCR-RVPN-PH1:84: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
ike 0:SCR-RVPN-PH1:84: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
ike 0:SCR-RVPN-PH1:84: peer supports UNITY
ike 0:SCR-RVPN-PH1:84: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:SCR-RVPN-PH1:84: DPD negotiated
ike 0:SCR-RVPN-PH1:84: incoming proposal:
ike 0:SCR-RVPN-PH1:84: proposal id = 0:
ike 0:SCR-RVPN-PH1:84: protocol id = ISAKMP:
ike 0:SCR-RVPN-PH1:84: trans_id = KEY_IKE.
ike 0:SCR-RVPN-PH1:84: encapsulation = IKE/none
ike 0:SCR-RVPN-PH1:84: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:SCR-RVPN-PH1:84: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:SCR-RVPN-PH1:84: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:SCR-RVPN-PH1:84: type=OAKLEY_GROUP, val=1024.
ike 0:SCR-RVPN-PH1:84: ISKAMP SA lifetime=28800
ike 0:SCR-RVPN-PH1:84: proposal id = 0:
ike 0:SCR-RVPN-PH1:84: protocol id = ISAKMP:
ike 0:SCR-RVPN-PH1:84: trans_id = KEY_IKE.
ike 0:SCR-RVPN-PH1:84: encapsulation = IKE/none
ike 0:SCR-RVPN-PH1:84: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:SCR-RVPN-PH1:84: type=OAKLEY_HASH_ALG, val=MD5.
ike 0:SCR-RVPN-PH1:84: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:SCR-RVPN-PH1:84: type=OAKLEY_GROUP, val=1024.
ike 0:SCR-RVPN-PH1:84: ISKAMP SA lifetime=28800
ike 0:SCR-RVPN-PH1:84: proposal id = 0:
ike 0:SCR-RVPN-PH1:84: protocol id = ISAKMP:
ike 0:SCR-RVPN-PH1:84: trans_id = KEY_IKE.
ike 0:SCR-RVPN-PH1:84: encapsulation = IKE/none
ike 0:SCR-RVPN-PH1:84: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:SCR-RVPN-PH1:84: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:SCR-RVPN-PH1:84: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:SCR-RVPN-PH1:84: type=OAKLEY_GROUP, val=1024.
ike 0:SCR-RVPN-PH1:84: ISKAMP SA lifetime=28800
ike 0:SCR-RVPN-PH1:84: proposal id = 0:
ike 0:SCR-RVPN-PH1:84: protocol id = ISAKMP:
ike 0:SCR-RVPN-PH1:84: trans_id = KEY_IKE.
ike 0:SCR-RVPN-PH1:84: encapsulation = IKE/none
ike 0:SCR-RVPN-PH1:84: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:SCR-RVPN-PH1:84: type=OAKLEY_HASH_ALG, val=MD5.
ike 0:SCR-RVPN-PH1:84: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:SCR-RVPN-PH1:84: type=OAKLEY_GROUP, val=1024.
ike 0:SCR-RVPN-PH1:84: ISKAMP SA lifetime=28800
ike 0:SCR-RVPN-PH1:84: proposal id = 0:
ike 0:SCR-RVPN-PH1:84: protocol id = ISAKMP:
ike 0:SCR-RVPN-PH1:84: trans_id = KEY_IKE.
ike 0:SCR-RVPN-PH1:84: encapsulation = IKE/none
ike 0:SCR-RVPN-PH1:84: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:SCR-RVPN-PH1:84: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:SCR-RVPN-PH1:84: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:SCR-RVPN-PH1:84: type=OAKLEY_GROUP, val=1024.
ike 0:SCR-RVPN-PH1:84: ISKAMP SA lifetime=28800
ike 0:SCR-RVPN-PH1:84: proposal id = 0:
ike 0:SCR-RVPN-PH1:84: protocol id = ISAKMP:
ike 0:SCR-RVPN-PH1:84: trans_id = KEY_IKE.
ike 0:SCR-RVPN-PH1:84: encapsulation = IKE/none
ike 0:SCR-RVPN-PH1:84: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:SCR-RVPN-PH1:84: type=OAKLEY_HASH_ALG, val=MD5.
ike 0:SCR-RVPN-PH1:84: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:SCR-RVPN-PH1:84: type=OAKLEY_GROUP, val=1024.
ike 0:SCR-RVPN-PH1:84: ISKAMP SA lifetime=28800
ike 0:SCR-RVPN-PH1:84: proposal id = 0:
ike 0:SCR-RVPN-PH1:84: protocol id = ISAKMP:
ike 0:SCR-RVPN-PH1:84: trans_id = KEY_IKE.
ike 0:SCR-RVPN-PH1:84: encapsulation = IKE/none
ike 0:SCR-RVPN-PH1:84: type=OAKLEY_ENCRYPT_ALG, val=DES_CBC.
ike 0:SCR-RVPN-PH1:84: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:SCR-RVPN-PH1:84: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:SCR-RVPN-PH1:84: type=OAKLEY_GROUP, val=1024.
ike 0:SCR-RVPN-PH1:84: ISKAMP SA lifetime=28800
ike 0:SCR-RVPN-PH1:84: proposal id = 0:
ike 0:SCR-RVPN-PH1:84: protocol id = ISAKMP:
ike 0:SCR-RVPN-PH1:84: trans_id = KEY_IKE.
ike 0:SCR-RVPN-PH1:84: encapsulation = IKE/none
ike 0:SCR-RVPN-PH1:84: type=OAKLEY_ENCRYPT_ALG, val=DES_CBC.
ike 0:SCR-RVPN-PH1:84: type=OAKLEY_HASH_ALG, val=MD5.
ike 0:SCR-RVPN-PH1:84: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:SCR-RVPN-PH1:84: type=OAKLEY_GROUP, val=1024.
ike 0:SCR-RVPN-PH1:84: ISKAMP SA lifetime=28800
ike 0:SCR-RVPN-PH1:84: my proposal:
ike 0:SCR-RVPN-PH1:84: proposal id = 1:
ike 0:SCR-RVPN-PH1:84: protocol id = ISAKMP:
ike 0:SCR-RVPN-PH1:84: trans_id = KEY_IKE.
ike 0:SCR-RVPN-PH1:84: encapsulation = IKE/none
ike 0:SCR-RVPN-PH1:84: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:SCR-RVPN-PH1:84: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:SCR-RVPN-PH1:84: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:SCR-RVPN-PH1:84: type=OAKLEY_GROUP, val=1024.
ike 0:SCR-RVPN-PH1:84: ISKAMP SA lifetime=28800
ike 0:SCR-RVPN-PH1:84: proposal id = 1:
ike 0:SCR-RVPN-PH1:84: protocol id = ISAKMP:
ike 0:SCR-RVPN-PH1:84: trans_id = KEY_IKE.
ike 0:SCR-RVPN-PH1:84: encapsulation = IKE/none
ike 0:SCR-RVPN-PH1:84: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:SCR-RVPN-PH1:84: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:SCR-RVPN-PH1:84: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:SCR-RVPN-PH1:84: type=OAKLEY_GROUP, val=1024.
ike 0:SCR-RVPN-PH1:84: ISKAMP SA lifetime=28800
ike 0:SCR-RVPN-PH1:84: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:SCR-RVPN-PH1:84: no SA proposal chosen
ike 0:SCR-RVPN-PH1: connection expiring due to phase1 down
ike 0:SCR-RVPN-PH1: deleting
ike 0:SCR-RVPN-PH1: flushing
ike 0:SCR-RVPN-PH1: sending SNMP tunnel DOWN trap
ike 0:SCR-RVPN-PH1: flushed
ike 0:SCR-RVPN-PH1: reset NAT-T
ike 0:SCR-RVPN-PH1: deleted

And here is the same with XAUTH enabled (that's what I want) (yes, I'm sure the login/password are good):

ike 0: comes xxx:1049->xxx:500,ifindex=5....
ike 0: IKEv1 exchange=Aggressive id=0848dc178f36b835/0000000000000000 len=642
ike 0: cache rebuild start
ike 0: cache rebuild done
ike 0: IKEv1 Aggressive, comes xxx:1049->xxx 5, peer-id=remote.
ike 0:SCR-RVPN-PH1: check for IP assignment method ...
ike 0:SCR-RVPN-PH1: no IP assignment method defined
ike 0:SCR-RVPN-PH1:96: responder: aggressive mode get 1st message...
ike 0:SCR-RVPN-PH1:96: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000
ike 0:SCR-RVPN-PH1:96: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:SCR-RVPN-PH1:96: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
ike 0:SCR-RVPN-PH1:96: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:SCR-RVPN-PH1:96: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:SCR-RVPN-PH1:96: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
ike 0:SCR-RVPN-PH1:96: XAUTHv6 negotiated
ike 0:SCR-RVPN-PH1:96: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
ike 0:SCR-RVPN-PH1:96: peer supports UNITY
ike 0:SCR-RVPN-PH1:96: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:SCR-RVPN-PH1:96: DPD negotiated
ike 0:SCR-RVPN-PH1:96: negotiation result
ike 0:SCR-RVPN-PH1:96: proposal id = 1:
ike 0:SCR-RVPN-PH1:96: protocol id = ISAKMP:
ike 0:SCR-RVPN-PH1:96: trans_id = KEY_IKE.
ike 0:SCR-RVPN-PH1:96: encapsulation = IKE/none
ike 0:SCR-RVPN-PH1:96: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:SCR-RVPN-PH1:96: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:SCR-RVPN-PH1:96: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:SCR-RVPN-PH1:96: type=OAKLEY_GROUP, val=1024.
ike 0:SCR-RVPN-PH1:96: ISKAMP SA lifetime=28800
ike 0:SCR-RVPN-PH1:96: selected NAT-T version: RFC 3947
ike 0:SCR-RVPN-PH1:96: cookie 0848dc178f36b835/9d0a3d848c2b5739
ike 0:SCR-RVPN-PH1:96: sent IKE msg (agg_r1send): xxx:500->xxx:1049, len=412, id=0848dc178f36b835/9d0a3d848c2b5739
ike 0: comes xxx:4505->xxx:4500,ifindex=5....
ike 0: IKEv1 exchange=Aggressive id=0848dc178f36b835/9d0a3d848c2b5739 len=100
ike 0:SCR-RVPN-PH1:96: responder: aggressive mode get 2nd response...
ike 0:SCR-RVPN-PH1:96: received NAT-D payload type 20
ike 0:SCR-RVPN-PH1:96: received NAT-D payload type 20
ike 0:SCR-RVPN-PH1:96: PSK authentication succeeded
ike 0:SCR-RVPN-PH1:96: authentication OK
ike 0:SCR-RVPN-PH1:96: NAT detected: ME PEER
ike 0:SCR-RVPN-PH1:96: port change 1049 -> 4505
ike 0:SCR-RVPN-PH1:96: established IKE SA 0848dc178f36b835/9d0a3d848c2b5739
ike 0:SCR-RVPN-PH1: adding new dynamic tunnel for xxx:4505
ike 0:SCR-RVPN-PH1_0: added new dynamic tunnel for xxx:4505
ike 0:SCR-RVPN-PH1_0:96: initiating XAUTH.
ike 0:SCR-RVPN-PH1_0:96: sending XAUTH request
ike 0:SCR-RVPN-PH1_0:96: sent IKE msg (cfg_send): xxx:4500->xxx:4505, len=76, id=0848dc178f36b835/9d0a3d848c2b5739:fd718ad4
ike 0: comes xxx:4505->xxx:4500,ifindex=5....
ike 0:SCR-RVPN-PH1_0:96: notify msg received: INITIAL-CONTACT
ike 0:SCR-RVPN-PH1_0:96: processing INITIAL-CONTACT
ike 0:SCR-RVPN-PH1_0: flushing
ike 0:SCR-RVPN-PH1_0: flushed
ike 0:SCR-RVPN-PH1_0:96: processed INITIAL-CONTACT
ike 0: comes xxx:4505->xxx:4500,ifindex=5....
ike 0: IKEv1 exchange=Mode config id=0848dc178f36b835/9d0a3d848c2b5739:fd718ad4 len=108
ike 0:SCR-RVPN-PH1_0:96: received XAUTH_USER_NAME 'kedare' length 6
ike 0:SCR-RVPN-PH1_0:96: received XAUTH_USER_PASSWORD length 7
ike 0:SCR-RVPN-PH1_0: XAUTH user "kedare" in group 'VPN-group' (2)
ike 0:SCR-RVPN-PH1_0: XAUTH failed for user "kedare", retry(2).
ike 0:SCR-RVPN-PH1_0:96: sending XAUTH request
ike 0:SCR-RVPN-PH1_0:96: sent IKE msg (cfg_send): xxx:4500->xxx:4505, len=76, id=0848dc178f36b835/9d0a3d848c2b5739:f4cd6fee
ike 0: comes xxx:4505->xxx:4500,ifindex=5....
ike 0: IKEv1 exchange=Mode config id=0848dc178f36b835/9d0a3d848c2b5739:f4cd6fee len=108
ike 0:SCR-RVPN-PH1_0:96: received XAUTH_USER_NAME 'kedare' length 6
ike 0:SCR-RVPN-PH1_0:96: received XAUTH_USER_PASSWORD length 7
ike 0:SCR-RVPN-PH1_0: XAUTH user "kedare" in group 'VPN-group' (2)
ike 0:SCR-RVPN-PH1_0: XAUTH failed for user "kedare", retry(1).
ike 0:SCR-RVPN-PH1_0:96: sending XAUTH request
ike 0:SCR-RVPN-PH1_0:96: sent IKE msg (cfg_send): xxx:4500->xxx:4505, len=76, id=0848dc178f36b835/9d0a3d848c2b5739:42d9a816
ike 0: comes xxx:4505->xxx:4500,ifindex=5....
ike 0:SCR-RVPN-PH1_0:96: received XAUTH_USER_NAME 'kedare' length 6
ike 0:SCR-RVPN-PH1_0:96: received XAUTH_USER_PASSWORD length 7
ike 0:SCR-RVPN-PH1_0: XAUTH user "kedare" in group 'VPN-group' (2)
ike 0:SCR-RVPN-PH1_0: XAUTH failed for user "kedare"
ike 0:SCR-RVPN-PH1_0: connection expiring due to XAUTH failure
ike 0:SCR-RVPN-PH1_0: deleting
ike 0:SCR-RVPN-PH1_0: flushing
ike 0:SCR-RVPN-PH1_0: sending SNMP tunnel DOWN trap
ike 0:SCR-RVPN-PH1_0: flushed
ike 0:SCR-RVPN-PH1_0:96: send ISAKMP delete 0848dc178f36b835/9d0a3d848c2b5739
ike 0:SCR-RVPN-PH1_0:96: sent IKE msg (ISKAMP SA DELETE-NOTIFY): xxx:4500->xxx:4505, len=92, id=0848dc178f36b835/9d0a3d848c2b5739:99a3844d
ike 0:SCR-RVPN-PH1_0: delete dynamic
ike 0:SCR-RVPN-PH1_0: reset NAT-T
ike 0:SCR-RVPN-PH1_0: deleted
ike shrank heap by 8192 bytes

I don't know why the XAuth fails... Do you have any idea? Thank you
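
Added example, not part of the original posts: a small parser that compares the "my proposal" and "incoming proposal" sections of IKE debug output in the format shown above and reports which attribute has no value in common, which is what produces "no SA proposal chosen". The sample lines are constructed and abridged from that format, and the names `parse` and `blocking_attributes` are hypothetical.

```python
import re
# Constructed sample lines, abridged from the debug format quoted in the thread.
PHASE1 = """\
ike 0:SCR-RVPN-PH1:84: incoming proposal:
ike 0:SCR-RVPN-PH1:84: trans_id = KEY_IKE.
ike 0:SCR-RVPN-PH1:84: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:SCR-RVPN-PH1:84: my proposal:
ike 0:SCR-RVPN-PH1:84: trans_id = KEY_IKE.
ike 0:SCR-RVPN-PH1:84: type=AUTH_METHOD, val=PRESHARED_KEY.
"""
PHASE2 = """\
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: my proposal:
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: trans_id = ESP_AES (key_len = 256)
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: type = AUTH_ALG, val=SHA1
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: incoming proposal:
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: trans_id = ESP_AES (key_len = 256)
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: encapsulation = UDP_ENCAPSULATION_MODE_TRANSPORT_RFC3947
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: type = AUTH_ALG, val=SHA1
"""
ENTRY = re.compile(r"^ike\s+\S+:\s+(.*?)\.?\s*$")
FIELD = re.compile(r"^(?:type\s*=\s*(\w+),\s*val|(trans_id|encapsulation))\s*=\s*(.+)$")

def parse(text):
    """Return {'my': [...], 'incoming': [...]}, one dict per offered transform."""
    sides, side = {"my": [], "incoming": []}, None
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        body = m.group(1) if m else ""
        if body in ("my proposal:", "incoming proposal:"):
            side = body.split()[0]
        f = FIELD.match(body)
        if side is None or not f:
            continue
        key = f.group(1) or f.group(2)
        if key == "trans_id" or not sides[side]:  # trans_id opens a transform
            sides[side].append({})
        sides[side][-1][key] = f.group(3).strip()
    return sides

def blocking_attributes(text):
    """Attributes for which the two sides have no value in common."""
    s, out = parse(text), {}
    for k in sorted({k for t in s["my"] + s["incoming"] for k in t}):
        mine = {t[k] for t in s["my"] if k in t}
        theirs = {t[k] for t in s["incoming"] if k in t}
        if mine and theirs and not mine & theirs:
            out[k] = (sorted(mine), sorted(theirs))
    return out
```

On the two samples it reports `AUTH_METHOD` for the phase 1 trace and `encapsulation` for the phase 2 trace; an empty result means every attribute overlaps somewhere, so the mismatch is in the combination offered by a single transform.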

Looks like it wants "Transport mode" and not "Tunnel mode", but how do I configure this? Is this the same thing as the non-interface mode? (Never used it.)

Hi. Yes, you SSH to the firewall and...

config vpn ipsec phase2
    edit [yr-phase2]
        set encapsulation transport-mode
    next
end

Mine is stuck in phase 2. I don't know what's going on; I have nothing on debug while on SSH. Is there anything I should enable to get debug output over SSH?

I don't know... XAUTH doesn't seem to work well with Windows, I don't know why. I tried it and it failed. Please tell me what you have done. I changed the position of my policies in the firewall policies and brought them to the top, but still no result :( The same error, no default gateway.... Did you get past this error? How?