samanka80
New Contributor

no matching gateway for new request /// ipsec

Hi, I have been trying to use L2TP, and I get the following error from a FortiGate 200B. What is this "no matching gateway for new request"? What should I do? My config is also below.

Message meets Alert condition
date=2012-07-18 time=22:54:50 devname=Seth_Main device_id=FG200B3911606385 log_id=0101037125 type=event subtype=ipsec pri=error vd="root" msg="IPsec phase 2 error" action="negotiate" rem_ip=.............. loc_ip=............... rem_port=500 loc_port=500 out_intf="port9" cookies="cf082b1b56e8146e/0000000000000000" user="N/A" group="N/A" xauth_user="N/A" xauth_group="N/A" vpn_tunnel="N/A" status=negotiate_error error_reason=no matching gateway for new request

Here is the config:

config vpn l2tp
    set eip 10.0.2.120
    set sip 10.0.2.101
    set status enable
    set usrgrp "L2TP_GROUP"
end
config user group
    edit "L2TP_GROUP"
        set member "neda" "divek"
    next
end
config vpn ipsec phase1
    edit "REMOTE_P1"
        set type dynamic ******* //the remote gateway is set to dialup clients
        set interface "port9"
        set dhgrp 2
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set psksecret ENC xVy3WCpj6r8OQiu5KGaqM0z4uODBwAVRBE7NMv6kcoQ/B0ERBlYB0rtrPTaRgxn6QGW4zR9xhx1PNEfNSc2wXO/iEDwvzjpbtyu3kY8aUr7MqFOs
    next
end
config vpn ipsec phase2
    edit "REMOTE_P2"
        set encapsulation transport-mode
        set pfs disable
        set phase1name "REMOTE_P1"
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set keylifeseconds 3600 **//relay is enabled it is not shown
    next
end
config firewall policy
    edit 64
        set srcintf "port9" //wan interface
        set dstintf "truWorkstations" //lan interface
        set srcaddr "L2TPclients"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
config firewall policy
    edit 57
        set srcintf "truWorkstations"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "all"
        set action ipsec
        set schedule "always"
        set service "ANY"
        set inbound enable
        set outbound enable
        set vpntunnel "REMOTE_P1"
    next
end
config firewall address
    edit "L2TPclients"
        set type iprange
        set end-ip 10.0.2.120
        set start-ip 10.0.2.101
    next
end
config system dhcp server
    edit 1
        set default-gateway 10.0.2.1
        config exclude-range
            edit 1
                set end-ip 10.0.2.120
                set start-ip 10.0.2.101
            next
        end
        set interface "truWorkstations"
        config ip-range
            edit 1
                set end-ip 10.0.2.100
                set start-ip 10.0.2.2
            next
        end
        set netmask 255.255.255.0
        set wins-server1 10.0.5.25
        set dns-server1 10.0.2.1
        set dns-server2 //DNS server
    next
end

And there is more about this at this link: http://support.fortinet.com/forum/tm.asp?m=86327&p=1&tmode=1&smode=1 I wanted to post in the same topic, but it was getting long and confusing, so I used a brand new topic. You are really angels... thank you... please help me....
Kedare
New Contributor

Hello, I have exactly the same problem, here is my configuration:
SCR-F0-FGT100C-1 # diagnose vpn ike config
 
 vd: root/0
 name: SCR-REMOTEVPN
 serial: 7
 version: 1
 type: dynamic
 mode: aggressive
 dpd: enable  retry-count 3  interval 5000ms
 auth: psk
 dhgrp:  2
 xauth: server-auto
 xauth-group: VPN-group
 interface: wan1
 distance: 1
 priority: 0
 phase2s:
   SCR-REMOTEVPN-PH2 proto 0 src 0.0.0.0/0.0.0.0:0 dst 0.0.0.0/0.0.0.0:0  dhgrp 5  replay  keep-alive  dhcp
 policies: none
config vpn ipsec phase1-interface
     edit "SCR-REMOTEVPN"
         set type dynamic
         set interface "wan1"
         set dhgrp 2
         set xauthtype auto
         set mode aggressive
         set proposal aes256-sha1 aes256-md5
         set authusrgrp "VPN-group"
         set psksecret ENC xxx
     next
 
 config vpn ipsec phase2-interface
     edit "SCR-REMOTEVPN-PH2"
         set keepalive enable
         set phase1name "SCR-REMOTEVPN"
         set proposal aes256-sha1 aes256-md5
         set dhcp-ipsec enable
     next
 end
Here is the error:
2012-07-20 13:08:51 log_id=0101037124 
 type=event 
 subtype=ipsec 
 pri=error 
 vd="root"
 msg="IPsec phase 1 error"
 action="negotiate"
 rem_ip=xxx
 loc_ip=xxx
 rem_port=1049
 loc_port=500
 out_intf="wan1"
 cookies="xxx"
 user="N/A"
 group="N/A"
 xauth_user="N/A"
 xauth_group="N/A"
 vpn_tunnel="N/A"
 status=negotiate_error error_reason=no matching gateway for new request 
 peer_notif=INITIAL-CONTACT
I've searched for HOURS, without success. I'm connecting from an Android phone; the Fortinet is a FortiWiFi 60C with 4.0 MR3 Patch 8 (the last available build). Using L2TP gives the same problem; using PPTP works, but it is not really secure, so I would like to avoid it. Please help us. Thank you
romanr
Valued Contributor

Hi, for both problems, you will need to dig into the output from the IKE daemon to see where it goes wrong! The following debugging commands for the command line interface will bring you the IKE daemon debug messages:
 diag debug app ike -1
 diag debug enable
best regards, Roman
Kedare
New Contributor

Hello, I successfully passed this step with the debug, but now I am stuck at the proposal exchange. I don't understand why the Android phone doesn't accept the FortiGate proposals; they look the same. Another strange thing: when I try to connect using remote IPsec, the proposals get stuck at phase 1; when I try to connect using L2TP, the proposals get stuck at phase 2. Example with L2TP:
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: trying
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: matched phase2
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: dynamic client
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: my proposal:
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: proposal id = 1:
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:   protocol id = IPSEC_ESP:
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:      trans_id = ESP_AES (key_len = 256)
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:      encapsulation = ENCAPSULATION_MODE_TUNNEL
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:         type = AUTH_ALG, val=SHA1
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:      trans_id = ESP_AES (key_len = 128)
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:      encapsulation = ENCAPSULATION_MODE_TUNNEL
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:         type = AUTH_ALG, val=SHA1
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: incoming proposal:
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: proposal id = 1:
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:   protocol id = IPSEC_ESP:
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:      trans_id = ESP_AES (key_len = 256)
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:      encapsulation = UDP_ENCAPSULATION_MODE_TRANSPORT_RFC3947
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:         type = AUTH_ALG, val=SHA1
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:      trans_id = ESP_AES (key_len = 256)
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:      encapsulation = UDP_ENCAPSULATION_MODE_TRANSPORT_RFC3947
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:         type = AUTH_ALG, val=MD5
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:      trans_id = ESP_AES (key_len = 128)
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:      encapsulation = UDP_ENCAPSULATION_MODE_TRANSPORT_RFC3947
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:         type = AUTH_ALG, val=SHA1
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:      trans_id = ESP_AES (key_len = 128)
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:      encapsulation = UDP_ENCAPSULATION_MODE_TRANSPORT_RFC3947
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:         type = AUTH_ALG, val=MD5
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:      trans_id = ESP_3DES
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:      encapsulation = UDP_ENCAPSULATION_MODE_TRANSPORT_RFC3947
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:         type = AUTH_ALG, val=SHA1
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:      trans_id = ESP_3DES
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:      encapsulation = UDP_ENCAPSULATION_MODE_TRANSPORT_RFC3947
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:         type = AUTH_ALG, val=MD5
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:      trans_id = ESP_DES
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:      encapsulation = UDP_ENCAPSULATION_MODE_TRANSPORT_RFC3947
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:         type = AUTH_ALG, val=SHA1
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:      trans_id = ESP_DES
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:      encapsulation = UDP_ENCAPSULATION_MODE_TRANSPORT_RFC3947
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:         type = AUTH_ALG, val=MD5
 ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: negotiation failure
 ike Negotiate IPsec SA Error: ike 0:SCR-RVPN-PH1_0:82:309: no SA proposal chosen
Looks like it wants "Transport mode" and not "Tunnel mode", but how do I configure this? Is this the same thing as the non-interface mode? (Never used it.) And here is the pure IPsec proposal with XAUTH disabled:
ike 0: IKEv1 Aggressive, comes **:1049->** 5, peer-id=remote.
 ike 0:SCR-RVPN-PH1:84: responder: aggressive mode get 1st message...
 ike 0:SCR-RVPN-PH1:84: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000
 ike 0:SCR-RVPN-PH1:84: VID RFC 3947 4A131C81070358455C5728F20E95452F
 ike 0:SCR-RVPN-PH1:84: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
 ike 0:SCR-RVPN-PH1:84: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
 ike 0:SCR-RVPN-PH1:84: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
 ike 0:SCR-RVPN-PH1:84: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
 ike 0:SCR-RVPN-PH1:84: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
 ike 0:SCR-RVPN-PH1:84: peer supports UNITY
 ike 0:SCR-RVPN-PH1:84: VID DPD AFCAD71368A1F1C96B8696FC77570100
 ike 0:SCR-RVPN-PH1:84: DPD negotiated
 ike 0:SCR-RVPN-PH1:84: incoming proposal:
 ike 0:SCR-RVPN-PH1:84: proposal id = 0:
 ike 0:SCR-RVPN-PH1:84:   protocol id = ISAKMP:
 ike 0:SCR-RVPN-PH1:84:      trans_id = KEY_IKE.
 ike 0:SCR-RVPN-PH1:84:      encapsulation = IKE/none
 ike 0:SCR-RVPN-PH1:84:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
 ike 0:SCR-RVPN-PH1:84:         type=OAKLEY_HASH_ALG, val=SHA.
 ike 0:SCR-RVPN-PH1:84:         type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
 ike 0:SCR-RVPN-PH1:84:         type=OAKLEY_GROUP, val=1024.
 ike 0:SCR-RVPN-PH1:84: ISKAMP SA lifetime=28800
 ike 0:SCR-RVPN-PH1:84: proposal id = 0:
 ike 0:SCR-RVPN-PH1:84:   protocol id = ISAKMP:
 ike 0:SCR-RVPN-PH1:84:      trans_id = KEY_IKE.
 ike 0:SCR-RVPN-PH1:84:      encapsulation = IKE/none
 ike 0:SCR-RVPN-PH1:84:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
 ike 0:SCR-RVPN-PH1:84:         type=OAKLEY_HASH_ALG, val=MD5.
 ike 0:SCR-RVPN-PH1:84:         type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
 ike 0:SCR-RVPN-PH1:84:         type=OAKLEY_GROUP, val=1024.
 ike 0:SCR-RVPN-PH1:84: ISKAMP SA lifetime=28800
 ike 0:SCR-RVPN-PH1:84: proposal id = 0:
 ike 0:SCR-RVPN-PH1:84:   protocol id = ISAKMP:
 ike 0:SCR-RVPN-PH1:84:      trans_id = KEY_IKE.
 ike 0:SCR-RVPN-PH1:84:      encapsulation = IKE/none
 ike 0:SCR-RVPN-PH1:84:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
 ike 0:SCR-RVPN-PH1:84:         type=OAKLEY_HASH_ALG, val=SHA.
 ike 0:SCR-RVPN-PH1:84:         type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
 ike 0:SCR-RVPN-PH1:84:         type=OAKLEY_GROUP, val=1024.
 ike 0:SCR-RVPN-PH1:84: ISKAMP SA lifetime=28800
 ike 0:SCR-RVPN-PH1:84: proposal id = 0:
 ike 0:SCR-RVPN-PH1:84:   protocol id = ISAKMP:
 ike 0:SCR-RVPN-PH1:84:      trans_id = KEY_IKE.
 ike 0:SCR-RVPN-PH1:84:      encapsulation = IKE/none
 ike 0:SCR-RVPN-PH1:84:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
 ike 0:SCR-RVPN-PH1:84:         type=OAKLEY_HASH_ALG, val=MD5.
 ike 0:SCR-RVPN-PH1:84:         type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
 ike 0:SCR-RVPN-PH1:84:         type=OAKLEY_GROUP, val=1024.
 ike 0:SCR-RVPN-PH1:84: ISKAMP SA lifetime=28800
 ike 0:SCR-RVPN-PH1:84: proposal id = 0:
 ike 0:SCR-RVPN-PH1:84:   protocol id = ISAKMP:
 ike 0:SCR-RVPN-PH1:84:      trans_id = KEY_IKE.
 ike 0:SCR-RVPN-PH1:84:      encapsulation = IKE/none
 ike 0:SCR-RVPN-PH1:84:         type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
 ike 0:SCR-RVPN-PH1:84:         type=OAKLEY_HASH_ALG, val=SHA.
 ike 0:SCR-RVPN-PH1:84:         type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
 ike 0:SCR-RVPN-PH1:84:         type=OAKLEY_GROUP, val=1024.
 ike 0:SCR-RVPN-PH1:84: ISKAMP SA lifetime=28800
 ike 0:SCR-RVPN-PH1:84: proposal id = 0:
 ike 0:SCR-RVPN-PH1:84:   protocol id = ISAKMP:
 ike 0:SCR-RVPN-PH1:84:      trans_id = KEY_IKE.
 ike 0:SCR-RVPN-PH1:84:      encapsulation = IKE/none
 ike 0:SCR-RVPN-PH1:84:         type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
 ike 0:SCR-RVPN-PH1:84:         type=OAKLEY_HASH_ALG, val=MD5.
 ike 0:SCR-RVPN-PH1:84:         type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
 ike 0:SCR-RVPN-PH1:84:         type=OAKLEY_GROUP, val=1024.
 ike 0:SCR-RVPN-PH1:84: ISKAMP SA lifetime=28800
 ike 0:SCR-RVPN-PH1:84: proposal id = 0:
 ike 0:SCR-RVPN-PH1:84:   protocol id = ISAKMP:
 ike 0:SCR-RVPN-PH1:84:      trans_id = KEY_IKE.
 ike 0:SCR-RVPN-PH1:84:      encapsulation = IKE/none
 ike 0:SCR-RVPN-PH1:84:         type=OAKLEY_ENCRYPT_ALG, val=DES_CBC.
 ike 0:SCR-RVPN-PH1:84:         type=OAKLEY_HASH_ALG, val=SHA.
 ike 0:SCR-RVPN-PH1:84:         type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
 ike 0:SCR-RVPN-PH1:84:         type=OAKLEY_GROUP, val=1024.
 ike 0:SCR-RVPN-PH1:84: ISKAMP SA lifetime=28800
 ike 0:SCR-RVPN-PH1:84: proposal id = 0:
 ike 0:SCR-RVPN-PH1:84:   protocol id = ISAKMP:
 ike 0:SCR-RVPN-PH1:84:      trans_id = KEY_IKE.
 ike 0:SCR-RVPN-PH1:84:      encapsulation = IKE/none
 ike 0:SCR-RVPN-PH1:84:         type=OAKLEY_ENCRYPT_ALG, val=DES_CBC.
 ike 0:SCR-RVPN-PH1:84:         type=OAKLEY_HASH_ALG, val=MD5.
 ike 0:SCR-RVPN-PH1:84:         type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
 ike 0:SCR-RVPN-PH1:84:         type=OAKLEY_GROUP, val=1024.
 ike 0:SCR-RVPN-PH1:84: ISKAMP SA lifetime=28800
 ike 0:SCR-RVPN-PH1:84: my proposal:
 ike 0:SCR-RVPN-PH1:84: proposal id = 1:
 ike 0:SCR-RVPN-PH1:84:   protocol id = ISAKMP:
 ike 0:SCR-RVPN-PH1:84:      trans_id = KEY_IKE.
 ike 0:SCR-RVPN-PH1:84:      encapsulation = IKE/none
 ike 0:SCR-RVPN-PH1:84:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
 ike 0:SCR-RVPN-PH1:84:         type=OAKLEY_HASH_ALG, val=SHA.
 ike 0:SCR-RVPN-PH1:84:         type=AUTH_METHOD, val=PRESHARED_KEY.
 ike 0:SCR-RVPN-PH1:84:         type=OAKLEY_GROUP, val=1024.
 ike 0:SCR-RVPN-PH1:84: ISKAMP SA lifetime=28800
 ike 0:SCR-RVPN-PH1:84: proposal id = 1:
 ike 0:SCR-RVPN-PH1:84:   protocol id = ISAKMP:
 ike 0:SCR-RVPN-PH1:84:      trans_id = KEY_IKE.
 ike 0:SCR-RVPN-PH1:84:      encapsulation = IKE/none
 ike 0:SCR-RVPN-PH1:84:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
 ike 0:SCR-RVPN-PH1:84:         type=OAKLEY_HASH_ALG, val=SHA.
 ike 0:SCR-RVPN-PH1:84:         type=AUTH_METHOD, val=PRESHARED_KEY.
 ike 0:SCR-RVPN-PH1:84:         type=OAKLEY_GROUP, val=1024.
 ike 0:SCR-RVPN-PH1:84: ISKAMP SA lifetime=28800
 ike 0:SCR-RVPN-PH1:84: negotiation failure
 ike Negotiate ISAKMP SA Error: ike 0:SCR-RVPN-PH1:84: no SA proposal chosen
 ike 0:SCR-RVPN-PH1: connection expiring due to phase1 down
 ike 0:SCR-RVPN-PH1: deleting
 ike 0:SCR-RVPN-PH1: flushing 
 ike 0:SCR-RVPN-PH1: sending SNMP tunnel DOWN trap
 ike 0:SCR-RVPN-PH1: flushed 
 ike 0:SCR-RVPN-PH1: reset NAT-T
 ike 0:SCR-RVPN-PH1: deleted
And here is the same with XAUTH enabled (that's what I want) (yes, I'm sure the login/password are good):
ike 0: comes xxx:1049->xxx:500,ifindex=5....
 ike 0: IKEv1 exchange=Aggressive id=0848dc178f36b835/0000000000000000 len=642
 ike 0: cache rebuild start
 ike 0: cache rebuild done
 ike 0: IKEv1 Aggressive, comes xxx:1049->xxx 5, peer-id=remote.
 ike 0:SCR-RVPN-PH1: check for IP assignment method ...
 ike 0:SCR-RVPN-PH1: no IP assignment method defined
 ike 0:SCR-RVPN-PH1:96: responder: aggressive mode get 1st message...
 ike 0:SCR-RVPN-PH1:96: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000
 ike 0:SCR-RVPN-PH1:96: VID RFC 3947 4A131C81070358455C5728F20E95452F
 ike 0:SCR-RVPN-PH1:96: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
 ike 0:SCR-RVPN-PH1:96: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
 ike 0:SCR-RVPN-PH1:96: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
 ike 0:SCR-RVPN-PH1:96: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
 ike 0:SCR-RVPN-PH1:96: XAUTHv6 negotiated
 ike 0:SCR-RVPN-PH1:96: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
 ike 0:SCR-RVPN-PH1:96: peer supports UNITY
 ike 0:SCR-RVPN-PH1:96: VID DPD AFCAD71368A1F1C96B8696FC77570100
 ike 0:SCR-RVPN-PH1:96: DPD negotiated
 ike 0:SCR-RVPN-PH1:96: negotiation result
 ike 0:SCR-RVPN-PH1:96: proposal id = 1:
 ike 0:SCR-RVPN-PH1:96:   protocol id = ISAKMP:
 ike 0:SCR-RVPN-PH1:96:      trans_id = KEY_IKE.
 ike 0:SCR-RVPN-PH1:96:      encapsulation = IKE/none
 ike 0:SCR-RVPN-PH1:96:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
 ike 0:SCR-RVPN-PH1:96:         type=OAKLEY_HASH_ALG, val=SHA.
 ike 0:SCR-RVPN-PH1:96:         type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
 ike 0:SCR-RVPN-PH1:96:         type=OAKLEY_GROUP, val=1024.
 ike 0:SCR-RVPN-PH1:96: ISKAMP SA lifetime=28800
 ike 0:SCR-RVPN-PH1:96: selected NAT-T version: RFC 3947
 ike 0:SCR-RVPN-PH1:96: cookie 0848dc178f36b835/9d0a3d848c2b5739
 ike 0:SCR-RVPN-PH1:96: sent IKE msg (agg_r1send): xxx:500->xxx:1049, len=412, id=0848dc178f36b835/9d0a3d848c2b5739
 ike 0: comes xxx:4505->xxx:4500,ifindex=5....
 ike 0: IKEv1 exchange=Aggressive id=0848dc178f36b835/9d0a3d848c2b5739 len=100
 ike 0:SCR-RVPN-PH1:96: responder: aggressive mode get 2nd response...
 ike 0:SCR-RVPN-PH1:96: received NAT-D payload type 20
 ike 0:SCR-RVPN-PH1:96: received NAT-D payload type 20
 ike 0:SCR-RVPN-PH1:96: PSK authentication succeeded
 ike 0:SCR-RVPN-PH1:96: authentication OK
 ike 0:SCR-RVPN-PH1:96: NAT detected: ME PEER
 ike 0:SCR-RVPN-PH1:96: port change 1049 -> 4505
 ike 0:SCR-RVPN-PH1:96: established IKE SA 0848dc178f36b835/9d0a3d848c2b5739
 ike 0:SCR-RVPN-PH1: adding new dynamic tunnel for xxx:4505
 ike 0:SCR-RVPN-PH1_0: added new dynamic tunnel for xxx:4505
 ike 0:SCR-RVPN-PH1_0:96: initiating XAUTH.
 ike 0:SCR-RVPN-PH1_0:96: sending XAUTH request
 ike 0:SCR-RVPN-PH1_0:96: sent IKE msg (cfg_send): xxx:4500->xxx:4505, len=76, id=0848dc178f36b835/9d0a3d848c2b5739:fd718ad4
 ike 0: comes xxx:4505->xxx:4500,ifindex=5....
 ike 0:SCR-RVPN-PH1_0:96: notify msg received: INITIAL-CONTACT
 ike 0:SCR-RVPN-PH1_0:96: processing INITIAL-CONTACT
 ike 0:SCR-RVPN-PH1_0: flushing 
 ike 0:SCR-RVPN-PH1_0: flushed 
 ike 0:SCR-RVPN-PH1_0:96: processed INITIAL-CONTACT
 ike 0: comes xxx:4505->xxx:4500,ifindex=5....
 ike 0: IKEv1 exchange=Mode config id=0848dc178f36b835/9d0a3d848c2b5739:fd718ad4 len=108
 ike 0:SCR-RVPN-PH1_0:96: received XAUTH_USER_NAME 'kedare' length 6
 ike 0:SCR-RVPN-PH1_0:96: received XAUTH_USER_PASSWORD length 7
 ike 0:SCR-RVPN-PH1_0: XAUTH user "kedare" in group 'VPN-group' (2)
 ike 0:SCR-RVPN-PH1_0: XAUTH failed for user "kedare", retry(2).
 ike 0:SCR-RVPN-PH1_0:96: sending XAUTH request
 ike 0:SCR-RVPN-PH1_0:96: sent IKE msg (cfg_send): xxx:4500->xxx:4505, len=76, id=0848dc178f36b835/9d0a3d848c2b5739:f4cd6fee
 ike 0: comes xxx:4505->xxx:4500,ifindex=5....
 ike 0: IKEv1 exchange=Mode config id=0848dc178f36b835/9d0a3d848c2b5739:f4cd6fee len=108
 ike 0:SCR-RVPN-PH1_0:96: received XAUTH_USER_NAME 'kedare' length 6
 ike 0:SCR-RVPN-PH1_0:96: received XAUTH_USER_PASSWORD length 7
 ike 0:SCR-RVPN-PH1_0: XAUTH user "kedare" in group 'VPN-group' (2)
 ike 0:SCR-RVPN-PH1_0: XAUTH failed for user "kedare", retry(1).
 ike 0:SCR-RVPN-PH1_0:96: sending XAUTH request
 ike 0:SCR-RVPN-PH1_0:96: sent IKE msg (cfg_send): xxx:4500->xxx:4505, len=76, id=0848dc178f36b835/9d0a3d848c2b5739:42d9a816
 ike 0: comes xxx:4505->xxx:4500,ifindex=5....
 ike 0:SCR-RVPN-PH1_0:96: received XAUTH_USER_NAME 'kedare' length 6
 ike 0:SCR-RVPN-PH1_0:96: received XAUTH_USER_PASSWORD length 7
 ike 0:SCR-RVPN-PH1_0: XAUTH user "kedare" in group 'VPN-group' (2)
 ike 0:SCR-RVPN-PH1_0: XAUTH failed for user "kedare"
 ike 0:SCR-RVPN-PH1_0: connection expiring due to XAUTH failure
 ike 0:SCR-RVPN-PH1_0: deleting
 ike 0:SCR-RVPN-PH1_0: flushing 
 ike 0:SCR-RVPN-PH1_0: sending SNMP tunnel DOWN trap
 ike 0:SCR-RVPN-PH1_0: flushed 
 ike 0:SCR-RVPN-PH1_0:96: send ISAKMP delete 0848dc178f36b835/9d0a3d848c2b5739
 ike 0:SCR-RVPN-PH1_0:96: sent IKE msg (ISKAMP SA DELETE-NOTIFY): xxx:4500->xxx:4505, len=92, id=0848dc178f36b835/9d0a3d848c2b5739:99a3844d
 ike 0:SCR-RVPN-PH1_0: delete dynamic
 ike 0:SCR-RVPN-PH1_0: reset NAT-T
 ike 0:SCR-RVPN-PH1_0: deleted
 ike shrank heap by 8192 bytes
I don't know why the XAuth fails... Do you have any idea? Thank you
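Added example, not part of the original posts: a small Python parser for `diag debug app ike -1` output like that shown above. It pairs each "my proposal" transform with the closest "incoming proposal" transform and reports which attributes differ. The sample logs are abridged from the debug output in this thread; the function names are illustrative.

```python
import re

# Drops the "ike 0:<tunnel>:<id>: " prefix that precedes every debug message.
PREFIX = re.compile(r"^\s*ike \d+:(?:[^:\s]+:)*\s*")

def parse_proposals(log_text):
    """Collect the transforms listed under 'my proposal' and 'incoming proposal'."""
    sides, side = {"my": [], "incoming": []}, None
    for raw in log_text.splitlines():
        msg = PREFIX.sub("", raw).strip().rstrip(".")
        if msg in ("my proposal:", "incoming proposal:"):
            side = msg.split()[0]
        elif side is None or msg == "negotiation failure":
            side = None
        elif m := re.match(r"trans_id = (.+)", msg):
            sides[side].append({"trans_id": m.group(1)})  # a new transform starts
        elif sides[side] and (m := re.match(r"encapsulation = (.+)", msg)):
            sides[side][-1]["encapsulation"] = m.group(1)
        elif sides[side] and (m := re.match(r"type\s*=\s*(\w+), val=(.+)", msg)):
            sides[side][-1][m.group(1)] = m.group(2)
    return sides

def closest_mismatch(log_text):
    """Return (differing attributes, my transform, peer transform) for the nearest pair."""
    sides, best = parse_proposals(log_text), None
    for mine in sides["my"]:
        for theirs in sides["incoming"]:
            diff = sorted(k for k in mine.keys() | theirs.keys()
                          if mine.get(k) != theirs.get(k))
            if best is None or len(diff) < len(best[0]):
                best = (diff, mine, theirs)
    return best

# Sample input, abridged from the phase 2 and phase 1 debug output in this thread.
PHASE2_LOG = """\
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: my proposal:
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:      trans_id = ESP_AES (key_len = 256)
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:         type = AUTH_ALG, val=SHA1
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: incoming proposal:
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:      trans_id = ESP_AES (key_len = 256)
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:      encapsulation = UDP_ENCAPSULATION_MODE_TRANSPORT_RFC3947
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:         type = AUTH_ALG, val=SHA1
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:      trans_id = ESP_3DES
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:      encapsulation = UDP_ENCAPSULATION_MODE_TRANSPORT_RFC3947
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309:         type = AUTH_ALG, val=MD5
ike 0:SCR-RVPN-PH1_0:82:SCR-RVPN-PH2:309: negotiation failure
"""

PHASE1_LOG = """\
ike 0:SCR-RVPN-PH1:84: incoming proposal:
ike 0:SCR-RVPN-PH1:84:      trans_id = KEY_IKE.
ike 0:SCR-RVPN-PH1:84:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:SCR-RVPN-PH1:84:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:SCR-RVPN-PH1:84:         type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:SCR-RVPN-PH1:84:         type=OAKLEY_GROUP, val=1024.
ike 0:SCR-RVPN-PH1:84: my proposal:
ike 0:SCR-RVPN-PH1:84:      trans_id = KEY_IKE.
ike 0:SCR-RVPN-PH1:84:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:SCR-RVPN-PH1:84:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:SCR-RVPN-PH1:84:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:SCR-RVPN-PH1:84:         type=OAKLEY_GROUP, val=1024.
ike 0:SCR-RVPN-PH1:84: negotiation failure
"""

if __name__ == "__main__":
    for name, log in (("phase 1", PHASE1_LOG), ("phase 2", PHASE2_LOG)):
        print(name, "differs in:", closest_mismatch(log)[0])
```

On these excerpts the nearest pair differs only in `AUTH_METHOD` for the phase 1 failure and only in `encapsulation` for the phase 2 failure.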
samanka80
New Contributor

Looks like it wants "Transport mode" and not "Tunnel mode", but how do I configure this? Is this the same thing as the non-interface mode? (Never used it.)
Hi. Yes, you SSH to the firewall and...
 config vpn ipsec phase2
     edit [yr-phase2]
         set encapsulation transparent-mode
Mine is stuck in phase 2. I don't know what's going on. I have nothing on debug while on SSH. Is there anything I should enable to have the debug report on SSH? I don't know... XAUTH seems like it doesn't work well with Windows, I don't know why; I tried it and it failed. Please tell me what you have done. I changed the position of my policies in the firewall policies, brought them to the top, but still no result :( the same error, no default gateway.... Did you get past this error? How??
samanka80
New Contributor

By the way, are you sure that Android phones work with L2TP? I think it's something for Windows...
samanka80
New Contributor

Do the transparent mode, I think you'll be fine, and pleaseeeeeee tell me what you did to get past this gateway error.... If possible, post your configuration for me. Thanks
samanka80
New Contributor

Hi Romanr! I finally got debug remotely, but I keep receiving this message... I have read somewhere that some ISPs with NAT traversal don't allow L2TP; is that the same error? I am connecting from my home. Is this the NAT-T problem? Is this my ISP? Can I do something? Please tell me if you can... Thank you and God bless you... Here is my debug:
 REMOTE_P1:25872: responder: main mode get 1st message...
 ike 0:REMOTE_P1:25872: selected NAT-T version: RFC 3947
 ike 0:REMOTE_P1:25872: responder:main mode get 2nd message...
 ike 0:REMOTE_P1:25872: NAT detected: PEER
 ike 0:REMOTE_P1:25872: responder: main mode get 3rd message...
 ike 0:REMOTE_P1_0:25872:28: responder received first quick-mode message
samanka80
New Contributor

In another try, I see this :o
 ike 0:REMOTE_P1_0:26085: recv ISAKMP SA delete 94cbef966d7faac0/4d733cd4e86c59a6
 ike 0:REMOTE_P1_0: deleting
 ike 0:REMOTE_P1_0: flushing
 ike 0:REMOTE_P1_0: sending SNMP tunnel DOWN trap
 ike 0:REMOTE_P1_0: flushed
 ike 0:REMOTE_P1_0:26085: HA send IKE SA del 94cbef966d7faac0/4d733cd4e86c59a6
 ike 0:REMOTE_P1_0: delete dynamic
 ike 0:REMOTE_P1_0: deleted
Sorry I keep posting; my page is not shown well and I can't edit previous posts :(
samanka80
New Contributor

Everybody, read this conversation.... I am using an unupdated Win7; I am going to install XP SP2 on a virtual machine and test it ;) http://social.technet.microsoft.com/Forums/en-US/w7itpronetworking/thread/630488b8-e638-488d-803a-08ef9281e4fb/