Support Forum
fortinoy
New Contributor II

site to site vpn tunnel is up but no traffic flowing

I set up a site-to-site VPN using the IPsec wizard. The tunnel is already up, but I keep getting the error "progress ipsec phase 1 negotiate failure" in the VPN events log. I need your help on where and what to check.

Note: I initially set up SSL VPN on the same FortiGate and it works well. I'm now trying to set up the site-to-site VPN. The setup in the IPsec wizard is easy and fast, but it is not working.

Please advise. Thanks.

Toshi_Esumi
SuperUser

I'm assuming your tunnel is working fine. Then take a close look at the log detail. Does the remote IP match the IP of the other side of your VPN? Chances are somebody else is trying to set up VPN to your FGT.

fortinoy

The IPs on both sides are correct. What do you mean when you say "Chances are somebody else is trying to set up VPN to your FGT."? I have set up SSL VPN too on the same FortiGate on both sides. Will that affect the site-to-site VPN I'm trying to set up? Thanks.

OneOfUs
New Contributor III

Based on this:

ike 0:"LOCAL VPN NAME": sending SNMP tunnel DOWN trap for "LOCAL VPN NAME"
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21: my proposal:
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21: proposal id = 1:
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:   protocol id = IPSEC_ESP:
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:   PFS DH group = 14
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:         type = AUTH_ALG, val=SHA1
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21: proposal id = 2:
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:   protocol id = IPSEC_ESP:
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:   PFS DH group = 5
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:         type = AUTH_ALG, val=SHA1
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21: incoming proposal:
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21: proposal id = 1:
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:   protocol id = IPSEC_ESP:
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:   PFS DH group = 14
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:         type = AUTH_ALG, val=SHA1
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21: negotiation result
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21: proposal id = 1:
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:   protocol id = IPSEC_ESP:
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:   PFS DH group = 14
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:         type = AUTH_ALG, val=SHA1
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21: sending SNMP tunnel UP trap


It appears the phase 1 (IKE) is coming up and the issue is with the phase 2 (IPSEC) negotiation. The only thing I saw odd in the debug is that you appear to have two phase 2 selectors; however, the remote only has one. It may help to eliminate the 2nd phase 2 selector and additional (unneeded) encryption / authentication protocols. Make sure the phase 2 local / remote addresses match.


The phase 2 negotiation appears to complete using: AES-128 SHA1 DH 14 Keylife 43200.  


If you look at the IPSEC VPN monitor does the tunnel appear to bounce?
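To make the reading done in the post above repeatable (which proposals each side offered, which one was agreed, the hard lifetime, and whether the tunnel keeps bouncing between DOWN and UP traps), here is a small parser for `diagnose debug app ike` output. It is an added example written for this thread, not FortiGate code and not anything the posters supplied; it understands the IKEv1 quick-mode lines quoted above as well as the IKEv2 CREATE_CHILD lines posted later in the thread. Its sample input is constructed after the format shown in this thread, with the placeholder tunnel name `S2S` and TEST-NET addresses.

```python
"""Summarize a FortiGate `diagnose debug app ike` capture of one phase 2 negotiation (IKEv1
quick mode or IKEv2 CREATE_CHILD): what each side offered, what was agreed, the hard
lifetime, and whether the tunnel bounced. Added example for this thread, not FortiGate
code; the sample lines are constructed with placeholder tunnel names and IPs."""
import re

PROPOSAL_RE = re.compile(r"proposal id = (\d+):")
MATCHED_RE = re.compile(r"matched proposal id (\d+)")
INCOMING_RE = re.compile(r"incoming (?:child SA )?proposal:$")
PFS_RE = re.compile(r"PFS DH group = (\d+)")
TRANS_RE = re.compile(r"trans_id = (\w+)(?: \(key_len = (\d+)\))?")    # IKEv1 transform
ENCR_RE = re.compile(r"type=ENCR, val=(\w+)(?: \(key_len = (\d+)\))?")  # IKEv2 transform
AUTH_RE = re.compile(r"type ?= ?(?:AUTH_ALG|INTEGR), val=(\w+)")
LIFE_RE = re.compile(r"(?:sa life hard seconds|lifetime)=(\d+)", re.I)
TRAP_RE = re.compile(r"sending SNMP tunnel (UP|DOWN) trap")


def parse_ike_debug(text):
    """Return proposals per section (my/incoming/result), hard lifetime, traps, drops."""
    out = {"my": [], "incoming": [], "result": [], "hard_life": None, "events": [], "drops": 0}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        cur = out[section][-1] if section and out[section] else None   # proposal being listed
        if line.endswith("my proposal:"):
            section = "my"
        elif INCOMING_RE.search(line):
            section = "incoming"
        elif line.endswith("negotiation result"):       # IKEv1 lists the agreed proposal next
            section = "result"
        elif m := MATCHED_RE.search(line):               # IKEv2 names the matched incoming one
            out["result"] = [p for p in out["incoming"] if p["id"] == int(m.group(1))]
            section = None
        elif (m := PROPOSAL_RE.search(line)) and section:
            out[section].append({"id": int(m.group(1)), "pfs": None, "transforms": []})
        elif (m := PFS_RE.search(line)) and cur:
            cur["pfs"] = int(m.group(1))
        elif line.endswith("PFS is disabled") and cur:
            cur["pfs"] = "disabled"
        elif (m := TRANS_RE.search(line) or ENCR_RE.search(line)) and cur:
            cur["transforms"].append({"enc": m.group(1), "auth": None,
                                      "key_len": int(m.group(2)) if m.group(2) else None})
        elif (m := AUTH_RE.search(line)) and cur and cur["transforms"]:
            cur["transforms"][-1]["auth"] = m.group(1)
        elif m := LIFE_RE.search(line):
            out["hard_life"] = int(m.group(1))
        elif m := TRAP_RE.search(line):
            out["events"].append(m.group(1))
        elif "no established IKE SA" in line and line.endswith("drop"):
            out["drops"] += 1
    return out


def assess(s):
    """The checks a reviewer of such a debug makes, as human-readable findings."""
    if not s["result"]:
        return ["no phase 2 agreement: no proposal matched, compare both sides' phase 2 settings"]
    r, t = s["result"][0], s["result"][0]["transforms"][0]
    findings = [f"negotiated {t['enc']}-{t['key_len']}/{t['auth']} PFS={r['pfs']} "
                f"hard_life={s['hard_life']}s"]
    if len(s["my"]) > len(s["incoming"]):
        findings.append(f"local offers {len(s['my'])} proposals, peer offers {len(s['incoming'])}: "
                        "the extra local proposals are never used")
    bounces = sum(1 for a, b in zip(s["events"], s["events"][1:]) if (a, b) == ("DOWN", "UP"))
    if bounces:
        findings.append(f"tunnel bounced {bounces}x: IPsec SA deleted by the peer, then re-negotiated")
    if s["drops"]:
        findings.append(f"{s['drops']} message(s) dropped: peer used an IKE SA that no longer exists")
    return findings


# Constructed after the thread's IKEv1 debug: the peer deletes the SA, then re-negotiates.
SAMPLE_IKEV1 = """\
ike 0:"S2S": sending SNMP tunnel DOWN trap for "S2S"
ike 0:"S2S":330:"S2S":21: my proposal:
ike 0:"S2S":330:"S2S":21: proposal id = 1:
ike 0:"S2S":330:"S2S":21:   PFS DH group = 14
ike 0:"S2S":330:"S2S":21:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:"S2S":330:"S2S":21:         type = AUTH_ALG, val=SHA1
ike 0:"S2S":330:"S2S":21: proposal id = 2:
ike 0:"S2S":330:"S2S":21:   PFS DH group = 5
ike 0:"S2S":330:"S2S":21:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:"S2S":330:"S2S":21:         type = AUTH_ALG, val=SHA1
ike 0:"S2S":330:"S2S":21: incoming proposal:
ike 0:"S2S":330:"S2S":21: proposal id = 1:
ike 0:"S2S":330:"S2S":21:   PFS DH group = 14
ike 0:"S2S":330:"S2S":21:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:"S2S":330:"S2S":21:         type = AUTH_ALG, val=SHA1
ike 0:"S2S":330:"S2S":21: negotiation result
ike 0:"S2S":330:"S2S":21: proposal id = 1:
ike 0:"S2S":330:"S2S":21:   PFS DH group = 14
ike 0:"S2S":330:"S2S":21:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:"S2S":330:"S2S":21:         type = AUTH_ALG, val=SHA1
ike 0:"S2S":330:"S2S":21: SA life hard seconds=43200.
ike 0:"S2S":330:"S2S":21: sending SNMP tunnel UP trap
ike 0: no established IKE SA for exchange-type Informational from 203.0.113.2:500->203.0.113.1 6, drop
"""

if __name__ == "__main__":
    print(*assess(parse_ike_debug(SAMPLE_IKEV1)), sep="\n")
```

Run it as a script to see the findings for the constructed sample, or call `assess(parse_ike_debug(open("debug.txt").read()))` on a capture saved from the CLI; running it on captures from both FortiGates lets you compare the reported hard lifetime side by side. The regexes target only the line shapes this thread shows, and every other line is ignored, so an unfamiliar line never aborts the summary.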


OneOfUs
New Contributor III

This is the best article I've found to troubleshoot IPSEC VPNs; some of the GUI information has changed over the years:

To get diagnose information for the VPN connection - CLI

1. Log into the CLI as admin with the output being logged to a file.

2. Stop any diagnose debug sessions that are currently running with the CLI command

diagnose debug disable

3. Clear any existing log-filters by running

diagnose vpn ike log-filter clear

4. Set the log-filter to the IP address of the remote computer (Remote Gateway). This filters out all VPN connections except ones to the IP address we are concerned with. The command is

diagnose vpn ike log-filter dst-addr4 <remote gateway>

5. Set up the commands to output the VPN handshaking. The commands are:

diagnose debug app ike 63

diagnose debug enable

6. Have the remote FortiGate initiate the VPN connection in the web-based manager by going to VPN > Monitor and selecting Bring up.

This makes the remote FortiGate the initiator and the local FortiGate becomes the responder. Establishing the connection in this manner means the local FortiGate will have its configuration information as well as the information the remote computer sends. Having both sets of information locally makes it easier to troubleshoot your VPN connection.

7. Watch the screen for output, and after roughly 15 seconds enter the following CLI command to stop the output.

diagnose debug disable

8. If needed, save the log file of this output to a file on your local computer. Saving the output to a file can make it easier to search for a particular phrase, and is useful for comparisons.


From <http://docs-legacy.fortinet.com/fos50hlp/50/FortiOS%205.0%20Help/TestandMonitor.129.08.html>

fortinoy
New Contributor II

Thanks for the steps. Please help me check the result of the debug below. I replaced the IPs and the VPN names for security.

LEGEND:

“local FG public ip” "remote FG public ip" "local vpn name" "remote vpn name" "remote FG LAN ip" "local FG LAN ip"


FGT60ETK180999ZJ # ike shrank heap by 126976 bytes
ike 0: comes "remote FG public ip":500->"local FG public ip":500,ifindex=6....
ike 0: IKEv1 exchange=Informational id=1bb17d97025b7eba/126b50d856d51ce4:c40c60a2 len=92
ike 0: "local vpn name":327: recv IPsec SA delete, spi count 1
ike 0: "local vpn name": deleting IPsec SA with SPI 4d6c1357
ike 0: "local vpn name":"local vpn name": deleted IPsec SA with SPI 4d6c1357, SA count: 0
ike 0: "local vpn name": sending SNMP tunnel DOWN trap for "local vpn name"
ike 0: comes "remote FG public ip":500->"local FG public ip":500,ifindex=6....
ike 0: IKEv1 exchange=Quick id=1bb17d97025b7eba/126b50d856d51ce4:25461b74 len=588
ike 0: "local vpn name":327:19: responder received first quick-mode message
ike 0: "local vpn name":327:19: peer proposal is: peer:0: "remote FG LAN ip"-"remote FG LAN ip", me:0: "local FG LAN ip"-"local FG LAN ip"
ike 0: "local vpn name":327: "local vpn name":19: trying
ike 0: "local vpn name":327: "local vpn name":19: matched phase2
ike 0: "local vpn name":327: "local vpn name":19: autokey
ike 0: "local vpn name":327: "local vpn name":19: my proposal:
ike 0: "local vpn name":327: "local vpn name":19: proposal id = 1:
ike 0: "local vpn name":327: "local vpn name":19:   protocol id = IPSEC_ESP:
ike 0: "local vpn name":327: "local vpn name":19:   PFS DH group = 14
ike 0: "local vpn name":327: "local vpn name":19:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0: "local vpn name":327: "local vpn name":19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0: "local vpn name":327: "local vpn name":19:         type = AUTH_ALG, val=SHA1
ike 0: "local vpn name":327: "local vpn name":19:      trans_id = ESP_AES_CBC (key_len = 256)
ike 0: "local vpn name":327: "local vpn name":19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0: "local vpn name":327: "local vpn name":19:         type = AUTH_ALG, val=SHA1
ike 0: "local vpn name":327: "local vpn name":19:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:         type = AUTH_ALG, val=SHA2_256
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      trans_id = ESP_AES_CBC (key_len = 256)
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:         type = AUTH_ALG, val=SHA2_256
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      trans_id = ESP_AES_GCM_16 (key_len = 128)
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:         type = AUTH_ALG, val=NULL
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      trans_id = ESP_AES_GCM_16 (key_len = 256)
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:         type = AUTH_ALG, val=NULL
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      trans_id = ESP_CHACHA20_POLY1305 (key_len = 256)
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:         type = AUTH_ALG, val=NULL
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19: proposal id = 2:
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:   protocol id = IPSEC_ESP:
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:   PFS DH group = 5
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:         type = AUTH_ALG, val=SHA1
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      trans_id = ESP_AES_CBC (key_len = 256)
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:         type = AUTH_ALG, val=SHA1
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:         type = AUTH_ALG, val=SHA2_256
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      trans_id = ESP_AES_CBC (key_len = 256)
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:         type = AUTH_ALG, val=SHA2_256
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      trans_id = ESP_AES_GCM_16 (key_len = 128)
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:         type = AUTH_ALG, val=NULL
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      trans_id = ESP_AES_GCM_16 (key_len = 256)
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:         type = AUTH_ALG, val=NULL
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      trans_id = ESP_CHACHA20_POLY1305 (key_len = 256)
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:         type = AUTH_ALG, val=NULL
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19: incoming proposal:
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19: proposal id = 1:
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:   protocol id = IPSEC_ESP:
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:   PFS DH group = 14
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:         type = AUTH_ALG, val=SHA1
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      trans_id = ESP_AES_CBC (key_len = 256)
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:         type = AUTH_ALG, val=SHA1
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      trans_id = ESP_3DES
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:         type = AUTH_ALG, val=SHA1
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:         type = AUTH_ALG, val=SHA2_256
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      trans_id = ESP_AES_CBC (key_len = 256)
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:         type = AUTH_ALG, val=SHA2_256
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      trans_id = ESP_3DES
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:         type = AUTH_ALG, val=SHA2_256
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19: negotiation result
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19: proposal id = 1:
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:   protocol id = IPSEC_ESP:
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:   PFS DH group = 14
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19:         type = AUTH_ALG, val=SHA1
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19: set pfs=MODP2048
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19: using tunnel mode.
ike 0:"LOCAL VPN NAME": schedule auto-negotiate
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19: replay protection enabled
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19: SA life soft seconds=42929.
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19: SA life hard seconds=43200.
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19: IPsec SA selectors #src=1 #dst=1
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19: src 0 4 0:"local FG LAN ip"/255.255.255.0:0
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19: dst 0 4 0:"remote FG LAN ip"/255.255.255.0:0
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19: add IPsec SA: SPIs=0c219574/4d6c1358
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19: added IPsec SA: SPIs=0c219574/4d6c1358
ike 0:"LOCAL VPN NAME":327:"LOCAL VPN NAME":19: sending SNMP tunnel UP trap
ike 0:"LOCAL VPN NAME":327: sent IKE msg (quick_r1send): "local FG public ip":500->"remote FG public ip":500, len=444, id=1bb17d97025b7eba/126b50d856d51ce4:25461b74
ike 0: comes "remote FG public ip":500->"local FG public ip":500,ifindex=6....
ike 0: IKEv1 exchange=Quick id=1bb17d97025b7eba/126b50d856d51ce4:25461b74 len=76
ike 0:"LOCAL VPN NAME":"LOCAL VPN NAME":19: send SA_DONE SPI 0x4d6c1358
FGT60ETK180999ZJ # diagnose debug disable
===========
================================================
FGT60ETK180999ZJ # ike shrank heap by 126976 bytes
ike 0: comes "remote FG public ip":500->"local FG public ip":500,ifindex=6....
ike 0: IKEv1 exchange=Informational id=936e3ddcaaec9ef2/af17441d730dc067:ebcb47ca len=92
ike 0:"LOCAL VPN NAME":330: recv IPsec SA delete, spi count 1
ike 0:"LOCAL VPN NAME": deleting IPsec SA with SPI 4d6c1359
ike 0:"LOCAL VPN NAME":"LOCAL VPN NAME": deleted IPsec SA with SPI 4d6c1359, SA count: 0
ike 0:"LOCAL VPN NAME": sending SNMP tunnel DOWN trap for "LOCAL VPN NAME"
ike 0: comes "remote FG public ip":500->"local FG public ip":500,ifindex=6....
ike 0: IKEv1 exchange=Quick id=936e3ddcaaec9ef2/af17441d730dc067:42eb0de9 len=588
ike 0:"LOCAL VPN NAME":330:21: responder received first quick-mode message
ike 0:"LOCAL VPN NAME":330:21: peer proposal is: peer:0:"remote FG LAN ip"-192.168.100.255:0, me:0:"local FG LAN ip"-192.168.17.255:0
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21: trying
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21: matched phase2
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21: autokey
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21: my proposal:
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21: proposal id = 1:
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:   protocol id = IPSEC_ESP:
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:   PFS DH group = 14
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:         type = AUTH_ALG, val=SHA1
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      trans_id = ESP_AES_CBC (key_len = 256)
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:         type = AUTH_ALG, val=SHA1
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:         type = AUTH_ALG, val=SHA2_256
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      trans_id = ESP_AES_CBC (key_len = 256)
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:         type = AUTH_ALG, val=SHA2_256
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      trans_id = ESP_AES_GCM_16 (key_len = 128)
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:         type = AUTH_ALG, val=NULL
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      trans_id = ESP_AES_GCM_16 (key_len = 256)
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:         type = AUTH_ALG, val=NULL
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      trans_id = ESP_CHACHA20_POLY1305 (key_len = 256)
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:         type = AUTH_ALG, val=NULL
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21: proposal id = 2:
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:   protocol id = IPSEC_ESP:
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:   PFS DH group = 5
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:         type = AUTH_ALG, val=SHA1
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      trans_id = ESP_AES_CBC (key_len = 256)
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:         type = AUTH_ALG, val=SHA1
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:         type = AUTH_ALG, val=SHA2_256
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      trans_id = ESP_AES_CBC (key_len = 256)
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:         type = AUTH_ALG, val=SHA2_256
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      trans_id = ESP_AES_GCM_16 (key_len = 128)
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:         type = AUTH_ALG, val=NULL
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      trans_id = ESP_AES_GCM_16 (key_len = 256)
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:         type = AUTH_ALG, val=NULL
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      trans_id = ESP_CHACHA20_POLY1305 (key_len = 256)
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:         type = AUTH_ALG, val=NULL
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21: incoming proposal:
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21: proposal id = 1:
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:   protocol id = IPSEC_ESP:
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:   PFS DH group = 14
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:         type = AUTH_ALG, val=SHA1
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      trans_id = ESP_AES_CBC (key_len = 256)
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:         type = AUTH_ALG, val=SHA1
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      trans_id = ESP_3DES
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:         type = AUTH_ALG, val=SHA1
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:         type = AUTH_ALG, val=SHA2_256
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      trans_id = ESP_AES_CBC (key_len = 256)
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:         type = AUTH_ALG, val=SHA2_256
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      trans_id = ESP_3DES
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:         type = AUTH_ALG, val=SHA2_256
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21: negotiation result
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21: proposal id = 1:
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:   protocol id = IPSEC_ESP:
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:   PFS DH group = 14
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21:         type = AUTH_ALG, val=SHA1
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21: set pfs=MODP2048
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21: using tunnel mode.
ike 0:"LOCAL VPN NAME": schedule auto-negotiate
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21: replay protection enabled
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21: SA life soft seconds=42930.
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21: SA life hard seconds=43200.
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21: IPsec SA selectors #src=1 #dst=1
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21: src 0 4 0:"local FG LAN ip"/255.255.255.0:0
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21: dst 0 4 0:"remote FG LAN ip"/255.255.255.0:0
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21: add IPsec SA: SPIs=0c219576/4d6c135a
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21: added IPsec SA: SPIs=0c219576/4d6c135a
ike 0:"LOCAL VPN NAME":330:"LOCAL VPN NAME":21: sending SNMP tunnel UP trap
ike 0:"LOCAL VPN NAME":330: sent IKE msg (quick_r1send): "local FG public ip":500->"remote FG public ip":500, len=444, id=936e3ddcaaec9ef2/af17441d730dc067:42eb0de9
ike 0: comes "remote FG public ip":500->"local FG public ip":500,ifindex=6....
ike 0: IKEv1 exchange=Quick id=936e3ddcaaec9ef2/af17441d730dc067:42eb0de9 len=76
ike 0:"LOCAL VPN NAME":"LOCAL VPN NAME":21: send SA_DONE SPI 0x4d6c135a
FGT60ETK180999ZJ # ike 0:"LOCAL VPN NAME":326: expiring IKE SA e8819280293ca8bf/f0e01864a2ffc7c3
ike 0:"LOCAL VPN NAME":326: send IKE SA delete e8819280293ca8bf/f0e01864a2ffc7c3
ike 0:"LOCAL VPN NAME":326: sent IKE msg (ISAKMP SA DELETE-NOTIFY): "local FG public ip":500->"remote FG public ip":500, len=108, id=e8819280293ca8bf/f0e01864a2ffc7c3:0bb860e3
ike 0:"LOCAL VPN NAME": schedule auto-negotiate
ike 0: comes "remote FG public ip":500->"local FG public ip":500,ifindex=6....
ike 0: IKEv1 exchange=Informational id=e8819280293ca8bf/f0e01864a2ffc7c3:439f8810 len=108
ike 0: no established IKE SA for exchange-type Informational from "remote FG public ip":500->"local FG public ip" 6 cookie e8819280293ca8bf/f0e01864a2ffc7c3, drop
ike 0:"LOCAL VPN NAME":327: expiring IKE SA 1bb17d97025b7eba/126b50d856d51ce4
ike 0:"LOCAL VPN NAME":327: send IKE SA delete 1bb17d97025b7eba/126b50d856d51ce4
ike 0:"LOCAL VPN NAME":327: sent IKE msg (ISAKMP SA DELETE-NOTIFY): "local FG public ip":500->"remote FG public ip":500, len=108, id=1bb17d97025b7eba/126b50d856d51ce4:c9c0f7d6
ike 0:"LOCAL VPN NAME": schedule auto-negotiate

sw2090

Well, IPsec is cool when it works, but it's a pain in the a** to debug :/ That's not on Fortinet but something to blame IPsec itself for.

According to the logs I see no negotiation errors or timeouts, just the tunnel going up and then down again, sending the specific SNMP trap.

Did you check if your key TTLs in phase 1 AND 2 match on both sides?


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

fortinoy
New Contributor II

Yes, the TTLs in phase 1 and 2 have the same settings.

fortinoy
New Contributor II

Can you guys send me a sample debug of a working site to site vpn on two Fortigates? I really don't know what and where to check to fix this. Thanks.


fortinoy
New Contributor II

Here is another debug from the local Fortigate:


ike config update start
ike config update done
ike 0: cache rebuild done
ike 0: comes LOCAL PUBLIC IP:500->REMOTE PUBLIC IP:500,ifindex=6....
ike 0: IKEv2 exchange=INFORMATIONAL id=a4d297da840a9b86/8dcfd5a5eb102e38:00000002 len=80
ike 0:LOCAL  VPN NAME:1091: received informational request
ike 0:LOCAL  VPN NAME:1091: processing delete request (proto 3)
ike 0:LOCAL  VPN NAME: deleting IPsec SA with SPI 4d6c140e
ike 0:LOCAL  VPN NAME:LOCAL  VPN NAME: deleted IPsec SA with SPI 4d6c140e, SA count: 0
ike 0:LOCAL  VPN NAME: sending SNMP tunnel DOWN trap for LOCAL  VPN NAME
ike 0:LOCAL  VPN NAME:1091: sending delete ack
ike 0:LOCAL  VPN NAME:1091: sent IKE msg (INFORMATIONAL_RESPONSE): REMOTE PUBLIC IP:500->LOCAL PUBLIC IP:500, len=80, id=a4d297da840a9b86/8dcfd5a5eb102e38:00000002
ike 0: comes LOCAL PUBLIC IP:500->REMOTE PUBLIC IP:500,ifindex=6....
ike 0: IKEv2 exchange=CREATE_CHILD id=a4d297da840a9b86/8dcfd5a5eb102e38:00000003 len=192
ike 0:LOCAL  VPN NAME:1091: received create-child request
ike 0:LOCAL  VPN NAME:1091: responder received CREATE_CHILD exchange
ike 0:LOCAL  VPN NAME:1091: responder creating new child
ike 0:LOCAL  VPN NAME:1091:63: peer proposal:
ike 0:LOCAL  VPN NAME:1091:63: TSi_0 0:REMOTE  LAN IP-REMOTE  LAN IP:0
ike 0:LOCAL  VPN NAME:1091:63: TSr_0 0:LOCAL LAN IP-LOCAL  LAN IP:0
ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: comparing selectors
ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: matched by rfc-rule-2
ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: phase2 matched by subset
ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: accepted proposal:
ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: TSi_0 0:REMOTE  LAN IP-REMOTE  LAN IP:0
ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: TSr_0 0:LOCAL LAN IP-LOCAL  LAN IP:0
ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: autokey
ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: incoming child SA proposal:
ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: proposal id = 1:
ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63:   protocol = ESP:
ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63:      encapsulation = TUNNEL
ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63:         type=ENCR, val=AES_CBC (key_len = 256)
ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63:         type=INTEGR, val=SHA256
ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63:         type=ESN, val=NO
ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63:         PFS is disabled
ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: matched proposal id 1
ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: proposal id = 1:
ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63:   protocol = ESP:
ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63:      encapsulation = TUNNEL
ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63:         type=ENCR, val=AES_CBC (key_len = 256)
ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63:         type=INTEGR, val=SHA256
ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63:         type=ESN, val=NO
ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63:         PFS is disabled
ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: lifetime=28800
ike 0:LOCAL  VPN NAME: schedule auto-negotiate
ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: set sa life soft seconds=28528.
ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: set sa life hard seconds=28800.
ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: IPsec SA selectors #src=1 #dst=1
ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: src 0 7 0:LOCAL LAN IP-LOCAL  LAN IP:0
ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: dst 0 7 0:REMOTE  LAN IP-REMOTE  LAN IP:0
ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: add IPsec SA: SPIs=0c219592/4d6c1410
ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: added IPsec SA: SPIs=0c219592/4d6c1410
ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: sending SNMP tunnel UP trap
ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: responder preparing CREATE_CHILD message
ike 0:LOCAL  VPN NAME:1091: sent IKE msg (CREATE_CHILD_RESPONSE): REMOTE PUBLIC IP:500->LOCAL PUBLIC IP:500, len=192, id=a4d297da840a9b86/8dcfd5a5eb102e38:00000003

