VPN IPsec error
Hi forti users,
I have a big issue when trying to implement an IPsec VPN between a FortiGate 80C and a Cisco ASA. I don't have access to the ASA. After all the configuration, when I try to bring up the VPN I receive the debug messages below and the VPN doesn't work:
ike 0:IPsec2ASA: carrier down
ike shrank heap by 126976 bytes
ike 0:IPsec2ASA: auto-negotiate connection
ike 0:IPsec2ASA: created connection: 0xa4f0878 3 localIP->remoteIP:500.
ike 0:IPsec2ASA:9295: initiator: main mode is sending 1st message...
ike 0:IPsec2ASA:9295: cookie 0f15990e0bced5d6/0000000000000000
ike 0:IPsec2ASA:9295: out 0F15990E0BCED5D600000000000000000110020000000000000001080D00003800000001000000010000002C010100010000002401010000800B0001000C000400015180800100058003000180020002800400020D0000144A131C81070358455C5728F20E95452F0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000148299031757A36082C6A621DE0005010F
ike 0:IPsec2ASA:9295: sent IKE msg (ident_i1send): localIP:500->remoteIP:500, len=264, id=0f15990e0bced5d6/0000000000000000
ike 0: comes remoteIP:500->localIP:500,ifindex=3....
ike 0: IKEv1 exchange=Identity Protection id=0f15990e0bced5d6/aee35b2c685b6881 len=128
ike 0: in 0F15990E0BCED5D6AEE35B2C685B68810110020000000000000000800D00003800000001000000010000002C01010001000000240101000080010005800200028004000280030001800B0001000C0004000151800D00001490CB80913EBB696E086381B5EC427B1F000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:IPsec2ASA:9295: initiator: main mode get 1st response...
ike 0:IPsec2ASA:9295: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:IPsec2ASA:9295: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:IPsec2ASA:9295: selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02\n
ike 0:IPsec2ASA:9295: negotiation result
ike 0:IPsec2ASA:9295: proposal id = 1:
ike 0:IPsec2ASA:9295: protocol id = ISAKMP:
ike 0:IPsec2ASA:9295: trans_id = KEY_IKE.
ike 0:IPsec2ASA:9295: encapsulation = IKE/none
ike 0:IPsec2ASA:9295: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:IPsec2ASA:9295: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:IPsec2ASA:9295: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:IPsec2ASA:9295: type=OAKLEY_GROUP, val=1024.
ike 0:IPsec2ASA:9295: ISAKMP SA lifetime=86400
ike 0:IPsec2ASA:9295: out 0F15990E0BCED5D6AEE35B2C685B68810410020000000000000000E40A000084947ED556F658BE553DDA6E0DAB75401B8807B377684948DD540ADB67D8F4BB26AC1E6712B5704632EF77A7E222298C0C70CA8BBD346CCA22C54991714175A009EC86A8311709480B8645C5431DA5C1BCD18C99F429E8AA98DDA2C7AF7DC9A776ED98BFBFDBE551D8A09E9BEA9FF747B417887E0EE96CCD8BF1C348612D4C5C9682000014F90A47995AB52D4133548580109E749582000018F4FCCB5856D9FA1B16F9B34BBC05DF243FD0294E000000187CDC806405FA802111D5E74DA03356ADA9BB3293
ike 0:IPsec2ASA:9295: sent IKE msg (ident_i2send): localIP:500->remoteIP:500, len=228, id=0f15990e0bced5d6/aee35b2c685b6881
ike 0: comes remoteIP:500->localIP:500,ifindex=3....
ike 0: IKEv1 exchange=Identity Protection id=0f15990e0bced5d6/aee35b2c685b6881 len=304
ike 0: in
ike 0:IPsec2ASA:9295: initiator: main mode get 2nd response...
ike 0:IPsec2ASA:9295: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
ike 0:IPsec2ASA:9295: peer supports UNITY
ike 0:IPsec2ASA:9295: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
ike 0:IPsec2ASA:9295: VID unknown (16): 5B24FC31685A6881EBB781B7518230B1
ike 0:IPsec2ASA:9295: VID unknown (16): 1F07F70EAA6514D3B0FA96542A500100
ike 0:IPsec2ASA:9295: NAT not detected
ike 0:IPsec2ASA:9295: ISAKMP SA 0f15990e0bced5d6/aee35b2c685b6881 key 24:12CC6BCFC6A3C03E445D2A32D27B182589ECF4400783F4E8
ike 0:IPsec2ASA:9295: add INITIAL-CONTACT
ike 0:IPsec2ASA:9295: enc 0F15990E0BCED5D6AEE35B2C685B688105100201000000000000005C0800000C0100000029DB0BE20B000018A40B90B6D53A8FAFB9C5C159B9ED9140B154294D0000001C00000001011060020F15990E0BCED5D6AEE35B2C685B6881
ike 0:IPsec2ASA:9295: out 0F15990E0BCED5D6AEE35B2C685B6881051002010000000000000064CFBC03A101328796F08B92FBABED78C7547BAED5AEC4E3CCCB1A96A16FF8645690A96289D735A5E9D2D5BCDCD5F3BB2E2214F0C9610739453A2E645935733CDAFF3BA6BC139C4032
ike 0:IPsec2ASA:9295: sent IKE msg (ident_i3send): localIP:500->remoteIP:500, len=100, id=0f15990e0bced5d6/aee35b2c685b6881
ike 0: comes remoteIP:500->localIP:500,ifindex=3....
ike 0: IKEv1 exchange=Identity Protection id=0f15990e0bced5d6/aee35b2c685b6881 len=84
ike 0: in 0F15990E0BCED5D6AEE35B2C685B6881051002010000000000000054166397399289C45CC526182A29EE8D4CC0E6511DDAE6A68ADEBE5A876CB4F0557E65E71ABD73354AB9B972A05F55CB38392E2D88B9136E06
ike 0:IPsec2ASA:9295: initiator: main mode get 3rd response...
ike 0:IPsec2ASA:9295: dec 0F15990E0BCED5D6AEE35B2C685B68810510020100000000000000540800000C01110000D58869120D0000184169AA7DDD14F58D70736B66F14366D175C8B88B00000014AFCAD71368A1F1C96B8696FC77570100
ike 0:IPsec2ASA:9295: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:IPsec2ASA:9295: DPD negotiated
ike 0:IPsec2ASA:9295: PSK authentication succeeded
ike 0:IPsec2ASA:9295: authentication OK
ike 0:IPsec2ASA:9295: established IKE SA 0f15990e0bced5d6/aee35b2c685b6881
ike 0:IPsec2ASA: set oper up
ike 0:IPsec2ASA: schedule auto-negotiate
ike 0:IPsec2ASA:9295: no pending Quick-Mode negotiations
ike 0:IPsec2ASA: carrier up
ike 0:IPsec2ASA:VPNPhase2: IPsec SA connect 3 localIP->remoteIP:0
ike 0:IPsec2ASA:VPNPhase2: using existing connection
ike 0:IPsec2ASA:VPNPhase2: config found
ike 0:IPsec2ASA:VPNPhase2: IPsec SA connect 3 localIP->remoteIP:500 negotiating
ike 0:IPsec2ASA:9295: cookie 0f15990e0bced5d6/aee35b2c685b6881:34a0b58e
ike 0:IPsec2ASA:9295:VPNPhase2:11600: initiator selectors 0 0:192.168.101.0/255.255.255.0:0:0->0:192.168.2.0/255.255.255.0:0:0
ike 0:IPsec2ASA:9295: enc 0F15990E0BCED5D6AEE35B2C685B68810810200134A0B58E00000120010000187EFF4E4361DE5F2523905A84D1E742D5E91AE93C0A0000340000000100000001000000280103040146FF4CDD0000001C010200008001000180020E1080040001800500018003000204000014D5745F25DDA81FDE2908DF7FF6101A39050000848EF247FF09A054A9B5CAE64880C7CBF6BE8B1BC2E097AC319911CD72508E4F7E80819C44AD80E04766C518F02300933C241300F5416BF2534BF5913789E3D497043C1AE295FBE0E40C229D443D7D5941CCFBEF5B30FB6A63735CDE91C2AB105ACB85FF90DBB514A74B930F07A73B4B0D503C930A55815C2DB61EFAB9A967DEA0500001004000000C0A86500FFFFFF000000001004000000C0A80200FFFFFF00
ike 0:IPsec2ASA:9295: out 0F15990E0BCED5D6AEE35B2C685B68810810200134A0B58E00000124C8071A5965065417411B3FBC65946B21139B25696CFE1588BFFD994CE2F3D50AFBBAAA64ECD2F79A5C437E6793113A08D00D2EA875A27EA818FD9A142D9C87449F97ED375CCB7CE1E76F1D6889B23E1864C7F5F5DCDECF2E90BB6345FDCC9807F46734C035656B8D3B59B79AF01015A84F70A6B5DD7EF69D761A6DBCC35414469F2D7B6122DEAE1BE1D3C05E419A6CF0C68BECB28C8DD45DF836F4875A4A1D6CAA6481A619552DACDA701104878F74F9C4A343D1963606067722347D1D75A2D15C8BC2BF90F3806322F588BA1032E28ACA6CF62D8AD31F91FCB7DE51F8115B0DD50C1EE22F7A2E091E9612F17FF8D9DA2FD35673FA8462C449147E4A4EEA74B86CDA51525E261917
ike 0:IPsec2ASA:9295: sent IKE msg (quick_i1send): localIP:500->remoteIP:500, len=292, id=0f15990e0bced5d6/aee35b2c685b6881:34a0b58e
ike 0: comes remoteIP:500->localIP:500,ifindex=3....
ike 0: IKEv1 exchange=Informational id=0f15990e0bced5d6/aee35b2c685b6881:883467b8 len=84
ike 0: in 0F15990E0BCED5D6AEE35B2C685B688108100501883467B800000054FEDAD0A3BA5D06537514042A3BD6A84B88210DF4B0D0660C1B8EC3D4AC6E6CC61DF8E72E93B27AE7C6446205B2A0D819379DC6ECBE85E7A7
ike 0:IPsec2ASA:9295: dec 0F15990E0BCED5D6AEE35B2C685B688108100501883467B8000000540B0000181E068ACC9670F054FDF161E17D4C54E1C7E617D900000020000000010310000E0F15990E0BCED5D6AEE35B2C685B688134A0B58E
ike 0:IPsec2ASA:9295: notify msg received: NO-PROPOSAL-CHOSEN
ike 0: comes remoteIP:500->localIP:500,ifindex=3....
ike 0: IKEv1 exchange=Informational id=0f15990e0bced5d6/aee35b2c685b6881:6473ccd5 len=84
ike 0: in 0F15990E0BCED5D6AEE35B2C685B6881081005016473CCD500000054BAC33C73492BE11188A5926E86C1F02A96ECDF7F69DE54DC2ED369C77EAD45449FF1FE95000EEA81349868BDECA0E4997D9E3B5076954D20
ike 0:IPsec2ASA:9295: dec 0F15990E0BCED5D6AEE35B2C685B6881081005016473CCD5000000540C0000183B109FAEF711B2429CF35FC0B07C2CFAFD7042C90000001C00000001011000010F15990E0BCED5D6AEE35B2C685B688100000000
ike 0:IPsec2ASA:9295: recv ISAKMP SA delete 0f15990e0bced5d6/aee35b2c685b6881
ike 0:IPsec2ASA: deleting
ike 0:IPsec2ASA: flushing
ike 0:IPsec2ASA: flushed
ike 0:IPsec2ASA: deleted
ike 0:IPsec2ASA: set oper down
ike 0:IPsec2ASA: schedule auto-negotiate
ike 0:IPsec2ASA: carrier down
ike 0:IPsec2ASA: auto-negotiate connection
ike 0:IPsec2ASA: created connection: 0xa4f0878 3 localIP->remoteIP:500.
ike 0:IPsec2ASA:9296: initiator: main mode is sending 1st message...
Here is my config and the ASA config from their side:

                         FortiGate   ASA
Encryption Algorithm     3DES        3DES
Hash Algorithm           SHA         SHA
Diffie-Hellman Group     GROUP 2     GROUP 2
Encryption key Lifetime  86400       86400
PHASE 2
Encryption Method        DES         ESP-DES
Authentication Method    MD5         ESP-MD5-HMAC
Lifetime                 3600        3600
I really need help
thanks
Labels: 5.0
The log states that the firewalls could not negotiate a common phase 2 proposal (auth + encr). I wonder how in the world one would choose DES and MD5 nowadays. Are you 100% sure it's not meant to be 3DES?
Thanks ede_pfau for your answer.
By the way, I have a question: is there any difference between MD5 and ESP-MD5-HMAC, and between DES and ESP-DES? Maybe this is a stupid question, but I'd like to know as it is my first time working on that.
Thanks
No, I don't think these (vendor-specific) terms denote different things: DES is a 56-bit encryption algorithm, MD5 a hash algorithm.
Can you verify the Cisco settings, esp. "DES" instead of "3DES"?
I don't have access to the Cisco ASA.
I would find out who does and ask them to verify some things with you. Perhaps a webex to help you with the troubleshooting at the very least.
That would be the fastest way to resolve your issue.
Mike Pruett
Well, it wouldn't hurt your firewall or theirs to simply try 3DES/MD5, and then just click through a few random variations. If you hit the right combination you will have it up all weekend.
Hello everyone, the problem is solved. I just had to disable "PFS"; I did not have that information. Thank you to all.
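The "enc" line the FortiGate logged right after quick_i1send is the Quick Mode proposal before encryption, so it shows exactly what phase 2 offered and why the ASA answered NO-PROPOSAL-CHOSEN. The parser below is an added example, not code from the thread or from Fortinet: it walks the ISAKMP payload chain using RFC 2407/2408 identifiers and flags the KE payload, which only appears in Quick Mode when PFS is enabled; it assumes a single ESP proposal with one transform, which is all this message carries.

```python
import struct

ESP_TRANSFORM = {2: "DES", 3: "3DES", 12: "AES-CBC"}        # RFC 2407 ESP transform identifiers
AUTH_ALG = {1: "HMAC-MD5", 2: "HMAC-SHA1"}                  # RFC 2407 authentication algorithms
ATTR = {1: "life_type", 2: "life_seconds", 3: "pfs_group", 4: "encap_mode", 5: "auth_alg"}

def parse_transform(trans: bytes) -> dict:
    # Transform payload: 8-byte header, then TV (bit 15 set) or TLV attributes (RFC 2408 3.3)
    _, _, tlen, _, trans_id, _ = struct.unpack("!BBHBBH", trans[:8])
    out, i = {"encr": ESP_TRANSFORM.get(trans_id, str(trans_id))}, 8
    while i < tlen:
        af_type, val = struct.unpack("!HH", trans[i:i + 4])
        if af_type & 0x8000:                       # basic attribute: value is in the same 4 bytes
            i += 4
        else:                                      # variable-length attribute: val is its length
            val, i = int.from_bytes(trans[i + 4:i + 4 + val], "big"), i + 4 + val
        name = ATTR.get(af_type & 0x7FFF, "attr%d" % (af_type & 0x7FFF))
        out[name] = AUTH_ALG.get(val, val) if name == "auth_alg" else val
    return out

def parse_quick_mode(hexdump: str) -> dict:
    # Walk the payload chain of a decrypted Quick Mode (exchange type 32) message
    data = bytes.fromhex(hexdump)
    next_payload, exchange = data[16], data[18]
    assert exchange == 32, "not a Quick Mode message"
    result, off = {"pfs": False, "selectors": []}, 28      # skip the 28-byte ISAKMP header
    while next_payload and off + 4 <= len(data):
        np, _, plen = struct.unpack("!BBH", data[off:off + 4])
        body = data[off + 4:off + plen]
        if next_payload == 1:               # SA: DOI(4) situation(4) proposal hdr(8) SPI transform
            result["protocol"] = {2: "AH", 3: "ESP"}.get(body[13], body[13])
            result.update(parse_transform(body[16 + body[14]:]))
        elif next_payload == 4:             # a KE payload inside Quick Mode means PFS is enabled
            result["pfs"], result["pfs_bits"] = True, len(body) * 8
        elif next_payload == 5 and body[0] == 4:             # ID_IPV4_ADDR_SUBNET
            result["selectors"].append("%d.%d.%d.%d/%d.%d.%d.%d" % tuple(body[4:12]))
        next_payload, off = np, off + plen
    return result

QM_HEX = (  # from the thread's 'enc' line after quick_i1send (wrap removed), one payload per line
    "0F15990E0BCED5D6AEE35B2C685B68810810200134A0B58E00000120"          # ISAKMP header
    "010000187EFF4E4361DE5F2523905A84D1E742D5E91AE93C"                  # HASH
    "0A0000340000000100000001000000280103040146FF4CDD0000001C01020000"  # SA, proposal, transform
    "8001000180020E1080040001800500018003000204000014"                  # attributes, NONCE hdr
    "D5745F25DDA81FDE2908DF7FF6101A3905000084"                          # nonce, KE header
    "8EF247FF09A054A9B5CAE64880C7CBF6BE8B1BC2E097AC319911CD72508E4F7E80819C44AD80E04766C518F02300933C241300F5416BF2534BF5913789E3D497"
    "043C1AE295FBE0E40C229D443D7D5941CCFBEF5B30FB6A63735CDE91C2AB105ACB85FF90DBB514A74B930F07A73B4B0D503C930A55815C2DB61EFAB9A967DEA0"
    "0500001004000000C0A86500FFFFFF000000001004000000C0A80200FFFFFF00"  # IDci, IDcr
)
```

Running `parse_quick_mode(QM_HEX)` on this message reports ESP DES/HMAC-MD5 with a 3600 s lifetime and the two /24 selectors, plus a 1024-bit KE payload with pfs_group 2, which is the PFS setting the ASA side did not have.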