- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Site-to-Site IPSec VPN from private IP
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Site-to-Site IPSec VPN from private IP
Dear all,
I'm struggling to connect 2 sites with IPSec VPN.
A central firewall has a static public ip address, but the other side is behind nat and it only has private ip address(sometimes dynamically changed).
Phase 1 has been passed, but I got a phase 2 negotiation error.
I found suspicious logs in diag messages:
ike 0:Remote-IPSec_0: add peer route 169.254.1.1
ike 0:Remote-IPSec_0: add peer route failed, peer ip=169.254.1.1
Would you please tell me if there is some workaround for this issue?
Phase 2 diag logs:
(omitted Phase 1 negotiation)
ike 0:b674c784d615bb9d/0000000000000000:5298: SA proposal chosen, matched gateway Remote-IPSec
ike 0:Remote-IPSec: created connection: 0x57e33a0 5 180.149.180.99->126.236.145.247:62882.
ike 0:Remote-IPSec:5298: DPD negotiated
ike 0:Remote-IPSec:5298: selected NAT-T version: RFC 3947
ike 0:Remote-IPSec:5298: cookie b674c784d615bb9d/a73a6850fda5c98a
ike 0:Remote-IPSec:5298: ISAKMP SA b674c784d615bb9d/a73a6850fda5c98a key 16:10BDB5369F1683B2117261B395110F9D
ike 0:Remote-IPSec:5298: out B674C784D615BB9DA73A6850FDA5C98A01100400000000(omitted)
ike 0:Remote-IPSec:5298: sent IKE msg (agg_r1send): 180.149.180.99:500->126.236.145.247:62882, len=512, id=b674c784d615bb9d/a73a6850fda5c98a
ike 0: comes 126.236.145.247:27555->180.149.180.99:4500,ifindex=5....
ike 0: IKEv1 exchange=Aggressive id=b674c784d615bb9d/a73a6850fda5c98a len=100
ike 0: in B674C784D615BB9DA73A6850FDA5C98A141004000000000000000064(omitted)
ike 0:Remote-IPSec:5298: responder: aggressive mode get 2nd response...
ike 0:Remote-IPSec:5298: received NAT-D payload type 20
ike 0:Remote-IPSec:5298: received NAT-D payload type 20
ike 0:Remote-IPSec:5298: PSK authentication succeeded
ike 0:Remote-IPSec:5298: authentication OK
ike 0:Remote-IPSec:5298: NAT detected: PEER
ike 0:Remote-IPSec:5298: remote port change 62882 -> 27555
ike 0:Remote-IPSec: adding new dynamic tunnel for 126.236.145.247:27555
ike 0:Remote-IPSec_0: added new dynamic tunnel for 126.236.145.247:27555
ike 0:Remote-IPSec_0: add peer route 169.254.1.1
ike 0:Remote-IPSec_0: add peer route failed, peer ip=169.254.1.1 <-------------- I got failure message
ike 0:Remote-IPSec_0:5298: established IKE SA b674c784d615bb9d/a73a6850fda5c98a
ike 0:Remote-IPSec: set oper up
ike 0:Remote-IPSec_0:5298: no pending Quick-Mode negotiations
ike 0:Remote-IPSec: carrier up
ike 0: comes 126.236.145.247:27555->180.149.180.99:4500,ifindex=5....
ike 0: IKEv1 exchange=Quick id=b674c784d615bb9d/a73a6850fda5c98a:b2020c16 len=444
ike 0: in B674C784D615BB9DA73A6850FDA5C98A08102001B2020C16000001BC448E2 (omitted)
ike 0: comes 126.236.145.247:27555->180.149.180.99:4500,ifindex=5....
ike 0: IKEv1 exchange=Quick id=b674c784d615bb9d/a73a6850fda5c98a:b2020c16 len=444
ike 0: in B674C784D615BB9DA73A6850FDA5C98A08102001B2020C16000001BC448E2 (omitted)
ike 0: comes 126.236.145.247:27555->180.149.180.99:4500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=b674c784d615bb9d/a73a6850fda5c98a:84c1ee31 len=92
ike 0: in B674C784D615BB9DA73A6850FDA5C98A0810050184C1EE310000005C01070 (omitted)
Like the following message shows many times, but Phase 2 negitiation fails...:crying_face:
ike 0: comes 126.236.145.247:27555->180.149.180.99:4500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=b674c784d615bb9d/a73a6850fda5c98a:84c1ee31 len=92
ike 0: in B674C784D615BB9DA73A6850FDA5C98A0810050184C1EE310000005C0107058B5C(omitted)
Thank you.
Yoshikae Oyagi
Yoshikae Oyagi
Labels:
- Labels:
-
FortiGate
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Team,
I suspect you have not configured dial up vpn propelry on both ends.
Could you please follow this article and make sure you configured it proerly:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/6896/fortigate-as-dialup-client
Please check and keep us posted
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, as my colleague said, verify the tunnel IP address on that device if you manually configured it and verify config on HUB.
Adrian
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
he wrote it is S2S not dial up.
However 169.254.x.x as remote gw...isn't that APIPA and not routeable?
You have to have reachable public ip as remote gw for a s2s since the getways must be able to reach each other for a s2s to work. So that would require some Portforwarding too.
I have s2s here at my homeoffice too. Endpoint here is a FGT that is behind my router that does the internet connection. So Router has to have 500/udp and 4500/udp forwarded to my FGT because it is ipsec (Port 500) and due to NAT we ned NAT-T (4500).
Except from some ddns issue (because my wan ip is not static) which I am currently analyzing with TAC (and which I consider a bug in FortiOS) it works fine.
If you don't really need S2S for some reason it might tough be easier to switch to dial up.
The only issue here is that dial up does not to auto negotiation...
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
That 169.254.1.1 is APIPA, but it is tunnel interface. And it this case APIPA is legit IP address, you can assign it to tunnels and even build BGP over it, etc. So that should be ok.
Adrian
Related Posts
- IPSEC Down After Changing the IP... 81 Views
- FortiClient and T-Mobile 196 Views
- on-prem Fortigate can't reach EC2 VM... 328 Views
- Adding 26 locations with dual redundant... 210 Views
- IPSEC Tunnel doesn't match user in... 562 Views
Labels
-
FortiGate
6,534 -
FortiClient
1,304 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
Firewall policy
23 -
FortiConnect
23 -
FortiWAN
22 -
FortiConverter
21 -
VLAN
20 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.