Support Forum
Tedd
New Contributor

VPN Tunnel brought up but Phase2 error !?

Hi all,

I set up a dialup VPN with 2 FortiGates; the firmware version is 4.0MR1-Patch4. I followed the way I configured it with firmware version 3.0 MR7-Patch 9. The tunnel is successfully brought up, but the peers are not connected. I checked the log; the error message is: IPSec Phase2 Error. The raw information shows "no matching gateway for new request". I am wondering what such "gateway" and "new request" mean. The configuration worked with firmware version 3.0 MR7-Patch 9.

Thank you
Keep The Faith !!
ede_pfau
SuperUser

Hi Tedd, welcome to the Forums. Please post the phase 2 parameters of the local and remote side of your tunnel, and the policy allowing the traffic.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
Tedd
New Contributor

Hi Ede,

Here are the Phase 2 parameters of both peers.

Local Phase 2 parameter and Policy:

config vpn ipsec phase2-interface
    edit "VPN-P2"
        set keepalive enable
        set phase1name "VPN-P1"
        set proposal 3des-sha1 aes128-sha1
        set dst-subnet 10.20.7.0 255.255.255.0
        set src-subnet 10.22.3.0 255.255.255.0
    next
end

    edit 3
        set srcintf "VPN-P1"
        set dstintf "internal"
        set srcaddr "2007-Spoke"
        set dstaddr "2203-HUB"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
    edit 4
        set srcintf "internal"
        set dstintf "VPN-P1"
        set srcaddr "2203-HUB"
        set dstaddr "2007-Spoke"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end

Remote Phase 2 parameter and Policy:

config vpn ipsec phase2-interface
    edit "VPN-P2"
        set keepalive enable
        set phase1name "VPN-P1"
        set proposal 3des-sha1 aes128-sha1
        set dst-subnet 10.22.3.0 255.255.255.0
        set src-subnet 10.20.7.0 255.255.255.0
    next
end

    edit 3
        set srcintf "VPN-P1"
        set dstintf "internal"
        set srcaddr "2203-HUB"
        set dstaddr "2007-Spoke"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
    edit 4
        set srcintf "internal"
        set dstintf "VPN-P1"
        set srcaddr "2007-Spoke"
        set dstaddr "2203-HUB"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end

Thank you
Keep The Faith !!
ede_pfau
SuperUser

So remote is 10.20.7.0 "spoke", local is 10.22.3.0 "hub"? The only strange thing I notice is that you use NAT. Why? Try without, on both sides (phase 2 configs).

Ede

"Kernel panic: Aiee, killing interrupt handler!"
Tedd
New Contributor

I followed the manual steps and unchecked NAT, but it still doesn't work. Here is the message in the error log:

2010-05-26 21:02:20 log_id=0101037125 type=event subtype=ipsec pri=error fwver=040004 vd="root" msg="IPsec phase 2 error" action="negotiate" rem_ip=211.22.134.2 loc_ip=122.117.39.104 rem_port=500 loc_port=500 out_intf="wan1" cookies="534c2b4b91e03cca/0000000000000000" user="N/A" group="N/A" xauth_user="N/A" xauth_group="N/A" vpn_tunnel="N/A" status=negotiate_error error_reason=no matching gateway for new request
Keep The Faith !!
rwpatterson
Valued Contributor III

You created these in interface mode. Did you create static routes? You need them when configuring this way; in policy mode you do not. Everything else in the configs looks correct from here as well. Also, try "set proposal 3des-sha1" instead of "set proposal 3des-sha1 aes128-sha1".

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
ede_pfau
SuperUser

OK, for some more output, on the CLI please type:

diag deb ena
diag deb cons ti ena
diag deb app ike -1

then initiate the tunnel. Stop the debug output with:

diag deb app ike 0

Ede

"Kernel panic: Aiee, killing interrupt handler!"
Tedd
New Contributor

I did it and it keeps coming up with these messages:

ike 0:VPN_0:0: notify msg received: R-U-THERE
ike 0:VPN_0:0: sent IKE msg (R-U-THERE-ACK): 122.117.39.104:500->125.230.90.117:500, len=92
ike 0: comes 125.230.90.117:500->122.117.39.104:500,ifindex=12....
ike 0: IKEv1 exchange=Informational id=73f6ee918c5dc702/6615f1298960d180:29b60c9e len=92
ike 0: found VPN_0 122.117.39.104 12 -> 125.230.90.117:500
ike 0:VPN_0:0: notify msg received: R-U-THERE-ACK
ike 0:VPN_0: link is idle 12 122.117.39.104->125.230.90.117:500 dpd=1 seqno=250
ike 0:VPN_0:0: send IKEv1 DPD probe, seqno 592
ike 0:VPN_0:0: sent IKE msg (R-U-THERE): 122.117.39.104:500->125.230.90.117:500, len=92
ike 0: comes 125.230.90.117:500->122.117.39.104:500,ifindex=12....
ike 0: IKEv1 exchange=Informational id=73f6ee918c5dc702/6615f1298960d180:0992800b len=92
ike 0: found VPN_0 122.117.39.104 12 -> 125.230.90.117:500
ike 0:VPN_0:0: notify msg received: R-U-THERE
ike 0:VPN_0:0: sent IKE msg (R-U-THERE-ACK): 122.117.39.104:500->125.230.90.117:500, len=92
ike 0: comes 125.230.90.117:500->122.117.39.104:500,ifindex=12....
ike 0: IKEv1 exchange=Informational id=73f6ee918c5dc702/6615f1298960d180:0da2a899 len=92
ike 0: found VPN_0 122.117.39.104 12 -> 125.230.90.117:500
ike 0:VPN_0:0: notify msg received: R-U-THERE-ACK
ike 0: comes 211.22.134.2:500->122.117.39.104:500,ifindex=12....
ike 0: IKEv1 exchange=Aggressive id=d6c744933de72c12/0000000000000000 len=580
ike 0: no IKEv1 phase1 configuration matching 211.22.134.2:500->122.117.39.104 12
ike 0: comes 211.22.134.2:500->122.117.39.104:500,ifindex=12....
ike 0: IKEv1 exchange=Aggressive id=38a893ecee5be36c/0000000000000000 len=580
ike 0: no IKEv1 phase1 configuration matching 211.22.134.2:500->122.117.39.104 12
ike 0: comes 211.22.134.2:500->122.117.39.104:500,ifindex=12....
ike 0: IKEv1 exchange=Aggressive id=38a893ecee5be36c/0000000000000000 len=580
ike 0: no IKEv1 phase1 configuration matching 211.22.134.2:500->122.117.39.104 12
ike 0:VPN_0: link is idle 12 122.117.39.104->125.230.90.117:500 dpd=1 seqno=251
ike 0:VPN_0:0: send IKEv1 DPD probe, seqno 593
ike 0:VPN_0:0: sent IKE msg (R-U-THERE): 122.117.39.104:500->125.230.90.117:500, len=92
ike 0: comes 125.230.90.117:500->122.117.39.104:500,ifindex=12....
ike 0: IKEv1 exchange=Informational id=73f6ee918c5dc702/6615f1298960d180:88695a04 len=92
ike 0: found VPN_0 122.117.39.104 12 -> 125.230.90.117:500
ike 0:VPN_0:0: notify msg received: R-U-THERE
ike 0:VPN_0:0: sent IKE msg (R-U-THERE-ACK): 122.117.39.104:500->125.230.90.117:500, len=92
ike 0: comes 125.230.90.117:500->122.117.39.104:500,ifindex=12....
ike 0: IKEv1 exchange=Informational id=73f6ee918c5dc702/6615f1298960d180:c520005c len=92
ike 0: found VPN_0 122.117.39.104 12 -> 125.230.90.117:500
ike 0:VPN_0:0: notify msg received: R-U-THERE-ACK
ike 0: comes 211.22.134.2:500->122.117.39.104:500,ifindex=12....
ike 0: IKEv1 exchange=Aggressive id=38a893ecee5be36c/0000000000000000 len=580
ike 0: no IKEv1 phase1 configuration matching 211.22.134.2:500->122.117.39.104 12

Sorry, I'm lost in these messages.
Keep The Faith !!
ede_pfau
SuperUser

no IKEv1 phase1 configuration matching 211.22.134.2:500->122.117.39.104
So you need to look into your phase1 config; parameters must match on both sides. This has nothing to do with the IPs (src/dst). I see you have a second VPN up and running, to 125.230... Don't get confused by messages related to that.

Phase 1 parameters to match:
- proposals (enc/hash)
- localID / peerID
- DH group
- mode (agg/main)
- PSK, of course
- keylife
- NAT-T
- DPD

Please check, and if you don't find anything, post them.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
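Separating the failing peer from the chatter of a working tunnel, as an added Python example that is not from this thread or from Fortinet: it parses lines in the format of the "diag deb app ike -1" output posted above, counts DPD R-U-THERE-ACK replies per tunnel (a healthy tunnel), and collects every remote IP that "no IKEv1 phase1 configuration matching" was logged for, together with the exchange mode it tried. The sample lines are constructed and use documentation addresses, not the poster's.

```python
import re
from collections import defaultdict

# Constructed sample of "diag deb app ike -1" output, modelled on the format
# in the thread; addresses are documentation ranges, not the poster's.
SAMPLE = """\
ike 0:VPN_0:0: send IKEv1 DPD probe, seqno 592
ike 0: comes 198.51.100.7:500->192.0.2.10:500,ifindex=12....
ike 0: IKEv1 exchange=Informational id=73f6ee918c5dc702/6615f1298960d180:0992800b len=92
ike 0: found VPN_0 192.0.2.10 12 -> 198.51.100.7:500
ike 0:VPN_0:0: notify msg received: R-U-THERE-ACK
ike 0: comes 203.0.113.5:500->192.0.2.10:500,ifindex=12....
ike 0: IKEv1 exchange=Aggressive id=d6c744933de72c12/0000000000000000 len=580
ike 0: no IKEv1 phase1 configuration matching 203.0.113.5:500->192.0.2.10 12
ike 0: comes 203.0.113.5:500->192.0.2.10:500,ifindex=12....
ike 0: IKEv1 exchange=Aggressive id=38a893ecee5be36c/0000000000000000 len=580
ike 0: no IKEv1 phase1 configuration matching 203.0.113.5:500->192.0.2.10 12
"""

RE_EXCH = re.compile(r"^ike \d+: IKEv1 exchange=(\w+) id=")
RE_NOP1 = re.compile(r"^ike \d+: no IKEv1 phase1 configuration matching (\S+):\d+->(\S+) (\d+)")
RE_DPD = re.compile(r"^ike \d+:(\S+?):\d+: notify msg received: (R-U-THERE(?:-ACK)?)")

def summarise_ike_debug(text):
    """Return (unmatched_peers, healthy_tunnels): remote IPs that no phase1
    definition claimed (attempt count + exchange modes seen), and tunnel
    names with the number of DPD R-U-THERE-ACK replies received."""
    unmatched = defaultdict(lambda: {"attempts": 0, "modes": set()})
    healthy = defaultdict(int)
    last_mode = None
    for line in text.splitlines():
        m = RE_EXCH.match(line)
        if m:
            last_mode = m.group(1)  # the verdict on the next line belongs to this exchange
            continue
        m = RE_NOP1.match(line)
        if m:
            peer = m.group(1)       # the remote IP whose proposal matched no phase1
            unmatched[peer]["attempts"] += 1
            if last_mode:
                unmatched[peer]["modes"].add(last_mode)
            continue
        m = RE_DPD.match(line)
        if m and m.group(2) == "R-U-THERE-ACK":
            healthy[m.group(1)] += 1  # a DPD reply: that tunnel's phase1 is alive
    return dict(unmatched), dict(healthy)
```

For each IP in the first result, the phase1 parameters listed above (proposals, IDs, DH group, mode, PSK, keylife, NAT-T, DPD) are what to compare on both sides; tunnels in the second result are not the problem.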
Tedd
New Contributor

First of all, thanks for your kind help. I loaded the factory defaults and re-configured all the VPN parameters. The tunnel is up, the peers are connected to each other, and communications are fine (I pinged the remote gateway on both sides, 0% packet loss). But still the log shows the error message "IPSec Phase2 Error", and the error reason is "no matching gateway for new request"!!! I looked over the "Fortigate-Log_Message_Reference_V4.0_MR1" but found no further information. Would someone please be so kind as to tell me what's going on with my configuration? I will mail the full configuration if that is necessary.
Keep The Faith !!