snobs
New Contributor II

IPSec: Why does "phase 2" fail?

Hello, my goal is to set up an IPSec IPv6 only tunnel for roadwarriors / clients.

show vpn ipsec phase1-interface
    edit "IKE61"
        set type dynamic
        set interface "VLAN964"
        set ip-version 6
        set xauthtype auto
        set mode aggressive
        set proposal 3des-sha1 aes128-sha1 aes256-sha512
        set authusrgrp "RemoteAccessUsers"
        set psksecret ENC fgkjhdfgkjdfhgkjhgkjhdfgjghdfjkghdkjfghgdkdjgdfjkhgkdghj
    next

show vpn ipsec phase2-interface
    edit "IKE62"
        set dst-addr-type subnet6
        set keepalive enable
        set phase1name "IKE61"
        set proposal aes256-sha512
        set src-addr-type subnet6
        set dhcp-ipsec enable
        set dst-subnet6 2001::/16
        set src-subnet6 2001::/16
    next

    edit "VLAN964"
        set vdom "root"
        config ipv6
            set ip6-address 2001:f587:7ab1:f64::f1/64
            set ip6-allowaccess ping fgfm
        end
        set interface "port6"
        set vlanid 964
    next

    edit "IKE61"
        set vdom "root"
        set type tunnel
        set interface "VLAN964"
    next

config firewall policy6
    edit 1
        set srcintf "VLAN964"
        set dstintf "VLAN9640"
        set srcaddr "all"
        set dstaddr "IPSec-IPv6-Pool"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set srcintf "VLAN9640"
        set dstintf "VLAN964"
        set srcaddr "all"
        set dstaddr "IPSec-IPv6-Pool"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

Let's debug IPSec and connect with the "NCP Secure Client" IPsec client from 2001:f587:7ab1:1222::f100

ike 0: comes 2001:f587:7ab1:1222::f100:10952->2001:f587:7ab1:f64::f1:500,ifindex=10754....
ike 0: IKEv1 exchange=Aggressive id=bbae340e1df2eeac/0000000000000000 len=648
ike 0: IKEv1 Aggressive, comes 2001:f587:7ab1:1222::f100:10952->2001:f587:7ab1:f64::f1 10754, peer-id=(null).
ike 0:IKE61: check for IP assignment method ...
ike 0:IKE61: no IP assignment method defined
ike 0:IKE61:12042: responder: aggressive mode get 1st message...
ike 0:IKE61:12042: VID unknown (8): DA8E937880010000
ike 0:IKE61:12042: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
ike 0:IKE61:12042: XAUTHv6 negotiated
ike 0:IKE61:12042: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:IKE61:12042: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:IKE61:12042: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:IKE61:12042: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:IKE61:12042: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:IKE61:12042: DPD negotiated
ike 0:IKE61:12042: VID unknown (16): EB4C1B788AFD4A9CB7730A68D56D088B
ike 0:IKE61:12042: VID unknown (16): CBE79444A0870DE4224A2C151FBFE099
ike 0:IKE61:12042: VID unknown (16): C61BACA1F1A60CC10800000000000000
ike 0:IKE61:12042: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:IKE61:12042: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
ike 0:IKE61:12042: peer supports UNITY
ike 0:IKE61:12042: negotiation result
ike 0:IKE61:12042: proposal id = 1:
ike 0:IKE61:12042: protocol id = ISAKMP:
ike 0:IKE61:12042: trans_id = KEY_IKE.
ike 0:IKE61:12042: encapsulation = IKE/none
ike 0:IKE61:12042: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:IKE61:12042: type=OAKLEY_HASH_ALG, val=SHA2_512.
ike 0:IKE61:12042: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:IKE61:12042: type=OAKLEY_GROUP, val=1536.
ike 0:IKE61:12042: ISKAMP SA lifetime=28800
ike 0:IKE61:12042: selected NAT-T version: RFC 3947
ike 0:IKE61:12042: cookie bbae340e1df2eeac/287a9032ff1c3b3b
ike 0:IKE61:12042: ISAKMP SA bbae340e1df2eeac/287a9032ff1c3b3b key 32:27812E827ECF20A2C3D3EA224AEB043379133FF5F80E4F16E6DC88CE26DEFC34
ike 0:IKE61:12042: sent IKE msg (agg_r1send): 2001:f587:7ab1:f64::f1:500->2001:f587:7ab1:1222::f100:10952, len=640, id=bbae340e1df2eeac/287a9032ff1c3b3b
ike 0: comes 2001:f587:7ab1:1222::f100:10952->2001:f587:7ab1:f64::f1:500,ifindex=10754....
ike 0: IKEv1 exchange=Aggressive id=bbae340e1df2eeac/287a9032ff1c3b3b len=268
ike 0:IKE61:12042: responder: aggressive mode get 2nd response...
ike 0:IKE61:12042: received NAT-D payload type 20
ike 0:IKE61:12042: received NAT-D payload type 20
ike 0:IKE61:12042: received notify type 24578
ike 0:IKE61:12042: PSK authentication succeeded
ike 0:IKE61:12042: authentication OK
ike 0:IKE61:12042: NAT not detected
ike 0:IKE61:12042: established IKE SA bbae340e1df2eeac/287a9032ff1c3b3b
ike 0:IKE61: adding new dynamic tunnel for 2001:f587:7ab1:1222::f100:10952
ike 0:IKE61_0: added new dynamic tunnel for 2001:f587:7ab1:1222::f100:10952
ike 0:IKE61_0:12042: HA send IKE SA bbae340e1df2eeac/287a9032ff1c3b3b
ike 0:IKE61_0:12042: processing INITIAL-CONTACT
ike 0:IKE61_0: flushing
ike 0:IKE61_0: flushed
ike 0:IKE61_0:12042: processed INITIAL-CONTACT
ike 0:IKE61_0:12042: initiating XAUTH.
ike 0:IKE61_0:12042: sending XAUTH request
ike 0:IKE61_0:12042: sent IKE msg (cfg_send): 2001:f587:7ab1:f64::f1:500->2001:f587:7ab1:1222::f100:10952, len=124, id=bbae340e1df2eeac/287a9032ff1c3b3b:45c2b70c
ike 0:IKE61_0:12042: peer has not completed XAUTH exchange
ike 0: comes 2001:f587:7ab1:1222::f100:10952->2001:f587:7ab1:f64::f1:500,ifindex=10754....
ike 0: IKEv1 exchange=Mode config id=bbae340e1df2eeac/287a9032ff1c3b3b:45c2b70c len=140
ike 0:IKE61_0:12042: received XAUTH_USER_NAME 'TESTUSER' length 8
ike 0:IKE61_0:12042: received XAUTH_USER_PASSWORD length 16
ike 0:IKE61_0: XAUTH user "TESTUSER" in group 'RemoteAccessUsers' (1)
ike 0:IKE61_0: XAUTH 4556 pending
ike 0: XAUTH 4556 result 0
ike 0:IKE61_0: XAUTH succeeded for user "TESTUSER"
ike 0:IKE61_0:12042: sent IKE msg (cfg_send): 2001:f587:7ab1:f64::f1:500->2001:f587:7ab1:1222::f100:10952, len=124, id=bbae340e1df2eeac/287a9032ff1c3b3b:37f045e2
ike 0:IKE61_0: HA send XAUTH
ike 0: comes 2001:f587:7ab1:1222::f100:10952->2001:f587:7ab1:f64::f1:500,ifindex=10754....
ike 0: IKEv1 exchange=Mode config id=bbae340e1df2eeac/287a9032ff1c3b3b:37f045e2 len=108
ike 0: comes 2001:f587:7ab1:1222::f100:10952->2001:f587:7ab1:f64::f1:500,ifindex=10754....
ike 0: IKEv1 exchange=Quick id=bbae340e1df2eeac/287a9032ff1c3b3b:95f810ea len=428
ike 0:IKE61_0:12042:896294: responder received first quick-mode message
ike 0:IKE61_0:12042:896294: peer proposal is: peer:17:32.1.6.56-32.1.6.56:68, me:17:0.0.0.0-255.255.255.255:67
ike 0:IKE61_0:12042:IKE62:896294: trying
ike 0:IKE61_0:12042:896294: no matching phase2 found
ike 0:IKE61_0:12042:896294: failed to get responder proposal
ike 0:IKE61_0:12042: error processing quick-mode message from 2001:f587:7ab1:1222::f100 as responder
ike 0:FClient-RAS_3:12030: send IKEv1 DPD probe, seqno 435
ike 0: IKEv1 exchange=Informational id=2b2c7ec3d0cd8fbe/090bd7ab17d2edfc:c324acb6 len=92
ike 0:FClient-RAS_3:12030: notify msg received: R-U-THERE-ACK
ike 0:IKE61_0: link is idle 10754 2001:f587:7ab1:f64::f1->2001:f587:7ab1:1222::f100:500 dpd=1 seqno=1
ike 0:IKE61_0:12042: send IKEv1 DPD probe, seqno 1
ike 0:IKE61_0:12042: sent IKE msg (R-U-THERE): 2001:f587:7ab1:f64::f1:500->2001:f587:7ab1:1222::f100:10952, len=140, id=bbae340e1df2eeac/287a9032ff1c3b3b:d390a9de
ike 0: comes 2001:f587:7ab1:1222::f100:10952->2001:f587:7ab1:f64::f1:500,ifindex=10754....
ike 0: IKEv1 exchange=Informational id=bbae340e1df2eeac/287a9032ff1c3b3b:04cd019e len=140
ike 0:IKE61_0:12042: notify msg received: R-U-THERE-ACK
ike 0: comes 2001:f587:7ab1:1222::f100:10952->2001:f587:7ab1:f64::f1:500,ifindex=10754....
ike 0: IKEv1 exchange=Quick id=bbae340e1df2eeac/287a9032ff1c3b3b:95f810ea len=428
ike 0:IKE61_0:12042:896297: responder received first quick-mode message
ike 0:IKE61_0:12042:896297: peer proposal is: peer:17:32.1.6.56-32.1.6.56:68, me:17:0.0.0.0-255.255.255.255:67
ike 0:IKE61_0:12042:IKE62:896297: trying
ike 0:IKE61_0:12042:896297: no matching phase2 found
ike 0:IKE61_0:12042:896297: failed to get responder proposal
ike 0:IKE61_0:12042: error processing quick-mode message from 2001:f587:7ab1:1222::f100 as responder

Reading some blogs, the reason for failing could be the IPv6 range for "Quick Mode Selector". This one:

peer proposal is: peer:17:32.1.6.56-32.1.6.56:68, me:17:0.0.0.0-255.255.255.255:67

seems to be the reason, right? But as we are living within IPv6 world, that part doesn't belong here? So why is phase 2 failing? It would be great if someone could give me a hint..
emnoc
Esteemed Contributor III

1st off, that 2001:: global and /16 prefix doesn't seem right, why did you pick that? Now on to your proposal, have you tried a ::/0 prefix (ANY) for the src-dst-subnets proxy-ids? Also what type of vpnclient is this? On the "IPSec-IPv6-Pool" pool what do you have configured? And finally fwpolicy6 #2, is that src/dst correct for the ipv6 address? You can confirm the fwpolicy6 via the diag debug flow6 later after you get thru the proposal match issues.

PCNSE 

NSE 

StrongSwan  

snobs
New Contributor II

Quick Mode Selector
Well I was actually testing different addresses to see whether something changed within the logs. So, I changed it back

    edit "IKE62"
        set dst-addr-type subnet6
        set keepalive enable
        set phase1name "IKE61"
        set proposal aes256-sha512
        set src-addr-type subnet6
        set dhcp-ipsec enable

which doesn't help.

config firewall address6
    edit "all6"
    next
    edit "IPSec-IPv6-Pool"
        set ip6 2001:f587:7ab1:f640::/64
    next
...

The IPSec client is from http://www.ncp-e.com/de/downloadstatistik/secure-entry-client/ncp-secure-entry-client-win-3264.html

Also I played with different policy6 configurations and routing settings:

config router static6
    edit 1
        set device "VLAN964"
        set dst 2001:f587:7ab1::/48
        set gateway 2001:f587:7ab1:f64::A
    next
    edit 2
        set device "VLAN9640"
        set dst 2001:f587:7ab1:f640::/64
        set gateway 2001:f587:7ab1:f640::A
    next
end

Well, nothing helps. The error message is still the same:

2013-11-15 09:17:38 ike 0:IKE61_0:12140:926057: peer proposal is: peer:17:32.1.6.56-32.1.6.56:68, me:17:0.0.0.0-255.255.255.255:67
2013-11-15 09:17:38 ike 0:IKE61_0:12140:IKE62:926057: trying
2013-11-15 09:17:38 ike 0:IKE61_0:12140:926057: no matching phase2 found
2013-11-15 09:17:38 ike 0:IKE61_0:12140:926057: failed to get responder proposal
2013-11-15 09:17:38 ike 0:IKE61_0:12140: error processing quick-mode message from 2001:f587:7ab1:1222::f100 as responder
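
An added example, not part of the thread and not Fortinet code: a small Python parser for the "peer proposal is" debug line quoted in the posts above. It names the protocol and ports of the proposed selector and, under the labelled assumption that the four printed bytes are the leading 32 bits of an IPv6 address, shows which prefix the dotted quad would denote and whether a given subnet6 value covers it. All function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the debug line as quoted in the thread.
SAMPLE = ("ike 0:IKE61_0:12042:896294: peer proposal is: "
          "peer:17:32.1.6.56-32.1.6.56:68, me:17:0.0.0.0-255.255.255.255:67")

# side:protocol:low-high:port, as printed in the "peer proposal is" line
SELECTOR = re.compile(r"\b(peer|me):(\d+):([\d.]+)-([\d.]+):(\d+)")
PROTOCOLS = {0: "any", 6: "tcp", 17: "udp"}


def parse_proposal(line):
    """Return {'peer': {...}, 'me': {...}} for one 'peer proposal is' line."""
    sides = {}
    for side, proto, low, high, port in SELECTOR.findall(line):
        sides[side] = {
            "proto": PROTOCOLS.get(int(proto), proto),
            "low": ipaddress.IPv4Address(low),
            "high": ipaddress.IPv4Address(high),
            "port": int(port),
        }
    return sides


def is_dhcp_selector(sides):
    """UDP 68 (client) towards UDP 67 (server) is a DHCP exchange."""
    peer, me = sides["peer"], sides["me"]
    return (peer["proto"], peer["port"], me["proto"], me["port"]) == ("udp", 68, "udp", 67)


def as_ipv6_prefix(addr):
    """Assumption: the four printed bytes are the leading 32 bits of an
    IPv6 address. Return the /32 network they would denote."""
    return ipaddress.IPv6Network((int(addr) << 96, 32))


def covered_by(addr, subnet6):
    """True if that reinterpreted /32 lies inside a configured subnet6."""
    return as_ipv6_prefix(addr).subnet_of(ipaddress.IPv6Network(subnet6))


if __name__ == "__main__":
    sides = parse_proposal(SAMPLE)
    print("DHCP selector:", is_dhcp_selector(sides))
    print("peer as IPv6 :", as_ipv6_prefix(sides["peer"]["low"]))
    for subnet in ("2001::/16", "2001:f587:7ab1:f640::/64"):
        print(subnet, "covers peer:", covered_by(sides["peer"]["low"], subnet))
```

For the quoted line this reports a UDP 68 to UDP 67 selector and, under the stated assumption, the prefix 2001:638::/32, which 2001::/16 covers and the /64 of "IPSec-IPv6-Pool" does not.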
snobs
New Contributor II

client settings:
snobs
New Contributor II

"my" network: