mazu74
New Contributor

[Solved]VPN Debug - ipsec interface mode

I don't understand why my Windows 7 client can't connect to my FortiGate 90D v5.2.0 build0589. I haven't installed FortiClient; I use the native Windows 7 VPN client to create the connection.

Error 678 in Windows 7.

Policy on the FortiGate: from "tunnel VPN interface" to "Internal", accept all.

On the FortiGate I created the tunnel like this:

config vpn ipsec phase1-interface
    edit "Phase"
        set type dynamic
        set interface "wan2"
        set keylife 28800
        set proposal 3des-sha1 aes256-md5 aes192-sha1
        set dhgrp 2
        set psksecret xxxxxxxxxxxxxxxx
    next
end
config vpn ipsec phase2-interface
    edit "Phase_P2"
        set phase1name "Phase"
        set proposal 3des-sha1 aes256-md5 aes192-sha1
        set pfs disable
        set keylife-type both
        set encapsulation transport-mode
        set dhcp-ipsec enable
        set keylifeseconds 3600
        set keylifekbs 250000
    next
end

And added:

config system interface
    edit "Phase"
        set dhcp-relay-service enable
        set dhcp-relay-ip "xx.xx.xx.xx"
        set dhcp-relay-type regular
    next
end

 

And there is no error in the debug log!

It just finishes with "recv ISAKMP SA delete", "deleting"...

My debug log:

Line 39: 2014-11-05 12:15:12 ike 0:7552098ed5d761dc/0000000000000000:2624: SA proposal chosen, matched gateway Phase 
Line 40: 2014-11-05 12:15:12 ike 0:Phase:2624: selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02\n
Line 41: 2014-11-05 12:15:12 ike 0:Phase:2624: cookie 7552098ed5d761dc/444e8472b6c4b134
Line 42: 2014-11-05 12:15:12 ike 0:Phase:2624: out 7552098ED5D761DC444E8472B6C4B1340110020000000000000000BC0D00003800000001000000010000002C01010001000000240201000080010005800200028004000280030001800B0001000C0004000070800D00001490CB80913EBB696E086381B5EC427B1F0D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE0005024D0D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
Line 43: 2014-11-05 12:15:12 ike 0:Phase:2624: sent IKE msg (ident_r1send): 89.225.232.140:500->90.117.20.5:500, len=188, id=7552098ed5d761dc/444e8472b6c4b134
Line 47: 2014-11-05 12:15:13 ike 0:Phase:2624: retransmission, re-send last message
Line 48: 2014-11-05 12:15:13 ike 0:Phase:2624: out 7552098ED5D761DC444E8472B6C4B1340110020000000000000000BC0D00003800000001000000010000002C01010001000000240201000080010005800200028004000280030001800B0001000C0004000070800D00001490CB80913EBB696E086381B5EC427B1F0D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE0005024D0D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
Line 49: 2014-11-05 12:15:13 ike 0:Phase:2624: sent IKE msg (retransmit): 89.225.232.140:500->90.117.20.5:500, len=188, id=7552098ed5d761dc/444e8472b6c4b134
Line 53: 2014-11-05 12:15:14 ike 0:Phase:2624: responder:main mode get 2nd message...
Line 54: 2014-11-05 12:15:14 ike 0:Phase:2624: NAT not detected
Line 55: 2014-11-05 12:15:14 ike 0:Phase:2624: out 7552098ED5D761DC444E8472B6C4B1340410020000000000000000E40A000084BAE277C94D29E763BBCC6A8116C164360CC2FBA5968A4C33307884D0B920E2BA14F0218420E0EC067BDC5D961332A2181DF23309AE752C72058CBF744A209C73693DD9AC4F155BC4B42A951EFEAE022F713E46B6C0221A55A714E6FC61591398A1E10C409B453D3D4616AAD1BE059D481AF3F3DCC022BAE751043386DDD6D13282000014EE13310F02DEF6AC8F8DA6299E709EAF8200001846CBBA82FC7C6E80F0954DE505B589A58A885F9D00000018AED10DD0968E9CC646A66592E540A01F5CB17168
Line 56: 2014-11-05 12:15:14 ike 0:Phase:2624: sent IKE msg (ident_r2send): 89.225.232.140:500->90.117.20.5:500, len=228, id=7552098ed5d761dc/444e8472b6c4b134
Line 57: 2014-11-05 12:15:14 ike 0:Phase:2624: ISAKMP SA 7552098ed5d761dc/444e8472b6c4b134 key 24:2F09BFFEFC4678E31985E825FD65D308A45C227DE635FD19
Line 61: 2014-11-05 12:15:14 ike 0:Phase:2624: retransmission, re-send last message
Line 62: 2014-11-05 12:15:14 ike 0:Phase:2624: out 7552098ED5D761DC444E8472B6C4B1340410020000000000000000E40A000084BAE277C94D29E763BBCC6A8116C164360CC2FBA5968A4C33307884D0B920E2BA14F0218420E0EC067BDC5D961332A2181DF23309AE752C72058CBF744A209C73693DD9AC4F155BC4B42A951EFEAE022F713E46B6C0221A55A714E6FC61591398A1E10C409B453D3D4616AAD1BE059D481AF3F3DCC022BAE751043386DDD6D13282000014EE13310F02DEF6AC8F8DA6299E709EAF8200001846CBBA82FC7C6E80F0954DE505B589A58A885F9D00000018AED10DD0968E9CC646A66592E540A01F5CB17168
Line 63: 2014-11-05 12:15:14 ike 0:Phase:2624: sent IKE msg (retransmit): 89.225.232.140:500->90.117.20.5:500, len=228, id=7552098ed5d761dc/444e8472b6c4b134
Line 67: 2014-11-05 12:15:16 ike 0:Phase:2624: retransmission, re-send last message
Line 68: 2014-11-05 12:15:16 ike 0:Phase:2624: out 7552098ED5D761DC444E8472B6C4B1340410020000000000000000E40A000084BAE277C94D29E763BBCC6A8116C164360CC2FBA5968A4C33307884D0B920E2BA14F0218420E0EC067BDC5D961332A2181DF23309AE752C72058CBF744A209C73693DD9AC4F155BC4B42A951EFEAE022F713E46B6C0221A55A714E6FC61591398A1E10C409B453D3D4616AAD1BE059D481AF3F3DCC022BAE751043386DDD6D13282000014EE13310F02DEF6AC8F8DA6299E709EAF8200001846CBBA82FC7C6E80F0954DE505B589A58A885F9D00000018AED10DD0968E9CC646A66592E540A01F5CB17168
Line 69: 2014-11-05 12:15:16 ike 0:Phase:2624: sent IKE msg (retransmit): 89.225.232.140:500->90.117.20.5:500, len=228, id=7552098ed5d761dc/444e8472b6c4b134
Line 73: 2014-11-05 12:15:16 ike 0:Phase:2624: responder: main mode get 3rd message...
Line 74: 2014-11-05 12:15:16 ike 0:Phase:2624: dec 7552098ED5D761DC444E8472B6C4B1340510020100000000000000440800000C010000005A7514050000001817A887D93610BB8723AC784DA81A0D22B6DD9ECA00000000
Line 75: 2014-11-05 12:15:16 ike 0:Phase:2624: peer identifier IPV4_ADDR 90.117.20.5
Line 76: 2014-11-05 12:15:16 ike 0:Phase:2624: PSK authentication succeeded
Line 77: 2014-11-05 12:15:16 ike 0:Phase:2624: authentication OK
Line 78: 2014-11-05 12:15:16 ike 0:Phase:2624: enc 7552098ED5D761DC444E8472B6C4B1340510020100000000000000400800000C0100000059E1E88C00000018AFF911C794F008F5E35EB392F6F421641DC9EAC0
Line 79: 2014-11-05 12:15:16 ike 0:Phase:2624: out 7552098ED5D761DC444E8472B6C4B13405100201000000000000004455D9754428467301896361CBC0A297ECB6766C7B02CD211DB316267D1A5FE4DB1833C36675FC85C6
Line 80: 2014-11-05 12:15:16 ike 0:Phase:2624: sent IKE msg (ident_r3send): 89.225.232.140:500->90.117.20.5:500, len=68, id=7552098ed5d761dc/444e8472b6c4b134
Line 81: 2014-11-05 12:15:16 ike 0:Phase:2624: established IKE SA 7552098ed5d761dc/444e8472b6c4b134
Line 82: 2014-11-05 12:15:16 ike 0:Phase: adding new dynamic tunnel for 90.117.20.5:500
Line 83: 2014-11-05 12:15:16 ike 0:Phase_0: added new dynamic tunnel for 90.117.20.5:500
Line 84: 2014-11-05 12:15:16 ike 0:Phase_0:2624: no pending Quick-Mode negotiations
Line 88: 2014-11-05 12:15:16 ike 0:Phase_0:2624: retransmission, re-send last message
Line 89: 2014-11-05 12:15:16 ike 0:Phase_0:2624: out 7552098ED5D761DC444E8472B6C4B13405100201000000000000004455D9754428467301896361CBC0A297ECB6766C7B02CD211DB316267D1A5FE4DB1833C36675FC85C6
Line 90: 2014-11-05 12:15:16 ike 0:Phase_0:2624: sent IKE msg (retransmit): 89.225.232.140:500->90.117.20.5:500, len=68, id=7552098ed5d761dc/444e8472b6c4b134
Line 94: 2014-11-05 12:15:17 ike 0:Phase_0:2624:72180: responder received first quick-mode message
Line 95: 2014-11-05 12:15:17 ike 0:Phase_0:2624: dec (payload removed)
Line 96: 2014-11-05 12:15:17 ike 0:Phase_0:2624:72180: peer proposal is: peer:17:90.117.20.5-90.117.20.5:1701, me:17:89.225.232.140-89.225.232.140:1701
Line 97: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: trying
Line 98: 2014-11-05 12:15:17 ike 0:Phase_0:2624:72180: transport mode, override with 0:89.225.232.140-89.225.232.140:0 -> 17:90.117.20.5-90.117.20.5:1701
Line 99: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: matched phase2
Line 100: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: dynamic client
Line 101: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: my proposal:
Line 102: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: proposal id = 1:
Line 103: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: protocol id = IPSEC_ESP:
Line 104: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: trans_id = ESP_3DES
Line 105: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: encapsulation = ENCAPSULATION_MODE_TRANSPORT
Line 106: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: type = AUTH_ALG, val=SHA1
Line 107: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: trans_id = ESP_AES (key_len = 256)
Line 108: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: encapsulation = ENCAPSULATION_MODE_TRANSPORT
Line 109: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: type = AUTH_ALG, val=MD5
Line 110: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: trans_id = ESP_AES (key_len = 192)
Line 111: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: encapsulation = ENCAPSULATION_MODE_TRANSPORT
Line 112: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: type = AUTH_ALG, val=SHA1
Line 113: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: incoming proposal:
Line 114: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: proposal id = 1:
Line 115: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: protocol id = IPSEC_ESP:
Line 116: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: trans_id = ESP_3DES
Line 117: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: encapsulation = ENCAPSULATION_MODE_TRANSPORT
Line 118: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: type = AUTH_ALG, val=MD5
Line 119: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: trans_id = ESP_3DES
Line 120: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: encapsulation = ENCAPSULATION_MODE_TRANSPORT
Line 121: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: type = AUTH_ALG, val=SHA1
Line 122: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: negotiation result
Line 123: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: proposal id = 1:
Line 124: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: protocol id = IPSEC_ESP:
Line 125: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: trans_id = ESP_3DES
Line 126: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: encapsulation = ENCAPSULATION_MODE_TRANSPORT
Line 127: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: type = AUTH_ALG, val=SHA1
Line 128: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: using transport mode.
Line 129: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: replay protection enabled
Line 130: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: SA life soft seconds=3585.
Line 131: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: SA life hard seconds=3600.
Line 132: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: set sa life soft/hard kbytes=249488/250000.
Line 133: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: IPsec SA selectors #src=1 #dst=1
Line 134: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: src 0 7 0:89.225.232.140-89.225.232.140:0
Line 135: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: dst 0 7 17:90.117.20.5-90.117.20.5:1701
Line 136: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: add dynamic IPsec SA selectors
Line 137: 2014-11-05 12:15:17 ike 0:Phase_0:72180: add route 90.117.20.5/255.255.255.255 oif Phase_0(89) metric 15 priority 0
Line 138: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: tunnel 1 of VDOM limit 0/0
Line 139: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: add IPsec SA: SPIs=aad72fdd/d68042ca
Line 140: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: IPsec SA dec spi aad72fdd key 24:8539AFF369F5A7058540334233D1DAB9138CA568A599D51D auth 20:92A6068832BE9E8474E4BF4FDA8E96C0C15D2AD7
Line 141: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: IPsec SA enc spi d68042ca key 24:ACF71FC61D98F3563F73BEC91E072ECA98B85D72DCA0F587 auth 20:017797869CF8C53529EBDECB1A1CFE924040C2A0
Line 142: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: transport mode encapsulation is enabled
Line 143: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: added IPsec SA: SPIs=aad72fdd/d68042ca
Line 144: 2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: sending SNMP tunnel UP trap
Line 145: 2014-11-05 12:15:17 ike 0:Phase_0:2624: enc 7552098ED5D761DC444E8472B6C4B13408102001E9AF5E8E000000A001000018608EAC5D2DF6C3FAF51720FC773FA4BE81A12A560A00004000000001000000010000003401030401AAD72FDD0000002802030000800100010002000400000E1080010002000200040003D090800400028005000205000014C0E2994D1A8ABEFACE33D88AAB998A2C0500000C011106A55A7514050000000C011106A559E1E88C
Line 146: 2014-11-05 12:15:17 ike 0:Phase_0:2624: out 7552098ED5D761DC444E8472B6C4B13408102001E9AF5E8E000000A40407BF7E122DAF4DC0B416E488895FAF9D98262019404A998158410357AE4E60F173A071142B2F43A4A3FFC7E342F36130F9BDF0082EC4951956D47C7250E3B93E96B320DC3152424D99C258FC819E80906EFB327EAC67053C35910CC8F41267E7590256201A23DF37EDB30127CE7DF64408ABFAB7964632F0809157D45873F9645A1878A3FE4C6C
Line 147: 2014-11-05 12:15:17 ike 0:Phase_0:2624: sent IKE msg (quick_r1send): 89.225.232.140:500->90.117.20.5:500, len=164, id=7552098ed5d761dc/444e8472b6c4b134:e9af5e8e
Line 151: 2014-11-05 12:15:17 ike 0:Phase_0:2624: dec 7552098ED5D761DC444E8472B6C4B13408102001E9AF5E8E0000003400000018276634D36900C33AE5A56ECFCAF52CD3C2FC8916
Line 152: 2014-11-05 12:15:17 ike 0:Phase_0:Phase_P2:72180: send SA_DONE SPI 0xd68042ca
Line 177: 2014-11-05 12:15:53 ike 0:Phase_0:2624: dec 7552098ED5D761DC444E8472B6C4B1340810050141FE42EC000000440C000018AA28FE7E2FECC0EA856BB61B131FC517DC52C302000000100000000103040001D68042CA
Line 178: 2014-11-05 12:15:53 ike 0:Phase_0:2624: recv IPsec SA delete, spi count 1
Line 179: 2014-11-05 12:15:53 ike 0:Phase_0: deleting IPsec SA with SPI d68042ca
Line 180: 2014-11-05 12:15:53 ike 0:Phase_0:Phase_P2: deleted IPsec SA with SPI d68042ca, SA count: 0
Line 181: 2014-11-05 12:15:53 ike 0:Phase_0: sending SNMP tunnel DOWN trap for Phase_P2
Line 182: 2014-11-05 12:15:53 ike 0:Phase_0:72180: del route 90.117.20.5/255.255.255.255 oif Phase_0(89) metric 15 priority 0
Line 183: 2014-11-05 12:15:53 ike 0:Phase_0:Phase_P2: delete
Line 187: 2014-11-05 12:15:53 ike 0:Phase_0:2624: dec 7552098ED5D761DC444E8472B6C4B134081005017604C14B000000540C0000185783B2C10A68133828C145BD326AE28E063C0B130000001C00000001011000017552098ED5D761DC444E8472B6C4B13400000000
Line 188: 2014-11-05 12:15:53 ike 0:Phase_0:2624: recv ISAKMP SA delete 7552098ed5d761dc/444e8472b6c4b134
Line 189: 2014-11-05 12:15:53 ike 0:Phase_0: deleting
Line 190: 2014-11-05 12:15:53 ike 0:Phase_0: flushing
Line 191: 2014-11-05 12:15:53 ike 0:Phase_0: sending SNMP tunnel DOWN trap
Line 192: 2014-11-05 12:15:53 ike 0:Phase_0: flushed
Line 193: 2014-11-05 12:15:53 ike 0:Phase_0: delete dynamic
Line 195: 2014-11-05 12:15:53 ike 0:Phase_0: deleted
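
A quick check of the proposals in the tunnel definition posted above, as an added example rather than anything from the thread or from Fortinet. It is a minimal reader for the FortiOS config/edit/set/next/end syntax (flat blocks only; nested config sub-blocks inside an edit are not handled) plus a linter that flags 3DES, MD5, small MODP groups and disabled PFS. The weak-algorithm lists and the "hardened" variant are my own assumptions, not vendor guidance. One caveat that the post's own debug log makes visible: the incoming phase 2 proposal from the Windows client (debug lines 113 to 121) offers only ESP_3DES with MD5 or SHA1, and the negotiation result was ESP_3DES/SHA1, so removing 3DES from this tunnel would break that client until it is reconfigured. Read the "incoming proposal" section of the debug before tightening a live tunnel.

```python
import shlex

# Phase 1 / phase 2 definitions copied from the original post (constructed sample input).
POSTED = """\
config vpn ipsec phase1-interface
    edit "Phase"
        set type dynamic
        set interface "wan2"
        set keylife 28800
        set proposal 3des-sha1 aes256-md5 aes192-sha1
        set dhgrp 2
        set psksecret xxxxxxxxxxxxxxxx
    next
end
config vpn ipsec phase2-interface
    edit "Phase_P2"
        set phase1name "Phase"
        set proposal 3des-sha1 aes256-md5 aes192-sha1
        set pfs disable
        set keylife-type both
        set encapsulation transport-mode
        set dhcp-ipsec enable
        set keylifeseconds 3600
        set keylifekbs 250000
    next
end
"""

# Assumed hardened variant of the same tunnel (my choice, not from the post):
# AES with SHA-256, MODP-2048 (group 14), PFS on. See the lead-in caveat about the client.
HARDENED = """\
config vpn ipsec phase1-interface
    edit "Phase"
        set type dynamic
        set proposal aes256-sha256 aes128-sha256
        set dhgrp 14
    next
end
config vpn ipsec phase2-interface
    edit "Phase_P2"
        set phase1name "Phase"
        set proposal aes256-sha256 aes128-sha256
        set pfs enable
        set dhgrp 14
        set encapsulation transport-mode
    next
end
"""

WEAK_ENC = {"des", "3des", "null"}   # 64-bit block ciphers and no encryption
WEAK_HASH = {"md5"}                  # integrity algorithms to retire
WEAK_DH = {"1", "2", "5"}            # MODP-768/1024/1536


def parse_fortios(text):
    """Read flat config/edit/set/next/end blocks into {(section, entry): {key: [values]}}."""
    cfg, section, entry = {}, None, None
    for raw in text.splitlines():
        words = shlex.split(raw)          # handles quoted names such as edit "Phase_P2"
        if not words:
            continue
        kw = words[0]
        if kw == "config":
            section = " ".join(words[1:])
        elif kw == "edit":
            entry = words[1]
            cfg.setdefault((section, entry), {})
        elif kw == "set":
            cfg[(section, entry)][words[1]] = words[2:]
        elif kw == "next":
            entry = None
        elif kw == "end":
            section = None
    return cfg


def lint_ipsec(cfg):
    """Return one finding string per weak setting found in the phase 1 / phase 2 entries."""
    findings = []
    for (section, name), attrs in cfg.items():
        where = f"{section} {name}"
        for prop in attrs.get("proposal", []):
            enc, _, integ = prop.partition("-")   # FortiOS spells proposals as <enc>-<hash>
            if enc in WEAK_ENC:
                findings.append(f"{where}: proposal {prop} uses {enc.upper()} encryption")
            if integ in WEAK_HASH:
                findings.append(f"{where}: proposal {prop} uses MD5 integrity")
        for grp in attrs.get("dhgrp", []):
            if grp in WEAK_DH:
                findings.append(f"{where}: DH group {grp} is a small MODP group")
        if attrs.get("pfs") == ["disable"]:
            findings.append(f"{where}: PFS disabled, phase 2 keys depend entirely on the phase 1 SA")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("hardened", HARDENED)):
        findings = lint_ipsec(parse_fortios(text))
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run as-is it reports six findings for the posted tunnel (3DES and MD5 in both phases, DH group 2, PFS off) and none for the hardened variant. Paste `show vpn ipsec phase1-interface` / `show vpn ipsec phase2-interface` output into POSTED to lint a real box.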

8 REPLIES
emnoc
Esteemed Contributor III

I'm guessing you are using the Windows 7 L2TP/IPsec client? So how are you authenticating the user? I have never seen an L2TP/IPsec setup without authentication parameters.

 

Did you follow the Fortinet VPN guide, mainly the L2TP/IPsec section?

 

 

I'm sharing one of my L2TP/IPsec posts:

http://socpuppet.blogspot.com/2013/02/l2tp-setup-fortigate-200b-mr3p12.html

 

The above is a working L2TP/IPsec VPN setup for Windows/macOS/Android devices.

PCNSE NSE StrongSwan
mazu74
New Contributor

Yes, I'm using the Windows 7 L2TP/IPsec client.

 

Did you follow the Fortinet VPN guide, mainly the L2TP/IPsec section?

Yes, "FortiOS Handbook: IPsec VPN for FortiOS 5.2", page 187! But that section talks about VPN in tunnel mode, not interface mode. I need interface mode because I want to use DHCP relay (DHCP server on my LAN).

 

Your L2TP/IPsec post talks about VPN in tunnel mode, and when I try it, it works.

 

I have never seen an L2TP/IPsec setup without authentication parameters

What do you mean? Is it in the debug log?

 

Is it possible to use DHCP in tunnel mode?

 

My objective: the same IP for VPN clients, with reservations on my LAN DHCP server.

 

Thanks

emnoc
Esteemed Contributor III

I'll have to read your reference page, but I've never done this using DHCP, nor without any client defined as a local or remote user authenticated by, let's say, RADIUS.

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Rewanta_FTNT
Staff

Hi,

 

Reading the debug, 'Line 178: 2014-11-05 12:15:53 ike 0:Phase_0:2624: recv IPsec SA delete, spi count 1' is the issue, and it comes from the Windows VPN client. This debug line confirms that the VPN client deleted the tunnel during, or immediately after, the negotiation.

 

You can use DHCP in tunnel mode; however, Windows must send the DHCP request over the IPsec tunnel after phase 2 comes up.

 

You can try the FortiClient IPsec VPN, which should work flawlessly.

 

HTH
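
The reading Rewanta_FTNT gives above (the tunnel came up, then the peer rather than the FortiGate sent the delete) can be mechanised. The following is an added example, not code from the thread or from Fortinet: it walks lines of `diag debug app ike -1` output, records how far the negotiation got, and reports who tore the tunnel down and how long the IPsec SA lived. The sample input is constructed from the original post's log with the hex dumps and repeated lines removed; the verdict strings are my own wording. One caveat worth keeping in mind when sharing such output: `ike -1` prints the negotiated ISAKMP and ESP keys in clear (debug lines 57, 140 and 141 of the post), so treat the capture as sensitive.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the "diag debug app ike -1" output in the original post
# (same timestamps, cookies and SPIs; hex payload dumps and repeated lines left out).
SAMPLE_LOG = """\
2014-11-05 12:15:12 ike 0:7552098ed5d761dc/0000000000000000:2624: SA proposal chosen, matched gateway Phase
2014-11-05 12:15:16 ike 0:Phase:2624: peer identifier IPV4_ADDR 90.117.20.5
2014-11-05 12:15:16 ike 0:Phase:2624: PSK authentication succeeded
2014-11-05 12:15:16 ike 0:Phase:2624: established IKE SA 7552098ed5d761dc/444e8472b6c4b134
2014-11-05 12:15:17 ike 0:Phase_0:2624:72180: peer proposal is: peer:17:90.117.20.5-90.117.20.5:1701, me:17:89.225.232.140-89.225.232.140:1701
2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: using transport mode.
2014-11-05 12:15:17 ike 0:Phase_0:2624:Phase_P2:72180: added IPsec SA: SPIs=aad72fdd/d68042ca
2014-11-05 12:15:53 ike 0:Phase_0:2624: recv IPsec SA delete, spi count 1
2014-11-05 12:15:53 ike 0:Phase_0:Phase_P2: deleted IPsec SA with SPI d68042ca, SA count: 0
2014-11-05 12:15:53 ike 0:Phase_0:2624: recv ISAKMP SA delete 7552098ed5d761dc/444e8472b6c4b134
"""

# Optional "Line N: " prefix (as in the forum paste), timestamp, "ike <tag>", then the message.
LINE_RE = re.compile(r"^(?:Line \d+: )?(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ike \S+ (.*)$")
PEER_RE = re.compile(r"peer proposal is: peer:(\d+):([\d.]+)-[\d.]+:(\d+)")
SPI_RE = re.compile(r"added IPsec SA: SPIs=([0-9a-f]+)/([0-9a-f]+)")


def parse_lines(log):
    """Yield (timestamp, message) for every ike debug line; other lines are ignored."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)


def verdict(r):
    if not r["phase1"]:
        return "phase 1 never established: check proposals, DH group and PSK (IKE problem)"
    if r["spis"] is None:
        return "phase 1 up but no IPsec SA: check phase 2 proposals, selectors and encapsulation"
    if r["peer_deleted"]:
        return (f"IPsec SA was up for {r['up_seconds']} s, then the peer sent the delete: "
                "IKE/IPsec is fine, look at the layer on top (L2TP/PPP auth, address assignment, DHCP) on the client")
    return "IPsec SA up and not torn down by the peer"


def triage(log):
    """Walk one negotiation and report how far it got and who tore it down."""
    r = {"peer_ip": None, "auth": False, "phase1": False, "l2tp": False,
         "transport": False, "spis": None, "peer_deleted": False, "up_seconds": None}
    sa_up_at = None
    for ts, msg in parse_lines(log):
        peer, spi = PEER_RE.search(msg), SPI_RE.search(msg)
        if msg.startswith("peer identifier IPV4_ADDR"):
            r["peer_ip"] = msg.rsplit(" ", 1)[1]
        elif "authentication succeeded" in msg:
            r["auth"] = True
        elif msg.startswith("established IKE SA"):
            r["phase1"] = True
        elif peer:
            # L2TP/IPsec shows up as a UDP/1701 selector from the client
            r["l2tp"] = peer.group(1) == "17" and peer.group(3) == "1701"
        elif msg.startswith("using transport mode"):
            r["transport"] = True
        elif spi:
            r["spis"] = (spi.group(1), spi.group(2))
            sa_up_at = ts
        elif msg.startswith(("recv IPsec SA delete", "recv ISAKMP SA delete")):
            # "recv ... delete" means the delete notification came from the peer, not from us
            r["peer_deleted"] = True
            if sa_up_at is not None and r["up_seconds"] is None:
                r["up_seconds"] = int((ts - sa_up_at).total_seconds())
    r["verdict"] = verdict(r)
    return r


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key:13}: {value}")
```

On the post's log this reports phase 1 and phase 2 complete, an L2TP (UDP/1701, transport mode) selector, and an IPsec SA that lived 36 seconds before the client deleted it, which is exactly the situation where the next step is the client side (L2TP/PPP or the address assignment), not the IKE configuration. Feed it the raw `diag debug app ike -1` output after `diag vpn ike log-filter dst-addr4 <client-ip>` to keep one client's negotiation in view.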

emnoc
Esteemed Contributor III

ipsec sa,

 

Do you know if iOS, Android or macOS support DHCP requests over an L2TP/IPsec tunnel interface?

PCNSE NSE StrongSwan
mazu74
New Contributor

I stopped using the Windows 7 L2TP/IPsec client.

I started with FortiClient.

It works fine on Windows XP with DHCP relay.

But it doesn't work on any Windows 7 (same for Windows 8.1) with the same parameters. No message on the client, it just shows "Connecting..."

 

It shows "Wrong credentials" if I enter a bad password.

In the GUI my tunnel comes up in the "IPsec Monitor"???

In the FortiClient log I notice "vpntunnel=VPN Failed to acquire an IP address".

What is the difference between XP and 7? Change a key in regedit?

 

Thanks

Rewanta_FTNT
Staff

Hi, 

 

AFAIK the Android and iPhone IPsec clients don't have the DHCP option; instead they use the 'mode-cfg' RFC standard implementation.

 

If Windows 7 can't connect using FortiClient, it's better to take the 'ike -1' debug output:

diag debug app ike -1

diag vpn ike log-filter dst-addr4 <client-ip>

diag debug enable

 

TNX.

mazu74
New Contributor

With FortiClient it is OK! This was due to my internal DHCP server. All IPs available in the address range are reserved for specific MAC addresses. Why? Because I don't want guest computers to be able to obtain an IP on our LAN.

I removed one IP reservation and my VPN client could connect with FortiClient.

It's because my test was run with a USB 3G internet key (country = France), and the DHCP reservation for the Ethernet card's MAC address doesn't apply here. Thanks
