- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Site 2 Site VPN is not bringing up
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Site 2 Site VPN is not bringing up
Hi All,
We have created a site 2 site VPN from Fortigate to PFsense firewall. I have checked and verified that all configurations are matched with each other like IKE mode , preshared key etc. I have generated the given below logs. Can someone please look into the logs and let me know what could be the issue.
ike 0:Diag: IPsec SA connect 3 10.11.11.5->CustomerIP:500 negotiating ike 0:Diag: no suitable ISAKMP SA, queuing quick-mode request and initiating ISAKMP SA negotiation ike 0:Diag:233372: initiator: main mode is sending 1st message... ike 0:Diag:233372: cookie 360c9faddebb34af/0000000000000000 ike 0:Diag:233372: out 360C9FADDEBB34AF00000000000000000110020000000000000001240D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E01008003000180020002800400020D0000144A131C81070358455C5728F20E95452F0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000 ike 0:Diag:233372: sent IKE msg (ident_i1send): 10.11.11.5:500->CustomerIP:500, len=292, id=360c9faddebb34af/0000000000000000 ike 0: comes CustomerIP:500->10.11.11.5:500,ifindex=3.... ike 0: IKEv1 exchange=Identity Protection id=360c9faddebb34af/5a0489a8af1142b7 len=164 ike 0: in 360C9FADDEBB34AF5A0489A8AF1142B70110020000000000000000A40D00003C00000001000000010000003001010001000000280101000080010007800E0100800200028004000280030001800B0001000C0004000151800D00000C09002689DFD6B7120D000014AFCAD71368A1F1C96B8696FC775701000D0000184048B7D56EBCE88525E7DE7F00D6C2D380000000000000144A131C81070358455C5728F20E95452F ike 0:Diag:233372: initiator: main mode get 1st response... ike 0:Diag:233372: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712 ike 0:Diag:233372: VID DPD AFCAD71368A1F1C96B8696FC77570100 ike 0:Diag:233372: DPD negotiated ike 0:Diag:233372: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000 ike 0:Diag:233372: VID RFC 3947 4A131C81070358455C5728F20E95452F ike 0:Diag:233372: selected NAT-T version: RFC 3947 ike 0:Diag:233372: negotiation result ike 0:Diag:233372: proposal id = 1: ike 0:Diag:233372: protocol id = ISAKMP: ike 0:Diag:233372: trans_id = KEY_IKE. ike 0:Diag:233372: encapsulation = IKE/none ike 0:Diag:233372: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256 ike 0:Diag:233372: type=OAKLEY_HASH_ALG, val=SHA. ike 0:Diag:233372: type=AUTH_METHOD, val=PRESHARED_KEY. ike 0:Diag:233372: type=OAKLEY_GROUP, val=MODP1024. ike 0:Diag:233372: ISAKMP SA lifetime=86400 ike 0:Diag:233372: out 360C9FADDEBB34AF5A0489A8AF1142B70410020000000000000000E40A000084C13C89A8CF03D04F0295C43DCAC04EAE35C140DE3B065C1813FC611D8C72DA60BFDE3F9A2614EFBBFDA09D295FA49EC6ED6D63B2690D5453D58870C3816DD30469899354B5250BD4C08293D97288DDF438212A84356EE31F40F2F6DE9D416A784B39F474F039DC7D0A91929EB7E340D144F4646651A4082C79D9A13D0EA3547614000014E6A5C59BB4B3759FB1F952DFB47DD859140000187F06B9117DCC631A384A9ED21B978D94DB9F1D080000001893A708E3C8FCE4A81AD8F7866DB9CB6E209C6B51 ike 0:Diag:233372: sent IKE msg (ident_i2send): 10.11.11.5:500->CustomerIP:500, len=228, id=360c9faddebb34af/5a0489a8af1142b7 ike 0: comes CustomerIP:500->10.11.11.5:500,ifindex=3.... ike 0: IKEv1 exchange=Identity Protection id=360c9faddebb34af/5a0489a8af1142b7 len=244 ike 0: in 360C9FADDEBB34AF5A0489A8AF1142B70410020000000000000000F40A0000841FD82A379294E7407FFB34E0EF613B088264D42B804A3E32938520D52F0372C26081E6194F455388B61FF206ABFFE2B74A99551D1A02092DF6113A361FC1BF257F8DA88203D882484EC7E28CF120010BAE033D6817F48A5A8C06FB8ED5D1A8E9CB593F994779B014F6C1F7DFCA3BF96868A423B2AAEE6A4BF6F6178D55CA36A214000024331799E40B1D794C245CB4403F438884016172BDED56F52B23782DE962D1254C14000018C549D2A8AAF64CCD150541A0A386108E5CA226B0000000187F06B9117DCC631A384A9ED21B978D94DB9F1D08 ike 0:Diag:233372: initiator: main mode get 2nd response... ike 0:Diag:233372: received NAT-D payload type 20 ike 0:Diag:233372: received NAT-D payload type 20 ike 0:Diag:233372: NAT detected: ME ike 0:Diag:233372: NAT-T float port 4500 ike 0:Diag:233372: ISAKMP SA 360c9faddebb34af/5a0489a8af1142b7 key 32:537547271D063F604DA55A9B82A46FCC4D0A0B259544B72F3B88F5129531CDD5 ike 0:Diag:233372: add INITIAL-CONTACT ike 0:Diag:233372: enc 360C9FADDEBB34AF5A0489A8AF1142B705100201000000000000005C0800000C010000000A0B0B050B00001893B2E85FB488E9E1BB4CD05CFBE119FDAA632D2D0000001C0000000101106002360C9FADDEBB34AF5A0489A8AF1142B7 ike 0:Diag:233372: out 360C9FADDEBB34AF5A0489A8AF1142B705100201000000000000006C71A3E259B2E8233E28BD1D53B361ABE5AB5D70461B66865E991433C4843E8E667120F95FC8598056D16D3AA0A3C1828453A0A7BE742144513615CE94DC26EE0FE628CB92D5724D099F550DA2E6BB5408 ike 0:Diag:233372: sent IKE msg (ident_i3send): 10.11.11.5:4500->CustomerIP:4500, len=108, id=360c9faddebb34af/5a0489a8af1142b7 ike 0: comes CustomerIP:4500->10.11.11.5:4500,ifindex=3.... ike 0: IKEv1 exchange=Informational id=360c9faddebb34af/5a0489a8af1142b7:c693f99f len=92 ike 0: in 360C9FADDEBB34AF5A0489A8AF1142B708100501C693F99F0000005C8F95DE79D6FDCF143D9CCC3BD04D1A0E6FDC24EDD9B713656C0ED57CF37E5060CA0D60F78453FC5455C5FC8D148C47E84FDA0136C7EE6FE8472B62E672B4D113 ike 0:Diag:233372: dec 360C9FADDEBB34AF5A0489A8AF1142B708100501C693F99F0000005C0B000018C37029997A5CE4ABCD4D5D842A7B67FCEC7790320000001C0000000101100018360C9FADDEBB34AF5A0489A8AF1142B7000000000000000000000000
ike 0:Diag:232993: negotiation timeout, deleting ike 0:Diag: connection expiring due to phase1 down ike 0:Diag: deleting ike 0:Diag: deleted ike 0:Diag: schedule auto-negotiate
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's saying it successfully exchanged the initial IKE exchange with the other end on port 500 and changed the port to 4500 due to NAT-T. But it can't get any response from the other end on port 4500. Check the same on the other end and if the other end is not receiving the third packet on port 4500, something inbetween is likely blocking it.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thanks for your comment and looking into this case. I have resolved the case by looking into the pfsense logs. Actually the FortiGate is deployed in AWS. As AWS Mapped the public IP against NIC on which private IP is already assigned. So on FortiGate WAN interface private IP is assigned and I have allocate the Public IP on it.
In pfsense, I had defined the peer identifier as peer IP address but when pfsense receive the peer identifier it was private IP of WAN interface. So it was giving the error IDR "Private IP (like 10.11.11.5") does not match with ( Pubic IP "The elastic IP which was assigned)".
I had changed the peer identifier to private IP of WAN interface and VPN comes UP. I have also attached the screenshot below as well.
Related Posts
- How to upgrade WAN bandwidth 67 Views
- IPSec tunnel error : no SA... 145 Views
- Does anyone know a tool/site to... 96 Views
- When connecting VPN from FortiClient getting... 173 Views
- Site to Site VPN to 2... 188 Views
Labels
-
FortiGate
6,527 -
FortiClient
1,303 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
59 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.