Site 2 Site VPN is not bringing up

Author
asif.janjua88
New Member
2019/01/09 22:40:33


Hi All, 
We have created a site-to-site VPN from a FortiGate to a pfSense firewall. I have checked and verified that all configurations match each other (IKE mode, pre-shared key, etc.). I have generated the logs given below. Can someone please look into the logs and let me know what the issue could be?
 
ike 0:Diag: IPsec SA connect 3 10.11.11.5->CustomerIP:500 negotiating
ike 0:Diag: no suitable ISAKMP SA, queuing quick-mode request and initiating ISAKMP SA negotiation
ike 0:Diag:233372: initiator: main mode is sending 1st message...
ike 0:Diag:233372: cookie 360c9faddebb34af/0000000000000000
ike 0:Diag:233372: out
ike 0:Diag:233372: sent IKE msg (ident_i1send): 10.11.11.5:500->CustomerIP:500, len=292, id=360c9faddebb34af/0000000000000000
ike 0: comes CustomerIP:500->10.11.11.5:500,ifindex=3....
ike 0: IKEv1 exchange=Identity Protection id=360c9faddebb34af/5a0489a8af1142b7 len=164
ike 0: in 360C9FADDEBB34AF5A0489A8AF1142B70110020000000000000000A40D00003C00000001000000010000003001010001000000280101000080010007800E0100800200028004000280030001800B0001000C0004000151800D00000C09002689DFD6B7120D000014AFCAD71368A1F1C96B8696FC775701000D0000184048B7D56EBCE88525E7DE7F00D6C2D380000000000000144A131C81070358455C5728F20E95452F
ike 0:Diag:233372: initiator: main mode get 1st response...
ike 0:Diag:233372: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
ike 0:Diag:233372: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:Diag:233372: DPD negotiated
ike 0:Diag:233372: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000
ike 0:Diag:233372: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:Diag:233372: selected NAT-T version: RFC 3947
ike 0:Diag:233372: negotiation result
ike 0:Diag:233372: proposal id = 1:
ike 0:Diag:233372: protocol id = ISAKMP:
ike 0:Diag:233372: trans_id = KEY_IKE.
ike 0:Diag:233372: encapsulation = IKE/none
ike 0:Diag:233372: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:Diag:233372: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:Diag:233372: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:Diag:233372: type=OAKLEY_GROUP, val=MODP1024.
ike 0:Diag:233372: ISAKMP SA lifetime=86400
ike 0:Diag:233372: out 360C9FADDEBB34AF5A0489A8AF1142B70410020000000000000000E40A000084C13C89A8CF03D04F0295C43DCAC04EAE35C140DE3B065C1813FC611D8C72DA60BFDE3F9A2614EFBBFDA09D295FA49EC6ED6D63B2690D5453D58870C3816DD30469899354B5250BD4C08293D97288DDF438212A84356EE31F40F2F6DE9D416A784B39F474F039DC7D0A91929EB7E340D144F4646651A4082C79D9A13D0EA3547614000014E6A5C59BB4B3759FB1F952DFB47DD859140000187F06B9117DCC631A384A9ED21B978D94DB9F1D080000001893A708E3C8FCE4A81AD8F7866DB9CB6E209C6B51
ike 0:Diag:233372: sent IKE msg (ident_i2send): 10.11.11.5:500->CustomerIP:500, len=228, id=360c9faddebb34af/5a0489a8af1142b7
ike 0: comes CustomerIP:500->10.11.11.5:500,ifindex=3....
ike 0: IKEv1 exchange=Identity Protection id=360c9faddebb34af/5a0489a8af1142b7 len=244
ike 0: in 360C9FADDEBB34AF5A0489A8AF1142B70410020000000000000000F40A0000841FD82A379294E7407FFB34E0EF613B088264D42B804A3E32938520D52F0372C26081E6194F455388B61FF206ABFFE2B74A99551D1A02092DF6113A361FC1BF257F8DA88203D882484EC7E28CF120010BAE033D6817F48A5A8C06FB8ED5D1A8E9CB593F994779B014F6C1F7DFCA3BF96868A423B2AAEE6A4BF6F6178D55CA36A214000024331799E40B1D794C245CB4403F438884016172BDED56F52B23782DE962D1254C14000018C549D2A8AAF64CCD150541A0A386108E5CA226B0000000187F06B9117DCC631A384A9ED21B978D94DB9F1D08
ike 0:Diag:233372: initiator: main mode get 2nd response...
ike 0:Diag:233372: received NAT-D payload type 20
ike 0:Diag:233372: received NAT-D payload type 20
ike 0:Diag:233372: NAT detected: ME
ike 0:Diag:233372: NAT-T float port 4500
ike 0:Diag:233372: ISAKMP SA 360c9faddebb34af/5a0489a8af1142b7 key 32:537547271D063F604DA55A9B82A46FCC4D0A0B259544B72F3B88F5129531CDD5
ike 0:Diag:233372: add INITIAL-CONTACT
ike 0:Diag:233372: enc 360C9FADDEBB34AF5A0489A8AF1142B705100201000000000000005C0800000C010000000A0B0B050B00001893B2E85FB488E9E1BB4CD05CFBE119FDAA632D2D0000001C0000000101106002360C9FADDEBB34AF5A0489A8AF1142B7
ike 0:Diag:233372: out 360C9FADDEBB34AF5A0489A8AF1142B705100201000000000000006C71A3E259B2E8233E28BD1D53B361ABE5AB5D70461B66865E991433C4843E8E667120F95FC8598056D16D3AA0A3C1828453A0A7BE742144513615CE94DC26EE0FE628CB92D5724D099F550DA2E6BB5408
ike 0:Diag:233372: sent IKE msg (ident_i3send): 10.11.11.5:4500->CustomerIP:4500, len=108, id=360c9faddebb34af/5a0489a8af1142b7
ike 0: comes CustomerIP:4500->10.11.11.5:4500,ifindex=3....
ike 0: IKEv1 exchange=Informational id=360c9faddebb34af/5a0489a8af1142b7:c693f99f len=92
ike 0: in 360C9FADDEBB34AF5A0489A8AF1142B708100501C693F99F0000005C8F95DE79D6FDCF143D9CCC3BD04D1A0E6FDC24EDD9B713656C0ED57CF37E5060CA0D60F78453FC5455C5FC8D148C47E84FDA0136C7EE6FE8472B62E672B4D113
ike 0:Diag:233372: dec 360C9FADDEBB34AF5A0489A8AF1142B708100501C693F99F0000005C0B000018C37029997A5CE4ABCD4D5D842A7B67FCEC7790320000001C0000000101100018360C9FADDEBB34AF5A0489A8AF1142B7000000000000000000000000
 
ike 0:Diag:232993: negotiation timeout, deleting
ike 0:Diag: connection expiring due to phase1 down
ike 0:Diag: deleting
ike 0:Diag: deleted
ike 0:Diag: schedule auto-negotiate
#1
Toshi Esumi
Expert Member
Re: Site 2 Site VPN is not bringing up 2019/01/10 08:54:35
It's saying it successfully exchanged the initial IKE exchange with the other end on port 500 and changed the port to 4500 due to NAT-T. But it can't get any response from the other end on port 4500. Check the same on the other end, and if the other end is not receiving the third packet on port 4500, something in between is likely blocking it.
#2
asif.janjua88
New Member
Re: Site 2 Site VPN is not bringing up 2019/01/16 02:10:39
Hi, 
 
Thanks for your comment and for looking into this case. I have resolved the case by looking into the pfSense logs. Actually the FortiGate is deployed in AWS. AWS maps the public IP to the NIC on which the private IP is already assigned, so on the FortiGate WAN interface the private IP is assigned and I have allocated the public IP to it. 
 
In pfSense, I had defined the peer identifier as the peer IP address, but when pfSense received the peer identifier it was the private IP of the WAN interface. So it was giving the error IDR "Private IP (like 10.11.11.5)" does not match with "Public IP (the elastic IP which was assigned)". 
 
I changed the peer identifier to the private IP of the WAN interface and the VPN came up. I have also attached the screenshot below. 
 
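An added example, not code from the thread: a small Python decoder for the FortiGate "enc"/"dec" hex lines quoted above. It walks the ISAKMP payload chain and names the payloads per RFC 2408 and RFC 2407, so it shows the identity (IDi) the FortiGate put in its third main-mode message and the notification pfSense returned in the encrypted informational message on port 4500. The two hex strings are copied from the log; the payload and notify names are the RFC ones, not the thread's.

```python
import struct
import ipaddress

# Names from RFC 2408 (ISAKMP) and RFC 2407 (IPsec DOI); only the subset seen here.
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 11: "N", 13: "VID", 20: "NAT-D"}
NOTIFY_NAMES = {14: "NO-PROPOSAL-CHOSEN", 16: "PAYLOAD-MALFORMED", 18: "INVALID-ID-INFORMATION",
                23: "INVALID-HASH-INFORMATION", 24: "AUTHENTICATION-FAILED", 24578: "INITIAL-CONTACT"}
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 11: "ID_KEY_ID"}

# Copied verbatim from the log above: decrypted 3rd main-mode message sent ("enc") and
# decrypted informational message received on port 4500 ("dec").
I3_ENC = ("360C9FADDEBB34AF5A0489A8AF1142B705100201000000000000005C0800000C010000000A0B0B05"
          "0B00001893B2E85FB488E9E1BB4CD05CFBE119FDAA632D2D0000001C0000000101106002"
          "360C9FADDEBB34AF5A0489A8AF1142B7")
INFO_DEC = ("360C9FADDEBB34AF5A0489A8AF1142B708100501C693F99F0000005C0B000018C37029997A5CE4AB"
            "CD4D5D842A7B67FCEC7790320000001C0000000101100018360C9FADDEBB34AF5A0489A8AF1142B7"
            "000000000000000000000000")

def parse_isakmp(hexdump):
    """Decode one decrypted ISAKMP message into (header dict, list of payload dicts)."""
    data = bytes.fromhex(hexdump)
    _icky, _rcky, nxt, _ver, xchg, flags, msgid, length = struct.unpack("!8s8sBBBBII", data[:28])
    header = {"exchange": xchg, "flags": flags, "msgid": msgid, "length": length}
    payloads, off = [], 28
    while nxt != 0 and off + 4 <= length:        # follow the generic next-payload chain
        nxt2, _, plen = struct.unpack("!BBH", data[off:off + 4])
        body = data[off + 4:off + plen]
        p = {"type": PAYLOAD_NAMES.get(nxt, str(nxt))}
        if nxt == 5:     # Identification: ID type, protocol, port, then identification data
            idtype = body[0]
            p["id_type"] = ID_TYPES.get(idtype, str(idtype))
            p["id"] = str(ipaddress.IPv4Address(body[4:8])) if idtype == 1 else body[4:].hex()
        elif nxt == 11:  # Notification: DOI, protocol, SPI size, notify type, then SPI
            _doi, _proto, spisz, ntype = struct.unpack("!IBBH", body[:8])
            p["notify"] = NOTIFY_NAMES.get(ntype, str(ntype))
            p["spi"] = body[8:8 + spisz].hex()
        payloads.append(p)
        nxt, off = nxt2, off + plen
    return header, payloads

def diagnose(enc_hex, dec_hex):
    """Pair the identity the initiator sent with the notification the responder returned."""
    _, sent = parse_isakmp(enc_hex)
    _, got = parse_isakmp(dec_hex)
    idi = next(p["id"] for p in sent if p["type"] == "ID")
    notify = next(p["notify"] for p in got if p["type"] == "N")
    return idi, notify

if __name__ == "__main__":
    print("IDi sent = %s; peer replied with notify %s" % diagnose(I3_ENC, INFO_DEC))
```

On these two messages the decoder reports IDi 10.11.11.5 (the private WAN address) and notify type 24, AUTHENTICATION-FAILED, which is consistent with the identity mismatch described in the final post and is readable from the FortiGate side alone.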