Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
DanieZ
New Contributor

Created on ‎02-12-2019 07:25 AM

Fortigate 60E Windows VPN l2tp issue

 Hi.

 

I have a trouble with VPN l2TP after upgrade from 5.6.2 to 6.0.3 version.

When windows try connect to VPN? take error 809.Debug is attached.

Before upgrade all works fine.

Anybody have same issue.

 

FGT60E4Q16093099 # diag debug  enableike 0: comes 192.168.12.111:500->212.90.168.229:500,ifindex=23.... ike 0: IKEv1 exchange=Identity Protection id=f612387e13ca40e3/0000000000000000 len=408 ike 0: in F612387E13CA40E300000000000000000110020000000000000001980D0000D40000000100000001000000C801010005030000280101000080010007800E0100800200028004001480030001800B0001000C000400007080030000280201000080010007800E0080800200028004001380030001800B0001000C000400007080030000280301000080010007800E0100800200028004000E80030001800B0001000C000400007080030000240401000080010005800200028004000E80030001800B0001000C000400007080000000240501000080010005800200028004000280030001800B0001000C0004000070800D00001801528BBBC00696121849AB9A1C5B2A51000000010D0000181E2B516905991C7D7C96FCBFB587E461000000090D0000144A131C81070358455C5728F20E95452F0D00001490CB80913EBB696E086381B5EC427B1F0D0000144048B7D56EBCE88525E7DE7F00D6C2D30D000014FB1DE3CDF341B7EA16B7E5BE0855F1200D00001426244D38EDDB61B3172A36E3D0CFB81900000014E3A5966A76379FE707228231E5CE8652 ike 0:f612387e13ca40e3/0000000000000000:99: responder: main mode get 1st message... ike 0:f612387e13ca40e3/0000000000000000:99: VID unknown (20): 01528BBBC00696121849AB9A1C5B2A5100000001 ike 0:f612387e13ca40e3/0000000000000000:99: VID MS NT5 ISAKMPOAKLEY 1E2B516905991C7D7C96FCBFB587E46100000009 ike 0:f612387e13ca40e3/0000000000000000:99: VID RFC 3947 4A131C81070358455C5728F20E95452F ike 0:f612387e13ca40e3/0000000000000000:99: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F ike 0:f612387e13ca40e3/0000000000000000:99: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3 ike 0:f612387e13ca40e3/0000000000000000:99: VID unknown (16): FB1DE3CDF341B7EA16B7E5BE0855F120 ike 0:f612387e13ca40e3/0000000000000000:99: VID unknown (16): 26244D38EDDB61B3172A36E3D0CFB819 ike 0:f612387e13ca40e3/0000000000000000:99: VID unknown (16): E3A5966A76379FE707228231E5CE8652 ike 0:f612387e13ca40e3/0000000000000000:99: negotiation result ike 0:f612387e13ca40e3/0000000000000000:99: proposal id = 1: ike 0:f612387e13ca40e3/0000000000000000:99:   protocol id = ISAKMP: ike 0:f612387e13ca40e3/0000000000000000:99:      trans_id = KEY_IKE. ike 0:f612387e13ca40e3/0000000000000000:99:      encapsulation = IKE/none ike 0:f612387e13ca40e3/0000000000000000:99:         type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC. ike 0:f612387e13ca40e3/0000000000000000:99:         type=OAKLEY_HASH_ALG, val=SHA. ike 0:f612387e13ca40e3/0000000000000000:99:         type=AUTH_METHOD, val=PRESHARED_KEY. ike 0:f612387e13ca40e3/0000000000000000:99:         type=OAKLEY_GROUP, val=MODP1024. ike 0:f612387e13ca40e3/0000000000000000:99: ISAKMP SA lifetime=86400 ike 0:f612387e13ca40e3/0000000000000000:99: SA proposal chosen, matched gateway Windows-VPN ike 0:Windows-VPN: created connection: 0x5379f48 23 212.90.168.229->192.168.12.111:500. ike 0:Windows-VPN: HA L3 state 1/0 ike 0:Windows-VPN:99: selected NAT-T version: RFC 3947 ike 0:Windows-VPN:99: cookie f612387e13ca40e3/ebdf1eee18880d72 ike 0:Windows-VPN:99: out F612387E13CA40E3EBDF1EEE18880D720110020000000000000000BC0D00003800000001000000010000002C01010001000000240501000080010005800200028004000280030001800B0001000C0004000070800D0000144A131C81070358455C5728F20E95452F0D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000 ike 0:Windows-VPN:99: sent IKE msg (ident_r1send): 212.90.168.229:500->192.168.12.111:500, len=188, id=f612387e13ca40e3/ebdf1eee18880d72 ike 0: comes 192.168.12.111:500->212.90.168.229:500,ifindex=23.... ike 0: IKEv1 exchange=Identity Protection id=f612387e13ca40e3/ebdf1eee18880d72 len=260 ike 0: in F612387E13CA40E3EBDF1EEE18880D720410020000000000000001040A0000847CB6C1A88D20A7150EC12F022386903A86707972299ACEC5F3A9918F4FC97C7B9BC698300CF9BA310F42BE1FCD9C04CAD71E56580448434C5830D19BFB5FF1DF42D9A92D15EED94FE0A262D7A37332B38FCD69304C90A86C23F8595E343A1F2CDC58EDCBFA4ABB2F58AB5F03EC2F7FD05B9D19C51CD33FDBFB3380EAAF7BCBD914000034803DE16B6C8188C55006730FA4CABDEB1CF9D17E5BFE0B592B076058C0F507363782AE8B2F5E38E690745A5A1F2C897814000018F1152EF767C7FACADE2495042A2273EA552CB88B00000018542EC6CB8BC0E24885AA4BB5F38F6D56F00778CA ike 0:Windows-VPN:99: responder:main mode get 2nd message... ike 0:Windows-VPN:99: received NAT-D payload type 20 ike 0:Windows-VPN:99: received NAT-D payload type 20 ike 0:Windows-VPN:99: NAT not detected ike 0:Windows-VPN:99: out F612387E13CA40E3EBDF1EEE18880D720410020000000000000000E40A00008490B7C5CB23ED9F8F1AE877C793AA98B9779ED5001F514A0C745E3711FF0326EF95D398FF0C2906BE8AFA0E61824884766142C6CC6C8BCA60652F28968BC6BB94D53134D86C2550A1A405394A623EC7EAB951D865E6DBC43E3004BE944B362244E6D0244544FAFC673FB1A5DB11FC4BBA893130DC2667711877D93C55000EEF381400001415C0A15273A2AB9F4F84BF810812E6D914000018542EC6CB8BC0E24885AA4BB5F38F6D56F00778CA00000018F1152EF767C7FACADE2495042A2273EA552CB88B ike 0:Windows-VPN:99: sent IKE msg (ident_r2send): 212.90.168.229:500->192.168.12.111:500, len=228, id=f612387e13ca40e3/ebdf1eee18880d72 ike 0:Windows-VPN:99: ISAKMP SA f612387e13ca40e3/ebdf1eee18880d72 key 24:706AA5C2F3A92C1727779FED32F1DCCFC80D5E7B0F3A9100 ike 0: comes 192.168.12.111:500->212.90.168.229:500,ifindex=23.... ike 0: IKEv1 exchange=Identity Protection id=f612387e13ca40e3/ebdf1eee18880d72 len=68 ike 0: in F612387E13CA40E3EBDF1EEE18880D72051002010000000000000044FC0487D10D2B1C9F33BE14F9E1434876AFFD5B30B19CE7DFE419CB4E72A89D44CE7ACB553125A330 ike 0:Windows-VPN:99: responder: main mode get 3rd message... ike 0:Windows-VPN:99: dec F612387E13CA40E3EBDF1EEE18880D720510020100000000000000440800000C01000000C0A80C6F000000186CEE052213A11B780844AD6ACDC45E220A54135000000000 ike 0:Windows-VPN:99: peer identifier IPV4_ADDR 192.168.12.111 ike 0:Windows-VPN:99: PSK authentication succeeded ike 0:Windows-VPN:99: authentication OK ike 0:Windows-VPN:99: enc F612387E13CA40E3EBDF1EEE18880D720510020100000000000000400800000C01000000D45AA8E500000018EF3DA3A79F0179930BB67621D37D1AC9F4DF3AA4 ike 0:Windows-VPN:99: out F612387E13CA40E3EBDF1EEE18880D720510020100000000000000444459A5C5CA93DC20429887B8B966B1248926064D33DB3B19E7268F3BF7284037FCDC2DD774B9BC3D ike 0:Windows-VPN:99: sent IKE msg (ident_r3send): 212.90.168.229:500->192.168.12.111:500, len=68, id=f612387e13ca40e3/ebdf1eee18880d72 ike 0:Windows-VPN: adding new dynamic tunnel for 192.168.12.111:500 ike 0:Windows-VPN_0: added new dynamic tunnel for 192.168.12.111:500 ike 0:Windows-VPN_0:99: established IKE SA f612387e13ca40e3/ebdf1eee18880d72 ike 0:Windows-VPN_0: DPD disabled, not negotiated ike 0:Windows-VPN: set oper up ike 0:Windows-VPN_0:99: no pending Quick-Mode negotiations ike 0:Windows-VPN: carrier up ike 0: comes 192.168.12.111:500->212.90.168.229:500,ifindex=23.... ike 0: IKEv1 exchange=Quick id=f612387e13ca40e3/ebdf1eee18880d72:00000001 len=468 ike 0: in F612387E13CA40E3EBDF1EEE18880D720810200100000001000001D420970C55385C8B9D9DCE4F6B4F1B26916FD420A0ED935EECE2BC4F52C1EC61CD36705082554CB5ACDB1A065C96667FBE7B191BDD4709C6272E3BD87AC327BFA99F53B87ACD3370B0F88BD87E99B346B127870D354A991BB74C411B1B2AB9D4AFE6EDFB99D4F0593964CDAFD3C7021982C3459D7B74EADD589DFB8E8B4E98BAE8A37349CAAD6430D3C08A914DDEB28259F9F4EAFD710D6382152B95D06C8D03AB275E4F3F3410BDFAD212539D4651927D6B3458EBCE6FBFA4278C939D1188AEA328F6DA978C7E87D2AE6FAFB3FC48F85B5D243F4491A2760DEAC87261BF374813D6ED32CCFFFDBFC065B7E1071F541D2C49E52902DD53AC6BB5530D0C934B217315164B70B6A142BB2085A001B65DA7AF720E8E107E0D47C74C18A4A8F0EE2194E54F904FAE8A29CC57349A7BF7F8A27588013B41BE741ABA7C7A73DD024433BF03C0D5986A6FFF91B90F0ED5406BAB6305D1327104C050A14E254032475E097D7D91767F7F86E1DCD500475CA86D07DC105951DB6AFFE8BAAC2158889D3D13AF9AF0E469394AF2E8DE602C23A6DA893A9D85F4E676407E30037E1A0867BC92DD9EF848209A088320F06E1BCAC574C44733338B657A26A9F6 ike 0:Windows-VPN_0:99:24178: responder received first quick-mode message ike 0:Windows-VPN_0:99: dec F612387E13CA40E3EBDF1EEE18880D720810200100000001000001D401000018F57B9D9D019102755ADB878C9870C608AC9B4D4D0A00014C000000010000000102000038010304017498E2840000002C010C0000800400028006010080050002800100010002000400000E1080010002000200040003D09002000038020304017498E2840000002C010C0000800400028006008080050002800100010002000400000E1080010002000200040003D09002000034030304017498E28400000028010300008004000280050002800100010002000400000E1080010002000200040003D09002000034040304017498E28400000028010200008004000280050002800100010002000400000E1080010002000200040003D09002000034050304017498E28400000028010B00008004000280050002800100010002000400000E1080010002000200040003D09000000034060204017498E28400000028010300008004000280050002800100010002000400000E1080010002000200040003D09005000034386B0375BCBFBCDB24095C1D6CC1C977004B2BC026CE57769CD1E8DE099E289C46FB4E7A019C054B29E2DBCF7046E8290500000C011106A5C0A80C6F0000000C011106A5D45AA8E50000000000000000 ike 0:Windows-VPN_0:99:24178: peer proposal is: peer:17:192.168.12.111-192.168.12.111:1701, me:17:212.90.168.229-212.90.168.229:1701 ike 0:Windows-VPN_0:99:Windows-VPN:24178: trying ike 0:Windows-VPN_0:99:24178: transport mode, override with 17:212.90.168.229-212.90.168.229:1701 -> 17:192.168.12.111-192.168.12.111:0 ike 0:Windows-VPN_0:99:Windows-VPN:24178: matched phase2 ike 0:Windows-VPN_0:99:Windows-VPN:24178: dynamic client ike 0:Windows-VPN_0:99:Windows-VPN:24178: my proposal: ike 0:Windows-VPN_0:99:Windows-VPN:24178: proposal id = 1: ike 0:Windows-VPN_0:99:Windows-VPN:24178:   protocol id = IPSEC_ESP: ike 0:Windows-VPN_0:99:Windows-VPN:24178:      trans_id = ESP_AES_CBC (key_len = 256) ike 0:Windows-VPN_0:99:Windows-VPN:24178:      encapsulation = ENCAPSULATION_MODE_TRANSPORT ike 0:Windows-VPN_0:99:Windows-VPN:24178:         type = AUTH_ALG, val=MD5 ike 0:Windows-VPN_0:99:Windows-VPN:24178:      trans_id = ESP_3DES ike 0:Windows-VPN_0:99:Windows-VPN:24178:      encapsulation = ENCAPSULATION_MODE_TRANSPORT ike 0:Windows-VPN_0:99:Windows-VPN:24178:         type = AUTH_ALG, val=SHA1 ike 0:Windows-VPN_0:99:Windows-VPN:24178:      trans_id = ESP_AES_CBC (key_len = 192) ike 0:Windows-VPN_0:99:Windows-VPN:24178:      encapsulation = ENCAPSULATION_MODE_TRANSPORT ike 0:Windows-VPN_0:99:Windows-VPN:24178:         type = AUTH_ALG, val=SHA1 ike 0:Windows-VPN_0:99:Windows-VPN:24178: incoming proposal: ike 0:Windows-VPN_0:99:Windows-VPN:24178: proposal id = 1: ike 0:Windows-VPN_0:99:Windows-VPN:24178:   protocol id = IPSEC_ESP: ike 0:Windows-VPN_0:99:Windows-VPN:24178:      trans_id = ESP_AES_CBC (key_len = 256) ike 0:Windows-VPN_0:99:Windows-VPN:24178:      encapsulation = ENCAPSULATION_MODE_TRANSPORT ike 0:Windows-VPN_0:99:Windows-VPN:24178:         type = AUTH_ALG, val=SHA1 ike 0:Windows-VPN_0:99:Windows-VPN:24178: incoming proposal: ike 0:Windows-VPN_0:99:Windows-VPN:24178: proposal id = 2: ike 0:Windows-VPN_0:99:Windows-VPN:24178:   protocol id = IPSEC_ESP: ike 0:Windows-VPN_0:99:Windows-VPN:24178:      trans_id = ESP_AES_CBC (key_len = 128) ike 0:Windows-VPN_0:99:Windows-VPN:24178:      encapsulation = ENCAPSULATION_MODE_TRANSPORT ike 0:Windows-VPN_0:99:Windows-VPN:24178:         type = AUTH_ALG, val=SHA1 ike 0:Windows-VPN_0:99:Windows-VPN:24178: incoming proposal: ike 0:Windows-VPN_0:99:Windows-VPN:24178: proposal id = 3: ike 0:Windows-VPN_0:99:Windows-VPN:24178:   protocol id = IPSEC_ESP: ike 0:Windows-VPN_0:99:Windows-VPN:24178:      trans_id = ESP_3DES ike 0:Windows-VPN_0:99:Windows-VPN:24178:      encapsulation = ENCAPSULATION_MODE_TRANSPORT ike 0:Windows-VPN_0:99:Windows-VPN:24178:         type = AUTH_ALG, val=SHA1 ike 0:Windows-VPN_0:99:Windows-VPN:24178: negotiation result ike 0:Windows-VPN_0:99:Windows-VPN:24178: proposal id = 3: ike 0:Windows-VPN_0:99:Windows-VPN:24178:   protocol id = IPSEC_ESP: ike 0:Windows-VPN_0:99:Windows-VPN:24178:      trans_id = ESP_3DES ike 0:Windows-VPN_0:99:Windows-VPN:24178:      encapsulation = ENCAPSULATION_MODE_TRANSPORT ike 0:Windows-VPN_0:99:Windows-VPN:24178:         type = AUTH_ALG, val=SHA1 ike 0:Windows-VPN_0:99:Windows-VPN:24178: using transport mode. ike 0:Windows-VPN_0:99:Windows-VPN:24178: replay protection enabled ike 0:Windows-VPN_0:99:Windows-VPN:24178: SA life soft seconds=3591. ike 0:Windows-VPN_0:99:Windows-VPN:24178: SA life hard seconds=3600. ike 0:Windows-VPN_0:99:Windows-VPN:24178: IPsec SA selectors #src=1 #dst=1 ike 0:Windows-VPN_0:99:Windows-VPN:24178: src 0 7 17:212.90.168.229-212.90.168.229:1701 ike 0:Windows-VPN_0:99:Windows-VPN:24178: dst 0 7 17:192.168.12.111-192.168.12.111:0 ike 0:Windows-VPN_0:99:Windows-VPN:24178: add dynamic IPsec SA selectors ike 0:Windows-VPN:24178: add route 192.168.12.111/255.255.255.255 gw 192.168.12.111 oif Windows-VPN(36) metric 15 priority 0 ike 0:Windows-VPN_0:99:Windows-VPN:24178: tunnel 1 of VDOM limit 0/0 ike 0:Windows-VPN_0:99:Windows-VPN:24178: add IPsec SA: SPIs=1162c39a/7498e284 ike 0:Windows-VPN_0:99:Windows-VPN:24178: IPsec SA dec spi 1162c39a key 24:79591BFB1884F828E9B516175894268199721A8FFFB6BCE1 auth 20:06258CA5A3C3CFCDA9E443A491DDF54D5E3114BA ike 0:Windows-VPN_0:99:Windows-VPN:24178: IPsec SA enc spi 7498e284 key 24:FD1AD5CD0E31AC0EAD09D5B8114A3D2A87BECBFAD2804DF8 auth 20:CB692C4C568B229D731886C12B99D7384BF5A1E3 ike 0:Windows-VPN_0:99:Windows-VPN:24178: transport mode encapsulation is enabled ike 0:Windows-VPN_0:99:Windows-VPN:24178: added IPsec SA: SPIs=1162c39a/7498e284 ike 0:Windows-VPN_0:99:Windows-VPN:24178: sending SNMP tunnel UP trap ike 0:Windows-VPN_0:99: enc F612387E13CA40E3EBDF1EEE18880D720810200100000001000000A001000018BBB13C3B8B375F058408FFC8E43B5E5F6D09DE4A0A000040000000010000000100000034030304011162C39A00000028010300008004000280050002800100010002000400000E1080010002000200040003D090050000146C1F2299973EF9D4B17827ACFAFC5DCF0500000C011106A5C0A80C6F0000000C011106A5D45AA8E5 ike 0:Windows-VPN_0:99: out F612387E13CA40E3EBDF1EEE18880D720810200100000001000000A4B5CDE044B6A7D2802633A789098AD649AF6F23A4B097E15841C391251FB43B3B0CDAE2259DA0C8C4253B99DEF64539BCBA5DCC09F0489BF5110FFE0A223F3126956D2512354C548521DFD744BD1174158BAAD6C527E403278CB1EEEEA50BEB590A1D0BEA9746176D8B5C4D2427B1F56FD02A0E4E9CCB84395204204F73F2955B1D461614C7D4C500 ike 0:Windows-VPN_0:99: sent IKE msg (quick_r1send): 212.90.168.229:500->192.168.12.111:500, len=164, id=f612387e13ca40e3/ebdf1eee18880d72:00000001 ike 0: comes 192.168.12.111:500->212.90.168.229:500,ifindex=23.... ike 0: IKEv1 exchange=Quick id=f612387e13ca40e3/ebdf1eee18880d72:00000001 len=60 ike 0: in F612387E13CA40E3EBDF1EEE18880D7208102001000000010000003C2D314EBE56DFB909B81EAF3509FF40126870DF27080161B1E7C91A00BA1ECD1C ike 0:Windows-VPN_0:99: dec F612387E13CA40E3EBDF1EEE18880D7208102001000000010000003C00000018511D34B46D268153EEB34305313452E143889DF90000000000000000 ike 0:Windows-VPN_0:Windows-VPN:24178: send SA_DONE SPI 0x7498e284 ike shrank heap by 110592 bytes ike 0: comes 192.168.12.111:500->212.90.168.229:500,ifindex=23.... ike 0: IKEv1 exchange=Informational id=f612387e13ca40e3/ebdf1eee18880d72:42352b5f len=76 ike 0: in F612387E13CA40E3EBDF1EEE18880D720810050142352B5F0000004C53F2173062043A2C941B634208B43A60952461BFF2992F7C140D63812F3F40CDAC588DEB0D75EF489892812D70FB8056 ike 0:Windows-VPN_0:99: dec F612387E13CA40E3EBDF1EEE18880D720810050142352B5F0000004C0C0000187F2060FDE3EB43C9FF156FE01709DF42BF43CAE60000001000000001030400017498E2840000000000000000 ike 0:Windows-VPN_0:99: recv IPsec SA delete, spi count 1 ike 0:Windows-VPN_0: deleting IPsec SA with SPI 7498e284 ike 0:Windows-VPN_0:Windows-VPN: deleted IPsec SA with SPI 7498e284, SA count: 0 ike 0:Windows-VPN_0: sending SNMP tunnel DOWN trap for Windows-VPN ike 0:Windows-VPN:24178: del route 192.168.12.111/255.255.255.255 oif Windows-VPN(36) metric 15 priority 0 ike 0:Windows-VPN_0:Windows-VPN: delete ike 0: comes 192.168.12.111:500->212.90.168.229:500,ifindex=23.... ike 0: IKEv1 exchange=Informational id=f612387e13ca40e3/ebdf1eee18880d72:3f5b56c2 len=84 ike 0: in F612387E13CA40E3EBDF1EEE18880D72081005013F5B56C2000000543F3B2C4F626B60AE8CDB9CB61192D5FDC05F10D014C699E7CA5AFCD77FE054618AB00811268C1F94223DB7A74649D0D06F852D3750DE5380 ike 0:Windows-VPN_0:99: dec F612387E13CA40E3EBDF1EEE18880D72081005013F5B56C2000000540C0000183482E389DEE0938771C161B59EBB943AA74E995B0000001C0000000101100001F612387E13CA40E3EBDF1EEE18880D7200000000 ike 0:Windows-VPN_0:99: recv ISAKMP SA delete f612387e13ca40e3/ebdf1eee18880d72 ike 0:Windows-VPN_0: deleting ike 0:Windows-VPN_0: flushing ike 0:Windows-VPN_0: sending SNMP tunnel DOWN trap ike 0:Windows-VPN_0: flushed ike 0:Windows-VPN_0: delete dynamic ike 0:Windows-VPN_0: deleted ike 0:Windows-VPN: carrier down ike shrank heap by 126976 bytes

1728
0 Kudos
0 REPLIES 0
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.