Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
fortinoy
New Contributor II

Created on ‎08-14-2019 01:42 AM

site to site vpn tunnel is up but no traffic flowing

setup site to site vpn using the ipsec wizard. tunnel is already up but keeps on getting the error "progress ipsec phase 1 negotiate failure" in vpn events log. need your help where and what to check.

 

note: i initially setup ssl vpn on the same fortigate and it works well. trying to setup the site to site vpn now. the setup on the ipsec wizard is easy and fast. but it is not working.

 

please advise. thanks.

38970
0 Kudos
34 REPLIES 34
Toshi_Esumi
SuperUser
SuperUser

Created on ‎08-14-2019 09:37 AM

I'm assuming your tunnel is working fine. Then take a close look at the log detail. Does the remote IP match the IP of the other side of your VPN? Chances are somebody else is trying to set up VPN to your FGT.

13925
0 Kudos
fortinoy
New Contributor II
In response to Toshi_Esumi

Created on ‎08-14-2019 04:48 PM

The IPs on both sides are correct. What do you mean when you say "Chances are somebody else is trying to set up VPN to your FGT."? I have setup SSL VPN too on the same Fortigate on both sides. Will that affect the site to site vpn i'm trying to setup? Thanks.

13925
0 Kudos
OneOfUs
New Contributor III
In response to fortinoy

Created on ‎08-16-2019 07:00 PM

Based on this:

ike 0:”LOCAL VPN NAME”: sending SNMP tunnel DOWN trap for “LOCAL VPN NAME” ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:[style="background-color: #ffff00;"] my proposal:[/style] ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: [style="background-color: #ffff00;"]proposal id = 1[/style]: ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: protocol id = IPSEC_ESP: ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: PFS DH group = 14 ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: trans_id = ESP_AES_CBC (key_len = 128) ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: type = AUTH_ALG, val=SHA1 ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: [style="background-color: #ff0000;"]proposal id = 2:[/style] ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: protocol id = IPSEC_ESP: ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: PFS DH group = 5 ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: trans_id = ESP_AES_CBC (key_len = 128) ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: type = AUTH_ALG, val=SHA1 ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: incoming proposal: ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: proposal id = 1: ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: protocol id = IPSEC_ESP: ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: PFS DH group = 14 ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: trans_id = ESP_AES_CBC (key_len = 128) ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: type = AUTH_ALG, val=SHA1 ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: [style="background-color: #00ff00;"]negotiation result[/style] ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: proposal id = 1: ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: protocol id = IPSEC_ESP: ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: PFS [style="background-color: #00ffff;"]DH[/style] group = [style="background-color: #00ffff;"]14[/style] ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: trans_id = ESP_[style="background-color: #00ffff;"]AES[/style]_CBC (key_len = [style="background-color: #00ffff;"]128[/style]) ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: type = AUTH_ALG, val=[style="background-color: #00ffff;"]SHA1[/style] ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: [style="background-color: #00ff00;"]sending SNMP tunnel UP trap[/style]

 

It appears the phase 1 (IKE) is coming up and the issue is with the phase 2 (IPSEC) negotiation.  The only thing I saw odd in the debug is that you appear to have two phase 2 selectors however the remote only has one.  It may help to eliminate the 2nd phase 2 selector and additional (unneeded) encryption / authentication protocols.  Make sure the phase 2 local / remote addresses match.

 

The phase 2 negotiation appears to complete using: AES-128 SHA1 DH 14 Keylife 43200.  

 

If you look at the IPSEC VPN monitor does the tunnel appear to bounce?

 

 

13926
0 Kudos
OneOfUs
New Contributor III

Created on ‎08-14-2019 05:33 PM

This is the best article I've found to troubleshoot IPSEC VPNs, some of the GUI information has changed over the years:

 

To get diagnose information for the VPN connection - CLI

1.Log into the CLI as admin with the output being logged to a file.

2.Stop any diagnose debug sessions that are currently running with the CLI command

diagnose debug disable

3.Clear any existing log-filters by running

diagnose vpn ike log-filter clear

4.Set the log-filter to the IP address of the remote computer (Remote Gateway). This filters out all VPN connections except ones to the IP address we are concerned with. The command is

diagnose vpn ike log-filter dst-addr4 <remote gateway>

5.Set up the commands to output the VPN handshaking. The commands are:

diagnose debug app ike 63

diagnose debug enable

6.Have the remote FortiGate initiate the VPN connection in the web-based manager by going to VPN > Monitor and selecting Bring up.

This makes the remote FortiGate the initiator and the local FortiGate becomes the responder. Establishing the connection in this manner means the local FortiGate will have its configuration information as well as the information the remote computer sends. Having both sets of information locally makes it easier to troubleshoot your VPN connection.

7.Watch the screen for output, and after roughly 15 seconds enter the following CLI command to stop the output.

diagnose debug disable

8.If needed, save the log file of this output to a file on your local computer. Saving the output to a file can make it easier to search for a particular phrase, and is useful for comparisons.

 

From <http://docs-legacy.fortinet.com/fos50hlp/50/FortiOS%205.0%20Help/TestandMonitor.129.08.html>

13926
0 Kudos
fortinoy
New Contributor II
In response to OneOfUs

Created on ‎08-15-2019 05:50 PM

Thanks for the steps. Please help me to check the result of the debug below. I replaced the ips and the vpn names for security.

 

LEGEND:

“local FG public ip” "remote FG public ip" "local vpn name" "remote vpn name" "remote FG LAN ip" "local FG LAN ip"

 

FGT60ETK180999ZJ # ike shrank heap by 126976 bytes ike 0: comes "remote FG public ip:"500“local FG public ip”:500,ifindex=6.... ike 0: IKEv1 exchange=Informational id=1bb17d97025b7eba/126b50d856d51ce4:c40c60a2 len=92 ike 0: "local vpn name":327: recv IPsec SA delete, spi count 1 ike 0: "local vpn name": deleting IPsec SA with SPI 4d6c1357 ike 0: "local vpn name":"local vpn name": deleted IPsec SA with SPI 4d6c1357, SA count: 0 ike 0: "local vpn name": sending SNMP tunnel DOWN trap for "local vpn name" ike 0: comes "remote FG public ip":500->“local FG public ip”:500,ifindex=6.... ike 0: IKEv1 exchange=Quick id=1bb17d97025b7eba/126b50d856d51ce4:25461b74 len=588 ike 0: "local vpn name":327:19: responder received first quick-mode message ike 0: "local vpn name":327:19: peer proposal is: peer:0: "remote FG LAN ip"-"remote FG LAN ip", me:0: "local FG LAN ip"-"local FG LAN ip" ike 0: "local vpn name":327: "local vpn name":19: trying ike 0: "local vpn name":327: "local vpn name":19: matched phase2 ike 0: "local vpn name":327: "local vpn name":19: autokey ike 0: "local vpn name":327: "local vpn name":19: my proposal: ike 0: "local vpn name":327: "local vpn name":19: proposal id = 1: ike 0: "local vpn name":327: "local vpn name":19:   protocol id = IPSEC_ESP: ike 0: "local vpn name":327: "local vpn name":19:   PFS DH group = 14 ike 0: "local vpn name":327: "local vpn name":19:      trans_id = ESP_AES_CBC (key_len = 128) ike 0: "local vpn name":327: "local vpn name":19:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0: "local vpn name":327: "local vpn name":19:         type = AUTH_ALG, val=SHA1 ike 0: "local vpn name":327: "local vpn name":19:      trans_id = ESP_AES_CBC (key_len = 256) ike 0: "local vpn name":327: "local vpn name":19:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0: "local vpn name":327: "local vpn name":19:         type = AUTH_ALG, val=SHA1 ike 0: "local vpn name":327: "local vpn name":19:      trans_id = ESP_AES_CBC (key_len = 128) ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=SHA2_256 ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      trans_id = ESP_AES_CBC (key_len = 256) ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=SHA2_256 ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      trans_id = ESP_AES_GCM_16 (key_len = 128) ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=NULL ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      trans_id = ESP_AES_GCM_16 (key_len = 256) ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=NULL ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      trans_id = ESP_CHACHA20_POLY1305 (key_len = 256) ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=NULL ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19: proposal id = 2: ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:   protocol id = IPSEC_ESP: ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:   PFS DH group = 5 ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      trans_id = ESP_AES_CBC (key_len = 128) ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=SHA1 ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      trans_id = ESP_AES_CBC (key_len = 256) ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=SHA1 ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      trans_id = ESP_AES_CBC (key_len = 128) ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=SHA2_256 ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      trans_id = ESP_AES_CBC (key_len = 256) ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=SHA2_256 ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      trans_id = ESP_AES_GCM_16 (key_len = 128) ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=NULL ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      trans_id = ESP_AES_GCM_16 (key_len = 256) ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=NULL ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      trans_id = ESP_CHACHA20_POLY1305 (key_len = 256) ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=NULL ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19: incoming proposal: ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19: proposal id = 1: ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:   protocol id = IPSEC_ESP: ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:   PFS DH group = 14 ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      trans_id = ESP_AES_CBC (key_len = 128) ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=SHA1 ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      trans_id = ESP_AES_CBC (key_len = 256) ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=SHA1 ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      trans_id = ESP_3DES ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=SHA1 ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      trans_id = ESP_AES_CBC (key_len = 128) ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=SHA2_256 ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      trans_id = ESP_AES_CBC (key_len = 256) ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=SHA2_256 ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      trans_id = ESP_3DES ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=SHA2_256 ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19: negotiation result ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19: proposal id = 1: ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:   protocol id = IPSEC_ESP: ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:   PFS DH group = 14 ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      trans_id = ESP_AES_CBC (key_len = 128) ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=SHA1 ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19: set pfs=MODP2048 ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19: using tunnel mode. ike 0:”LOCAL VPN NAME”: schedule auto-negotiate ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19: replay protection enabled ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19: SA life soft seconds=42929. ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19: SA life hard seconds=43200. ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19: IPsec SA selectors #src=1 #dst=1 ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19: src 0 4 0:”local FG LAN ip”/255.255.255.0:0 ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19: dst 0 4 0:”remote FG LAN ip”/255.255.255.0:0 ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19: add IPsec SA: SPIs=0c219574/4d6c1358 ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19: added IPsec SA: SPIs=0c219574/4d6c1358 ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19: sending SNMP tunnel UP trap ike 0:”LOCAL VPN NAME”:327: sent IKE msg (quick_r1send): “local FG public ip”:500->“remote FG public ip”:500, len=444, id=1bb17d97025b7eba/126b50d856d51ce4:25461b74 ike 0: comes “remote FG public ip”:500->“local FG public ip”:500,ifindex=6.... ike 0: IKEv1 exchange=Quick id=1bb17d97025b7eba/126b50d856d51ce4:25461b74 len=76 ike 0:”LOCAL VPN NAME”:”LOCAL VPN NAME”:19: send SA_DONE SPI 0x4d6c1358   FGT60ETK180999ZJ # diagnose debug disable=========== ================================================ FGT60ETK180999ZJ # ike shrank heap by 126976 bytes ike 0: comes “remote FG public ip”:500->“local FG public ip”:500,ifindex=6.... ike 0: IKEv1 exchange=Informational id=936e3ddcaaec9ef2/af17441d730dc067:ebcb47ca len=92 ike 0:”LOCAL VPN NAME”:330: recv IPsec SA delete, spi count 1 ike 0:”LOCAL VPN NAME”: deleting IPsec SA with SPI 4d6c1359 ike 0:”LOCAL VPN NAME”:”LOCAL VPN NAME”: deleted IPsec SA with SPI 4d6c1359, SA count: 0 ike 0:”LOCAL VPN NAME”: sending SNMP tunnel DOWN trap for “LOCAL VPN NAME” ike 0: comes “remote FG public ip”:500->“local FG public ip”:500,ifindex=6.... ike 0: IKEv1 exchange=Quick id=936e3ddcaaec9ef2/af17441d730dc067:42eb0de9 len=588 ike 0:”LOCAL VPN NAME”:330:21: responder received first quick-mode message ike 0:”LOCAL VPN NAME”:330:21: peer proposal is: peer:0:”remote FG LAN ip”-192.168.100.255:0, me:0:”local FG LAN ip”-192.168.17.255:0 ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: trying ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: matched phase2 ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: autokey ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: my proposal: ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: proposal id = 1: ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:   protocol id = IPSEC_ESP: ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:   PFS DH group = 14 ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_AES_CBC (key_len = 128) ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=SHA1 ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_AES_CBC (key_len = 256) ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=SHA1 ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_AES_CBC (key_len = 128) ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=SHA2_256 ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_AES_CBC (key_len = 256) ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=SHA2_256 ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_AES_GCM_16 (key_len = 128) ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=NULL ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_AES_GCM_16 (key_len = 256) ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=NULL ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_CHACHA20_POLY1305 (key_len = 256) ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=NULL ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: proposal id = 2: ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:   protocol id = IPSEC_ESP: ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:   PFS DH group = 5 ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_AES_CBC (key_len = 128) ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=SHA1 ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_AES_CBC (key_len = 256) ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=SHA1 ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_AES_CBC (key_len = 128) ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=SHA2_256 ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_AES_CBC (key_len = 256) ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=SHA2_256 ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_AES_GCM_16 (key_len = 128) ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=NULL ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_AES_GCM_16 (key_len = 256) ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=NULL ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_CHACHA20_POLY1305 (key_len = 256) ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=NULL ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: incoming proposal: ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: proposal id = 1: ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:   protocol id = IPSEC_ESP: ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:   PFS DH group = 14 ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_AES_CBC (key_len = 128) ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=SHA1 ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_AES_CBC (key_len = 256) ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=SHA1 ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_3DES ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=SHA1 ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_AES_CBC (key_len = 128) ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=SHA2_256 ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_AES_CBC (key_len = 256) ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=SHA2_256 ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_3DES ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=SHA2_256 ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: negotiation result ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: proposal id = 1: ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:   protocol id = IPSEC_ESP: ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:   PFS DH group = 14 ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_AES_CBC (key_len = 128) ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=SHA1 ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: set pfs=MODP2048 ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: using tunnel mode. ike 0:”LOCAL VPN NAME”: schedule auto-negotiate ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: replay protection enabled ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: SA life soft seconds=42930. ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: SA life hard seconds=43200. ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: IPsec SA selectors #src=1 #dst=1 ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: src 0 4 0:”local FG LAN ip”/255.255.255.0:0 ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: dst 0 4 0:”remote FG LAN ip”/255.255.255.0:0 ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: add IPsec SA: SPIs=0c219576/4d6c135a ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: added IPsec SA: SPIs=0c219576/4d6c135a ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: sending SNMP tunnel UP trap ike 0:”LOCAL VPN NAME”:330: sent IKE msg (quick_r1send): “local FG public ip”:500->“remote FG public ip”:500, len=444, id=936e3ddcaaec9ef2/af17441d730dc067:42eb0de9 ike 0: comes “remote FG public ip”:500->“local FG public ip”:500,ifindex=6.... ike 0: IKEv1 exchange=Quick id=936e3ddcaaec9ef2/af17441d730dc067:42eb0de9 len=76 ike 0:”LOCAL VPN NAME”:”LOCAL VPN NAME”:21: send SA_DONE SPI 0x4d6c135a FGT60ETK180999ZJ # ike 0:”LOCAL VPN NAME”:326: expiring IKE SA e8819280293ca8bf/f0e01864a2ffc7c3 ike 0:”LOCAL VPN NAME”:326: send IKE SA delete e8819280293ca8bf/f0e01864a2ffc7c3 ike 0:”LOCAL VPN NAME”:326: sent IKE msg (ISAKMP SA DELETE-NOTIFY): “local FG public ip”:500->“remote FG public ip”:500, len=108, id=e8819280293ca8bf/f0e01864a2ffc7c3:0bb860e3 ike 0:”LOCAL VPN NAME”: schedule auto-negotiate ike 0: comes “remote FG public ip”:500->“local FG public ip”:500,ifindex=6.... ike 0: IKEv1 exchange=Informational id=e8819280293ca8bf/f0e01864a2ffc7c3:439f8810 len=108 ike 0: no established IKE SA for exchange-type Informational from “remote FG public ip”:500->“local FG public ip” 6 cookie e8819280293ca8bf/f0e01864a2ffc7c3, drop ike 0:”LOCAL VPN NAME”:327: expiring IKE SA 1bb17d97025b7eba/126b50d856d51ce4 ike 0:”LOCAL VPN NAME”:327: send IKE SA delete 1bb17d97025b7eba/126b50d856d51ce4 ike 0:”LOCAL VPN NAME”:327: sent IKE msg (ISAKMP SA DELETE-NOTIFY): “local FG public ip”:500->“remote FG public ip”:500, len=108, id=1bb17d97025b7eba/126b50d856d51ce4:c9c0f7d6 ike 0:”LOCAL VPN NAME”: schedule auto-negotiate  

13926
0 Kudos
sw2090
Honored Contributor
In response to fortinoy

Created on ‎08-16-2019 12:28 AM

Well Ipsec is cool when it works but its a pain in the a** to debug :/ That's not on Fortinet but something to blame ipsec itself for.

 

Accoarding to the logs I see no negotiation errors or timeouts. Just the tunnel going up and then down again sending the specific smtp trap.

Did you check if your Key TTLS in phase1 AND 2 do match on both sides? 

 

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
13926
0 Kudos
fortinoy
New Contributor II
In response to sw2090

Created on ‎08-16-2019 12:58 AM

Yes, TTLS in phase 1 and 2 have the same settings.

13926
0 Kudos
fortinoy
New Contributor II
In response to fortinoy

Created on ‎08-16-2019 01:27 AM

Can you guys send me a sample debug of a working site to site vpn on two Fortigates? I really don't know what and where to check to fix this. Thanks.

 

13926
0 Kudos
fortinoy
New Contributor II
In response to fortinoy

Created on ‎08-16-2019 01:52 AM

Here is another debug from the local Fortigate:

 

ike config update start

ike config update done

ike 0: cache rebuild done

ike 0: comes LOCAL PUBLIC IP:500->REMOTE PUBLIC IP:500,ifindex=6....

ike 0: IKEv2 exchange=INFORMATIONAL id=a4d297da840a9b86/8dcfd5a5eb102e38:00000002 len=80

ike 0:LOCAL  VPN NAME:1091: received informational request

ike 0:LOCAL  VPN NAME:1091: processing delete request (proto 3)

ike 0:LOCAL  VPN NAME: deleting IPsec SA with SPI 4d6c140e

ike 0:LOCAL  VPN NAME:LOCAL  VPN NAME: deleted IPsec SA with SPI 4d6c140e, SA count: 0

ike 0:LOCAL  VPN NAME: sending SNMP tunnel DOWN trap for LOCAL  VPN NAME

ike 0:LOCAL  VPN NAME:1091: sending delete ack

ike 0:LOCAL  VPN NAME:1091: sent IKE msg (INFORMATIONAL_RESPONSE): REMOTE PUBLIC IP:500->LOCAL PUBLIC IP:500, len=80, id=a4d297da840a9b86/8dcfd5a5eb102e38:00000002

ike 0: comes LOCAL PUBLIC IP:500->REMOTE PUBLIC IP:500,ifindex=6....

ike 0: IKEv2 exchange=CREATE_CHILD id=a4d297da840a9b86/8dcfd5a5eb102e38:00000003 len=192

ike 0:LOCAL  VPN NAME:1091: received create-child request

ike 0:LOCAL  VPN NAME:1091: responder received CREATE_CHILD exchange

ike 0:LOCAL  VPN NAME:1091: responder creating new child

ike 0:LOCAL  VPN NAME:1091:63: peer proposal:

ike 0:LOCAL  VPN NAME:1091:63: TSi_0 0:REMOTE  LAN IP-REMOTE  LAN IP:0

ike 0:LOCAL  VPN NAME:1091:63: TSr_0 0:LOCAL LAN IP-LOCAL  LAN IP:0

ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: comparing selectors

ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: matched by rfc-rule-2

ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: phase2 matched by subset

ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: accepted proposal:

ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: TSi_0 0:REMOTE  LAN IP-REMOTE  LAN IP:0

ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: TSr_0 0:LOCAL LAN IP-LOCAL  LAN IP:0

ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: autokey

ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: incoming child SA proposal:

ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: proposal id = 1:

ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63:   protocol = ESP:

ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63:      encapsulation = TUNNEL

ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63:         type=ENCR, val=AES_CBC (key_len = 256)

ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63:         type=INTEGR, val=SHA256

ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63:         type=ESN, val=NO

ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63:         PFS is disabled

ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: matched proposal id 1

ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: proposal id = 1:

ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63:   protocol = ESP:

ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63:      encapsulation = TUNNEL

ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63:         type=ENCR, val=AES_CBC (key_len = 256)

ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63:         type=INTEGR, val=SHA256

ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63:         type=ESN, val=NO

ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63:         PFS is disabled

ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: lifetime=28800

ike 0:LOCAL  VPN NAME: schedule auto-negotiate

ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: set sa life soft seconds=28528.

ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: set sa life hard seconds=28800.

ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: IPsec SA selectors #src=1 #dst=1

ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: src 0 7 0:LOCAL LAN IP-LOCAL  LAN IP:0

ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: dst 0 7 0:REMOTE  LAN IP-REMOTE  LAN IP:0

ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: add IPsec SA: SPIs=0c219592/4d6c1410

ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: added IPsec SA: SPIs=0c219592/4d6c1410

ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: sending SNMP tunnel UP trap

ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: responder preparing CREATE_CHILD message

ike 0:LOCAL  VPN NAME:1091: sent IKE msg (CREATE_CHILD_RESPONSE): REMOTE PUBLIC IP:500->LOCAL PUBLIC IP:500, len=192, id=a4d297da840a9b86/8dcfd5a5eb102e38:00000003

 

13926
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.