peer has not completed Configuration Method

morczak · ‎01-26-2012

Hey volks, I have two Fortigate 50B in use, one on the Datacenter with a static IP, the other with dynamic ip (using DDNS dyndns.info) on a branch office. The VPN tunnel between these both fortigates works fine. The Client Login with FortiClient on the Datacenter works fine The Client Login on the branch office doesn' t work. I setup the client user on both fortigates exactly the same way, however, when i try to login with the client on the branch office it stops on Phase1 Here is some stuff from the test log (client side) In run_timer_list, jiffies=00000000, skipped = 0 tvecs[1]->bits is 3, tvecs->index is 0 sys_get_local_gwy() called: [in] remote gw: 178.27.217.232. [in] Next hop: 0.0.0.0 sys_get_local_gwy() called: [in] remote gw: 178.27.217.232. [in] Next hop: 0.0.0.0 Detect local gateway for peer: 178.27.217.232 sys_get_local_gwy() called: [in] remote gw: 178.27.217.232. [in] Next hop: 0.0.0.0 sys_get_local_gwy() called: [in] remote gw: 178.27.217.232. [in] Next hop: 172.20.10.1 Get sa_connect message...172.20.10.8->178.27.217.232:6144, natt_mode=0 Using new connection...natt_mode=0 Set connection name = test. Adding timer #1... expiry=3600, data=7373512 Adding to bucket 3 at index 1 Tunnel 172.20.10.8 ---> 178.27.217.232:500,natt_en=1 is starting negotiation Will negotiate a normal SA Initiator: main mode is sending 1st message... Sending DPD VID payloads.... Sending VID payload.... Sending NATT VID payload (draft3).... Sending NATT VID payload (draft3 and draft1).... Initiator: sent 178.27.217.232 main mode message #1 (OK) Adding timer #2... expiry=28770, data=8446856 Adding to bucket 4 at index 1 set retransmit: st=1, timeout=10. Adding timer #2... expiry=10, data=8446856 Adding to bucket 1 at index 10 Next_time = 10 sec In run_timer_list, jiffies=0000000A, skipped = 10 tvecs[1]->bits is 3, tvecs->index is 0 No response from the peer, retransmit (st=1).... set retransmit: st=1, timeout=5. Adding timer #2... expiry=5, data=8446856 Adding to queue Adding timer #3... expiry=5, data=8446856 Adding to bucket 1 at index 15 Next_time = 5 sec And here is some stuff from debug on the fortigate: ike 0:cl-morczak:9: protocol id = ISAKMP: ike 0:cl-morczak:9: trans_id = KEY_IKE. ike 0:cl-morczak:9: encapsulation = IKE/none ike 0:cl-morczak:9: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC. ike 0:cl-morczak:9: type=OAKLEY_HASH_ALG, val=SHA. ike 0:cl-morczak:9: type=AUTH_METHOD, val=PRESHARED_KEY. ike 0:cl-morczak:9: type=OAKLEY_GROUP, val=1024. ike 0:cl-morczak:9: ISKAMP SA lifetime=28800 ike 0:cl-morczak:9: selected NAT-T version: draft-ietf-ipsec-nat-t-ike-03 ike 0:cl-morczak:9: cookie 4a1d904ab3796906/c8797af4df630401 ike 0:cl-morczak:9: ISAKMP SA 4a1d904ab3796906/c8797af4df630401 key 24:7E9B3A40BB67191989653F2A519B8F283842E35F32FB3552 ike 0:cl-morczak:9: out 4A1D904AB3796906C8797AF4DF63040101100400000000000000017804000034000000010000000100000028010100010000002001010000800B0001800C7080800100058002000280030001800400020A0000843B7CBE3DCB7E060769B314488CA9FE1B6443E4EA420B13589108971695A6E25FA3DD7B86B3DAEB8464242CC5175045F9EA25684A827C04DC9F216683367FFD3235F05C28ACD0430C8F3446294975CF845BE239ED10BD31B039B14C931543B5144E2D4F8E9F626A7B8BAB4B32D8E2FC953911BAAC5D8448927C15212D1F59F31D05000014896F966D3BCAF449D5574709975D69B80800000C01000000B21BD9E80D0000188EDBBF9DA7EB800C3E50E3374CBC721145E00C07820000147D9419A65310CA6F2C179D9215529D5682000018A45DCF64A65F5777D0C46C11952F12330C4F0EDD0D000018D9E0F562FA1F210A0A25097917ACEACB042F3EF30D000014AFCAD71368A1F1C96B8696FC77570100000000148299031757A36082C6A621DE000401CA ike 0:cl-morczak:9: sent IKE msg (agg_r1send): 178.27.217.232:500->80.187.106.254:500, len=376, id=4a1d904ab3796906/c8797af4df630401 ike 0: comes 80.187.106.254:32808->178.27.217.232:4500,ifindex=6.... ike 0: IKEv1 exchange=Aggressive id=4a1d904ab3796906/c8797af4df630401 len=132 ike 0: in 4A1D904AB3796906C8797AF4DF6304018210040100000000000000845B117D2275091654ECD2B1FC09A010EA990EB1AF3DD6B822427CD7EF200C6E8BB6092E5F4EF848C2A86A5039476EC0F3EC9DE9CBC73C35F220587EB4661CBF0F94B159EEADE8C0052E11FB8B35378BA3F7FBB2CC42C0275059BF3073331BCDE5E9AA3541DAD19E15 ike 0:cl-morczak:9: responder: aggressive mode get 2nd response... ike 0:cl-morczak:9: dec 4A1D904AB3796906C8797AF4DF63040182100401000000000000008482000018F0D3809D32C94EEA66604972C54BC26C71AD1D2308000018733B05382518ED27B3B563955F26E2E9E3FC070C0B00001804628B67EB9945AA6F027531E12774739A5710E10000001C00000001011060024A1D904AB3796906C8797AF4DF63040100000000 ike 0:cl-morczak:9: received NAT-D payload type 130 ike 0:cl-morczak:9: received NAT-D payload type 130 ike 0:cl-morczak:9: received notify type 24578 ike 0:cl-morczak:9: PSK authentication succeeded ike 0:cl-morczak:9: authentication OK ike 0:cl-morczak:9: NAT detected: ME PEER ike 0:cl-morczak:9: port change 500 -> 32808 ike 0:cl-morczak:9: established IKE SA 4a1d904ab3796906/c8797af4df630401 ike 0:cl-morczak: adding new dynamic tunnel for 80.187.106.254:32808 ike 0:cl-morczak_0: added new dynamic tunnel for 80.187.106.254:32808 ike 0:cl-morczak_0:9: processing INITIAL-CONTACT ike 0:cl-morczak_0: flushing ike 0:cl-morczak_0: flushed ike 0:cl-morczak_0:9: processed INITIAL-CONTACT ike 0:cl-morczak_0:9: no pending Quick-Mode negotiations ike 0: comes 80.187.106.254:32808->178.27.217.232:4500,ifindex=6.... ike 0: IKEv1 exchange=Quick id=4a1d904ab3796906/c8797af4df630401:8f8f4bd4 len=148 ike 0: in 4A1D904AB3796906C8797AF4DF630401081020018F8F4BD400000094A29C3620F5A828A842E5EBE0405A278FD6735D4B271D89863879793CA87C04EC54146E5F8B6090856C87EB8929DF8FE0323720A8D3E4B605BAC0CF8A9329721643DAF9D5D5EB15020310031DA2D44A27774C61863B97D0BA42AF07DCAD34EDD8F0697B11F2088C5B361EC3346F49A2DA82C9D41829B46369 ike 0:cl-morczak_0:9: peer has not completed Configuration Method diag debug appli ike 255ike shrank heap by 126976 bytes ike 0: comes 62.180.106.10:500->178.27.217.232:500,ifindex=6.... ike 0: IKEv1 exchange=Informational id=d3aae11c2d6532bd/8bbff19b7a6bd2dd:8ed84767 len=92 What means the " peer has not completed Configuration Method" on the fortigate side? Why do i get a " No response from the peer, retransmit (st=1)...." on the test log on client side? Any suggestions are welcome.... Greetz, Matthias

morczak · ‎01-27-2012

nobody ever had this issue? Can' t believe .... :(

morczak · ‎01-27-2012

Hey Volks, I found the solution, don' t ask me why it was enabled (must be a default setting as i never activate it via CLI) the set mode-cfg was enabled. And because my FortiClient (4.1.3) does not support this feature the Phase1 was dropped all the time... To fix it i did the following steps: open the cli on the fortigate config vpn ipsec phase1-interface edit " NAME-OF-THE-CLIENT-PROFILE" set mode-cfg disable next end After this i was able to connect to the fortigate without any problems. greetz, Matthias

Carl_Wallmark · ‎01-27-2012

Hi morczak, the mode-cfg issue you have is a bug in the early firmware versions of MR3, i think it was fixed somewhere aroung MR3 Patch 2-3. Check the release notes, in some situations it was turned on by default.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

FransUrbo · ‎10-19-2018

"a bug in the early firmware versions of MR3".. ? What does MR3 stand for?

I'm running version FGT50E-5.6.6-FW-build1630-180913, and that bug seems to be in that version. There's apparently no newer version than that (don't want to go to v6 just yet).