FortiGate - Common errors when debugging an IPsec tunnel

Author Johnny Josefsson on April 19, 2013

If all is well, something like this should be visible:
ike 3:MyVPN_GW:18690:MyVPN:49143: added IPsec SA: SPIs=939fc892/b54d030

The actual SPI values are not important.


If SNMP traps are configured, something like this could also be visible:

ike 3:MyVPN_GW:18690:MyVPN:49143: sending SNMP tunnel UP trap



---------[ERRORS]-------------------------------------


[ PHASE 1 ]

keylife
- - - Make sure these match, in seconds, on both ends!
- - - A mismatch can make the tunnel appear to work at first, but then go down
- - - at rekey time and never come up again because of the keylife.

policy
- - - ike 0:ev_se_nod02:ev_se_nod02_tunnel: IPsec SA connect 7 81.167.188.34->195.49.174.134:500
- - - ike 0:ev_se_nod02: ignoring request to establish IPsec SA, no policy configured


ike 3:MyVPN_GW:18698: sent IKE msg (P1_RETRANSMIT): ....
- - - This could indicate a mismatch of the pre-shared key.
- - - Also check whether the peer is a dynamic client, which may require
- - - aggressive mode. Main mode is mostly used with static
- - - connections, but those can sometimes also require aggressive mode.
- - - Too long an interface name (over 15 chars); note also that a Cisco with a
- - - 15 char interface name is, for the FortiGate, too long an interface name.
- - - Note also that the interface name can be too long on one side only.
- - - THIS could also mean that the proposal does not match on both ends.



[ PHASE 1 and 2 ]
ike 3:MyVPN_GW:18707: no SA proposal chosen
- - - No common encryption algorithm / hash combination between the two sides.
- - - Make sure both sides run the same combination, 3DES-SHA1 for example.
- - -
- - - NOTE that this can also be a follow-on error caused by earlier errors...



[ PHASE 2 ]

keylife
- - - Make sure these match, in seconds, on both ends!
- - - A mismatch can make the tunnel appear to work at first, but then go down
- - - at rekey time and never come up again because of the keylife.



(D)ead (P)eer (D)etection
- - - Make sure DPD is configured the same on both sides: either off on both or
- - - on on both. Otherwise the tunnel may come up for a while but then go down
- - - because of the keep-alive packets, and never come up again.



Selectors (ACL / subnets)
ike 0:MyVPN_GW:619134:MyVPN_GW:7806650: trying
ike 0:MyVPN_GW:619134:7806650: specified selectors mismatch
ike 0:MyVPN_GW:619134:7806650: peer: type=7/7, local=0:172.24.0.0-172.24.255.255:0, remote=0:172.30.90.0-172.30.90.63:0
ike 0:MyVPN_GW:619134:7806650: mine: type=7/7, local=0:172.24.0.0-172.24.255.255:0, remote=0:172.30.68.0-172.30.68.255:0
- - - Make sure the subnets at both ends of the tunnel(s) match.
- - - It also seems you have to match them in reverse order if the remote is Cisco? Or at least
- - - in the same order that they are defined in the ACL on the remote end. If tunnel_s_



No DH Group specified on the other side
ike 0:MyVPN_GW:619134:MyVPN_GW:7806650: expected PFS DH group 5, but did not receive any DH group
ike 0:MyVPN_GW:619134:MyVPN_GW:7806650: negotiation failure
ike Negotiate IPsec SA Error: ike 0:MyVPN_GW:619134:7806650: no SA proposal chosen
- - - In the GUI for Phase 2, uncheck [ ] Enable perfect forward secrecy (PFS).
- - - In the CLI for Phase 2, set pfs disable
- - - Or make sure the other end uses the same DH group.



No common combination of encryption algorithm / hash (or, for example, DH group) between the two sides.
ike 0:IMPONLINE:619134:IMPONLINE_02:7806650: my proposal:
ike 0:IMPONLINE:619134:IMPONLINE_02:7806650: proposal id = 1:
ike 0:IMPONLINE:619134:IMPONLINE_02:7806650:   protocol id = IPSEC_ESP:
ike 0:IMPONLINE:619134:IMPONLINE_02:7806650:      trans_id = ESP_3DES
ike 0:IMPONLINE:619134:IMPONLINE_02:7806650:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:IMPONLINE:619134:IMPONLINE_02:7806650:         type = AUTH_ALG, val=SHA1
- - - [take the block above and the block below and diff them in a text editor]
ike 0:IMPONLINE:619134:IMPONLINE_02:7806650: incoming proposal:
ike 0:IMPONLINE:619134:IMPONLINE_02:7806650: proposal id = 1:
ike 0:IMPONLINE:619134:IMPONLINE_02:7806650:   protocol id = IPSEC_ESP:
ike 0:IMPONLINE:619134:IMPONLINE_02:7806650:      trans_id = ESP_3DES
ike 0:IMPONLINE:619134:IMPONLINE_02:7806650:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:IMPONLINE:619134:IMPONLINE_02:7806650:         type = AUTH_ALG, val=MD5
- - - 
ike Negotiate IPsec SA Error: ike 0:IMPONLINE:619134:7806650: no SA proposal chosen
- - - Encryption / hash combination mismatch, in this example 3DES-SHA1 versus 3DES-MD5.
- - - Set the same combination on both sides.
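Instead of diffing the two proposal dumps by hand in a text editor, the attribute comparison can be automated. The following Python script is an added example (not from the article and not FortiGate code): it splits the debug output into the "my proposal:" and "incoming proposal:" sections, collects each proposal's attributes (protocol, transform, encapsulation, and any "type = X, val=Y" attribute such as AUTH_ALG) into a dictionary, and then looks for any pair of proposals that agree on every attribute. If none agrees, it returns the closest pair together with the attributes that differ. It goes slightly beyond the page's single-proposal example by handling several "proposal id" entries per side. The line layout assumed by the regular expressions is taken only from the lines quoted above; the sample input is those lines embedded as constructed test data.

```python
import re

# Constructed sample input: the proposal dump quoted in the article, embedded
# here as test data for this added example.
SAMPLE_DEBUG = """\
ike 0:IMPONLINE:619134:IMPONLINE_02:7806650: my proposal:
ike 0:IMPONLINE:619134:IMPONLINE_02:7806650: proposal id = 1:
ike 0:IMPONLINE:619134:IMPONLINE_02:7806650:   protocol id = IPSEC_ESP:
ike 0:IMPONLINE:619134:IMPONLINE_02:7806650:      trans_id = ESP_3DES
ike 0:IMPONLINE:619134:IMPONLINE_02:7806650:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:IMPONLINE:619134:IMPONLINE_02:7806650:         type = AUTH_ALG, val=SHA1
ike 0:IMPONLINE:619134:IMPONLINE_02:7806650: incoming proposal:
ike 0:IMPONLINE:619134:IMPONLINE_02:7806650: proposal id = 1:
ike 0:IMPONLINE:619134:IMPONLINE_02:7806650:   protocol id = IPSEC_ESP:
ike 0:IMPONLINE:619134:IMPONLINE_02:7806650:      trans_id = ESP_3DES
ike 0:IMPONLINE:619134:IMPONLINE_02:7806650:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:IMPONLINE:619134:IMPONLINE_02:7806650:         type = AUTH_ALG, val=MD5
ike Negotiate IPsec SA Error: ike 0:IMPONLINE:619134:7806650: no SA proposal chosen
"""

# Assumed layouts, derived only from the lines above.
PREFIX_RE = re.compile(r"^ike \S+:\s*(?P<body>.*)$")          # "ike <ids>: <body>"
ATTR_RE = re.compile(r"^type = (?P<k>\w+), val=(?P<v>\S+)$")  # "type = AUTH_ALG, val=SHA1"
KV_RE = re.compile(r"^(?P<k>[\w ]+?) = (?P<v>[^:]+):?$")      # "trans_id = ESP_3DES"


def parse_proposals(debug_text):
    """Return {'my': [proposal, ...], 'incoming': [proposal, ...]}.

    Each proposal is a dict of attribute name -> value; a new dict starts at
    every 'proposal id = N' line inside the current section.
    """
    sides = {"my": [], "incoming": []}
    current = None
    for raw in debug_text.splitlines():
        m = PREFIX_RE.match(raw)
        if not m:
            continue
        body = m["body"].strip()
        if body == "my proposal:":
            current = "my"
            continue
        if body == "incoming proposal:":
            current = "incoming"
            continue
        if current is None:
            continue
        attr = ATTR_RE.match(body)
        if attr:
            key, val = attr["k"], attr["v"]
        else:
            kv = KV_RE.match(body)
            if not kv:
                continue  # unrelated debug line inside the section
            key, val = kv["k"].strip(), kv["v"].strip()
        if key == "proposal id":
            sides[current].append({"proposal id": val})
        elif sides[current]:
            sides[current][-1][key] = val
    return sides


def diff_proposals(mine, theirs):
    """List (attribute, my value, incoming value) for every attribute that differs."""
    keys = sorted((set(mine) | set(theirs)) - {"proposal id"})
    return [(k, mine.get(k), theirs.get(k)) for k in keys if mine.get(k) != theirs.get(k)]


def find_mismatch(debug_text):
    """Report a matching proposal pair, or the closest pair and what differs."""
    sides = parse_proposals(debug_text)
    if not sides["my"] or not sides["incoming"]:
        return {"status": "incomplete", "diff": []}
    best = None
    for mine in sides["my"]:
        for theirs in sides["incoming"]:
            d = diff_proposals(mine, theirs)
            if not d:
                return {"status": "match", "mine": mine, "incoming": theirs, "diff": []}
            if best is None or len(d) < len(best[2]):
                best = (mine, theirs, d)
    return {"status": "mismatch", "mine": best[0], "incoming": best[1], "diff": best[2]}


if __name__ == "__main__":
    result = find_mismatch(SAMPLE_DEBUG)
    print("status:", result["status"])
    for attr, mine, theirs in result["diff"]:
        print(f" - {attr}: mine={mine} incoming={theirs}")
```

On the sample input the only differing attribute is AUTH_ALG (SHA1 on our side, MD5 on the incoming side), which is the 3DES-SHA1 versus 3DES-MD5 mismatch described above; the fix is still to configure the same combination on both ends.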


REALLY GOOD STUFF
http://itsecworks.wordpress.com/2012/03/22/debugging-fortigate-vpns/

Category: Fortinet, Fortigate

Last updated on December 3, 2013 with 24631 views