6114 Views | 0 Helpful | 3 Replies

RVS4000 --> Fortigate 200A

postfalls
Level 1

I'm attempting to set up an IPSEC VPN connection between my RVS4000 at home and my Fortigate 200A at work.  I've verified all Phase 1 and Phase 2 settings and checked to make sure the shared key is identical on both units.  When I try to initiate a connection, the log shows the following:

Feb 25 10:50:54 - [VPN Log]: "Fortigate" #61: next payload type of ISAKMP Hash Payload has an unknown value: 172
Feb 25 10:50:54 - [VPN Log]: "Fortigate" #61: malformed payload in packet
Feb 25 10:50:54 - [VPN Log]: "Fortigate" #61: sending notification PAYLOAD_MALFORMED to {REMOTE_IPADDRESS}:500
Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: received Vendor ID payload [RFC 3947] method set to=109
Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: received Vendor ID payload [Dead Peer Detection]
Feb 25 10:50:54 - [VPN Log]: "Fortigate" #62: Aggressive mode peer ID is ID_IPV4_ADDR: {REMOTE_IPADDRESS}'
Feb 25 10:50:54 - [VPN Log]: "Fortigate" #62: responding to Aggressive Mode, state #62, connection "Fortigate" from {REMOTE_IPADDRESS}
Feb 25 10:50:54 - [VPN Log]: "Fortigate" #62: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
Feb 25 10:50:54 - [VPN Log]: "Fortigate" #62: STATE_AGGR_R1: sent AR1, expecting AI2
Feb 25 10:50:54 - [VPN Log]: "Fortigate" #62: packet rejected: should have been encrypted
Feb 25 10:50:54 - [VPN Log]: "Fortigate" #62: sending notification INVALID_FLAGS to {REMOTE_IPADDRESS}:500
Feb 25 10:50:55 - [VPN Log]: "Fortigate" #63: initiating Aggressive Mode #63, connection "Fortigate"
Feb 25 10:50:56 - [VPN Log]: "Fortigate" #63: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_NAT-D) at the outermost level
Feb 25 10:50:56 - [VPN Log]: "Fortigate" #63: sending notification INVALID_PAYLOAD_TYPE to {REMOTE_IPADDRESS}:500
Feb 25 10:50:58 - [VPN Log]: "Fortigate" #63: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_NAT-D) at the outermost level
Feb 25 10:50:58 - [VPN Log]: "Fortigate" #63: sending notification INVALID_PAYLOAD_TYPE to {REMOTE_IPADDRESS}:500

No connection is ever made.  Does anyone know what I should be looking at to fix this???
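The log above is dense, so here is an added triage script (not from the thread, the RVS4000 or Fortinet) that parses lines in this "[VPN Log]" format, counts the ISAKMP notifications the router sent back to its peer, records per-SA state transitions and turns them into plain-language findings. The sample lines are copied from the post with the peer address still masked as {REMOTE_IPADDRESS}; the assumption that the state names follow Openswan/pluto conventions (STATE_AGGR_R2 / STATE_AGGR_I2 as the final aggressive-mode states) is marked in the code.

```python
"""Triage helper for RVS4000-style "[VPN Log]" IKE messages (added example)."""
import re
from collections import Counter, defaultdict

# Two line shapes appear in the log: a per-SA line ('"conn" #N: msg') and a
# pre-SA packet line ('packet from ADDR:PORT: msg').
LOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) - \[VPN Log\]: '
    r'(?:"(?P<conn>[^"]+)" #(?P<sa>\d+): |packet from (?P<peer>\S+?):(?P<port>\d+): )?'
    r'(?P<msg>.*)$'
)
NOTIFY_RE = re.compile(r'sending notification (?P<code>[A-Z_]+) to')
TRANSITION_RE = re.compile(r'transition from state (?P<frm>\S+) to state (?P<to>\S+)')
NATT_METHOD_RE = re.compile(r'method set to=(?P<method>\d+)')

# ISAKMP Notify Message Types from RFC 2408, section 3.14.1.
ISAKMP_NOTIFY_TYPES = {"INVALID_PAYLOAD_TYPE": 1, "INVALID_FLAGS": 8,
                       "NO_PROPOSAL_CHOSEN": 14, "PAYLOAD_MALFORMED": 16}

# Assumption: the router's IKE daemon uses Openswan/pluto state names, in
# which these are the last aggressive-mode states on each side.
FINAL_AGGR_STATES = {"STATE_AGGR_I2", "STATE_AGGR_R2"}

# Sample input: lines taken from the thread, peer address masked.
SAMPLE_LOG = [
    'Feb 25 10:50:54 - [VPN Log]: "Fortigate" #61: next payload type of ISAKMP Hash Payload has an unknown value: 172',
    'Feb 25 10:50:54 - [VPN Log]: "Fortigate" #61: malformed payload in packet',
    'Feb 25 10:50:54 - [VPN Log]: "Fortigate" #61: sending notification PAYLOAD_MALFORMED to {REMOTE_IPADDRESS}:500',
    'Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: received Vendor ID payload [RFC 3947] method set to=109',
    'Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]',
    'Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109',
    'Feb 25 10:50:54 - [VPN Log]: "Fortigate" #62: responding to Aggressive Mode, state #62, connection "Fortigate" from {REMOTE_IPADDRESS}',
    'Feb 25 10:50:54 - [VPN Log]: "Fortigate" #62: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1',
    'Feb 25 10:50:54 - [VPN Log]: "Fortigate" #62: packet rejected: should have been encrypted',
    'Feb 25 10:50:54 - [VPN Log]: "Fortigate" #62: sending notification INVALID_FLAGS to {REMOTE_IPADDRESS}:500',
    'Feb 25 10:50:55 - [VPN Log]: "Fortigate" #63: initiating Aggressive Mode #63, connection "Fortigate"',
    'Feb 25 10:50:56 - [VPN Log]: "Fortigate" #63: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_NAT-D) at the outermost level',
    'Feb 25 10:50:56 - [VPN Log]: "Fortigate" #63: sending notification INVALID_PAYLOAD_TYPE to {REMOTE_IPADDRESS}:500',
]


def parse_line(line):
    """Split one log line into its fields, or return None if it is not a [VPN Log] line."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Walk the log once and collect the counters the diagnosis needs."""
    summary = {"notifications": Counter(), "transitions": defaultdict(list),
               "unknown_vendor_ids": 0, "natt_method": None, "natd_rejected": 0,
               "rejected_unencrypted": 0, "unparsed": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            summary["unparsed"].append(line)
            continue
        msg = rec["msg"]
        if (n := NOTIFY_RE.search(msg)):
            summary["notifications"][n["code"]] += 1
        if (t := TRANSITION_RE.search(msg)) and rec["sa"]:
            summary["transitions"][rec["sa"]].append((t["frm"], t["to"]))
        if "ignoring unknown Vendor ID payload" in msg:
            summary["unknown_vendor_ids"] += 1
        if (nm := NATT_METHOD_RE.search(msg)):
            summary["natt_method"] = int(nm["method"])
        if "ISAKMP_NEXT_NAT-D" in msg:
            summary["natd_rejected"] += 1
        if "should have been encrypted" in msg:
            summary["rejected_unencrypted"] += 1
    return summary


def diagnose(summary):
    """Turn the counters into plain-language findings (heuristics, not a verdict)."""
    findings = []
    if summary["notifications"]:
        codes = ", ".join(f"{code} (type {ISAKMP_NOTIFY_TYPES.get(code, '?')}) x{n}"
                          for code, n in sorted(summary["notifications"].items()))
        findings.append("This side rejected peer packets at the ISAKMP parsing level: " + codes
                        + ". These are packet-structure rejections, not proposal or "
                        "pre-shared-key failures.")
    if summary["natt_method"] is not None and summary["natd_rejected"]:
        findings.append(f"NAT-T method {summary['natt_method']} was chosen from the peer's Vendor "
                        "ID, but NAT-D payloads from the peer were then rejected as unexpected at "
                        "the outermost level; check that NAT traversal settings agree on both peers.")
    if summary["rejected_unencrypted"]:
        findings.append("A cleartext packet arrived in a state that expects encryption; the "
                        "responder answered INVALID_FLAGS and that SA did not progress.")
    reached_final = any(to in FINAL_AGGR_STATES
                        for steps in summary["transitions"].values() for _, to in steps)
    if summary["transitions"] and not reached_final:
        findings.append("No SA reached a final aggressive-mode state: Phase 1 never completed "
                        "in this capture.")
    if summary["unparsed"]:
        findings.append(f"{len(summary['unparsed'])} line(s) did not match the expected format.")
    return findings


if __name__ == "__main__":
    for finding in diagnose(summarize(SAMPLE_LOG)):
        print("-", finding)
```

Run it with the log pasted into SAMPLE_LOG (or read from a file); the findings list is what you would paste into a support ticket, and the notification counts let you see at a glance whether the failure is at packet parsing or later in the exchange.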

3 Replies

alissitz
Level 4

Hello,

I am not sure of what the problem is, however there are several messages below for why a packet or communication is denied. "packet should be encrypted, message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_NAT-D) at the outermost level, etc ..."

It looks like something in the config parameters is not matching.

Does Fortigate have any literature for how you can connect different vendor's VPN?  Is there a 'standardized' method for connecting multiple vendors with the Fortigate?

Perhaps someone much smarter than me on this community has some additional suggestions, however I would suggest checking with Fortigate and seeing if they have a config guide that explains how to connect to 3rd party vendors and which settings will be standard and accepted.

Also, you may consider posting your config here.  Just be sure to remove any information that is sensitive and you don't want to be shared.

HTH,

Andrew Lissitz

Actually, I got it working.  The Fortigate has an advanced setting under the Phase 2 configuration like this:

Quick Mode Selector
  Source address:      WORK_INTERNAL_SUBNET
  Source port:
  Destination address: HOME_INTERNAL_SUBNET
  Destination port:
  Protocol:


I had left these at all zeros which was supposed to allow all subs on either side, but once I specified my main one, it started up.

Thanks for your help.
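The fix was making the Phase 2 (Quick Mode) selectors on the Fortigate match the subnets the RVS4000 expects. As an added example (not from the thread or either vendor), the check below takes each peer's local/remote selector pair and verifies that they mirror each other, flagging the all-zeros wildcard the poster started with. The subnets in it are constructed stand-ins for the WORK_INTERNAL_SUBNET and HOME_INTERNAL_SUBNET placeholders.

```python
"""Phase 2 (Quick Mode) selector consistency check (added example)."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed configurations, not the thread's real subnets.
RVS4000 = {"name": "RVS4000", "local": "192.168.1.0/24", "remote": "10.20.0.0/16"}
FORTIGATE_ALL_ZEROS = {"name": "Fortigate 200A", "local": "0.0.0.0/0", "remote": "0.0.0.0/0"}
FORTIGATE_FIXED = {"name": "Fortigate 200A", "local": "10.20.0.0/16", "remote": "192.168.1.0/24"}


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def check_phase2_selectors(peer_a, peer_b):
    """Return a list of (level, message); an empty list means the selectors mirror exactly.

    Mirroring means peer_a.local == peer_b.remote and peer_a.remote == peer_b.local.
    A selector that merely contains the other side's selector is reported as a warning,
    disjoint selectors as an error; 0.0.0.0/0 is always reported.
    """
    findings = []
    a_local, a_remote = _net(peer_a["local"]), _net(peer_a["remote"])
    b_local, b_remote = _net(peer_b["local"]), _net(peer_b["remote"])
    for name, role, net in ((peer_a["name"], "local", a_local), (peer_a["name"], "remote", a_remote),
                            (peer_b["name"], "local", b_local), (peer_b["name"], "remote", b_remote)):
        if net == ANY:
            findings.append(("warn", f"{name}: {role} selector is 0.0.0.0/0; "
                                     "the other peer may require an exact match"))
    for a_role, a_net, b_role, b_net in (("local", a_local, "remote", b_remote),
                                         ("remote", a_remote, "local", b_local)):
        if a_net == b_net:
            continue
        contained = a_net.subnet_of(b_net) or b_net.subnet_of(a_net)
        level = "warn" if contained else "error"
        findings.append((level, f"{peer_a['name']} {a_role} {a_net} != {peer_b['name']} "
                                f"{b_role} {b_net}"
                                + (" (one contains the other)" if contained else " (no overlap)")))
    return findings


def selectors_mirror(peer_a, peer_b):
    """True only when both selector pairs are exact mirrors of each other."""
    return not check_phase2_selectors(peer_a, peer_b)


if __name__ == "__main__":
    for cfg in (FORTIGATE_ALL_ZEROS, FORTIGATE_FIXED):
        print(cfg["name"], "vs", RVS4000["name"], "mirror:", selectors_mirror(RVS4000, cfg))
        for level, msg in check_phase2_selectors(RVS4000, cfg):
            print("  ", level, msg)
```

Both peers' selectors are plain CIDR strings, so the same check applies whether the far end is a Fortigate, another RVS4000 or any other IKEv1 box; run it before opening a ticket so the obvious selector mismatch is ruled out first.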

Glad to hear it is up and going, and I appreciate the update and letting us know how you solved this!

Good stuff.

Best wishes for a great weekend,

Andrew Lissitz
