2461 Views, 0 Helpful, 5 Replies

IPSEC between 3745 and Fortigate not working

ppucci
Level 1

Hi all,

Trying to bring up an IPSEC VPN between a Fortigate and a 3745, no success. Something is not right but I cannot tell what it is.

It looks like after they exchange Phase 1 parameters, something goes haywire and they stop talking. Any ideas?


VPN_CONCENTRATOR#
Jul  4 16:35:51.123 GMT: ISAKMP: local port 500, remote port 500
Jul  4 16:35:51.123 GMT: insert sa successfully sa = 6608AA50
Jul  4 16:35:51.123 GMT: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul  4 16:35:51.123 GMT: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_R_MM1

Jul  4 16:35:51.123 GMT: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
Jul  4 16:35:51.123 GMT: ISAKMP:(0:0:N/A:0): processing vendor id payload
Jul  4 16:35:51.123 GMT: ISAKMP:(0:0:N/A:0): vendor ID is DPD
Jul  4 16:35:51.123 GMT: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching XXX.XXX.24.253
Jul  4 16:35:51.123 GMT: ISAKMP:(0:0:N/A:0): local preshared key found
Jul  4 16:35:51.123 GMT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
Jul  4 16:35:51.123 GMT: ISAKMP:      life type in seconds
Jul  4 16:35:51.123 GMT: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Jul  4 16:35:51.127 GMT: ISAKMP:      encryption 3DES-CBC
Jul  4 16:35:51.127 GMT: ISAKMP:      auth pre-share
Jul  4 16:35:51.127 GMT: ISAKMP:      hash MD5
Jul  4 16:35:51.127 GMT: ISAKMP:      default group 2
Jul  4 16:35:51.127 GMT: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
Jul  4 16:35:51.147 GMT: ISAKMP:(0:429:SW:1): processing vendor id payload
VPN_CONCENTRATOR#
Jul  4 16:35:51.147 GMT: ISAKMP:(0:429:SW:1): vendor ID is DPD
Jul  4 16:35:51.147 GMT: ISAKMP:(0:429:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jul  4 16:35:51.147 GMT: ISAKMP:(0:429:SW:1):Old State = IKE_R_MM1  New State = IKE_R_MM1

Jul  4 16:35:51.151 GMT: ISAKMP:(0:429:SW:1): sending packet to XXX.XXX.24.253 my_port 500 peer_port 500 (R) MM_SA_SETUP
Jul  4 16:35:51.151 GMT: ISAKMP:(0:429:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jul  4 16:35:51.151 GMT: ISAKMP:(0:429:SW:1):Old State = IKE_R_MM1  New State = IKE_R_MM2

VPN_CONCENTRATOR#
VPN_CONCENTRATOR#
Jul  4 16:35:53.119 GMT: ISAKMP (0:134218157): received packet from XXX.XXX.24.253 dport 500 sport 500 XXXCUSTOMERS (R) MM_SA_SETUP
Jul  4 16:35:53.123 GMT: ISAKMP:(0:429:SW:1): phase 1 packet is a duplicate of a previous packet.
Jul  4 16:35:53.123 GMT: ISAKMP:(0:429:SW:1): retransmitting due to retransmit phase 1
Jul  4 16:35:53.623 GMT: ISAKMP:(0:429:SW:1): retransmitting phase 1 MM_SA_SETUP...
Jul  4 16:35:53.623 GMT: ISAKMP (0:134218157): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Jul  4 16:35:53.623 GMT: ISAKMP:(0:429:SW:1): retransmitting phase 1 MM_SA_SETUP
VPN_CONCENTRATOR#
Jul  4 16:35:53.623 GMT: ISAKMP:(0:429:SW:1): sending packet to XXX.XXX.24.253 my_port 500 peer_port 500 (R) MM_SA_SETUP
VPN_CONCENTRATOR#
Jul  4 16:35:57.119 GMT: ISAKMP (0:134218157): received packet from XXX.XXX.24.253 dport 500 sport 500 XXXCUSTOMERS (R) MM_SA_SETUP
Jul  4 16:35:57.119 GMT: ISAKMP:(0:429:SW:1): phase 1 packet is a duplicate of a previous packet.
Jul  4 16:35:57.123 GMT: ISAKMP:(0:429:SW:1): retransmitting due to retransmit phase 1
Jul  4 16:35:57.623 GMT: ISAKMP:(0:429:SW:1): retransmitting phase 1 MM_SA_SETUP...
Jul  4 16:35:57.623 GMT: ISAKMP (0:134218157): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Jul  4 16:35:57.623 GMT: ISAKMP:(0:429:SW:1): retransmitting phase 1 MM_SA_SETUP
VPN_CONCENTRATOR#
Jul  4 16:35:57.623 GMT: ISAKMP:(0:429:SW:1): sending packet to XXX.XXX.24.253 my_port 500 peer_port 500 (R) MM_SA_SETUP
VPN_CONCENTRATOR#
Jul  4 16:36:05.123 GMT: ISAKMP (0:134218157): received packet from XXX.XXX.24.253 dport 500 sport 500 XXXCUSTOMERS (R) MM_SA_SETUP
Jul  4 16:36:05.123 GMT: ISAKMP:(0:429:SW:1): phase 1 packet is a duplicate of a previous packet.
Jul  4 16:36:05.123 GMT: ISAKMP:(0:429:SW:1): retransmitting due to retransmit phase 1
Jul  4 16:36:05.623 GMT: ISAKMP:(0:429:SW:1): retransmitting phase 1 MM_SA_SETUP...
Jul  4 16:36:05.623 GMT: ISAKMP (0:134218157): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Jul  4 16:36:05.623 GMT: ISAKMP:(0:429:SW:1): retransmitting phase 1 MM_SA_SETUP
VPN_CONCENTRATOR#
Jul  4 16:36:05.623 GMT: ISAKMP:(0:429:SW:1): sending packet to XXX.XXX.24.253 my_port 500 peer_port 500 (R) MM_SA_SETUP
VPN_CONCENTRATOR#
Jul  4 16:36:15.623 GMT: ISAKMP:(0:429:SW:1): retransmitting phase 1 MM_SA_SETUP...
Jul  4 16:36:15.623 GMT: ISAKMP (0:134218157): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Jul  4 16:36:15.623 GMT: ISAKMP:(0:429:SW:1): retransmitting phase 1 MM_SA_SETUP
Jul  4 16:36:15.623 GMT: ISAKMP:(0:429:SW:1): sending packet to XXX.XXX.24.253 my_port 500 peer_port 500 (R) MM_SA_SETUP
VPN_CONCENTRATOR#
Jul  4 16:36:21.123 GMT: ISAKMP (0:134218157): received packet from XXX.XXX.24.253 dport 500 sport 500 XXXCUSTOMERS (R) MM_SA_SETUP
Jul  4 16:36:21.123 GMT: ISAKMP:(0:429:SW:1): phase 1 packet is a duplicate of a previous packet.
Jul  4 16:36:21.123 GMT: ISAKMP:(0:429:SW:1): retransmitting due to retransmit phase 1
Jul  4 16:36:21.623 GMT: ISAKMP:(0:429:SW:1): retransmitting phase 1 MM_SA_SETUP...
Jul  4 16:36:21.623 GMT: ISAKMP (0:134218157): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Jul  4 16:36:21.623 GMT: ISAKMP:(0:429:SW:1): retransmitting phase 1 MM_SA_SETUP
VPN_CONCENTRATOR#
Jul  4 16:36:21.623 GMT: ISAKMP:(0:429:SW:1): sending packet to XXX.XXX.24.253 my_port 500 peer_port 500 (R) MM_SA_SETUP
VPN_CONCENTRATOR#
VPN_CONCENTRATOR#
Jul  4 16:36:31.622 GMT: ISAKMP:(0:429:SW:1): retransmitting phase 1 MM_SA_SETUP...
Jul  4 16:36:31.622 GMT: ISAKMP:(0:429:SW:1):peer does not do paranoid keepalives.

Jul  4 16:36:31.622 GMT: ISAKMP:(0:429:SW:1):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer XXX.XXX.24.253)
Jul  4 16:36:31.622 GMT: ISAKMP:(0:429:SW:1):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer XXX.XXX.24.253)
Jul  4 16:36:31.622 GMT: ISAKMP:(0:429:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jul  4 16:36:31.622 GMT: ISAKMP:(0:429:SW:1):Old State = IKE_R_MM2  New State = IKE_DEST_SA
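The debug above is long and repetitive, and the useful facts are buried in it: the router is the responder (R), it accepted the peer's transform set, it moved to IKE_R_MM2 after sending MM_SA_SETUP, and then it only ever saw duplicates of the peer's first message until it gave up with "Death by retransmission P1". The following Python script is an added example (not part of the thread, not Cisco or Fortinet code) that parses `debug crypto isakmp` output of this shape and summarises where phase 1 stalled. The embedded log is a constructed sample modelled on the output above; the peer address 192.0.2.253 is a placeholder and retransmit attempts 3 to 5 are omitted. The diagnosis strings are heuristics, not an IOS feature.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample modelled on the thread's `debug crypto isakmp` output.
# 192.0.2.253 is a placeholder peer; attempts 3-5 are left out for brevity.
SAMPLE_LOG = """\
Jul  4 16:35:51.123 GMT: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul  4 16:35:51.123 GMT: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_R_MM1
Jul  4 16:35:51.123 GMT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
Jul  4 16:35:51.127 GMT: ISAKMP:      encryption 3DES-CBC
Jul  4 16:35:51.127 GMT: ISAKMP:      auth pre-share
Jul  4 16:35:51.127 GMT: ISAKMP:      hash MD5
Jul  4 16:35:51.127 GMT: ISAKMP:      default group 2
Jul  4 16:35:51.127 GMT: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
Jul  4 16:35:51.151 GMT: ISAKMP:(0:429:SW:1): sending packet to 192.0.2.253 my_port 500 peer_port 500 (R) MM_SA_SETUP
Jul  4 16:35:51.151 GMT: ISAKMP:(0:429:SW:1):Old State = IKE_R_MM1  New State = IKE_R_MM2
Jul  4 16:35:53.119 GMT: ISAKMP (0:134218157): received packet from 192.0.2.253 dport 500 sport 500 Global (R) MM_SA_SETUP
Jul  4 16:35:53.123 GMT: ISAKMP:(0:429:SW:1): phase 1 packet is a duplicate of a previous packet.
Jul  4 16:35:53.623 GMT: ISAKMP (0:134218157): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Jul  4 16:35:57.119 GMT: ISAKMP (0:134218157): received packet from 192.0.2.253 dport 500 sport 500 Global (R) MM_SA_SETUP
Jul  4 16:35:57.119 GMT: ISAKMP:(0:429:SW:1): phase 1 packet is a duplicate of a previous packet.
Jul  4 16:35:57.623 GMT: ISAKMP (0:134218157): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Jul  4 16:36:31.622 GMT: ISAKMP:(0:429:SW:1):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 192.0.2.253)
Jul  4 16:36:31.622 GMT: ISAKMP:(0:429:SW:1):Old State = IKE_R_MM2  New State = IKE_DEST_SA
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
ATTR_RE = re.compile(r"ISAKMP:\s{2,}(encryption|auth|hash|default group)\s+(\S+)")
SEND_RE = re.compile(r"sending packet to (\S+) .*\((I|R)\) (\S+)")
ATTEMPT_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)" state \((I|R)\) (\S+) \(peer (\S+)\)')


@dataclass
class Phase1Report:
    peer: Optional[str] = None
    role: Optional[str] = None                   # "I" initiator or "R" responder
    proposal: dict = field(default_factory=dict)  # attributes of the transform that was checked
    proposal_accepted: bool = False
    states: list = field(default_factory=list)   # ordered "New State" values
    duplicates: int = 0                          # peer re-sent a phase 1 packet we already had
    attempts: int = 0                            # highest retransmit attempt seen
    max_attempts: int = 0
    delete_reason: Optional[str] = None

    @property
    def last_negotiation_state(self) -> Optional[str]:
        # Skip the IKE_DEST_SA teardown state so we report how far the exchange actually got.
        for s in reversed(self.states):
            if s != "IKE_DEST_SA":
                return s
        return None


def parse_isakmp_debug(text: str) -> Phase1Report:
    """Walk the debug lines once and collect the phase 1 facts that matter."""
    r = Phase1Report()
    for line in text.splitlines():
        if m := STATE_RE.search(line):
            r.states.append(m.group(2))
        elif m := ATTR_RE.search(line):
            r.proposal[m.group(1)] = m.group(2)
        elif "atts are acceptable" in line:
            r.proposal_accepted = True
        elif m := SEND_RE.search(line):
            r.peer, r.role = m.group(1), m.group(2)
        elif "phase 1 packet is a duplicate" in line:
            r.duplicates += 1
        elif m := ATTEMPT_RE.search(line):
            r.attempts = max(r.attempts, int(m.group(1)))
            r.max_attempts = int(m.group(2))
        elif m := DELETE_RE.search(line):
            r.delete_reason = m.group(1)
            r.peer = r.peer or m.group(4)
    return r


def diagnose(r: Phase1Report) -> list:
    """Heuristic reading of the report; each finding is one plain sentence."""
    findings = []
    if not r.proposal_accepted:
        findings.append("phase 1 proposal was never accepted: compare the isakmp policy "
                        "(encryption, hash, auth, group, lifetime) on both ends")
        return findings
    findings.append("phase 1 proposal accepted as %s: %s" % (
        r.role, ", ".join("%s=%s" % kv for kv in r.proposal.items())))
    if r.delete_reason and "retransmission P1" in r.delete_reason \
            and r.last_negotiation_state == "IKE_R_MM2":
        findings.append(
            "stuck in IKE_R_MM2 after %d of %d retransmits; peer %s re-sent its first message "
            "%d time(s), so our MM2 reply is apparently not reaching, or not being accepted by, "
            "the peer: check the UDP/500 return path, any NAT between the peers, and the peer's "
            "own IKE log" % (r.attempts, r.max_attempts, r.peer, r.duplicates))
    elif r.delete_reason:
        findings.append("SA deleted (%s) in state %s" % (r.delete_reason, r.last_negotiation_state))
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_isakmp_debug(SAMPLE_LOG)):
        print("-", line)
```

Run against a captured `debug crypto isakmp` session instead of `SAMPLE_LOG` (for example `parse_isakmp_debug(open("debug.txt").read())`) to get the same two-line summary; a responder that accepts the proposal but never leaves IKE_R_MM2 while the peer keeps repeating MM1 points at the reply path rather than at the phase 1 policy.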

5 Replies

ppucci
Level 1

by the way, I am using

Cisco IOS Software, 3700 Software (C3745-ADVENTERPRISEK9-M), Version 12.4(25c), RELEASE SOFTWARE (fc2)

You might want to clear the tunnel on both ends and try to re-establish the tunnel. From the debug output, it seems that the Fortigate is sending duplicate packets, hence the 3745 complains.

We've tried that a couple of times, I even had the 3745 reloaded and it still gives me the same messages. Any other ideas?

Did you get a resolution for this?

filop
Level 1

try to configure

no crypto ipsec nat-transparency udp-encaps

on 3745 if possible.