02-11-2005 05:35 AM - edited 02-21-2020 01:36 PM
Hello,
I have to configure a VPN tunnel between a VPN 3030 concentrator and a Fortinet 50A firewall. The firewall is connected to an ADSL router. I have some problems establishing the tunnel. On the ADSL router the ports for IKE (5000) and NAT-T (4500 and also 10000, although it won't be necessary) are open and are forwarded by the router. On the concentrator NAT-T is also configured for the tunnel.
The Fortinet reaches the concentrator but there is a problem with IKE issues. The configuration is the same on both machines but the following log entries occur on the VPN concentrator when I try to establish the tunnel from the Fortinet:
3559 02/11/2005 14:33:44.730 SEV=4 IKE/100 RPT=374 82.207.215.246
Group [82.207.215.246]
Received encrypted Oakley Main Mode packet with invalid payloads,
MsgId (0x00000000)
13562 02/11/2005 14:33:45.240 SEV=4 IKE/136 RPT=383 82.207.215.246
Group [82.207.215.246]
IKE session establishment timed out [MM_WAIT_MSG5], aborting!
13564 02/11/2005 14:33:50.680 SEV=4 IKE/0 RPT=5109 82.207.215.246
Unsupported message length of 0
Does anybody know what the problem could be?!
Thanks for any help.
Best regards
Christian
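The three concentrator log entries quoted above share one shape: a header line (sequence number, timestamp, SEV, class/code, RPT, peer address) followed by one or more continuation lines. The parser below, an added example that is not part of the thread, groups those lines into events and flags the IKE Phase 1 failure signatures seen in this thread with the causes the replies point to. The header layout beyond what the quoted lines show is an assumption; the sample log is constructed from the lines in the post.

```python
"""Parse Cisco VPN 3000 concentrator event-log lines and flag IKE Phase 1
failures. Added example (not from the thread); the header layout beyond the
three quoted entries is an assumption."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Header line as quoted in the post: seq date time SEV=n CLASS/code RPT=n [peer]
HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+SEV=(?P<sev>\d+)\s+"
    r"(?P<cls>[A-Z]+)/(?P<code>\d+)\s+RPT=(?P<rpt>\d+)"
    r"(?:\s+(?P<peer>\d+\.\d+\.\d+\.\d+))?\s*$"
)


@dataclass
class Event:
    seq: int
    sev: int
    cls: str
    code: int
    peer: Optional[str]
    text: str = ""  # continuation lines joined with single spaces


def parse_events(lines) -> List[Event]:
    """Group header + continuation lines into Event records."""
    events: List[Event] = []
    cur: Optional[Event] = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            cur = Event(int(m["seq"]), int(m["sev"]), m["cls"],
                        int(m["code"]), m["peer"])
            events.append(cur)
        elif cur is not None:
            cur.text = (cur.text + " " + line).strip()
    return events


# Phase 1 failure signatures from the thread, paired with the checks the
# replies suggest (PSK mismatch, one-way UDP 500/4500 filtering, NAT damage).
SIGNATURES: List[Tuple[str, str]] = [
    ("invalid payloads",
     "Main Mode packet did not decrypt: verify the PSK byte-for-byte "
     "(including trailing whitespace) and the Phase 1 proposal"),
    ("MM_WAIT_MSG5",
     "peer never delivered MM5: decryption failure on the peer or "
     "UDP 500/4500 blocked in one direction"),
    ("Unsupported message length",
     "malformed or truncated ISAKMP packet: check the NAT device and NAT-T settings"),
]


def phase1_findings(events: List[Event]) -> List[Tuple[int, Optional[str], str]]:
    """Return (seq, peer, hint) for each IKE event matching a known signature."""
    findings = []
    for ev in events:
        if ev.cls != "IKE":
            continue
        for needle, hint in SIGNATURES:
            if needle in ev.text:
                findings.append((ev.seq, ev.peer, hint))
    return findings


# Constructed sample: the three entries quoted in the post.
SAMPLE_LOG = """\
3559 02/11/2005 14:33:44.730 SEV=4 IKE/100 RPT=374 82.207.215.246
Group [82.207.215.246]
Received encrypted Oakley Main Mode packet with invalid payloads,
MsgId (0x00000000)
13562 02/11/2005 14:33:45.240 SEV=4 IKE/136 RPT=383 82.207.215.246
Group [82.207.215.246]
IKE session establishment timed out [MM_WAIT_MSG5], aborting!
13564 02/11/2005 14:33:50.680 SEV=4 IKE/0 RPT=5109 82.207.215.246
Unsupported message length of 0
"""

if __name__ == "__main__":
    for seq, peer, hint in phase1_findings(parse_events(SAMPLE_LOG.splitlines())):
        print(f"{seq} {peer}: {hint}")
```

Feed the concentrator's exported event log to `parse_events` and group the findings by peer address; a burst of IKE/100 followed by MM_WAIT_MSG5 from the same peer is the pattern that, later in this thread, turned out to be a pre-shared key mismatch rather than a port problem.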
02-12-2005 02:07 PM
Chris,
It seems to be a problem with Phase I. I am concerned with the ports you are opening. Why are you opening 5000?
Please open UDP 500 (ISAKMP)
and also open protocol 50, which is "ESP".
Hope it helps...
Frank
02-21-2005 05:42 AM
Hello,
Sorry, that was a typing mistake... It's not port 5000 which is open... it is port 500 UDP...
02-21-2005 06:30 AM
Chris,
It is hard to tell, but based on what you are saying, the concentrator is receiving an unexpected packet. This could be because of:
1) Mismatched encryption keys
2) A truncated pkt
3) A non-conformant implementation
Try this:
0) Disable NAT-T on the concentrator (No UDP no TCP)
1) Save configs on both sides
2) Disable the tunnel on the CVPN, then enable it again
3) Reboot the fortigate
4) Try to bring up the tunnel again
Questions:
1) Is the ADSL router a modem, or are you doing any type of NAT?
2) Is the policy on the Fortigate ACCEPT or ENCRYPT?
If this does not work, I will say the configuration needs to be checked, this seems to be a problem with the configuration assuming the ISP is not blocking traffic.
Let me know...
Frank
11-21-2013 02:34 PM
Received encrypted Oakley Main Mode packet with invalid payloads, MsgId (0x00000000)
The problem was the Preshared Key in Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN.
There was an extra space at the end of the PSK. I think the extra space is interpreted as a character on the Cisco 3000. Once the extra space was removed from the end of the PSK, the tunnel came up the next day when troubleshooting.
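The trailing space matters because IKEv1 with pre-shared-key authentication derives SKEYID = prf(pre-shared-key, Ni_b | Nr_b) (RFC 2409, section 5.4), so a key that differs by a single byte on either side yields different keying material and the peer's Main Mode packets can no longer be decrypted, which is exactly the IKE/100 "invalid payloads" entry above. The snippet below is an added example, not part of the thread: it lints a PSK for the whitespace problem described here and shows that the two derivations disagree. The nonces are constructed values and HMAC-SHA1 is assumed as the negotiated PRF.

```python
"""Lint an IKEv1 pre-shared key and show why a trailing space breaks Phase 1.
Added example, not from the thread. SKEYID = prf(PSK, Ni_b | Nr_b) follows
RFC 2409 section 5.4; HMAC-SHA1 as the PRF and the nonces are assumptions."""
import hashlib
import hmac
from typing import List


def psk_issues(psk: str) -> List[str]:
    """Return findings for a PSK as it would be pasted into a device UI."""
    issues = []
    if psk != psk.strip():
        issues.append("leading/trailing whitespace")
    if any(ch in psk for ch in "\t\r\n"):
        issues.append("embedded tab or newline")
    if not psk.isascii():
        issues.append("non-ASCII characters (byte encoding may differ between vendors)")
    if len(psk.strip()) < 16:
        issues.append("shorter than 16 characters")
    return issues


def skeyid(psk: str, ni: bytes, nr: bytes) -> bytes:
    """IKEv1 PSK-mode SKEYID: prf(pre-shared-key, Ni_b | Nr_b), PRF assumed HMAC-SHA1."""
    return hmac.new(psk.encode("ascii"), ni + nr, hashlib.sha1).digest()


def peers_agree(psk_initiator: str, psk_responder: str, ni: bytes, nr: bytes) -> bool:
    """True only if both sides derive the same SKEYID from their configured keys."""
    return hmac.compare_digest(skeyid(psk_initiator, ni, nr),
                               skeyid(psk_responder, ni, nr))


# Constructed nonces standing in for Ni_b and Nr_b exchanged in Main Mode.
NI = bytes.fromhex("0102030405060708090a0b0c0d0e0f10")
NR = bytes.fromhex("f0e0d0c0b0a090807060504030201000")

# Constructed keys: the Fortinet side typed it cleanly, the concentrator
# side carried the extra trailing space described in the post.
PSK_FORTINET = "ExampleSharedSecret2005"
PSK_CONCENTRATOR = "ExampleSharedSecret2005 "

if __name__ == "__main__":
    print("concentrator PSK issues:", psk_issues(PSK_CONCENTRATOR))
    print("SKEYID agree:", peers_agree(PSK_FORTINET, PSK_CONCENTRATOR, NI, NR))
    print("SKEYID agree after strip:",
          peers_agree(PSK_FORTINET, PSK_CONCENTRATOR.strip(), NI, NR))
```

Running `psk_issues` over keys exported from both endpoints catches the class of mismatch that no log line names directly; the concentrator only reports that a packet failed to decrypt, never why.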