Site to Site VPN between Fortinet 50A and VPN 3030 Concentrator

VesoTeam
Level 1

Hello,

I have to configure a VPN tunnel between a VPN 3030 concentrator and a Fortinet 50A firewall. The firewall is connected to an ADSL router. I have some problems establishing the tunnel. On the ADSL router the ports for IKE (5000) and NAT-T (4500 and also 10000, although it won't be necessary) are open and are forwarded by the router. On the concentrator NAT-T is also configured for the tunnel.

The Fortinet reaches the concentrator, but there is a problem with IKE. The configuration is the same on both machines, but the following log entries occur on the VPN concentrator when I try to establish the tunnel from the Fortinet:

3559 02/11/2005 14:33:44.730 SEV=4 IKE/100 RPT=374 82.207.215.246
Group [82.207.215.246]
Received encrypted Oakley Main Mode packet with invalid payloads, MsgId (0x00000000)

13562 02/11/2005 14:33:45.240 SEV=4 IKE/136 RPT=383 82.207.215.246
Group [82.207.215.246]
IKE session establishment timed out [MM_WAIT_MSG5], aborting!

13564 02/11/2005 14:33:50.680 SEV=4 IKE/0 RPT=5109 82.207.215.246
Unsupported message length of 0

Does anybody know what the problem could be?

Thanks for any help.

Best regards

Christian
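The three concentrator events above are the whole of the evidence in this thread, so it is worth being able to read them mechanically. The following is an added example, not code from the original post or from Cisco: a small parser for VPN 3000 concentrator event lines (sequence, timestamp, SEV, class/code, RPT, peer address, then one or more message lines) and a per-peer summary that pulls out the IKE state the responder was stuck in. The sample log is constructed from the entries quoted in the post; the event-line layout and the diagnosis strings are this example's assumptions, not documented concentrator behaviour.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the three events quoted in the post, one header line
# each followed by its message lines.
SAMPLE_LOG = """\
3559 02/11/2005 14:33:44.730 SEV=4 IKE/100 RPT=374 82.207.215.246
Group [82.207.215.246]
Received encrypted Oakley Main Mode packet with invalid payloads,
MsgId (0x00000000)
13562 02/11/2005 14:33:45.240 SEV=4 IKE/136 RPT=383 82.207.215.246
Group [82.207.215.246]
IKE session establishment timed out [MM_WAIT_MSG5], aborting!
13564 02/11/2005 14:33:50.680 SEV=4 IKE/0 RPT=5109 82.207.215.246
Unsupported message length of 0
"""

# Assumed header layout: "<seq> <date> <time> SEV=<n> <CLASS>/<code> RPT=<n> <peer>"
HEADER = re.compile(
    r"^(?P<seq>\d+) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"SEV=(?P<sev>\d+) (?P<cls>[A-Z]+)/(?P<code>\d+) RPT=(?P<rpt>\d+) (?P<peer>\S+)$"
)
# IKE state machine names as they appear in brackets, e.g. [MM_WAIT_MSG5]
STATE = re.compile(r"\[(?:MM|AM|QM)_[A-Z0-9_]+\]")


@dataclass
class Event:
    seq: int
    sev: int
    cls: str
    code: int
    peer: str
    text: str  # message lines joined with single spaces


def parse_events(log: str) -> List[Event]:
    """Split the raw event log into Event records; lines before the first
    header are ignored, blank lines are skipped."""
    events: List[Event] = []
    header = None
    body: List[str] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            if header is not None:
                events.append(_make(header, body))
            header, body = m.groupdict(), []
        elif header is not None:
            body.append(line)
    if header is not None:
        events.append(_make(header, body))
    return events


def _make(h: dict, body: List[str]) -> Event:
    return Event(int(h["seq"]), int(h["sev"]), h["cls"], int(h["code"]),
                 h["peer"], " ".join(body))


def diagnose(events: List[Event]) -> Dict[str, dict]:
    """Per peer: the last IKE state seen plus a short finding per IKE event.
    The findings mirror the thread's own reasoning (bad PSK or proposal,
    truncated packet) and are assumptions, not concentrator documentation."""
    out: Dict[str, dict] = {}
    for ev in events:
        if ev.cls != "IKE":
            continue
        per = out.setdefault(ev.peer, {"state": None, "findings": []})
        sm = STATE.search(ev.text)
        if sm:
            per["state"] = sm.group(0).strip("[]")
        if "Main Mode packet with invalid payloads" in ev.text:
            # First encrypted Main Mode message could not be decoded: the two
            # sides derived different keys, so compare PSKs byte for byte.
            per["findings"].append("undecryptable MM packet: verify PSK byte-for-byte and Phase 1 proposal")
        elif "timed out" in ev.text:
            per["findings"].append(f"Phase 1 timed out in state {per['state'] or '?'}")
        elif "Unsupported message length of 0" in ev.text:
            per["findings"].append("zero-length IKE datagram: truncated or empty packet on UDP 500")
    return out


if __name__ == "__main__":
    for peer, info in diagnose(parse_events(SAMPLE_LOG)).items():
        print(peer, info["state"])
        for f in info["findings"]:
            print("  -", f)
```

Run against the sample, the summary names the single peer, the state MM_WAIT_MSG5 (the responder never accepted the initiator's fifth Main Mode message, which is the first encrypted one), and three findings, which is exactly the picture the later replies work from.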

4 Replies

fragomez
Level 1

Chris,

It seems to be a problem with Phase 1. I am concerned about the ports you are opening: why are you opening 5000?

Please open UDP 500 (ISAKMP)

and also open protocol 50, which is ESP.

Hope it helps...

Frank

Hello,

Sorry, that was a typing mistake... It's not port 5000 which is open, it is port 500 UDP...

Chris,

It's hard to tell, but based on what you are saying, the concentrator is receiving an unexpected packet. This could be because:

1) Mismatched encryption keys

2) A truncated packet

3) A non-conformant implementation

Try this:

0) Disable NAT-T on the concentrator (no UDP, no TCP)

1) Save configs on both sides

2) Disable the tunnel on the CVPN, then enable it again

3) Reboot the FortiGate

4) Try to bring up the tunnel again

Questions:

1) Is the ADSL router a modem, or are you doing any type of NAT?

2) Is the policy on the FortiGate ACCEPT or ENCRYPT?

If this does not work, I would say the configuration needs to be checked; this seems to be a configuration problem, assuming the ISP is not blocking traffic.

Let me know...

Frank

bcbabloo86
Level 1

Received encrypted Oakley Main Mode packet with invalid payloads, MsgId (0x00000000)

The problem was the Preshared Key in Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN.

There was an extra space at the end of the PSK. I think the extra space is interpreted as a character on the Cisco 3000. Once the extra space at the end of the PSK was removed, the tunnel came up the next day when troubleshooting.
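The reply above is the resolution of the thread, and the reason a trailing space breaks Phase 1 this way is worth seeing in numbers. With pre-shared-key authentication, RFC 2409 (section 5.4) derives SKEYID = prf(pre-shared-key, Ni_b | Nr_b), and the encryption key SKEYID_e is derived from SKEYID; so a PSK that differs by one trailing byte gives the responder a different SKEYID_e, and the initiator's fifth Main Mode message, the first encrypted one, decrypts to garbage and is logged as "invalid payloads" while the responder sits in MM_WAIT_MSG5. The following is an added example, not code from the post or from Cisco or Fortinet: a PSK hygiene audit that flags the whitespace and non-printable characters a paste can carry, and an illustration of the SKEYID derivation with the prf assumed to be HMAC-SHA1 (the real prf is the HMAC of whatever hash Phase 1 negotiated) over constructed nonces.

```python
import hashlib
import hmac
import unicodedata
from typing import Callable, List

# Constructed nonces standing in for Ni_b and Nr_b; real ones come from the
# Main Mode exchange and are 8-256 bytes long.
NI = bytes.fromhex("0102030405060708090a0b0c0d0e0f10")
NR = bytes.fromhex("f0e0d0c0b0a090807060504030201000")


def psk_audit(psk: str) -> List[str]:
    """Return the problems a reviewer would not see in a pasted PSK:
    surrounding whitespace, embedded line breaks or tabs, Unicode spaces
    such as NBSP, and anything non-printable."""
    issues: List[str] = []
    if psk != psk.strip():
        issues.append("leading/trailing whitespace")
    if any(ch in psk for ch in "\t\r\n"):
        issues.append("embedded tab or newline")
    if any(unicodedata.category(ch) == "Zs" and ch != " " for ch in psk):
        issues.append("non-ASCII space (e.g. NBSP)")
    if any(not ch.isprintable() for ch in psk):
        issues.append("non-printable character")
    return issues


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes,
               prf_hash: Callable = hashlib.sha1) -> bytes:
    """RFC 2409 5.4, PSK authentication: SKEYID = prf(pre-shared-key, Ni_b | Nr_b).
    prf = HMAC of the negotiated hash; SHA-1 is an assumption for this example."""
    return hmac.new(psk, ni + nr, prf_hash).digest()


def skeyid_e(skeyid: bytes, g_xy: bytes, cky_i: bytes, cky_r: bytes,
             prf_hash: Callable = hashlib.sha1) -> bytes:
    """RFC 2409 5: SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0),
    SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1),
    SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)."""
    d = hmac.new(skeyid, g_xy + cky_i + cky_r + b"\x00", prf_hash).digest()
    a = hmac.new(skeyid, d + g_xy + cky_i + cky_r + b"\x01", prf_hash).digest()
    return hmac.new(skeyid, a + g_xy + cky_i + cky_r + b"\x02", prf_hash).digest()


def sides_agree(psk_initiator: str, psk_responder: str) -> bool:
    """True only if both peers would derive the same SKEYID_e, i.e. the
    responder could decrypt Main Mode message 5. Diffie-Hellman secret and
    cookies are constructed constants: both sides share them by design, so
    the PSK is the only variable here."""
    g_xy = hashlib.sha256(b"constructed shared DH secret").digest()
    cky_i, cky_r = bytes.fromhex("1111111111111111"), bytes.fromhex("2222222222222222")
    e_i = skeyid_e(skeyid_psk(psk_initiator.encode(), NI, NR), g_xy, cky_i, cky_r)
    e_r = skeyid_e(skeyid_psk(psk_responder.encode(), NI, NR), g_xy, cky_i, cky_r)
    return hmac.compare_digest(e_i, e_r)


if __name__ == "__main__":
    for candidate in ["s3cret-key", "s3cret-key ", "s3cret\u00a0key"]:
        print(repr(candidate), psk_audit(candidate) or "clean",
              "agrees with clean key:", sides_agree("s3cret-key", candidate))
```

The audit is the check worth adding to any change procedure for LAN-to-LAN PSKs: compare the two sides' keys with a tool that shows whitespace, not by eye. The derivation part shows that "s3cret-key" and "s3cret-key " produce unrelated SKEYID_e values, so there is no partial match and no clue in the log beyond the undecryptable packet.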
