No obvious IPsec errors, but no connection either. Fortinet -> pfSense IPsec



  • Trying to connect a pfSense firewall to a Fortinet firewall using IPsec.

    Sanitized: IP addresses replaced by 1.1.1.1 (responder / destination) and 2.2.2.2 (initiator / source).

    I don't see any obvious IPsec errors; am I missing something?

    Error logs below:

    Apr 26 13:08:21	charon		08[NET] <con1000|80> sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (336 bytes)
    Apr 26 13:08:21	charon		08[IKE] <con1000|80> sending retransmit 1 of response message ID 0, seq 1
    Apr 26 13:08:17	charon		08[IKE] <con1000|80> queueing INFORMATIONAL_V1 request as tasks still active
    Apr 26 13:08:17	charon		08[NET] <con1000|80> received packet: from 1.1.1.1[500] to 2.2.2.2[500] (60 bytes)
    Apr 26 13:08:17	charon		08[CFG] vici client 275 disconnected
    Apr 26 13:08:17	charon		11[CFG] vici client 275 requests: list-sas
    Apr 26 13:08:17	charon		10[CFG] vici client 275 registered for: list-sa
    Apr 26 13:08:17	charon		11[CFG] vici client 275 connected
    Apr 26 13:08:17	charon		10[NET] <con1000|80> sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (336 bytes)
    Apr 26 13:08:17	charon		10[ENC] <con1000|80> generating AGGRESSIVE response 0 [ SA KE No ID V V V HASH ]
    Apr 26 13:08:17	charon		10[IKE] <con1000|80> sending FRAGMENTATION vendor ID
    Apr 26 13:08:17	charon		10[IKE] <con1000|80> sending DPD vendor ID
    Apr 26 13:08:17	charon		10[IKE] <con1000|80> sending XAuth vendor ID
    Apr 26 13:08:17	charon		10[CFG] <80> selected peer config "con1000"
    Apr 26 13:08:17	charon		10[CFG] <80> candidate "con1000", match: 1/20/3100 (me/other/ike)
    Apr 26 13:08:17	charon		10[CFG] <80> candidate "bypasslan", match: 1/1/24 (me/other/ike)
    Apr 26 13:08:17	charon		10[CFG] <80> looking for pre-shared key peer configs matching 2.2.2.2...1.1.1.1[1.1.1.1]
    Apr 26 13:08:17	charon		10[CFG] <80> selected proposal: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
    Apr 26 13:08:17	charon		10[CFG] <80> configured proposals: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
    Apr 26 13:08:17	charon		10[CFG] <80> received proposals: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
    Apr 26 13:08:17	charon		10[CFG] <80> proposal matches
    Apr 26 13:08:17	charon		10[CFG] <80> selecting proposal:
    Apr 26 13:08:17	charon		10[IKE] <80> IKE_SA (unnamed)[80] state change: CREATED => CONNECTING
    Apr 26 13:08:17	charon		10[IKE] <80> 1.1.1.1 is initiating a Aggressive Mode IKE_SA
    Apr 26 13:08:17	charon		10[ENC] <80> received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:05:01:43
    Apr 26 13:08:17	charon		10[IKE] <80> received FRAGMENTATION vendor ID
    Apr 26 13:08:17	charon		10[IKE] <80> received DPD vendor ID
    Apr 26 13:08:17	charon		10[CFG] <80> found matching ike config: 2.2.2.2...1.1.1.1 with prio 3100
    Apr 26 13:08:17	charon		10[CFG] <80> candidate: 2.2.2.2...1.1.1.1, prio 3100
    Apr 26 13:08:17	charon		10[CFG] <80> candidate: %any...%any, prio 24
    Apr 26 13:08:17	charon		10[CFG] <80> looking for an ike config for 2.2.2.2...1.1.1.1
    Apr 26 13:08:17	charon		10[ENC] <80> parsed AGGRESSIVE request 0 [ SA KE No ID V V V ]
    Apr 26 13:08:17	charon		10[NET] <80> received packet: from 1.1.1.1[500] to 2.2.2.2[500] (304 bytes)
    Apr 26 13:08:16	charon		10[IKE] <con1000|79> IKE_SA con1000[79] state change: CONNECTING => DESTROYING
    Apr 26 13:08:16	charon		10[JOB] <con1000|79> deleting half open IKE_SA with 1.1.1.1 after timeout
    Apr 26 13:08:11	charon		11[CFG] vici client 274 disconnected
    Apr 26 13:08:11	charon		14[CFG] vici client 274 requests: list-sas
    Apr 26 13:08:11	charon		10[CFG] vici client 274 registered for: list-sa
    Apr 26 13:08:11	charon		08[CFG] vici client 274 connected
    Apr 26 13:08:10	charon		08[NET] <con1000|79> sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (336 bytes)
    Apr 26 13:08:10	charon		08[IKE] <con1000|79> sending retransmit 3 of response message ID 0, seq 1
    Apr 26 13:08:05	charon		08[CFG] vici client 273 disconnected
    Apr 26 13:08:05	charon		14[CFG] vici client 273 requests: list-sas
    Apr 26 13:08:05	charon		08[CFG] vici client 273 registered for: list-sa
    Apr 26 13:08:05	charon		14[CFG] vici client 273 connected
    Apr 26 13:08:04	charon		08[NET] <con1000|79> sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (336 bytes)
    Apr 26 13:08:04	charon		08[IKE] <con1000|79> received retransmit of request with ID 0, retransmitting response
    Apr 26 13:08:04	charon		08[NET] <con1000|79> received packet: from 1.1.1.1[500] to 2.2.2.2[500] (304 bytes)
    Apr 26 13:07:59	charon		08[CFG] vici client 272 disconnected
    Apr 26 13:07:59	charon		14[CFG] vici client 272 requests: list-sas
    Apr 26 13:07:59	charon		15[CFG] vici client 272 registered for: list-sa
    Apr 26 13:07:59	charon		15[CFG] vici client 272 connected
    Apr 26 13:07:57	charon		08[NET] <con1000|79> sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (336 bytes)
    Apr 26 13:07:57	charon		08[IKE] <con1000|79> sending retransmit 2 of response message ID 0, seq 1
    Apr 26 13:07:53	charon		08[CFG] vici client 271 disconnected
    Apr 26 13:07:53	charon		15[CFG] vici client 271 requests: list-sas
    Apr 26 13:07:53	charon		14[CFG] vici client 271 registered for: list-sa
    Apr 26 13:07:53	charon		08[CFG] vici client 271 connected
    Apr 26 13:07:52	charon		07[NET] <con1000|79> sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (336 bytes)
    Apr 26 13:07:52	charon		07[IKE] <con1000|79> received retransmit of request with ID 0, retransmitting response
    Apr 26 13:07:52	charon		07[NET] <con1000|79> received packet: from 1.1.1.1[500] to 2.2.2.2[500] (304 bytes)
    Apr 26 13:07:50	charon		07[NET] <con1000|79> sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (336 bytes)
    Apr 26 13:07:50	charon		07[IKE] <con1000|79> sending retransmit 1 of response message ID 0, seq 1
    Apr 26 13:07:47	charon		07[CFG] vici client 270 disconnected
    Apr 26 13:07:47	charon		07[CFG] vici client 270 requests: list-sas
    Apr 26 13:07:47	charon		08[CFG] vici client 270 registered for: list-sa
    Apr 26 13:07:47	charon		07[CFG] vici client 270 connected
    Apr 26 13:07:46	charon		07[IKE] <con1000|79> queueing INFORMATIONAL_V1 request as tasks still active
    Apr 26 13:07:46	charon		07[NET] <con1000|79> received packet: from 1.1.1.1[500] to 2.2.2.2[500] (60 bytes)
    Apr 26 13:07:46	charon		05[NET] <con1000|79> sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (336 bytes)
    Apr 26 13:07:46	charon		05[ENC] <con1000|79> generating AGGRESSIVE response 0 [ SA KE No ID V V V HASH ]
    Apr 26 13:07:46	charon		05[IKE] <con1000|79> sending FRAGMENTATION vendor ID
    Apr 26 13:07:46	charon		05[IKE] <con1000|79> sending DPD vendor ID
    Apr 26 13:07:46	charon		05[IKE] <con1000|79> sending XAuth vendor ID
    Apr 26 13:07:46	charon		05[CFG] <79> selected peer config "con1000"
    Apr 26 13:07:46	charon		05[CFG] <79> candidate "con1000", match: 1/20/3100 (me/other/ike)
    Apr 26 13:07:46	charon		05[CFG] <79> candidate "bypasslan", match: 1/1/24 (me/other/ike)
    Apr 26 13:07:46	charon		05[CFG] <79> looking for pre-shared key peer configs matching 2.2.2.2...1.1.1.1[1.1.1.1]
    Apr 26 13:07:46	charon		05[CFG] <79> selected proposal: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
    Apr 26 13:07:46	charon		05[CFG] <79> configured proposals: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
    Apr 26 13:07:46	charon		05[CFG] <79> received proposals: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
    Apr 26 13:07:46	charon		05[CFG] <79> proposal matches
    Apr 26 13:07:46	charon		05[CFG] <79> selecting proposal:
    Apr 26 13:07:46	charon		05[IKE] <79> IKE_SA (unnamed)[79] state change: CREATED => CONNECTING
    Apr 26 13:07:46	charon		05[IKE] <79> 1.1.1.1 is initiating a Aggressive Mode IKE_SA
    Apr 26 13:07:46	charon		05[ENC] <79> received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:05:01:43
    Apr 26 13:07:46	charon		05[IKE] <79> received FRAGMENTATION vendor ID
    Apr 26 13:07:46	charon		05[IKE] <79> received DPD vendor ID
    Apr 26 13:07:46	charon		05[CFG] <79> found matching ike config: 2.2.2.2...1.1.1.1 with prio 3100
    Apr 26 13:07:46	charon		05[CFG] <79> candidate: 2.2.2.2...1.1.1.1, prio 3100
    Apr 26 13:07:46	charon		05[CFG] <79> candidate: %any...%any, prio 24
    Apr 26 13:07:46	charon		05[CFG] <79> looking for an ike config for 2.2.2.2...1.1.1.1
    Apr 26 13:07:46	charon		05[ENC] <79> parsed AGGRESSIVE request 0 [ SA KE No ID V V V ]
    Apr 26 13:07:46	charon		05[NET] <79> received packet: from 1.1.1.1[500] to 2.2.2.2[500] (304 bytes)
    Apr 26 13:07:45	charon		05[IKE] <con1000|78> IKE_SA con1000[78] state change: CONNECTING => DESTROYING
    Apr 26 13:07:45	charon		05[JOB] <con1000|78> deleting half open IKE_SA with 1.1.1.1 after timeout
    Apr 26 13:07:41	charon		05[CFG] vici client 269 disconnected
    Apr 26 13:07:41	charon		07[CFG] vici client 269 requests: list-sas
    Apr 26 13:07:41	charon		07[CFG] vici client 269 registered for: list-sa
    Apr 26 13:07:41	charon		08[CFG] vici client 269 connected
    Apr 26 13:07:39	charon		07[NET] <con1000|78> sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (336 bytes)
    Apr 26 13:07:39	charon		07[IKE] <con1000|78> sending retransmit 3 of response message ID 0, seq 1
    Apr 26 13:07:35	charon		16[CFG] vici client 268 disconnected
    Apr 26 13:07:35	charon		07[CFG] vici client 268 requests: list-sas
    Apr 26 13:07:35	charon		16[CFG] vici client 268 registered for: list-sa
    Apr 26 13:07:35	charon		07[CFG] vici client 268 connected
    Apr 26 13:07:33	charon		08[NET] <con1000|78> sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (336 bytes)
    Apr 26 13:07:33	charon		08[IKE] <con1000|78> received retransmit of request with ID 0, retransmitting response
    Apr 26 13:07:33	charon		08[NET] <con1000|78> received packet: from 1.1.1.1[500] to 2.2.2.2[500] (304 bytes)
    Apr 26 13:07:29	charon		08[CFG] vici client 267 disconnected
    Apr 26 13:07:29	charon		13[CFG] vici client 267 requests: list-sas
    Apr 26 13:07:29	charon		07[CFG] vici client 267 registered for: list-sa
    Apr 26 13:07:29	charon		13[CFG] vici client 267 connected
    Apr 26 13:07:26	charon		08[NET] <con1000|78> sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (336 bytes)
    Apr 26 13:07:26	charon		08[IKE] <con1000|78> sending retransmit 2 of response message ID 0, seq 1
    Apr 26 13:07:23	charon		08[CFG] vici client 266 disconnected
    Apr 26 13:07:23	charon		08[CFG] vici client 266 requests: list-sas
    Apr 26 13:07:23	charon		06[CFG] vici client 266 registered for: list-sa
    Apr 26 13:07:23	charon		08[CFG] vici client 266 connected
    Apr 26 13:07:21	charon		13[NET] <con1000|78> sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (336 bytes)
    Apr 26 13:07:21	charon		13[IKE] <con1000|78> received retransmit of request with ID 0, retransmitting response
    Apr 26 13:07:21	charon		13[NET] <con1000|78> received packet: from 1.1.1.1[500] to 2.2.2.2[500] (304 bytes)
    Apr 26 13:07:19	charon		13[NET] <con1000|78> sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (336 bytes)
    Apr 26 13:07:19	charon		13[IKE] <con1000|78> sending retransmit 1 of response message ID 0, seq 1
    Apr 26 13:07:17	charon		13[CFG] vici client 265 disconnected
    Apr 26 13:07:17	charon		13[CFG] vici client 265 requests: list-sas
    Apr 26 13:07:17	charon		12[CFG] vici client 265 registered for: list-sa
    Apr 26 13:07:17	charon		13[CFG] vici client 265 connected
    Apr 26 13:07:15	charon		13[IKE] <con1000|78> queueing INFORMATIONAL_V1 request as tasks still active
    Apr 26 13:07:15	charon		13[NET] <con1000|78> received packet: from 1.1.1.1[500] to 2.2.2.2[500] (60 bytes)
    Apr 26 13:07:15	charon		13[NET] <con1000|78> sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (336 bytes)
    Apr 26 13:07:15	charon		13[ENC] <con1000|78> generating AGGRESSIVE response 0 [ SA KE No ID V V V HASH ]
    Apr 26 13:07:15	charon		13[IKE] <con1000|78> sending FRAGMENTATION vendor ID
    Apr 26 13:07:15	charon		13[IKE] <con1000|78> sending DPD vendor ID
    Apr 26 13:07:15	charon		13[IKE] <con1000|78> sending XAuth vendor ID
    Apr 26 13:07:15	charon		13[CFG] <78> selected peer config "con1000"
    Apr 26 13:07:15	charon		13[CFG] <78> candidate "con1000", match: 1/20/3100 (me/other/ike)
    Apr 26 13:07:15	charon		13[CFG] <78> candidate "bypasslan", match: 1/1/24 (me/other/ike)
    Apr 26 13:07:15	charon		13[CFG] <78> looking for pre-shared key peer configs matching 2.2.2.2...1.1.1.1[1.1.1.1]
    Apr 26 13:07:15	charon		13[CFG] <78> selected proposal: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
    Apr 26 13:07:15	charon		13[CFG] <78> configured proposals: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
    Apr 26 13:07:15	charon		13[CFG] <78> received proposals: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
    Apr 26 13:07:15	charon		13[CFG] <78> proposal matches
    Apr 26 13:07:15	charon		13[CFG] <78> selecting proposal:
    Apr 26 13:07:15	charon		13[IKE] <78> IKE_SA (unnamed)[78] state change: CREATED => CONNECTING
    Apr 26 13:07:15	charon		13[IKE] <78> 1.1.1.1 is initiating a Aggressive Mode IKE_SA
    Apr 26 13:07:15	charon		13[ENC] <78> received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:05:01:43
    Apr 26 13:07:15	charon		13[IKE] <78> received FRAGMENTATION vendor ID
    Apr 26 13:07:15	charon		13[IKE] <78> received DPD vendor ID
    Apr 26 13:07:15	charon		13[CFG] <78> found matching ike config: 2.2.2.2...1.1.1.1 with prio 3100
    Apr 26 13:07:15	charon		13[CFG] <78> candidate: 2.2.2.2...1.1.1.1, prio 3100
    Apr 26 13:07:15	charon		13[CFG] <78> candidate: %any...%any, prio 24
    Apr 26 13:07:15	charon		13[CFG] <78> looking for an ike config for 2.2.2.2...1.1.1.1
    Apr 26 13:07:15	charon		13[ENC] <78> parsed AGGRESSIVE request 0 [ SA KE No ID V V V ]
    Apr 26 13:07:15	charon		13[NET] <78> received packet: from 1.1.1.1[500] to 2.2.2.2[500] (304 bytes)
    Apr 26 13:07:14	charon		13[IKE] <con1000|77> IKE_SA con1000[77] state change: CONNECTING => DESTROYING
    Apr 26 13:07:14	charon		13[JOB] <con1000|77> deleting half open IKE_SA with 1.1.1.1 after timeout
    Apr 26 13:07:11	charon		13[CFG] vici client 264 disconnected
    Apr 26 13:07:11	charon		13[CFG] vici client 264 requests: list-sas
    Apr 26 13:07:11	charon		12[CFG] vici client 264 registered for: list-sa
    Apr 26 13:07:11	charon		11[CFG] vici client 264 connected
    Apr 26 13:07:08	charon		13[NET] <con1000|77> sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (336 bytes)
    Apr 26 13:07:08	charon		13[IKE] <con1000|77> sending retransmit 3 of response message ID 0, seq 1
    Apr 26 13:07:05	charon		13[CFG] vici client 263 disconnected
    Apr 26 13:07:05	charon		11[CFG] vici client 263 requests: list-sas
    Apr 26 13:07:05	charon		11[CFG] vici client 263 registered for: list-sa
    Apr 26 13:07:05	charon		11[CFG] vici client 263 connected
    Apr 26 13:07:02	charon		10[NET] <con1000|77> sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (336 bytes)
    Apr 26 13:07:02	charon		10[IKE] <con1000|77> received retransmit of request with ID 0, retransmitting response
    Apr 26 13:07:02	charon		10[NET] <con1000|77> received packet: from 1.1.1.1[500] to 2.2.2.2[500] (304 bytes)
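    As an added triage helper (not from this thread, pfSense or strongSwan), the Python below groups charon lines by IKE_SA number and reports, for each aggressive-mode attempt, whether the responder got past its own message 2 (the pattern in the log above: response sent, a 60-byte INFORMATIONAL_V1 arrives, three response retransmits, then the half-open IKE_SA is deleted) and whether the negotiated proposal uses legacy algorithms. The sample log is a constructed, condensed subset of the lines in the post; the WEAK algorithm list is an assumption, not something the page states.

    ```python
    import re
    from collections import defaultdict

    # Constructed sample, condensed from the charon lines in the post above (IKE_SA 78 only;
    # 2.2.2.2 is the pfSense responder, 1.1.1.1 the initiator).
    SAMPLE_LOG = """\
    Apr 26 13:07:15 charon 13[NET] <78> received packet: from 1.1.1.1[500] to 2.2.2.2[500] (304 bytes)
    Apr 26 13:07:15 charon 13[ENC] <78> parsed AGGRESSIVE request 0 [ SA KE No ID V V V ]
    Apr 26 13:07:15 charon 13[CFG] <78> selected proposal: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
    Apr 26 13:07:15 charon 13[ENC] <con1000|78> generating AGGRESSIVE response 0 [ SA KE No ID V V V HASH ]
    Apr 26 13:07:15 charon 13[NET] <con1000|78> received packet: from 1.1.1.1[500] to 2.2.2.2[500] (60 bytes)
    Apr 26 13:07:15 charon 13[IKE] <con1000|78> queueing INFORMATIONAL_V1 request as tasks still active
    Apr 26 13:07:19 charon 13[IKE] <con1000|78> sending retransmit 1 of response message ID 0, seq 1
    Apr 26 13:07:39 charon 07[IKE] <con1000|78> sending retransmit 3 of response message ID 0, seq 1
    Apr 26 13:07:45 charon 05[JOB] <con1000|78> deleting half open IKE_SA with 1.1.1.1 after timeout
    """

    # charon tags a line <78> before a peer config is chosen and <con1000|78> afterwards.
    LINE_RE = re.compile(r"charon\s+\d+\[\w+\]\s+<(?:[^|>]*\|)?(\d+)>\s*(.*)$")
    # Algorithms a responder should no longer accept (assumed list, not taken from the page).
    WEAK = {"DES_CBC", "3DES_CBC", "HMAC_MD5_96", "PRF_HMAC_MD5", "MODP_768", "MODP_1024"}

    def triage(log_text):
        """Group charon lines by IKE_SA number and say where each phase 1 attempt stopped."""
        sas = defaultdict(list)
        for line in log_text.splitlines():
            m = LINE_RE.search(line)
            if m:
                sas[int(m.group(1))].append(m.group(2))
        report = {}
        for sa, msgs in sorted(sas.items()):
            joined = "\n".join(msgs)
            prop = re.search(r"selected proposal: IKE:(\S+)", joined)
            r = {
                "aggressive_mode": "parsed AGGRESSIVE request 0" in joined,
                "response_sent": "generating AGGRESSIVE response 0" in joined,
                # charon logs "CONNECTING => ESTABLISHED" only after the initiator's HASH
                # (aggressive mode message 3) has been verified; it never appears in the post.
                "established": "=> ESTABLISHED" in joined,
                "informational_received": "INFORMATIONAL_V1" in joined,
                "retransmits": len(re.findall(r"sending retransmit \d+ of response", joined)),
                "timed_out": "deleting half open IKE_SA" in joined,
                "weak_algorithms": sorted(WEAK & set(prop.group(1).split("/"))) if prop else [],
            }
            r["verdict"] = ("phase 1 established" if r["established"] else
                            "stalled after responder message 2: initiator never completed phase 1"
                            if r["response_sent"] and r["timed_out"] else "no stall pattern matched")
            report[sa] = r
        return report
    ```

    Run it over the full log and every SA (77 through 80) should come back with the same stalled verdict, which is the signal to check what the initiator does with the responder's message 2 (PSK and identifier settings on both ends) rather than the proposal, which matched.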
    


  • I have the exact same problem. I also see 2 entries in pfSense's IPsec status, one responder and the other initiator, which I've never seen before. I've configured my connection to be only a responder and there's still no change.
    Logs on Fortinet show that negotiation for phase 1 is successful, but it's not connecting.

    Hope someone has an idea/fix. Restarting the service or pfSense didn't change anything.


 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy