No obvious IPsec errors, but no connection either. Fortinet -> pfSense IPsec
-
Trying to connect a pfSense firewall to a Fortinet firewall using IPsec.
Sanitized: IP addresses replaced by 1.1.1.1 (responder / destination) and 2.2.2.2 (initiator / source).
I don't see any obvious IPsec errors. Am I missing something?
Error logs below:
Apr 26 13:08:21 charon 08[NET] <con1000|80> sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (336 bytes)
Apr 26 13:08:21 charon 08[IKE] <con1000|80> sending retransmit 1 of response message ID 0, seq 1
Apr 26 13:08:17 charon 08[IKE] <con1000|80> queueing INFORMATIONAL_V1 request as tasks still active
Apr 26 13:08:17 charon 08[NET] <con1000|80> received packet: from 1.1.1.1[500] to 2.2.2.2[500] (60 bytes)
Apr 26 13:08:17 charon 08[CFG] vici client 275 disconnected
Apr 26 13:08:17 charon 11[CFG] vici client 275 requests: list-sas
Apr 26 13:08:17 charon 10[CFG] vici client 275 registered for: list-sa
Apr 26 13:08:17 charon 11[CFG] vici client 275 connected
Apr 26 13:08:17 charon 10[NET] <con1000|80> sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (336 bytes)
Apr 26 13:08:17 charon 10[ENC] <con1000|80> generating AGGRESSIVE response 0 [ SA KE No ID V V V HASH ]
Apr 26 13:08:17 charon 10[IKE] <con1000|80> sending FRAGMENTATION vendor ID
Apr 26 13:08:17 charon 10[IKE] <con1000|80> sending DPD vendor ID
Apr 26 13:08:17 charon 10[IKE] <con1000|80> sending XAuth vendor ID
Apr 26 13:08:17 charon 10[CFG] <80> selected peer config "con1000"
Apr 26 13:08:17 charon 10[CFG] <80> candidate "con1000", match: 1/20/3100 (me/other/ike)
Apr 26 13:08:17 charon 10[CFG] <80> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Apr 26 13:08:17 charon 10[CFG] <80> looking for pre-shared key peer configs matching 2.2.2.2...1.1.1.1[1.1.1.1]
Apr 26 13:08:17 charon 10[CFG] <80> selected proposal: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Apr 26 13:08:17 charon 10[CFG] <80> configured proposals: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Apr 26 13:08:17 charon 10[CFG] <80> received proposals: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Apr 26 13:08:17 charon 10[CFG] <80> proposal matches
Apr 26 13:08:17 charon 10[CFG] <80> selecting proposal:
Apr 26 13:08:17 charon 10[IKE] <80> IKE_SA (unnamed)[80] state change: CREATED => CONNECTING
Apr 26 13:08:17 charon 10[IKE] <80> 1.1.1.1 is initiating a Aggressive Mode IKE_SA
Apr 26 13:08:17 charon 10[ENC] <80> received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:05:01:43
Apr 26 13:08:17 charon 10[IKE] <80> received FRAGMENTATION vendor ID
Apr 26 13:08:17 charon 10[IKE] <80> received DPD vendor ID
Apr 26 13:08:17 charon 10[CFG] <80> found matching ike config: 2.2.2.2...1.1.1.1 with prio 3100
Apr 26 13:08:17 charon 10[CFG] <80> candidate: 2.2.2.2...1.1.1.1, prio 3100
Apr 26 13:08:17 charon 10[CFG] <80> candidate: %any...%any, prio 24
Apr 26 13:08:17 charon 10[CFG] <80> looking for an ike config for 2.2.2.2...1.1.1.1
Apr 26 13:08:17 charon 10[ENC] <80> parsed AGGRESSIVE request 0 [ SA KE No ID V V V ]
Apr 26 13:08:17 charon 10[NET] <80> received packet: from 1.1.1.1[500] to 2.2.2.2[500] (304 bytes)
Apr 26 13:08:16 charon 10[IKE] <con1000|79> IKE_SA con1000[79] state change: CONNECTING => DESTROYING
Apr 26 13:08:16 charon 10[JOB] <con1000|79> deleting half open IKE_SA with 1.1.1.1 after timeout
Apr 26 13:08:11 charon 11[CFG] vici client 274 disconnected
Apr 26 13:08:11 charon 14[CFG] vici client 274 requests: list-sas
Apr 26 13:08:11 charon 10[CFG] vici client 274 registered for: list-sa
Apr 26 13:08:11 charon 08[CFG] vici client 274 connected
Apr 26 13:08:10 charon 08[NET] <con1000|79> sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (336 bytes)
Apr 26 13:08:10 charon 08[IKE] <con1000|79> sending retransmit 3 of response message ID 0, seq 1
Apr 26 13:08:05 charon 08[CFG] vici client 273 disconnected
Apr 26 13:08:05 charon 14[CFG] vici client 273 requests: list-sas
Apr 26 13:08:05 charon 08[CFG] vici client 273 registered for: list-sa
Apr 26 13:08:05 charon 14[CFG] vici client 273 connected
Apr 26 13:08:04 charon 08[NET] <con1000|79> sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (336 bytes)
Apr 26 13:08:04 charon 08[IKE] <con1000|79> received retransmit of request with ID 0, retransmitting response
Apr 26 13:08:04 charon 08[NET] <con1000|79> received packet: from 1.1.1.1[500] to 2.2.2.2[500] (304 bytes)
Apr 26 13:07:59 charon 08[CFG] vici client 272 disconnected
Apr 26 13:07:59 charon 14[CFG] vici client 272 requests: list-sas
Apr 26 13:07:59 charon 15[CFG] vici client 272 registered for: list-sa
Apr 26 13:07:59 charon 15[CFG] vici client 272 connected
Apr 26 13:07:57 charon 08[NET] <con1000|79> sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (336 bytes)
Apr 26 13:07:57 charon 08[IKE] <con1000|79> sending retransmit 2 of response message ID 0, seq 1
Apr 26 13:07:53 charon 08[CFG] vici client 271 disconnected
Apr 26 13:07:53 charon 15[CFG] vici client 271 requests: list-sas
Apr 26 13:07:53 charon 14[CFG] vici client 271 registered for: list-sa
Apr 26 13:07:53 charon 08[CFG] vici client 271 connected
Apr 26 13:07:52 charon 07[NET] <con1000|79> sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (336 bytes)
Apr 26 13:07:52 charon 07[IKE] <con1000|79> received retransmit of request with ID 0, retransmitting response
Apr 26 13:07:52 charon 07[NET] <con1000|79> received packet: from 1.1.1.1[500] to 2.2.2.2[500] (304 bytes)
Apr 26 13:07:50 charon 07[NET] <con1000|79> sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (336 bytes)
Apr 26 13:07:50 charon 07[IKE] <con1000|79> sending retransmit 1 of response message ID 0, seq 1
Apr 26 13:07:47 charon 07[CFG] vici client 270 disconnected
Apr 26 13:07:47 charon 07[CFG] vici client 270 requests: list-sas
Apr 26 13:07:47 charon 08[CFG] vici client 270 registered for: list-sa
Apr 26 13:07:47 charon 07[CFG] vici client 270 connected
Apr 26 13:07:46 charon 07[IKE] <con1000|79> queueing INFORMATIONAL_V1 request as tasks still active
Apr 26 13:07:46 charon 07[NET] <con1000|79> received packet: from 1.1.1.1[500] to 2.2.2.2[500] (60 bytes)
Apr 26 13:07:46 charon 05[NET] <con1000|79> sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (336 bytes)
Apr 26 13:07:46 charon 05[ENC] <con1000|79> generating AGGRESSIVE response 0 [ SA KE No ID V V V HASH ]
Apr 26 13:07:46 charon 05[IKE] <con1000|79> sending FRAGMENTATION vendor ID
Apr 26 13:07:46 charon 05[IKE] <con1000|79> sending DPD vendor ID
Apr 26 13:07:46 charon 05[IKE] <con1000|79> sending XAuth vendor ID
Apr 26 13:07:46 charon 05[CFG] <79> selected peer config "con1000"
Apr 26 13:07:46 charon 05[CFG] <79> candidate "con1000", match: 1/20/3100 (me/other/ike)
Apr 26 13:07:46 charon 05[CFG] <79> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Apr 26 13:07:46 charon 05[CFG] <79> looking for pre-shared key peer configs matching 2.2.2.2...1.1.1.1[1.1.1.1]
Apr 26 13:07:46 charon 05[CFG] <79> selected proposal: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Apr 26 13:07:46 charon 05[CFG] <79> configured proposals: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Apr 26 13:07:46 charon 05[CFG] <79> received proposals: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Apr 26 13:07:46 charon 05[CFG] <79> proposal matches
Apr 26 13:07:46 charon 05[CFG] <79> selecting proposal:
Apr 26 13:07:46 charon 05[IKE] <79> IKE_SA (unnamed)[79] state change: CREATED => CONNECTING
Apr 26 13:07:46 charon 05[IKE] <79> 1.1.1.1 is initiating a Aggressive Mode IKE_SA
Apr 26 13:07:46 charon 05[ENC] <79> received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:05:01:43
Apr 26 13:07:46 charon 05[IKE] <79> received FRAGMENTATION vendor ID
Apr 26 13:07:46 charon 05[IKE] <79> received DPD vendor ID
Apr 26 13:07:46 charon 05[CFG] <79> found matching ike config: 2.2.2.2...1.1.1.1 with prio 3100
Apr 26 13:07:46 charon 05[CFG] <79> candidate: 2.2.2.2...1.1.1.1, prio 3100
Apr 26 13:07:46 charon 05[CFG] <79> candidate: %any...%any, prio 24
Apr 26 13:07:46 charon 05[CFG] <79> looking for an ike config for 2.2.2.2...1.1.1.1
Apr 26 13:07:46 charon 05[ENC] <79> parsed AGGRESSIVE request 0 [ SA KE No ID V V V ]
Apr 26 13:07:46 charon 05[NET] <79> received packet: from 1.1.1.1[500] to 2.2.2.2[500] (304 bytes)
Apr 26 13:07:45 charon 05[IKE] <con1000|78> IKE_SA con1000[78] state change: CONNECTING => DESTROYING
Apr 26 13:07:45 charon 05[JOB] <con1000|78> deleting half open IKE_SA with 1.1.1.1 after timeout
Apr 26 13:07:41 charon 05[CFG] vici client 269 disconnected
Apr 26 13:07:41 charon 07[CFG] vici client 269 requests: list-sas
Apr 26 13:07:41 charon 07[CFG] vici client 269 registered for: list-sa
Apr 26 13:07:41 charon 08[CFG] vici client 269 connected
Apr 26 13:07:39 charon 07[NET] <con1000|78> sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (336 bytes)
Apr 26 13:07:39 charon 07[IKE] <con1000|78> sending retransmit 3 of response message ID 0, seq 1
Apr 26 13:07:35 charon 16[CFG] vici client 268 disconnected
Apr 26 13:07:35 charon 07[CFG] vici client 268 requests: list-sas
Apr 26 13:07:35 charon 16[CFG] vici client 268 registered for: list-sa
Apr 26 13:07:35 charon 07[CFG] vici client 268 connected
Apr 26 13:07:33 charon 08[NET] <con1000|78> sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (336 bytes)
Apr 26 13:07:33 charon 08[IKE] <con1000|78> received retransmit of request with ID 0, retransmitting response
Apr 26 13:07:33 charon 08[NET] <con1000|78> received packet: from 1.1.1.1[500] to 2.2.2.2[500] (304 bytes)
Apr 26 13:07:29 charon 08[CFG] vici client 267 disconnected
Apr 26 13:07:29 charon 13[CFG] vici client 267 requests: list-sas
Apr 26 13:07:29 charon 07[CFG] vici client 267 registered for: list-sa
Apr 26 13:07:29 charon 13[CFG] vici client 267 connected
Apr 26 13:07:26 charon 08[NET] <con1000|78> sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (336 bytes)
Apr 26 13:07:26 charon 08[IKE] <con1000|78> sending retransmit 2 of response message ID 0, seq 1
Apr 26 13:07:23 charon 08[CFG] vici client 266 disconnected
Apr 26 13:07:23 charon 08[CFG] vici client 266 requests: list-sas
Apr 26 13:07:23 charon 06[CFG] vici client 266 registered for: list-sa
Apr 26 13:07:23 charon 08[CFG] vici client 266 connected
Apr 26 13:07:21 charon 13[NET] <con1000|78> sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (336 bytes)
Apr 26 13:07:21 charon 13[IKE] <con1000|78> received retransmit of request with ID 0, retransmitting response
Apr 26 13:07:21 charon 13[NET] <con1000|78> received packet: from 1.1.1.1[500] to 2.2.2.2[500] (304 bytes)
Apr 26 13:07:19 charon 13[NET] <con1000|78> sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (336 bytes)
Apr 26 13:07:19 charon 13[IKE] <con1000|78> sending retransmit 1 of response message ID 0, seq 1
Apr 26 13:07:17 charon 13[CFG] vici client 265 disconnected
Apr 26 13:07:17 charon 13[CFG] vici client 265 requests: list-sas
Apr 26 13:07:17 charon 12[CFG] vici client 265 registered for: list-sa
Apr 26 13:07:17 charon 13[CFG] vici client 265 connected
Apr 26 13:07:15 charon 13[IKE] <con1000|78> queueing INFORMATIONAL_V1 request as tasks still active
Apr 26 13:07:15 charon 13[NET] <con1000|78> received packet: from 1.1.1.1[500] to 2.2.2.2[500] (60 bytes)
Apr 26 13:07:15 charon 13[NET] <con1000|78> sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (336 bytes)
Apr 26 13:07:15 charon 13[ENC] <con1000|78> generating AGGRESSIVE response 0 [ SA KE No ID V V V HASH ]
Apr 26 13:07:15 charon 13[IKE] <con1000|78> sending FRAGMENTATION vendor ID
Apr 26 13:07:15 charon 13[IKE] <con1000|78> sending DPD vendor ID
Apr 26 13:07:15 charon 13[IKE] <con1000|78> sending XAuth vendor ID
Apr 26 13:07:15 charon 13[CFG] <78> selected peer config "con1000"
Apr 26 13:07:15 charon 13[CFG] <78> candidate "con1000", match: 1/20/3100 (me/other/ike)
Apr 26 13:07:15 charon 13[CFG] <78> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Apr 26 13:07:15 charon 13[CFG] <78> looking for pre-shared key peer configs matching 2.2.2.2...1.1.1.1[1.1.1.1]
Apr 26 13:07:15 charon 13[CFG] <78> selected proposal: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Apr 26 13:07:15 charon 13[CFG] <78> configured proposals: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Apr 26 13:07:15 charon 13[CFG] <78> received proposals: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Apr 26 13:07:15 charon 13[CFG] <78> proposal matches
Apr 26 13:07:15 charon 13[CFG] <78> selecting proposal:
Apr 26 13:07:15 charon 13[IKE] <78> IKE_SA (unnamed)[78] state change: CREATED => CONNECTING
Apr 26 13:07:15 charon 13[IKE] <78> 1.1.1.1 is initiating a Aggressive Mode IKE_SA
Apr 26 13:07:15 charon 13[ENC] <78> received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:05:01:43
Apr 26 13:07:15 charon 13[IKE] <78> received FRAGMENTATION vendor ID
Apr 26 13:07:15 charon 13[IKE] <78> received DPD vendor ID
Apr 26 13:07:15 charon 13[CFG] <78> found matching ike config: 2.2.2.2...1.1.1.1 with prio 3100
Apr 26 13:07:15 charon 13[CFG] <78> candidate: 2.2.2.2...1.1.1.1, prio 3100
Apr 26 13:07:15 charon 13[CFG] <78> candidate: %any...%any, prio 24
Apr 26 13:07:15 charon 13[CFG] <78> looking for an ike config for 2.2.2.2...1.1.1.1
Apr 26 13:07:15 charon 13[ENC] <78> parsed AGGRESSIVE request 0 [ SA KE No ID V V V ]
Apr 26 13:07:15 charon 13[NET] <78> received packet: from 1.1.1.1[500] to 2.2.2.2[500] (304 bytes)
Apr 26 13:07:14 charon 13[IKE] <con1000|77> IKE_SA con1000[77] state change: CONNECTING => DESTROYING
Apr 26 13:07:14 charon 13[JOB] <con1000|77> deleting half open IKE_SA with 1.1.1.1 after timeout
Apr 26 13:07:11 charon 13[CFG] vici client 264 disconnected
Apr 26 13:07:11 charon 13[CFG] vici client 264 requests: list-sas
Apr 26 13:07:11 charon 12[CFG] vici client 264 registered for: list-sa
Apr 26 13:07:11 charon 11[CFG] vici client 264 connected
Apr 26 13:07:08 charon 13[NET] <con1000|77> sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (336 bytes)
Apr 26 13:07:08 charon 13[IKE] <con1000|77> sending retransmit 3 of response message ID 0, seq 1
Apr 26 13:07:05 charon 13[CFG] vici client 263 disconnected
Apr 26 13:07:05 charon 11[CFG] vici client 263 requests: list-sas
Apr 26 13:07:05 charon 11[CFG] vici client 263 registered for: list-sa
Apr 26 13:07:05 charon 11[CFG] vici client 263 connected
Apr 26 13:07:02 charon 10[NET] <con1000|77> sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (336 bytes)
Apr 26 13:07:02 charon 10[IKE] <con1000|77> received retransmit of request with ID 0, retransmitting response
Apr 26 13:07:02 charon 10[NET] <con1000|77> received packet: from 1.1.1.1[500] to 2.2.2.2[500] (304 bytes)
-
I have the exact same problem. I also see 2 entries in pfSense's IPsec status, one responder and the other initiator; I've never seen that before. I've configured my connection to be responder only and there's still no change.
Logs on the Fortinet show that negotiation for phase 1 is successful, but it is not connecting. Hope someone has an idea/fix. Restarting the service or pfSense didn't change anything.
-
I have IPsec working very reliably between Fortinet and pfSense. Here are some notes:
I have set a Maximum MSS on the pfSense end (IPsec -> Advanced); mine is currently 1390.
I use MAIN mode; I can see AGGRESSIVE mode mentioned in your log. I also use IKEv2, not v1. Also, if you have multiple P2s then tick "Split Connections".
If you use CARP then ensure you are not outbound NATting your IPsec traffic.
DPD is enabled.
I also once "fixed" a problem with a reboot at both ends.
-
Hello,
I am currently running into the same problem between a pfSense and a Fortinet. I applied gerdesj's suggestions (apart from the reboot on the Fortinet side).
For the moment the problem persists.
If someone has an idea.
Thank you
Oct 11 09:46:30 charon 55488 06[NET] <con100000|1> sending packet: from 10.10.10.254[500] to 84.14.183.243[500] (336 bytes)
Oct 11 09:46:30 charon 55488 06[IKE] <con100000|1> retransmit 1 of request with message ID 0
Oct 11 09:46:30 charon 55488 06[CFG] ignoring acquire, connection attempt pending
Oct 11 09:46:30 charon 55488 06[KNL] creating acquire job for policy 10.10.10.254/32|/0 === 84.14.183.243/32|/0 with reqid {1}
Oct 11 09:46:29 charon 55488 06[CFG] ignoring acquire, connection attempt pending
Oct 11 09:46:29 charon 55488 06[KNL] creating acquire job for policy 10.10.10.254/32|/0 === 84.14.183.243/32|/0 with reqid {1}
Oct 11 09:46:28 charon 55488 07[CFG] vici client 2 disconnected
Oct 11 09:46:28 charon 55488 07[CFG] vici client 2 requests: list-sas
Oct 11 09:46:28 charon 55488 07[CFG] vici client 2 registered for: list-sa
Oct 11 09:46:28 charon 55488 07[CFG] vici client 2 connected
Oct 11 09:46:26 charon 55488 06[NET] <con100000|1> sending packet: from 10.10.10.254[500] to 84.14.183.243[500] (336 bytes)
Oct 11 09:46:26 charon 55488 06[ENC] <con100000|1> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Oct 11 09:46:26 charon 55488 06[CFG] <con100000|1> sending supported signature hash algorithms: sha256 sha384 sha512 identity
Oct 11 09:46:26 charon 55488 06[CFG] <con100000|1> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 11 09:46:26 charon 55488 06[IKE] <con100000|1> IKE_SA con100000[1] state change: CREATED => CONNECTING
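As an added example (not code from this thread), a small Python script that groups pfSense's charon log lines by IKE_SA number and reports, per negotiation, whether it stalled as responder (the "received retransmit of request with ID 0 ... deleting half open IKE_SA after timeout" cycle in the first log) or as initiator (the second log's "retransmit 1 of request" with no packet ever received), together with the mode and any legacy algorithms in the proposal. The sample lines are constructed from the entries above, and the LEGACY_ALGS list is my own choice of what to flag.

```python
import re
from collections import defaultdict
# Constructed sample modelled on the two charon logs in this thread (newest entry first, as the
# pfSense GUI lists them): an aggressive-mode responder SA and an IKEv2 initiator SA.
SAMPLE = """\
Apr 26 13:08:16 charon 10[IKE] <con1000|79> IKE_SA con1000[79] state change: CONNECTING => DESTROYING
Apr 26 13:08:16 charon 10[JOB] <con1000|79> deleting half open IKE_SA with 1.1.1.1 after timeout
Apr 26 13:08:10 charon 08[IKE] <con1000|79> sending retransmit 3 of response message ID 0, seq 1
Apr 26 13:08:04 charon 08[IKE] <con1000|79> received retransmit of request with ID 0, retransmitting response
Apr 26 13:07:46 charon 05[CFG] <79> selected proposal: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Apr 26 13:07:46 charon 05[IKE] <79> 1.1.1.1 is initiating a Aggressive Mode IKE_SA
Oct 11 09:46:30 charon 55488 06[IKE] <con100000|1> retransmit 1 of request with message ID 0
Oct 11 09:46:28 charon 55488 07[CFG] vici client 2 requests: list-sas
Oct 11 09:46:26 charon 55488 06[CFG] <con100000|1> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
"""
# Matches both "charon 08[NET] <con1000|80> ..." and "charon 55488 06[NET] <con100000|1> ..." shapes.
LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d charon (?:\d+ )?\d+\[\w+\] "
                     r"(?:<(?:[\w-]+\|)?(?P<sa>\d+)> )?(?P<msg>.*)$")
LEGACY_ALGS = ("3DES_CBC", "MD5", "MODP_768", "MODP_1024")  # worth flagging in a new tunnel

def parse(text):
    """Group message text by IKE_SA number, oldest entry first; lines with no SA are dropped."""
    per_sa = defaultdict(list)
    for raw in reversed(text.splitlines()):
        m = LINE_RE.match(raw)
        if m and m["sa"]:
            per_sa[int(m["sa"])].append(m["msg"])
    return per_sa

def diagnose(msgs):
    """Findings for one IKE_SA: mode, proposal, legacy algorithms, where the handshake stalled."""
    text = "\n".join(msgs)
    prop = re.search(r"(?:selected proposal|configured proposals): IKE:(\S+)", text)
    proposal = prop.group(1) if prop else ""
    f = {
        "aggressive": "Aggressive Mode IKE_SA" in text,
        "proposal": proposal,
        "legacy": [a for a in LEGACY_ALGS if a in proposal],
        "peer_retransmits": text.count("received retransmit of request"),
        "own_retransmits": len(re.findall(r"retransmit \d+ of request", text)),
        "timed_out": "deleting half open IKE_SA" in text,
    }
    if "CONNECTING => ESTABLISHED" in text:
        f["verdict"] = "established"
    elif f["timed_out"] and f["peer_retransmits"]:  # we answered; peer kept re-sending message 1
        f["verdict"] = "stalled as responder: peer never accepted (or never received) our response"
    elif f["own_retransmits"] and "received packet" not in text:
        f["verdict"] = "stalled as initiator: no packet ever came back from the peer"
    else:
        f["verdict"] = "no stall detected in these lines"
    return f

def report(text):
    """{sa_number: findings} for every IKE_SA present in the log text."""
    return {sa: diagnose(msgs) for sa, msgs in parse(text).items()}
```

Run it over the full pfSense log (Status -> System Logs -> IPsec, copied as text) in place of SAMPLE; a responder stall with a matching proposal points at the peer side (ID, PSK or a reply blocked on its path), while an initiator stall with no reply at all points at reachability of UDP 500/4500.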