IPSec VPN With Fortigate Failed
-
Hi Everyone,
I'm currently using pfSense and want to set up a site-to-site VPN to my partner. My partner is using a Fortigate and is behind NAT; my pfSense device has direct Internet access (PPPoE).
We checked all the configuration and made sure it matches, but somehow the tunnel still does not work. Here is the log on pfSense:
Jun 18 15:30:04 charon 15[NET] <1783402> received packet: from 113.x.x.x[4500] to 203.x.x.x[4500] (224 bytes)
Jun 18 15:30:04 charon 15[ENC] <1783402> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH SA TSi TSr ]
Jun 18 15:30:04 charon 15[CFG] <1783402> looking for peer configs matching 203.x.x.x[%any]...113.x.x.x[10.10.40.1]
Jun 18 15:30:04 charon 15[CFG] <1783402> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Jun 18 15:30:04 charon 15[CFG] <1783402> ignore candidate 'bypasslan' without matching IKE proposal
Jun 18 15:30:04 charon 15[CFG] <1783402> no matching peer config found
Jun 18 15:30:04 charon 15[ENC] <1783402> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jun 18 15:30:04 charon 15[NET] <1783402> sending packet: from 203.x.x.x[4500] to 113.x.x.x[4500] (80 bytes)
Jun 18 15:30:04 charon 15[IKE] <1783402> IKE_SA (unnamed)[1783402] state change: CONNECTING => DESTROYING
Jun 18 15:30:04 charon 15[NET] <1783403> received packet: from 113.x.x.x[500] to 203.x.x.x[500] (352 bytes)
Jun 18 15:30:04 charon 15[ENC] <1783403> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jun 18 15:30:04 charon 15[CFG] <1783403> looking for an IKEv2 config for 203.x.x.x...113.x.x.x
Jun 18 15:30:04 charon 15[CFG] <1783403> candidate: %any...%any, prio 24
Jun 18 15:30:04 charon 15[CFG] <1783403> candidate: 203.x.x.x...113.x.x.x, prio 3100
Jun 18 15:30:04 charon 15[CFG] <1783403> found matching ike config: 203.x.x.x...113.x.x.x with prio 3100
Jun 18 15:30:04 charon 15[IKE] <1783403> 113.x.x.x is initiating an IKE_SA
Jun 18 15:30:04 charon 15[IKE] <1783403> IKE_SA (unnamed)[1783403] state change: CREATED => CONNECTING
Jun 18 15:30:04 charon 15[CFG] <1783403> selecting proposal:
Jun 18 15:30:04 charon 15[CFG] <1783403> proposal matches
Jun 18 15:30:04 charon 15[CFG] <1783403> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Jun 18 15:30:04 charon 15[CFG] <1783403> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Jun 18 15:30:04 charon 15[CFG] <1783403> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Jun 18 15:30:04 charon 15[IKE] <1783403> remote host is behind NAT
Jun 18 15:30:04 charon 15[ENC] <1783403> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jun 18 15:30:04 charon 15[NET] <1783403> sending packet: from 203.x.x.x[500] to 113.x.x.x[500] (384 bytes)
Jun 18 15:30:04 charon 15[NET] <1783403> received packet: from 113.x.x.x[4500] to 203.x.x.x[4500] (224 bytes)
Jun 18 15:30:04 charon 15[ENC] <1783403> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH SA TSi TSr ]
Jun 18 15:30:04 charon 15[CFG] <1783403> looking for peer configs matching 203.x.x.x[%any]...113.x.x.x[10.10.40.1]
Jun 18 15:30:04 charon 15[CFG] <1783403> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Jun 18 15:30:04 charon 15[CFG] <1783403> ignore candidate 'bypasslan' without matching IKE proposal
Jun 18 15:30:04 charon 15[CFG] <1783403> no matching peer config found
Jun 18 15:30:04 charon 15[ENC] <1783403> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jun 18 15:30:04 charon 15[NET] <1783403> sending packet: from 203.x.x.x[4500] to 113.x.x.x[4500] (80 bytes)
Jun 18 15:30:04 charon 15[IKE] <1783403> IKE_SA (unnamed)[1783403] state change: CONNECTING => DESTROYING
Jun 18 15:30:04 charon 11[NET] <1783404> received packet: from 113.x.x.x[500] to 203.x.x.x[500] (352 bytes)
Jun 18 15:30:04 charon 11[ENC] <1783404> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jun 18 15:30:04 charon 11[CFG] <1783404> looking for an IKEv2 config for 203.x.x.x...113.x.x.x
Jun 18 15:30:04 charon 11[CFG] <1783404> candidate: %any...%any, prio 24
Jun 18 15:30:04 charon 11[CFG] <1783404> candidate: 203.x.x.x...113.x.x.x, prio 3100
Jun 18 15:30:04 charon 11[CFG] <1783404> found matching ike config: 203.x.x.x...113.x.x.x with prio 3100
Jun 18 15:30:04 charon 11[IKE] <1783404> 113.x.x.x is initiating an IKE_SA
Jun 18 15:30:04 charon 11[IKE] <1783404> IKE_SA (unnamed)[1783404] state change: CREATED => CONNECTING
Jun 18 15:30:04 charon 11[CFG] <1783404> selecting proposal:
Jun 18 15:30:04 charon 11[CFG] <1783404> proposal matches
Jun 18 15:30:04 charon 11[CFG] <1783404> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Jun 18 15:30:04 charon 11[CFG] <1783404> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Jun 18 15:30:04 charon 11[CFG] <1783404> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Jun 18 15:30:04 charon 11[IKE] <1783404> remote host is behind NAT
Jun 18 15:30:04 charon 11[ENC] <1783404> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jun 18 15:30:04 charon 11[NET] <1783404> sending packet: from 203.x.x.x[500] to 113.x.x.x[500] (384 bytes)
Jun 18 15:30:04 charon 11[NET] <1783404> received packet: from 113.x.x.x[4500] to 203.x.x.x[4500] (224 bytes)
Jun 18 15:30:04 charon 11[ENC] <1783404> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH SA TSi TSr ]
Jun 18 15:30:04 charon 11[CFG] <1783404> looking for peer configs matching 203.x.x.x[%any]...113.x.x.x[10.10.40.1]
Jun 18 15:30:04 charon 11[CFG] <1783404> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Jun 18 15:30:04 charon 11[CFG] <1783404> ignore candidate 'bypasslan' without matching IKE proposal
Jun 18 15:30:04 charon 11[CFG] <1783404> no matching peer config found
Jun 18 15:30:04 charon 11[ENC] <1783404> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jun 18 15:30:04 charon 11[NET] <1783404> sending packet: from 203.x.x.x[4500] to 113.x.x.x[4500] (80 bytes)
Jun 18 15:30:04 charon 11[IKE] <1783404> IKE_SA (unnamed)[1783404] state change: CONNECTING => DESTROYING
Jun 18 15:30:04 charon 11[NET] <1783405> received packet: from 113.x.x.x[500] to 203.x.x.x[500] (352 bytes)
Jun 18 15:30:04 charon 11[ENC] <1783405> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jun 18 15:30:04 charon 11[CFG] <1783405> looking for an IKEv2 config for 203.x.x.x...113.x.x.x
Jun 18 15:30:04 charon 11[CFG] <1783405> candidate: %any...%any, prio 24
Jun 18 15:30:04 charon 11[CFG] <1783405> candidate: 203.x.x.x...113.x.x.x, prio 3100
Jun 18 15:30:04 charon 11[CFG] <1783405> found matching ike config: 203.x.x.x...113.x.x.x with prio 3100
Jun 18 15:30:04 charon 11[IKE] <1783405> 113.x.x.x is initiating an IKE_SA
Jun 18 15:30:04 charon 11[IKE] <1783405> IKE_SA (unnamed)[1783405] state change: CREATED => CONNECTING
Jun 18 15:30:04 charon 11[CFG] <1783405> selecting proposal:
Jun 18 15:30:04 charon 11[CFG] <1783405> proposal matches
Jun 18 15:30:04 charon 11[CFG] <1783405> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Jun 18 15:30:04 charon 11[CFG] <1783405> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Jun 18 15:30:04 charon 11[CFG] <1783405> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Jun 18 15:30:04 charon 11[IKE] <1783405> remote host is behind NAT
Jun 18 15:30:04 charon 11[ENC] <1783405> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jun 18 15:30:04 charon 11[NET] <1783405> sending packet: from 203.x.x.x[500] to 113.x.x.x[500] (384 bytes)
Jun 18 15:30:04 charon 11[NET] <1783405> received packet: from 113.x.x.x[4500] to 203.x.x.x[4500] (224 bytes)
Jun 18 15:30:04 charon 11[ENC] <1783405> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH SA TSi TSr ]
Jun 18 15:30:04 charon 11[CFG] <1783405> looking for peer configs matching 203.x.x.x[%any]...113.x.x.x[10.10.40.1]
Jun 18 15:30:04 charon 11[CFG] <1783405> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Jun 18 15:30:04 charon 11[CFG] <1783405> ignore candidate 'bypasslan' without matching IKE proposal
Jun 18 15:30:04 charon 11[CFG] <1783405> no matching peer config found
Jun 18 15:30:04 charon 11[ENC] <1783405> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jun 18 15:30:04 charon 11[NET] <1783405> sending packet: from 203.x.x.x[4500] to 113.x.x.x[4500] (80 bytes)
Jun 18 15:30:04 charon 11[IKE] <1783405> IKE_SA (unnamed)[1783405] state change: CONNECTING => DESTROYING
Jun 18 15:30:11 charon 10[NET] <1783406> received packet: from 113.x.x.x[500] to 203.x.x.x[500] (352 bytes)
Jun 18 15:30:11 charon 10[ENC] <1783406> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jun 18 15:30:11 charon 10[CFG] <1783406> looking for an IKEv2 config for 203.x.x.x...113.x.x.x
Jun 18 15:30:11 charon 10[CFG] <1783406> candidate: %any...%any, prio 24
Jun 18 15:30:11 charon 10[CFG] <1783406> candidate: 203.x.x.x...113.x.x.x, prio 3100
Jun 18 15:30:11 charon 10[CFG] <1783406> found matching ike config: 203.x.x.x...113.x.x.x with prio 3100
Jun 18 15:30:11 charon 10[IKE] <1783406> 113.x.x.x is initiating an IKE_SA
Jun 18 15:30:11 charon 10[IKE] <1783406> IKE_SA (unnamed)[1783406] state change: CREATED => CONNECTING
Jun 18 15:30:11 charon 10[CFG] <1783406> selecting proposal:
Jun 18 15:30:11 charon 10[CFG] <1783406> proposal matches
Jun 18 15:30:11 charon 10[CFG] <1783406> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Jun 18 15:30:11 charon 10[CFG] <1783406> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Jun 18 15:30:11 charon 10[CFG] <1783406> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Jun 18 15:30:11 charon 10[IKE] <1783406> remote host is behind NAT
Jun 18 15:30:11 charon 10[ENC] <1783406> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jun 18 15:30:11 charon 10[NET] <1783406> sending packet: from 203.x.x.x[500] to 113.x.x.x[500] (384 bytes)
Everything seems OK, but somehow Phase 1 still fails. I'm not sure why. Please help and advise!
-
Hi team, an update:
I just changed the encryption method on both sites and now pfSense generates a new log:
Jun 18 16:32:19 charon 11[CFG] constraint requires public key authentication, but pre-shared key was used
Jun 18 16:32:19 charon 11[CFG] <bypasslan|1812639> constraint requires public key authentication, but pre-shared key was used
Jun 18 16:32:19 charon 11[CFG] selected peer config 'bypasslan' unacceptable: non-matching authentication done
Jun 18 16:32:19 charon 11[CFG] <bypasslan|1812639> selected peer config 'bypasslan' unacceptable: non-matching authentication done
Both sites are configured to use PSK, and based on the log the authentication is OK, but some other log lines require public key authentication. Not sure what it is. Please help and advise.
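As an added example (not code from the post, from pfSense or from strongSwan), here is a small Python triage script for charon entries like the ones in both logs above. It groups entries per IKE_SA and reports, for each attempt, the proposal that was selected, whether NAT was detected, the peer identifier (IDi) that charon tried to match against the configured phase 1 entries, and the message that rejected it. The line format and the abridged sample entries are taken from this thread; the field names in the result dictionary are my own.

```python
import re
from collections import defaultdict

# One charon entry as pfSense logs it; the SA tag (<1783403> or <bypasslan|1812639>) is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) charon (?P<thread>\d+)\[(?P<sub>[A-Z]+)\]"
    r"(?: <(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)>)? (?P<msg>.*)$")
PEER_RE = re.compile(r"looking for peer configs matching (?P<me>\S+?)\.\.\.(?P<other>\S+)")
ID_RE = re.compile(r"^[^\[]+\[(?P<id>[^\]]*)\]$")   # "113.x.x.x[10.10.40.1]" -> "10.10.40.1"

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def triage(lines):
    """Group entries per IKE_SA and keep only what decides phase 1."""
    new = lambda: {"proposal": None, "nat": False, "peer_id": None, "conn": None, "failure": None}
    sas = defaultdict(new)
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        s, msg = sas[e["sa"] or "untagged"], e["msg"]
        s["conn"] = s["conn"] or e["conn"]
        peer = PEER_RE.search(msg)
        if msg.startswith("selected proposal: "):
            s["proposal"] = msg.split(": ", 1)[1]
        elif msg == "remote host is behind NAT":
            s["nat"] = True
        elif peer:   # IDi sent by the peer; the phase 1 entry's peer identifier must equal it
            s["peer_id"] = ID_RE.match(peer["other"])["id"]
        elif msg == "no matching peer config found" or "unacceptable" in msg:
            s["failure"] = msg
    return dict(sas)

def verdict(s):
    """Plain-language reason for one IKE_SA's outcome."""
    if s["failure"] is None:
        return "phase 1 not rejected in these lines"
    if s["failure"] == "no matching peer config found":
        return "proposal %s accepted%s, but no phase 1 entry matched peer identifier %r" % (
            s["proposal"], " (peer behind NAT)" if s["nat"] else "", s["peer_id"])
    return "entry %r rejected: %s" % (s["conn"], s["failure"])

# Constructed sample: entries abridged from the two logs in the post.
SAMPLE = """\
Jun 18 15:30:04 charon 15[CFG] <1783403> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Jun 18 15:30:04 charon 15[IKE] <1783403> remote host is behind NAT
Jun 18 15:30:04 charon 15[CFG] <1783403> looking for peer configs matching 203.x.x.x[%any]...113.x.x.x[10.10.40.1]
Jun 18 15:30:04 charon 15[CFG] <1783403> ignore candidate 'bypasslan' without matching IKE proposal
Jun 18 15:30:04 charon 15[CFG] <1783403> no matching peer config found
Jun 18 15:30:04 charon 15[ENC] <1783403> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jun 18 16:32:19 charon 11[CFG] <bypasslan|1812639> constraint requires public key authentication, but pre-shared key was used
Jun 18 16:32:19 charon 11[CFG] <bypasslan|1812639> selected peer config 'bypasslan' unacceptable: non-matching authentication done
""".splitlines()

if __name__ == "__main__":
    for sa, s in triage(SAMPLE).items():
        print(sa, "->", verdict(s))
```

Feed it the full IPsec log from Status > System Logs and compare the reported peer identifier with the Peer identifier field of the phase 1 entry; the only entry charon considered here was the internal 'bypasslan' one, not the site-to-site tunnel.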
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.