Console Output CLI Console

This document is a FortiGate CLI console capture of a failing IKEv2 IPsec VPN between a FortiGate 2601F (VDOM vsys3, local gateway 192.8.202.121) and a remote peer at 192.8.197.17. It shows the phase1-interface and phase2-interface configuration (IKEv2, proposal aes256-sha256, DH group 20, PSK authentication, DPD and NAT traversal disabled) followed by `diag debug application ike -1` output. The tunnel never gets past IKE_SA_INIT: each time the FortiGate sends its 224-byte SA_INIT request (AES-256-CBC, HMAC-SHA2-256 as PRF and integrity, ECP-384 key exchange), the peer answers with a 36-byte message carrying nothing but a NO_PROPOSAL_CHOSEN notification (type 14). Because the reply has no SA, KE or Nonce payload, the initiator logs it as "malformed message", retries, and eventually reports "negotiation timeout"; no IKE SA exists, so the queued CHILD_SA (phase 2) request for Karle-Pune_ODC is never negotiated and `get vpn ike gateway` stays in "connecting, state 3". A NO_PROPOSAL_CHOSEN at this stage is decided before the pre-shared key is ever checked, so the fix is to align IKE version, encryption/integrity proposal and DH group on the peer (or to match the peer's values here), not to re-enter the PSK. Two further points a reviewer should note: the psksecret is shown only in FortiOS's ENC form, which is reversible encryption rather than a hash, so a pasted configuration like this should be treated as disclosing the PSK; and `set replay disable` on the phase 2 selector turns off ESP anti-replay protection, which is rarely justified.

Uploaded by javed.rafik.1

FortiGate-2601F # config vdom

FortiGate-2601F (vdom) # edit vsys3


current vf=vsys3:2

FortiGate-2601F (vsys3) # show vpn ipsec phase1-interface Pune-197.17


config vpn ipsec phase1-interface
edit "Pune-197.17"
set interface "port1"
set ike-version 2
set local-gw 192.8.202.121
set peertype any
set net-device disable
set proposal aes256-sha256
set dpd disable
set dhgrp 20
set nattraversal disable
set remote-gw 192.8.197.17
set psksecret ENC UBIuoJAVJU1D0VcNQLG2tmpLpcY584bT7g0FHpTQLPE3ntfViGooTpkKx9IAfNbDuV8karkcyftCLIsi0Tpgh8ilWotwc14eKkDVw7azKPxCkojQ63dgT6OMsf41vBAk8DYEULc/YXQiMsueZtN4GN0iduiipeDFZJJIlj5Val+AElTCGkeEeDsjAz3rCrCiJ2VlmA==
next
end

FortiGate-2601F (vsys3) # show vpn ipsec phase2-interface | grep -f Pune-197.17


config vpn ipsec phase2-interface
edit "Karle-Pune_ODC"
set phase1name "Pune-197.17" <---
set proposal aes256-sha256
set dhgrp 20
set replay disable
set auto-negotiate enable
set keylifeseconds 3600
next
end

FortiGate-2601F (vsys3) #
FortiGate-2601F (vsys3) # diag vpn ike log-filter dst-addr4 192.8.197.17

FortiGate-2601F (vsys3) # diag debug application ike -1


Debug messages will be on for 4 minutes.

FortiGate-2601F (vsys3) # diag debug enable

FortiGate-2601F (vsys3) # ike 2:Pune-197.17:Karle-Pune_ODC: IPsec SA connect 9 192.8.202.121->192.8.197.17:0
ike 2:Pune-197.17:Karle-Pune_ODC: using existing connection
ike 2:Pune-197.17:Karle-Pune_ODC: config found
ike 2:Pune-197.17: request is on the queue
ike 2:Pune-197.17:Karle-Pune_ODC: IPsec SA connect 9 192.8.202.121->192.8.197.17:0
ike 2:Pune-197.17:Karle-Pune_ODC: using existing connection
ike 2:Pune-197.17:Karle-Pune_ODC: config found
ike 2:Pune-197.17: request is on the queue
ike shrank heap by 159744 bytes
ike 2:Pune-197.17:Karle-Pune_ODC: IPsec SA connect 9 192.8.202.121->192.8.197.17:0
ike 2:Pune-197.17:Karle-Pune_ODC: using existing connection
ike 2:Pune-197.17:Karle-Pune_ODC: config found
ike 2:Pune-197.17: request is on the queue
ike 2:Pune-197.17:1805551: negotiation timeout, deleting
ike 2:Pune-197.17: connection expiring due to phase1 down
ike 2:Pune-197.17: deleting
ike 2:Pune-197.17: deleted
ike 2:Pune-197.17: schedule auto-negotiate
ike 2:Pune-197.17:Karle-Pune_ODC: IPsec SA connect 9 192.8.202.121->192.8.197.17:0
ike 2:Pune-197.17:Karle-Pune_ODC: config found
ike 2:Pune-197.17: created connection: 0x10d13410 9 192.8.202.121->192.8.197.17:500.
ike 2:Pune-197.17: HA start as master
ike 2:Pune-197.17: IPsec SA connect 9 192.8.202.121->192.8.197.17:500 negotiating
ike 2:Pune-197.17: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
ike 2:Pune-197.17:1806157: generate DH public value request queued
ike 2:Pune-197.17:1806157: out
A688411E74091A3A00000000000000002120220800000000000000E0220000300000002C010100040300000C0100000C800E01000300000802000005030000080300000C000000080400001428000068001400006B76D9B0234E3AC2B9BC222939AD848E02AB4FF191B67F94A0E9D4D0910D089E85CE326AAEB9F8BF74A9161180B568D4CDA9EF813955FCDEE6AF14D3AACEF05F9E794EBF3FAAE712D99FA22161BE7C2B875674EAC596FD7FD1C3543EABA4A6672900002494194E6D8F9E15AB67094C77ADC29899D55B8E9E3336EF28CBB9F3A44560B314000000080000402E
ike 2:Pune-197.17:1806157: sent IKE msg (SA_INIT): 192.8.202.121:500->192.8.197.17:500, len=224, vrf=0, id=a688411e74091a3a/0000000000000000
ike 2: comes 192.8.197.17:500->192.8.202.121:500,ifindex=9,vrf=0....
ike 2: IKEv2 exchange=SA_INIT_RESPONSE id=a688411e74091a3a/0000000000000000 len=36
ike 2: in A688411E74091A3A0000000000000000292022200000000000000024000000080000000E
ike 2:Pune-197.17:1806157: initiator received SA_INIT response
ike 2:Pune-197.17:1806157: processing notify type NO_PROPOSAL_CHOSEN
ike 2:Pune-197.17:1806157: malformed message
ike 2:Pune-197.17:Karle-Pune_ODC: IPsec SA connect 9 192.8.202.121->192.8.197.17:0
ike 2:Pune-197.17:Karle-Pune_ODC: using existing connection
ike 2:Pune-197.17:Karle-Pune_ODC: config found
ike 2:Pune-197.17: request is on the queue
ike 2:Pune-197.17:Karle-Pune_ODC: IPsec SA connect 9 192.8.202.121->192.8.197.17:0
ike 2:Pune-197.17:Karle-Pune_ODC: using existing connection
ike 2:Pune-197.17:Karle-Pune_ODC: config found
ike 2:Pune-197.17: request is on the queue
ike 2:Pune-197.17:Karle-Pune_ODC: IPsec SA connect 9 192.8.202.121->192.8.197.17:0
ike 2:Pune-197.17:Karle-Pune_ODC: using existing connection
ike 2:Pune-197.17:Karle-Pune_ODC: config found
ike 2:Pune-197.17: request is on the queue
ike 2:Pune-197.17:Karle-Pune_ODC: IPsec SA connect 9 192.8.202.121->192.8.197.17:0
ike 2:Pune-197.17:Karle-Pune_ODC: using existing connection
ike 2:Pune-197.17:Karle-Pune_ODC: config found
ike 2:Pune-197.17: request is on the queue
ike 2:Pune-197.17:Karle-Pune_ODC: IPsec SA connect 9 192.8.202.121->192.8.197.17:0
ike 2:Pune-197.17:Karle-Pune_ODC: using existing connection
ike 2:Pune-197.17:Karle-Pune_ODC: config found
ike 2:Pune-197.17: request is on the queue
ike 2:Pune-197.17:Karle-Pune_ODC: IPsec SA connect 9 192.8.202.121->192.8.197.17:0
ike 2:Pune-197.17:Karle-Pune_ODC: using existing connection
ike 2:Pune-197.17:Karle-Pune_ODC: config found
ike 2:Pune-197.17: request is on the queue

FortiGate-2601F (vsys3) #
FortiGate-2601F (vsys3) # ike 2:Pune-197.17:1806157: negotiation timeout, deleting
ike 2:Pune-197.17: connection expiring due to phase1 down
ike 2:Pune-197.17: deleting
ike 2:Pune-197.17: deleted
ike 2:Pune-197.17: schedule auto-negotiate
ike 2:Pune-197.17:Karle-Pune_ODC: chosen to populate IKE_SA traffic-selectors
ike 2:Pune-197.17: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
ike 2:Pune-197.17:1806758: generate DH public value request queued
ike 2:Pune-197.17:1806758: out
3B46BC83143BFFAC00000000000000002120220800000000000000E0220000300000002C01010004030
0000C0100000C800E0100030
0000802000005030000080300000C00000008040000142800006800140000B6E9377DEF1D2B7E694C79
5D0D079C73FF4811D05BAA360341D7CFD8013518A408D10119C3F16
96543543D5594C51258DED0DB9E298A5AB4316EDE2E74FF08E24773717938E9D03779EE90922DF3D9F4
615C55FD849D79B733FC5CAAE5B3536229000024BE74A25C15662E0
6C281CF5E414830299AE930CF04BBB88DB059924F4FE50823000000080000402E
ike 2:Pune-197.17:1806758: sent IKE msg (SA_INIT): 192.8.202.121:500->192.8.197.17:500, len=224, vrf=0, id=3b46bc83143bffac/0000000000000000
ike 2: comes 192.8.197.17:500->192.8.202.121:500,ifindex=9,vrf=0....
ike 2: IKEv2 exchange=SA_INIT_RESPONSE id=3b46bc83143bffac/0000000000000000 len=36
ike 2: in 3B46BC83143BFFAC0000000000000000292022200000000000000024000000080000000E
ike 2:Pune-197.17:1806758: initiator received SA_INIT response
ike 2:Pune-197.17:1806758: processing notify type NO_PROPOSAL_CHOSEN
ike 2:Pune-197.17:1806758: malformed message
di d
ike 2:Pune-197.17:Karle-Pune_ODC: IPsec SA connect 9 192.8.202.121->192.8.197.17:0
ike 2:Pune-197.17:Karle-Pune_ODC: using existing connection
ike 2:Pune-197.17:Karle-Pune_ODC: config found
ike 2:Pune-197.17: request is on the queue
e di
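The SA_INIT request and reply dumped in the debug output above can be decoded by hand, which is the quickest way to confirm that the peer is rejecting the proposal rather than, say, dropping the packet. The following Python is an added example written for this page; it is not FortiGate output or Fortinet code. It parses the first request/reply pair (hex copied verbatim from the log, terminal line wraps removed) using the IKEv2 header, SA, KE and Notify layouts from RFC 7296, and reports why the exchange stalled. The name tables cover only the IANA registry values these two messages can carry; anything else falls back to its numeric code.

```python
"""Decode the IKEv2 IKE_SA_INIT request/reply captured in the ike debug above."""
import struct

# Hex copied from the debug output (first attempt, id a688411e74091a3a), line wraps removed.
SA_INIT_REQUEST = (
    "A688411E74091A3A00000000000000002120220800000000000000E0220000300000002C01010004030"
    "0000C0100000C800E0100030"
    "0000802000005030000080300000C000000080400001428000068001400006B76D9B0234E3AC2B9BC22"
    "2939AD848E02AB4FF191B67F94A0E9D4D0910D089E85CE326AAEB9F"
    "8BF74A9161180B568D4CDA9EF813955FCDEE6AF14D3AACEF05F9E794EBF3FAAE712D99FA22161BE7C2B"
    "875674EAC596FD7FD1C3543EABA4A6672900002494194E6D8F9E15A"
    "B67094C77ADC29899D55B8E9E3336EF28CBB9F3A44560B314000000080000402E"
)
SA_INIT_RESPONSE = "A688411E74091A3A0000000000000000292022200000000000000024000000080000000E"

# RFC 7296 / IANA IKEv2 registry names; only the values these messages can carry.
EXCHANGE = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD = {33: "SA", 34: "KE", 40: "Nonce", 41: "Notify"}
TRANSFORM_TYPE = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "DH"}
TRANSFORM_ID = {
    1: {12: "AES_CBC", 20: "AES_GCM_16"},
    2: {5: "HMAC_SHA2_256", 7: "HMAC_SHA2_512"},
    3: {12: "HMAC_SHA2_256_128", 14: "HMAC_SHA2_512_256"},
    4: {14: "MODP_2048", 19: "ECP_256", 20: "ECP_384", 21: "ECP_521"},
}
NOTIFY = {14: "NO_PROPOSAL_CHOSEN", 17: "INVALID_KE_PAYLOAD", 16430: "IKEV2_FRAGMENTATION_SUPPORTED"}


def parse_sa(body):
    """SA payload body -> list of proposals, each with its (type, algorithm) transforms."""
    proposals, off = [], 0
    while off < len(body):
        # proposal: last/more, reserved, length, number, protocol, SPI size, #transforms
        _, _, plen, num, proto, spi_size, ntrans = struct.unpack("!BBHBBBB", body[off:off + 8])
        toff, transforms = off + 8 + spi_size, []
        for _ in range(ntrans):
            _, _, tlen, ttype, _, tid = struct.unpack("!BBHBBH", body[toff:toff + 8])
            name = TRANSFORM_ID.get(ttype, {}).get(tid, str(tid))
            if tlen > 8:  # TV-format attribute; type 14 (AF bit set) is Key Length
                atype, aval = struct.unpack("!HH", body[toff + 8:toff + 12])
                if atype & 0x7FFF == 14:
                    name += f"_{aval}"
            transforms.append((TRANSFORM_TYPE.get(ttype, str(ttype)), name))
            toff += tlen
        proposals.append({"number": num, "protocol": proto, "transforms": transforms})
        off += plen
    return proposals


def parse_ike(hex_msg):
    """Parse one IKEv2 message (hex) into header fields plus a list of (payload, detail)."""
    msg = bytes.fromhex("".join(hex_msg.split()))
    spi_i, spi_r, nxt, ver, exch, flags, msg_id, length = struct.unpack("!8s8sBBBBII", msg[:28])
    if length != len(msg):
        raise ValueError(f"length field {length} != {len(msg)} bytes on the wire")
    out = {"spi_i": spi_i.hex(), "spi_r": spi_r.hex(), "version": f"{ver >> 4}.{ver & 0xF}",
           "exchange": EXCHANGE.get(exch, str(exch)), "initiator": bool(flags & 0x08),
           "response": bool(flags & 0x20), "msg_id": msg_id, "payloads": []}
    off = 28
    while nxt != 0:
        cur = nxt
        nxt, _, plen = struct.unpack("!BBH", msg[off:off + 4])  # generic payload header
        body = msg[off + 4:off + plen]
        if cur == 33:
            detail = parse_sa(body)
        elif cur == 34:  # KE: DH group, reserved, public value
            detail = {"dh_group": struct.unpack("!H", body[:2])[0], "public_value_len": len(body) - 4}
        elif cur == 41:  # Notify: protocol, SPI size, notify type, [SPI], data
            ntype = struct.unpack("!BBH", body[:4])[2]
            detail = NOTIFY.get(ntype, str(ntype))
        else:
            detail = len(body)
        out["payloads"].append((PAYLOAD.get(cur, str(cur)), detail))
        off += plen
    return out


def diagnose(req, resp):
    """Explain a failed IKE_SA_INIT from the initiator's side, or return None if it looks fine."""
    if resp["spi_i"] != req["spi_i"] or not resp["response"]:
        return "reply does not belong to this request"
    notifies = [d for kind, d in resp["payloads"] if kind == "Notify"]
    if "NO_PROPOSAL_CHOSEN" in notifies:
        offered = ", ".join(f"{t}={a}" for t, a in dict(req["payloads"])["SA"][0]["transforms"])
        return f"peer rejected the IKE_SA proposal ({offered}); no SA/KE/Nonce came back"
    kinds = {kind for kind, _ in resp["payloads"]}
    if "SA" not in kinds or "KE" not in kinds:
        return "reply lacks the SA/KE payloads needed to finish IKE_SA_INIT"
    return None


if __name__ == "__main__":
    req, resp = parse_ike(SA_INIT_REQUEST), parse_ike(SA_INIT_RESPONSE)
    print("request :", req["payloads"])
    print("response:", resp["payloads"])
    print(diagnose(req, resp))
```

Run as-is, it prints the single proposal the FortiGate offered (AES_CBC_256 / HMAC_SHA2_256 / HMAC_SHA2_256_128 / ECP_384, plus the IKEV2_FRAGMENTATION_SUPPORTED notify) and shows that the 36-byte reply is a bare NO_PROPOSAL_CHOSEN notify, which is exactly the condition the initiator logs as "malformed message" before timing out. The same parser can be pointed at the second attempt (id 3b46bc83143bffac) or at any other `ike ... out` / `ike 2: in` dump from this debug level.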

FortiGate-2601F (vsys3) #
FortiGate-2601F (vsys3) # get vpn ike
gateway List gateways.

FortiGate-2601F (vsys3) # get vpn ike gateway


<name> Name of IKE gateway to list.

FortiGate-2601F (vsys3) # get vpn ike gateway Pune-197.17

vd: vsys3/2
name: Pune-197.17
version: 2
interface: port1 9
addr: 192.8.202.121:500 -> 192.8.197.17:500
created: 6s ago
IKE SA created: 1/1
IPsec SA created: 1/1

id/spi: 1814338 ac7119e682f94e5a/0000000000000000


direction: initiator
status: connecting, state 3, started 6s ago

FortiGate-2601F (vsys3) # get vpn ike gateway Israel-127.13

FortiGate-2601F (vsys3) #
Connection lost. Press Enter to start a new session.
