VPN connection error, help

For topics about VPNs, including configuration, troubleshooting and interoperability.
mendocino37
Posts: 3
Joined: 21 Mar 2017, 19:07

VPN connection error, help

Post by mendocino37 »

Dear experts, good day. I am a novice with FortiGate, but the time has come to start getting into it. I have a FortiGate 60E and, at the other end, a FortiGate 500D.

There is a VPN that was working until a few days ago. Looking around the internet for information on VPN troubleshooting, I managed to pull out this info, but I can't work out what the problem might be.

I'd appreciate it if you could give me a hand with your experience.

Regards and thanks

larfw1 # ike 0:VPN-MZA-1:VPN-P2-MZA-1: IPsec SA connect 5 172.16.10.75->190.113.131.138:0
ike 0:VPN-MZA-1:VPN-P2-MZA-1: using existing connection
ike 0:VPN-MZA-1:VPN-P2-MZA-1: config found
ike 0:VPN-MZA-1: request is on the queue
ike 0:VPN-MZA-1:2994: negotiation timeout, deleting
ike 0:VPN-MZA-1: connection expiring due to phase1 down
ike 0:VPN-MZA-1: deleting
ike 0:VPN-MZA-1: deleted
ike 0:VPN-MZA-1: schedule auto-negotiate
ike 0:VPN-MZA-1:VPN-P2-MZA-1: IPsec SA connect 5 172.16.10.75->190.113.131.138:0
ike 0:VPN-MZA-1:VPN-P2-MZA-1: config found
ike 0:VPN-MZA-1: created connection: 0x5545978 5 172.16.10.75->190.113.131.138:500.
ike 0:VPN-MZA-1: IPsec SA connect 5 172.16.10.75->190.113.131.138:500 negotiating
ike 0:VPN-MZA-1: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
ike 0:VPN-MZA-1:2995: sent IKE msg (SA_INIT): 172.16.10.75:500->190.113.131.138:500, len=528, id=6dd1f060bf6376df/0000000000000000
ike 0: comes 190.113.131.138:500->172.16.10.75:500,ifindex=5....
ike 0: IKEv2 exchange=SA_INIT_RESPONSE id=6dd1f060bf6376df/b948e324ce1113e7 len=360
ike 0:VPN-MZA-1:2995: initiator received SA_INIT response
ike 0:VPN-MZA-1:2995: processing notify type NAT_DETECTION_SOURCE_IP
ike 0:VPN-MZA-1:2995: processing NAT-D payload
ike 0:VPN-MZA-1:2995: NAT not detected
ike 0:VPN-MZA-1:2995: process NAT-D
ike 0:VPN-MZA-1:2995: processing notify type NAT_DETECTION_DESTINATION_IP
ike 0:VPN-MZA-1:2995: processing NAT-D payload
ike 0:VPN-MZA-1:2995: NAT detected: ME
ike 0:VPN-MZA-1:2995: process NAT-D
ike 0:VPN-MZA-1:2995: processing notify type FRAGMENTATION_SUPPORTED
ike 0:VPN-MZA-1:2995: incoming proposal:
ike 0:VPN-MZA-1:2995: proposal id = 1:
ike 0:VPN-MZA-1:2995: protocol = IKEv2:
ike 0:VPN-MZA-1:2995: encapsulation = IKEv2/none
ike 0:VPN-MZA-1:2995: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:VPN-MZA-1:2995: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:VPN-MZA-1:2995: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:VPN-MZA-1:2995: type=DH_GROUP, val=MODP1536.
ike 0:VPN-MZA-1:2995: matched proposal id 1
ike 0:VPN-MZA-1:2995: proposal id = 1:
ike 0:VPN-MZA-1:2995: protocol = IKEv2:
ike 0:VPN-MZA-1:2995: encapsulation = IKEv2/none
ike 0:VPN-MZA-1:2995: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:VPN-MZA-1:2995: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:VPN-MZA-1:2995: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:VPN-MZA-1:2995: type=DH_GROUP, val=MODP1536.
ike 0:VPN-MZA-1:2995: lifetime=86400
ike 0:VPN-MZA-1:2995: IKE SA 6dd1f060bf6376df/b948e324ce1113e7 SK_ei 16:9558F001FF686E241F2387C3F8583212
ike 0:VPN-MZA-1:2995: IKE SA 6dd1f060bf6376df/b948e324ce1113e7 SK_er 16:CB047C096C2F517DD391FB4F4A80A4DF
ike 0:VPN-MZA-1:2995: IKE SA 6dd1f060bf6376df/b948e324ce1113e7 SK_ai 32:FA7CDDC84EF12AC0F364E540C411BB3CA498203A4902909CEEE237887517F887
ike 0:VPN-MZA-1:2995: IKE SA 6dd1f060bf6376df/b948e324ce1113e7 SK_ar 32:A78ECFCCB4DF045B94CB820663CB9F38D5C834FF8037C2937A33C204E0689C9C
ike 0:VPN-MZA-1:2995: initiator preparing AUTH msg
ike 0:VPN-MZA-1:2995: sending INITIAL-CONTACT
ike 0:VPN-MZA-1:2995: add INTERFACE-ADDR4 10.254.1.130
ike 0:VPN-MZA-1:2995: enc 2900000C01000000AC100A4B29000008000040002700000C0000F0F90AFE01822900002802000000E8E4C1F6C796124C6D7387A9575AFCAE1B212C253ACA8622D63DA8C22A9A184E21000008000040242C00002C00000028010304038789E46B0300000C0100000C800E0100030000080300000C00000008050000002D00001801000000070000100000FFFF00000000FFFFFFFF0000001801000000070000100000FFFF00000000FFFFFFFF03020103
ike 0:VPN-MZA-1:2995: detected NAT
ike 0:VPN-MZA-1:2995: NAT-T float port 4500
ike 0:VPN-MZA-1:2995: out 6DD1F060BF6376DFB948E324CE1113E72E20230800000001000000F0230000D4FD1B387EF9DF3B2F3EF4F038B010C743659563F3AF793644EA11EF64EE1E9D544EBF366146F933C4EE17E1BCD364A05649E87985D35DE85EF730371BB8F9C3ACDE7AB860DDB647FAB54B1424D2C17706610E9810F9FF70C373D2849429842F3E42682181A294AED650DB06E38F8706C8FFEAAFAD1C4C6F181FEB29EC42E2B8C0DC5B7890397CF878FBD1BB2CC4AD07BBF2766EC5A9A02070022DD25B52641EF6ABBA5A59C27A18EEAC3BED79E4DEFE430E2FF1F386E9AA5D4E836DBA84555A1C7516A64AFFA334CDEB5335124C4E9FFF
ike 0:VPN-MZA-1:2995: sent IKE msg (AUTH): 172.16.10.75:4500->190.113.131.138:4500, len=240, id=6dd1f060bf6376df/b948e324ce1113e7:00000001
ike shrank heap by 126976 bytes
ike 0:VPN-MZA-1:2995: out 6DD1F060BF6376DFB948E324CE1113E72E20230800000001000000F0230000D4FD1B387EF9DF3B2F3EF4F038B010C743659563F3AF793644EA11EF64EE1E9D544EBF366146F933C4EE17E1BCD364A05649E87985D35DE85EF730371BB8F9C3ACDE7AB860DDB647FAB54B1424D2C17706610E9810F9FF70C373D2849429842F3E42682181A294AED650DB06E38F8706C8FFEAAFAD1C4C6F181FEB29EC42E2B8C0DC5B7890397CF878FBD1BB2CC4AD07BBF2766EC5A9A02070022DD25B52641EF6ABBA5A59C27A18EEAC3BED79E4DEFE430E2FF1F386E9AA5D4E836DBA84555A1C7516A64AFFA334CDEB5335124C4E9FFF
ike 0:VPN-MZA-1:2995: sent IKE msg (RETRANSMIT_AUTH): 172.16.10.75:4500->190.113.131.138:4500, len=240, id=6dd1f060bf6376df/b948e324ce1113e7:00000001
ike 0:VPN-MZA-1:VPN-P2-MZA-1: IPsec SA connect 5 172.16.10.75->190.113.131.138:0
ike 0:VPN-MZA-1:VPN-P2-MZA-1: using existing connection
ike 0:VPN-MZA-1:VPN-P2-MZA-1: config found
ike 0:VPN-MZA-1: request is on the queue
ike 0:VPN-MZA-1:2995: out 6DD1F060BF6376DFB948E324CE1113E72E20230800000001000000F0230000D4FD1B387EF9DF3B2F3EF4F038B010C743659563F3AF793644EA11EF64EE1E9D544EBF366146F933C4EE17E1BCD364A05649E87985D35DE85EF730371BB8F9C3ACDE7AB860DDB647FAB54B1424D2C17706610E9810F9FF70C373D2849429842F3E42682181A294AED650DB06E38F8706C8FFEAAFAD1C4C6F181FEB29EC42E2B8C0DC5B7890397CF878FBD1BB2CC4AD07BBF2766EC5A9A02070022DD25B52641EF6ABBA5A59C27A18EEAC3BED79E4DEFE430E2FF1F386E9AA5D4E836DBA84555A1C7516A64AFFA334CDEB5335124C4E9FFF
ike 0:VPN-MZA-1:2995: sent IKE msg (RETRANSMIT_AUTH): 172.16.10.75:4500->190.113.131.138:4500, len=240, id=6dd1f060bf6376df/b948e324ce1113e7:00000001
ike 0:VPN-MZA-1:VPN-P2-MZA-1: IPsec SA connect 5 172.16.10.75->190.113.131.138:0
ike 0:VPN-MZA-1:VPN-P2-MZA-1: using existing connection
ike 0:VPN-MZA-1:VPN-P2-MZA-1: config found
ike 0:VPN-MZA-1: request is on the queue
ike 0:VPN-MZA-1:VPN-P2-MZA-1: IPsec SA connect 5 172.16.10.75->190.113.131.138:0
ike 0:VPN-MZA-1:VPN-P2-MZA-1: using existing connection
ike 0:VPN-MZA-1:VPN-P2-MZA-1: config found
ike 0:VPN-MZA-1: request is on the queue

larfw1 # ike 0:VPN-MZA-1:VPN-P2-MZA-1: IPsec SA connect 5 172.16.10.75->190.113.131.138:0
ike 0:VPN-MZA-1:VPN-P2-MZA-1: using existing connection
ike 0:VPN-MZA-1:VPN-P2-MZA-1: config found
ike 0:VPN-MZA-1: request is on the queue
diike 0:VPN-MZA-1:2995: out 6DD1F060BF6376DFB948E324CE1113E72E20230800000001000000F0230000D4FD1B387EF9DF3B2F3EF4F038B010C743659563F3AF793644EA11EF64EE1E9D544EBF366146F933C4EE17E1BCD364A05649E87985D35DE85EF730371BB8F9C3ACDE7AB860DDB647FAB54B1424D2C17706610E9810F9FF70C373D2849429842F3E42682181A294AED650DB06E38F8706C8FFEAAFAD1C4C6F181FEB29EC42E2B8C0DC5B7890397CF878FBD1BB2CC4AD07BBF2766EC5A9A02070022DD25B52641EF6ABBA5A59C27A18EEAC3BED79E4DEFE430E2FF1F386E9AA5D4E836DBA84555A1C7516A64AFFA334CDEB5335124C4E9FFF
ike 0:VPN-MZA-1:2995: sent IKE msg (RETRANSMIT_AUTH): 172.16.10.75:4500->190.113.131.138:4500, len=240, id=6dd1f060bf6376df/b948e324ce1113e7:00000001
dia deb dike 0:VPN-MZA-1:VPN-P2-MZA-1: IPsec SA connect 5 172.16.10.75->190.113.131.138:0
ike 0:VPN-MZA-1:VPN-P2-MZA-1: using existing connection
ike 0:VPN-MZA-1:VPN-P2-MZA-1: config found
ike 0:VPN-MZA-1: request is on the queue
i
gabyrossi
Posts: 10898
Joined: 30 Oct 2007, 19:47

Re: VPN connection error, help

Post by gabyrossi »

Hi, check why it is trying to set up the IPsec connection with a private IP 172.16.10.75->190.113.131.138:0

Check within the VPN whether NAT traversal is enabled.

Regards
NSE 7 – Fortinet Network Security Architect
NSE 5 - Network Security Analyst
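
As an added example (not part of any post in this thread and not Fortinet tooling), this Python script walks IKE debug lines like the ones posted above and reports where the exchange stalls: whether NAT was detected, which port NAT-T floated to, and whether anything came back after AUTH was sent. The names `summarize` and `SAMPLE` are hypothetical; the sample lines are copied from the first post's log with the hex dumps left out.

```python
import re

SENT = re.compile(r"sent IKE msg \((\w+)\): [\d.]+:(\d+)->[\d.]+:(\d+)")
COMES = re.compile(r"ike \d+: comes [\d.]+:(\d+)->[\d.]+:(\d+)")
NAT = re.compile(r"NAT detected: (.+)$")
FLOAT = re.compile(r"NAT-T float port (\d+)")

# Lines copied from the debug output in this thread (hex dumps omitted).
SAMPLE = """\
ike 0:VPN-MZA-1:2995: sent IKE msg (SA_INIT): 172.16.10.75:500->190.113.131.138:500, len=528, id=6dd1f060bf6376df/0000000000000000
ike 0: comes 190.113.131.138:500->172.16.10.75:500,ifindex=5....
ike 0:VPN-MZA-1:2995: NAT not detected
ike 0:VPN-MZA-1:2995: NAT detected: ME
ike 0:VPN-MZA-1:2995: NAT-T float port 4500
ike 0:VPN-MZA-1:2995: sent IKE msg (AUTH): 172.16.10.75:4500->190.113.131.138:4500, len=240, id=6dd1f060bf6376df/b948e324ce1113e7:00000001
ike 0:VPN-MZA-1:2995: sent IKE msg (RETRANSMIT_AUTH): 172.16.10.75:4500->190.113.131.138:4500, len=240, id=6dd1f060bf6376df/b948e324ce1113e7:00000001
ike 0:VPN-MZA-1:2995: sent IKE msg (RETRANSMIT_AUTH): 172.16.10.75:4500->190.113.131.138:4500, len=240, id=6dd1f060bf6376df/b948e324ce1113e7:00000001
"""

def summarize(log):
    """Walk the IKE debug lines in order and report where the exchange stalls."""
    s = {"nat_detected": None, "float_port": None, "auth_port": None,
         "auth_transmissions": 0, "replies_after_auth": 0}
    for line in log.splitlines():
        line = line.strip()
        if m := NAT.search(line):
            s["nat_detected"] = m.group(1)      # "ME" = the local unit is behind NAT
        elif m := FLOAT.search(line):
            s["float_port"] = int(m.group(1))
        elif m := SENT.search(line):
            if m.group(1).endswith("AUTH"):     # AUTH and RETRANSMIT_AUTH
                s["auth_transmissions"] += 1
                s["auth_port"] = int(m.group(3))
        elif m := COMES.search(line):
            # Count only packets arriving from the port AUTH was sent to.
            if s["auth_transmissions"] and int(m.group(1)) == s["auth_port"]:
                s["replies_after_auth"] += 1
    if s["auth_transmissions"] == 0:
        s["verdict"] = "AUTH not sent yet"
    elif s["replies_after_auth"] == 0:
        s["verdict"] = f"no reply to AUTH on UDP/{s['auth_port']}"
    else:
        s["verdict"] = "peer answered AUTH"
    return s

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On this log the SA_INIT exchange on UDP/500 completes, the unit sees itself behind NAT and floats to 4500, and every AUTH goes unanswered, which is why the path for UDP/4500 and the NAT traversal setting on both ends are the first things to check.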
MikForti
Posts: 1
Joined: 29 Sep 2023, 10:20

Re: VPN connection error, help

Post by MikForti »

How did you solve it?

I have tried enabling NAT traversal in the VPN config, but it still doesn't work; I keep getting the same error.

I have the WAN configured with an INTERNAL IP of the ROUTER through DMZ (as seems to be your case).

Is it necessary to make any additional reference in AZURE or on the FORTIGATE?

Many thanks and regards.
AndresW
Posts: 452
Joined: 09 Jun 2014, 17:05

Re: VPN connection error, help

Post by AndresW »

Hi,

Can you share the specific error it is giving you?
Regards!

_____________________________________________________________

Telegram group about FortiGate --> https://t.me/FortiGate_es