Site-to-Site VPN (Fortigate-SonicWall) Encryption Domains

For topics about VPNs, including configuration, troubleshooting and interoperability.
Javier0586
Posts: 1
Joined: 17 Aug 2017, 17:58

Site-to-Site VPN (Fortigate-SonicWall) Encryption Domains

Post by Javier0586 »

Good afternoon:

Dear friends, I am currently facing the following scenario.
A tunnel has been brought up between the two firewall devices (a Fortigate 100D and a SonicWall), each with a public IP.
Their phase 1 and phase 2 configuration comes up without problems, and this tunnel has stayed stable.

The error that appears is that when I check the encryption domains, they always show up as intermittent and never stay stable. In total I have 9 encryption domains; however, when I run a targeted test with only two encryption domains it works without issues, but as soon as I add a third encryption domain, the domains start to flap.

When I create groups so as to generate only a single rule on the firewall, the problem is the same.

Can someone give me an opinion on how to carry out checks for this case and manage to resolve the issue I am dealing with?
auto-discovery-forwarder phase1
auto-discovery-sender phase1
auto-negotiate disable
dst-addr-type name
dst-name Remoto
encapsulation tunnel-mode
keepalive disable
keylife-type seconds
name VPN_Name
pfs disable
phase1name VPN_Name
proposal aes256-sha256
replay disable
src-addr-type name
src-name Local


VPN DEBUG

*************************
ike 0:VPN_R: HA IPsec send ESP seqno 1
ike 0:VPN_R:VPN_R:48: Admin flush IPsec SA
ike 0:VPN_R: flushing VPN_R
ike 0:VPN_R: deleting IPsec SA with SPI 20b8507a
ike 0:VPN_R:VPN_R: deleted IPsec SA with SPI 20b8507a, SA count: 1
ike 0:VPN_R:357582: send IPsec SA delete, spi e1327df5
ike 0:VPN_R:357582: enc 3685C4E73JJ520499893912D22C5219908100501J1JC15C9000000500C00002432CJCEJ5C994800AB324D0933C3CC659J856D2DCA97DJ4DJ1J7E6J6BE493DD1E000000100000000103040001E1327DJ5
ike 0:VPN_R:357582: out 3685C4E73JJ520499893912D22C5219908100501J1JC15C90000005C95CAC3JAED4011880CA8J75JCEJ3B6AAC57C526CBE25D539EJCDC88BCJDD5A1B76JC9751D21JD99B03361EA7B145472603J31DJ3A9B1J4441E5AADJ22580E9A8
ike 0:VPN_R:357582: sent IKE msg (IPsec SA_DELETE-NOTIFY): 192.36.130.56:500->192.188.212.1:500, len=92, id=3685c4e73ff52049/9893912d22c52199:f1fc15c9
ike 0:VPN_R: deleting IPsec SA with SPI a2580a57
ike 0:VPN_R:VPN_R: deleted IPsec SA with SPI a2580a57, SA count: 0
ike 0:VPN_R: sending SNMP tunnel DOWN trap for VPN_R
ike 0:VPN_R:357582: send IPsec SA delete, spi e1327df4
ike 0:VPN_R:357582: enc 3685C4E73JJ520499893912D22C521990810050100ADAB75000000500C000024J026305JDJED031AE5D7CJ3BDCCJB5JE7E7EC78167B9J5DJE2AAA6A6E7B57347000000100000000103040001E1327DJ4
ike 0:VPN_R:357582: out 3685C4E73JJ520499893912D22C521990810050100ADAB750000005C7A908JC07D5E1564463270710B358972C4A1A34CJ2399D9B0CA57261J0396J276BCCD1B97720B36B74CJCDAA68BDE264B6E344424AE95AB550AJ2C91DJ2A53E2
ike 0:VPN_R:357582: sent IKE msg (IPsec SA_DELETE-NOTIFY): 192.36.130.56:500->192.188.212.1:500, len=92, id=3685c4e73ff52049/9893912d22c52199:00adab75
ike 0:VPN_R:VPN_R: sending SNMP tunnel DOWN trap
ike 0:VPN_R: flushed VPN_R
ike 0: comes 192.188.212.1:500->192.36.130.56:500,ifindex=39....
ike 0: IKEv1 exchange=Quick id=3685c4e73ff52049/9893912d22c52199:12a8ab10 len=172
ike 0: in 3685C4E73JJ520499893912D22C521990810200112A8AB10000000AC207E8JE8B895B73CJ9BJ9175J21317252D081A49A5CE0819876JA67E883310C377C51D7860JB1C32647ED24932D3B22ACD16AB6J78BJ30D5J0E495J97792EJ6450JE12A8075672468D36C8JEC9411CE06BA0591E4A0JD3E4A2207E2720D2600D243EA3A8556E4DE8B1333057J8DJ85E26A264C3044941475JD6A4EJ4045B801D526J1CA251857895847864B626CJ5EBD
ike 0:VPN_R:357582: dec 3685C4E73JJ520499893912D22C521990810200112A8AB10000000AC01000024J2JD9J3CB3EJACAE0A58A29AJ1E65J8233612386E22J0424CAJCC54CC38BEAA50A00003400000001000000010000002801030401J2B000JB0000001C010C00008001000180020E1080040001800500058006010005000018EA65147D0C6C88252JD6D6CA61CAB01819AE12500500000C01000000BE0068A00000000C01000000AC1069790000000000000000
ike 0:VPN_R:357582:134346788: peer proposal is: peer:0:191.1.105.159-191.1.105.159:0, me:0:182.17.106121-182.17.106121:0
ike 0:VPN_R:357582:VPN_R:134346788: trying
ike 0:VPN_R:357582:VPN_R:134346788: matched phase2
ike 0:VPN_R:357582:VPN_R:134346788: autokey
ike 0:VPN_R:357582:VPN_R:134346788: my proposal:
ike 0:VPN_R:357582:VPN_R:134346788: proposal id = 1:
ike 0:VPN_R:357582:VPN_R:134346788: protocol id = IPSEC_ESP:
ike 0:VPN_R:357582:VPN_R:134346788: trans_id = ESP_AES_CBC (key_len = 256)
ike 0:VPN_R:357582:VPN_R:134346788: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN_R:357582:VPN_R:134346788: type = AUTH_ALG, val=SHA2_256
ike 0:VPN_R:357582:VPN_R:134346788: incoming proposal:
ike 0:VPN_R:357582:VPN_R:134346788: proposal id = 1:
ike 0:VPN_R:357582:VPN_R:134346788: protocol id = IPSEC_ESP:
ike 0:VPN_R:357582:VPN_R:134346788: trans_id = ESP_AES_CBC (key_len = 256)
ike 0:VPN_R:357582:VPN_R:134346788: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN_R:357582:VPN_R:134346788: type = AUTH_ALG, val=SHA2_256
ike 0:VPN_R:357582:VPN_R:134346788: negotiation result
ike 0:VPN_R:357582:VPN_R:134346788: proposal id = 1:
ike 0:VPN_R:357582:VPN_R:134346788: protocol id = IPSEC_ESP:
ike 0:VPN_R:357582:VPN_R:134346788: trans_id = ESP_AES_CBC (key_len = 256)
ike 0:VPN_R:357582:VPN_R:134346788: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN_R:357582:VPN_R:134346788: type = AUTH_ALG, val=SHA2_256
ike 0:VPN_R:357582:VPN_R:134346788: using tunnel mode.
ike 0: comes 192.188.212.1:500->192.36.130.56:500,ifindex=39....
ike 0: IKEv1 exchange=Informational id=3685c4e73ff52049/9893912d22c52199:06bd18c5 len=108
ike 0: in 3685C4E73JJ520499893912D22C521990810050106BD18C50000006CA995EDC4C951JJE0B747DB380JAA394J2E5820CA8AB9740JA4J280534E0E5J0EB1J534BB77CBD1E97EA8469244A4E7AA761CEJA0C9E7EEC82AJJ51AD7525171BDAC78AB826B84675B60J74543E689AJ5
ike 0:VPN_R:357582: dec 3685C4E73JJ520499893912D22C521990810050106BD18C50000006C0B0000245376B200548B51E58344708DB00B012ADAC728CJBEB254J38BC10DE2C1B4B1A0000000200000000101108D283685C4E73JJ520499893912D22C52199045CA0A4000000000000000000000000
ike 0:VPN_R:357582: notify msg received: R-U-THERE
ike 0:VPN_R:357582: enc 3685C4E73JJ520499893912D22C521990810050171J1AAJB000000600B000024D6D388149A1ED41D715D6J0CA0907A16DEB38760DB3J717C85B92B44677JC8ED000000200000000101108D293685C4E73JJ520499893912D22C52199045CA0A4
ike 0:VPN_R:357582: out 3685C4E73JJ520499893912D22C521990810050171J1AAJB0000006C16EA351C91728ED74E9E59BB12B3JB09J6B7AD6E39BBDA8E5278A427985595JE37J2139AE5BADC9D874J045J1484B4619423A3DJ323D140218010D9J8EJ3CBBE76CD59B22B3C05B664DCJ300C62JEE01
ike 0:VPN_R:357582: sent IKE msg (R-U-THERE-ACK): 192.36.130.56:500->192.188.212.1:500, len=108, id=3685c4e73ff52049/9893912d22c52199:71f1aafb
ike 0: comes 192.188.212.1:500->192.36.130.56:500,ifindex=39....
ike 0: IKEv1 exchange=Quick id=3685c4e73ff52049/9893912d22c52199:d9522c07 len=172
ike 0: in 3685C4E73JJ520499893912D22C5219908102001D9522C07000000ACCCA766J9C3DA6E881AJC1AB5800047D61AC217A165CE3D772C5979BA1224A3D643260C563J83J10C833BD2285DEB89A3D654BDA18298406042EC223A73JD83537AD94JDCBBB1E3AA267B8DA6BAJABCBE8406E1EE155C4J9J2DB7A2066222J4B68E7E7E7J420JJJB90B05CE5717E37EC97543BE457D4E20JD7EC2DJ6BJEB551CJ946E46535D6JJ804D2DE125102911BEA
ike 0:VPN_R:357582: dec 3685C4E73JJ520499893912D22C5219908102001D9522C07000000AC01000024211DB055A9B711A3614J5347E3AJ64BDCJ12A9A57BJ70268A4144853AJC02D480A00003400000001000000010000002801030401700023410000001C010C00008001000180020E1080040001800500058006010005000018C9A297572D3B5D1JC33283C66A44BA85949BC57E0500000C01000000BE0066JD0000000C01000000AC1069790000000000000000
ike 0:VPN_R:357582:134346790: peer proposal is: peer:0:191.1.103.252-191.1.103.252:0, me:0:182.17.106121-182.17.106121:0
ike 0:VPN_R:357582:VPN_R:134346790: trying
ike 0:VPN_R:357582:VPN_R:134346790: matched phase2
ike 0:VPN_R:357582:VPN_R:134346790: autokey
ike 0:VPN_R:357582:VPN_R:134346790: my proposal:
ike 0:VPN_R:357582:VPN_R:134346790: proposal id = 1:
ike 0:VPN_R:357582:VPN_R:134346790: protocol id = IPSEC_ESP:
ike 0:VPN_R:357582:VPN_R:134346790: trans_id = ESP_AES_CBC (key_len = 256)
ike 0:VPN_R:357582:VPN_R:134346790: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN_R:357582:VPN_R:134346790: type = AUTH_ALG, val=SHA2_256
ike 0:VPN_R:357582:VPN_R:134346790: incoming proposal:
ike 0:VPN_R:357582:VPN_R:134346790: proposal id = 1:
ike 0:VPN_R:357582:VPN_R:134346790: protocol id = IPSEC_ESP:
ike 0:VPN_R:357582:VPN_R:134346790: trans_id = ESP_AES_CBC (key_len = 256)
ike 0:VPN_R:357582:VPN_R:134346790: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN_R:357582:VPN_R:134346790: type = AUTH_ALG, val=SHA2_256
ike 0:VPN_R:357582:VPN_R:134346790: negotiation result
ike 0:VPN_R:357582:VPN_R:134346790: proposal id = 1:
ike 0:VPN_R:357582:VPN_R:134346790: protocol id = IPSEC_ESP:
ike 0:VPN_R:357582:VPN_R:134346790: trans_id = ESP_AES_CBC (key_len = 256)
ike 0:VPN_R:357582:VPN_R:134346790: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN_R:357582:VPN_R:134346790: type = AUTH_ALG, val=SHA2_256
ike 0:VPN_R:357582:VPN_R:134346790: using tunnel mode.
ike 0:VPN_R:357582:VPN_R:134346788: IPsec SA selectors #src=9 #dst=6
ike 0:VPN_R:357582:VPN_R:134346788: src 0 4 0:182.17.106121/255.255.255.255:0
ike 0:VPN_R:357582:VPN_R:134346788: src 1 4 0:182.17.106122/255.255.255.255:0
ike 0:VPN_R:357582:VPN_R:134346788: src 2 4 0:182.17.10624/255.255.255.255:0
ike 0:VPN_R:357582:VPN_R:134346788: src 3 4 0:182.17.10625/255.255.255.255:0
ike 0:VPN_R:357582:VPN_R:134346788: src 4 4 0:182.17.10626/255.255.255.255:0
ike 0:VPN_R:357582:VPN_R:134346788: src 5 4 0:182.17.10627/255.255.255.255:0
ike 0:VPN_R:357582:VPN_R:134346788: src 6 4 0:182.17.10630/255.255.255.255:0
ike 0:VPN_R:357582:VPN_R:134346788: src 7 4 0:182.17.10619/255.255.255.255:0
ike 0:VPN_R:357582:VPN_R:134346788: src 8 4 0:182.17.10620/255.255.255.255:0
ike 0:VPN_R:357582:VPN_R:134346788: dst 0 4 0:193.168.18.70/255.255.255.255:0
ike 0:VPN_R:357582:VPN_R:134346788: dst 1 4 0:191.1.103.252/255.255.255.255:0
ike 0:VPN_R:357582:VPN_R:134346788: dst 2 4 0:191.1.104.21/255.255.255.255:0
ike 0:VPN_R:357582:VPN_R:134346788: dst 3 4 0:191.1.104.24/255.255.255.255:0
ike 0:VPN_R:357582:VPN_R:134346788: dst 4 4 0:191.1.105.141/255.255.255.255:0
ike 0:VPN_R:357582:VPN_R:134346788: dst 5 4 0:191.1.105.159/255.255.255.255:0
ike 0:VPN_R:357582:VPN_R:134346788: add IPsec SA: SPIs=e1327df6/f2b000fb
ike 0:VPN_R:357582:VPN_R:134346788: IPsec SA dec spi e1327dJ6 key 32:8E558B75ADCJAJCC3DDB80171671521DE7390346C8E00719843DBE1D9EA80EA4 Auth 32:74D8888612C46D0J26826CB874819B142B19E332DJ0ADCBD23B85D7327C051DA
ike 0:VPN_R:357582:VPN_R:134346788: IPsec SA enc spi J2b000Jb key 32:0A34A523J085E3A92129089J05722808542642J3919B3C02442C70629449E276 Auth 32:50816960D5CC9CE5E1CACC356732B67B4330B8C9060D4E885A0BB9364045B948
ike 0:VPN_R:357582:VPN_R:134346788: added IPsec SA: SPIs=e1327df6/f2b000fb
ike 0:VPN_R:357582:VPN_R:134346788: sending SNMP tunnel UP trap
ike 0:VPN_R:357582: enc 3685C4E73JJ520499893912D22C521990810200112A8AB10000000A001000024896DDJ70J62DJ42C4C680276AACB3J6J66C6JD31DE180EJ95051DD118321AA450A00003400000001000000010000002801030401E1327DJ60000001C010C00008001000180020E108004000180050005800601000500001460ACCE2C1D3AD48D06DD2J805C4E4BAE0500000C01000000BE0068A00000000C01000000AC106979
ike 0:VPN_R:357582: out 3685C4E73JJ520499893912D22C521990810200112A8AB10000000ACD34573J4E7C5364AA6626BA2AJA0D208B463C6DB8AD43747363A70A79C81E04B7861782CJDDD4D78JA99A54JE8J662C75B32B1BE52950825BCJECE4A9028C5886240A3E5D833AJD17807EE28A36CD59C415EAA8466JD88CJC745DB2539076EB8B61E858AE17DA7AJE6E5E32880787C17D547BE250E540AE85E546CB6167996J369A3AD1D4D46C0E51057CD65JJ562DE3
ike 0:VPN_R:357582: sent IKE msg (quick_r1send): 192.36.130.56:500->192.188.212.1:500, len=172, id=3685c4e73ff52049/9893912d22c52199:12a8ab10
ike 0:VPN_R:357582:VPN_R:134346790: IPsec SA selectors #src=9 #dst=6
ike 0:VPN_R:357582:VPN_R:134346790: src 0 4 0:182.17.106121/255.255.255.255:0
ike 0:VPN_R:357582:VPN_R:134346790: src 1 4 0:182.17.106122/255.255.255.255:0
ike 0:VPN_R:357582:VPN_R:134346790: src 2 4 0:182.17.10624/255.255.255.255:0
ike 0:VPN_R:357582:VPN_R:134346790: src 3 4 0:182.17.10625/255.255.255.255:0
ike 0:VPN_R:357582:VPN_R:134346790: src 4 4 0:182.17.10626/255.255.255.255:0
ike 0:VPN_R:357582:VPN_R:134346790: src 5 4 0:182.17.10627/255.255.255.255:0
ike 0:VPN_R:357582:VPN_R:134346790: src 6 4 0:182.17.10630/255.255.255.255:0
ike 0:VPN_R:357582:VPN_R:134346790: src 7 4 0:182.17.10619/255.255.255.255:0
ike 0:VPN_R:357582:VPN_R:134346790: src 8 4 0:182.17.10620/255.255.255.255:0
ike 0:VPN_R:357582:VPN_R:134346790: dst 0 4 0:193.168.18.70/255.255.255.255:0
ike 0:VPN_R:357582:VPN_R:134346790: dst 1 4 0:191.1.103.252/255.255.255.255:0
ike 0:VPN_R:357582:VPN_R:134346790: dst 2 4 0:191.1.104.21/255.255.255.255:0
ike 0:VPN_R:357582:VPN_R:134346790: dst 3 4 0:191.1.104.24/255.255.255.255:0
ike 0:VPN_R:357582:VPN_R:134346790: dst 4 4 0:191.1.105.141/255.255.255.255:0
ike 0:VPN_R:357582:VPN_R:134346790: dst 5 4 0:191.1.105.159/255.255.255.255:0
ike 0:VPN_R:357582:VPN_R:134346790: add IPsec SA: SPIs=e1327df7/70002341
ike 0:VPN_R:357582:VPN_R:134346790: IPsec SA dec spi e1327dJ7 key 32:EEC4976961B11BJ9BE9219A9409DJ26D9403CE459927AE5096330C306CEBD8JE Auth 32:986J2588C40JEEB1B31286A33J44856EC4A38BD03146CJ50B31121C77087B194
ike 0:VPN_R:357582:VPN_R:134346790: IPsec SA enc spi 70002341 key 32:C650B4JC6DDBJ2C11E36B3C1E4DEBA59JCC0J7C0944D7A0C56DA74AE8C467498 Auth 32:DJEJB97375113411483A51DBD925810126B5CBAB1D42B97140BJ1E1J7541A6EA
ike 0:VPN_R:357582:VPN_R:134346790: added IPsec SA: SPIs=e1327df7/70002341
ike 0:VPN_R:357582: enc 3685C4E73JJ520499893912D22C5219908102001D9522C07000000A0010000244B38BA413B9J7EE419699593EEJA09J1JD6DJ53BJBJA7JA72DAA729D7AD4E5810A00003400000001000000010000002801030401E1327DJ70000001C010C00008001000180020E10800400018005000580060100050000149JA8014003DB8B5684231496574AJJEB0500000C01000000BE0066JD0000000C01000000AC106979
ike 0:VPN_R:357582: out 3685C4E73JJ520499893912D22C5219908102001D9522C07000000AC84B17J49AD176J58C44942183287783BJ6CC578A6JAJD6627JEJ62AD39D7B5787E85DD872A76627766BCC18E2AD2B0C63374919BA055861AD7A8A560B7591E2AEB6DABEE22E59361JEBE36144940652AAED085B56B9EE18C296BC7J1E4745142AB167D774C00EE824D5465EDA43B5B8CA2B44401JJ4J806C45CC04A98ABA63C3E7E9D65JC7E345732C403A3856300DCD
ike 0:VPN_R:357582: sent IKE msg (quick_r1send): 192.36.130.56:500->192.188.212.1:500, len=172, id=3685c4e73ff52049/9893912d22c52199:d9522c07
ike 0: comes 192.188.212.1:500->192.36.130.56:500,ifindex=39....
ike 0: IKEv1 exchange=Quick id=3685c4e73ff52049/9893912d22c52199:12a8ab10 len=76
ike 0: in 3685C4E73JJ520499893912D22C521990810200112A8AB100000004C4CE6E7JEAD439E95D533BJ5J3C290J976A9D7B30C22B22DA36B5ECDECD5JE0J0D500967A88J56E2A7B011EAJ7732AB25
ike 0:VPN_R:357582: dec 3685C4E73JJ520499893912D22C521990810200112A8AB100000004C00000024867DJ16BA1159257852C912523BA27CBC40A84B8BACA2CA369ECJ1C4AC21AD87000000000000000000000000
ike 0:VPN_R:VPN_R:134346788: send SA_DONE SPI 0xf2b000fb
ike 0: comes 192.188.212.1:500->192.36.130.56:500,ifindex=39....
ike 0: IKEv1 exchange=Quick id=3685c4e73ff52049/9893912d22c52199:d9522c07 len=76
ike 0: in 3685C4E73JJ520499893912D22C5219908102001D9522C070000004CA84J3E20B56E8641JD1EE18403A9E3080E064C71931AA8255569DA5E625J9C6A0C271594906E91AA6310617225J0DAD1
ike 0:VPN_R:357582: dec 3685C4E73JJ520499893912D22C5219908102001D9522C070000004C00000024832591E8890B5163CJ1EJDJ44J90B8A452948D2018E4B824ACB1515EAB59C92J000000000000000000000000
ike 0:VPN_R:VPN_R:134346790: send SA_DONE SPI 0x70002341
ike 0:VPN_R: HA IPsec send ESP seqno 1
*************************************************************
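The debug above shows the pattern worth checking when selectors flap: every Quick Mode proposal from the peer carries a single host-to-host pair, while the Fortigate phase2 advertises `#src=9 #dst=6`, and SA deletes alternate with SA adds. This added example (not from the post, not Fortinet code) parses `diagnose debug application ike` style lines and reports both signals. The log lines are constructed with RFC 5737 test addresses, and the regexes assume the message wording seen in the post.

```python
import re
from collections import defaultdict

# Constructed sample in the format of FortiOS ike debug output (test addresses,
# not the post's real log; wording follows the lines quoted in the post).
SAMPLE_LOG = """\
ike 0:VPN_R: deleting IPsec SA with SPI 20b8507a
ike 0:VPN_R: deleting IPsec SA with SPI a2580a57
ike 0:VPN_R:357582:134346788: peer proposal is: peer:0:198.51.100.159-198.51.100.159:0, me:0:192.0.2.121-192.0.2.121:0
ike 0:VPN_R:357582:VPN_R:134346788: IPsec SA selectors #src=9 #dst=6
ike 0:VPN_R:357582:VPN_R:134346788: add IPsec SA: SPIs=e1327df6/f2b000fb
ike 0:VPN_R:357582:134346790: peer proposal is: peer:0:198.51.100.252-198.51.100.252:0, me:0:192.0.2.121-192.0.2.121:0
ike 0:VPN_R:357582:VPN_R:134346790: IPsec SA selectors #src=9 #dst=6
ike 0:VPN_R:357582:VPN_R:134346790: add IPsec SA: SPIs=e1327df7/70002341
"""

# Tunnel name is the field right after "ike <n>:"; the rest is matched loosely.
RE_PROPOSAL = re.compile(r"^ike \d+:(?P<tun>[^:]+):.*peer proposal is: "
                         r"peer:\d+:(?P<peer>[\d.]+-[\d.]+):\d+, me:\d+:(?P<me>[\d.]+-[\d.]+)")
RE_SELECTORS = re.compile(r"^ike \d+:(?P<tun>[^:]+):.*IPsec SA selectors #src=(?P<src>\d+) #dst=(?P<dst>\d+)")
RE_ADD = re.compile(r"^ike \d+:(?P<tun>[^:]+):.*\badd IPsec SA: SPIs=", re.IGNORECASE)
RE_DEL = re.compile(r"^ike \d+:(?P<tun>[^:]+):.*deleting IPsec SA with SPI")

def analyse(log):
    """Per tunnel: SA add/delete counts, distinct peer-proposed (peer, me) ranges,
    and the local selector fan-out (src count x dst count)."""
    st = defaultdict(lambda: {"adds": 0, "deletes": 0, "pairs": set(), "fanout": 0})
    for line in log.splitlines():
        if m := RE_PROPOSAL.search(line):
            st[m["tun"]]["pairs"].add((m["peer"], m["me"]))
        elif m := RE_SELECTORS.search(line):
            st[m["tun"]]["fanout"] = int(m["src"]) * int(m["dst"])
        elif m := RE_ADD.search(line):
            st[m["tun"]]["adds"] += 1
        elif m := RE_DEL.search(line):
            st[m["tun"]]["deletes"] += 1
    return dict(st)

def findings(stats):
    """Flag a selector-granularity mismatch and SA churn, the two things to verify
    before touching phase1/phase2 settings on either firewall."""
    out = []
    for tun, s in stats.items():
        # A range "a-a" means the peer proposed a single host, not a subnet.
        single_host = all(lo == hi for pair in s["pairs"]
                          for lo, hi in (rng.split("-") for rng in pair))
        if s["fanout"] > 1 and s["pairs"] and single_host:
            out.append(f"{tun}: peer negotiates one SA per host pair ({len(s['pairs'])} seen) "
                       f"but local phase2 covers {s['fanout']} src/dst combinations")
        if s["deletes"] and s["deletes"] >= s["adds"]:
            out.append(f"{tun}: SA churn, {s['deletes']} deletes vs {s['adds']} adds")
    return out
```

Run `findings(analyse(SAMPLE_LOG))`; on a real capture, compare the number of distinct host pairs the peer proposes against the src/dst selector lists the Fortigate prints for each SA.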
hbarcenas
Posts: 7
Joined: 02 Nov 2017, 17:20
Location: Medellín Colombia

Re: Site-to-Site VPN (Fortigate-SonicWall) Encryption Domains

Post by hbarcenas »

Friend, in FortiOS versions 5.2 and later, IKEv2 only works with up to 32 subnets, so on that side we have no problem, provided it is against another Fortigate, since both ends must have the same quality and protocol to work correctly. I don't know the SonicWall's limitations, but you should look into how to enable the IKEv2 protocol on that firewall to improve the pairing. The other thing is to take into account the bandwidth or shaper you have assigned to the VPN, but according to the log you show, the problem is that the SonicWall is not able to receive that many pairing requests.