Remote site VPN.

For topics about VPNs, including configuration, troubleshooting and interoperability.

j.urena
Posts: 113
Joined: 04 Mar 2013, 20:52
Location: Dominican Republic

Remote site VPN.

Post by j.urena »

Good afternoon,

I recently configured an FG60C for a remote location (very remote), so that it connects via IPsec VPN to an FG620B.

Before shipping the unit to the location the VPN worked fine, and when it was connected there it worked fine, but at some point it lost the connection, apparently due to a power outage. Today when they powered the unit on, the VPN did not come up, so I have no connectivity.

Running debug app ike -1, I see there is some sort of negotiation going on, but the VPN has not come up all day, more than 5 hours. What could it be??? Could it be that the internet at the remote site is very unstable??

The remote site has the VPN configured with the main site's static IP; the main site is in dial-up mode.

Here is the debug log (both units run FortiOS 4 MR3 Patch 12).

Code:

HA1 (root) # ike 0:vpnSD-R:17432: negotiation timeout, deleting
ike 0:vpnSD-R: connection expiring due to phase1 down
ike 0:vpnSD-R: deleting
ike 0:vpnSD-R: flushing
ike 0:vpnSD-R: sending SNMP tunnel DOWN trap
ike 0:vpnSD-R: flushed
ike 0:vpnSD-R: deleted
ike 0: comes 186.6.219.103:500->190.80.144.213:500,ifindex=3....
ike 0: IKEv1 exchange=Identity Protection id=524823bc39d43441/0000000000000000 len=276
ike 0: in 524823BC39D434410000000000000000011002000000000000000110E000014AFCAD71368A1F1C96B8696FC77570100000000148299031757A36082C6A621DE00040290
ike 0:Dial-In VPN:17433: responder: main mode get 1st message...
ike 0:Dial-In VPN:17433: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:Dial-In VPN:17433: VID draft-ietf-ipsec-nat-t-ike-03 75310CA6F2C179D9215529D56
ike 0:Dial-In VPN:17433: VID draft-ietf-ipsec-nat-t-ike-02 CD60464CFDB2FC68B6A448
ike 0:Dial-In VPN:17433: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E5EC427B1F
ike 0:Dial-In VPN:17433: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A40660AEAA862
ike 0:Dial-In VPN:17433: VID draft-ietf-ipsec-nat-t-ike-00 448515BCD0BE8A8469579DDCC
ike 0:Dial-In VPN:17433: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:Dial-In VPN:17433: DPD negotiated
ike 0:Dial-In VPN:17433: VID FORTIGATE 8299031757A321DE00040290
ike 0:Dial-In VPN:17433: peer is FortiGate/FortiOS (v4 b656)
ike 0:vpnSD-R:17433: negotiation result
ike 0:vpnSD-R:17433: proposal id = 1:
ike 0:vpnSD-R:17433:   protocol id = ISAKMP:
ike 0:vpnSD-R:17433:      trans_id = KEY_IKE.
ike 0:vpnSD-R:17433:      encapsulation = IKE/none
ike 0:vpnSD-R:17433:         type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:vpnSD-R:17433:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:vpnSD-R:17433:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:vpnSD-R:17433:         type=OAKLEY_GROUP, val=1536.
ike 0:vpnSD-R:17433: ISKAMP SA lifetime=28800
ike 0:vpnSD-R:17433: selected NAT-T version: RFC 3947
ike 0:vpnSD-R:17433: cookie 524823bc39d43441/a7874b8c842b0084
ike 0:vpnSD-R:17433: out 524823BC39D43441A7874B8C842B0084011002005728F20E95452F0D000014AFCAD71368A1F1C96B8696FC77570100000000148299031757A36082C6A621DE00040290
ike 0:vpnSD-R:17433: sent IKE msg (ident_r1send): 190.80.144.213:500->186.6.219.103:500, len=140, id=524823bc39d43441/a7874b8c842b0084
ike 0: comes 186.6.219.103:500->190.80.144.213:500,ifindex=3....
ike 0: IKEv1 exchange=Identity Protection id=524823bc39d43441/0000000000000000 len=276
ike 0: in 524823BC39D4344100000000000000005529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BB0148299031757A36082C6A621DE00040290
ike 0:vpnSD-R:17433: retransmission, re-send last message
ike 0:vpnSD-R:17433: out 524823BC39D43441A7874B8C842B0084011002000052F0D000014AFCAD71368A1F1C96B8696FC77570100000000148299031757A36082C6A621DE00040290
ike 0:vpnSD-R:17433: sent IKE msg (retransmit): 190.80.144.213:500->186.6.219.103:500, len=140, id=524823bc39d43441/a7874b8c842b0084
ike 0:vpnSD-R:17433: out 524823BC39D43441A7874B8C842B008401100200000000000000008C81070358455C5728F20E95452F0D000014AFCAD71368A1F1C96B8696FC77570100000000148299031757A36082C6A621DE00040290
ike 0:vpnSD-R:17433: sent IKE msg (P1_RETRANSMIT): 190.80.144.213:500->186.6.219.103:500, len=140, id=524823bc39d43441/a7874b8c842b0084
ike 0: comes 186.6.219.103:500->190.80.144.213:500,ifindex=3....
ike 0: IKEv1 exchange=Identity Protection id=524823bc39d43441/0000000000000000 len=276
ike 0: in 524823BC39D4344100000000000000000110020000000000000001140D00005800000001000000010000004C010100020300002001010000800B0001800C7080800100058003000180020002800400050000002402010000800B0001800C7080800C68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D000014AFCAD71368A1F1C96B8696FC77570100000000148299031757A36082C6A621DE00040290
ike 0:vpnSD-R:17433: retransmission, re-send last message
ike 0:vpnSD-R:17433: out 524823BC39100200000000000000008C0D000034000000010000000000002001010000800B0001800C7080800100058003000180020002800400050D0000144A131C81070358455C5728F20E95452F0D000014AFCAD71368A1F1C96B8696FC7757A36082C6A621DE00040290
ike 0:vpnSD-R:17433: sent IKE msg (retransmit): 190.80.144.213:500->186.6.219.103:500, len=140, id=524823bc39d43441/a7874b8c842b0084
ike 0:vpnSD-R:17433: out 524823BC39D43441A7874B8C842B008401100200000000000010000000100000028010100010000002000800100058003000180020002800400050D0000144A131C81070358455C5728F20E95452F014AFCAD71368A1F1C96B8696FC77570100000C6A621DE00040290
ike 0:vpnSD-R:17433: sent IKE msg (P1_RETRANSMIT): 190.80.144.213:500->186.6.219.103:500, len=140, id=524823bc39d43441/a7874b8c842b0084


Using FG620B
FortiOS v4 MR3 Patch 12

gabyrossi
Posts: 10899
Joined: 30 Oct 2007, 19:47

Re: Remote site VPN.

Post by gabyrossi »

try building the VPN in aggressive mode, setting a local id.

regards.
NSE 7 – Fortinet Network Security Architect
NSE 5 - Network Security Analyst
j.urena
Posts: 113
Joined: 04 Mar 2013, 20:52
Location: Dominican Republic

Re: Remote site VPN.

Post by j.urena »

gabyrossi wrote: try building the VPN in aggressive mode, setting a local id.

regards.


I just configured it as you told me:

FG620B

Code:

config vpn ipsec phase1-interface
    edit "vpnSD-R-2"
        set type dynamic
        set interface "port18"
        set peertype one
        set mode aggressive
        set proposal 3des-sha1 aes128-sha1
        set localid "gcnewhorizons.net"
        set peerid "ranchodonrey"
        set psksecret ENC AAZUVDQ+3Nq2CsRf/I6+JpQEOI6g4KF750jML/F7mgoAD4HoM427f0gdaPQpqdMm7Imhf5CduWKa7Nvl8b8Dl5X0tM+TIRV2H2UjkYQfoI7pTbqS
    next
end


Code:

config vpn ipsec phase2-interface
    edit "vpnSD-Rp2-2"
        set keepalive enable
        set phase1name "vpnSD-R-2"
        set proposal 3des-sha1 aes128-sha1
    next
end


FG60C

Code:

config vpn ipsec phase1-interface

    edit "vpnR-SD-2"
        set interface "wan1"
        set peertype one
        set mode aggressive
        set proposal 3des-sha1 aes128-sha1
        set localid "ranchodonrey"
        set remote-gw 190.80.144.213
        set peerid "gcnewhorizons.net"
        set psksecret ENC QR3rN3Cw3haTRaTM2/Tj/jbwo/xTHgym7/72oCAkTS0Mhh9++6ZHyDt5pBQdokULD9Da3gdSZyjX7Z/iImvOEc7VaanqYe0j+wMkVmSCls0q9gdt
    next
end


Code:

config vpn ipsec phase2-interface
    edit "vpnR-SDp2-2"
        set keepalive enable
        set phase1name "vpnR-SD-2"
        set proposal 3des-sha1 aes128-sha1
    next
end


Debug application ike -1 (FG620B)

Code:

HA1 (root) #
HA1 (root) # ike 0:vpnSD-R-2:18101: negotiation timeout, deleting
ike 0:vpnSD-R-2: connection expiring due to phase1 down
ike 0:vpnSD-R-2: deleting
ike 0:vpnSD-R-2: flushing
ike 0:vpnSD-R-2: sending SNMP tunnel DOWN trap
ike 0:vpnSD-R-2: flushed
ike 0:vpnSD-R-2: deleted
ike 0: comes 186.6.203.40:500->190.80.144.213:500,ifindex=3....
ike 0: IKEv1 exchange=Aggressive id=a946891f77b/000000000000 len=512
ike 0: in A946891B3DA5F77B00000000000000000110040000000000000002000400005800000001000000010000009419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D000014AFCAD71368A1F1C96B8696FC77570100000000148299031757A36082C6A621DE00040290
ike 0: IKEv1 Aggressive, comes 186.6.203.40:500->190.80.144.213 3, peer-id=ranchodonrey.
ike 0:vpnSD-R-2:18102: responder: aggressive mode get 1st message...
ike 0:vpnSD-R-2:18102: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:vpnSD-R-2:18102: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:vpnSD-R-2:18102: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
ike 0:vpnSD-R-2:18102: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:vpnSD-R-2:18102: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
ike 0:vpnSD-R-2:18102: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:vpnSD-R-2:18102: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:vpnSD-R-2:18102: DPD negotiated
ike 0:vpnSD-R-2:18102: VID FORTIGATE 8299031757A36082C6A621DE00040290
ike 0:vpnSD-R-2:18102: peer is FortiGate/FortiOS (v4 b656)
ike 0:vpnSD-R-2:18102: negotiation result
ike 0:vpnSD-R-2:18102: proposal id = 1:
ike 0:vpnSD-R-2:18102:   protocol id = ISAKMP:
ike 0:vpnSD-R-2:18102:      trans_id = KEY_IKE.
ike 0:vpnSD-R-2:18102:      encapsulation = IKE/none
ike 0:vpnSD-R-2:18102:         type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:vpnSD-R-2:18102:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:vpnSD-R-2:18102:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:vpnSD-R-2:18102:         type=OAKLEY_GROUP, val=1536.
ike 0:vpnSD-R-2:18102: ISKAMP SA lifetime=28800
ike 0:vpnSD-R-2:18102: selected NAT-T version: RFC 3947
ike 0:vpnSD-R-2:18102: cookie a946891b3da5f77b/d63c167977c53106
ike 0:vpnSD-R-2:18102: ISAKMP SA a946891b3da5f77b/d63c167977c53106 key 24:8D48672377C344840F4073C65F98FEA99CF6BEE5278B27F6
ike 0:vpnSD-R-2:18102: out A946891B3DA5F77BD63C167977C531060110040000000000000001C5040000340000005C4F22A7118DA45B0506E5FB080000190200000067636E6577686F72697A6F6E732E6E65740D000018DCBFE7B48AF7966B5E0CD6188D6EB8EA0E8D41E0140000144A131C81070358455C5728F20E95452F140000187AD487747546AA04948184EEF08E422F6031055F0D0000188062ED80CB719838C7BDE273D823BDA54526AFF10D000014AFCAD71368A1F1C96B8696FC77570100000000148299031757A36082C6A621DE00040290
ike 0:vpnSD-R-2:18102: retransmission, re-send last message
ike 0:vpnSD-R-2:18102: out A946891B3DA5F77BD63C167977C531060110040000000000000001C50400003400E5D5C4F22A7118DA45B0506E5FB080000190200000067636E6577686F72697A6F6E732E6E65740D000018DCBFE7B48AF7966B5E0CD6188D6EB8EA0E8D41E0140000144A131C81070358455C5728F20E95452F140000187AD487747546AA04948184EEF08E422F6031055F0D0000188062ED80CB719838C7BDE273D823BDA54526AFF10D000014AFCAD71368A1F1C96B8696FC77570100000000148299031757A36082C6A621DE00040290
ike 0:vpnSD-R-2:18102: sent IKE msg (retransmit): 190.80.144.213:500->186.6.203.40:500, len=453, id=a946891b3da5f77b/d63c167977c53106
ike 0:vpnSD-R-2:18102: out A946891B3DA5F77BD63C167977C531060110040000000000000001C504000034000000010000000100000028010100010000002001010000800B0001800C7080800100058003000180020002800400050A0000C4C1CA3C310DBDAD343A2EF1E3DD4C9C5523D8B20604AEF783245D28136DE2D7DE0000187AD487747546AA04948184EEF08E422F6031055F0D0000188062ED80CB719838C7BDE273D823BDA54526AFF10D000014AFCAD71368A1F1C96B8696FC77570100000000148299031757A36082C6A621DE00040290
ike 0:vpnSD-R-2:18102: sent IKE msg (P1_RETRANSMIT): 190.80.144.213:500->186.6.203.40:500, len=453, id=a946891b3da5f77b/d63c167977c53106
ike 0: comes 186.6.203.40:500->190.80.144.213:500,ifindex=3....
ike 0: IKEv1 exchange=Aggressive id=a946891b3da5f77b/0000000000000000 len=512
ike 0: in A946891B3DA5F77B00000000000000000110040000000000000002000400005800000001000000010000004C010100020300002001010000800B0001800C7080800100058003000180020002800400050000002402010000800B0001800C708080010007800E008080030001800200028004000EAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D000014AFCAD71368A1F1C96B8696FC77570100000000148299031757A36082C6A621DE00040290
ike 0:vpnSD-R-2:18102: retransmission, re-send last message
ike 0:vpnSD-R-2:18102: out A946891B3DA5F77BD63C167977C531060110040000000000000001C504000034000000010000000100000028010100010000002001010000800B0001800C7080800100058003000180020002800400050A0000C4C1CA3C310DBDAD343A2EF1E3DD4C9C5523D8B20604AEF783245D2813452F140000187AD487747546AA04948184EEF08E422F6031055F0D0000188062ED80CB719838C7BDE273D823BDA54526AFF10D000014AFCAD71368A1F1C96B8696FC77570100000000148299031757A36082C6A621DE00040290
ike 0:vpnSD-R-2:18102: sent IKE msg (retransmit): 190.80.144.213:500->186.6.203.40:500, len=453, id=a946891b3da5f77b/d63c167977c53106
ike 0:vpnSD-R-2:18102: out A946891B3DA5F77BD63C167977C531060110040000000000000001C504000034000000010000000100000028010100010000002001010000800B0001800C7080800100058003000180020002800400050A0000C4C1CA3C310DBDAD343A2EF1E3DD4C9C5523D8B20604AEF783245D28136DE2F140000187AD487747546AA04948184EEF08E422F6031055F0D0000188062ED80CB719838C7BDE273D823BDA54526AFF10D000014AFCAD71368A1F1C96B8696FC77570100000000148299031757A36082C6A621DE00040290
ike 0:vpnSD-R-2:18102: sent IKE msg (P1_RETRANSMIT): 190.80.144.213:500->186.6.203.40:500, len=453, id=a946891b3da5f77b/d63c167977c53106



dia deb app ike -1 (FG60C)

Code:

FGT60C3G11021210 # ike 0:vpnR-SD-2:289: negotiation timeout, deleting

ike 0:vpnR-SD-2: connection expiring due to phase1 down

ike 0:vpnR-SD-2: deleting

ike 0:vpnR-SD-2: flushing

ike 0:vpnR-SD-2: flushed

ike 0:vpnR-SD-2: deleted

ike 0:vpnR-SD-2: schedule auto-negotiate

ike 0:vpnR-SD-2: auto-negotiate connection

ike 0:vpnR-SD-2: created connection: 0x1d1d4d0 4 10.0.0.10->190.80.144.213:500.

ike 0:vpnR-SD-2:290: initiator: aggressive mode is sending 1st message...

ike 0:vpnR-SD-2:290: cookie 150b10347ff43f35/0000000000000000

ike 0:vpnR-SD-2:290: out 150B10347FF43F3500000000000000000110040000000000000002000400005800000001000000010000004C010100020300002001010000800B0001800C7080800100058003000180020002800400050000002402010000800B0001800C708080010007800E00808003000180020002800400050A0000C4CF2\464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D000014AFCAD71368A1F1C96B8696FC77570100000000148299031757A36082C6A621DE00040290

ike 0:vpnR-SD-2:290: sent IKE msg (agg_i1send): 10.0.0.10:500->190.80.144.213:500, len=512, id=150b10ff43f35/0000000000

ike 0:vpnR-SD-2:290: out 150B10347FF43F3500000000000000000110040000000000000002000400005800000001000000010000004C010100020300002001010000800B0001800C7080800100058003000180020002800400050000002402010000800B0001800C708080010007800E00808003000180020002800400050A0000C4CF21C\DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D000014AFCAD71368A1F1C96B8696FC77570100000000148299031757A36082C6A621DE00040290

ike 0:vpnR-SD-2:290: sent IKE msg (P1_RETRANSMIT): 10.0.0.10:500->190.80.144.213:500, len=512, id=150b1f43f35/00000000000000

ike 0:vpnR-SD-2:290: out 150B10347FF43F3500000000000000000110040000000000000002000400005800000001000000010000004C010100020300002001010000800B0001800C7080800100058003000180020002800400050000002402010000800B0001800C708080010007800E00808003000180020002800400050A0000C4CF21CBCB454567BBAFC4BA46F57F7DA69DE44B3E89E9F04AC7E447F3EBDB29BF9E6B3BE189550AB4F9DE479384847A027F973C9189B1021D569B9DA06D555A946935C75F73DDDCC0D000014AFCAD71368A1F1C96B8696FC77570100000000148299031757A36082C6A621DE00040290

ike 0:vpnR-SD-2:290: sent IKE msg (P1_RETRANSMIT): 10.0.0.10:500->190.80.144.213:500, len=512, id=150b10347ff43f35/0000000000000000

 


Any ideas??
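As an added example (not from this thread and not Fortinet code), a small Python triage script run over constructed log lines shaped like the "diag debug app ike -1" output posted above. It counts IKE packets per direction, flags a private local address (a NAT device in front of the gateway, as the FG60C log shows with 10.0.0.10), and tells apart the two halves of the failure seen here: the responder answering while the peer keeps re-sending its first message, and the initiator never receiving any reply.

```python
import ipaddress
import re

# Constructed sample lines, modelled on the "diag debug app ike -1" output in this
# thread (hex payload dumps omitted); they are not the page's exact log text.
RESPONDER_LOG = """\
ike 0: comes 186.6.203.40:500->190.80.144.213:500,ifindex=3....
ike 0:vpnSD-R-2:18102: responder: aggressive mode get 1st message...
ike 0:vpnSD-R-2:18102: sent IKE msg (retransmit): 190.80.144.213:500->186.6.203.40:500, len=453
ike 0:vpnSD-R-2:18102: sent IKE msg (P1_RETRANSMIT): 190.80.144.213:500->186.6.203.40:500, len=453
ike 0: comes 186.6.203.40:500->190.80.144.213:500,ifindex=3....
ike 0:vpnSD-R-2:18102: retransmission, re-send last message
ike 0:vpnSD-R-2:18102: negotiation timeout, deleting
"""
INITIATOR_LOG = """\
ike 0:vpnR-SD-2:290: initiator: aggressive mode is sending 1st message...
ike 0:vpnR-SD-2:290: sent IKE msg (agg_i1send): 10.0.0.10:500->190.80.144.213:500, len=512
ike 0:vpnR-SD-2:290: sent IKE msg (P1_RETRANSMIT): 10.0.0.10:500->190.80.144.213:500, len=512
ike 0:vpnR-SD-2:290: sent IKE msg (P1_RETRANSMIT): 10.0.0.10:500->190.80.144.213:500, len=512
ike 0:vpnR-SD-2:290: negotiation timeout, deleting
"""

COMES = re.compile(r"comes (\S+?):\d+->(\S+?):\d+")                   # peer -> us
SENT = re.compile(r"sent IKE msg \((\w+)\): (\S+?):\d+->(\S+?):\d+")  # us -> peer


def analyse_ike_log(text):
    """Count phase-1 packets per direction and name the failure pattern seen."""
    s = {"received": 0, "sent": 0, "retransmits": 0, "peer_resent": 0,
         "timeouts": 0, "local_ip": None, "peer_ip": None, "findings": []}
    for line in text.splitlines():
        m = COMES.search(line)
        if m:
            s["received"] += 1
            s["peer_ip"], s["local_ip"] = m.group(1), m.group(2)
        m = SENT.search(line)
        if m:
            s["sent"] += 1
            s["local_ip"], s["peer_ip"] = m.group(2), m.group(3)
            if "retransmit" in m.group(1).lower():
                s["retransmits"] += 1
        if "retransmission, re-send last message" in line:
            s["peer_resent"] += 1   # peer repeated a message we had already answered
        if "negotiation timeout" in line:
            s["timeouts"] += 1
    if s["local_ip"] and ipaddress.ip_address(s["local_ip"]).is_private:
        s["findings"].append("local_behind_nat")   # a NAT device fronts this gateway
    if s["sent"] and not s["received"]:
        s["findings"].append("no_reply_received")  # initiator never hears back
    if s["received"] and s["retransmits"] and s["peer_resent"]:
        # we answer, but the peer keeps re-sending its first message: our replies are lost
        s["findings"].append("replies_not_reaching_peer")
    if s["timeouts"]:
        s["findings"].append("phase1_timeout")
    return s
```

On a real capture, feed each gateway's own debug output to analyse_ike_log and compare the two results: "local_behind_nat" plus "no_reply_received" on one side and "replies_not_reaching_peer" on the other points at the NAT or filtering device between them rather than at the IKE proposals.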
gabyrossi
Posts: 10899
Joined: 30 Oct 2007, 19:47

Re: Remote site VPN.

Post by gabyrossi »

hi, check why it shows a private ip... 10.0.0.10:500->190.80.144.213:500

regards.
j.urena
Posts: 113
Joined: 04 Mar 2013, 20:52
Location: Dominican Republic

Re: Remote site VPN.

Post by j.urena »

gabyrossi wrote: hi, check why it shows a private ip... 10.0.0.10:500->190.80.144.213:500

regards.

That IP is my Wan1 interface's, on the side that has no public IP.
j.urena
Posts: 113
Joined: 04 Mar 2013, 20:52
Location: Dominican Republic

Re: Remote site VPN.

Post by j.urena »

j.urena wrote:
gabyrossi wrote: hi, check why it shows a private ip... 10.0.0.10:500->190.80.144.213:500

regards.

That IP is my Wan1 interface's, on the side that has no public IP.

Hehe, the habit of working with routers betrayed me.

The problem was that at the remote location there was a modem, and that modem was not passing all requests straight through to the FG, so I had to open UDP ports 500 and 4500-4501.

Thanks for the help, the VPN is up and ready :D

Now, the strange thing is... how did it work the first time without the ports forwarded???? :?: