Vpn ipsec down

For topics about VPNs, including configuration, troubleshooting and interoperability.
bugati26
Posts: 2
Joined: 27 Nov 2013, 12:03

Vpn ipsec down

Post by bugati26 »

Hi,

I'm having problems with a new IPsec VPN that I have to get working for a customer and I can't get it to come up. I've followed many of the tips you give in the forum and it still doesn't work. I don't have access to the other firewall, since it belongs to another company, and I have to adapt my Forti's config to their StoneGate.

I've created the two phases following the requirements they gave me (in interface mode), though they didn't give me all of them. I've created the static route to their internal LAN and the two policies, LAN to VPN and VPN to LAN. I go to VPN -> Monitor -> IPsec and can't get the VPN to come up. The Forti is on firmware v4 MR3 v11. I'm pasting the config of the two phases in case something occurs to you; I don't know what else to try.

Cheers and thanks.

Phase 1:
Static IP: the other company's WAN
Preshared key:
IKE version: 1
Local Gateway: Main interface
Encryption: aes128
Authentication: md5
Diffie-Hellman group: 2
Keylife: I set it to 86400
NAT traversal: disabled
Dead peer detection: enabled

Phase 2:
Encryption: aes128
Authentication: md5
Enable replay detection: enabled
PFS (perfect forward secrecy): disabled / DH group: disabled
Keylife: 86400
Autokey keep alive: enabled
Source address: 172.17.2.0/28 (our subnet, I've subnetted it into a smaller one just in case)
Theirs: 192.168.221.0/24
gabyrossi
Posts: 10899
Joined: 30 Oct 2007, 19:47

Re: Vpn ipsec down

Post by gabyrossi »

Hi, without knowing how the VPN phases are set up on the other device we won't be able to help you much....

Did you run any debug of the VPN?

diag vpn ike filter name nombre_phase1

diag vpn ike log-filter name nombre_phase1
diag vpn ike log-filter dst-addr4 ip_gw_remoto

To view the filters:

diag vpn ike filter list
diag vpn ike log-filte list

To enable the debug:

diagno debug appli ike -1
diagn debug enable

----

To disable the debug:

diag deb dis
diagnose vpn ike log-filter clear
NSE 7 – Fortinet Network Security Architect
NSE 5 - Network Security Analyst
bugati26
Posts: 2
Joined: 27 Nov 2013, 12:03

Re: Vpn ipsec down

Post by bugati26 »

Hi,

Thanks for replying. I've spoken with the technician at the other company and the config ends up as follows:

Phase 1:
IKE v1
Main
AES 128 MD5
DH 2
keylife 7200
XAuth no
NAT traversal no
dead peer detection yes

Phase 2:
AES 128 MD5
enable replay detection no
enable PFS no
DH group none
keylife 28800

my subnet
theirs
source port 0
dest port 0
protocol 0

I'm pasting the latest debug (it's the VPN vpn_gob_vasco2):
2013-11-26 13:29:17 ike 0:vpn_gob_vasco2: schedule auto-negotiate

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2: auto-negotiate connection

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2: created connection: 0x9f459a0 26 192.168.0.2->212.55.15.22:500.

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2:22449: initiator: main mode is sending 1st message...

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2:22449: cookie 50b72d42e0b57e45/0000000000000000

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2:22449: out 50B72D42E0B57E4500000000000000000110020000000000000000800D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020001800400020D000014AFCAD71368A1F1C96B8696FC77570100000000148299031757A36082C6A621DE00040286

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2:22449: sent IKE msg (ident_i1send): 192.168.0.2:500->212.55.15.22:500, len=128, id=50b72d42e0b57e45/0000000000000000

2013-11-26 13:29:17 ike 0: comes 212.55.15.22:500->192.168.0.2:500,ifindex=26....

2013-11-26 13:29:17 ike 0: IKEv1 exchange=Identity Protection id=50b72d42e0b57e45/0faa585749fe8b6b len=324

2013-11-26 13:29:17 ike 0: in

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2:22449: initiator: main mode get 1st response...

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2:22449: VID unknown (32): 1082A1C3D2DD1755015AEBB766B5819000000001020221F10001040100000000

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2:22449: VID unknown (16): 5C8F1743DCCC474D73B4110636772655

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2:22449: VID unknown (16): DD477B3D56B7720CB4210571F6D20530

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2:22449: VID unknown (16): F4B5F16943B84BA919E00E5AFA43567D

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2:22449: VID unknown (16): 645AF885467F08A68619C60E77BDB605

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2:22449: VID unknown (16): 431CFC9292A0595D7592FEBEA586AD19

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2:22449: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2:22449: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2:22449: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2:22449: VID RFC 3947 4A131C81070358455C5728F20E95452F

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2:22449: VID DPD AFCAD71368A1F1C96B8696FC77570100

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2:22449: DPD negotiated

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2:22449: negotiation result

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2:22449: proposal id = 1:

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2:22449: protocol id = ISAKMP:

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2:22449: trans_id = KEY_IKE.

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2:22449: encapsulation = IKE/none

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2:22449: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2:22449: type=OAKLEY_HASH_ALG, val=MD5.

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2:22449: type=AUTH_METHOD, val=PRESHARED_KEY.

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2:22449: type=OAKLEY_GROUP, val=1024.

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2:22449: ISKAMP SA lifetime=86400

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2:22449: out 50B72D42E0B57E450FAA585749FE8B6B0410020000000000000000B40A000084260FB824577BE0523D16616B0723F6CC8568F7B406C7DD011102569AAE45E6ADAFC062F3E67CCA4C87D6AA9E43A21E25374AB608B7859EDC0EF18B13BDB66D720E30CE42422EFDD2B69C5ACE2922F7DC91C2180F294CDA9720A33C36704D68DD0306EA35E2E236DB29DF046BB4D106757581672FFBA71572FD8E49547691C21200000014BF22562823D6F76D592127AC89629D5E

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2:22449: sent IKE msg (ident_i2send): 192.168.0.2:500->212.55.15.22:500, len=180, id=50b72d42e0b57e45/0faa585749fe8b6b

2013-11-26 13:29:17 ike 0: comes 212.55.15.22:500->192.168.0.2:500,ifindex=26....

2013-11-26 13:29:17 ike 0: IKEv1 exchange=Identity Protection id=50b72d42e0b57e45/0faa585749fe8b6b len=180

2013-11-26 13:29:17 ike 0: in 50B72D42E0B57E450FAA585749FE8B6B0410020000000000000000B40A000084554A42825995B2651A1D776307A45DD3E0797CC01B8E80CDB2D7100CC2026D2F46E817D4CA9A37429F4D0F14E2AF0CC0BB8040AC6FC2C8C7ABDE0340D2B0A80F45F9D174A73F12DF1B44E1AEA724DD7F8F62760978CD4C32F62712EB4A54A5859D2F2BA8E8EBF83E1C3093C6077C5F2BDE615F114E9889512B4096DDDEBDB9C400000014C5656102E9A978A2490E5F619B313023

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2:22449: initiator: main mode get 2nd response...

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2:22449: ISAKMP SA 50b72d42e0b57e45/0faa585749fe8b6b key 16:D549523536AEA824D2F8C4848A373782

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2:22449: add INITIAL-CONTACT

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2:22449: enc 50B72D42E0B57E450FAA585749FE8B6B0510020100000000000000580800000C01000000C0A800020B000014255E0297E0634987BB5CD4171F0F92190000001C000000010110600250B72D42E0B57E450FAA585749FE8B6B

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2:22449: out 50B72D42E0B57E450FAA585749FE8B6B05100201000000000000005C81E27EA08465049F0869ED7382C51FFD872544AC394E19289415F3B9854CE62FA5CE888DD1A82E6D16C430D89FE307FBC7511C178462FDDCCE1AFAC92583EE26

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2:22449: sent IKE msg (ident_i3send): 192.168.0.2:500->212.55.15.22:500, len=92, id=50b72d42e0b57e45/0faa585749fe8b6b

2013-11-26 13:29:17 ike 0: comes 212.55.15.22:500->192.168.0.2:500,ifindex=26....

2013-11-26 13:29:17 ike 0: IKEv1 exchange=Informational id=50b72d42e0b57e45/0faa585749fe8b6b:11998502 len=197

2013-11-26 13:29:17 ike 0: in 50B72D42E0B57E450FAA585749FE8B6B0B10050011998502000000C5000000A9000000010110000150B72D42E0B57E450FAA585749FE8B6B800C0001800300A100030040A1D1F7E0339A3959A61B49A9F2F088144C75CF23D17AD843A8547A8AA90C415C65E1C09C85E9846DD9B3C5ADDCED4F649DCB0131D92152285D9EE1FC6227EC688005000000060035496E636F7272656374207072652D736861726564206B65792028496E76616C6964206E657874207061796C6F61642076616C75652980080000

2013-11-26 13:29:17 ike 0:vpn_gob_vasco2:22449: ignoring unencrypted INVALID-PAYLOAD-TYPE message from 212.55.15.22:500.

2013-11-26 13:29:22 ike shrank heap by 126976 bytes

2013-11-26 13:29:22 ike 0: comes 94.205.240.206:4500->192.168.0.2:4500,ifindex=26....

2013-11-26 13:29:22 ike 0: IKEv1 exchange=Informational id=854d8b8327a3d1d7/75d7fa44f5aff295:6aab8939 len=108

2013-11-26 13:29:22 ike 0: in 854D8B8327A3D1D775D7FA44F5AFF295081005016AAB89390000006C85DC6B18572C61F641C8463E6419E395E4654B21581243DC11D8983D97CFDEBFE6A532FAD76279C4774D5C8A0DF3F204E7F8644C6B023AA47F6A197508F1AE3AECFF30E05BD46C2E99DD01CAE78002D9

2013-11-26 13:29:22 ike 0:VPN_DUBAI:17047: dec 854D8B8327A3D1D775D7FA44F5AFF295081005016AAB89390000006C0B0000241678D733DA4C4A600E1686D9A405C91CE3D1CEBE54022272020AAAD8D58D08B9000000200000000101108D28854D8B8327A3D1D775D7FA44F5AFF29500020620A6A40B76AF5C8366F9036D0B

2013-11-26 13:29:22 ike 0:VPN_DUBAI:17047: notify msg received: R-U-THERE

2013-11-26 13:29:22 ike 0:VPN_DUBAI:17047: enc 854D8B8327A3D1D775D7FA44F5AFF29508100501E0038EA5000000600B0000245557852401F4F864447DC8E52D29E54E58183EB697AEB03C0886CA2CF5877571000000200000000101108D29854D8B8327A3D1D775D7FA44F5AFF29500020620

2013-11-26 13:29:22 ike 0:VPN_DUBAI:17047: out 854D8B8327A3D1D775D7FA44F5AFF29508100501E0038EA50000006C040A6BB867FA301AC5895D78A3D665ED1655E76B39F22B5BBCFA5553D4B69F7DC908AA80CDA8354BFCDF2AAD578514860FE297C82F811FFEAE29712EED268DBF0E15347BB99EACAE634F2B5B4FE02DC4

2013-11-26 13:29:22 ike 0:VPN_DUBAI:17047: sent IKE msg (R-U-THERE-ACK): 192.168.0.2:4500->94.205.240.206:4500, len=108, id=854d8b8327a3d1d7/75d7fa44f5aff295:e0038ea5

2013-11-26 13:29:23 ike 0:vpn_gob_vasco2:22449: out 50B72D42E0B57E450FAA585749FE8B6B05100201000000000000005C81E27EA08465049F0869ED7382C51FFD872544AC394E19289415F3B9854CE62FA5CE888DD1A82E6D16C430D89FE307FBC7511C178462FDDCCE1AFAC92583EE26

2013-11-26 13:29:23 ike 0:vpn_gob_vasco2:22449: sent IKE msg (P1_RETRANSMIT): 192.168.0.2:500->212.55.15.22:500, len=92, id=50b72d42e0b57e45/0faa585749fe8b6b

2013-11-26 13:29:24 ike 0:PARIS_F1:22448: negotiation timeout, deleting

2013-11-26 13:29:24 ike 0:PARIS_F1: connection expiring due to phase1 down

2013-11-26 13:29:24 ike 0:PARIS_F1: deleting

2013-11-26 13:29:24 ike 0:PARIS_F1: flushing

2013-11-26 13:29:24 ike 0:PARIS_F1: flushed

2013-11-26 13:29:24 ike 0:PARIS_F1: deleted
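As an added example (not code from this thread or from Fortinet), here is a small Python decoder for the unencrypted Informational message that the log shows the FortiGate discarding after ident_i3send: it parses the ISAKMP header and the Notification payload from the hex of that "in" line, so the peer's notify type and any text it embedded in the notification become readable. Assumption: the notification data follows the RFC 2408 attribute encoding (it parses cleanly here); the NOTIFY_TYPES table is a constructed subset of the RFC 2408 / RFC 3706 values.

```python
# Added example: decode one ISAKMP Informational message from a FortiGate
# "diag debug application ike -1" dump (RFC 2408 layout; attribute TLVs assumed).
import struct

# Input copied from the "in ..." line the OP posted after ident_i3send (hex only).
INFORMATIONAL_HEX = (
    "50B72D42E0B57E450FAA585749FE8B6B0B10050011998502000000C5000000A9"
    "000000010110000150B72D42E0B57E450FAA585749FE8B6B800C0001800300A1"
    "00030040A1D1F7E0339A3959A61B49A9F2F088144C75CF23D17AD843A8547A8A"
    "A90C415C65E1C09C85E9846DD9B3C5ADDCED4F649DCB0131D92152285D9EE1FC"
    "6227EC688005000000060035496E636F7272656374207072652D736861726564"
    "206B65792028496E76616C6964206E657874207061796C6F61642076616C7565"
    "2980080000"
)
NOTIFY_TYPES = {1: "INVALID-PAYLOAD-TYPE", 14: "NO-PROPOSAL-CHOSEN",
                24: "AUTHENTICATION-FAILED", 36136: "R-U-THERE", 36137: "R-U-THERE-ACK"}

def parse_attributes(data):
    """RFC 2408 attributes: AF bit set -> 2-byte value, else length-prefixed value."""
    attrs, pos = [], 0
    while pos + 4 <= len(data):
        type_af, val_or_len = struct.unpack_from(">HH", data, pos)
        pos += 4
        if type_af & 0x8000:
            attrs.append((type_af & 0x7FFF, val_or_len))
        else:
            attrs.append((type_af, data[pos:pos + val_or_len]))
            pos += val_or_len
    return attrs

def decode_informational(hex_msg):
    """Return header fields plus every Notification payload (type 11) in the message."""
    raw = bytes.fromhex(hex_msg)
    _ispi, _rspi, next_pl, _ver, xchg, flags, msg_id, length = struct.unpack_from(">8s8sBBBBII", raw)
    if length != len(raw):
        raise ValueError("ISAKMP length field does not match the dump")
    pos, notifies = 28, []
    while next_pl and pos + 4 <= length:
        pl_next, _rsv, pl_len = struct.unpack_from(">BBH", raw, pos)
        body = raw[pos + 4:pos + pl_len]
        if next_pl == 11:  # Notification payload: DOI, proto, SPI size, notify type, SPI, data
            _doi, _proto, spi_size, ntype = struct.unpack_from(">IBBH", body)
            texts = [v.decode("ascii") for _t, v in parse_attributes(body[8 + spi_size:])
                     if isinstance(v, bytes) and v and all(32 <= b < 127 for b in v)]
            notifies.append({"type": ntype, "name": NOTIFY_TYPES.get(ntype, f"type-{ntype}"),
                             "spi": body[8:8 + spi_size].hex(), "text": texts})
        next_pl, pos = pl_next, pos + pl_len
    # Flags bit 0 = Encryption; an unencrypted notify is unauthenticated, so treat it as a hint only.
    return {"exchange": xchg, "encrypted": bool(flags & 1), "msg_id": msg_id, "notifies": notifies}
```

Exchange type 5 is Informational; the decoded notify carries the ISAKMP SPI pair from the log and the text the peer attached, which is what the FortiGate's "ignoring unencrypted INVALID-PAYLOAD-TYPE" line hides.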
gabyrossi
Posts: 10899
Joined: 30 Oct 2007, 19:47

Re: Vpn ipsec down

Post by gabyrossi »

Hi,
try switching to different encryption.... and double-check the DH group in each phase.
Regards.
NSE 7 – Fortinet Network Security Architect
NSE 5 - Network Security Analyst