IPsec VPN problems
Posted: 09 Oct 2008, 19:23
Hello everyone.
I'm going crazy configuring an IPsec VPN on a Fortinet (FortiGate-60B 3.00-b5101 (MR5 Patch 2)).
I should say that I already have an SSL VPN configured on the FortiGate via the web interface and it works perfectly, but now for a few PCs I need to configure IPsec (I don't know whether the two can work at the same time).
I followed Fortinet's manual and also the guide on the [You must log in to see links.] page, and despite doing it exactly the same it still doesn't work.
When I try to connect from the client, it drops after step 2.
Oct 9 19:20:18: Initiator: sent 80.xx.xx.xx main mode message #1 (OK)
Oct 9 19:20:18: Initiator: sent 80.xx.xx.xx main mode message #2 (OK)
I ran a test and it gives me the log shown below. Any ideas? What am I doing wrong?
What I want to do is very simple: two machines that will be outside my offices, connected on the 192.168.10.x range, connect to my firewall at the fixed public IP 80.xx.xx.xx, and it forwards them to the internal network 172.26.0.x.
The log it leaves:
In run_timer_list, jiffies=00000000, skipped = 0
tvecs[1]->bits is 3, tvecs[n]->index is 0
Detect local gateway for peer: 80.XX.XX.XX
Get sa_connect message...192.168.10.152->80.XX.XX.XX:65535, natt_mode=0
Using new connection...natt_mode=0
Set connection name = Conexion a VPN.
Adding timer #1... expiry=3600, data=16519384
Adding to bucket 3 at index 1
Tunnel 192.168.10.152 ---> 80.XX.XX.XX:500,natt_en=1 is starting negotiation
Will negotiate a DHCP SA
Initiator:main mode is sending 1st message...
Sending DPD VID payload....
Sending VID payload....
Sending NATT VID payload (RFC 3947)....
Sending NATT VID payload (draft3)....
Sending NATT VID payload (draft3 and draft1)....
Initiator: sent 80.XX.XX.XX main mode message #1 (OK)
Adding timer #2... expiry=28800, data=16521216
Adding to bucket 4 at index 1
set retransmit: st=1, timeout=10.
Adding timer #2... expiry=10, data=16521216
Adding to bucket 1 at index 10
Next_time = 10 sec
In run_timer_list, jiffies=00000000, skipped = 0
tvecs[1]->bits is 3, tvecs[n]->index is 0
Comes 80.XX.XX.XX:500->192.168.10.152:500,ifindex=2, ....
Exchange Mode = 2, I_COOKIE = 0x0952465867A3BBFF, Len = 180
Received Payloads= SA VID VID VID VID VID
Initiator:main mode get 1st response...
test the peer keepalive status....
The peer is non-keepalive fortigate.
Proposal_id = 1:
Protocol_id = ISAKMP:
trans_id = KEY_IKE.
encapsulation = 0 (unknown)
type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
type=OAKLEY_HASH_ALG, val=MD5.
type=AUTH_METHOD, val=PRESHARED_KEY.
type=OAKLEY_GROUP, val=1536.
Proposal_id = 1:
Protocol_id = ISAKMP:
trans_id = KEY_IKE.
encapsulation = 0 (unknown)
type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
type=OAKLEY_HASH_ALG, val=MD5.
type=AUTH_METHOD, val=PRESHARED_KEY.
type=OAKLEY_GROUP, val=1536.
trans_id = KEY_IKE.
encapsulation = 0 (unknown)
type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
type=OAKLEY_HASH_ALG, val=SHA.
type=AUTH_METHOD, val=PRESHARED_KEY.
type=OAKLEY_GROUP, val=1536.
trans_id = KEY_IKE.
encapsulation = 0 (unknown)
type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
type=14, val=128.
type=OAKLEY_HASH_ALG, val=MD5.
type=AUTH_METHOD, val=PRESHARED_KEY.
type=OAKLEY_GROUP, val=1536.
trans_id = KEY_IKE.
encapsulation = 0 (unknown)
type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
type=14, val=128.
type=OAKLEY_HASH_ALG, val=SHA.
type=AUTH_METHOD, val=PRESHARED_KEY.
type=OAKLEY_GROUP, val=1536.
Negotiate Result
Proposal_id = 1:
Protocol_id = ISAKMP:
trans_id = KEY_IKE.
encapsulation = 0 (unknown)
type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
type=OAKLEY_HASH_ALG, val=MD5.
type=AUTH_METHOD, val=PRESHARED_KEY.
type=OAKLEY_GROUP, val=1536.
Phase1 lifetimes=28800
Negotiate Success.(No echo).
testing the peer DPD status....
The peer supports DPD draft 2.
test the peer natt status....
The peer supports natt RFC 3947.
Initiator: sent 80.XX.XX.XX main mode message #2 (OK)
set retransmit: st=1, timeout=10.
Adding timer #2... expiry=10, data=16521216
Adding to bucket 1 at index 10
Next_time = 10 sec
In run_timer_list, jiffies=00000000, skipped = 0
tvecs[1]->bits is 3, tvecs[n]->index is 0
Comes 80.XX.XX.XX:500->192.168.10.152:500,ifindex=2, ....
Exchange Mode = 2, I_COOKIE = 0x0952465867A3BBFF, Len = 284
Bad syntax, payload=20,1415.
Next_time = 10 sec
In run_timer_list, jiffies=00000004, skipped = 4
tvecs[1]->bits is 3, tvecs[n]->index is 0
Comes 80.XX.XX.XX:500->192.168.10.152:500,ifindex=2, ....
Exchange Mode = 2, I_COOKIE = 0x3F771F837261CF96, Len = 284
Can not find state, 1023
Next_time = 6 sec
In run_timer_list, jiffies=00000006, skipped = 2
tvecs[1]->bits is 3, tvecs[n]->index is 0
Comes 80.XX.XX.XX:500->192.168.10.152:500,ifindex=2, ....
Exchange Mode = 2, I_COOKIE = 0x0952465867A3BBFF, Len = 284
Bad syntax, payload=20,1415.
Next_time = 4 sec
In run_timer_list, jiffies=0000000A, skipped = 4
tvecs[1]->bits is 3, tvecs[n]->index is 0
Retransmit reaches maximum count (st=1)...delete it!
Next_time = 3590 sec
In run_timer_list, jiffies=00000012, skipped = 8
tvecs[1]->bits is 3, tvecs[n]->index is 0
Comes 80.XX.XX.XX:500->192.168.10.152:500,ifindex=2, ....
Exchange Mode = 2, I_COOKIE = 0x0952465867A3BBFF, Len = 284
Ignored Incoming Message (a straggler from an already deleted exchange).
Next_time = 3582 sec
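The debug log above is from the client side as initiator: it prints the payload chain of each incoming message ("Received Payloads= SA VID VID VID VID VID") and then rejects the responder's reply to main-mode message #2 with "Bad syntax, payload=20". In ISAKMP numbering, 20 is the NAT-D payload that RFC 3947 assigned for NAT traversal; the earlier drafts carried the same payload under the private-use number 130. The decoder below is an added example, not code from the post, from Fortinet or from any FortiClient release: it serialises and parses ISAKMP headers and payload chains per RFC 2408 and RFC 3947, reproduces the log's one-line payload summary, and shows how a receiver whose payload table only knows the draft numbering stops at payload 20. The sample messages, the responder cookie, the SA body and the two unnamed vendor IDs are constructed placeholders; whether the poster's failure is actually a NAT-T version mismatch is not established by the log and would need a capture on UDP/500 at both ends.

```python
"""ISAKMP (IKEv1) header and payload-chain decoder, per RFC 2408 and RFC 3947.

Added example (not from the forum post): builds constructed main-mode messages
shaped like the ones in the debug log and walks their payload chains, so that
log lines such as "Received Payloads= SA VID VID VID VID VID" and
"Bad syntax, payload=20" can be read against the wire format.
"""
import hashlib
import struct

# RFC 2408 3.1: I-cookie(8) R-cookie(8) next(1) version(1) exchange(1) flags(1) msgid(4) length(4)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
# RFC 2408 3.2 generic payload header: next(1) reserved(1) length(2)
GEN_HDR = struct.Struct("!BBH")

EXCHANGE_TYPES = {1: "Base", 2: "Identity Protection (Main Mode)", 3: "Auth Only",
                  4: "Aggressive", 5: "Informational", 32: "Quick Mode", 33: "New Group"}

# RFC 2408 payload types plus the IANA numbers RFC 3947 assigned to NAT-T payloads.
RFC_PAYLOADS = {1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR", 8: "HASH",
                9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID", 20: "NAT-D", 21: "NAT-OA"}
# draft-ietf-ipsec-nat-t-ike-02/-03 carried the same payloads under private-use numbers.
DRAFT_PAYLOADS = {**{k: v for k, v in RFC_PAYLOADS.items() if k < 20}, 130: "NAT-D", 131: "NAT-OA"}

# Vendor IDs: DPD is a fixed constant (draft-ietf-ipsec-dpd-00, v1.0);
# the NAT-T vendor IDs are the MD5 of the draft or RFC name.
VID_DPD = bytes.fromhex("afcad71368a1f1c96b8696fc77570100")
VID_NATT_RFC3947 = hashlib.md5(b"RFC 3947").digest()
VID_NATT_DRAFT03 = hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-03").digest()


class IsakmpSyntaxError(ValueError):
    """Raised where a strict decoder would log 'Bad syntax'."""


def build_message(i_cookie, r_cookie, exchange_type, payloads):
    """Serialise an ISAKMP message; payloads is a list of (type, body) tuples."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += GEN_HDR.pack(nxt, 0, GEN_HDR.size + len(data)) + data
    first = payloads[0][0] if payloads else 0
    hdr = ISAKMP_HDR.pack(i_cookie, r_cookie, first, 0x10, exchange_type, 0, 0,
                          ISAKMP_HDR.size + len(body))
    return hdr + body


def parse_message(raw, known=RFC_PAYLOADS):
    """Decode header and payload chain; reject anything a strict receiver would."""
    if len(raw) < ISAKMP_HDR.size:
        raise IsakmpSyntaxError("truncated header")
    i_ck, r_ck, nxt, ver, exch, flags, msgid, length = ISAKMP_HDR.unpack_from(raw)
    if ver >> 4 != 1 or length != len(raw):
        raise IsakmpSyntaxError("bad version or length")
    chain, off = [], ISAKMP_HDR.size
    while nxt != 0:
        if off + GEN_HDR.size > len(raw):
            raise IsakmpSyntaxError("truncated payload header")
        following, _, plen = GEN_HDR.unpack_from(raw, off)
        if plen < GEN_HDR.size or off + plen > len(raw):
            raise IsakmpSyntaxError(f"bad payload length {plen}")
        if nxt not in known:  # a receiver without this type in its table stops here
            raise IsakmpSyntaxError(f"Bad syntax, payload={nxt}")
        chain.append((nxt, known[nxt], raw[off + GEN_HDR.size: off + plen]))
        off, nxt = off + plen, following
    if off != len(raw):
        raise IsakmpSyntaxError("trailing bytes after last payload")
    return {"i_cookie": i_ck.hex(), "exchange": EXCHANGE_TYPES.get(exch, str(exch)),
            "payloads": chain}


def summarize(raw, known=RFC_PAYLOADS):
    """Same one-line form as the client log: 'Received Payloads= SA VID ...'."""
    names = [name for _, name, _ in parse_message(raw, known)["payloads"]]
    return "Received Payloads= " + " ".join(names)


# Constructed sample traffic (not captured): same initiator cookie and exchange as the log.
I_COOKIE = bytes.fromhex("0952465867A3BBFF")
R_COOKIE = bytes.fromhex("1122334455667788")  # placeholder responder cookie
MSG1_RESPONSE = build_message(I_COOKIE, R_COOKIE, 2, [
    (1, b"\x00" * 52),  # SA: placeholder body, proposals are not decoded here
    (13, VID_DPD), (13, VID_NATT_RFC3947), (13, VID_NATT_DRAFT03),
    (13, b"\xaa" * 16), (13, b"\xbb" * 16)])  # two unnamed vendor IDs (placeholders)
MSG2_RESPONSE = build_message(I_COOKIE, R_COOKIE, 2, [
    (4, b"\x01" * 192),   # KE: DH group 5 (1536-bit MODP) public value, placeholder
    (10, b"\x02" * 16),   # NONCE
    (20, b"\x03" * 16),   # NAT-D hash of the responder's address/port (RFC 3947 number)
    (20, b"\x04" * 16)])  # NAT-D hash of the initiator's address/port

if __name__ == "__main__":
    print(summarize(MSG1_RESPONSE))
    print(summarize(MSG2_RESPONSE))
    try:
        summarize(MSG2_RESPONSE, known=DRAFT_PAYLOADS)
    except IsakmpSyntaxError as e:
        print("draft-only decoder:", e)
```

Run as a script it prints the two payload summaries and then the simulated "Bad syntax, payload=20" from a decoder that only knows the draft numbering. The proposal the log shows as negotiated (3DES, MD5, pre-shared key, DH group 5) is what that 2008 firmware offers; on anything current, 3DES and MD5 are deprecated and AES with SHA-2 and a larger group should be preferred.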