FG-86 Configuration:
Address object for the remote subnet: specify the tunnel interface and enable "Static route configuration"
Create a static route using the Named Address
FG-86 is the initiator; the capture on FG-86 is taken before the VPN is configured on FG-84
When FG-84 is configured with a mismatched Phase 1 proposal:
Both ends keep sending INIT_SA (IKE_SA_INIT); no notification packets are exchanged.
The GUI log has no proposal detail; it can only be seen from debug:
# diagnose vpn ike log-filter dst-addr4 192.168.2.84
# diagnose debug application ike -1
# diagnose debug enable
After fixing the phase 1 mismatch on FG-84, but with a phase 2 mismatch, Phase 1 comes up
The GUI log shows a phase 2 error
Only the debug output has the proposal detail
When the pre-shared key mismatches, phase 1 is down.
GUI log:
Debug messages:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPsec-VPNs-tunnels/ta-p/195955
=========================
ASA <> Fortigate
Pre-shared key mismatch
FortiGate is the initiator
ASA:
%ASA-4-750003: Local:192.168.2.50:500 Remote:192.168.2.33:500 Username:192.168.2.33 IKEv2 Negotiation aborted due to ERROR: Failed to authenticate the IKE SA
FortiGate debug:
ike 0:ASAv:45878: initiator received AUTH msg
ike 0:ASAv:45878: received notify type AUTHENTICATION_FAILED
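Added triage script (not from the original notes) that applies the symptom patterns above to FortiGate IKE debug and ASA syslog lines: an AUTHENTICATION_FAILED notify or the ASA 750003 "Failed to authenticate" abort means PSK/auth mismatch, NO_PROPOSAL_CHOSEN (the RFC 7296 notify for a rejected proposal, not quoted in the notes) means proposal mismatch, and repeated SA_INIT sends with no notify at all points at a phase 1 proposal mismatch. The "send IKE SA_INIT" line shape and the sample inputs are constructed assumptions.

```python
import re
from collections import Counter

# Line shapes modelled on the FortiGate "diagnose debug application ike -1"
# and ASA syslog lines quoted in the notes; the SA_INIT send line is an
# assumed shape, not copied from the page.
FGT_NOTIFY = re.compile(r"^ike \d+:(?P<tunnel>[^:]+):\d+: received notify type (?P<notify>[A-Z_]+)")
FGT_SA_INIT = re.compile(r"^ike \d+:(?P<tunnel>[^:]+):\d+: .*SA_INIT")
ASA_ABORT = re.compile(
    r"%ASA-4-750003: Local:(?P<local>\S+) Remote:(?P<remote>\S+) .*"
    r"IKEv2 Negotiation aborted due to ERROR: (?P<reason>.+)$")

def triage(lines):
    """Classify an IKEv2 failure from FortiGate debug and/or ASA syslog lines."""
    notifies, sa_init, asa_aborts = Counter(), 0, []
    for line in lines:
        line = line.strip()
        if (m := FGT_NOTIFY.match(line)):
            notifies[m["notify"]] += 1
        elif FGT_SA_INIT.match(line):
            sa_init += 1
        elif (m := ASA_ABORT.search(line)):   # search: line may carry a syslog prefix
            asa_aborts.append(m.groupdict())
    if notifies["AUTHENTICATION_FAILED"] or any(
            "authenticate" in a["reason"].lower() for a in asa_aborts):
        verdict = "psk_or_auth_mismatch"       # phase 1 down, peer rejected AUTH
    elif notifies["NO_PROPOSAL_CHOSEN"]:
        verdict = "proposal_mismatch"          # proposal rejected (phase 2 if phase 1 came up)
    elif sa_init >= 3 and not notifies:
        verdict = "phase1_proposal_mismatch"   # retransmitted SA_INIT, nothing comes back
    else:
        verdict = "unknown"
    return {"verdict": verdict, "notifies": dict(notifies),
            "sa_init_sent": sa_init, "asa_aborts": asa_aborts}

# Constructed sample: the three lines quoted in the notes (PSK mismatch case).
PSK_CASE = [
    "%ASA-4-750003: Local:192.168.2.50:500 Remote:192.168.2.33:500 Username:192.168.2.33 "
    "IKEv2 Negotiation aborted due to ERROR: Failed to authenticate the IKE SA",
    "ike 0:ASAv:45878: initiator received AUTH msg",
    "ike 0:ASAv:45878: received notify type AUTHENTICATION_FAILED",
]
# Constructed sample: only SA_INIT retransmits, no notify (phase 1 proposal mismatch).
P1_CASE = [f"ike 0:ASAv:{n}: send IKE SA_INIT" for n in (45879, 45880, 45881)]
```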