
Hi all,

I'm in the process of attempting to set up an IPSec tunnel between two LANs.

Here's an ASCII diagram (IPs changed):

(Lan1: 192.168.0.0/24)
|
[D-Link NetDefend
DFL-800 Firewall]
|
(Public IP1: 111.111.111.111)
|/|
|/|
|/| <-IPSec Tunnel
|/|
|/|
(Public IP2: 222.222.222.222)
|
[Fortinet Fortigate
Firewall]
(Lan2: 10.0.0.0/24)


I've configured both firewalls according to their respective manuals. This has been tricky because both vendors have varied terminology and default settings. There are also some minor variations in what extra options you have at each end.

I've added rules to both firewalls to allow traffic to pass both directions between the LAN and the IPSec interface and I've added routes to both firewalls to direct traffic intended for the remote LAN over the IPSec interface.

Here's a rough list of settings:
Authentication: Pre-shared key
IKE Encryption/Auth proposals: AES256/SHA1
IKE Life Time: 28800 sec
IKE Mode: Main, DH Group 2
IPSec Encryption/Auth proposals: AES256/SHA1
IPSec Life Time: 3600 sec/5120 KB
XAuth: Disabled
Perfect Forward Secrecy: Enabled, DH Group 5
Keep-alive: On (sends pings regularly to keep the tunnel up)

At the moment, I can see the 2 active IKE security authorities (SAs) coming up.

The IPSec tunnel however isn't coming up. The errors I'm getting from the D-Link box are:

2009-07-31 14:42:49	Warning	IPSEC	1803020	ipsec_sa_failed no_ipsec_sa	statusmsg="Timeout"
2009-07-31 14:42:49	Warning	IPSEC	1800109	ike_quickmode_failed	local_ip=111.111.111.111 remote_ip=222.222.222.222 cookies=<HEX String Edited Out> reason="Timeout"

Fortigate Errors attached (remove .txt extension).

So the errors look like something to do with IKE, "Quick Mode" failing, but I don't know much else. Any help or suggestions would be highly appreciated.

Cheers,

Chris
Perth, Australia

Attachments
#,Date,Time,Level,Action,Message
1,31/07/2009,3:02:42,notice,negotiate,Responder: parsed 111.111.111.111 quick mode message #1 (ERROR)
2,31/07/2009,3:02:34,notice,negotiate,Responder: parsed 111.111.111.111 quick mode message #1 (ERROR)
3,31/07/2009,3:02:30,notice,negotiate,Responder: parsed 111.111.111.111 quick mode message #1 (ERROR)
4,31/07/2009,3:02:28,notice,negotiate,Responder: parsed 111.111.111.111 quick mode message #1 (ERROR)
5,31/07/2009,3:02:27,notice,negotiate,Responder: parsed 111.111.111.111 quick mode message #1 (ERROR)
6,31/07/2009,3:02:27,notice,negotiate,Responder: parsed 111.111.111.111 quick mode message #1 (ERROR)
7,31/07/2009,3:02:26,notice,negotiate,Responder: sent 111.111.111.111 main mode message #3 (DONE)
8,31/07/2009,3:02:26,notice,negotiate,Responder: parsed 111.111.111.111 main mode message #3 (DONE)
9,31/07/2009,3:02:26,notice,negotiate,Responder: sent 111.111.111.111 main mode message #2 (OK)
10,31/07/2009,3:02:26,notice,negotiate,Responder: sent 111.111.111.111 main mode message #1 (OK)
11,31/07/2009,3:02:25,notice,delete_phase1_sa,Deleted an Isakmp SA on the tunnel to 111.111.111.111:500
16,31/07/2009,3:01:57,notice,negotiate,Responder: parsed 111.111.111.111 quick mode message #1 (ERROR)
17,31/07/2009,3:01:41,notice,negotiate,Responder: parsed 111.111.111.111 quick mode message #1 (ERROR)
18,31/07/2009,3:01:33,notice,negotiate,Responder: parsed 111.111.111.111 quick mode message #1 (ERROR)
19,31/07/2009,3:01:29,notice,negotiate,Responder: parsed 111.111.111.111 quick mode message #1 (ERROR)
20,31/07/2009,3:01:27,notice,negotiate,Responder: parsed 111.111.111.111 quick mode message #1 (ERROR)
21,31/07/2009,3:01:26,notice,negotiate,Responder: parsed 111.111.111.111 quick mode message #1 (ERROR)
22,31/07/2009,3:01:26,notice,negotiate,Responder: parsed 111.111.111.111 quick mode message #1 (ERROR)
23,31/07/2009,3:01:25,notice,negotiate,Responder: sent 111.111.111.111 main mode message #3 (DONE)
24,31/07/2009,3:01:25,notice,negotiate,Responder: parsed 111.111.111.111 main mode message #3 (DONE)
25,31/07/2009,3:01:25,notice,negotiate,Responder: sent 111.111.111.111 main mode message #2 (OK)
26,31/07/2009,3:01:25,notice,negotiate,Responder: sent 111.111.111.111 main mode message #1 (OK)
27,31/07/2009,3:00:56,notice,negotiate,Responder: parsed 111.111.111.111 quick mode message #1 (ERROR)
28,31/07/2009,3:00:40,notice,negotiate,Responder: parsed 111.111.111.111 quick mode message #1 (ERROR)
29,31/07/2009,3:00:32,notice,negotiate,Responder: parsed 111.111.111.111 quick mode message #1 (ERROR)
30,31/07/2009,3:00:28,notice,negotiate,Responder: parsed 111.111.111.111 quick mode message #1 (ERROR)
31,31/07/2009,3:00:26,notice,negotiate,Responder: parsed 111.111.111.111 quick mode message #1 (ERROR)
32,31/07/2009,3:00:25,notice,negotiate,Responder: parsed 111.111.111.111 quick mode message #1 (ERROR)
33,31/07/2009,3:00:25,notice,negotiate,Responder: parsed 111.111.111.111 quick mode message #1 (ERROR)
34,31/07/2009,3:00:24,information,interface-stat-change,Link monitor: Interface IpSec_Tunnel was turned up
35,31/07/2009,3:00:24,notice,negotiate,Initiator: parsed 111.111.111.111 main mode message #3 (DONE)
36,31/07/2009,3:00:24,notice,negotiate,Initiator: sent 111.111.111.111 main mode message #3 (OK)
37,31/07/2009,3:00:23,notice,negotiate,Initiator: sent 111.111.111.111 main mode message #2 (OK)
38,31/07/2009,3:00:23,notice,negotiate,Initiator: sent 111.111.111.111 main mode message #1 (OK)
39,31/07/2009,3:00:23,notice,delete_phase1_sa,Deleted an Isakmp SA on the tunnel to 111.111.111.111:500
40,31/07/2009,3:00:23,notice,delete_phase1_sa,Deleted an Isakmp SA on the tunnel to 111.111.111.111:500
41,31/07/2009,3:00:23,notice,tunnel_down,IPsec tunnel to 111.111.111.111:500 is down
42,31/07/2009,3:00:23,error,dpd,IPsec DPD detected a failure on the tunnel to 111.111.111.111:500
43,31/07/2009,3:00:23,information,interface-stat-change,Link monitor: Interface IpSec_Tunnel was turned down
44,31/07/2009,3:00:19,notice,negotiate,Responder: parsed 111.111.111.111 quick mode message #1 (ERROR)
45,31/07/2009,3:00:11,notice,negotiate,Responder: parsed 111.111.111.111 quick mode message #1 (ERROR)
46,31/07/2009,3:00:07,notice,negotiate,Responder: parsed 111.111.111.111 quick mode message #1 (ERROR)
47,31/07/2009,3:00:05,notice,negotiate,Responder: parsed 111.111.111.111 quick mode message #1 (ERROR)
48,31/07/2009,3:00:04,notice,negotiate,Responder: parsed 111.111.111.111 quick mode message #1 (ERROR)
49,31/07/2009,3:00:04,notice,negotiate,Responder: parsed 111.111.111.111 quick mode message #1 (ERROR)
50,31/07/2009,2:59:35,notice,negotiate,Responder: parsed 111.111.111.111 quick mode message #1 (ERROR)

For anyone interested or who runs into the same issue:

It was indeed a "Quick Mode" problem - the Fortigate firewall (LAN2 firewall) required Quick Mode selectors.

The Fortigate settings required based on the example are (0 indicates any/default):

Source Address: 10.0.0.0/24
Source port: 0
Destination address: 192.168.0.0/24
Destination port: 0
Protocol: 0

I also read some people have had problems with Dead Peer Detection. For the record, it is enabled in my case and not causing any issues.

The tunnel's up, firewall hardened and everything working now, so I'm happy.

Hope this relieves someone of the headache I had.
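The two posts above describe the same diagnosis from both ends: the FortiGate log shows Main Mode reaching DONE and then "quick mode message #1 (ERROR)" repeating, the D-Link reports ike_quickmode_failed with a timeout, and the fix was to give the FortiGate Phase 2 selectors that mirror the D-Link's local/remote networks. The script below is an added example written for this thread; it is not code from the original posts or from D-Link/Fortinet. It parses a constructed subset of both log formats to classify where the negotiation stalls (Phase 1 vs Phase 2), then checks that two peers' Quick Mode selectors are exact mirror images (initiator src/dst/ports equal responder dst/src/ports), which is the strict matching most IKEv1 responders apply. The D-Link field layout is assumed from the two lines quoted in the question, and "0 = any" for ports and protocol follows the FortiGate form in the answer.

```python
"""
Triage an IKEv1 site-to-site tunnel that completes Main Mode but never gets a
Phase 2 (Quick Mode) SA, then check that both peers' Quick Mode selectors are
mirror images of each other.

Added example for this thread; not code from the posts or from either vendor.
"""
import csv
import io
import ipaddress
import re

# Constructed sample in the shape of the FortiGate CSV attachment (rows abridged).
FORTIGATE_CSV = """\
#,Date,Time,Level,Action,Message
1,31/07/2009,3:02:42,notice,negotiate,Responder: parsed 111.111.111.111 quick mode message #1 (ERROR)
2,31/07/2009,3:02:34,notice,negotiate,Responder: parsed 111.111.111.111 quick mode message #1 (ERROR)
7,31/07/2009,3:02:26,notice,negotiate,Responder: sent 111.111.111.111 main mode message #3 (DONE)
8,31/07/2009,3:02:26,notice,negotiate,Responder: parsed 111.111.111.111 main mode message #3 (DONE)
9,31/07/2009,3:02:26,notice,negotiate,Responder: sent 111.111.111.111 main mode message #2 (OK)
10,31/07/2009,3:02:26,notice,negotiate,Responder: sent 111.111.111.111 main mode message #1 (OK)
11,31/07/2009,3:02:25,notice,delete_phase1_sa,Deleted an Isakmp SA on the tunnel to 111.111.111.111:500
"""

# Constructed sample in the shape of the D-Link NetDefend lines (tab separated;
# the column layout is assumed from the two lines quoted in the question).
DLINK_LOG = (
    '2009-07-31 14:42:49\tWarning\tIPSEC\t1803020\tipsec_sa_failed no_ipsec_sa\tstatusmsg="Timeout"\n'
    '2009-07-31 14:42:49\tWarning\tIPSEC\t1800109\tike_quickmode_failed\t'
    'local_ip=111.111.111.111 remote_ip=222.222.222.222 reason="Timeout"\n'
)

NEGOTIATE_RE = re.compile(
    r"^(?P<role>Initiator|Responder): (?P<verb>sent|parsed) (?P<peer>\S+) "
    r"(?P<mode>main|quick) mode message #(?P<num>\d+) \((?P<status>\w+)\)$"
)


def parse_fortigate(text):
    """Return the 'negotiate' events (as dicts) from a FortiGate CSV export."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        m = NEGOTIATE_RE.match(row["Message"])
        if m:
            events.append(m.groupdict())
    return events


def parse_dlink(text):
    """Return [(event_name, {key: value})] from tab-separated D-Link lines."""
    out = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 6:
            continue
        name = fields[4].split()[0]                      # e.g. ike_quickmode_failed
        kv = re.findall(r'(\w+)=("[^"]*"|\S+)', fields[5])
        out.append((name, {k: v.strip('"') for k, v in kv}))
    return out


def diagnose(fortigate_events, dlink_events):
    """Classify the stall as 'phase1', 'phase2' or 'established'."""
    phase1_done = any(e["mode"] == "main" and e["status"] == "DONE" for e in fortigate_events)
    qm_errors = sum(1 for e in fortigate_events if e["mode"] == "quick" and e["status"] == "ERROR")
    qm_done = any(e["mode"] == "quick" and e["status"] == "DONE" for e in fortigate_events)
    peer_says_qm_failed = any(name == "ike_quickmode_failed" for name, _ in dlink_events)
    if not phase1_done:
        return "phase1"          # pre-shared key, IKE proposal, DH group or peer ID
    if (qm_errors or peer_says_qm_failed) and not qm_done:
        return "phase2"          # IPsec proposal, PFS group or Quick Mode selectors
    return "established"


def selector_mismatches(local, remote):
    """
    Compare two Phase 2 selector sets the way a strict responder does: one side's
    (src, dst, sport, dport, proto) must equal the other's (dst, src, dport, sport,
    proto).  Port/protocol 0 means "any".  Returns a list of mismatches; [] == mirror.
    """
    problems = []
    pairs = [("src", "dst"), ("dst", "src"), ("sport", "dport"), ("dport", "sport"), ("proto", "proto")]
    for mine, theirs in pairs:
        a, b = local[mine], remote[theirs]
        if mine in ("src", "dst"):
            a, b = ipaddress.ip_network(a), ipaddress.ip_network(b)
        if a != b:
            problems.append(f"{mine}={a} on one side vs {theirs}={b} on the other")
    return problems


# Selectors from the answer (FortiGate side) and the D-Link mirror image.
DLINK_SELECTOR = {"src": "192.168.0.0/24", "dst": "10.0.0.0/24", "proto": 0, "sport": 0, "dport": 0}
FORTIGATE_SELECTOR = {"src": "10.0.0.0/24", "dst": "192.168.0.0/24", "proto": 0, "sport": 0, "dport": 0}
# Constructed mistake: a /16 on one side is rejected by a strict responder.
FORTIGATE_TYPO = dict(FORTIGATE_SELECTOR, src="10.0.0.0/16")

if __name__ == "__main__":
    print("stall:", diagnose(parse_fortigate(FORTIGATE_CSV), parse_dlink(DLINK_LOG)))
    print("mirror:", selector_mismatches(DLINK_SELECTOR, FORTIGATE_SELECTOR) or "ok")
    print("typo:", selector_mismatches(DLINK_SELECTOR, FORTIGATE_TYPO))
```

Run it as-is and the first line prints "phase2", which is the situation in the question: Phase 1 done on both sides, every Quick Mode #1 rejected. Once that is the verdict, the things to compare are exactly the Phase 2 items, the ESP proposal (AES256/SHA1 here), the PFS group (group 5 here) and the selectors, and the mirror check is the quickest way to confirm the last of those before touching anything else.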


I had almost exactly the same problem and this solved my problem - Thank You!
/Mikael
