IPSec VPN Shrew to Fortigate



I'm trying to configure an IPSec VPN on a Fortigate 80C and connect to it using Shrew Soft VPN. I'm stuck with a negotiation failure, even though debugging on the Fortigate unit shows the same values for both proposals, except for the proposal id:



ike 0: comes 213.233.112.182:500->192.168.1.254:500,ifindex=18....
ike 0: IKEv1 exchange=Aggressive id=448542093a752e2a/0000000000000000 len=577
ike 0: in
ike 0:448542093a752e2a/0000000000000000:1314: responder: aggressive mode get 1st message...
ike 0:448542093a752e2a/0000000000000000:1314: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
ike 0:448542093a752e2a/0000000000000000:1314: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:448542093a752e2a/0000000000000000:1314: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
ike 0:448542093a752e2a/0000000000000000:1314: VID draft-ietf-ipsec-nat-t-ike-02n 90CB80913EBB696E086381B5EC427B1F
ike 0:448542093a752e2a/0000000000000000:1314: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:448542093a752e2a/0000000000000000:1314: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:448542093a752e2a/0000000000000000:1314: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000
ike 0:448542093a752e2a/0000000000000000:1314: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:448542093a752e2a/0000000000000000:1314: VID unknown (16): 3B9031DCE4FCF88B489A923963DD0C49
ike 0:448542093a752e2a/0000000000000000:1314: VID unknown (16): F14B94B7BFF1FEF02773B8C49FEDED26
ike 0:448542093a752e2a/0000000000000000:1314: VID unknown (20): 166F932D55EB64D8E4DF4FD37E2313F0D0FD8451
ike 0:448542093a752e2a/0000000000000000:1314: VID unknown (16): 8404ADF9CDA05760B2CA292E4BFF537B
ike 0:448542093a752e2a/0000000000000000:1314: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
ike 0: IKEv1 Aggressive, comes 213.233.112.182:500->192.168.1.254 18, peer-id=FSARO
ike 0:448542093a752e2a/0000000000000000:1314: my proposal, gw BKIPSECVPN:
ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 1:
ike 0:448542093a752e2a/0000000000000000:1314: protocol id = ISAKMP:
ike 0:448542093a752e2a/0000000000000000:1314: trans_id = KEY_IKE.
ike 0:448542093a752e2a/0000000000000000:1314: encapsulation = IKE/none
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:448542093a752e2a/0000000000000000:1314: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_GROUP, val=1536.
ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 1:
ike 0:448542093a752e2a/0000000000000000:1314: protocol id = ISAKMP:
ike 0:448542093a752e2a/0000000000000000:1314: trans_id = KEY_IKE.
ike 0:448542093a752e2a/0000000000000000:1314: encapsulation = IKE/none
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:448542093a752e2a/0000000000000000:1314: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_GROUP, val=1536.
ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 1:
ike 0:448542093a752e2a/0000000000000000:1314: protocol id = ISAKMP:
ike 0:448542093a752e2a/0000000000000000:1314: trans_id = KEY_IKE.
ike 0:448542093a752e2a/0000000000000000:1314: encapsulation = IKE/none
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:448542093a752e2a/0000000000000000:1314: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_GROUP, val=1536.
ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 1:
ike 0:448542093a752e2a/0000000000000000:1314: protocol id = ISAKMP:
ike 0:448542093a752e2a/0000000000000000:1314: trans_id = KEY_IKE.
ike 0:448542093a752e2a/0000000000000000:1314: encapsulation = IKE/none
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:448542093a752e2a/0000000000000000:1314: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_GROUP, val=1536.
ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
ike 0:448542093a752e2a/0000000000000000:1314: incoming proposal:
ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 0:
ike 0:448542093a752e2a/0000000000000000:1314: protocol id = ISAKMP:
ike 0:448542093a752e2a/0000000000000000:1314: trans_id = KEY_IKE.
ike 0:448542093a752e2a/0000000000000000:1314: encapsulation = IKE/none
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:448542093a752e2a/0000000000000000:1314: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_GROUP, val=1536.
ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
ike 0:448542093a752e2a/0000000000000000:1314: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:448542093a752e2a/0000000000000000:1314: no SA proposal chosen
ike shrank heap by 122880 bytes
ike shrank heap by 20480 bytes


Any idea why this is happening?



Here's the tunnel configuration:



BKFGT80C-03 # show vpn ipsec phase1-interface BKIPSECVPN 
config vpn ipsec phase1-interface
edit "BKIPSECVPN"
set type dynamic
set interface "WANProsodieDATA"
set mode aggressive
set xauthtype pap
set proposal 3des-sha1 aes128-sha1
set authusrgrp "vpn-users@SRV3"
set psksecret ENC nhHJbl/trs/6Fxx383T9wTSrI85maR2cvP2R4N5XD0VyLc/rdzp/QnWFKOEYlXEIBc6ViKqSrb2GCliq5+4y3dxuRG3hurRq5T4Vz1uYf23y/+qE8xMspKvWOJkb2BP8wV7bkNgd7TjJabL/GfOU6pIsuga9J0kknxTdEPl8fWzj3U4g85R9+BO7264YQ/7ZopFZHA==
set keepalive 15
next
end

BKFGT80C-03 # show vpn ipsec phase2-interface BKIPSECVPN_Ph2
config vpn ipsec phase2-interface
edit "BKIPSECVPN_Ph2"
set keepalive enable
set phase1name "BKIPSECVPN"
set proposal 3des-sha1 aes128-sha1
next
end


And here's the Shrew Soft VPN config:



n:version:4
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:0
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:0
n:network-notify-enable:1
n:client-dns-used:1
n:client-dns-auto:0
n:client-dns-suffix-auto:0
n:client-splitdns-used:1
n:client-splitdns-auto:0
n:client-wins-used:0
n:client-wins-auto:0
n:phase1-dhgroup:5
n:phase1-life-secs:28800
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:1800
n:phase2-life-kbytes:5120
n:policy-nailed:1
n:policy-list-auto:1
n:phase1-keylen:256
s:network-host:213.139.103.131
s:client-auto-mode:disabled
s:client-iface:virtual
s:client-ip-addr:192.168.50.2
s:client-ip-mask:255.255.255.0
s:network-natt-mode:enable
s:network-frag-mode:enable
s:client-dns-addr:8.8.8.8
s:client-dns-suffix:bk.local
s:auth-method:mutual-psk-xauth
s:ident-client-type:address
s:ident-server-type:address
b:auth-mutual-psk:YWJjZGVmZ2hpamts
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:sha1
s:phase2-transform:esp-3des
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
n:phase2-pfsgroup:5
s:policy-level:auto
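
The debug output above lists the responder's own proposals and the incoming one attribute by attribute, which is tedious to compare by eye. As an added example (not part of the original question, and not Fortinet or Shrew Soft code), here is a small Python script that parses lines in that format, sets the proposal id aside (it is only a label on each proposal, so the 1-versus-0 difference is not by itself a mismatch), and reports which local proposals match the incoming one exactly and, for the others, which attributes differ. The sample lines are copied from the debug output in the question, cut down to the first two local proposals and the incoming one; the prefix regex assumes the `ike 0:<cookie>/<cookie>:<seq>: ` line format shown there, and the function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Line shapes taken from the Fortigate IKE debug output in the question.
# Assumed prefix format: "ike <n>:<icookie>/<rcookie>:<seq>: <body>".
PREFIX = re.compile(r"^ike \d+:[0-9a-f]+/[0-9a-f]+:\d+: (.*)$")
PROPOSAL = re.compile(r"^proposal id = (\d+):$")
TYPED = re.compile(r"^type=(\w+), val=(\w+)\.$")
LIFETIME = re.compile(r"^ISAKMP SA lifetime=(\d+)$")
PLAIN = re.compile(r"^(protocol id|trans_id|encapsulation) = (\S+?)[.:]?$")
Proposal = Dict[str, str]

def parse_proposals(log_text: str) -> Tuple[List[Proposal], List[Proposal]]:
    """Split the debug output into the responder's own ("my proposal") list and the
    initiator's ("incoming proposal") list, each proposal as {attribute: value}."""
    local: List[Proposal] = []
    incoming: List[Proposal] = []
    section = None
    current = None
    for raw in log_text.splitlines():
        m = PREFIX.match(raw.strip())
        if not m:
            continue  # hex dumps, VID lines, heap messages: not proposal data
        body = m.group(1)
        if body.startswith("my proposal"):
            section, current = local, None
        elif body.startswith("incoming proposal"):
            section, current = incoming, None
        elif section is not None and PROPOSAL.match(body):
            current = {"proposal_id": PROPOSAL.match(body).group(1)}
            section.append(current)
        elif current is not None:
            m = TYPED.match(body) or PLAIN.match(body)
            if m:
                current[m.group(1)] = m.group(2)
            elif LIFETIME.match(body):
                current["LIFETIME"] = LIFETIME.match(body).group(1)
    return local, incoming

def negotiable(p: Proposal) -> Dict[str, str]:
    """Attributes the responder actually compares; the proposal id is only a label."""
    return {k: v for k, v in p.items() if k != "proposal_id"}

def diff_attributes(local: Proposal, incoming: Proposal) -> Dict[str, Tuple[str, str]]:
    """Attributes whose values differ, as {name: (local, incoming)}; empty means identical."""
    a, b = negotiable(local), negotiable(incoming)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

def matching_local_proposals(local: List[Proposal], incoming: Proposal) -> List[int]:
    """Indices of local proposals whose printed attributes match the incoming one exactly."""
    return [i for i, p in enumerate(local) if not diff_attributes(p, incoming)]

# Sample input: proposal lines copied from the question's debug output, reduced to
# the first two local proposals plus the incoming one.
SAMPLE_LOG = """\
ike 0:448542093a752e2a/0000000000000000:1314: my proposal, gw BKIPSECVPN:
ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 1:
ike 0:448542093a752e2a/0000000000000000:1314: protocol id = ISAKMP:
ike 0:448542093a752e2a/0000000000000000:1314: trans_id = KEY_IKE.
ike 0:448542093a752e2a/0000000000000000:1314: encapsulation = IKE/none
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:448542093a752e2a/0000000000000000:1314: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_GROUP, val=1536.
ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 1:
ike 0:448542093a752e2a/0000000000000000:1314: protocol id = ISAKMP:
ike 0:448542093a752e2a/0000000000000000:1314: trans_id = KEY_IKE.
ike 0:448542093a752e2a/0000000000000000:1314: encapsulation = IKE/none
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:448542093a752e2a/0000000000000000:1314: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_GROUP, val=1536.
ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
ike 0:448542093a752e2a/0000000000000000:1314: incoming proposal:
ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 0:
ike 0:448542093a752e2a/0000000000000000:1314: protocol id = ISAKMP:
ike 0:448542093a752e2a/0000000000000000:1314: trans_id = KEY_IKE.
ike 0:448542093a752e2a/0000000000000000:1314: encapsulation = IKE/none
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:448542093a752e2a/0000000000000000:1314: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_GROUP, val=1536.
ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
ike 0:448542093a752e2a/0000000000000000:1314: negotiation failure
"""

if __name__ == "__main__":
    local, incoming = parse_proposals(SAMPLE_LOG)
    for inc in incoming:
        print(f"incoming proposal {inc['proposal_id']} matches local index(es): "
              f"{matching_local_proposals(local, inc)}")
        for i, p in enumerate(local):
            for k, (lv, iv) in diff_attributes(p, inc).items():
                print(f"  local[{i}] {k}: {lv} != {iv}")
```

Run on the sample, it reports that local proposal index 1 matches the incoming proposal exactly while index 0 differs only in AUTH_METHOD. So the attributes this debug output prints do not by themselves explain the `no SA proposal chosen` error; whatever the responder rejected sits in something the printout omits. One thing worth checking in the Shrew profile above is the `n:phase1-keylen:256` line next to a `3des` phase-1 cipher, since 3DES has a fixed key length and a stray key-length attribute would not appear in these lines; that is a guess from the posted config, not something the debug output confirms.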

  • dude, you have your public IP up in there AND your PSK....tear that out of your post AND change your PSK right now.

    – Citizen
    Feb 10 '15 at 4:38

  • Not trying to be a jerk, just trying to have your back.

    – Citizen
    Feb 10 '15 at 4:39

  • Thanks for the tip, but calm down, it was just an example :)

    – fsaftoiu
    Feb 10 '15 at 22:09

  • Gotcha, sorry. I thought it was a real config. Apologies.

    – Citizen
    Feb 11 '15 at 8:03
1















I'm trying to configure an IPSec VPN on a Fortigate 80C and connect to it using Shrew Soft VPN. I'm stuck with a negotiation failure, even though debugging on the Fortigate unit shows the same values for both proposals, except for the proposal id :



ike 0: comes 213.233.112.182:500->192.168.1.254:500,ifindex=18....
ike 0: IKEv1 exchange=Aggressive id=448542093a752e2a/0000000000000000 len=577
ike 0: in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
ike 0:448542093a752e2a/0000000000000000:1314: responder: aggressive mode get 1st message...
ike 0:448542093a752e2a/0000000000000000:1314: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
ike 0:448542093a752e2a/0000000000000000:1314: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:448542093a752e2a/0000000000000000:1314: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
ike 0:448542093a752e2a/0000000000000000:1314: VID draft-ietf-ipsec-nat-t-ike-02n 90CB80913EBB696E086381B5EC427B1F
ike 0:448542093a752e2a/0000000000000000:1314: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:448542093a752e2a/0000000000000000:1314: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:448542093a752e2a/0000000000000000:1314: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000
ike 0:448542093a752e2a/0000000000000000:1314: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:448542093a752e2a/0000000000000000:1314: VID unknown (16): 3B9031DCE4FCF88B489A923963DD0C49
ike 0:448542093a752e2a/0000000000000000:1314: VID unknown (16): F14B94B7BFF1FEF02773B8C49FEDED26
ike 0:448542093a752e2a/0000000000000000:1314: VID unknown (20): 166F932D55EB64D8E4DF4FD37E2313F0D0FD8451
ike 0:448542093a752e2a/0000000000000000:1314: VID unknown (16): 8404ADF9CDA05760B2CA292E4BFF537B
ike 0:448542093a752e2a/0000000000000000:1314: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
ike 0: IKEv1 Aggressive, comes 213.233.112.182:500->192.168.1.254 18, peer-id=FSARO
ike 0:448542093a752e2a/0000000000000000:1314: my proposal, gw BKIPSECVPN:
ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 1:
ike 0:448542093a752e2a/0000000000000000:1314: protocol id = ISAKMP:
ike 0:448542093a752e2a/0000000000000000:1314: trans_id = KEY_IKE.
ike 0:448542093a752e2a/0000000000000000:1314: encapsulation = IKE/none
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:448542093a752e2a/0000000000000000:1314: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_GROUP, val=1536.
ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 1:
ike 0:448542093a752e2a/0000000000000000:1314: protocol id = ISAKMP:
ike 0:448542093a752e2a/0000000000000000:1314: trans_id = KEY_IKE.
ike 0:448542093a752e2a/0000000000000000:1314: encapsulation = IKE/none
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:448542093a752e2a/0000000000000000:1314: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_GROUP, val=1536.
ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 1:
ike 0:448542093a752e2a/0000000000000000:1314: protocol id = ISAKMP:
ike 0:448542093a752e2a/0000000000000000:1314: trans_id = KEY_IKE.
ike 0:448542093a752e2a/0000000000000000:1314: encapsulation = IKE/none
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:448542093a752e2a/0000000000000000:1314: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_GROUP, val=1536.
ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 1:
ike 0:448542093a752e2a/0000000000000000:1314: protocol id = ISAKMP:
ike 0:448542093a752e2a/0000000000000000:1314: trans_id = KEY_IKE.
ike 0:448542093a752e2a/0000000000000000:1314: encapsulation = IKE/none
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:448542093a752e2a/0000000000000000:1314: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_GROUP, val=1536.
ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
ike 0:448542093a752e2a/0000000000000000:1314: incoming proposal:
ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 0:
ike 0:448542093a752e2a/0000000000000000:1314: protocol id = ISAKMP:
ike 0:448542093a752e2a/0000000000000000:1314: trans_id = KEY_IKE.
ike 0:448542093a752e2a/0000000000000000:1314: encapsulation = IKE/none
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:448542093a752e2a/0000000000000000:1314: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_GROUP, val=1536.
ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
ike 0:448542093a752e2a/0000000000000000:1314: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:448542093a752e2a/0000000000000000:1314: no SA proposal chosen
ike shrank heap by 122880 bytes
ike shrank heap by 20480 bytes


Any idea why this is happening ?



Here's the tunnel configuration :



BKFGT80C-03 # show vpn ipsec phase1-interface BKIPSECVPN 
config vpn ipsec phase1-interface
edit "BKIPSECVPN"
set type dynamic
set interface "WANProsodieDATA"
set mode aggressive
set xauthtype pap
set proposal 3des-sha1 aes128-sha1
set authusrgrp "vpn-users@SRV3"
set psksecret ENC nhHJbl/trs/6Fxx383T9wTSrI85maR2cvP2R4N5XD0VyLc/rdzp/QnWFKOEYlXEIBc6ViKqSrb2GCliq5+4y3dxuRG3hurRq5T4Vz1uYf23y/+qE8xMspKvWOJkb2BP8wV7bkNgd7TjJabL/GfOU6pIsuga9J0kknxTdEPl8fWzj3U4g85R9+BO7264YQ/7ZopFZHA==
set keepalive 15
next
end

BKFGT80C-03 # show vpn ipsec phase2-interface BKIPSECVPN_Ph2
config vpn ipsec phase2-interface
edit "BKIPSECVPN_Ph2"
set keepalive enable
set phase1name "BKIPSECVPN"
set proposal 3des-sha1 aes128-sha1
next
end


And here's the Shrewsoft VPN config :



n:version:4
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:0
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:0
n:network-notify-enable:1
n:client-dns-used:1
n:client-dns-auto:0
n:client-dns-suffix-auto:0
n:client-splitdns-used:1
n:client-splitdns-auto:0
n:client-wins-used:0
n:client-wins-auto:0
n:phase1-dhgroup:5
n:phase1-life-secs:28800
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:1800
n:phase2-life-kbytes:5120
n:policy-nailed:1
n:policy-list-auto:1
n:phase1-keylen:256
s:network-host:213.139.103.131
s:client-auto-mode:disabled
s:client-iface:virtual
s:client-ip-addr:192.168.50.2
s:client-ip-mask:255.255.255.0
s:network-natt-mode:enable
s:network-frag-mode:enable
s:client-dns-addr:8.8.8.8
s:client-dns-suffix:bk.local
s:auth-method:mutual-psk-xauth
s:ident-client-type:address
s:ident-server-type:address
b:auth-mutual-psk:YWJjZGVmZ2hpamts
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:sha1
s:phase2-transform:esp-3des
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
n:phase2-pfsgroup:5
s:policy-level:auto









share|improve this question
























  • dude, you have your public IP up in there AND your PSK....tear that out of your post AND change your PSK right now.

    – Citizen
    Feb 10 '15 at 4:38











  • Not trying to be a jerk, just trying to have your back.

    – Citizen
    Feb 10 '15 at 4:39











  • Thanks for the tip, but calm down, it was just an example :)

    – fsaftoiu
    Feb 10 '15 at 22:09











  • Gotcha, sorry. I thought it was a real config. Apologies.

    – Citizen
    Feb 11 '15 at 8:03













1












1








1








I'm trying to configure an IPSec VPN on a Fortigate 80C and connect to it using Shrew Soft VPN. I'm stuck with a negotiation failure, even though debugging on the Fortigate unit shows the same values for both proposals, except for the proposal id :



ike 0: comes 213.233.112.182:500->192.168.1.254:500,ifindex=18....
ike 0: IKEv1 exchange=Aggressive id=448542093a752e2a/0000000000000000 len=577
ike 0: in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
ike 0:448542093a752e2a/0000000000000000:1314: responder: aggressive mode get 1st message...
ike 0:448542093a752e2a/0000000000000000:1314: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
ike 0:448542093a752e2a/0000000000000000:1314: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:448542093a752e2a/0000000000000000:1314: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
ike 0:448542093a752e2a/0000000000000000:1314: VID draft-ietf-ipsec-nat-t-ike-02n 90CB80913EBB696E086381B5EC427B1F
ike 0:448542093a752e2a/0000000000000000:1314: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:448542093a752e2a/0000000000000000:1314: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:448542093a752e2a/0000000000000000:1314: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000
ike 0:448542093a752e2a/0000000000000000:1314: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:448542093a752e2a/0000000000000000:1314: VID unknown (16): 3B9031DCE4FCF88B489A923963DD0C49
ike 0:448542093a752e2a/0000000000000000:1314: VID unknown (16): F14B94B7BFF1FEF02773B8C49FEDED26
ike 0:448542093a752e2a/0000000000000000:1314: VID unknown (20): 166F932D55EB64D8E4DF4FD37E2313F0D0FD8451
ike 0:448542093a752e2a/0000000000000000:1314: VID unknown (16): 8404ADF9CDA05760B2CA292E4BFF537B
ike 0:448542093a752e2a/0000000000000000:1314: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
ike 0: IKEv1 Aggressive, comes 213.233.112.182:500->192.168.1.254 18, peer-id=FSARO
ike 0:448542093a752e2a/0000000000000000:1314: my proposal, gw BKIPSECVPN:
ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 1:
ike 0:448542093a752e2a/0000000000000000:1314: protocol id = ISAKMP:
ike 0:448542093a752e2a/0000000000000000:1314: trans_id = KEY_IKE.
ike 0:448542093a752e2a/0000000000000000:1314: encapsulation = IKE/none
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:448542093a752e2a/0000000000000000:1314: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_GROUP, val=1536.
ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 1:
ike 0:448542093a752e2a/0000000000000000:1314: protocol id = ISAKMP:
ike 0:448542093a752e2a/0000000000000000:1314: trans_id = KEY_IKE.
ike 0:448542093a752e2a/0000000000000000:1314: encapsulation = IKE/none
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:448542093a752e2a/0000000000000000:1314: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_GROUP, val=1536.
ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 1:
ike 0:448542093a752e2a/0000000000000000:1314: protocol id = ISAKMP:
ike 0:448542093a752e2a/0000000000000000:1314: trans_id = KEY_IKE.
ike 0:448542093a752e2a/0000000000000000:1314: encapsulation = IKE/none
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:448542093a752e2a/0000000000000000:1314: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_GROUP, val=1536.
ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 1:
ike 0:448542093a752e2a/0000000000000000:1314: protocol id = ISAKMP:
ike 0:448542093a752e2a/0000000000000000:1314: trans_id = KEY_IKE.
ike 0:448542093a752e2a/0000000000000000:1314: encapsulation = IKE/none
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:448542093a752e2a/0000000000000000:1314: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_GROUP, val=1536.
ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
ike 0:448542093a752e2a/0000000000000000:1314: incoming proposal:
ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 0:
ike 0:448542093a752e2a/0000000000000000:1314: protocol id = ISAKMP:
ike 0:448542093a752e2a/0000000000000000:1314: trans_id = KEY_IKE.
ike 0:448542093a752e2a/0000000000000000:1314: encapsulation = IKE/none
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:448542093a752e2a/0000000000000000:1314: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_GROUP, val=1536.
ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
ike 0:448542093a752e2a/0000000000000000:1314: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:448542093a752e2a/0000000000000000:1314: no SA proposal chosen
ike shrank heap by 122880 bytes
ike shrank heap by 20480 bytes


Any idea why this is happening ?



Here's the tunnel configuration :



BKFGT80C-03 # show vpn ipsec phase1-interface BKIPSECVPN 
config vpn ipsec phase1-interface
edit "BKIPSECVPN"
set type dynamic
set interface "WANProsodieDATA"
set mode aggressive
set xauthtype pap
set proposal 3des-sha1 aes128-sha1
set authusrgrp "vpn-users@SRV3"
set psksecret ENC nhHJbl/trs/6Fxx383T9wTSrI85maR2cvP2R4N5XD0VyLc/rdzp/QnWFKOEYlXEIBc6ViKqSrb2GCliq5+4y3dxuRG3hurRq5T4Vz1uYf23y/+qE8xMspKvWOJkb2BP8wV7bkNgd7TjJabL/GfOU6pIsuga9J0kknxTdEPl8fWzj3U4g85R9+BO7264YQ/7ZopFZHA==
set keepalive 15
next
end

BKFGT80C-03 # show vpn ipsec phase2-interface BKIPSECVPN_Ph2
config vpn ipsec phase2-interface
edit "BKIPSECVPN_Ph2"
set keepalive enable
set phase1name "BKIPSECVPN"
set proposal 3des-sha1 aes128-sha1
next
end


And here's the Shrewsoft VPN config :



n:version:4
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:0
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:0
n:network-notify-enable:1
n:client-dns-used:1
n:client-dns-auto:0
n:client-dns-suffix-auto:0
n:client-splitdns-used:1
n:client-splitdns-auto:0
n:client-wins-used:0
n:client-wins-auto:0
n:phase1-dhgroup:5
n:phase1-life-secs:28800
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:1800
n:phase2-life-kbytes:5120
n:policy-nailed:1
n:policy-list-auto:1
n:phase1-keylen:256
s:network-host:213.139.103.131
s:client-auto-mode:disabled
s:client-iface:virtual
s:client-ip-addr:192.168.50.2
s:client-ip-mask:255.255.255.0
s:network-natt-mode:enable
s:network-frag-mode:enable
s:client-dns-addr:8.8.8.8
s:client-dns-suffix:bk.local
s:auth-method:mutual-psk-xauth
s:ident-client-type:address
s:ident-server-type:address
b:auth-mutual-psk:YWJjZGVmZ2hpamts
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:sha1
s:phase2-transform:esp-3des
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
n:phase2-pfsgroup:5
s:policy-level:auto









share|improve this question
















I'm trying to configure an IPSec VPN on a Fortigate 80C and connect to it using Shrew Soft VPN. I'm stuck with a negotiation failure, even though debugging on the Fortigate unit shows the same values for both proposals, except for the proposal id :



ike 0: comes 213.233.112.182:500->192.168.1.254:500,ifindex=18....
ike 0: IKEv1 exchange=Aggressive id=448542093a752e2a/0000000000000000 len=577
ike 0: in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
ike 0:448542093a752e2a/0000000000000000:1314: responder: aggressive mode get 1st message...
ike 0:448542093a752e2a/0000000000000000:1314: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
ike 0:448542093a752e2a/0000000000000000:1314: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:448542093a752e2a/0000000000000000:1314: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
ike 0:448542093a752e2a/0000000000000000:1314: VID draft-ietf-ipsec-nat-t-ike-02n 90CB80913EBB696E086381B5EC427B1F
ike 0:448542093a752e2a/0000000000000000:1314: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:448542093a752e2a/0000000000000000:1314: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:448542093a752e2a/0000000000000000:1314: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000
ike 0:448542093a752e2a/0000000000000000:1314: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:448542093a752e2a/0000000000000000:1314: VID unknown (16): 3B9031DCE4FCF88B489A923963DD0C49
ike 0:448542093a752e2a/0000000000000000:1314: VID unknown (16): F14B94B7BFF1FEF02773B8C49FEDED26
ike 0:448542093a752e2a/0000000000000000:1314: VID unknown (20): 166F932D55EB64D8E4DF4FD37E2313F0D0FD8451
ike 0:448542093a752e2a/0000000000000000:1314: VID unknown (16): 8404ADF9CDA05760B2CA292E4BFF537B
ike 0:448542093a752e2a/0000000000000000:1314: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
ike 0: IKEv1 Aggressive, comes 213.233.112.182:500->192.168.1.254 18, peer-id=FSARO
ike 0:448542093a752e2a/0000000000000000:1314: my proposal, gw BKIPSECVPN:
ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 1:
ike 0:448542093a752e2a/0000000000000000:1314: protocol id = ISAKMP:
ike 0:448542093a752e2a/0000000000000000:1314: trans_id = KEY_IKE.
ike 0:448542093a752e2a/0000000000000000:1314: encapsulation = IKE/none
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:448542093a752e2a/0000000000000000:1314: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_GROUP, val=1536.
ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 1:
ike 0:448542093a752e2a/0000000000000000:1314: protocol id = ISAKMP:
ike 0:448542093a752e2a/0000000000000000:1314: trans_id = KEY_IKE.
ike 0:448542093a752e2a/0000000000000000:1314: encapsulation = IKE/none
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:448542093a752e2a/0000000000000000:1314: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_GROUP, val=1536.
ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 1:
ike 0:448542093a752e2a/0000000000000000:1314: protocol id = ISAKMP:
ike 0:448542093a752e2a/0000000000000000:1314: trans_id = KEY_IKE.
ike 0:448542093a752e2a/0000000000000000:1314: encapsulation = IKE/none
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:448542093a752e2a/0000000000000000:1314: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_GROUP, val=1536.
ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 1:
ike 0:448542093a752e2a/0000000000000000:1314: protocol id = ISAKMP:
ike 0:448542093a752e2a/0000000000000000:1314: trans_id = KEY_IKE.
ike 0:448542093a752e2a/0000000000000000:1314: encapsulation = IKE/none
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:448542093a752e2a/0000000000000000:1314: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_GROUP, val=1536.
ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
ike 0:448542093a752e2a/0000000000000000:1314: incoming proposal:
ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 0:
ike 0:448542093a752e2a/0000000000000000:1314: protocol id = ISAKMP:
ike 0:448542093a752e2a/0000000000000000:1314: trans_id = KEY_IKE.
ike 0:448542093a752e2a/0000000000000000:1314: encapsulation = IKE/none
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:448542093a752e2a/0000000000000000:1314: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_GROUP, val=1536.
ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
ike 0:448542093a752e2a/0000000000000000:1314: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:448542093a752e2a/0000000000000000:1314: no SA proposal chosen
ike shrank heap by 122880 bytes
ike shrank heap by 20480 bytes


Any idea why this is happening?

Here's the tunnel configuration:



BKFGT80C-03 # show vpn ipsec phase1-interface BKIPSECVPN 
config vpn ipsec phase1-interface
edit "BKIPSECVPN"
set type dynamic
set interface "WANProsodieDATA"
set mode aggressive
set xauthtype pap
set proposal 3des-sha1 aes128-sha1
set authusrgrp "vpn-users@SRV3"
set psksecret ENC nhHJbl/trs/6Fxx383T9wTSrI85maR2cvP2R4N5XD0VyLc/rdzp/QnWFKOEYlXEIBc6ViKqSrb2GCliq5+4y3dxuRG3hurRq5T4Vz1uYf23y/+qE8xMspKvWOJkb2BP8wV7bkNgd7TjJabL/GfOU6pIsuga9J0kknxTdEPl8fWzj3U4g85R9+BO7264YQ/7ZopFZHA==
set keepalive 15
next
end

BKFGT80C-03 # show vpn ipsec phase2-interface BKIPSECVPN_Ph2
config vpn ipsec phase2-interface
edit "BKIPSECVPN_Ph2"
set keepalive enable
set phase1name "BKIPSECVPN"
set proposal 3des-sha1 aes128-sha1
next
end


And here's the Shrewsoft VPN config:



n:version:4
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:0
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:0
n:network-notify-enable:1
n:client-dns-used:1
n:client-dns-auto:0
n:client-dns-suffix-auto:0
n:client-splitdns-used:1
n:client-splitdns-auto:0
n:client-wins-used:0
n:client-wins-auto:0
n:phase1-dhgroup:5
n:phase1-life-secs:28800
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:1800
n:phase2-life-kbytes:5120
n:policy-nailed:1
n:policy-list-auto:1
n:phase1-keylen:256
s:network-host:213.139.103.131
s:client-auto-mode:disabled
s:client-iface:virtual
s:client-ip-addr:192.168.50.2
s:client-ip-mask:255.255.255.0
s:network-natt-mode:enable
s:network-frag-mode:enable
s:client-dns-addr:8.8.8.8
s:client-dns-suffix:bk.local
s:auth-method:mutual-psk-xauth
s:ident-client-type:address
s:ident-server-type:address
b:auth-mutual-psk:YWJjZGVmZ2hpamts
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:sha1
s:phase2-transform:esp-3des
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
n:phase2-pfsgroup:5
s:policy-level:auto
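As an added example (not part of the question or of any answer): a small Python checker that parses this FortiGate IKE debug format and reports, for each local proposal, which attributes differ from the peer's incoming proposal. The embedded log is constructed, with a shortened session prefix and a deliberately mismatched DH group; on the real log above, the 3DES/SHA/XAUTH local proposal carries the same value as the incoming proposal on every attribute printed, so this check would report an empty diff for it.

```python
import re

# Constructed sample in the format of the FortiGate IKE debug output quoted above (shortened prefix).
SAMPLE_LOG = """\
ike 0:s/0:1: proposal id = 1:
ike 0:s/0:1: encapsulation = IKE/none
ike 0:s/0:1: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:s/0:1: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:s/0:1: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:s/0:1: type=OAKLEY_GROUP, val=1536.
ike 0:s/0:1: ISAKMP SA lifetime=28800
ike 0:s/0:1: proposal id = 1:
ike 0:s/0:1: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:s/0:1: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:s/0:1: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:s/0:1: type=OAKLEY_GROUP, val=1536.
ike 0:s/0:1: ISAKMP SA lifetime=28800
ike 0:s/0:1: incoming proposal:
ike 0:s/0:1: proposal id = 0:
ike 0:s/0:1: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:s/0:1: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:s/0:1: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:s/0:1: type=OAKLEY_GROUP, val=1024.
ike 0:s/0:1: ISAKMP SA lifetime=28800
"""

PREFIX = re.compile(r"^ike \S+: (.*)$")  # strips the "ike 0:<cookies>:<seq>: " prefix
ATTR = re.compile(r"type=(\w+), val=(\w+)\.|ISAKMP SA (lifetime)=(\d+)")


def parse_proposals(log_text):
    """Return (local, incoming): one {attribute: value} dict per proposal block."""
    local, incoming, current = [], [], None
    target = local  # everything before "incoming proposal:" is the FortiGate's own
    for raw in log_text.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue  # "shrank heap" / "Negotiate ... Error" lines have another shape
        body = m.group(1)
        if body == "incoming proposal:":
            target = incoming
        elif body.startswith("proposal id"):
            current = {}
            target.append(current)
        elif current is not None and (a := ATTR.match(body)):
            current[a.group(1) or a.group(3)] = a.group(2) or a.group(4)
    return local, incoming


def diagnose(log_text):
    """Per (local proposal number, peer offer): attributes whose values differ; [] = match."""
    local, incoming = parse_proposals(log_text)
    report = []
    for offer in incoming:
        for n, mine in enumerate(local, 1):
            keys = set(mine) | set(offer)
            report.append((n, sorted(k for k in keys if mine.get(k) != offer.get(k))))
    return report
```

Feed it the output of the FortiGate IKE debug and the local proposal with the shortest diff list is the one the client almost matched.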






vpn fortigate

asked Jul 25 '14 at 14:38
fsaftoiu
edited Aug 4 '14 at 15:21

  • dude, you have your public IP up in there AND your PSK....tear that out of your post AND change your PSK right now.

    – Citizen
    Feb 10 '15 at 4:38

  • Not trying to be a jerk, just trying to have your back.

    – Citizen
    Feb 10 '15 at 4:39

  • Thanks for the tip, but calm down, it was just an example :)

    – fsaftoiu
    Feb 10 '15 at 22:09

  • Gotcha, sorry. I thought it was a real config. Apologies.

    – Citizen
    Feb 11 '15 at 8:03

3 Answers

Could you paste the fortigate configuration of the tunnel? (will edit with an answer but without the configuration I can't help you)

answered Jul 26 '14 at 8:57
Vovor

  • Hi, thanks for the attention. I've edited the question to add the tunnel config.

    – fsaftoiu
    Jul 26 '14 at 19:08

Can you also include the Shrew Soft config? Clearly there is a mismatch in config. Local-ID? DH Groups? What happens if you de-select XAUTH and just use PSK?

answered Aug 1 '14 at 14:34
miblo69

  • Hi, I added that too

    – fsaftoiu
    Aug 4 '14 at 15:21

  • And I have the same problem without XAUTH

    – fsaftoiu
    Aug 4 '14 at 15:22

I can see in your configuration you have different cipher types for phase2:

set proposal 3des-sha1 aes128-sha1

and for Shrewsoft VPN

s:phase2-transform:esp-3des
s:phase2-hmac:sha1

Put both on either AES-128 or 3DES. This should solve the problem.

answered Feb 10 '15 at 4:13
Daler
