
I think it is useful to know which error you will see if you do not configure your IPsec VPN phase 1 correctly.
First, enable debugging on your appliance:
diagnose vpn ike log-filter dst-addr4 10.189.0.182
diagnose debug application ike -1
diagnose debug enable
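The example is taken from a FortiGate appliance. The peer proposes DH group MODP2048 while the local gateway (SAS_4G) offers MODP1536, so the negotiation ends with "no proposal chosen":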
ike 0:d51d5XXXXXX/0000000000000000:65777: responder received SA_INIT msg
ike 0:d51d5XXXXXX/0000000000000000:65777: received notify type NAT_DETECTION_DESTINATION_IP
ike 0:d51d5XXXXXX/0000000000000000:65777: received notify type NAT_DETECTION_SOURCE_IP
ike 0:d51d5XXXXXX/0000000000000000:65777: incoming proposal:
ike 0:d51d5XXXXXX/0000000000000000:65777: proposal id = 1:
ike 0:d51d5XXXXXX/0000000000000000:65777: protocol = IKEv2:
ike 0:d51d5XXXXXX/0000000000000000:65777: encapsulation = IKEv2/none
ike 0:d51d5XXXXXX/0000000000000000:65777: type=ENCR, val=23
ike 0:d51d5XXXXXX/0000000000000000:65777: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:d51d5XXXXXX/0000000000000000:65777: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:d51d5XXXXXX/0000000000000000:65777: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:d51d5XXXXXX/0000000000000000:65777: type=DH_GROUP, val=MODP2048.
ike 0:d51d5XXXXXX/0000000000000000:65777: my proposal, gw SAS_4G:
ike 0:d51d5XXXXXX/0000000000000000:65777: proposal id = 1:
ike 0:d51d5XXXXXX/0000000000000000:65777: protocol = IKEv2:
ike 0:d51d5XXXXXX/0000000000000000:65777: encapsulation = IKEv2/none
ike 0:d51d5XXXXXX/0000000000000000:65777: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:d51d5XXXXXX/0000000000000000:65777: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:d51d5XXXXXX/0000000000000000:65777: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:d51d5XXXXXX/0000000000000000:65777: type=DH_GROUP, val=MODP1536.
ike 0:d51d5XXXXXX/0000000000000000:65777: lifetime=86400
ike 0:d51d5XXXXXX/0000000000000000:65777: no proposal chosen
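To spot the mismatch without reading the log line by line, the failed negotiation above can be diffed automatically. This is an added example, not part of the original post or of any Fortinet tooling. The function names are hypothetical, the sample is rebuilt from the lines above, and it assumes one proposal per side (several proposals on one side would be merged).

```python
import re
from collections import defaultdict

# Constructed sample: the failed SA_INIT lines from this page, reduced to the
# two proposal blocks and the verdict.
P = "ike 0:d51d5XXXXXX/0000000000000000:65777: "
SAMPLE = "\n".join(P + m for m in [
    "incoming proposal:", "proposal id = 1:", "protocol = IKEv2:",
    "type=ENCR, val=23", "type=ENCR, val=AES_CBC (key_len = 256)",
    "type=INTEGR, val=AUTH_HMAC_SHA2_256_128", "type=PRF, val=PRF_HMAC_SHA2_256",
    "type=DH_GROUP, val=MODP2048.",
    "my proposal, gw SAS_4G:", "proposal id = 1:", "protocol = IKEv2:",
    "type=ENCR, val=AES_CBC (key_len = 256)",
    "type=INTEGR, val=AUTH_HMAC_SHA2_256_128", "type=PRF, val=PRF_HMAC_SHA2_256",
    "type=DH_GROUP, val=MODP1536.", "lifetime=86400", "no proposal chosen",
])

MSG = re.compile(r"^ike \S+: (.*)$")                  # drop the "ike 0:...:" prefix
TRANSFORM = re.compile(r"^type=(\w+), val=(.+?)\.?$")  # trailing "." ends a proposal

def parse_proposals(log):
    """Collect transforms per side ('peer' / 'local') and the final verdict."""
    sides = {"peer": defaultdict(set), "local": defaultdict(set)}
    side, rejected = None, False
    for line in log.splitlines():
        m = MSG.match(line.strip())
        if not m:
            continue
        msg = m.group(1)
        if msg.startswith("incoming proposal"):
            side = "peer"
        elif msg.startswith("my proposal"):
            side = "local"
        elif msg == "no proposal chosen":
            rejected = True
        elif side and (t := TRANSFORM.match(msg)):
            sides[side][t.group(1)].add(t.group(2))
    return sides, rejected

def mismatched_types(log):
    """Transform types for which peer and local offers share no value."""
    sides, rejected = parse_proposals(log)
    if not rejected:
        return {}
    peer, local = sides["peer"], sides["local"]
    return {t: (sorted(peer.get(t, ())), sorted(local.get(t, ())))
            for t in sorted(set(peer) | set(local))
            if not peer.get(t, set()) & local.get(t, set())}

if __name__ == "__main__":
    for t, (p, l) in mismatched_types(SAMPLE).items():
        print(f"{t}: peer offers {p}, local accepts {l}")
```

Paste the captured debug output in place of SAMPLE; an empty result on a rejected negotiation means the transforms overlap and the cause lies elsewhere.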
And here is a working example, where the proposal is matched and the IKE SA is established:
ike 0:SAS_4G:65785:SAS_4G_102:471794: dialup
ike 0:SAS_4G:65785:SAS_4G_102:471794: incoming child SA proposal:
ike 0:SAS_4G:65785:SAS_4G_102:471794: proposal id = 1:
ike 0:SAS_4G:65785:SAS_4G_102:471794: protocol = ESP:
ike 0:SAS_4G:65785:SAS_4G_102:471794: encapsulation = TUNNEL
ike 0:SAS_4G:65785:SAS_4G_102:471794: type=ENCR, val=23
ike 0:SAS_4G:65785:SAS_4G_102:471794: type=ENCR, val=20
ike 0:SAS_4G:65785:SAS_4G_102:471794: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:SAS_4G:65785:SAS_4G_102:471794: type=INTEGR, val=SHA256
ike 0:SAS_4G:65785:SAS_4G_102:471794: type=INTEGR, val=SHA512
ike 0:SAS_4G:65785:SAS_4G_102:471794: PFS is disabled
ike 0:SAS_4G:65785:SAS_4G_102:471794: matched proposal id 1
ike 0:SAS_4G:65785:SAS_4G_102:471794: proposal id = 1:
ike 0:SAS_4G:65785:SAS_4G_102:471794: protocol = ESP:
ike 0:SAS_4G:65785:SAS_4G_102:471794: encapsulation = TUNNEL
ike 0:SAS_4G:65785:SAS_4G_102:471794: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:SAS_4G:65785:SAS_4G_102:471794: type=INTEGR, val=SHA256
ike 0:SAS_4G:65785:SAS_4G_102:471794: PFS is disabled
ike 0:SAS_4G:65785:SAS_4G_102:471794: lifetime=86400
ike 0:SAS_4G:65785: responder preparing AUTH msg
ike 0:SAS_4G:65785: established IKE SA b9cbd5d/d735c2ca
ike 0:SAS_4G: adding new dynamic tunnel for 105.105.105.105:4500
ike 0:SAS_4G_0: added new dynamic tunnel for 105.105.105.105:4500
ike 0:SAS_4G_0:65785:SAS_4G_102:471794: src 0 7 0:192.168.10.0-192.168.10.255:0
ike 0:SAS_4G_0:65785:SAS_4G_102:471794: dst 0 7 0:192.168.253.0-192.168.253.255:0
ike 0:SAS_4G_0:65785:SAS_4G_102:471794: add dynamic IPsec SA selectors
ike 0:SAS_4G_0:471794: add route 192.168.253.0/255.255.255.0 oif SAS_4G_0(159) metric 15 priority 0
ike 0:SAS_4G_0:65785:SAS_4G_102:471794: tunnel 1 of VDOM limit 0/0
ike 0:SAS_4G_0:65785:SAS_4G_102:471794: add IPsec SA: SPIs=07d50029/010f0680