IPsec negotiation failure examples

Network topology

[Network topology diagram (image not included): FGT-BJ at 100.1.1.2 peers with FGT-SH at 200.1.1.2 over the tunnel VPN-to-SH]

No IPsec negotiation packets received from the peer on UDP port 500

The capture on FGT-BJ shows that FGT-BJ has sent IPsec (IKE) negotiation packets to FGT-SH but has not received any from FGT-SH: only outbound packets on UDP port 500 appear. The problem may therefore be that the ISP is blocking UDP port 500, or it may be a configuration problem on FGT-SH. The same capture can be run on FGT-SH to check from that side.

FGT-BJ# diagnose sniffer packet any 'host 200.1.1.2 and udp port 500' 4
interfaces=[any]
filters=[host 200.1.1.2 and udp port 500]
8.239752 port2 out 100.1.1.2.500 -> 200.1.1.2.500: udp 192
8.240249 port2 out 100.1.1.2.500 -> 200.1.1.2.500: udp 380
8.240778 port2 out 100.1.1.2.500 -> 200.1.1.2.500: udp 92

NAT environment: no IPsec negotiation packets received from the peer on UDP port 4500

The capture on FGT-BJ shows IKE packets exchanged in both directions on UDP port 500, but FGT-BJ never receives FGT-SH's negotiation packets on UDP port 4500 (NAT-T): only outbound packets on port 4500 appear. The problem may therefore be that the ISP is blocking UDP port 4500, or it may be a configuration problem on FGT-SH. The same capture can be run on FGT-SH to check from that side.

FGT-BJ# diagnose sniffer packet any 'host 200.1.1.2 and (udp port 500 or udp port 4500)' 4
interfaces=[any]
filters=[host 200.1.1.2 and (udp port 500 or udp port 4500)]
6.097481 port2 out 100.1.1.2.500 -> 200.1.1.2.500: udp 380
6.098041 port2 in 200.1.1.2.500 -> 100.1.1.2.500: udp 380
6.098294 port2 out 100.1.1.2.4500 -> 200.1.1.2.4500: udp 112
6.098780 port2 out 100.1.1.2.4500 -> 200.1.1.2.4500: udp 624
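As an added example (not from the original page or from Fortinet), a small parser for the diagnose sniffer packet lines in the two captures above: it counts in/out packets per IKE port and flags ports that carry outbound traffic only, which is the pattern both sections describe. The sample captures are constructed from the lines shown above.

```python
import re
from typing import Dict, List

# One data line of "diagnose sniffer packet ... 4" output, e.g.
#   8.239752 port2 out 100.1.1.2.500 -> 200.1.1.2.500: udp 192
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<proto>\w+)\s+(?P<length>\d+)"
)

IKE_PORTS = (500, 4500)  # 500 = IKE, 4500 = IKE/ESP over NAT-T


def parse_sniffer(text: str) -> List[dict]:
    """Parse sniffer output; the prompt and the interfaces=/filters= header lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sport", "dport", "length"):
            rec[key] = int(rec[key])
        packets.append(rec)
    return packets


def ike_direction_summary(text: str) -> Dict[int, Dict[str, int]]:
    """Count UDP packets seen in each direction, keyed by IKE destination port."""
    summary = {port: {"in": 0, "out": 0} for port in IKE_PORTS}
    for pkt in parse_sniffer(text):
        if pkt["proto"] == "udp" and pkt["dport"] in summary:
            summary[pkt["dport"]][pkt["dir"]] += 1
    return summary


def one_way_ports(summary: Dict[int, Dict[str, int]]) -> List[int]:
    """Ports on which we transmit but never receive: a blocked port or a silent/misconfigured peer."""
    return [port for port, c in summary.items() if c["out"] > 0 and c["in"] == 0]


# Constructed sample: the port 500 capture from the first section (outbound only).
CAPTURE_PORT500 = """\
interfaces=[any]
filters=[host 200.1.1.2 and udp port 500]
8.239752 port2 out 100.1.1.2.500 -> 200.1.1.2.500: udp 192
8.240249 port2 out 100.1.1.2.500 -> 200.1.1.2.500: udp 380
8.240778 port2 out 100.1.1.2.500 -> 200.1.1.2.500: udp 92
"""

# Constructed sample: the NAT-T capture from the second section (500 works, 4500 outbound only).
CAPTURE_NAT_T = """\
interfaces=[any]
filters=[host 200.1.1.2 and (udp port 500 or udp port 4500)]
6.097481 port2 out 100.1.1.2.500 -> 200.1.1.2.500: udp 380
6.098041 port2 in 200.1.1.2.500 -> 100.1.1.2.500: udp 380
6.098294 port2 out 100.1.1.2.4500 -> 200.1.1.2.4500: udp 112
6.098780 port2 out 100.1.1.2.4500 -> 200.1.1.2.4500: udp 624
"""

if __name__ == "__main__":
    for name, capture in (("port 500 only", CAPTURE_PORT500), ("NAT-T", CAPTURE_NAT_T)):
        summary = ike_direction_summary(capture)
        print(name, summary, "one-way ports:", one_way_ports(summary))
```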

Phase 1 proposal (algorithm set) mismatch

The debug shows ike Negotiate ISAKMP SA Error: ike 0:f0d8d95cbf3e993e/0000000000000000:13: no SA proposal chosen. Comparing the incoming proposal with my proposal shows that phase 1 (ike Negotiate ISAKMP SA) has no proposal on which every parameter matches: the peer offers SHA2_512 as the hash algorithm, while FGT-BJ only offers SHA2_256 and SHA1, so no phase 1 algorithm set is common to both sides.

FGT-BJ# diagnose debug application ike -1
FGT-BJ# diagnose debug enable

ike 0: comes 200.1.1.2:500->100.1.1.2:500,ifindex=10,vrf=0....
ike 0: IKEv1 exchange=Identity Protection id=f0d8d95cbf3e993e/0000000000000000 len=332 vrf=0
ike 0: in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
ike 0:f0d8d95cbf3e993e/0000000000000000:13: responder: main mode get 1st message...
ike 0:f0d8d95cbf3e993e/0000000000000000:13: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:f0d8d95cbf3e993e/0000000000000000:13: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:f0d8d95cbf3e993e/0000000000000000:13: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
ike 0:f0d8d95cbf3e993e/0000000000000000:13: VID draft-ietf-ipsec-nat-t-ike-02 90CB80913EBB696E086381B5EC427B1F
ike 0:f0d8d95cbf3e993e/0000000000000000:13: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
ike 0:f0d8d95cbf3e993e/0000000000000000:13: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:f0d8d95cbf3e993e/0000000000000000:13: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:f0d8d95cbf3e993e/0000000000000000:13: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike 0:f0d8d95cbf3e993e/0000000000000000:13: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:f0d8d95cbf3e993e/0000000000000000:13: VID FORTIGATE 8299031757A36082C6A621DE00000000
ike 0: cache rebuild start
ike 0:VPN-to-SH: local:100.1.1.2, remote:200.1.1.2
ike 0:VPN-to-SH: cached as static-ddns.
ike 0: cache rebuild done
ike 0:f0d8d95cbf3e993e/0000000000000000:13: incoming proposal:
ike 0:f0d8d95cbf3e993e/0000000000000000:13: proposal id = 0:
ike 0:f0d8d95cbf3e993e/0000000000000000:13:   protocol id = ISAKMP:
ike 0:f0d8d95cbf3e993e/0000000000000000:13:      trans_id = KEY_IKE.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:      encapsulation = IKE/none
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_HASH_ALG, val=SHA2_512.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_GROUP, val=MODP2048.
ike 0:f0d8d95cbf3e993e/0000000000000000:13: ISAKMP SA lifetime=86400
ike 0:f0d8d95cbf3e993e/0000000000000000:13: proposal id = 0:
ike 0:f0d8d95cbf3e993e/0000000000000000:13:   protocol id = ISAKMP:
ike 0:f0d8d95cbf3e993e/0000000000000000:13:      trans_id = KEY_IKE.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:      encapsulation = IKE/none
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_HASH_ALG, val=SHA2_512.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_GROUP, val=MODP1536.
ike 0:f0d8d95cbf3e993e/0000000000000000:13: ISAKMP SA lifetime=86400
ike 0:f0d8d95cbf3e993e/0000000000000000:13: my proposal, gw VPN-to-SH:
ike 0:f0d8d95cbf3e993e/0000000000000000:13: proposal id = 1:
ike 0:f0d8d95cbf3e993e/0000000000000000:13:   protocol id = ISAKMP:
ike 0:f0d8d95cbf3e993e/0000000000000000:13:      trans_id = KEY_IKE.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:      encapsulation = IKE/none
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_GROUP, val=MODP2048.
ike 0:f0d8d95cbf3e993e/0000000000000000:13: ISAKMP SA lifetime=86400
ike 0:f0d8d95cbf3e993e/0000000000000000:13: proposal id = 1:
ike 0:f0d8d95cbf3e993e/0000000000000000:13:   protocol id = ISAKMP:
ike 0:f0d8d95cbf3e993e/0000000000000000:13:      trans_id = KEY_IKE.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:      encapsulation = IKE/none
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_GROUP, val=MODP1536.
ike 0:f0d8d95cbf3e993e/0000000000000000:13: ISAKMP SA lifetime=86400
ike 0:f0d8d95cbf3e993e/0000000000000000:13: proposal id = 1:
ike 0:f0d8d95cbf3e993e/0000000000000000:13:   protocol id = ISAKMP:
ike 0:f0d8d95cbf3e993e/0000000000000000:13:      trans_id = KEY_IKE.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:      encapsulation = IKE/none
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_GROUP, val=MODP2048.
ike 0:f0d8d95cbf3e993e/0000000000000000:13: ISAKMP SA lifetime=86400
ike 0:f0d8d95cbf3e993e/0000000000000000:13: proposal id = 1:
ike 0:f0d8d95cbf3e993e/0000000000000000:13:   protocol id = ISAKMP:
ike 0:f0d8d95cbf3e993e/0000000000000000:13:      trans_id = KEY_IKE.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:      encapsulation = IKE/none
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_GROUP, val=MODP1536.
ike 0:f0d8d95cbf3e993e/0000000000000000:13: ISAKMP SA lifetime=86400
ike 0:f0d8d95cbf3e993e/0000000000000000:13: proposal id = 1:
ike 0:f0d8d95cbf3e993e/0000000000000000:13:   protocol id = ISAKMP:
ike 0:f0d8d95cbf3e993e/0000000000000000:13:      trans_id = KEY_IKE.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:      encapsulation = IKE/none
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_GROUP, val=MODP2048.
ike 0:f0d8d95cbf3e993e/0000000000000000:13: ISAKMP SA lifetime=86400
ike 0:f0d8d95cbf3e993e/0000000000000000:13: proposal id = 1:
ike 0:f0d8d95cbf3e993e/0000000000000000:13:   protocol id = ISAKMP:
ike 0:f0d8d95cbf3e993e/0000000000000000:13:      trans_id = KEY_IKE.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:      encapsulation = IKE/none
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_GROUP, val=MODP1536.
ike 0:f0d8d95cbf3e993e/0000000000000000:13: ISAKMP SA lifetime=86400
ike 0:f0d8d95cbf3e993e/0000000000000000:13: proposal id = 1:
ike 0:f0d8d95cbf3e993e/0000000000000000:13:   protocol id = ISAKMP:
ike 0:f0d8d95cbf3e993e/0000000000000000:13:      trans_id = KEY_IKE.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:      encapsulation = IKE/none
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_GROUP, val=MODP2048.
ike 0:f0d8d95cbf3e993e/0000000000000000:13: ISAKMP SA lifetime=86400
ike 0:f0d8d95cbf3e993e/0000000000000000:13: proposal id = 1:
ike 0:f0d8d95cbf3e993e/0000000000000000:13:   protocol id = ISAKMP:
ike 0:f0d8d95cbf3e993e/0000000000000000:13:      trans_id = KEY_IKE.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:      encapsulation = IKE/none
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_GROUP, val=MODP1536.
ike 0:f0d8d95cbf3e993e/0000000000000000:13: ISAKMP SA lifetime=86400
ike 0:f0d8d95cbf3e993e/0000000000000000:13: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:f0d8d95cbf3e993e/0000000000000000:13: no SA proposal chosen
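A parser for the incoming proposal / my proposal listing above, written for this page as an added example (it is not FortiOS code or a Fortinet tool): it collects every phase 1 transform from both sides and reports the attributes for which the two sides share no value at all, which is the check a practitioner does by eye on the listing. The sample debug text is a constructed, shortened version of the output above.

```python
import re
from typing import Dict, List, Optional, Tuple

# "ike 0:f0d8d95cbf3e993e/0000000000000000:13: <text>" -> "<text>"
PREFIX_RE = re.compile(r"^ike\s+\S+\s*(.*)$")
# "type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128"  /  "type=OAKLEY_HASH_ALG, val=SHA2_512."
ATTR_RE = re.compile(r"type\s*=\s*(\w+),\s*val\s*=\s*(\w+)(?:,\s*key-len\s*=\s*(\d+))?")

Proposal = Dict[str, str]


def _strip_prefix(line: str) -> str:
    m = PREFIX_RE.match(line.strip())
    return m.group(1).strip() if m else line.strip()


def parse_phase1_proposals(debug: str) -> Dict[str, List[Proposal]]:
    """Collect the peer's ("incoming proposal") and our own ("my proposal") phase 1 transforms."""
    sides: Dict[str, List[Proposal]] = {"incoming": [], "mine": []}
    side: Optional[str] = None
    current: Optional[Proposal] = None
    for raw in debug.splitlines():
        text = _strip_prefix(raw)
        if text.startswith("negotiation"):  # "negotiation failure"/"result" ends the listing
            side, current = None, None
        elif text.startswith("incoming proposal"):
            side, current = "incoming", None
        elif text.startswith("my proposal"):
            side, current = "mine", None
        elif side is None:
            continue
        elif text.startswith("proposal id"):
            current = {}
            sides[side].append(current)
        elif current is not None:
            m = ATTR_RE.search(text)
            if m:
                attr, val, keylen = m.groups()
                current[attr] = f"{val}-{keylen}" if keylen else val  # AES_CBC-128
    return sides


def compare_phase1(debug: str) -> Tuple[List[Proposal], Dict[str, Tuple[List[str], List[str]]]]:
    """Return (proposals present on both sides, attributes on which no value is shared)."""
    sides = parse_phase1_proposals(debug)
    mine = [frozenset(p.items()) for p in sides["mine"]]
    common = [dict(p) for p in sides["incoming"] if frozenset(p.items()) in mine]
    blockers: Dict[str, Tuple[List[str], List[str]]] = {}
    for attr in sorted({a for p in sides["incoming"] + sides["mine"] for a in p}):
        peer_vals = {p[attr] for p in sides["incoming"] if attr in p}
        my_vals = {p[attr] for p in sides["mine"] if attr in p}
        if not peer_vals & my_vals:
            blockers[attr] = (sorted(peer_vals), sorted(my_vals))
    return common, blockers


# Constructed sample: a shortened form of the FGT-BJ debug listing above.
SAMPLE_DEBUG = """\
ike 0:f0d8d95cbf3e993e/0000000000000000:13: incoming proposal:
ike 0:f0d8d95cbf3e993e/0000000000000000:13: proposal id = 0:
ike 0:f0d8d95cbf3e993e/0000000000000000:13:   protocol id = ISAKMP:
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_HASH_ALG, val=SHA2_512.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_GROUP, val=MODP2048.
ike 0:f0d8d95cbf3e993e/0000000000000000:13: ISAKMP SA lifetime=86400
ike 0:f0d8d95cbf3e993e/0000000000000000:13: proposal id = 0:
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_HASH_ALG, val=SHA2_512.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_GROUP, val=MODP1536.
ike 0:f0d8d95cbf3e993e/0000000000000000:13: my proposal, gw VPN-to-SH:
ike 0:f0d8d95cbf3e993e/0000000000000000:13: proposal id = 1:
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_GROUP, val=MODP2048.
ike 0:f0d8d95cbf3e993e/0000000000000000:13: proposal id = 1:
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:f0d8d95cbf3e993e/0000000000000000:13:         type=OAKLEY_GROUP, val=MODP1536.
ike 0:f0d8d95cbf3e993e/0000000000000000:13: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:f0d8d95cbf3e993e/0000000000000000:13: no SA proposal chosen
"""

if __name__ == "__main__":
    common, blockers = compare_phase1(SAMPLE_DEBUG)
    print("common proposals:", common)
    print("attributes with no shared value (peer values, my values):", blockers)
```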

Pre-shared key mismatch

The debug shows probable pre-shared secret mismatch, from which it can be concluded that the pre-shared keys on the two sides do not match. Note that phase 1 proposal selection succeeded and the exchange reached the third main-mode message; the failure only surfaces when FGT-BJ decrypts that message with the key derived from its own pre-shared key (parse error), which is why the daemon reports the mismatch as "probable".

FGT-BJ# diagnose debug application ike -1
FGT-BJ# diagnose debug enable

ike shrank heap by 163840 bytes
ike 0: comes 200.1.1.2:500->100.1.1.2:500,ifindex=10,vrf=0....
ike 0: IKEv1 exchange=Identity Protection id=dd4a4831edc1e725/0000000000000000 len=332 vrf=0
ike 0: in DD4A4831EDC1E725000000000000000001100200000000000000014C0D000064000000010000000100000058010100020300002801010000800B0001000C00040001518080010007800E008080030001800200048004000E0000002802010000800B0001000C00040001518080010007800E00808003000180020004800400050D0000144A131C81070358455C5728F20E95452F0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:dd4a4831edc1e725/0000000000000000:17: responder: main mode get 1st message...
ike 0:dd4a4831edc1e725/0000000000000000:17: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:dd4a4831edc1e725/0000000000000000:17: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:dd4a4831edc1e725/0000000000000000:17: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
ike 0:dd4a4831edc1e725/0000000000000000:17: VID draft-ietf-ipsec-nat-t-ike-02 90CB80913EBB696E086381B5EC427B1F
ike 0:dd4a4831edc1e725/0000000000000000:17: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
ike 0:dd4a4831edc1e725/0000000000000000:17: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:dd4a4831edc1e725/0000000000000000:17: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:dd4a4831edc1e725/0000000000000000:17: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike 0:dd4a4831edc1e725/0000000000000000:17: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:dd4a4831edc1e725/0000000000000000:17: VID FORTIGATE 8299031757A36082C6A621DE00000000
ike 0: cache rebuild start
ike 0:VPN-to-SH: local:100.1.1.2, remote:200.1.1.2
ike 0:VPN-to-SH: cached as static-ddns.
ike 0: cache rebuild done
ike 0:dd4a4831edc1e725/0000000000000000:17: negotiation result
ike 0:dd4a4831edc1e725/0000000000000000:17: proposal id = 1:
ike 0:dd4a4831edc1e725/0000000000000000:17:   protocol id = ISAKMP:
ike 0:dd4a4831edc1e725/0000000000000000:17:      trans_id = KEY_IKE.
ike 0:dd4a4831edc1e725/0000000000000000:17:      encapsulation = IKE/none
ike 0:dd4a4831edc1e725/0000000000000000:17:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:dd4a4831edc1e725/0000000000000000:17:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:dd4a4831edc1e725/0000000000000000:17:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:dd4a4831edc1e725/0000000000000000:17:         type=OAKLEY_GROUP, val=MODP2048.
ike 0:dd4a4831edc1e725/0000000000000000:17: ISAKMP SA lifetime=86400
ike 0:dd4a4831edc1e725/0000000000000000:17: SA proposal chosen, matched gateway VPN-to-SH
ike 0:VPN-to-SH: created connection: 0x9b57be0 10 100.1.1.2->200.1.1.2:500.
ike 0:VPN-to-SH:17: DPD negotiated
ike 0:VPN-to-SH:17: peer is FortiGate/FortiOS (v0 b0)
ike 0:VPN-to-SH:17: selected NAT-T version: RFC 3947
ike 0:VPN-to-SH:17: cookie dd4a4831edc1e725/7d0c610fb77157ce
ike 0:VPN-to-SH:17: out DD4A4831EDC1E7257D0C610FB77157CE0110020000000000000000C00D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E008080030001800200048004000E0D0000144A131C81070358455C5728F20E95452F0D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:VPN-to-SH:17: sent IKE msg (ident_r1send): 100.1.1.2:500->200.1.1.2:500, len=192, vrf=0, id=dd4a4831edc1e725/7d0c610fb77157ce
ike 0: comes 200.1.1.2:500->100.1.1.2:500,ifindex=10,vrf=0....
ike 0: IKEv1 exchange=Identity Protection id=dd4a4831edc1e725/7d0c610fb77157ce len=380 vrf=0
ike 0: in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
ike 0:VPN-to-SH:17: responder:main mode get 2nd message...
ike 0:VPN-to-SH:17: received NAT-D payload type 20
ike 0:VPN-to-SH:17: received NAT-D payload type 20
ike 0:VPN-to-SH:17: NAT not detected 
ike 0:VPN-to-SH:17: generate DH public value request queued
ike 0:VPN-to-SH:17: compute DH shared secret request queued
ike 0:VPN-to-SH:17: out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
ike 0:VPN-to-SH:17: sent IKE msg (ident_r2send): 100.1.1.2:500->200.1.1.2:500, len=380, vrf=0, id=dd4a4831edc1e725/7d0c610fb77157ce
ike 0:VPN-to-SH:17: ISAKMP SA dd4a4831edc1e725/7d0c610fb77157ce key 16:308FD68288AC676140E7228F0D38783A
ike 0: comes 200.1.1.2:500->100.1.1.2:500,ifindex=10,vrf=0....
ike 0: IKEv1 exchange=Identity Protection id=dd4a4831edc1e725/7d0c610fb77157ce len=108 vrf=0
ike 0: in DD4A4831EDC1E7257D0C610FB77157CE05100201000000000000006C8FE002AE3B8049C7B1913FC10F2D97F44D646E05224E064DEC03481780B7A238205D754F3E9D56715677EE1755456CB2A7065507E04FDCFB454ED3A7C7AC0A77E146380BED18595E4EC503A89EDB11C2
ike 0:VPN-to-SH:17: responder: main mode get 3rd message...
ike 0:VPN-to-SH:17: dec DD4A4831EDC1E7257D0C610FB77157CE05100201000000000000006C553BDCD748E60ACBE00D989D77561C67934BDA836A49273085DDDE950D5F328C845CF726C579351BED1BC286ED98D115D683ED3B0FB5FF6A97809437417B29D0B722E56F95A3EA9268565E3303B3C75D
ike 0:VPN-to-SH:17: parse error
ike 0:VPN-to-SH:17: probable pre-shared secret mismatch

Peer ID mismatch

The debug shows ignoring IKE request, incorrect ID. FGT-BJ has a peer ID configured for the remote gateway, and the identity presented by the peer (here peer identifier IPV4_ADDR 200.1.1.2) does not match it, so the negotiation fails.

FGT-BJ# diagnose debug application ike -1
FGT-BJ# diagnose debug enable

ike 0: comes 200.1.1.2:500->100.1.1.2:500,ifindex=10,vrf=0....
ike 0: IKEv1 exchange=Aggressive id=e6280452ac6300c3/0000000000000000 len=720 vrf=0
ike 0: in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
ike 0:e6280452ac6300c3/0000000000000000:24: responder: aggressive mode get 1st message...
ike 0:e6280452ac6300c3/0000000000000000:24: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:e6280452ac6300c3/0000000000000000:24: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:e6280452ac6300c3/0000000000000000:24: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
ike 0:e6280452ac6300c3/0000000000000000:24: VID draft-ietf-ipsec-nat-t-ike-02 90CB80913EBB696E086381B5EC427B1F
ike 0:e6280452ac6300c3/0000000000000000:24: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
ike 0:e6280452ac6300c3/0000000000000000:24: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:e6280452ac6300c3/0000000000000000:24: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:e6280452ac6300c3/0000000000000000:24: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike 0:e6280452ac6300c3/0000000000000000:24: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:e6280452ac6300c3/0000000000000000:24: VID FORTIGATE 8299031757A36082C6A621DE00000000
ike 0::24: peer identifier IPV4_ADDR 200.1.1.2
ike 0: cache rebuild start
ike 0:VPN-to-SH: local:100.1.1.2, remote:200.1.1.2
ike 0:VPN-to-SH: cached as static-ddns.
ike 0: cache rebuild done
ike 0:VPN-to-SH: ignoring IKE request, incorrect ID.
ike 0:e6280452ac6300c3/0000000000000000:24: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:e6280452ac6300c3/0000000000000000:24: no SA proposal chosen

Phase 2 proposal (algorithm set) mismatch

The debug shows ike Negotiate IPsec SA Error: ike 0:VPN-to-SH:28:23: no SA proposal chosen. Comparing the incoming proposal with my proposal shows that phase 2 (ike Negotiate IPsec SA) has no matching algorithm set: FGT-BJ offers ESP AES-CBC-256 with SHA2_512 authentication, while the peer proposes AES-CBC-256 with SHA1 or SHA2_256 authentication, so no ESP transform is common to both sides.

FGT-BJ# diagnose debug application ike -1
FGT-BJ# diagnose debug enable

ike 0: comes 200.1.1.2:500->100.1.1.2:500,ifindex=10,vrf=0....
ike 0: IKEv1 exchange=Aggressive id=f7204652fa935744/0000000000000000 len=656 vrf=0
ike 0: in F7204652FA9357440000000000000000011004000000000000000290040000B40000000100000001000000A8010100040300002802010000800B0001000C00040001518080010007800E00808003000180020004800400050300002804010000800B0001000C00040001518080010007800E01008003000180020004800400050300002806010000800B0001000C00040001518080010007800E00808003000180020002800400050000002808010000800B0001000C00040001518080010007800E01008003000180020002800400050A0000C412447085117ADAC1FEBBD542C368680FEA237164357F20442AFC40C2A589DBA7F32F33ED514F890D0E4FF2F6C7BEE902AE01CBB5CD541119097BB21863BADF1518CB892AA4A7F18FA33895136C38CF1714E4CD91A84C885C3C4F5B623607469BFF4370460765FEF16583F0A53838A32668DD758252861C401EDAD583A882849DFAD20E37FC7446DF38A7EB5D2A643726C99BDD7008293879D3623F8317E15C2334995A051081FB9626802B5C179F22EAFF570FCA3C09E1BD616BCE8C8DF58719050000244E01F8ABA71441ECB0510C71D87D85DCEE37B3927DE27397AE61CA69B36E242D0D00000C01000000C80101020D0000144A131C81070358455C5728F20E95452F0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:f7204652fa935744/0000000000000000:28: responder: aggressive mode get 1st message...
ike 0:f7204652fa935744/0000000000000000:28: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:f7204652fa935744/0000000000000000:28: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:f7204652fa935744/0000000000000000:28: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
ike 0:f7204652fa935744/0000000000000000:28: VID draft-ietf-ipsec-nat-t-ike-02 90CB80913EBB696E086381B5EC427B1F
ike 0:f7204652fa935744/0000000000000000:28: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
ike 0:f7204652fa935744/0000000000000000:28: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:f7204652fa935744/0000000000000000:28: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:f7204652fa935744/0000000000000000:28: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike 0:f7204652fa935744/0000000000000000:28: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:f7204652fa935744/0000000000000000:28: VID FORTIGATE 8299031757A36082C6A621DE00000000
ike 0::28: peer identifier IPV4_ADDR 200.1.1.2
ike 0: cache rebuild start
ike 0:VPN-to-SH: local:100.1.1.2, remote:200.1.1.2
ike 0:VPN-to-SH: cached as static-ddns.
ike 0: cache rebuild done
ike 0:f7204652fa935744/0000000000000000:28: negotiation result
ike 0:f7204652fa935744/0000000000000000:28: proposal id = 1:
ike 0:f7204652fa935744/0000000000000000:28:   protocol id = ISAKMP:
ike 0:f7204652fa935744/0000000000000000:28:      trans_id = KEY_IKE.
ike 0:f7204652fa935744/0000000000000000:28:      encapsulation = IKE/none
ike 0:f7204652fa935744/0000000000000000:28:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:f7204652fa935744/0000000000000000:28:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:f7204652fa935744/0000000000000000:28:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:f7204652fa935744/0000000000000000:28:         type=OAKLEY_GROUP, val=MODP1536.
ike 0:f7204652fa935744/0000000000000000:28: ISAKMP SA lifetime=86400
ike 0:f7204652fa935744/0000000000000000:28: SA proposal chosen, matched gateway VPN-to-SH
ike 0:VPN-to-SH: created connection: 0x9b57be0 10 100.1.1.2->200.1.1.2:500.
ike 0:VPN-to-SH:28: DPD negotiated
ike 0:VPN-to-SH:28: peer is FortiGate/FortiOS (v0 b0)
ike 0:VPN-to-SH:28: selected NAT-T version: RFC 3947
ike 0:VPN-to-SH:28: generate DH public value request queued
ike 0:VPN-to-SH:28: compute DH shared secret request queued
ike 0:VPN-to-SH:28: cookie f7204652fa935744/5b61d63b74cbb9f6
ike 0:VPN-to-SH:28: ISAKMP SA f7204652fa935744/5b61d63b74cbb9f6 key 16:0F91D8F5D8A2C9FA3A9088B189E03E25
ike 0:VPN-to-SH:28: out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
ike 0:VPN-to-SH:28: sent IKE msg (agg_r1send): 100.1.1.2:500->200.1.1.2:500, len=529, vrf=0, id=f7204652fa935744/5b61d63b74cbb9f6
ike 0: comes 200.1.1.2:500->100.1.1.2:500,ifindex=10,vrf=0....
ike 0: IKEv1 exchange=Aggressive id=f7204652fa935744/5b61d63b74cbb9f6 len=172 vrf=0
ike 0: in F7204652FA9357445B61D63B74CBB9F60810040100000000000000AC4368B8C00750D9E5D4364D4C8C3E8741F5D66ADB8F2716593C3DB039D13088AB5A2E4D38FEA304CAB222731BC854E4506D50ABAFC2D456FDEB620E7927D161A6FA9709F473EA4EB963799383B67C3F1E82076A68ED37501BCC42E3BD01A211E2E5821A7785CE35C0527663C430D35266AF1BD1D8496ECFB32F5420C795F386B8C7F8D08611A2ECC3CF020C7D4D43D93E
ike 0:VPN-to-SH:28: responder: aggressive mode get 2nd response...
ike 0:VPN-to-SH:28: dec F7204652FA9357445B61D63B74CBB9F60810040100000000000000AC140000246A0154E97988DFCFFB1D314FF8E895AE5C9ED93CB3B6FE44833A8B423F639ED514000024ACC52C4EFEC900F50AD8EEB8FE3C08EA6E18437072859ECC217AD6E29C5964A00B0000249A6E313BA678326493465137F6BDA361E9B2381E17CE5CF19EE808B22346E67C0000001C0000000101106002F7204652FA9357445B61D63B74CBB9F639536A88D14FCC07
ike 0:VPN-to-SH:28: received NAT-D payload type 20
ike 0:VPN-to-SH:28: received NAT-D payload type 20
ike 0:VPN-to-SH:28: received p1 notify type INITIAL-CONTACT
ike 0:VPN-to-SH:28: PSK authentication succeeded
ike 0:VPN-to-SH:28: authentication OK
ike 0:VPN-to-SH:28: NAT not detected 
ike 0:VPN-to-SH:28: established IKE SA f7204652fa935744/5b61d63b74cbb9f6
ike 0:VPN-to-SH:28: check peer route: if_addr4_rcvd=0, if_addr6_rcvd=0, mode_cfg=0
ike 0:VPN-to-SH:28: processing INITIAL-CONTACT
ike 0:VPN-to-SH: flushing 
ike 0:VPN-to-SH: flushed 
ike 0:VPN-to-SH:28: processed INITIAL-CONTACT
ike 0:VPN-to-SH: set oper up
ike 0:VPN-to-SH:28: no pending Quick-Mode negotiations
ike 0: comes 200.1.1.2:500->100.1.1.2:500,ifindex=10,vrf=0....
ike 0: IKEv1 exchange=Quick id=f7204652fa935744/5b61d63b74cbb9f6:854d6010 len=476 vrf=0
ike 0: in F7204652FA9357445B61D63B74CBB9F608102001854D6010000001DCD35083E7B123E3B5C7C5ECCE5C291BF2AB24505BA8045D3712FD03B3C6921B8879E69C4F89C41ED3AA8F4D8C67F3CF1ED801F07862C20EE784387EF43372115C4C7ED2DE2269431C4D69AD61BE03C918555C69280EF4D9DE81C058FBAC440D4FAF0B507CDE4779CE282A0D12E7CA0AC0EF1C13D9F100C6C4DD849A1E12E11AEB8141356C9231AA43667F07C93232668531971F3BA330804BD63D963699AB7DB0B046B938470F1082B30E1E52D5C1B2F3E23ECC8C19F0B7281FF51E7A06F39C83D1897A91E3D2BABA0233D1154DAEAD2C5E15D7363063CB4BBB1125536368DD508F6CA3230FF80980D26A696B970B3CF5846974FC7F6AF48891A118EA8DAA9A5022FA69958095DDF55BAC8A30676A780B99B398E9DDCC84A2E8DC79E68240437D7C28D7D6B76A4155BE29F3018195D8CF8B7CA339308F09C1744459F751A837DB85A3BD7E332374577376EAA9662E5692439CFCB0AF2D06833CC88D9CC371854AE33272D9469971B48A4C62BD2413A6F814DAD70C4680B0942B67E5EF8CC1F9158573B40B4B6B9BC5E8D7EC7B32285EFFE51935D5F011493CA822378ED42D1F04FEF702FB8371DAF7902BE30CFA6C0185A42145D0DE9AA73C5ACB5C111CA8C9BB
ike 0:VPN-to-SH:28:23: responder received first quick-mode message
ike 0:VPN-to-SH:28: dec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
ike 0:VPN-to-SH:28:23: peer proposal is: peer:0:192.168.1.0-192.168.1.255:0, me:0:192.168.0.0-192.168.0.255:0
ike 0:VPN-to-SH:28:VPN-to-SH:23: trying
ike 0:VPN-to-SH:28:VPN-to-SH:23: matched phase2
ike 0:VPN-to-SH:28:VPN-to-SH:23: autokey
ike 0:VPN-to-SH:28:VPN-to-SH:23: my proposal:
ike 0:VPN-to-SH:28:VPN-to-SH:23: proposal id = 1:
ike 0:VPN-to-SH:28:VPN-to-SH:23:   protocol id = IPSEC_ESP:
ike 0:VPN-to-SH:28:VPN-to-SH:23:   PFS DH group = 14
ike 0:VPN-to-SH:28:VPN-to-SH:23:      trans_id = ESP_AES_CBC (key_len = 256)
ike 0:VPN-to-SH:28:VPN-to-SH:23:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:28:VPN-to-SH:23:         type = AUTH_ALG, val=SHA2_512
ike 0:VPN-to-SH:28:VPN-to-SH:23: proposal id = 2:
ike 0:VPN-to-SH:28:VPN-to-SH:23:   protocol id = IPSEC_ESP:
ike 0:VPN-to-SH:28:VPN-to-SH:23:   PFS DH group = 5
ike 0:VPN-to-SH:28:VPN-to-SH:23:      trans_id = ESP_AES_CBC (key_len = 256)
ike 0:VPN-to-SH:28:VPN-to-SH:23:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:28:VPN-to-SH:23:         type = AUTH_ALG, val=SHA2_512
ike 0:VPN-to-SH:28:VPN-to-SH:23: incoming proposal:
ike 0:VPN-to-SH:28:VPN-to-SH:23: proposal id = 1:
ike 0:VPN-to-SH:28:VPN-to-SH:23:   protocol id = IPSEC_ESP:
ike 0:VPN-to-SH:28:VPN-to-SH:23:   PFS DH group = 14
ike 0:VPN-to-SH:28:VPN-to-SH:23:      trans_id = ESP_AES_CBC (key_len = 256)
ike 0:VPN-to-SH:28:VPN-to-SH:23:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:28:VPN-to-SH:23:         type = AUTH_ALG, val=SHA1
ike 0:VPN-to-SH:28:VPN-to-SH:23:      trans_id = ESP_AES_CBC (key_len = 256)
ike 0:VPN-to-SH:28:VPN-to-SH:23:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-to-SH:28:VPN-to-SH:23:         type = AUTH_ALG, val=SHA2_256
ike 0:VPN-to-SH:28:VPN-to-SH:23: negotiation failure
ike Negotiate IPsec SA Error: ike 0:VPN-to-SH:28:23: no SA proposal chosen
ike 0:VPN-to-SH:23: info_send_n2, type 14, peer SPI 36826feb
ike 0:VPN-to-SH:28: enc F7204652FA9357445B61D63B74CBB9F608100501D001250C000000500B000024DA181A96FDB1E05A810C664047DA00EE6AC66F194C9549253F322B804C59869000000010000000010304000E36826FEB
ike 0:VPN-to-SH:28: out F7204652FA9357445B61D63B74CBB9F608100501D001250C0000005C3A5150D6C379B62DDE5EB654F552CE2C5FB1022E78DE45FD65FA1FDE284B57EA3AC4DD593068FECBE6A60DBADB418C54B61E2C9C2C415BB5323CB41283CFFA87
ike 0:VPN-to-SH:28: sent IKE msg (p2_notify_14): 100.1.1.2:500->200.1.1.2:500, len=92, vrf=0, id=f7204652fa935744/5b61d63b74cbb9f6:d001250c
ike 0:VPN-to-SH:28: error processing quick-mode message from 200.1.1.2 as responder
ike shrank heap by 159744 bytes

Interesting traffic (phase 2 selector) mismatch

The debug shows specified selectors mismatch. Comparing the interesting traffic of the two sides, peer: type=7/7, local=0:192.168.0.0-192.168.0.255:0, remote=0:192.168.1.0-192.168.1.255:0 against mine: type=7/7, local=0:192.168.0.0-192.168.0.255:0, remote=0:192.168.10.0-192.168.10.255:0, shows that the remote subnets differ (192.168.1.0/24 versus 192.168.10.0/24), so the negotiation fails.

ike 0: comes 200.1.1.2:500->100.1.1.2:500,ifindex=10,vrf=0....
ike 0: IKEv1 exchange=Aggressive id=9bbf928209f22769/0000000000000000 len=656 vrf=0
ike 0: in 9BBF928209F227690000000000000000011004000000000000000290040000B40000000100000001000000A8010100040300002801010000800B0001000C00040001518080010007800E00808003000180020004800400050300002802010000800B0001000C00040001518080010007800E01008003000180020004800400050300002803010000800B0001000C00040001518080010007800E00808003000180020002800400050000002804010000800B0001000C00040001518080010007800E01008003000180020002800400050A0000C499A094C58E0633FF797B3EF770CB35722E912E0533C5C6657BDC1883DB5EB8B8D704EE6D5405EAD5CAE35B54698AAB9E4B2B18D285BE7A0F3C4BF05DB4E86E8F080A723FE26C667B17D52F1C95F1E8960A94377D36CBDBADC70D355E7BB3557D2BAF27572B634183ACA7914686E2B09871469BAF9DA137915F60C17DC1FABCA750E380641AB53665BFA7D3CFB3037B8DD8600E92551B6733CE4A2DE9D528A39E495D23BEB48455FFD88570E68DA43E9318D348675FBB93AF3362B6DFBAC499C405000024EA3AFD1354F3F8794D04364A1DA75C09290F121FD2A23F751D01BE3635C3C1980D00000C01000000C80101020D0000144A131C81070358455C5728F20E95452F0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:9bbf928209f22769/0000000000000000:29: responder: aggressive mode get 1st message...
ike 0:9bbf928209f22769/0000000000000000:29: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:9bbf928209f22769/0000000000000000:29: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:9bbf928209f22769/0000000000000000:29: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
ike 0:9bbf928209f22769/0000000000000000:29: VID draft-ietf-ipsec-nat-t-ike-02 90CB80913EBB696E086381B5EC427B1F
ike 0:9bbf928209f22769/0000000000000000:29: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
ike 0:9bbf928209f22769/0000000000000000:29: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:9bbf928209f22769/0000000000000000:29: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:9bbf928209f22769/0000000000000000:29: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike 0:9bbf928209f22769/0000000000000000:29: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:9bbf928209f22769/0000000000000000:29: VID FORTIGATE 8299031757A36082C6A621DE00000000
ike 0::29: peer identifier IPV4_ADDR 200.1.1.2
ike 0: cache rebuild start
ike 0:VPN-to-SH: local:100.1.1.2, remote:200.1.1.2
ike 0:VPN-to-SH: cached as static-ddns.
ike 0: cache rebuild done
ike 0:9bbf928209f22769/0000000000000000:29: negotiation result
ike 0:9bbf928209f22769/0000000000000000:29: proposal id = 1:
ike 0:9bbf928209f22769/0000000000000000:29:   protocol id = ISAKMP:
ike 0:9bbf928209f22769/0000000000000000:29:      trans_id = KEY_IKE.
ike 0:9bbf928209f22769/0000000000000000:29:      encapsulation = IKE/none
ike 0:9bbf928209f22769/0000000000000000:29:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:9bbf928209f22769/0000000000000000:29:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:9bbf928209f22769/0000000000000000:29:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:9bbf928209f22769/0000000000000000:29:         type=OAKLEY_GROUP, val=MODP1536.
ike 0:9bbf928209f22769/0000000000000000:29: ISAKMP SA lifetime=86400
ike 0:9bbf928209f22769/0000000000000000:29: SA proposal chosen, matched gateway VPN-to-SH
ike 0:VPN-to-SH: created connection: 0x9b57be0 10 100.1.1.2->200.1.1.2:500.
ike 0:VPN-to-SH:29: DPD negotiated
ike 0:VPN-to-SH:29: peer is FortiGate/FortiOS (v0 b0)
ike 0:VPN-to-SH:29: selected NAT-T version: RFC 3947
ike 0:VPN-to-SH:29: generate DH public value request queued
ike 0:VPN-to-SH:29: compute DH shared secret request queued
ike 0:VPN-to-SH:29: cookie 9bbf928209f22769/1912fc364606cdf2
ike 0:VPN-to-SH:29: ISAKMP SA 9bbf928209f22769/1912fc364606cdf2 key 16:6F0A5C5D7ABE1862A0754D4F67F6C309
ike 0:VPN-to-SH:29: out 9BBF928209F227691912FC364606CDF20110040000000000000002110400003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020004800400050A0000C4789B20D8E6155283C87B6C929A2CE7FC886FDB69F26FE13BB5BCD92C73B0F2BDC7A495FB095CC5CED439F41DB332A22594A9128635D392BB8D511BA38FF3984BCD092FBC7AF4E22FC8CD25BF91FA6D0334B12D4ED2FAC4FD061A7C199BFC6C19613645D9729D57D80003CF347B5B51D545EE9B5560904DC8A071A9291F42F948A61CDDB99915C0757FE13411153AF6CB42FB8BE04873F606280B3AFDCB7B817A1D4106364F934F64936DBB595681EEF360CC887FCBD456657FA8497FCA18471A05000014FAFD06AA2EB8122B83A734FAF066A39F0800000D0200000074657374310D0000249471A719861E95E1CBF1723784350CC0876E57B07E6FA74D06A0B3F4F81AD3F2140000144A131C81070358455C5728F20E95452F1400002493E1BF9E618E0E5225FEE63AB09074A2ED8DADEDE66B1D79F009C96C006B13E60D000024CB2EC39A82D1FEE194284F072DA1FE064954BC8059215C114AE94739631B63C40D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:VPN-to-SH:29: sent IKE msg (agg_r1send): 100.1.1.2:500->200.1.1.2:500, len=529, vrf=0, id=9bbf928209f22769/1912fc364606cdf2
ike 0: comes 200.1.1.2:500->100.1.1.2:500,ifindex=10,vrf=0....
ike 0: IKEv1 exchange=Aggressive id=9bbf928209f22769/1912fc364606cdf2 len=172 vrf=0
ike 0: in 9BBF928209F227691912FC364606CDF20810040100000000000000ACF2D87D3D3C57A87AA9FBEEFD034859AFC9AF00BEBEB1BB1FA731127B48EAD6C7AA5B0FA8D84E6446D502E242937B83F222A23BD25C31095752FEFF3C97C3095B698EE63122D4E47925CD95D7F1FF2B793BA587D4EC882D3D10804C395C24CB12AEFC208B3C7DB4793889FB5CDAD64831290EAA5AE65FD7DE10AE60D80109162F1F9C769F1F57059FCED85A10BCA12E70
ike 0:VPN-to-SH:29: responder: aggressive mode get 2nd response...
ike 0:VPN-to-SH:29: dec 9BBF928209F227691912FC364606CDF20810040100000000000000AC14000024A31F2CDD20D257FD8CB06D9FEA96472FD20E34599130F73928E0E24B80D81FE914000024CB2EC39A82D1FEE194284F072DA1FE064954BC8059215C114AE94739631B63C40B00002493E1BF9E618E0E5225FEE63AB09074A2ED8DADEDE66B1D79F009C96C006B13E60000001C00000001011060029BBF928209F227691912FC364606CDF279B09DF11828DE07
ike 0:VPN-to-SH:29: received NAT-D payload type 20
ike 0:VPN-to-SH:29: received NAT-D payload type 20
ike 0:VPN-to-SH:29: received p1 notify type INITIAL-CONTACT
ike 0:VPN-to-SH:29: PSK authentication succeeded
ike 0:VPN-to-SH:29: authentication OK
ike 0:VPN-to-SH:29: NAT not detected 
ike 0:VPN-to-SH:29: established IKE SA 9bbf928209f22769/1912fc364606cdf2
ike 0:VPN-to-SH:29: check peer route: if_addr4_rcvd=0, if_addr6_rcvd=0, mode_cfg=0
ike 0:VPN-to-SH:29: processing INITIAL-CONTACT
ike 0:VPN-to-SH: flushing 
ike 0:VPN-to-SH: flushed 
ike 0:VPN-to-SH:29: processed INITIAL-CONTACT
ike 0:VPN-to-SH: set oper up
ike 0:VPN-to-SH:29: no pending Quick-Mode negotiations
ike 0: comes 200.1.1.2:500->100.1.1.2:500,ifindex=10,vrf=0....
ike 0: IKEv1 exchange=Quick id=9bbf928209f22769/1912fc364606cdf2:29a1bf3f len=412 vrf=0
ike 0: in ...
ike 0:VPN-to-SH:29:25: responder received first quick-mode message
ike 0:VPN-to-SH:29: dec ...
ike 0:VPN-to-SH:29:25: peer proposal is: peer:0:192.168.1.0-192.168.1.255:0, me:0:192.168.0.0-192.168.0.255:0
ike 0:VPN-to-SH:29:VPN-to-SH:25: trying
ike 0:VPN-to-SH:29:25: specified selectors mismatch
ike 0:VPN-to-SH:29:25: peer: type=7/7, local=0:192.168.0.0-192.168.0.255:0, remote=0:192.168.1.0-192.168.1.255:0
ike 0:VPN-to-SH:29:25: mine: type=7/7, local=0:192.168.0.0-192.168.0.255:0, remote=0:192.168.10.0-192.168.10.255:0
ike 0:VPN-to-SH:29:25: no matching phase2 found
ike 0:VPN-to-SH:29:25: failed to get responder proposal
ike 0:VPN-to-SH:29: error processing quick-mode message from 200.1.1.2 as responder
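
The debug output above ends in "specified selectors mismatch" because the peer's phase-2 proposal (remote 192.168.1.0/24) does not match the local phase-2 selector (remote 192.168.10.0/24). The following script is an added example, not FortiGate or Fortinet code: it parses lines captured from `diagnose debug application ike -1` and reports the ISAKMP proposal the responder accepted together with the exact selector that differs, so the mismatch can be read off without scanning the whole log by hand. The embedded log is a constructed subset of the FGT-BJ output shown on this page.

```python
"""Triage helper for `diagnose debug application ike -1` output.

Added example, not FortiGate or Fortinet code. It scans the debug lines
quoted above (a constructed subset is embedded below) and reports the
ISAKMP proposal the responder accepted and the phase-2 selector mismatch
that ends in "no matching phase2 found".
"""
import re
from typing import Dict, List

# Constructed sample: a subset of the FGT-BJ debug output shown on this page.
SAMPLE_LOG = """\
ike 0:9bbf928209f22769/0000000000000000:29: negotiation result
ike 0:9bbf928209f22769/0000000000000000:29: proposal id = 1:
ike 0:9bbf928209f22769/0000000000000000:29:   protocol id = ISAKMP:
ike 0:9bbf928209f22769/0000000000000000:29:      trans_id = KEY_IKE.
ike 0:9bbf928209f22769/0000000000000000:29:      encapsulation = IKE/none
ike 0:9bbf928209f22769/0000000000000000:29:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:9bbf928209f22769/0000000000000000:29:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:9bbf928209f22769/0000000000000000:29:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:9bbf928209f22769/0000000000000000:29:         type=OAKLEY_GROUP, val=MODP1536.
ike 0:9bbf928209f22769/0000000000000000:29: SA proposal chosen, matched gateway VPN-to-SH
ike 0:VPN-to-SH:29: PSK authentication succeeded
ike 0:VPN-to-SH:29: established IKE SA 9bbf928209f22769/1912fc364606cdf2
ike 0:VPN-to-SH:29:25: peer proposal is: peer:0:192.168.1.0-192.168.1.255:0, me:0:192.168.0.0-192.168.0.255:0
ike 0:VPN-to-SH:29:25: specified selectors mismatch
ike 0:VPN-to-SH:29:25: peer: type=7/7, local=0:192.168.0.0-192.168.0.255:0, remote=0:192.168.1.0-192.168.1.255:0
ike 0:VPN-to-SH:29:25: mine: type=7/7, local=0:192.168.0.0-192.168.0.255:0, remote=0:192.168.10.0-192.168.10.255:0
ike 0:VPN-to-SH:29:25: no matching phase2 found
ike 0:VPN-to-SH:29: error processing quick-mode message from 200.1.1.2 as responder
"""

# Matches "type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128" and "type=OAKLEY_HASH_ALG, val=SHA2_256."
ATTR_RE = re.compile(r"type=(\w+), val=(\w+)(?:, key-len=(\d+))?")
# Matches "peer: type=7/7, local=0:192.168.0.0-192.168.0.255:0, remote=0:192.168.1.0-192.168.1.255:0"
SELECTOR_RE = re.compile(r": (peer|mine): type=\S+, local=(\S+), remote=(\S+)\s*$")


def parse_phase1_proposal(lines: List[str]) -> Dict[str, str]:
    """Collect the attributes listed under 'negotiation result' up to the chosen/rejected verdict."""
    attrs: Dict[str, str] = {}
    in_result = False
    for line in lines:
        if "negotiation result" in line:
            in_result = True
            continue
        if not in_result:
            continue
        m = ATTR_RE.search(line)
        if m:
            attrs[m.group(1)] = m.group(2)
            if m.group(3):
                attrs["KEY_LEN"] = m.group(3)
        if "proposal chosen" in line:  # "SA proposal chosen" or "no SA proposal chosen"
            break
    return attrs


def parse_selectors(lines: List[str]) -> Dict[str, Dict[str, str]]:
    """Return {'peer': {...}, 'mine': {...}} from the selector lines printed on a mismatch."""
    sel: Dict[str, Dict[str, str]] = {}
    for line in lines:
        m = SELECTOR_RE.search(line)
        if m:
            sel[m.group(1)] = {"local": m.group(2), "remote": m.group(3)}
    return sel


def diagnose(log: str) -> List[str]:
    """Summarise the phase-1 and phase-2 outcome as a list of findings."""
    lines = log.splitlines()
    findings: List[str] = []
    if any("no SA proposal chosen" in ln for ln in lines):
        findings.append("phase1: no SA proposal chosen; compare the IKE proposals on both ends")
    if any("established IKE SA" in ln for ln in lines):
        findings.append("phase1: IKE SA established")
    sel = parse_selectors(lines)
    if any("specified selectors mismatch" in ln for ln in lines) and "peer" in sel and "mine" in sel:
        # Only the side that actually differs is reported; here it is the remote selector.
        for side in ("local", "remote"):
            if sel["peer"][side] != sel["mine"][side]:
                findings.append(f"phase2: {side} selector mismatch: peer proposes "
                                f"{sel['peer'][side]}, local config has {sel['mine'][side]}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

To run it against a live capture, enable the debug with `diagnose debug application ike -1` and `diagnose debug enable` (both shown earlier on this page), save the console output to a file and pass its contents to `diagnose()`. The "mine" line is the responder's own phase-2 selector, so a remote-selector mismatch means the two ends' src-subnet/dst-subnet pairs are not mirror images of each other.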

IKEv2 rekey failure

  1. When using IKEv2 with interesting traffic that consists of only one pair of protected subnets, make sure the phase-2 PFS configuration is identical on both ends. If it is not, the first IPsec negotiation may succeed while subsequent rekeys fail.

  2. The reason is that in the initial IKEv2 negotiation the phase-2 SA is carried inside the IKE_AUTH exchange, and an SA carried in IKE_AUTH cannot use PFS. So even if the PFS settings differ (for example, one end has PFS enabled and the other disabled, or the configured PFS DH groups differ), the first negotiation still brings the tunnel up normally.

  3. During rekey, however, the SA information is carried in Create_Child_SA messages, and Create_Child_SA includes PFS parameters according to the configuration. If the PFS settings on the two ends differ at that point, the IKEv2 rekey negotiation fails.

  4. The following command (childless-ike) forces the FortiGate to negotiate the phase-2 SA through a Child SA exchange (IKE_AUTH carries no phase-2 SA; every phase-2 SA must be negotiated via Create_Child_SA). Note that the peer device must also support and enable this feature.

    config vpn ipsec phase1-interface 
        edit xxxx
            set ike-version 2
            set childless-ike enable
        next
    end
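
The check that steps 1 to 4 above call for, as an added example that is not FortiGate or Fortinet code: it parses the relevant `config vpn ipsec phase1-interface` and `phase2-interface` blocks from both peers' CLI configuration and flags the combinations that let the first IKEv2 negotiation succeed but make the Create_Child_SA rekey fail. The two configs are constructed samples modelled on the VPN-to-SH tunnel on this page; the `pfs` and `dhgrp` phase-2 keywords and the defaults applied when a keyword is absent (pfs enable, dhgrp "14 5", ike-version 1, childless-ike disable) are assumptions to verify against `show full-configuration` on your own firmware.

```python
"""Consistency check for phase-2 PFS settings on two FortiGate peers.

Added example, not FortiGate or Fortinet code. It parses constructed FortiOS
CLI samples (modelled on the VPN-to-SH tunnel on this page) and flags the
mismatches that let the first IKEv2 negotiation succeed but make the later
Create_Child_SA rekey fail. Keyword names and defaults are assumptions.
"""
from typing import Dict, List

# Constructed samples: FGT-BJ has PFS enabled with group 14, FGT-SH has PFS disabled.
CFG_BJ = """\
config vpn ipsec phase1-interface
    edit "VPN-to-SH"
        set ike-version 2
        set remote-gw 200.1.1.2
    next
end
config vpn ipsec phase2-interface
    edit "VPN-to-SH-p2"
        set phase1name "VPN-to-SH"
        set pfs enable
        set dhgrp 14
    next
end
"""

CFG_SH = """\
config vpn ipsec phase1-interface
    edit "VPN-to-BJ"
        set ike-version 2
        set remote-gw 100.1.1.2
    next
end
config vpn ipsec phase2-interface
    edit "VPN-to-BJ-p2"
        set phase1name "VPN-to-BJ"
        set pfs disable
    next
end
"""

# Corrected FGT-SH side: PFS enabled with a DH group the peer also offers.
CFG_SH_FIXED = CFG_SH.replace("set pfs disable", "set pfs enable\n        set dhgrp 14")

# Assumed FortiOS defaults for keywords that do not appear in the config; verify on your firmware.
DEFAULTS = {"pfs": "enable", "dhgrp": "14 5", "ike-version": "1", "childless-ike": "disable"}


def parse_fortios(text: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Minimal parser for config/edit/set/next/end blocks -> {section: {entry: {key: value}}}."""
    tree: Dict[str, Dict[str, Dict[str, str]]] = {}
    section = entry = None
    for raw in text.splitlines():
        parts = raw.strip().replace('"', "").split()
        if not parts:
            continue
        if parts[0] == "config":
            section = " ".join(parts[1:])
            tree.setdefault(section, {})
        elif parts[0] == "edit" and section:
            entry = parts[1]
            tree[section][entry] = {}
        elif parts[0] == "set" and section and entry:
            tree[section][entry][parts[1]] = " ".join(parts[2:])
        elif parts[0] == "next":
            entry = None
        elif parts[0] == "end":
            section = None
    return tree


def tunnel_settings(cfg: Dict, p2_name: str) -> Dict[str, str]:
    """Merge one phase-2 entry with its phase-1 parent, filling gaps with the assumed defaults."""
    p2 = cfg["vpn ipsec phase2-interface"][p2_name]
    p1 = cfg["vpn ipsec phase1-interface"][p2["phase1name"]]
    merged = dict(DEFAULTS)
    merged.update({k: p1[k] for k in ("ike-version", "childless-ike") if k in p1})
    merged.update({k: p2[k] for k in ("pfs", "dhgrp") if k in p2})
    return merged


def check_rekey_consistency(cfg_a: Dict, p2_a: str, cfg_b: Dict, p2_b: str) -> List[str]:
    """Return findings for one tunnel seen from both ends; an empty list means rekey should succeed."""
    a, b = tunnel_settings(cfg_a, p2_a), tunnel_settings(cfg_b, p2_b)
    findings: List[str] = []
    if a["ike-version"] != b["ike-version"]:
        return [f"ike-version mismatch: {a['ike-version']} vs {b['ike-version']}"]
    if a["childless-ike"] != b["childless-ike"]:
        findings.append("childless-ike must be enabled on both peers or on neither")
    if a["pfs"] != b["pfs"]:
        findings.append(f"PFS mismatch ({a['pfs']} vs {b['pfs']}): with IKEv2 the IKE_AUTH child SA "
                        "ignores PFS, so the tunnel comes up once and fails at Create_Child_SA rekey")
    # Peers only need one DH group in common: the initiator retries with another offered group.
    elif a["pfs"] == "enable" and not set(a["dhgrp"].split()) & set(b["dhgrp"].split()):
        findings.append(f"no common PFS DH group: {a['dhgrp']} vs {b['dhgrp']}")
    return findings


if __name__ == "__main__":
    bj, sh = parse_fortios(CFG_BJ), parse_fortios(CFG_SH)
    for finding in check_rekey_consistency(bj, "VPN-to-SH-p2", sh, "VPN-to-BJ-p2"):
        print("FINDING:", finding)
    print("after fix:", check_rekey_consistency(bj, "VPN-to-SH-p2", parse_fortios(CFG_SH_FIXED), "VPN-to-BJ-p2") or "none")
```

Running the mismatched pair produces one PFS finding; after enabling PFS with group 14 on the FGT-SH side the check returns nothing. Because the first negotiation succeeds either way, a check like this on the configurations is the only way to catch the problem before the rekey timer expires; with `childless-ike` enabled on both ends the same mismatch shows up on the very first negotiation instead.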
    

Copyright © 2024 Fortinet Inc. All rights reserved. Powered by Fortinet TAC Team.
This page was revised on: 2024-01-15 09:50:00
