Error establishing VPN


#1

Hi all,

I have configured a VPN against a FortiGate device. The configuration is the same on both sides, but I’m getting this error on the Sierra device (I copied the whole log because I don’t know how many lines are necessary).

8 Hash
Decoding t 1 SA
Attr 1 - Encyption 1
Attr 2 - Hash len 4
Attr 4 - Grp Desc 61443
Attr 6 - Grp Prime 256
Attr 5 - Grp Type 2
Attr 3 - Auth 2
Decoding t 10 Nonce
Decoding t 4 Key Exchange
Decoding t 5 ID

  • type 4 addr 10.0.0.0, mask 255.0.0.0
    Decoding t 5 ID
  • type 4 addr XX.XX.XX.XX, mask 255.255.255.248
    IP_B_ID select src ip 10.0.0.0, dest ip XX.XX.XX.XX
    Get IPsec Policy for Src 10.0.0.0 Dest XX.XX.XX.XX 1 2 -found
    Add_SA2
    <-- Sending phase 2 IKE message
    Encoding t 8 Hash
    Encoding t 1 SA
    Attr 1 - Encyption 1
    Attr 2 - Hash len 4
    Attr 4 - Grp Desc 61443
    Attr 6 - Grp Prime 256
    Attr 5 - Grp Type 2
    Attr 3 - Auth 2
    Encoding t 10 Nonce
    Encoding t 4 Key Exchange
    Encoding t 5 Identification
  • type 4 addr 10.0.0.0, Mask 255.0.0.0
    Encoding t 5 Identification
  • type 4 addr XX.XX.XX.XX, Mask 255.255.255.248
    Received from IPSec Gateway XX.XX.XX.XX
    Received from IPSec Gateway XX.XX.XX.XX
    --> Received NATT message
    Get IKE Policy for Type 1, IP XX.XX.XX.XX xx 1 -found - policy found
    Dispatching Phase 2 message
    Exchange type 32 -quick
    Quick mode
    *** mode handlers
    Quick Mode State 3
    Decoding t 8 Hash
    Decoding t 1 SA
    Attr 6 - Grp Prime 256
    Attr 4 - Grp Desc 61443
    Attr 3 - Auth 2
    Attr 5 - Grp Type 2
    Attr 1 - Encyption 1
    Attr 2 - Hash len 4
    Decoding t 10 Nonce
    Decoding t 4 Key Exchange
    Decoding t 5 ID
  • type 4 addr XX.XX.XX.XX, mask 255.255.255.248
    Decoding t 5 ID
  • type 4 addr 10.0.0.0, mask 255.0.0.0
    IKE_IPS: type 17 17 src . XX.XX.XX.XX, dst . 10.0.0.0
    IPSEC Add SA Pair
    IPSEC Add Out SA
    IPSEC Add Inbound SA
    Showing out SA’s
    SPI src dst – Tunnel src dst
    d0d2cf1a XX.XX.XX.XX 10.0.0.0- XX.XX.XX.XX XX.XX.XX.XX
    In Bound
    b45ed914 XX.XX.XX.XX XX.XX.XX.XX
    <-- Sending phase 2 IKE message
    Encoding t 8 Hash
    Quick mode exchange completed
    **** Finalizing Phase 2 Handle - Tunnel established *********
    --> Received NATT message
    Get IKE Policy for Type 1, IP XX.XX.XX.XX xx 1 -found - policy found
    Dispatching Phase 2 message
    Exchange type 32 -quick
    Quick mode
    Received from IPSec Gateway XX.XX.XX.XX
    Received from IPSec Gateway XX.XX.XX.XX
    --> Received NATT message
    Get IKE Policy for Type 1, IP XX.XX.XX.XX xx 1 -found - policy found
    Dispatching Phase 2 message
    Exchange type 32 -quick
    Quick mode
    *** mode handlers
    Quick Mode State 4
    Decoding t 8 Hash
    IKE_IPS: type 17 17 src . XX.XX.XX.XX, dst . 10.0.0.0
    IPSEC Add SA Pair
    IPSEC Add Out SA
    IPSEC Add Inbound SA
    Showing out SA’s
    SPI src dst – Tunnel src dst
    d0d2cf19 XX.XX.XX.XX 10.0.0.0- XX.XX.XX.XX XX.XX.XX.XX
    d0d2cf1a XX.XX.XX.XX 10.0.0.0- XX.XX.XX.XX XX.XX.XX.XX
    In Bound
    b45ed914 XX.XX.XX.XX XX.XX.XX.XX
    b45ed915 XX.XX.XX.XX XX.XX.XX.XX
    Quick mode exchange completed
    **** Finalizing Phase 2 Handle - Tunnel established *********
    --> Received NATT message
    Get IKE Policy for Type 1, IP XX.XX.XX.XX xx 1 -found - policy found
    Dispatching Phase 2 message
    Exchange type 32 -quick
    Quick mode
    *** mode handlers
    Quick Mode State 2
    Decoding t 8 Hash
    Quick Mode failed - aborting status -4908
    <-- Sending phase 2 IKE message
    Encoding t 8 Hash
    Encoding t 11 Notify
    Error notification sent
    Received from IPSec Gateway XX.XX.XX.XX
    Received from IPSec Gateway XX.XX.XX.XX
    --> Received IKE message
    Get IKE Policy for Type 1, IP XX.XX.XX.XX xx 1 -found - policy found
    IKE message contains invalid payload
    Error in incoming message - message ignored

This way, the VPN never comes up. What is happening?

Thanks.
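
An added example, not part of the original thread: a small Python triage script for a debug log in the format posted above. It groups lines into Phase 2 (Quick Mode) exchanges and reports which ones reached "Tunnel established" and which were aborted. The function name and the "incomplete" label are assumptions of this example, and it does not interpret status codes such as -4908.

```python
import re

# Sample input: lines condensed from the log posted above (not a new capture).
SAMPLE_LOG = """\
Quick Mode State 3
IPSEC Add SA Pair
**** Finalizing Phase 2 Handle - Tunnel established *********
--> Received NATT message
Dispatching Phase 2 message
Quick mode
--> Received NATT message
Dispatching Phase 2 message
Quick Mode State 4
**** Finalizing Phase 2 Handle - Tunnel established *********
Dispatching Phase 2 message
Quick Mode State 2
Quick Mode failed - aborting status -4908
Error notification sent
--> Received IKE message
IKE message contains invalid payload
"""

STATE_RE = re.compile(r"Quick Mode State (\d+)")
FAIL_RE = re.compile(r"Quick Mode failed - aborting status (-?\d+)")

def summarize_phase2(log_text):
    """Group log lines into Phase 2 exchanges and record how each one ended."""
    exchanges, invalid_payloads, current = [], 0, None
    for raw in log_text.splitlines():
        line = raw.strip().lstrip("•").strip()  # tolerate the bullet/indent residue
        if not line:
            continue
        # A dispatch line opens a new exchange; a log that starts mid-exchange gets an implicit one.
        if current is None or "Dispatching Phase 2 message" in line:
            current = {"state": None, "outcome": "incomplete", "status": None}
            exchanges.append(current)
        if m := STATE_RE.search(line):
            current["state"] = int(m.group(1))
        elif m := FAIL_RE.search(line):
            current["outcome"], current["status"] = "failed", int(m.group(1))
        elif "Tunnel established" in line:
            current["outcome"] = "established"
        elif "IKE message contains invalid payload" in line:
            invalid_payloads += 1
    outcomes = [e["outcome"] for e in exchanges]
    first_fail = outcomes.index("failed") if "failed" in outcomes else len(outcomes)
    return {"exchanges": exchanges, "invalid_payloads": invalid_payloads,
            # True when a tunnel came up and a later Quick Mode exchange was aborted.
            "failed_after_established": "established" in outcomes[:first_fail] and "failed" in outcomes}
```

Calling `summarize_phase2()` on the full debug output gives one record per dispatched Phase 2 message, which makes a repeated "established, then aborted" pattern easy to see before comparing settings with the peer.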


#2

Hi again,

After too many tries I found the problem. It was that the VPN can’t be established using a PSK of 20 chars. It is weird, but if I use a PSK of up to 15 chars, the VPN is correctly established. Does someone know why this happens? Is this a limitation of Sierra?

Regards.


#3

Sometimes it depends on the VPN. Which VPN are you using? I’m using StrongVPN and it’s working well; I’ve never had any issue using it. If you want to know about StrongVPN, check the details in the StrongVPN review.