Monday, December 9, 2019

IKEv2 - Fortigate 60E to Sophos XG, AUTHENTICATION FAILED?

Hello,

This one has me banging my head against the wall. I have a Fortigate 60E with a 4G USB modem using NAT (the Fortigate gets an internal IP of 192.168.8.100).

Trying to establish an IPSEC tunnel using IKEv2 to a Sophos XG device.

I have checked over the Phase1 + Phase2 details several times, triple checked the pre-shared key, everything looks correct, but I keep getting the following in the debug output of the Fortigate:

ike 0:Cloud - 4G:6: sent IKE msg (SA_INIT): 192.168.8.100:500->SOPHOS-PUBLIC-IP:500, len=440, id=6e5994e70f76b7e8/0000000000000000
ike 0: comes SOPHOS-PUBLIC-IP:500->192.168.8.100:500,ifindex=27....
ike 0: IKEv2 exchange=SA_INIT_RESPONSE id=6e5994e70f76b7e8/28193c1977894caf len=448
ike 0: in [hex dump not preserved]
ike 0:Cloud - 4G:6: initiator received SA_INIT response
ike 0:Cloud - 4G:6: processing notify type NAT_DETECTION_SOURCE_IP
ike 0:Cloud - 4G:6: processing NAT-D payload
ike 0:Cloud - 4G:6: NAT not detected
ike 0:Cloud - 4G:6: process NAT-D
ike 0:Cloud - 4G:6: processing notify type NAT_DETECTION_DESTINATION_IP
ike 0:Cloud - 4G:6: processing NAT-D payload
ike 0:Cloud - 4G:6: NAT detected: ME
ike 0:Cloud - 4G:6: process NAT-D
ike 0:Cloud - 4G:6: processing notify type FRAGMENTATION_SUPPORTED
ike 0:Cloud - 4G:6: processing notify type 16404
ike 0:Cloud - 4G:6: incoming proposal:
ike 0:Cloud - 4G:6: proposal id = 1:
ike 0:Cloud - 4G:6: protocol = IKEv2:
ike 0:Cloud - 4G:6: encapsulation = IKEv2/none
ike 0:Cloud - 4G:6: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:Cloud - 4G:6: type=INTEGR, val=AUTH_HMAC_SHA2_512_256
ike 0:Cloud - 4G:6: type=PRF, val=PRF_HMAC_SHA2_512
ike 0:Cloud - 4G:6: type=DH_GROUP, val=MODP2048.
ike 0:Cloud - 4G:6: matched proposal id 1
ike 0:Cloud - 4G:6: proposal id = 1:
ike 0:Cloud - 4G:6: protocol = IKEv2:
ike 0:Cloud - 4G:6: encapsulation = IKEv2/none
ike 0:Cloud - 4G:6: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:Cloud - 4G:6: type=INTEGR, val=AUTH_HMAC_SHA2_512_256
ike 0:Cloud - 4G:6: type=PRF, val=PRF_HMAC_SHA2_512
ike 0:Cloud - 4G:6: type=DH_GROUP, val=MODP2048.
ike 0:Cloud - 4G:6: lifetime=86400
ike 0:Cloud - 4G:6: IKE SA 6e5994e70f76b7e8/28193c1977894caf SK_ei 32:81AB95DD798FD080153402F78337C5183343011C465B0A3AEBEA3722C79E0EFD
ike 0:Cloud - 4G:6: IKE SA 6e5994e70f76b7e8/28193c1977894caf SK_er 32:0F9489F3B16EC5F117C6B6C65D091194CCA1D068DF2284292B65F030C6C49FE8
ike 0:Cloud - 4G:6: IKE SA 6e5994e70f76b7e8/28193c1977894caf SK_ai 64:92FAD96313278A498883B0BD5C76C3F963927273E7871B3BD60873DB56AA9F655DC96935349EF26B8F16AEC33D54C38290451944896CC136674EEF697CBC18A8
ike 0:Cloud - 4G:6: IKE SA 6e5994e70f76b7e8/28193c1977894caf SK_ar 64:00108652A91924C81E956757B6808C2FD7261BCC99C0FBB7E4D34B352F6E7062E1EDB60B1201654C0D8D9F8EFE5DD2A452D710973DAD805FF30A0E9E7056424C
ike 0:Cloud - 4G:6: initiator preparing AUTH msg
ike 0:Cloud - 4G:6: sending INITIAL-CONTACT
ike 0:Cloud - 4G:6: enc 29000015020000003139322E3136382E382E313030270000080000400029000048020000002E93B171D5344B14EE4103DEAECFCD21F0503D9288B137DB0C65F1367A90A8F0398F8E5679B6C5F0A80FBB6FFDE83C6D07D8BA6E602976EC478D506F5F3EF39721000008000040242C00002C0000002801030403BB6624F00300000C0100000C800E0100030000080300000E00000008050000002D00001801000000070000100000FFFFC0A80100C0A801FF0000001801000000070000100000FFFFC0A88500C0A885FF06050403020106
ike 0:Cloud - 4G:6: detected NAT
ike 0:Cloud - 4G:6: NAT-T float port 4500
ike 0:Cloud - 4G:6: out [hex dump not preserved]
ike 0:Cloud - 4G:6: sent IKE msg (AUTH): 192.168.8.100:4500->SOPHOS-PUBLIC-IP:4500, len=288, id=6e5994e70f76b7e8/28193c1977894caf:00000001
ike 0: comes SOPHOS-PUBLIC-IP:4500->192.168.8.100:4500,ifindex=27....
ike 0: IKEv2 exchange=AUTH_RESPONSE id=6e5994e70f76b7e8/28193c1977894caf:00000001 len=96
ike 0: in 6E5994E70F76B7E828193C1977894CAF2E202320000000010000006029000044679D16E3A34E813C9FFDA0762B42C427565D084536806509082952DC3C08DBFCE509DFED9F6D0315AF10F14BA4858237543CA1756C76A8D447C5A10E63DD0369
ike 0:Cloud - 4G:6: dec 6E5994E70F76B7E828193C1977894CAF2E2023200000000100000028290000040000000800000018
ike 0:Cloud - 4G:6: initiator received AUTH msg
ike 0:Cloud - 4G:6: received notify type AUTHENTICATION_FAILED
ike 0:Cloud - 4G:6: schedule delete of IKE SA 6e5994e70f76b7e8/28193c1977894caf
ike 0:Cloud - 4G:6: scheduled delete of IKE SA 6e5994e70f76b7e8/28193c1977894caf
ike 0:Cloud - 4G: connection expiring due to phase1 down
ike 0:Cloud - 4G: deleting
ike 0:Cloud - 4G: deleted

Wondering if anyone has any ideas?

I did get the tunnel to establish over IKEv1 briefly in earlier testing.

Thanks
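To see what the Fortigate actually put in its IKE_AUTH request, here is an added decoder (not from the post, FortiOS or Sophos) for the plaintext hex the Fortigate prints on its `enc` line: it walks the IKEv2 payload chain and decodes the identity, notify and traffic-selector payloads, which are the fields a responder checks before it answers AUTHENTICATION_FAILED. Payload, ID and notify numbers are from RFC 7296 and IANA; it is assumed that the first payload after the SK header is IDi, and anything not in the small lookup tables is reported as its raw number rather than guessed.

```python
import ipaddress
import struct

# IKEv2 payload, ID and notify numbers (RFC 7296 / IANA) that the decoder names; others stay numeric
PAYLOAD = {33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 39: "AUTH", 41: "N", 44: "TSi", 45: "TSr"}
ID_TYPE = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_RFC822_ADDR", 5: "ID_IPV6_ADDR", 11: "ID_KEY_ID"}
NOTIFY = {24: "AUTHENTICATION_FAILED", 16384: "INITIAL_CONTACT", 16388: "NAT_DETECTION_SOURCE_IP",
          16389: "NAT_DETECTION_DESTINATION_IP", 16404: "MULTIPLE_AUTH_SUPPORTED"}

# Plaintext of the IKE_AUTH request, copied from the "enc" line of the Fortigate debug above
FORTIGATE_ENC = (
    "29000015020000003139322E3136382E382E3130302700000800004000"
    "29000048020000002E93B171D5344B14EE4103DEAECFCD21F0503D9288B137DB0C65F1367A90A8F0"
    "398F8E5679B6C5F0A80FBB6FFDE83C6D07D8BA6E602976EC478D506F5F3EF3972100000800004024"
    "2C00002C0000002801030403BB6624F00300000C0100000C800E0100030000080300000E0000000805000000"
    "2D00001801000000070000100000FFFFC0A80100C0A801FF0000001801000000070000100000FFFFC0A88500C0A885FF"
    "06050403020106")  # trailing bytes are the SK padding and pad-length byte, not a payload

def _detail(ptype, body):
    """Decode the fields relevant to an auth failure; other payload bodies stay opaque."""
    if ptype in (35, 36):                       # IDi/IDr: id type, 3 reserved bytes, identity data
        idt, data = body[0], body[4:]
        ident = str(ipaddress.ip_address(data)) if idt in (1, 5) else data.decode("ascii", "replace")
        return {"id_type": ID_TYPE.get(idt, idt), "id": ident}
    if ptype == 41:                             # Notify: protocol, SPI size, notify type, SPI, data
        ntype = struct.unpack("!H", body[2:4])[0]
        return {"notify": NOTIFY.get(ntype, ntype), "data_len": len(body) - 4 - body[1]}
    if ptype in (44, 45):                       # TSi/TSr: selector count, 3 reserved, selectors
        sels, off = [], 4
        for _ in range(body[0]):
            _ts_type, proto, length, sp, ep = struct.unpack("!BBHHH", body[off:off + 8])
            half = (length - 8) // 2            # start and end address have the same width
            lo, hi = body[off + 8:off + 8 + half], body[off + 8 + half:off + length]
            sels.append(f"{ipaddress.ip_address(lo)}-{ipaddress.ip_address(hi)} proto={proto} ports={sp}-{ep}")
            off += length
        return {"selectors": sels}
    return {}

def decode_payloads(hex_dump, first_type):
    """Walk the generic payload headers (next type, flags, length) until next == 0."""
    data, out, off, ptype = bytes.fromhex(hex_dump), [], 0, first_type
    while ptype != 0 and off + 4 <= len(data):
        nxt, _flags, length = struct.unpack("!BBH", data[off:off + 4])
        out.append({"type": PAYLOAD.get(ptype, ptype), **_detail(ptype, data[off + 4:off + length])})
        off, ptype = off + length, nxt
    return out

if __name__ == "__main__":
    for payload in decode_payloads(FORTIGATE_ENC, 35):   # 35 = IDi, the first payload after SK
        print(payload)
```

Run against the post's bytes it shows the identity sent as ID_FQDN "192.168.8.100" (the private address behind the 4G NAT) and the selectors 192.168.1.0-192.168.1.255 and 192.168.133.0-192.168.133.255; the last 8 bytes of the reply's `dec` line, passed in as a Notify (type 41), decode to AUTHENTICATION_FAILED.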


