
0 votes
544 views 7 comments
by
I have a Teltonika RUT955 router, v 00.06.07.5.

I am trying to create a dial-up IPsec VPN with a FortiGate.

The VPN goes UP, but when I insert the "my identifier" and the "peer id" on the FortiGate, the VPN goes down.

Do you know what this could depend on?

1 Answer

0 votes
by
Hi,

It could be that the identifier must also be defined on the other side; if it's not, the connection is interrupted by the mismatch.

Read more about IPSec configuration here: https://wiki.teltonika-networks.com/view/IPsec_configuration_examples

EB.
by
The peer ID is configured correctly on both devices, but the VPN remains down.

Is it possible to paste here a piece of the configuration from the Teltonika router side?

ADM
by

You can paste the screenshot in this forum, yes. Use the "Image" icon on your comment window and you will be able to upload a screenshot here.

Also, have you noticed any messages or logs that would indicate why it is not connecting?

You can look for them in the CLI with the command logread.

EB.

by

On the FortiGate side the configuration is the same.

Of course, the local and remote networks are reversed and the peer ID is set to "movi3".

Debugging from the firewall tells me that there is a mismatch on the key, but it is the same; I have checked several times.

ADM

by

I ran the suggested command; below is the output:

Fri Mar  5 15:39:18 2021 authpriv.info syslog: 07[IKE] initiating Aggressive Mode IKE_SA Movico3[6] to 193.206.192.7

Fri Mar  5 15:39:18 2021 daemon.info syslog: 07[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]

Fri Mar  5 15:39:18 2021 daemon.info syslog: 07[NET] sending packet: from 10.2.135.166[500] to 193.206.192.7[500] (469 bytes)

Fri Mar  5 15:39:18 2021 daemon.info syslog: 08[NET] received packet: from 193.206.192.7[500] to 10.2.135.166[500] (492 bytes)

Fri Mar  5 15:39:18 2021 daemon.info syslog: 08[ENC] parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V ]

Fri Mar  5 15:39:18 2021 daemon.info syslog: 08[IKE] received NAT-T (RFC 3947) vendor ID

Fri Mar  5 15:39:18 2021 daemon.info syslog: 08[IKE] received DPD vendor ID

Fri Mar  5 15:39:18 2021 daemon.info syslog: 08[ENC] received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00

Fri Mar  5 15:39:18 2021 daemon.info syslog: 08[IKE] received FRAGMENTATION vendor ID

Fri Mar  5 15:39:18 2021 daemon.info syslog: 08[IKE] received FRAGMENTATION vendor ID

Fri Mar  5 15:39:19 2021 daemon.info syslog: 08[IKE] calculated HASH does not match HASH payload

Fri Mar  5 15:39:19 2021 daemon.info syslog: 08[ENC] generating INFORMATIONAL_V1 request 1456629698 [ HASH N(AUTH_FAILED) ]

Fri Mar  5 15:39:19 2021 daemon.info syslog: 08[NET] sending packet: from 10.2.135.166[500] to 193.206.192.7[500] (92 bytes)

Fri Mar  5 15:39:48 2021 daemon.info syslog: 06[CFG] received stroke: initiate 'Movico3'

Fri Mar  5 15:39:48 2021 daemon.info syslog: 06[IKE] initiating Aggressive Mode IKE_SA Movico3[7] to 193.206.192.7

Fri Mar  5 15:39:48 2021 authpriv.info syslog: 06[IKE] initiating Aggressive Mode IKE_SA Movico3[7] to 193.206.192.7

Fri Mar  5 15:39:49 2021 daemon.info syslog: 06[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]

Fri Mar  5 15:39:49 2021 daemon.info syslog: 06[NET] sending packet: from 10.2.135.166[500] to 193.206.192.7[500] (469 bytes)

Fri Mar  5 15:39:49 2021 daemon.info syslog: 05[NET] received packet: from 193.206.192.7[500] to 10.2.135.166[500] (492 bytes)

Fri Mar  5 15:39:49 2021 daemon.info syslog: 05[ENC] parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V ]

Fri Mar  5 15:39:49 2021 daemon.info syslog: 05[IKE] received NAT-T (RFC 3947) vendor ID

Fri Mar  5 15:39:49 2021 daemon.info syslog: 05[IKE] received DPD vendor ID

Fri Mar  5 15:39:49 2021 daemon.info syslog: 05[ENC] received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00

Fri Mar  5 15:39:49 2021 daemon.info syslog: 05[IKE] received FRAGMENTATION vendor ID

Fri Mar  5 15:39:49 2021 daemon.info syslog: 05[IKE] received FRAGMENTATION vendor ID

Fri Mar  5 15:39:49 2021 daemon.info syslog: 05[IKE] calculated HASH does not match HASH payload

Fri Mar  5 15:39:49 2021 daemon.info syslog: 05[ENC] generating INFORMATIONAL_V1 request 1972190123 [ HASH N(AUTH_FAILED) ]

Fri Mar  5 15:39:49 2021 daemon.info syslog: 05[NET] sending packet: from 10.2.135.166[500] to 193.206.192.7[500] (92 bytes)

Fri Mar  5 15:40:19 2021 daemon.info syslog: 14[CFG] received stroke: initiate 'Movico3'

Fri Mar  5 15:40:19 2021 daemon.info syslog: 14[IKE] initiating Aggressive Mode IKE_SA Movico3[8] to 193.206.192.7

Fri Mar  5 15:40:19 2021 authpriv.info syslog: 14[IKE] initiating Aggressive Mode IKE_SA Movico3[8] to 193.206.192.7

Fri Mar  5 15:40:19 2021 daemon.info syslog: 14[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]

Fri Mar  5 15:40:19 2021 daemon.info syslog: 14[NET] sending packet: from 10.2.135.166[500] to 193.206.192.7[500] (469 bytes)

Fri Mar  5 15:40:19 2021 daemon.info syslog: 15[NET] received packet: from 193.206.192.7[500] to 10.2.135.166[500] (492 bytes)

Fri Mar  5 15:40:19 2021 daemon.info syslog: 15[ENC] parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V ]

Fri Mar  5 15:40:19 2021 daemon.info syslog: 15[IKE] received NAT-T (RFC 3947) vendor ID

Fri Mar  5 15:40:19 2021 daemon.info syslog: 15[IKE] received DPD vendor ID

Fri Mar  5 15:40:19 2021 daemon.info syslog: 15[ENC] received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00

Fri Mar  5 15:40:19 2021 daemon.info syslog: 15[IKE] received FRAGMENTATION vendor ID

Fri Mar  5 15:40:19 2021 daemon.info syslog: 15[IKE] received FRAGMENTATION vendor ID

Fri Mar  5 15:40:19 2021 daemon.info syslog: 15[IKE] calculated HASH does not match HASH payload

Fri Mar  5 15:40:19 2021 daemon.info syslog: 15[ENC] generating INFORMATIONAL_V1 request 3555378477 [ HASH N(AUTH_FAILED) ]

Fri Mar  5 15:40:19 2021 daemon.info syslog: 15[NET] sending packet: from 10.2.135.166[500] to 193.206.192.7[500] (92 bytes)

Fri Mar  5 15:40:49 2021 daemon.info syslog: 11[CFG] received stroke: initiate 'Movico3'

Fri Mar  5 15:40:49 2021 daemon.info syslog: 11[IKE] initiating Aggressive Mode IKE_SA Movico3[9] to 193.206.192.7

Fri Mar  5 15:40:49 2021 authpriv.info syslog: 11[IKE] initiating Aggressive Mode IKE_SA Movico3[9] to 193.206.192.7

Fri Mar  5 15:40:49 2021 daemon.info syslog: 11[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]

Fri Mar  5 15:40:49 2021 daemon.info syslog: 11[NET] sending packet: from 10.2.135.166[500] to 193.206.192.7[500] (469 bytes)

Fri Mar  5 15:40:49 2021 daemon.info syslog: 12[NET] received packet: from 193.206.192.7[500] to 10.2.135.166[500] (492 bytes)

Fri Mar  5 15:40:49 2021 daemon.info syslog: 12[ENC] parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V ]

Fri Mar  5 15:40:49 2021 daemon.info syslog: 12[IKE] received NAT-T (RFC 3947) vendor ID

Fri Mar  5 15:40:49 2021 daemon.info syslog: 12[IKE] received DPD vendor ID

Fri Mar  5 15:40:49 2021 daemon.info syslog: 12[ENC] received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00

Fri Mar  5 15:40:49 2021 daemon.info syslog: 12[IKE] received FRAGMENTATION vendor ID

Fri Mar  5 15:40:49 2021 daemon.info syslog: 12[IKE] received FRAGMENTATION vendor ID

Fri Mar  5 15:40:49 2021 daemon.info syslog: 12[IKE] calculated HASH does not match HASH payload

Fri Mar  5 15:40:49 2021 daemon.info syslog: 12[ENC] generating INFORMATIONAL_V1 request 420091842 [ HASH N(AUTH_FAILED) ]

Fri Mar  5 15:40:49 2021 daemon.info syslog: 12[NET] sending packet: from 10.2.135.166[500] to 193.206.192.7[500] (92 bytes)

by

Hello,

[IKE] calculated HASH does not match HASH payload: either the previous packets are received in the wrong order, at least one is missing... but it cannot be caused by a possible PSK mismatch.

This is known to happen haphazardly with IKEv1 in aggressive mode, which is not a very good idea anyway. Could you change your settings and use IKEv2, or at least use main mode?

Regards,

by

Below is the output with IKEv1 set to main mode:

Fri Mar  5 16:40:56 2021 authpriv.info syslog: 16[IKE] initiating Main Mode IKE_SA Movico3[1] to 193.206.192.7

Fri Mar  5 16:40:56 2021 daemon.info syslog: 16[ENC] generating ID_PROT request 0 [ SA V V V V V ]

Fri Mar  5 16:40:56 2021 daemon.info syslog: 16[NET] sending packet: from 10.2.133.65[500] to 193.206.192.7[500] (224 bytes)

Fri Mar  5 16:40:56 2021 daemon.info syslog: 05[NET] received packet: from 193.206.192.7[500] to 10.2.133.65[500] (192 bytes)

Fri Mar  5 16:40:56 2021 daemon.info syslog: 05[ENC] parsed ID_PROT response 0 [ SA V V V V V ]

Fri Mar  5 16:40:56 2021 daemon.info syslog: 05[IKE] received NAT-T (RFC 3947) vendor ID

Fri Mar  5 16:40:56 2021 daemon.info syslog: 05[IKE] received DPD vendor ID

Fri Mar  5 16:40:56 2021 daemon.info syslog: 05[ENC] received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00

Fri Mar  5 16:40:56 2021 daemon.info syslog: 05[IKE] received FRAGMENTATION vendor ID

Fri Mar  5 16:40:56 2021 daemon.info syslog: 05[IKE] received FRAGMENTATION vendor ID

Fri Mar  5 16:40:56 2021 daemon.info syslog: 05[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]

Fri Mar  5 16:40:56 2021 daemon.info syslog: 05[NET] sending packet: from 10.2.133.65[500] to 193.206.192.7[500] (308 bytes)

Fri Mar  5 16:40:56 2021 daemon.info syslog: 06[NET] received packet: from 193.206.192.7[500] to 10.2.133.65[500] (292 bytes)

Fri Mar  5 16:40:56 2021 daemon.info syslog: 06[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]

Fri Mar  5 16:40:56 2021 daemon.info syslog: 06[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]

Fri Mar  5 16:40:56 2021 daemon.info syslog: 06[NET] sending packet: from 10.2.133.65[4500] to 193.206.192.7[4500] (108 bytes)

Fri Mar  5 16:41:00 2021 daemon.info syslog: 09[IKE] sending retransmit 1 of request message ID 0, seq 3

Fri Mar  5 16:41:00 2021 daemon.info syslog: 09[NET] sending packet: from 10.2.133.65[4500] to 193.206.192.7[4500] (108 bytes)

Fri Mar  5 16:41:07 2021 daemon.info syslog: 11[IKE] sending retransmit 2 of request message ID 0, seq 3

Fri Mar  5 16:41:07 2021 daemon.info syslog: 11[NET] sending packet: from 10.2.133.65[4500] to 193.206.192.7[4500] (108 bytes)

Fri Mar  5 16:41:20 2021 daemon.info syslog: 14[IKE] sending retransmit 3 of request message ID 0, seq 3

Fri Mar  5 16:41:20 2021 daemon.info syslog: 14[NET] sending packet: from 10.2.133.65[4500] to 193.206.192.7[4500] (108 bytes)

Fri Mar  5 16:41:33 2021 local1.info gsmd[12449]: gsmd send: 'AT+QCSQ' (8)

Fri Mar  5 16:41:33 2021 local1.info gsmd[12449]: gsmd get: '+QCSQ: "LTE",78,-105,125,-9' (27)

Fri Mar  5 16:41:33 2021 local1.info gsmd[12449]: gsmd send: 'AT+CREG?' (9)

Fri Mar  5 16:41:33 2021 local1.info gsmd[12449]: gsmd get: '+CREG: 2,1,"0C3B","3184F3F",7' (29)

Fri Mar  5 16:41:44 2021 daemon.info syslog: 05[IKE] sending retransmit 4 of request message ID 0, seq 3

Fri Mar  5 16:41:44 2021 daemon.info syslog: 05[NET] sending packet: from 10.2.133.65[4500] to 193.206.192.7[4500] (108 bytes)

Fri Mar  5 16:42:26 2021 daemon.info syslog: 07[IKE] sending retransmit 5 of request message ID 0, seq 3

Fri Mar  5 16:42:26 2021 daemon.info syslog: 07[NET] sending packet: from 10.2.133.65[4500] to 193.206.192.7[4500] (108 bytes)

Fri Mar  5 16:42:57 2021 local1.info gsmd[12449]: gsmd send: 'AT+QCSQ' (8)

Fri Mar  5 16:42:57 2021 local1.info gsmd[12449]: gsmd get: '+QCSQ: "LTE",72,-105,106,-9' (27)

Fri Mar  5 16:42:57 2021 local1.info gsmd[12449]: gsmd send: 'AT+CREG?' (9)

Fri Mar  5 16:42:57 2021 local1.info gsmd[12449]: gsmd get: '+CREG: 2,1,"0C3B","3184F3F",7' (29)

Fri Mar  5 16:43:17 2021 local1.info gsmd[12449]: gsmd send: 'AT+QCSQ' (8)

Fri Mar  5 16:43:17 2021 local1.info gsmd[12449]: gsmd get: '+QCSQ: "LTE",78,-105,117,-9' (27)

Fri Mar  5 16:43:17 2021 local1.info gsmd[12449]: gsmd send: 'AT+CREG?' (9)

Fri Mar  5 16:43:17 2021 local1.info gsmd[12449]: gsmd get: '+CREG: 2,1,"0C3B","3184F3F",7' (29)

Fri Mar  5 16:43:41 2021 daemon.info syslog: 15[IKE] giving up after 5 retransmits

Fri Mar  5 16:43:41 2021 daemon.info syslog: 15[IKE] peer not responding, trying again (3/0)

Fri Mar  5 16:43:41 2021 daemon.info syslog: 15[IKE] initiating Main Mode IKE_SA Movico3[1] to 193.206.192.7

Fri Mar  5 16:43:41 2021 authpriv.info syslog: 15[IKE] initiating Main Mode IKE_SA Movico3[1] to 193.206.192.7

Fri Mar  5 16:43:41 2021 daemon.info syslog: 15[ENC] generating ID_PROT request 0 [ SA V V V V V ]

Fri Mar  5 16:43:41 2021 daemon.info syslog: 15[NET] sending packet: from 10.2.133.65[500] to 193.206.192.7[500] (224 bytes)

Fri Mar  5 16:43:41 2021 daemon.info syslog: 16[NET] received packet: from 193.206.192.7[500] to 10.2.133.65[500] (192 bytes)

Fri Mar  5 16:43:41 2021 daemon.info syslog: 16[ENC] parsed ID_PROT response 0 [ SA V V V V V ]

Fri Mar  5 16:43:41 2021 daemon.info syslog: 16[IKE] received NAT-T (RFC 3947) vendor ID

Fri Mar  5 16:43:41 2021 daemon.info syslog: 16[IKE] received DPD vendor ID

Fri Mar  5 16:43:41 2021 daemon.info syslog: 16[ENC] received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00

Fri Mar  5 16:43:41 2021 daemon.info syslog: 16[IKE] received FRAGMENTATION vendor ID

Fri Mar  5 16:43:41 2021 daemon.info syslog: 16[IKE] received FRAGMENTATION vendor ID

Fri Mar  5 16:43:41 2021 daemon.info syslog: 16[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]

Fri Mar  5 16:43:41 2021 daemon.info syslog: 16[NET] sending packet: from 10.2.133.65[500] to 193.206.192.7[500] (308 bytes)

Fri Mar  5 16:43:41 2021 daemon.info syslog: 05[NET] received packet: from 193.206.192.7[500] to 10.2.133.65[500] (292 bytes)

Fri Mar  5 16:43:41 2021 daemon.info syslog: 05[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]

Fri Mar  5 16:43:42 2021 daemon.info syslog: 05[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]

Fri Mar  5 16:43:42 2021 daemon.info syslog: 05[NET] sending packet: from 10.2.133.65[4500] to 193.206.192.7[4500] (108 bytes)

Fri Mar  5 16:43:45 2021 local1.info gsmd[12449]: gsmd send: 'AT+QCSQ' (8)

Fri Mar  5 16:43:45 2021 local1.info gsmd[12449]: gsmd get: '+QCSQ: "LTE",72,-105,108,-9' (27)

Fri Mar  5 16:43:45 2021 local1.info gsmd[12449]: gsmd send: 'AT+CREG?' (9)

Fri Mar  5 16:43:45 2021 local1.info gsmd[12449]: gsmd get: '+CREG: 2,1,"0C3B","3184F3F",7' (29)

Fri Mar  5 16:43:46 2021 daemon.info syslog: 07[IKE] sending retransmit 1 of request message ID 0, seq 3

Fri Mar  5 16:43:46 2021 daemon.info syslog: 07[NET] sending packet: from 10.2.133.65[4500] to 193.206.192.7[4500] (108 bytes)

Fri Mar  5 16:43:51 2021 local1.info gsmd[12449]: gsmd send: 'AT+QCSQ' (8)

Fri Mar  5 16:43:51 2021 local1.info gsmd[12449]: gsmd get: '+QCSQ: "LTE",79,-105,112,-9' (27)

Fri Mar  5 16:43:51 2021 local1.info gsmd[12449]: gsmd send: 'AT+CREG?' (9)

Fri Mar  5 16:43:51 2021 local1.info gsmd[12449]: gsmd get: '+CREG: 2,1,"0C3B","3184F3F",7' (29)

Fri Mar  5 16:43:53 2021 daemon.info syslog: 10[IKE] sending retransmit 2 of request message ID 0, seq 3

Fri Mar  5 16:43:53 2021 daemon.info syslog: 10[NET] sending packet: from 10.2.133.65[4500] to 193.206.192.7[4500] (108 bytes)

Fri Mar  5 16:44:00 2021 local1.info gsmd[12449]: gsmd send: 'AT+QCSQ' (8)

Fri Mar  5 16:44:00 2021 local1.info gsmd[12449]: gsmd get: '+QCSQ: "LTE",73,-105,97,-9' (26)

Fri Mar  5 16:44:00 2021 local1.info gsmd[12449]: gsmd send: 'AT+CREG?' (9)

Fri Mar  5 16:44:00 2021 local1.info gsmd[12449]: gsmd get: '+CREG: 2,1,"0C3B","3184F3F",7' (29)

Fri Mar  5 16:44:06 2021 daemon.info syslog: 09[IKE] sending retransmit 3 of request message ID 0, seq 3

Fri Mar  5 16:44:06 2021 daemon.info syslog: 09[NET] sending packet: from 10.2.133.65[4500] to 193.206.192.7[4500] (108 bytes)

by

Fri Mar  5 16:40:56 2021 daemon.info syslog: 06[NET] sending packet: from 10.2.133.65[4500] to 193.206.192.7[4500] (108 bytes)

The FortiGate doesn't reply to this message; would it be possible to see the logs on the other side at this time?

Regards,