techneitsolutions (Belgium) asked:
Problem with IPSec VPN tunnel to remote site

Hi experts,

We need to set up an IPSec VPN tunnel to a remote site. The remote site's hardware is unknown, but we do know the IPSec settings. Phase 1 and Phase 2 have been configured and firewall policies are defined.

In our Fortigate logs we get this during setup of the tunnel:

error    dpd                IPsec connection failure on the tunnel to <remote ip>:500      dpd_failure
notice   negotiate          Initiator: tunnel <remote ip>, transform=ESP_AES, HMAC_SHA1     success
notice   negotiate          Initiator: sent <remote ip> quick mode message #2 (DONE)        success
notice   install_sa         Initiator: tunnel <local ip>/<remote ip> install ipsec sa
notice   negotiate          Initiator: sent <remote ip> quick mode message #1 (OK)          success
notice   negotiate          Initiator: parsed <remote ip> main mode message #3 (DONE)       success
notice   negotiate          Initiator: sent <remote ip> main mode message #3 (OK)           success
notice   negotiate          Initiator: sent <remote ip> main mode message #2 (OK)           success
notice   negotiate          Initiator: sent <remote ip> main mode message #1 (OK)           success
notice   delete_phase1_sa   Deleted an Isakmp SA on the tunnel to <remote ip>:500


The dpd_failure message has ID 23011. According to Fortinet this means:
1.11. Message ID: 23011
Message:       loc_ip=<local_ipaddress> loc_port=<local_port> rem_ip=<> rem_port=<> out_if=<> vpn_tunnel=<ip_address> cookies=<> action=dpd status=dpd_failure msg="IPSec connection failure"
Meaning:       IPSec connection failure.

(see url http://kc.forticare.com/print.asp?id=3271&Lang=1&SID=)

The problem here is that we need a deeper analysis of what exactly is going wrong.
dpd_failure = dead peer detected failure, but since it's replying on the first phases, the Fortigate can reach the other site.

Does anyone have a suggestion?

thanks,
Pieter
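As an added example (editor's addition, not part of the original post or of Fortinet's answer), these are the FortiGate CLI commands that give the "deeper analysis" asked for above: an IKE debug restricted to the one peer, followed by a check of which security associations actually exist after negotiation. The peer address 203.0.113.10 and the tunnel name remote-site are placeholders; the command syntax assumed here is the FortiOS 4.x/5.x form (later releases rename the log-filter keywords), so adjust to the running version.

```text
# Restrict IKE debug output to the one peer (203.0.113.10 is a placeholder address)
diagnose vpn ike log-filter dst-addr4 203.0.113.10
diagnose debug application ike -1
diagnose debug enable

# ... bring the tunnel up and wait for the dpd_failure event, then stop capturing
diagnose debug disable
diagnose debug reset

# Which IKE (phase 1) and IPsec (phase 2) SAs exist for the tunnel right now?
diagnose vpn ike gateway list name remote-site
diagnose vpn tunnel list name remote-site
```

What to look for in the debug output: DPD (RFC 3706) is only supposed to be used when both sides announced it with a DPD vendor ID payload during main mode, and the probes themselves are ISAKMP notify messages R-U-THERE and R-U-THERE-ACK sent after the IKE SA is up. If the FortiGate sends R-U-THERE several times with no R-U-THERE-ACK from the peer and then deletes the phase 1 SA, the peer completed IKE but does not answer DPD, which is exactly the sequence the log lines above show (read them bottom to top: main mode, quick mode, SA installed, DPD failure, phase 1 SA deleted). A peer that never sent the DPD vendor ID, or that answers on a different port after NAT, both produce this picture.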
ASKER CERTIFIED SOLUTION
dpk_wal
techneitsolutions (ASKER)
Must be something between the Fortigate and the remote device, since I've tried setting up a second tunnel for testing purposes, with the same settings, between two Fortigate devices. This worked from the moment I activated the tunnel.

So I'll try your advice and disable the DPD check.

I know the remote device is not a Fortigate, but I'll see if I can get some more information soon.
Okay, this did solve the problem.

I also found someone with the same problem between a Fortigate and a Cisco. He also had to disable DPD on the Fortigate so that the VPN tunnel would become operational.

Thank you for the info, it will help everyone! :)
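The configuration change that resolved the thread, shown as an added example (editor's addition, not the asker's or dpk_wal's actual configuration), with the alternative of keeping DPD but making it more tolerant beside it. The tunnel name remote-site is a placeholder, and `config vpn ipsec phase1` is the policy-based form that goes with firewall policies using the ENCRYPT action; a route-based tunnel uses `config vpn ipsec phase1-interface` with the same DPD settings. The retry values are illustrative, not recommendations for any particular peer.

```text
config vpn ipsec phase1
    edit "remote-site"
        # existing proposal, remote gateway and pre-shared key settings stay as they are
        # Option A (what fixed the tunnel in this thread): send no DPD probes to this peer
        set dpd disable
    next
end

config vpn ipsec phase1
    edit "remote-site"
        # Option B: keep DPD, but give a slow or lossy peer more time before the
        # phase 1 SA is torn down (defaults are a 5 second interval and 3 retries)
        set dpd enable
        set dpd-retryinterval 10
        set dpd-retrycount 5
    next
end
```

The caveat that goes with option A: with DPD off the FortiGate has no way to notice that the peer has gone away, so after a peer reboot or a path outage it keeps the stale IKE and IPsec SAs and black-holes traffic until the SA lifetime expires or something else triggers a renegotiation. Where the peer supports DPD at all, option B, or fixing DPD on the remote side, is preferable; on newer FortiOS releases `set dpd on-idle` (probe only while no traffic is flowing) is a further middle ground, but whether a given release offers it depends on the version, so check the CLI reference.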
I am going for a wild guess, but did you define a firewall rule (with the ENCRYPT action) to allow some or all protocols, depending on your needs, for the traffic flowing from site A to site B once the connection has been established?

Clearly the dead peer detection could be a cause of lost syncs, however if you don't set up a firewall rule the connection isn't going to be maintained just after phase I and II.