IPSec phase 2 down randomly

doctor12th · January 19, 2022, 7:46pm

Hello,
i have a site to site between two sites.
The Policy are
10.0.89.64/26 → 10.1.89.64/26
10.0.89.64/26 → 10.1.90.64/26

The other side is a Fortigate firewall .
The LAN on my side is 192.168.1.64/26 , i have netmap srcnat/dstnat 192.168.1.64/26 ↔ 10.0.89.64/26 using connection_mark for connection to dst-address-list ip addresses.
Randomly the phase 2 goes down, if i check logs on my side there is “NO PROPOSAL CHOSEN” and i don’t know the reason.
I do not have access to the remote logs of the other side so i do not know how can i fix this.
Normally the VPN works well, this happens randomly so i don t know

sindy · January 19, 2022, 8:13pm

Does it look like this:

21:09:27 ipsec processing payloads: NOTIFY
21:09:27 ipsec   notify: NO_PROPOSAL_CHOSEN
21:09:27 ipsec got error: NO_PROPOSAL_CHOSEN

or like this:

10:13:13 ipsec,error no proposal chosen
10:13:13 ipsec adding notify: NO_PROPOSAL_CHOSEN

?

doctor12th · January 19, 2022, 8:40pm

if i check logs on my side there is “NO PROPOSAL CHOSEN” and i don’t know the reason.

Does it look like this:
21:09:27 ipsec processing payloads: NOTIFY
21:09:27 ipsec   notify: NO_PROPOSAL_CHOSEN
21:09:27 ipsec got error: NO_PROPOSAL_CHOSEN
or like this:
10:13:13 ipsec,error no proposal chosen
10:13:13 ipsec adding notify: NO_PROPOSAL_CHOSEN
?

error the second you wrote

own3r1138 · January 19, 2022, 8:53pm

subject-alt-name in ssl :d Is it random or about the same time as lifetime of your proposal?

sindy · January 19, 2022, 8:53pm

In that case, it was your Mikrotik that did not like a request from the Fortigate, hence the previous lines in the log should show what the request contained and what RouterOS did not like about it.

doctor12th · January 20, 2022, 8:42pm

I Enabled IPsec topc but i can’t see what mikrotik received because It shows paylosd encrypted. How can i see the plain paylosd?

sindy · January 20, 2022, 9:07pm

It indeed writes “encrypted payload” into the log, however it also shows the decrypted contents in hexadecimal form (if you remove the !packet part from the topics list under /system logging, see here how to visualize it if really necessary), but even more important, it usually shows the contents in an even more readable form. At least you should see the required traffic selector and the proposed transform values in the request from the Fortigate. See an example below:

01:47:00 ipsec,debug ===== received 604 bytes from 192.168.227.11[4500] to 192.168.227.13[4500]
01:47:00 ipsec,debug,packet 7911f08d 2ebe0b20 04523ba7 30747483 2e202408 0000001e 0000025c 28000240
…
01:47:00 ipsec,debug,packet 27c3261f 0c57f758 9b6df524 9284dade 5239e228 6ba17615 dbb2b40e
01:47:00 ipsec → ike2 request, exchange: CREATE_CHILD_SA:30 192.168.227.11[4500] 7911f08d2ebe0b20:04523ba730747483
01:47:00 ipsec payload seen: ENC (576 bytes)
01:47:00 ipsec processing payload: ENC
01:47:00 ipsec,debug => iv (size 0x10)
01:47:00 ipsec,debug 88361d79 94aa39b5 41beb48f fd74926b
01:47:00 ipsec,debug decrypted
01:47:00 ipsec,debug,packet => decrypted packet (size 0x150)
01:47:00 ipsec,debug,packet 2200001c 619b82b6 bbcd1ad1 5a6329eb 1ed6afd3 af145619 6a1e5100 21000088
…
01:47:00 ipsec,debug,packet 00000000 00030004 00000000 00190000
01:47:00 ipsec payload seen: NONCE (28 bytes)
01:47:00 ipsec payload seen: KE (136 bytes)
01:47:00 ipsec payload seen: SA (76 bytes)
01:47:00 ipsec payload seen: TS_I (24 bytes)
01:47:00 ipsec payload seen: TS_R (24 bytes)
01:47:00 ipsec payload seen: CONFIG (48 bytes)
01:47:00 ipsec create child: respond
01:47:00 ipsec processing payloads: NOTIFY (none found)
01:47:00 ipsec processing payloads: NOTIFY (none found)
01:47:00 ipsec peer wants tunnel mode
01:47:00 ipsec processing payload: CONFIG
01:47:00 ipsec attribute: internal IPv4 address size: 4
01:47:00 ipsec attribute: internal IPv4 netmask size: 4
01:47:00 ipsec attribute: internal IPv6 subnet size: 8
01:47:00 ipsec attribute: internal IPv4 DNS size: 4
01:47:00 ipsec attribute: internal DNS domain
01:47:00 ipsec processing payload: TS_I
01:47:00 ipsec 192.168.88.1
01:47:00 ipsec processing payload: TS_R
01:47:00 ipsec 192.168.137.146
01:47:00 ipsec canditate selectors: 192.168.137.146 <=> 192.168.88.1
01:47:00 ipsec processing payload: SA
01:47:00 ipsec IKE Protocol: ESP
01:47:00 ipsec proposal #1
01:47:00 ipsec enc: aes256-cbc
01:47:00 ipsec enc: aes192-cbc
01:47:00 ipsec enc: aes128-cbc
01:47:00 ipsec auth: sha1
01:47:00 ipsec dh: modp1024
01:47:00 ipsec searching for policy for selector: 192.168.137.146 <=> 192.168.88.1
01:47:00 ipsec using strict match: 192.168.137.146 <=> 192.168.88.1
01:47:00 ipsec allocated address from pool is not within selector
01:47:00 ipsec,error no proposal chosen
01:47:00 ipsec adding notify: NO_PROPOSAL_CHOSEN