IPsec VPN between Mikrotik and Fortigate

Hello,

I tried for the first time to create a VPN between a Fortigate 60E (v5.6.0) and a Mikrotik CCR1009-7G-1C-1S+ (v6.45.7), but with issues.
I used the following “guide”: https://www.fastbit.ro/en/ipsec-site-to-site-vpn-between-fortigate-and-mikrotik/#:~:text=On%20the%20Action%20TAB%20fill,create%20a%20new%20IPSec%20Peer.
Many menus are very different in the various versions of RouterOS, and I found everything different.
The first thing that catches my attention is that the “guide” asked me to create an IPsec policy specifying the local and remote networks. I created this; however, when I look at the policy, it appears with 0.0.0.0/0 as the source address and the remote public IP as the destination address, and it doesn't let me change the values.
In the Fortigate I have another IPsec VPN with another Fortigate device, which is working.

This is the VPN setting in the Mikrotik:

/ip ipsec profile
add dh-group=modp1536 enc-algorithm=3des name=profileTemp
/ip ipsec peer
add address=remotePublicIP/32 name=peerTemp profile=profileTemp
/ip ipsec proposal
add enc-algorithms=3des lifetime=1d name=proposaltemp pfs-group=modp1536
/ip ipsec identity
add peer=peerTemp secret=Argentina20
/ip ipsec policy
add dst-address=190.111.200.154/32 peer=peerTemp proposal=proposaltemp src-address=0.0.0.0/0

I ran a debug on the Fortigate and got the following:

diagnose debug enable
diagnose debug application ike -1

fgt60e-iga01 # ike 0:VPNnotWorking:VPNnotWorking: IPsec SA connect 5 FGpublicIP->MKTpublicIP:0
ike 0:VPNnotWorking: ignoring request to establish IPsec SA, no policy configured
ike 0: comes FGpublicIP2:500->FGpublicIP:500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=dcd2166064c689c5/5c05337671eb29a8:bf4ddd3d len=92
ike 0:VPNworking:248: notify msg received: R-U-THERE
ike 0:VPNworking:248: sent IKE msg (R-U-THERE-ACK): FGpublicIP:500->FGpublicIP2:500, len=92, id=dcd2166064c689c5/5c05337671eb29a8:8d693df2
ike 0:VPNnotWorking:VPNnotWorking: IPsec SA connect 5 FGpublicIP->MKTpublicIP:0
ike 0:VPNnotWorking: ignoring request to establish IPsec SA, no policy configured
ike 0: comes MKTpublicIP:500->FGpublicIP:500,ifindex=5....
ike 0: IKEv1 exchange=Identity Protection id=e223d3ab5154f152/0000000000000000 len=344
ike 0:e223d3ab5154f152/0000000000000000:665: responder: main mode get 1st message...
ike 0:e223d3ab5154f152/0000000000000000:665: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:e223d3ab5154f152/0000000000000000:665: VID draft-ietf-ipsec-nat-t-ike-08 8F8D83826D246B6FC7A8A6A428C11DE8
ike 0:e223d3ab5154f152/0000000000000000:665: VID draft-ietf-ipsec-nat-t-ike-07 439B59F8BA676C4C7737AE22EAB8F582
ike 0:e223d3ab5154f152/0000000000000000:665: VID draft-ietf-ipsec-nat-t-ike-06 4D1E0E136DEAFA34C4F3EA9F02EC7285
ike 0:e223d3ab5154f152/0000000000000000:665: VID draft-ietf-ipsec-nat-t-ike-05 80D0BB3DEF54565EE84645D4C85CE3EE
ike 0:e223d3ab5154f152/0000000000000000:665: VID draft-ietf-ipsec-nat-t-ike-04 9909B64EED937C6573DE52ACE952FA6B
ike 0:e223d3ab5154f152/0000000000000000:665: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:e223d3ab5154f152/0000000000000000:665: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
ike 0:e223d3ab5154f152/0000000000000000:665: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:e223d3ab5154f152/0000000000000000:665: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
ike 0:e223d3ab5154f152/0000000000000000:665: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:e223d3ab5154f152/0000000000000000:665: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
ike 0:e223d3ab5154f152/0000000000000000:665: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:VPNnotWorking: ignoring IKE request, no policy configured
ike 0:e223d3ab5154f152/0000000000000000:665: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:e223d3ab5154f152/0000000000000000:665: no SA proposal chosen
ike 0: comes FGpublicIP2:500->FGpublicIP:500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=dcd2166064c689c5/5c05337671eb29a8:7f92927e len=92
ike 0:VPNworking:248: notify msg received: R-U-THERE
ike 0:VPNworking:248: sent IKE msg (R-U-THERE-ACK): FGpublicIP:500->FGpublicIP2:500, len=92, id=dcd2166064c689c5/5c05337671eb29a8:15c5c594
ike 0:VPNnotWorking:VPNnotWorking: IPsec SA connect 5 FGpublicIP->MKTpublicIP:0
ike 0:VPNnotWorking: ignoring request to establish IPsec SA, no policy configured
ike 0: comes FGpublicIP2:500->FGpublicIP:500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=dcd2166064c689c5/5c05337671eb29a8:4c9d7d25 len=92
ike 0:VPNworking:248: notify msg received: R-U-THERE
ike 0:VPNworking:248: sent IKE msg (R-U-THERE-ACK): FGpublicIP:500->FGpublicIP2:500, len=92, id=dcd2166064c689c5/5c05337671eb29a8:f5a92033
ike 0:VPNnotWorking: gw negotiation timeout
ike 0:VPNnotWorking:VPNnotWorking: IPsec SA connect 5 FGpublicIP->MKTpublicIP:0
ike 0:VPNnotWorking: ignoring request to establish IPsec SA, no policy configured
ike 0: comes MKTpublicIP:500->FGpublicIP:500,ifindex=5....
ike 0: IKEv1 exchange=Identity Protection id=e223d3ab5154f152/0000000000000000 len=344
ike 0:e223d3ab5154f152/0000000000000000:666: responder: main mode get 1st message...
ike 0:e223d3ab5154f152/0000000000000000:666: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:e223d3ab5154f152/0000000000000000:666: VID draft-ietf-ipsec-nat-t-ike-08 8F8D83826D246B6FC7A8A6A428C11DE8
ike 0:e223d3ab5154f152/0000000000000000:666: VID draft-ietf-ipsec-nat-t-ike-07 439B59F8BA676C4C7737AE22EAB8F582
ike 0:e223d3ab5154f152/0000000000000000:666: VID draft-ietf-ipsec-nat-t-ike-06 4D1E0E136DEAFA34C4F3EA9F02EC7285
ike 0:e223d3ab5154f152/0000000000000000:666: VID draft-ietf-ipsec-nat-t-ike-05 80D0BB3DEF54565EE84645D4C85CE3EE
ike 0:e223d3ab5154f152/0000000000000000:666: VID draft-ietf-ipsec-nat-t-ike-04 9909B64EED937C6573DE52ACE952FA6B
ike 0:e223d3ab5154f152/0000000000000000:666: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:e223d3ab5154f152/0000000000000000:666: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
ike 0:e223d3ab5154f152/0000000000000000:666: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:e223d3ab5154f152/0000000000000000:666: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
ike 0:e223d3ab5154f152/0000000000000000:666: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:e223d3ab5154f152/0000000000000000:666: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
ike 0:e223d3ab5154f152/0000000000000000:666: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:VPNnotWorking: ignoring IKE request, no policy configured
ike 0:e223d3ab5154f152/0000000000000000:666: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:e223d3ab5154f152/0000000000000000:666: no SA proposal chosen
 
fgt60e-iga01 # ike 0: comes FGpublicIP2:500->FGpublicIP:500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=dcd2166064c689c5/5c05337671eb29a8:de0a8ecb len=92
ike 0:VPNworking:248: notify msg received: R-U-THERE
ike 0:VPNworking:248: sent IKE msg (R-U-THERE-ACK): FGpublicIP:500->FGpublicIP2:500, len=92, id=dcd2166064c689c5/5c05337671eb29a8:d6b40b29
ike 0:VPNnotWorking:VPNnotWorking: IPsec SA connect 5 FGpublicIP->MKTpublicIP:0
ike 0:VPNnotWorking: ignoring request to establish IPsec SA, no policy configured
ike 0: comes FGpublicIP2:500->FGpublicIP:500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=dcd2166064c689c5/5c05337671eb29a8:f4d82f23 len=92
ike 0:VPNworking:248: notify msg received: R-U-THERE
ike 0:VPNworking:248: sent IKE msg (R-U-THERE-ACK): FGpublicIP:500->FGpublicIP2:500, len=92, id=dcd2166064c689c5/5c05337671eb29a8:0982d979
ike 0:VPNnotWorking:VPNnotWorking: IPsec SA connect 5 FGpublicIP->MKTpublicIP:0
ike 0:VPNnotWorking: ignoring request to establish IPsec SA, no policy configured
ike 0: comes FGpublicIP2:500->FGpublicIP:500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=dcd2166064c689c5/5c05337671eb29a8:7bdddc9e len=92
ike 0:VPNworking:248: notify msg received: R-U-THERE
ike 0:VPNworking:248: sent IKE msg (R-U-THERE-ACK): FGpublicIP:500->FGpublicIP2:500, len=92, id=dcd2166064c689c5/5c05337671eb29a8:078a66ed
diagnose debug disable

The Fortigate tells me “No policy configured”. Do you know which policy it is talking about?

Thanks in advance.
Regards,
Damián
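
As an added example (not from the original post, and not Fortinet's or Mikrotik's code), a Python script that decodes the fixed ISAKMP header that Fortigate prints as raw hex on the `ike 0: in` lines and groups the verdict lines per gateway, so the working tunnel's DPD keepalives can be told apart from the failing main-mode attempt. The exchange-type and next-payload numbers are the RFC 2408 values; the sample debug lines are constructed to mirror the output above, with FGpublicIP/MKTpublicIP kept as placeholders.

```python
import re
from collections import defaultdict

# ISAKMP header field values from RFC 2408 section 3.1 (only the ones seen in this thread).
EXCHANGE_TYPES = {2: "Identity Protection", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"}
NEXT_PAYLOADS = {1: "SA", 8: "Hash", 11: "Notification", 13: "Vendor ID"}
# Gateway-level verdict lines; the gateway is either the tunnel name or, before
# Fortigate has matched the packet to a tunnel, the "initiator/responder cookie" pair.
VERDICT_RE = re.compile(
    r"ike 0:(?P<gw>[^:\s]+)(?::[^:\s]+)*: "
    r"(?P<msg>ignoring .*|negotiation failure|no SA proposal chosen|gw negotiation timeout)$")
IN_RE = re.compile(r"^ike 0: in (?P<hex>[0-9A-Fa-f]+)$")

def parse_isakmp_header(hexdump):
    """Decode the fixed 28-byte ISAKMP header at the start of a hex-dumped IKEv1 packet."""
    raw = bytes.fromhex(hexdump[:56])
    if len(raw) < 28:
        raise ValueError("truncated ISAKMP header")
    return {
        "init_cookie": raw[0:8].hex(),
        "resp_cookie": raw[8:16].hex(),
        "next_payload": NEXT_PAYLOADS.get(raw[16], raw[16]),
        "version": f"{raw[17] >> 4}.{raw[17] & 0x0F}",
        "exchange": EXCHANGE_TYPES.get(raw[18], raw[18]),
        "encrypted": bool(raw[19] & 0x01),  # E bit: payloads after the header are encrypted
        "message_id": raw[20:24].hex(),
        "length": int.from_bytes(raw[24:28], "big"),
    }

def summarise(debug_output):
    """Return the decoded headers of inbound packets and the verdict lines per gateway."""
    headers, verdicts = [], defaultdict(list)
    for line in debug_output.splitlines():
        m = IN_RE.match(line)
        if m:
            headers.append(parse_isakmp_header(m.group("hex")))
            continue
        m = VERDICT_RE.search(line)
        if m:
            verdicts[m.group("gw")].append(m.group("msg"))
    return {"headers": headers, "verdicts": dict(verdicts)}

# Constructed sample shaped like the Fortigate debug output (payload hex cut after the header).
SAMPLE_DEBUG = """\
ike 0:VPNnotWorking: ignoring request to establish IPsec SA, no policy configured
ike 0: IKEv1 exchange=Identity Protection id=e223d3ab5154f152/0000000000000000 len=344
ike 0: in E223D3AB5154F15200000000000000000110020000000000000001580D000038
ike 0:VPNnotWorking: ignoring IKE request, no policy configured
ike 0:e223d3ab5154f152/0000000000000000:665: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:e223d3ab5154f152/0000000000000000:665: no SA proposal chosen
ike 0: in DCD2166064C689C55C05337671EB29A808100501BF4DDD3D0000005CF6EEE212
ike 0:VPNworking:248: notify msg received: R-U-THERE
"""

if __name__ == "__main__":
    result = summarise(SAMPLE_DEBUG)
    for h in result["headers"]:
        print(h["exchange"], h["init_cookie"], h["message_id"], h["length"], h["encrypted"])
    print(result["verdicts"])
```

The decoded length (344 and 92) and message id should agree with the `exchange=` line that Fortigate prints just before each dump; a mismatch there would point at a truncated or mangled capture rather than at the tunnel configuration.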

First of all! Upgrade both routers to the latest firmware.

Hello, thanks for your response.
I have no way to do this so far.
I got past the “No policy” message, but now I get the following:

6353: notify msg received: NO-PROPOSAL-CHOSEN

I have a proposal created and it is selected in the policy.
Now the tunnel is down in the Fortigate, but I see 2 active peers in the Mikrotik; I don't know what this means:

[admin@Mikrotik] > ip ipsec active-peers print
Flags: R - responder, N - natt-peer 
 #    ID                   STATE              UPTIME          PH2-TOTAL REMOTE-ADDRESS                                                      DYNAMIC-ADDRESS                           
 0 R                       established        28m36s                    FGpublicIP                                                    
 1                         established        28m28s                    FGpublicIP

Any idea?
Regards,
Damián

NO-PROPOSAL-CHOSEN means that the remote peer did not like any of the encryption & authentication algorithm combinations in your Phase 2 proposal. As both devices are configured as both initiators and responders, you can set passive=yes at the Mikrotik side (at the peer representing the Fortigate), wait until the Fortigate sets up a connection (you may have to disable and re-enable the identity) and see in the log what transforms the Fortigate itself proposes for Phase 2 (policy negotiation). Phase 1 is OK, otherwise you wouldn’t see the active-peer state established.

Hello, thanks for your response.

In the Mikrotik “active peer” tab, “side” column, it appears as “responder”. I changed the auto-negotiate option to disabled in the Fortigate, which I think is to trigger the tunnel from the Mikrotik.
I am not sure, but maybe the “responder” value means that the Fortigate tried to start the tunnel and the Mikrotik answered; this means that disabling the auto-negotiate option is not doing what I supposed it would do. Am I right?
Anyway, I tried enabling auto-negotiate in the Fortigate and setting “passive” in the Mikrotik peer, with the same behaviour.
In the Mikrotik policies it appears as “no phase2”, which means that you are right and the issue is with Phase 2.
I set in both sides:
Auth algorithms: only sha1
Encr algorithms: only 3des

However, in the Mikrotik I set modp1536 as the PFS group, but I don't have any option like this in the Fortigate; I only have “Enable Perfect Forward Secrecy (PFS)” enabled, but I can't select anything.

Could the problem be that sha1-3des works differently in Mikrotik and Fortigate?
Do you have any working configuration?

Regards,
Damián

No, I don’t have any working configuration for Fortigate-Mikrotik interworking. According to @emils, pfs-group in Phase 2 proposal must match the dh-group in Phase 1 profile (or be set to none). There is also the lifetime which may differ - as said, read the log when Mikrotik is set to respond only (passive=yes) and Fortigate initiates the connection, it will tell you what the Fortigate proposes.

sha1 and 3des cannot work differently on different devices; but if they did due to a bug on one of the devices, it would show up later, not as early as during the SA negotiation. There must be some difference in one of the proposals’ parameters.

Hello,

Thank you Sindy,
The PFS group in the Phase 2 proposal does match the dh-group in the Phase 1 profile; both are modp1536.
The Mikrotik is set to respond only (passive=yes) and I get the same error in the log all the time:

15:36:24 ipsec,error FGpublicIP failed to pre-process ph2 packet.

This means nothing to me. I pasted it into Google and found very different problems; it seems to be a generic error.
Any idea?

Thanks in advance.
Regards,
Damián

I didn’t expect you to find out anything useful from an error severity log message, but I also didn’t expect that you didn’t activate debug severity messages at Mikrotik given that you could do that at Fortinet.

So:

  • disable the peer representing the Fortigate at Mikrotik side
  • issue /system logging add topics=ipsec,!packet to activate logging of everything regarding IPsec except dump of complete packet contents
  • run /log print follow-only file=ipsec-startup where topics~"ipsec"
  • enable the peer representing the Fortigate and wait until the active-peers list shows the Fortigate to be active
  • break the /log print …
  • download the file ipsec-startup.txt and read what the Fortigate actually proposes for Phase 2

Other than the above, it is also quite likely that something useful can be found in the Fortigate log, but you have only posted the one taken before you’ve managed to successfully configure the systems for Phase 1, so that one is useless for analysis of the current issue.

Thanks Sindy,

I didn't know that I should activate the debug log level.
While you were writing your response I was watching a YouTube tutorial in Spanish, and this worked for me:
https://www.youtube.com/watch?v=1V7h8kJLvH0
It uses only des; maybe I will try later with other security settings and will upload the settings here.

Regards,
Damián