notToNew
Member Candidate
Topic Author
Posts: 174
Joined: Fri Feb 19, 2016 3:15 pm

[solved] IPsec Mikrotik to Fortigate Phase2 trouble, pls. help

Tue Apr 26, 2016 11:14 am

Hi all,

I have set up some VPN connections and have several IPsec VPNs between my Fortigate devices.

Now I want to connect a Mikrotik to my VPN net.
Phase 1 works without any error (at least, no error I can see in the debug log) on both sides.
But I never see an installed SA, and I never see traffic.

Can someone point me to the right direction?
I have read several Topics here regarding Fortigate and Mikrotik-VPN.
I tried them all.
I created the Fortigate rule from the IPsec device to the internal device and back.

Here are some lines of the ipsec debug log where I get "succeed".
The rest of the debug.log is attached.
09:59:04 ipsec,debug,packet compute IV for phase2
09:59:04 ipsec,debug,packet phase1 last IV:
09:59:04 ipsec,debug,packet fb0f19b1 777a9d67 ab1f8513 77d139d8 bbe52340
09:59:04 ipsec,debug,packet hash(sha1)
09:59:04 ipsec,debug,packet encryption(aes)
09:59:04 ipsec,debug,packet phase2 IV computed:
09:59:04 ipsec,debug,packet ac9b4cb6 5499d09c 754c0481 2dffe18e
09:59:04 ipsec,debug,packet encryption(aes)
09:59:04 ipsec,debug,packet IV was saved for next processing:
09:59:04 ipsec,debug,packet 4eae650c ac9019d9 c6f34aaa e5d6a8a2
09:59:04 ipsec,debug,packet encryption(aes)
09:59:04 ipsec,debug,packet with key:
09:59:04 ipsec,debug,packet fb7a515d 70983747 89b2e7d0 65ae9671
09:59:04 ipsec,debug,packet decrypted payload by IV:
09:59:04 ipsec,debug,packet ac9b4cb6 5499d09c 754c0481 2dffe18e
09:59:04 ipsec,debug,packet decrypted payload, but not trimed.
09:59:04 ipsec,debug,packet 0b000018 26e86c5e f1e060a6 174f8d98 cae3ea64 feeb0d73 00000020 00000001
09:59:04 ipsec,debug,packet 01108d29 0357efe4 f00ca254 589e8356 982c1ce5 000002c4 03c16f2c f5c75d07
09:59:04 ipsec,debug,packet padding len=8
09:59:04 ipsec,debug,packet skip to trim padding.
09:59:04 ipsec,debug,packet decrypted.
09:59:04 ipsec,debug,packet 0357efe4 f00ca254 589e8356 982c1ce5 08100501 bbe52340 0000005c 0b000018
09:59:04 ipsec,debug,packet 26e86c5e f1e060a6 174f8d98 cae3ea64 feeb0d73 00000020 00000001 01108d29
09:59:04 ipsec,debug,packet 0357efe4 f00ca254 589e8356 982c1ce5 000002c4 03c16f2c f5c75d07
09:59:04 ipsec,debug,packet HASH with:
09:59:04 ipsec,debug,packet bbe52340 00000020 00000001 01108d29 0357efe4 f00ca254 589e8356 982c1ce5
09:59:04 ipsec,debug,packet 000002c4
09:59:04 ipsec,debug,packet hmac(hmac_sha1)
09:59:04 ipsec,debug,packet HASH computed:
09:59:04 ipsec,debug,packet 26e86c5e f1e060a6 174f8d98 cae3ea64 feeb0d73
09:59:04 ipsec,debug,packet hash validated.
09:59:04 ipsec,debug,packet begin.
09:59:04 ipsec,debug,packet seen nptype=8(hash)
09:59:04 ipsec,debug,packet seen nptype=11(notify)
09:59:04 ipsec,debug,packet succeed.


My ipsec config is rather basic:
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-ctr lifetime=8h name=ipsec-prop pfs-group=modp1536
/ip ipsec peer
# Unsafe configuration, suggestion to use certificates
add address=10.0.1.2/32 comment=Phase1 dh-group=modp1536 enc-algorithm=aes-128 exchange-mode=aggressive lifetime=8h local-address=10.0.0.1 my-id=\
    fqdn:hegg_maint secret=XXXsecret
/ip ipsec policy
add comment=Phase2 disabled=yes dst-address=192.168.1.0/16 proposal=ipsec-prop sa-dst-address=10.0.1.2 sa-src-address=10.0.0.1 src-address=\
    192.168.0.0/24 tunnel=yes
add comment="Phase2 test IP" dst-address=192.168.1.0/16 ipsec-protocols=ah-esp proposal=ipsec-prop sa-dst-address=10.0.1.2 sa-src-address=10.0.0.1 \
    src-address=192.168.0.0/24 tunnel=yes
Thanks in advance for any help!
Last edited by notToNew on Mon May 02, 2016 4:31 pm, edited 1 time in total.
 
mrz
MikroTik Support
Posts: 7054
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: IPsec Mikrotik to Fortigate Phase2 trouble, pls. help

Tue Apr 26, 2016 11:58 am

Phase 2 is initiated only after a packet matches an ipsec policy. According to the logs there was no attempt to initiate phase 2, so there is no traffic that matches those policies.

You can initiate phase 2, for example, with ping.
 
notToNew
Member Candidate
Topic Author
Posts: 174
Joined: Fri Feb 19, 2016 3:15 pm

Re: IPsec Mikrotik to Fortigate Phase2 trouble, pls. help

Tue Apr 26, 2016 12:10 pm

I tried to ping the other side, but always get a timeout.

Should I see anything in the Log when pinging, while the phase2 gets initiated?
There is nothing to see there, so nothing I can report here.

Do I have to enable phase2 debugging?

Edit1: I get a new entry in "Route list" which tells me that the gateway is unreachable.
 
mrz
MikroTik Support
Posts: 7054
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: IPsec Mikrotik to Fortigate Phase2 trouble, pls. help

Tue Apr 26, 2016 12:48 pm

When you run ping command you must specify correct source address.
 
notToNew
Member Candidate
Topic Author
Posts: 174
Joined: Fri Feb 19, 2016 3:15 pm

Re: IPsec Mikrotik to Fortigate Phase2 trouble, pls. help

Tue Apr 26, 2016 1:32 pm

Thank you, that helped a lot. Now I get many more new logs.
I googled for "NO-PROPOSAL-CHOSEN", but what I found is to check the PFS group (which is DH5) and it is correct on both sides!
Any further ideas?
12:21:17 ipsec,debug,packet phase2 IV computed: 
12:21:17 ipsec,debug,packet 14f00d8d a63883ee 6f6b7228 6fe8c024 
12:21:17 ipsec,debug,packet encryption(aes) 
12:21:17 ipsec,debug,packet IV was saved for next processing: 
12:21:17 ipsec,debug,packet baf10211 b574abdf 3790d501 673d1ec2 
12:21:17 ipsec,debug,packet encryption(aes) 
12:21:17 ipsec,debug,packet with key: 
12:21:17 ipsec,debug,packet b56042ab 784f50e6 b64024ba 025ceff6 de84544d 0520ed3d 32b04a62 f93b2c4f 
12:21:17 ipsec,debug,packet decrypted payload by IV: 
12:21:17 ipsec,debug,packet 14f00d8d a63883ee 6f6b7228 6fe8c024 
12:21:17 ipsec,debug,packet decrypted payload, but not trimed. 
12:21:17 ipsec,debug,packet 0b000024 e971f393 52bfae08 ffe37e00 2aca122f b6490c02 e2928850 d8081e0e 
12:21:17 ipsec,debug,packet 10b46b00 00000010 00000001 0304000e 0c6050aa 3ab0b46a 0e638d26 0b122f0b 
12:21:17 ipsec,debug,packet padding len=12 
12:21:17 ipsec,debug,packet skip to trim padding. 
12:21:17 ipsec,debug,packet decrypted. 
12:21:17 ipsec,debug,packet 86d0b395 eb9609fb e1648ab7 07b8932b 08100501 d9455aa3 0000005c 0b000024 
12:21:17 ipsec,debug,packet e971f393 52bfae08 ffe37e00 2aca122f b6490c02 e2928850 d8081e0e 10b46b00 
12:21:17 ipsec,debug,packet 00000010 00000001 0304000e 0c6050aa 3ab0b46a 0e638d26 0b122f0b 
12:21:17 ipsec,debug,packet HASH with: 
12:21:17 ipsec,debug,packet d9455aa3 00000010 00000001 0304000e 0c6050aa 
12:21:17 ipsec,debug,packet hmac(hmac_sha2_256) 
12:21:17 ipsec,debug,packet HASH computed: 
12:21:17 ipsec,debug,packet e971f393 52bfae08 ffe37e00 2aca122f b6490c02 e2928850 d8081e0e 10b46b00 
12:21:17 ipsec,debug,packet hash validated. 
12:21:17 ipsec,debug,packet begin. 
12:21:17 ipsec,debug,packet seen nptype=8(hash) 
12:21:17 ipsec,debug,packet seen nptype=11(notify) 
12:21:17 ipsec,debug,packet succeed. 
12:21:17 ipsec,debug fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted. 
12:21:17 ipsec,debug,packet notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=0c6050aa(size=4). 
 
mrz
MikroTik Support
Posts: 7054
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: IPsec Mikrotik to Fortigate Phase2 trouble, pls. help

Tue Apr 26, 2016 2:24 pm

There should be more logs showing what parameters in proposal exactly did not match.
 
notToNew
Member Candidate
Topic Author
Posts: 174
Joined: Fri Feb 19, 2016 3:15 pm

Re: IPsec Mikrotik to Fortigate Phase2 trouble, pls. help

Tue Apr 26, 2016 3:20 pm

Here are the logs.
Can't find the error, do you see any?
 
mrz
MikroTik Support
Posts: 7054
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: IPsec Mikrotik to Fortigate Phase2 trouble, pls. help

Tue Apr 26, 2016 3:43 pm

The NO-PROPOSAL-CHOSEN notify message is received from the remote peer. Look for error messages on the remote router.
 
notToNew
Member Candidate
Topic Author
Posts: 174
Joined: Fri Feb 19, 2016 3:15 pm

Re: IPsec Mikrotik to Fortigate Phase2 trouble, pls. help

Tue Apr 26, 2016 5:35 pm

Thank you.
Now, the Mikrotik seems to not accept the proposals from the Fortigate?
"invalid length of payload"?

16:22:18 ipsec,debug,packet IV was saved for next processing: 
16:22:18 ipsec,debug,packet 222ec2f7 1e85e487 e5e6c6c1 18ead494 
16:22:18 ipsec,debug,packet encryption(aes) 
16:22:18 ipsec,debug,packet with key: 
16:22:18 ipsec,debug,packet 4fa2dddb 5b7221bc e521d09a ae0c3502 
16:22:18 ipsec,debug,packet decrypted payload by IV: 
16:22:18 ipsec,debug,packet e629d278 ffa2c0bc 3b0a0a7d d568aeba 
16:22:18 ipsec,debug,packet decrypted payload, but not trimed. 
16:22:18 ipsec,debug,packet 00a27f3b b395d5ec 06d45552 1f92b716 8a744958 8d991dcf 0a000034 00000001 
16:22:18 ipsec,debug,packet 00000001 00000028 01030401 8f6da0fc 0000001c 01030000 80010001 80027080 
16:22:18 ipsec,debug,packet 80040001 80050002 80030005 04000014 9734db29 28e014b4 3562309d 19bdb0b9 
16:22:18 ipsec,debug,packet 050000c4 5dba8236 3f1d2098 7d2f6ff8 c9eaf564 2a842ff4 511d997e 8e6e4447 
16:22:18 ipsec,debug,packet bc3d4410 1559b477 386a3b11 e984b74b 5d753317 1e47474a c88bb796 4cbe6ec3 
16:22:18 ipsec,debug,packet f25f8f87 56a10efa c4e69737 62733ecb 198a246c a557f157 4a66872a 8904ddf1 
16:22:18 ipsec,debug,packet 7708739a f077d89f d00f692a 1d968148 08f7545e fadeef67 d34ff10a a97b4022 
16:22:18 ipsec,debug,packet 23207fe7 ef165982 6d01d3f1 f9c8382d 116b7a13 e0a15d5d 9af273d5 d10379d1 
16:22:18 ipsec,debug,packet 2efce0ac 430efa8a 3b3f37f4 b549c059 3da242bf e5825d3e 284c7ff2 9e1b0b7b 
16:22:18 ipsec,debug,packet a1bc716d 05000010 04000000 c0a8b200 ffffff00 00000010 04000000 0a0c0000 
16:22:18 ipsec,debug,packet ffff0000 d5d1fdcb f9e6ab54 66822e0b 
16:22:18 ipsec,debug,packet padding len=12 
16:22:18 ipsec,debug,packet skip to trim padding. 
16:22:18 ipsec,debug,packet decrypted. 
16:22:18 ipsec,debug,packet f3e9904c ffc439d0 e61ace56 5a69c232 08102001 b4e5fce8 0000016c 00a27f3b 
16:22:18 ipsec,debug,packet b395d5ec 06d45552 1f92b716 8a744958 8d991dcf 0a000034 00000001 00000001 
16:22:18 ipsec,debug,packet 00000028 01030401 8f6da0fc 0000001c 01030000 80010001 80027080 80040001 
16:22:18 ipsec,debug,packet 80050002 80030005 04000014 9734db29 28e014b4 3562309d 19bdb0b9 050000c4 
16:22:18 ipsec,debug,packet 5dba8236 3f1d2098 7d2f6ff8 c9eaf564 2a842ff4 511d997e 8e6e4447 bc3d4410 
16:22:18 ipsec,debug,packet 1559b477 386a3b11 e984b74b 5d753317 1e47474a c88bb796 4cbe6ec3 f25f8f87 
16:22:18 ipsec,debug,packet 56a10efa c4e69737 62733ecb 198a246c a557f157 4a66872a 8904ddf1 7708739a 
16:22:18 ipsec,debug,packet f077d89f d00f692a 1d968148 08f7545e fadeef67 d34ff10a a97b4022 23207fe7 
16:22:18 ipsec,debug,packet ef165982 6d01d3f1 f9c8382d 116b7a13 e0a15d5d 9af273d5 d10379d1 2efce0ac 
16:22:18 ipsec,debug,packet 430efa8a 3b3f37f4 b549c059 3da242bf e5825d3e 284c7ff2 9e1b0b7b a1bc716d 
16:22:18 ipsec,debug,packet 05000010 04000000 c0a8b200 ffffff00 00000010 04000000 0a0c0000 ffff0000 
16:22:18 ipsec,debug,packet d5d1fdcb f9e6ab54 66822e0b 
16:22:18 ipsec,debug,packet begin. 
16:22:18 ipsec,debug,packet seen nptype=8(hash) 
16:22:18 ipsec,debug invalid length of payload 
16:22:18 ipsec,error failed to pre-process ph2 packet. 
The error on the Fortigate says:
ike 0: IKEv1 exchange=Informational id=e04c67d9c72bbaee/fcae5acb0e2a9e84:96de2d22 len=76
ike 0: in E04C67D9C72BBAEEFCAE5ACB0E2A9E840810050196DE2D220000004CAC45FD5B9A64528ADF2836F91CA2FFE87BBDB962FC567E1D492F2B73A81A1D80ECFFB4322F339C6AA71796C27D83B5E5
ike 0:MaintenanceI_0:64: dec E04C67D9C72BBAEEFCAE5ACB0E2A9E840810050196DE2D220000004C0B000018E1D87CDF7964F11AC2DC062F607A0C0BC25F44BA0000000C000000010100000E566D7E465C49D2B945AE9A0B
ike 0:MaintenanceI_0:64: notify msg received: NO-PROPOSAL-CHOSEN
ike 0:MaintenanceI_0:64:: no matching IPsec SPI
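The decrypted hex in these debug dumps can be read by hand, and doing so shows what the two error strings in this thread actually refer to. The following is an added example, not RouterOS or FortiOS code: a small ISAKMP payload-chain walker that takes the "decrypted." dumps quoted in the 1:32 pm and 5:35 pm posts (and the "dec" line from the Fortigate log above), follows the next-payload chain with the same length check an IKE daemon performs, and decodes any Notify payload. On the 12:21 informational message it recovers exactly what RouterOS printed (notify 14 NO-PROPOSAL-CHOSEN, proto_id 3, SPI 0c6050aa); on the 16:22 quick-mode message the bytes right after the header, 00a27f3b, do not form a usable HASH payload header, so the declared payload length overruns the message and the walk stops, which is the condition behind "invalid length of payload". The dump shows that symptom, not its cause. Function and constant names are this example's own.

```python
"""Walk the ISAKMP payload chain of decrypted IKEv1 messages and decode Notify
payloads.  Added example, not RouterOS or FortiOS code.  The hex dumps are
copied from the debug output quoted in this forum thread."""
import struct

# Identifiers from RFC 2408 (ISAKMP) and RFC 2407 (IPsec DOI).
PAYLOAD_NAMES = {0: "NONE", 1: "SA", 2: "PROPOSAL", 3: "TRANSFORM", 4: "KE",
                 5: "ID", 8: "HASH", 10: "NONCE", 11: "NOTIFY", 13: "VENDOR-ID"}
NOTIFY_NAMES = {14: "NO-PROPOSAL-CHOSEN", 16: "PAYLOAD-MALFORMED",
                24: "AUTHENTICATION-FAILED"}
PROTO_NAMES = {1: "ISAKMP", 2: "IPSEC_AH", 3: "IPSEC_ESP", 4: "IPCOMP"}
EXCHANGE_NAMES = {5: "Informational", 32: "Quick Mode"}
HDR_LEN = 28  # cookies (16) + np, version, exchange, flags (4) + msgid (4) + length (4)

# RouterOS "decrypted." dump at 12:21 (the NO-PROPOSAL-CHOSEN notify).
INFORMATIONAL_12_21 = """
86d0b395 eb9609fb e1648ab7 07b8932b 08100501 d9455aa3 0000005c 0b000024
e971f393 52bfae08 ffe37e00 2aca122f b6490c02 e2928850 d8081e0e 10b46b00
00000010 00000001 0304000e 0c6050aa 3ab0b46a 0e638d26 0b122f0b
"""
# RouterOS "decrypted." dump at 16:22 (rejected with "invalid length of payload").
QUICK_MODE_16_22 = """
f3e9904c ffc439d0 e61ace56 5a69c232 08102001 b4e5fce8 0000016c 00a27f3b
b395d5ec 06d45552 1f92b716 8a744958 8d991dcf 0a000034 00000001 00000001
00000028 01030401 8f6da0fc 0000001c 01030000 80010001 80027080 80040001
80050002 80030005 04000014 9734db29 28e014b4 3562309d 19bdb0b9 050000c4
5dba8236 3f1d2098 7d2f6ff8 c9eaf564 2a842ff4 511d997e 8e6e4447 bc3d4410
1559b477 386a3b11 e984b74b 5d753317 1e47474a c88bb796 4cbe6ec3 f25f8f87
56a10efa c4e69737 62733ecb 198a246c a557f157 4a66872a 8904ddf1 7708739a
f077d89f d00f692a 1d968148 08f7545e fadeef67 d34ff10a a97b4022 23207fe7
ef165982 6d01d3f1 f9c8382d 116b7a13 e0a15d5d 9af273d5 d10379d1 2efce0ac
430efa8a 3b3f37f4 b549c059 3da242bf e5825d3e 284c7ff2 9e1b0b7b a1bc716d
05000010 04000000 c0a8b200 ffffff00 00000010 04000000 0a0c0000 ffff0000
d5d1fdcb f9e6ab54 66822e0b
"""
# Fortigate "dec" line at 16:22 (the informational message it received).
FORTIGATE_DEC_16_22 = ("E04C67D9C72BBAEEFCAE5ACB0E2A9E840810050196DE2D220000004C0B000018"
                       "E1D87CDF7964F11AC2DC062F607A0C0BC25F44BA0000000C000000010100000E"
                       "566D7E465C49D2B945AE9A0B")


def decode_notify(body):
    """Decode a Notify payload body: DOI, protocol id, SPI size, notify type, SPI."""
    doi, proto, spi_size, ntype = struct.unpack(">IBBH", body[:8])
    return {"doi": doi, "protocol": PROTO_NAMES.get(proto, proto),
            "notify_type": ntype, "notify_name": NOTIFY_NAMES.get(ntype, f"type-{ntype}"),
            "spi": body[8:8 + spi_size].hex()}


def parse_message(hexdump):
    """Parse the ISAKMP header, then follow the next-payload chain, checking each
    payload's declared length against the bytes left in the message.  The first
    inconsistent length stops the walk and is reported in 'error'."""
    data = bytes.fromhex("".join(hexdump.split()))
    np, _ver, xchg, flags, _msgid, length = struct.unpack(">BBBBII", data[16:HDR_LEN])
    msg = {"exchange": EXCHANGE_NAMES.get(xchg, xchg), "encrypted": bool(flags & 1),
           "declared_length": length, "payloads": [], "error": None, "trailing_bytes": None}
    if len(data) < length:
        msg["error"] = f"message truncated: header says {length} bytes, {len(data)} present"
        return msg
    off = HDR_LEN
    while np != 0:
        name = PAYLOAD_NAMES.get(np, f"type-{np}")
        if off + 4 > length:
            msg["error"] = f"{name} payload header at offset {off} runs past message end"
            break
        nxt, _reserved, plen = struct.unpack(">BBH", data[off:off + 4])
        if plen < 4 or off + plen > length:
            msg["error"] = (f"invalid length of payload: {name} at offset {off} declares "
                            f"{plen} bytes but only {length - off} remain")
            break
        entry = {"type": name, "length": plen}
        if np == 11:
            entry.update(decode_notify(data[off + 4:off + plen]))
        msg["payloads"].append(entry)
        np, off = nxt, off + plen
    if msg["error"] is None:
        # IKEv1 counts the cipher padding in the header length, so bytes may remain
        # after the last payload; RouterOS printed this as "padding len=12".
        msg["trailing_bytes"] = length - off
    return msg


if __name__ == "__main__":
    for label, dump in [("12:21 informational", INFORMATIONAL_12_21),
                        ("16:22 quick mode", QUICK_MODE_16_22),
                        ("Fortigate dec", FORTIGATE_DEC_16_22)]:
        print(label, parse_message(dump))
```

The Fortigate-side message decodes to a NO-PROPOSAL-CHOSEN notify with protocol id 1 (ISAKMP) and an empty SPI, the RouterOS-side one to the same notify type with protocol id 3 (ESP) and the 4-byte SPI the log names; comparing the two shows which peer rejected what, which is the check mrz's reply asks for.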
 
notToNew
Member Candidate
Topic Author
Posts: 174
Joined: Fri Feb 19, 2016 3:15 pm

Re: IPsec Mikrotik to Fortigate Phase2 trouble, pls. help

Wed Apr 27, 2016 10:05 am

OK, I got this error using aes-128-ctr.
Now I changed to aes-128-cbc and I get a different error:

The Mikrotik-side error:
failed to pre-process ph2 packet
The Fortigate-side error:
notify msg received: NO-PROPOSAL-CHOSEN
So it seems that the Mikrotik did not choose a proposal from the Fortigate side,
but in this part of the Fortigate log, both proposals are the same:
 proposal id = 1:
   protocol id = IPSEC_ESP:
   PFS DH group = 5
      trans_id = ESP_AES (key_len = 128)
      encapsulation = ENCAPSULATION_MODE_TUNNEL
         type = AUTH_ALG, val=SHA1
 incoming proposal:
 proposal id = 1:
   protocol id = IPSEC_ESP:
   PFS DH group = 5
      trans_id = ESP_AES (key_len = 128)
      encapsulation = ENCAPSULATION_MODE_TUNNEL
         type = AUTH_ALG, val=SHA1
 negotiation result
 proposal id = 1:
   protocol id = IPSEC_ESP:
   PFS DH group = 5
      trans_id = ESP_AES (key_len = 128)
      encapsulation = ENCAPSULATION_MODE_TUNNEL
         type = AUTH_ALG, val=SHA1
Can you help me any further?
Attached is the full log of both devices


Edit1: I tried to change the group to *FFFFFFFF as I found in an old thread, which I found by searching for "failed to pre-process ph2 packet", but the result was the same.
 
mrz
MikroTik Support
Posts: 7054
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: IPsec Mikrotik to Fortigate Phase2 trouble, pls. help

Wed Apr 27, 2016 2:19 pm

Try to reboot the router; if the problem appears again after the reboot, generate a supout file right after you see the error message and send it to support.
 
notToNew
Member Candidate
Topic Author
Posts: 174
Joined: Fri Feb 19, 2016 3:15 pm

Re: IPsec Mikrotik to Fortigate Phase2 trouble, pls. help

Wed Apr 27, 2016 2:51 pm

It is reproducible after a restart and with firmware 6.34.4 and 6.35.1, so I sent in the support file as Ticket#2016042766000718.
Thanks for your help!
 
notToNew
Member Candidate
Topic Author
Posts: 174
Joined: Fri Feb 19, 2016 3:15 pm

[solved] Re: IPsec Mikrotik to Fortigate Phase2 trouble, pls. help

Mon May 02, 2016 4:30 pm

Thanks to the support, we found a solution. Just change phase2 from "ah+esp" to "esp".
