 
Geoffb
just joined
Topic Author
Posts: 13
Joined: Wed Dec 27, 2006 4:13 pm

IPSec Connection Issue [Mikrotik<->FortGate]

Fri Jul 27, 2012 6:40 pm

Hi All,

I'm having an issue trying to set up an IPSec VPN between a RB1100(v4.12) and a FortGate 331B (v4.0,build0342,120227). I have tried searching through the support forums, but have not found any helpful information as yet.

I have included logs and configs of both devices in this post. It basically dies with an "invalid length of payload/malformed or expired" error, and I'm at a total loss as to what is wrong.

jul/18 16:48:39 ipsec respond new phase 1 negotiation: *MIKROTIK-IP*[500]<=>*FORTGATE-IP*[500] 
jul/18 16:48:39 ipsec begin Identity Protection mode. 
jul/18 16:48:39 ipsec received Vendor ID: RFC 3947 
jul/18 16:48:39 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-03 
jul/18 16:48:39 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 
jul/18 16:48:39 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 
jul/18 16:48:39 ipsec 
jul/18 16:48:39 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-01 
jul/18 16:48:39 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-00 
jul/18 16:48:39 ipsec received Vendor ID: DPD 
jul/18 16:48:39 ipsec Selected NAT-T version: RFC 3947 
jul/18 16:48:39 ipsec Hashing *MIKROTIK-IP*[500] with algo #1  
jul/18 16:48:39 ipsec NAT-D payload #0 verified 
jul/18 16:48:39 ipsec Hashing *FORTGATE-IP*[500] with algo #1  
jul/18 16:48:39 ipsec NAT-D payload #1 verified 
jul/18 16:48:39 ipsec NAT not detected  
jul/18 16:48:39 ipsec Hashing *REMOTE-IP*[500] with algo #1  
jul/18 16:48:39 ipsec Hashing *FORTGATE-IP*[500] with algo #1  
jul/18 16:48:39 ipsec Adding remote and local NAT-D payloads. 
jul/18 16:48:39 ipsec phase1 negotiation failed due to time up. f3910b0466248ffb:db0f570033e05fba 
jul/18 16:48:39 ipsec invalid length of payload

I'd greatly appreciate any help you can offer.
Thanks very much!
 
Poki
just joined
Posts: 11
Joined: Thu Jul 26, 2012 3:42 pm

Re: IPSec Connection Issue [Mikrotik<->FortGate]

Sat Jul 28, 2012 1:07 am

Try removing nat-traversal from the peer setup.
 
rjickity
Member Candidate
Posts: 212
Joined: Sat Jul 17, 2010 10:40 am
Location: Perth, Australia

Re: IPSec Connection Issue [Mikrotik<->FortGate]

Sat Jul 28, 2012 1:54 pm

Double check your secrets. If it is a complex secret, attempt a simple 'abc123' and see what happens. If it still occurs, debug both and see what they are seeing.
 
bluemoon
just joined
Posts: 16
Joined: Sat Jan 17, 2015 10:22 am

Re: IPSec Connection Issue [Mikrotik<->FortGate]

Fri Apr 17, 2015 9:25 am

Hi rjickity,

Thanks for the feedback. My VPN connection problem has been fixed from my LAN side but I am still struggling from the WAN side. After reading your comment I can connect with the Mikrotik from my LAN, but the WAN is not allowing me to connect, and I don't even see any error in the log.

Can you please guide me?

Thanks
 
rjickity
Member Candidate
Posts: 212
Joined: Sat Jul 17, 2010 10:40 am
Location: Perth, Australia

Sun May 10, 2015 4:50 am

Sorry, I don't quite understand. Your IPsec policy will be what defines your traffic for encryption (SRC and DST addressing, which from your initial policy is a single host on the MikroTik side and a small subnet on the FortiGate side).

When you say you cannot access from the WAN, I would think that's by design. Could you give an example of what you're trying to access and from where?
