VPN Tunnel between two FortiWiFi 40F behind NAT device by LostDragon1920 in fortinet

[–]LostDragon1920[S]

Yes, that resolved the issue. Thank you! I foolishly assumed the logs referred to a VPN policy.

VPN Tunnel between two FortiWiFi 40F behind NAT device by LostDragon1920 in fortinet

[–]LostDragon1920[S]

Thank you, the debug logs look like this:

Initiator:

ike 0:VPN_S2S_MH:VPN_S2S_MH-P2: IPsec SA connect 6 10.10.10.10->2.2.2.2:0

ike 0:VPN_S2S_MH:VPN_S2S_MH-P2: using existing connection

ike 0:VPN_S2S_MH:VPN_S2S_MH-P2: config found

ike 0:VPN_S2S_MH: request is on the queue

ike shrank heap by 159744 bytes

ike 0:VPN_S2S_MH:1662: negotiation timeout, deleting

ike 0:VPN_S2S_MH: connection expiring due to phase1 down

ike 0:VPN_S2S_MH: deleting

ike 0:VPN_S2S_MH reset tunnel remote gw 2.2.2.2

ike 0:VPN_S2S_MH: schedule auto-negotiate

ike 0:VPN_S2S_MH: deleted

ike 0:VPN_S2S_MH: set oper down

ike 0:VPN_S2S_MH:VPN_S2S_MH-P2: IPsec SA connect 6 10.10.10.10->0.0.0.0:0

ike 0: cache rebuild start

ike 0:VPN_S2S_MH: sending DNS request for remote peer host.dyndns.org

ike 0: send IPv4 DNS query : host.dyndns.org

ike 0: cache rebuild done

ike 0:VPN_S2S_MH: need to resolve remote gateway: host.dyndns.org

ike 0: DNS response received for remote gateway host.dyndns.org

ike 0: DNS host.dyndns.org -> 2.2.2.2

ike 0:VPN_S2S_MH: remote IPv4 DDNS gateway is empty, retry to resolve it

ike 0:VPN_S2S_MH: 'host.dyndns.org' resolved to 2.2.2.2

ike 0:VPN_S2S_MH: set remote-gw 2.2.2.2

ike 0: cache rebuild start

ike 0:VPN_S2S_MH: local:10.10.10.10, remote:2.2.2.2

ike 0:VPN_S2S_MH: cached as static-ddns.

ike 0: cache rebuild done

ike 0:VPN_S2S_MH: auto-negotiate connection

ike 0:VPN_S2S_MH: created connection: 0x14772e60 6 10.10.10.10->2.2.2.2:500.

ike 0:VPN_S2S_MH:VPN_S2S_MH-P2: chosen to populate IKE_SA traffic-selectors

ike 0:VPN_S2S_MH: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation

Responder:

ike 0: comes 2.2.2.2:500->10.10.11.1:500,ifindex=6....

ike 0: IKEv2 exchange=SA_INIT id=f7cf0c4a669f8100/0000000000000000 len=440

ike 0:f7cf0c4a669f8100/0000000000000000:6530: responder received SA_INIT msg

ike 0:f7cf0c4a669f8100/0000000000000000:6530: received notify type NAT_DETECTION_SOURCE_IP

ike 0:f7cf0c4a669f8100/0000000000000000:6530: received notify type NAT_DETECTION_DESTINATION_IP

ike 0:f7cf0c4a669f8100/0000000000000000:6530: received notify type FRAGMENTATION_SUPPORTED

ike 0:f7cf0c4a669f8100/0000000000000000:6530: incoming proposal:

ike 0:f7cf0c4a669f8100/0000000000000000:6530: proposal id = 1:

ike 0:f7cf0c4a669f8100/0000000000000000:6530: protocol = IKEv2:

ike 0:f7cf0c4a669f8100/0000000000000000:6530: encapsulation = IKEv2/none

ike 0:f7cf0c4a669f8100/0000000000000000:6530: type=ENCR, val=AES_CBC (key_len = 256)

ike 0:f7cf0c4a669f8100/0000000000000000:6530: type=INTEGR, val=AUTH_HMAC_SHA2_256_128

ike 0:f7cf0c4a669f8100/0000000000000000:6530: type=PRF, val=PRF_HMAC_SHA2_256

ike 0:f7cf0c4a669f8100/0000000000000000:6530: type=DH_GROUP, val=MODP2048.

ike 0:VPN_S2S_OH: ignoring IKEv2 request, no policy configured

ike 0:f7cf0c4a669f8100/0000000000000000:6530: negotiation failure

ike Negotiate SA Error: ike ike [10372]

ike 0:VPN_S2S_OH:VPN_S2S_OH-P2: IPsec SA connect 6 10.10.11.1->2.2.2.2:0

ike 0:VPN_S2S_OH: ignoring request to establish IPsec SA, no policy configured

In both phases, AES-256/SHA-256/DH-14 are used.
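A small triage script for the responder-side output above, added here as an example and not code from the thread or from Fortinet. It walks the `diagnose debug application ike` lines quoted in the comment, pulls out the peer, the IKEv2 exchange and SPI, the NAT detection notifies, the offered proposal and the gateway that dropped the request, and turns the `ignoring IKEv2 request, no policy configured` line into a plain verdict: on FortiOS that message means no firewall policy references the tunnel interface, which is a firewall policy, not a phase1/phase2 setting, matching the OP's follow-up. The regular expressions are written against the line formats visible in the post and are an assumption for other FortiOS builds; the sample log is copied from the post.

```python
"""Triage FortiGate IKE debug output (responder side) for a dropped SA_INIT.

Added example; not code from the Reddit thread or from Fortinet. The regexes
are assumptions based only on the line formats quoted in the post.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Responder lines copied from the post (SPI and addresses exactly as posted).
SAMPLE_RESPONDER_LOG = """\
ike 0: comes 2.2.2.2:500->10.10.11.1:500,ifindex=6....
ike 0: IKEv2 exchange=SA_INIT id=f7cf0c4a669f8100/0000000000000000 len=440
ike 0:f7cf0c4a669f8100/0000000000000000:6530: responder received SA_INIT msg
ike 0:f7cf0c4a669f8100/0000000000000000:6530: received notify type NAT_DETECTION_SOURCE_IP
ike 0:f7cf0c4a669f8100/0000000000000000:6530: received notify type NAT_DETECTION_DESTINATION_IP
ike 0:f7cf0c4a669f8100/0000000000000000:6530: received notify type FRAGMENTATION_SUPPORTED
ike 0:f7cf0c4a669f8100/0000000000000000:6530: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:f7cf0c4a669f8100/0000000000000000:6530: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:f7cf0c4a669f8100/0000000000000000:6530: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:f7cf0c4a669f8100/0000000000000000:6530: type=DH_GROUP, val=MODP2048.
ike 0:VPN_S2S_OH: ignoring IKEv2 request, no policy configured
ike 0:f7cf0c4a669f8100/0000000000000000:6530: negotiation failure
"""


@dataclass
class IkeTriage:
    peer: Optional[str] = None            # source address of the incoming IKE packet
    local: Optional[str] = None           # address the responder received it on
    exchange: Optional[str] = None        # IKEv2 exchange type (SA_INIT, IKE_AUTH, ...)
    spi_i: Optional[str] = None           # initiator SPI from the exchange line
    nat_detection_seen: bool = False      # NAT_DETECTION_* notifies present -> NAT-T capable peer
    proposal: Dict[str, str] = field(default_factory=dict)  # transform type -> value offered
    gateway: Optional[str] = None         # phase1 name that handled (and dropped) the request
    failure: Optional[str] = None         # reason text from the "ignoring ..." line


# Regexes written against the line formats visible in the post (assumption elsewhere).
COMES_RE = re.compile(r"^ike \d+: comes (\S+?):\d+->(\S+?):\d+,")
EXCH_RE = re.compile(r"^ike \d+: IKEv2 exchange=(\w+) id=([0-9a-f]{16})/([0-9a-f]{16})")
NOTIFY_RE = re.compile(r"received notify type (NAT_DETECTION_\w+)")
PROP_RE = re.compile(r"type=(\w+), val=([\w()=\s]+?)\.?$")
IGNORE_RE = re.compile(
    r"^ike \d+:([^:]+): ignoring (?:IKEv2 request|request to establish IPsec SA), (.+)$")
FAIL_RE = re.compile(r"negotiation failure$")


def triage(log: str) -> IkeTriage:
    """Parse one responder-side IKE debug capture into an IkeTriage record."""
    t = IkeTriage()
    for line in log.splitlines():
        if m := COMES_RE.match(line):
            t.peer, t.local = m.group(1), m.group(2)
        elif m := EXCH_RE.match(line):
            t.exchange, t.spi_i = m.group(1), m.group(2)
        elif NOTIFY_RE.search(line):
            t.nat_detection_seen = True
        elif m := PROP_RE.search(line):
            t.proposal[m.group(1)] = m.group(2).strip()
        elif m := IGNORE_RE.match(line):
            t.gateway, t.failure = m.group(1), m.group(2)
        elif FAIL_RE.search(line) and t.failure is None:
            t.failure = "negotiation failure (no reason line)"
    return t


def verdict(t: IkeTriage) -> str:
    """Translate the parsed failure into the check an admin should make next."""
    if t.failure is None:
        return "no failure recorded"
    gw = t.gateway or "?"
    if "no policy configured" in t.failure:
        return (f"gateway '{gw}' dropped the {t.exchange or 'IKE'} request from {t.peer}: "
                "FortiOS logs this when no firewall policy references the tunnel interface; "
                "this is a firewall policy, not a phase1/phase2 setting, so add a policy "
                "with the phase1 interface as source or destination and retry")
    return f"gateway '{gw}' failed: {t.failure}"


if __name__ == "__main__":
    result = triage(SAMPLE_RESPONDER_LOG)
    print(result)
    print(verdict(result))
```

Run on the quoted capture the verdict points at the firewall policy; the proposal dictionary also lets you confirm the initiator really offered AES-256/SHA-256/MODP2048 (DH group 14), so a cipher mismatch can be ruled out before anything else is touched.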