
BFoIP Blog

Introduces CCNA sample questions and similar material, with a Japanese translation when the original is in English.


FortiGate: VPN can't connect with this message [peer has not completed Configuration Method]

I was not able to connect an Internet VPN between a FortiGate and a Juniper SRX.
Then I found the following message on the FortiGate:
[peer has not completed Configuration Method]

---log messages------------- 
ike 0:VPNTest:890: notify msg received: R-U-THERE-ACK
ike 0:VPNTest:VPNTest: IPsec SA connect 4 10.10.10.1->192.168.1.1:0
ike 0:VPNTest:VPNTest: using existing connection
ike 0:VPNTest:VPNTest: config found
ike 0:VPNTest: request is on the queue
ike 0: comes 192.168.1.1:500->10.10.10.1:500,ifindex=4....
ike 0: IKEv1 exchange=Quick id=b8c9b865eb29f2bb/b31f2aadaac2cb72:efeabe21 len=428
ike 0: in B8C9B865EB29F2BBB31F2AADAAC2CB7208102001EFEABE21000001AC61F3DCE0A14CE2E5F756
ike 0:VPNTest:890: peer has not completed Configuration Method
ike 0:VPNTest: link is idle 4 10.10.10.1->192.168.1.1:0 dpd=1 seqno=2481
ike 0:VPNTest:890: send IKEv1 DPD probe, seqno 9345
ike 0:VPNTest:890: enc B8C9B865EB29F2BBB31F2AADAAC2CB7208100501A0EB31B500000054
ike 0:VPNTest:890: out B8C9B865EB29F2BBB31F2AADAAC2CB7208100501A0EB31B50000005C
ike 0:VPNTest:890: sent IKE msg (R-U-THERE): 10.10.10.1:500->192.168.1.1:500, len=92, id=b8c9b865eb29f2bb/b31f2aadaac2cb72:a0eb31b5
ike 0: comes 192.168.1.1:500->10.10.10.1:500,ifindex=4....
----------------

If you also see this message, try removing the following setting from your FortiGate firewall:
[set mode-cfg enable]


1. Enter "vpn ipsec phase1-interface" mode
Test-60C # config vpn ipsec phase1-interface


2. Check whether "set mode-cfg enable" is listed in your configuration using the "show" command
Test-60C (phase1-interface) # show
config vpn ipsec phase1-interface
    edit "VPNTest"
        set interface "wan1"
        set nattraversal disable
        set mode-cfg enable
        set proposal 3des-sha1 aes128-sha1
        set dhgrp 5 2
        set remote-gw 192.168.1.1
        set psksecret ENC ooq9fO8Kc2/3JvXNaHzw==
    next
end


3. Remove "set mode-cfg enable" by setting mode-cfg to disable
Test-60C (phase1-interface) # edit VPNTest
Test-60C (VPNTest) # set mode-cfg disable


4. Confirm the setting is no longer listed using the "show" command
Test-60C (VPNTest) # show
config vpn ipsec phase1-interface
    edit "VPNTest"
        set interface "wan1"
        set nattraversal disable
        set proposal 3des-sha1 aes128-sha1
        set dhgrp 5 2
        set remote-gw 192.168.1.1
        set psksecret ENC ooq9fO8Kc2/3JvXNaHzw==
    next
end


5. Exit from the VPN configuration mode
Test-60C (VPNTest) # next
Test-60C (phase1-interface) # end
Test-60C # 
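
The check from the steps above can also be run offline against saved IKE debug output and saved "show" output. The following is an added example, not part of the original post: it reports phase 1 entries that both log the error and still have mode-cfg enabled. The function names, the "Branch2" entry and its address are assumptions made for illustration.

```python
import re
# Constructed samples modelled on the post's log and "show" output;
# the "Branch2" entry and its address are invented for contrast.
SAMPLE_LOG = """\
ike 0:VPNTest:VPNTest: IPsec SA connect 4 10.10.10.1->192.168.1.1:0
ike 0:VPNTest:890: peer has not completed Configuration Method
ike 0:VPNTest:890: send IKEv1 DPD probe, seqno 9345
"""
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "VPNTest"
        set interface "wan1"
        set mode-cfg enable
        set remote-gw 192.168.1.1
    next
    edit "Branch2"
        set remote-gw 192.168.2.1
    next
end
"""

ERR = re.compile(r"^ike \d+:([^:]+):\d+: peer has not completed Configuration Method")
def tunnels_with_error(log_text):
    """Phase 1 names whose IKE debug lines carry the error message."""
    hits = (ERR.match(line.strip()) for line in log_text.splitlines())
    return {m.group(1) for m in hits if m}

def phase1_settings(config_text):
    """Parse "show" output into {phase1_name: {setting: value}}."""
    entries, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line[5:].strip().strip('"')
            entries[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            _, key, *value = line.split(None, 2)
            entries[current][key] = value[0] if value else ""
    return entries

def suspect_tunnels(log_text, config_text):
    """Tunnels that log the error and still have mode-cfg enabled."""
    cfg = phase1_settings(config_text)
    return sorted(t for t in tunnels_with_error(log_text)
                  if cfg.get(t, {}).get("mode-cfg") == "enable")

print(suspect_tunnels(SAMPLE_LOG, SAMPLE_CONFIG))
```

Because "set mode-cfg disable" drops the line from the "show" output, a tunnel fixed as in step 3 no longer appears in the result.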