When I tried to bring up a VPN between a FortiGate and an SRX, the tunnel would not connect and the FortiGate side logged
[peer has not completed Configuration Method]. Here are my notes on how I dealt with it.
---Log sample-------------
ike 0:VPNTest:890: notify msg received: R-U-THERE-ACK
ike 0:VPNTest:VPNTest: IPsec SA connect 4 10.10.10.1->192.168.1.1:0
ike 0:VPNTest:VPNTest: using existing connection
ike 0:VPNTest:VPNTest: config found
ike 0:VPNTest: request is on the queue
ike 0: comes 192.168.1.1:500->10.10.10.1:500,ifindex=4....
ike 0: IKEv1 exchange=Quick id=b8c9b865eb29f2bb/b31f2aadaac2cb72:efeabe21 len=428
ike 0: in B8C9B865EB29F2BBB31F2AADAAC2CB7208102001EFEABE21000001AC61F3DCE0A14CE2E5F756
ike 0:VPNTest:890: peer has not completed Configuration Method
ike 0:VPNTest: link is idle 4 10.10.10.1->192.168.1.1:0 dpd=1 seqno=2481
ike 0:VPNTest:890: send IKEv1 DPD probe, seqno 9345
ike 0:VPNTest:890: enc B8C9B865EB29F2BBB31F2AADAAC2CB7208100501A0EB31B500000054
ike 0:VPNTest:890: out B8C9B865EB29F2BBB31F2AADAAC2CB7208100501A0EB31B50000005C
ike 0:VPNTest:890: sent IKE msg (R-U-THERE): 10.10.10.1:500->192.168.1.1:500, len=92, id=b8c9b865eb29f2bb/b31f2aadaac2cb72:a0eb31b5
ike 0: comes 192.168.1.1:500->10.10.10.1:500,ifindex=4....
----------------
When this message appears, the [set mode-cfg enable] setting on the phase1-interface had to be disabled. Mode config (IKE Mode Config) is meant for pushing settings such as an address to dialup clients; a static site-to-site peer like the SRX never completes that exchange, so the FortiGate keeps waiting for it and the IPsec SA never comes up until it is turned off.
1. Enter the vpn ipsec phase1-interface configuration mode
Test-60C # config vpn ipsec phase1-interface
2. Use the show command to check whether set mode-cfg enable is configured
Test-60C (phase1-interface) # show
config vpn ipsec phase1-interface
    edit "VPNTest"
        set interface "wan1"
        set nattraversal disable
        set mode-cfg enable
        set proposal 3des-sha1 aes128-sha1
        set dhgrp 5 2
        set remote-gw 192.168.1.1
        set psksecret ENC ooq9fO8Kc2/3JvXNaHzw==
    next
end
3. Disable the set mode-cfg enable setting
Test-60C (phase1-interface) # edit VPNTest
Test-60C (VPNTest) # set mode-cfg disable
4. Use the show command to confirm that the setting has been disabled
Note: confirm that set mode-cfg enable is no longer displayed (mode-cfg disable is the default, so the line simply disappears)
Test-60C (VPNTest) # show
config vpn ipsec phase1-interface
    edit "VPNTest"
        set interface "wan1"
        set nattraversal disable
        set proposal 3des-sha1 aes128-sha1
        set dhgrp 5 2
        set remote-gw 192.168.1.1
        set psksecret ENC ooq9fO8Kc2/3JvXNaHzw==
    next
end
5. Exit the VPN configuration mode
Test-60C (VPNTest) # next
Test-60C (phase1-interface) # end
Test-60C #
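As an added example (not part of the original memo), a Python script that correlates the "peer has not completed Configuration Method" line in the IKE debug output with the phase1-interface configuration and produces the FortiOS CLI needed to disable mode-cfg only on the tunnels that actually show the failure. The log lines, tunnel names and addresses in it are constructed from the excerpt above.

```python
import re

# Constructed "diagnose debug application ike" output modelled on the excerpt above.
SAMPLE_IKE_LOG = """\
ike 0:VPNTest:VPNTest: IPsec SA connect 4 10.10.10.1->192.168.1.1:0
ike 0:VPNTest:890: peer has not completed Configuration Method
ike 0:SiteB:12: notify msg received: R-U-THERE-ACK
"""

# Constructed phase1-interface config in the same shape as the "show" output above.
SAMPLE_PHASE1_CONFIG = """\
config vpn ipsec phase1-interface
    edit "VPNTest"
        set interface "wan1"
        set mode-cfg enable
        set remote-gw 192.168.1.1
    next
    edit "SiteB"
        set interface "wan1"
        set remote-gw 192.168.1.2
    next
end
"""

FAIL_RE = re.compile(r"^ike \d+:([^:]+):\d+: peer has not completed Configuration Method$")

def failing_tunnels(ike_log: str) -> set:
    """Names of tunnels whose peer never completed the IKE mode-cfg exchange."""
    return {m.group(1) for line in ike_log.splitlines() if (m := FAIL_RE.match(line))}

def mode_cfg_enabled(phase1_config: str) -> set:
    """Names of phase1-interface entries that contain 'set mode-cfg enable'."""
    enabled, current = set(), None
    for line in (raw.strip() for raw in phase1_config.splitlines()):
        if line.startswith("edit "):
            current = line[5:].strip().strip('"')
        elif line == "next":
            current = None
        elif line == "set mode-cfg enable" and current:
            enabled.add(current)
    return enabled

def remediation(ike_log: str, phase1_config: str) -> list:
    """FortiOS CLI lines that disable mode-cfg only where log and config both point at it."""
    cmds = []
    for tunnel in sorted(failing_tunnels(ike_log) & mode_cfg_enabled(phase1_config)):
        cmds += ["config vpn ipsec phase1-interface", f'edit "{tunnel}"',
                 "set mode-cfg disable", "next", "end"]
    return cmds
```

Feed it real output from `diagnose debug application ike -1` and `show vpn ipsec phase1-interface` and it only proposes a change for tunnels where both the symptom and the setting are present.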