IPSec VPN Shrew Soft Fortigate

I am trying to configure an IPSec VPN on a Fortigate 80C and connect to it with Shrew Soft VPN. Even though the debug output on the Fortigate unit shows the same values for the two proposals (apart from the proposal ID), I get a negotiation failure:

    ike 0: comes 213.233.112.182:500->192.168.1.254:500,ifindex=18....
    ike 0: IKEv1 exchange=Aggressive id=448542093a752e2a/0000000000000000 len=577
    ike 0: in
    ike 0:448542093a752e2a/0000000000000000:1314: responder: aggressive mode get 1st message...
    ike 0:448542093a752e2a/0000000000000000:1314: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
    ike 0:448542093a752e2a/0000000000000000:1314: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
    ike 0:448542093a752e2a/0000000000000000:1314: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
    ike 0:448542093a752e2a/0000000000000000:1314: VID draft-ietf-ipsec-nat-t-ike-02 90CB80913EBB696E086381B5EC427B1F
    ike 0:448542093a752e2a/0000000000000000:1314: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
    ike 0:448542093a752e2a/0000000000000000:1314: VID RFC 3947 4A131C81070358455C5728F20E95452F
    ike 0:448542093a752e2a/0000000000000000:1314: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000
    ike 0:448542093a752e2a/0000000000000000:1314: VID DPD AFCAD71368A1F1C96B8696FC77570100
    ike 0:448542093a752e2a/0000000000000000:1314: VID unknown (16): 3B9031DCE4FCF88B489A923963DD0C49
    ike 0:448542093a752e2a/0000000000000000:1314: VID unknown (16): F14B94B7BFF1FEF02773B8C49FEDED26
    ike 0:448542093a752e2a/0000000000000000:1314: VID unknown (20): 166F932D55EB64D8E4DF4FD37E2313F0D0FD8451
    ike 0:448542093a752e2a/0000000000000000:1314: VID unknown (16): 8404ADF9CDA05760B2CA292E4BFF537B
    ike 0:448542093a752e2a/0000000000000000:1314: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
    ike 0: IKEv1 Aggressive, comes 213.233.112.182:500->192.168.1.254 18, peer-id=FSARO
    ike 0:448542093a752e2a/0000000000000000:1314: my proposal, gw BKIPSECVPN:
    ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 1:
    ike 0:448542093a752e2a/0000000000000000:1314: protocol id = ISAKMP:
    ike 0:448542093a752e2a/0000000000000000:1314: trans_id = KEY_IKE.
    ike 0:448542093a752e2a/0000000000000000:1314: encapsulation = IKE/none
    ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
    ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_HASH_ALG, val=SHA.
    ike 0:448542093a752e2a/0000000000000000:1314: type=AUTH_METHOD, val=PRESHARED_KEY.
    ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_GROUP, val=1536.
    ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
    ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 1:
    ike 0:448542093a752e2a/0000000000000000:1314: protocol id = ISAKMP:
    ike 0:448542093a752e2a/0000000000000000:1314: trans_id = KEY_IKE.
    ike 0:448542093a752e2a/0000000000000000:1314: encapsulation = IKE/none
    ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
    ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_HASH_ALG, val=SHA.
    ike 0:448542093a752e2a/0000000000000000:1314: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
    ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_GROUP, val=1536.
    ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
    ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 1:
    ike 0:448542093a752e2a/0000000000000000:1314: protocol id = ISAKMP:
    ike 0:448542093a752e2a/0000000000000000:1314: trans_id = KEY_IKE.
    ike 0:448542093a752e2a/0000000000000000:1314: encapsulation = IKE/none
    ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
    ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_HASH_ALG, val=SHA.
    ike 0:448542093a752e2a/0000000000000000:1314: type=AUTH_METHOD, val=PRESHARED_KEY.
    ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_GROUP, val=1536.
    ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
    ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 1:
    ike 0:448542093a752e2a/0000000000000000:1314: protocol id = ISAKMP:
    ike 0:448542093a752e2a/0000000000000000:1314: trans_id = KEY_IKE.
    ike 0:448542093a752e2a/0000000000000000:1314: encapsulation = IKE/none
    ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
    ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_HASH_ALG, val=SHA.
    ike 0:448542093a752e2a/0000000000000000:1314: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
    ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_GROUP, val=1536.
    ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
    ike 0:448542093a752e2a/0000000000000000:1314: incoming proposal:
    ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 0:
    ike 0:448542093a752e2a/0000000000000000:1314: protocol id = ISAKMP:
    ike 0:448542093a752e2a/0000000000000000:1314: trans_id = KEY_IKE.
    ike 0:448542093a752e2a/0000000000000000:1314: encapsulation = IKE/none
    ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
    ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_HASH_ALG, val=SHA.
    ike 0:448542093a752e2a/0000000000000000:1314: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
    ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_GROUP, val=1536.
    ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
    ike 0:448542093a752e2a/0000000000000000:1314: negotiation failure
    ike Negotiate ISAKMP SA Error:
    ike 0:448542093a752e2a/0000000000000000:1314: no SA proposal chosen
    ike shrank heap by 122880 bytes
    ike shrank heap by 20480 bytes

Any idea why this happens?

Here is the tunnel configuration:

    BKFGT80C-03 # show vpn ipsec phase1-interface BKIPSECVPN
    config vpn ipsec phase1-interface
        edit "BKIPSECVPN"
            set type dynamic
            set interface "WANProsodieDATA"
            set mode aggressive
            set xauthtype pap
            set proposal 3des-sha1 aes128-sha1
            set authusrgrp "vpn-users@SRV3"
            set psksecret ENC nhHJbl/trs/6Fxx383T9wTSrI85maR2cvP2R4N5XD0VyLc/rdzp/QnWFKOEYlXEIBc6ViKqSrb2GCliq5+4y3dxuRG3hurRq5T4Vz1uYf23y/+qE8xMspKvWOJkb2BP8wV7bkNgd7TjJabL/GfOU6pIsuga9J0kknxTdEPl8fWzj3U4g85R9+BO7264YQ/7ZopFZHA==
            set keepalive 15
        next
    end
    BKFGT80C-03 # show vpn ipsec phase2-interface BKIPSECVPN_Ph2
    config vpn ipsec phase2-interface
        edit "BKIPSECVPN_Ph2"
            set keepalive enable
            set phase1name "BKIPSECVPN"
            set proposal 3des-sha1 aes128-sha1
        next
    end

Here is the Shrew Soft VPN configuration:

    n:version:4
    n:network-ike-port:500
    n:network-mtu-size:1380
    n:client-addr-auto:0
    n:network-natt-port:4500
    n:network-natt-rate:15
    n:network-frag-size:540
    n:network-dpd-enable:1
    n:client-banner-enable:0
    n:network-notify-enable:1
    n:client-dns-used:1
    n:client-dns-auto:0
    n:client-dns-suffix-auto:0
    n:client-splitdns-used:1
    n:client-splitdns-auto:0
    n:client-wins-used:0
    n:client-wins-auto:0
    n:phase1-dhgroup:5
    n:phase1-life-secs:28800
    n:phase1-life-kbytes:0
    n:vendor-chkpt-enable:0
    n:phase2-life-secs:1800
    n:phase2-life-kbytes:5120
    n:policy-nailed:1
    n:policy-list-auto:1
    n:phase1-keylen:256
    s:network-host:213.139.103.131
    s:client-auto-mode:disabled
    s:client-iface:virtual
    s:client-ip-addr:192.168.50.2
    s:client-ip-mask:255.255.255.0
    s:network-natt-mode:enable
    s:network-frag-mode:enable
    s:client-dns-addr:8.8.8.8
    s:client-dns-suffix:bk.local
    s:auth-method:mutual-psk-xauth
    s:ident-client-type:address
    s:ident-server-type:address
    b:auth-mutual-psk:YWJjZGVmZ2hpamts
    s:phase1-exchange:aggressive
    s:phase1-cipher:3des
    s:phase1-hash:sha1
    s:phase2-transform:esp-3des
    s:phase2-hmac:sha1
    s:ipcomp-transform:disabled
    n:phase2-pfsgroup:5
    s:policy-level:auto
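The "no SA proposal chosen" line only says that no transform matched; the useful part of the debug output is the attribute list of each "my proposal" block against the "incoming proposal". The following is an added example (not from the original post or from Fortinet) that parses that dump format, pairs every initiator transform with the closest responder transform and reports which attributes differ, so a lifetime, DH group or auth-method mismatch is spotted in one pass instead of by eye; if it reports an exact match, as it would on the log above, the visible attributes are ruled out and the cause lies elsewhere. The log excerpt inside it is constructed in the same format with a shortened SPI.

```python
import re
# Constructed excerpt in the shape of the Fortigate IKE debug dump quoted
# above (SPI shortened, transforms trimmed); not the question's real log.
SAMPLE = """\
ike 0:spi:1314: my proposal, gw BKIPSECVPN:
ike 0:spi:1314: proposal id = 1:
ike 0:spi:1314: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:spi:1314: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:spi:1314: type=OAKLEY_GROUP, val=1536.
ike 0:spi:1314: ISAKMP SA lifetime=28800
ike 0:spi:1314: proposal id = 1:
ike 0:spi:1314: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:spi:1314: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:spi:1314: type=OAKLEY_GROUP, val=1536.
ike 0:spi:1314: ISAKMP SA lifetime=28800
ike 0:spi:1314: incoming proposal:
ike 0:spi:1314: proposal id = 0:
ike 0:spi:1314: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:spi:1314: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:spi:1314: type=OAKLEY_GROUP, val=1536.
ike 0:spi:1314: ISAKMP SA lifetime=28800
"""
# Either "type=X, val=Y." or "ISAKMP SA lifetime=N" yields one (key, value) pair.
ATTR = re.compile(r"type=(\w+), val=(\w+)\.|SA (lifetime)=(\d+)")

def parse_proposals(text):
    """Split the dump into (local, incoming): lists of {attribute: value}, one per transform."""
    local, incoming, side, cur = [], [], None, None
    for line in text.splitlines():
        if "my proposal" in line:
            side = local
        elif "incoming proposal" in line:
            side = incoming
        elif "proposal id =" in line and side is not None:
            cur = {}
            side.append(cur)
        elif cur is not None and (m := ATTR.search(line)):
            key, val = [g for g in m.groups() if g]
            cur[key] = val
    return local, incoming

def closest_match(local, incoming):
    """Per initiator transform: index of the nearest responder transform and the attributes
    that differ. An empty list means an exact match, so the failure is not in these attributes."""
    report = []
    for inc in incoming:
        diffs = [sorted(k for k in inc if inc[k] != loc.get(k)) for loc in local]
        best = min(range(len(local)), key=lambda i: len(diffs[i]))
        report.append((best, diffs[best]))
    return report
```

On the constructed sample the report is `[(0, ['AUTH_METHOD'])]`: the client offered PSK with XAUTH while the nearest responder transform is plain PSK. Feed `closest_match(*parse_proposals(open("ike.log").read()))` the real dump to run it on a captured log.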

Can you paste the Fortigate configuration of the tunnel? (I will edit an answer in, but without the config I can't help you.)

Could you also include the Shrew Soft config? Obviously there is a mismatch somewhere in the configuration. Local ID? DH group? What happens if you deselect XAUTH and use PSK only?

I can see that in your configuration you have different phase 2 cipher types:

    set proposal 3des-sha1 aes128-sha1

and in Shrew Soft VPN:

    s:phase2-transform:esp-3des
    s:phase2-hmac:sha1

Use either AES-128 or 3DES on both sides. That should fix the problem.