[Swan] Need Help in Phase 2 Failures

Paul Wouters paul at nohats.ca
Tue Jan 22 16:00:37 UTC 2019


On Tue, 22 Jan 2019, Raees Khan wrote:

> I am currently having an issue with the Libreswan IPsec implementation with a Fortinet Firewall. Libreswan with Cisco is working fine for me.
> 
> The behavior is weird in case of Fortinet. I have matched all the parameters on both sides (IKE ALGO + ESP ALGO) all is same including
> timers. The ISAKMP/IPSEC SA is established and then it again starts Quick Mode. Complete logs are given below. The continuous logging
> activity and phase 2 failure messages are shown on both devices.

> Jan  9 12:26:12 R1-1500 pluto[4507]: "Link1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha
> group=MODP1536}

phase 1 came up.

> Jan  9 12:26:12 R1-1500 pluto[4507]: "Link1" #2: initiating Quick Mode
> PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:98bc42c3 proposal=AES(12)_256-SHA1(2)
> pfsgroup=OAKLEY_GROUP_MODP1536}
> Jan  9 12:26:12 R1-1500 pluto[4507]: "Link1" #1: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=16

phase 2 got rejected. So there is a mismatch here.

Perhaps the DH for phase 2 is wrong, or they don't want PFS at all? Or
they don't like your aes 256 key size?

So try tweaking the phase2/esp line and try pfs=no.

Alternatively, try to have them initiate to you, so you get to see the
proposals in the logs and you can match up what they are asking for.

Or check their logs and see why they rejected your phase 2 proposal.

Paul
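One way to turn the log reading Paul walks through above into a repeatable check, as an added example that is not part of this thread or of Libreswan itself: a small Python triage script that parses pluto lines per connection, notes that phase 1 came up, and flags a NO_PROPOSAL_CHOSEN informational after a Quick Mode attempt as a phase 2 mismatch, listing the checks suggested in the reply. The sample lines are the ones quoted in the thread, re-joined onto single lines where the mail client wrapped them.

```python
import re

# Constructed sample: the pluto lines quoted in the thread, each on one line
# (the mail client wrapped the Quick Mode line). Connection name "Link1" as posted.
SAMPLE_LOG = """\
Jan  9 12:26:12 R1-1500 pluto[4507]: "Link1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP1536}
Jan  9 12:26:12 R1-1500 pluto[4507]: "Link1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:98bc42c3 proposal=AES(12)_256-SHA1(2) pfsgroup=OAKLEY_GROUP_MODP1536}
Jan  9 12:26:12 R1-1500 pluto[4507]: "Link1" #1: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=16
"""

LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #\d+: (?P<msg>.*)$')
QM_RE = re.compile(r'initiating Quick Mode (?P<flags>\S+) .*?proposal=(?P<proposal>[^\s}]+)'
                   r'(?: pfsgroup=(?P<pfsgroup>[^\s}]+))?')

def triage(log: str) -> dict:
    """Per connection: did phase 1 come up, what phase 2 proposal did we send
    (and with which PFS group), and did the peer answer NO_PROPOSAL_CHOSEN."""
    conns = {}
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        c = conns.setdefault(m['conn'], {'phase1': False, 'proposal': None,
                                         'pfsgroup': None, 'pfs': False, 'rejected': False})
        msg = m['msg']
        if 'ISAKMP SA established' in msg:
            c['phase1'] = True
        elif (qm := QM_RE.search(msg)):
            c['proposal'] = qm['proposal']
            c['pfsgroup'] = qm['pfsgroup']
            c['pfs'] = 'PFS' in qm['flags'].split('+')
        elif 'NO_PROPOSAL_CHOSEN' in msg:
            # With phase 1 already up, this informational rejects our Quick Mode proposal.
            c['rejected'] = c['phase1']
    return conns

def diagnose(log: str) -> dict:
    """Map each connection to a verdict and the checks to run on a phase 2 reject."""
    out = {}
    for conn, c in triage(log).items():
        if not c['phase1']:
            out[conn] = ('phase1-not-established', [])
        elif c['rejected']:
            checks = [f"peer rejected ESP proposal {c['proposal']}: compare cipher, key size "
                      "and integrity algorithm with the peer's phase 2 settings"]
            if c['pfs']:
                checks.append(f"we proposed PFS with {c['pfsgroup']}: confirm the peer uses "
                              "the same DH group, or try pfs=no if it does not use PFS")
            checks.append("have the peer initiate, or read its logs, to see its proposal")
            out[conn] = ('phase2-rejected', checks)
        else:
            out[conn] = ('ok', [])
    return out
```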
