December 14th, 2004, 07:25
Hello -

First post here, so I'm hoping someone can help.. here's the run-down:

I have a number of clients that use Forticlient (1.0.207) to connect via a VPN to our Fortigate 100. I have set up another machine with exactly the same configuration, this latest machine is however unable to connect. both the working machines and this latest machine are connected to our LAN for testing.

From the working machine when I try to connect I find that I recieve:

Dec 13 12:27:58: Initiator: sent x.x.x.x aggressive mode message #1 (OK)

Dec 13 12:27:58: Initiator: sent x.x.x.x aggressive mode message #2 (DONE)

Dec 13 12:27:58: Initiator: sent x.x.x.x quick mode message #1 (OK)

Dec 13 12:27:58: Initiator: sent x.x.x.x quick mode message #2 (DONE)

Negotiation succeeded!

From the machine that is failing I recieve:

Dec 13 12:38:2: Initiator: sent x.x.x.x aggressive mode message #1 (OK)

Dec 13 12:38:2: Initiator: parsed x.x.x.x aggressive mode message #1 (ERROR)

When I look in the log I find this:

Error message: loc_ip= loc_port=500 rem_ip=x.x.x.x rem_port=500 out_if=0 vpn_tunnel=londonvpn2 status=negotiate_error msg="Initiator: parsed x.x.x.x aggressive mode message #1 (ERROR)".

This machine is capable of Pinging x.x.x.x.

Any ideas? Thanks in advance


December 14th, 2004, 09:45
My Fortinet isn't up to speed, but that looks a lot like a PSK failure in an old Cisco concentrator. Are you copying the conf files over or entering it by hand? If by hand, might wanna check that thing one more time. =)

BTW- if you don't mind me asking, why do aggressive mode?

December 14th, 2004, 12:40
Atlas -

Thanks for the reply, but there isn't any cisco kit involved here. The VPN box is the fortigate 100, and the forticlient is having problems with it. I realise you dont use it, but if you have a couple clients working on a segment and one having problems... is it most likely config on the PC? Thanks again for the post, it caused me to do a bit of research of pks ;)


December 14th, 2004, 13:38
I was just drawing a parallel between the way Cisco reports (used to look) and the log that you had up there. As you pointed out, since you have clients that are working correctly, I would agree that the problem probably isn't with the Fortigate but more likely with the client that is failing.

PSK is the Pre-Shared Key and I would make sure that the client that is failing has the correct PSK defined as it appears to be failing in the first phase of Internet Key Exchange (IKE).

December 14th, 2004, 17:24
Perfect, thanks for that. I was looking into phase shift keying ;) I'll check it out, thanks for your help

December 14th, 2004, 17:34
on a separate note.. I know that aggressive mode takes less steps, but why would/wouldnt you use it? Use it on an unreliable of high latency link.. something like that?

December 14th, 2004, 17:56

Check out figures 7 and 8; this is a good page for discussion of IPSEC in general if you have theoretical interests.

The major difference is that main mode IKE requires 5 messages to configure the tunnel between the two parties. Aggressive mode only requires 3. Aggressive mode cuts down the number by including the key exchange and proposal in the same message. This can compromise usernames and passwords prior to the formation of the tunnel.

Aggressive mode is typically used when scalability is a major concern as 5 messages is a lot more than 3 when multiplied by hundreds of thousands. Generally, though, aggressive mode is a big no-no because of the clear-text authentication piece. Going to main mode (or hybrid mode, if you're using CheckPoint products) is highly recommended.

Just my two cents... I'm sure there are other opinions on this.

December 15th, 2004, 18:16
Atlas you're a very helpful guy, thanks very much for your posts.