FortiGate
mle2802 (Staff)
Article Id 291458
Description

This article describes one possible cause of a P1_RETRANSMIT on an IPsec tunnel between a FortiGate and pfSense.

Scope

FortiGate and pfSense.
Solution

When creating a site-to-site IPsec tunnel with a pfSense firewall, the Phase 1 negotiation fails and the IKE debug output shows the following:

sent IKE msg (ident_i3send): <ip_of_fgt>:4500-><ip_of_remote_end>:4500, len=108, id=14961d6d3f16486a/3f553c6066e91fac
ike 0: comes <ip_of_remote_end>:500-><ip_of_fgt>:500,ifindex=8....
ike 0: IKEv1 exchange=Informational id=14961d6d3f16486a/3f553c6066e91fac:51da3eaa len=76
ike 0: in 14961D6D3F16486A3F553C6066E91FAC0810050151DA3EAA0000004C25E6CBBC380CCB26039353B6C960C8F3EB3A39226208E8317DF8F8C6C0E44CF01E0A2850C991F25A53A182CAEC13A495
ike 0:fil_e2-dat_e1:370438: dec 14961D6D3F16486A3F553C6066E91FAC0810050151DA3EAA0000004C1CF5C5E69CF0D37883BCF8835E869E3B0C3FB82632241ADD6C943C1CE824C0373485524F1E63EA0CFFC1BB092D0F7B7D
ike 0:fil_e2-dat_e1:370440: out B877B4A9173E298A8596BD5F7895EDA305100201000000000000006C5FF7595E87F64F43BC2E1B3226F1FF46E5A793DE83FE29C4EF696F0FD90120A2A9E11498A64D845CC9BBC48ED3ADB1D8C0C06353DA176278D9799DF5D61595AF2CEB5F7737257DD293A20409E92BE49F
ike 0:fil_e2-dat_e1:370440: sent IKE msg (P1_RETRANSMIT): <ip_of_fgt>:4500-><ip_of_remote_end>:4500, len=108, id=b877b4a9173e298a/8596bd5f7895eda3
ike 0: comes <ip_of_remote_end>:500-><ip_of_fgt>:500,ifindex=8....
ike 0: IKEv1 exchange=Informational id=b877b4a9173e298a/8596bd5f7895eda3:b2ceacff len=76
ike 0: in B877B4A9173E298A8596BD5F7895EDA308100501B2CEACFF0000004CCB36F2BBBBA0B1EB465A94AD5B3C347CF5719D40CD84EDC1F89F2B8A518FF5753DBF071BAEBF7E8C7AA64DDFA7B68C28
ike 0:fil_e2-dat_e1:370440: dec B877B4A9173E298A8596BD5F7895EDA308100501B2CEACFF0000004C690B44395B1CCA084B8C0A9E0DBF58D40264AF8777D14A8A9B738D985820CB60E70445BA106B2CE01E97F069B559A7A0

This happens because the FortiGate sits behind a NAT device and has a private IP address on its WAN interface, so the identifier it presents in Phase 1 (its WAN IP) does not match the peer identifier configured on the pfSense side. To fix this, change the 'Peer identifier' on pfSense to 'IP address' and enter the private IP address of the FortiGate WAN interface.
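As an added example (not code from the article or from Fortinet), the following Python decodes the ISAKMP header at the start of each hex dump in the IKE debug above and flags a Phase 1 retransmit for which the peer is already answering with encrypted Informational messages on the same SPIs, the pattern this article traces to the peer identifier mismatch. The embedded sample lines are taken from the trace above; the regular expressions for the FortiGate debug line format are assumptions derived from that trace.

```python
import re
import struct

# ISAKMP header values (RFC 2408 section 3.1); only the ones this trace uses are named
EXCHANGE_TYPES = {2: "Identity Protection", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"}
NEXT_PAYLOADS = {5: "ID", 8: "HASH", 11: "NOTIFY"}
FLAG_ENCRYPTION = 0x01

def parse_isakmp_header(hex_dump):
    """Decode the 28-byte ISAKMP header that starts each FortiGate 'in'/'out'/'dec' hex dump."""
    raw = bytes.fromhex(hex_dump)
    i_spi, r_spi, nxt, ver, xchg, flags, msg_id, length = struct.unpack("!8s8sBBBBII", raw[:28])
    return {
        "spi": f"{i_spi.hex()}/{r_spi.hex()}",
        "next_payload": NEXT_PAYLOADS.get(nxt, str(nxt)),
        "version": f"{ver >> 4}.{ver & 0xF}",
        "exchange": EXCHANGE_TYPES.get(xchg, str(xchg)),
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "msg_id": f"{msg_id:08x}",
        "length": length,
        "length_matches_dump": length == len(raw),  # cross-check against len= in the log line
    }

# Assumed line formats, derived from the trace quoted in this article
DUMP_RE = re.compile(r"^ike 0(?::[^:]+:\d+)?: (in|out|dec) ([0-9A-Fa-f]{56,})$")
RETX_RE = re.compile(r"\(P1_RETRANSMIT\).*id=([0-9a-f]{16})/([0-9a-f]{16})")

def analyse_ike_debug(log_text):
    """Pair each P1_RETRANSMIT with encrypted inbound Informational messages on the same SPIs."""
    headers, retransmits = [], []
    for line in log_text.splitlines():
        if m := DUMP_RE.match(line.strip()):
            headers.append({"direction": m.group(1), **parse_isakmp_header(m.group(2))})
        elif m := RETX_RE.search(line):
            retransmits.append(f"{m.group(1)}/{m.group(2)}")
    # The peer answers on the same SPIs, so the Main Mode message did arrive; it replies with an
    # encrypted Informational instead of continuing Phase 1 (the article: peer identifier mismatch).
    rejected = {h["spi"] for h in headers
                if h["direction"] == "in" and h["exchange"] == "Informational" and h["encrypted"]}
    return {"headers": headers, "retransmit_spis": retransmits,
            "rejected_by_peer": sorted(set(retransmits) & rejected)}

# Sample input: four lines taken from the debug output quoted above (IP placeholders as written)
SAMPLE_LOG = """\
ike 0: in 14961D6D3F16486A3F553C6066E91FAC0810050151DA3EAA0000004C25E6CBBC380CCB26039353B6C960C8F3EB3A39226208E8317DF8F8C6C0E44CF01E0A2850C991F25A53A182CAEC13A495
ike 0:fil_e2-dat_e1:370440: out B877B4A9173E298A8596BD5F7895EDA305100201000000000000006C5FF7595E87F64F43BC2E1B3226F1FF46E5A793DE83FE29C4EF696F0FD90120A2A9E11498A64D845CC9BBC48ED3ADB1D8C0C06353DA176278D9799DF5D61595AF2CEB5F7737257DD293A20409E92BE49F
ike 0:fil_e2-dat_e1:370440: sent IKE msg (P1_RETRANSMIT): <ip_of_fgt>:4500-><ip_of_remote_end>:4500, len=108, id=b877b4a9173e298a/8596bd5f7895eda3
ike 0: in B877B4A9173E298A8596BD5F7895EDA308100501B2CEACFF0000004CCB36F2BBBBA0B1EB465A94AD5B3C347CF5719D40CD84EDC1F89F2B8A518FF5753DBF071BAEBF7E8C7AA64DDFA7B68C28
"""
```

Running `analyse_ike_debug(SAMPLE_LOG)` shows the outbound message is Main Mode with an ID payload (len=108) while both inbound messages are encrypted Informational exchanges (len=76), matching the len= values printed in the trace.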

(Screenshot pfsese.png: the pfSense Phase 1 'Peer identifier' setting described above.)