IPSec negotiate_error

One end of the IPSec tunnel is a dial-up network. After the IPSec dial-up connects successfully, it occasionally drops without warning, and the log shows a negotiation failure. Sometimes it reconnects automatically; sometimes IPSec only reconnects normally after a reboot. What causes this?
Firewall model: FortiWiFi 30E
Firewall version: v5.4.1,build1064 (GA)
 
 
The VPN event log error is as follows:
date=2017-03-28 time=09:06:10 logid=0101037132 type=event subtype=vpn level=critical vd=root logdesc="IPsec ESP" msg="IPsec ESP" action=error remip=****** locip=********* remport=0 locport=500 outintf="ppp1" cookies="6af3b5e49ba63de0/f1e094196d6a8eac" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="to-center" status=esp_error error_num="Invalid ESP packet detected (replayed packet)." spi="5a5a33e8" seq="00000002"
 
 
 
Output of # diagnose debug application ike -1, enabled at the time of the IPSec phase 1 error:
 
# ike 0: comes **********:500->***********:500,ifindex=32....
ike 0: IKEv1 exchange=Informational id=bcde29e4e94b42e5/603432231f6482c5:740f7f27 len=92
ike 0: in BCDE29E4E94B42E5603432231F6482C508100501740F7F270000005CD9446AB77C43BBC2BFAC9D50561F325450C5A3E4AB383F085FC31C04AA77DDFCFA9CF94D38FED706590E2398E1720A5F231EB7775D83E467F4E4C8D835B1A257
ike 0:to-center:13: dec BCDE29E4E94B42E5603432231F6482C508100501740F7F270000005C0B000018755BFFAA6F878D7932757B8E1A6AEBA1A57E888F000000200000000101108D28BCDE29E4E94B42E5603432231F6482C500004B681F6BBC0ECD769107
ike 0:to-center:13: notify msg received: R-U-THERE
ike 0:to-center:13: enc BCDE29E4E94B42E5603432231F6482C5081005019CCB9FBC000000540B000018CC526E9D42904D1C24131BE832B957E49B475B85000000200000000101108D29BCDE29E4E94B42E5603432231F6482C500004B68
ike 0:to-center:13: out BCDE29E4E94B42E5603432231F6482C5081005019CCB9FBC0000005CDA0902CF8EEFF54F5CD1B10DB1B7FD0419F4CF3B8E8BED126C1DDDD81BFEE0E70C2FAEA39738B3133C48189B6985DD129E1062A17FC7B45A097235FA00B5CE4E
ike 0:to-center:13: sent IKE msg (R-U-THERE-ACK): ***********:500->**********:500, len=92, id=bcde29e4e94b42e5/603432231f6482c5:9ccb9fbc
ike shrank heap by 126976 bytes
ike 0: comes **********:54636->**********:500,ifindex=32....
ike 0: IKEv1 exchange=Identity Protection id=3e35c70729dfedef/0000000000000000 len=64
ike 0: in 3E35C70729DFEDEF000000000000000001100200000000000000004000000024000000010000000100000018010104012EBF193C0000000C0101000080010006
ike 0:3e35c70729dfedef/0000000000000000:14: responder: main mode get 1st message...
ike 0:3e35c70729dfedef/0000000000000000:14: no proposal found
ike 0:3e35c70729dfedef/0000000000000000:14: no SA proposal chosen
 
 
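As an added triage example (not code from the post or from Fortinet), the following Python parses the FortiGate key=value event line and the ike debug lines quoted in the question, counting replayed-ESP rejections per tunnel and listing the IKEv1 phase-1 attempts that the responder rejected with "no SA proposal chosen". The sample input is the text from the question (IPs masked as posted); the function names are my own.

```python
import re
from collections import Counter

# FortiGate event logs are space-separated key=value pairs; values containing spaces are double-quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# ike debug lines for a peer that matched no tunnel look like: ike 0:<icookie>/<rcookie>:<n>: <message>
IKE_RE = re.compile(r'^ike \d+:([0-9a-f]{16}/[0-9a-f]{16}):\d+: (.*)$')

# Sample input: the event line and the relevant debug lines quoted in the question above.
EVENT_LOG = [
    'date=2017-03-28 time=09:06:10 logid=0101037132 type=event subtype=vpn level=critical vd=root '
    'logdesc="IPsec ESP" msg="IPsec ESP" action=error remip=****** locip=********* remport=0 '
    'locport=500 outintf="ppp1" cookies="6af3b5e49ba63de0/f1e094196d6a8eac" user="N/A" group="N/A" '
    'xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="to-center" status=esp_error '
    'error_num="Invalid ESP packet detected (replayed packet)." spi="5a5a33e8" seq="00000002"',
]
IKE_DEBUG = [
    "ike 0:to-center:13: notify msg received: R-U-THERE",
    "ike 0:3e35c70729dfedef/0000000000000000:14: responder: main mode get 1st message...",
    "ike 0:3e35c70729dfedef/0000000000000000:14: no proposal found",
    "ike 0:3e35c70729dfedef/0000000000000000:14: no SA proposal chosen",
]

def parse_fortigate_log(line):
    """Split one FortiGate key=value log line into a dict, stripping the surrounding quotes."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}

def is_esp_replay_error(fields):
    """True when the event is an IPsec ESP anti-replay rejection (status=esp_error, replayed packet)."""
    return (fields.get("subtype") == "vpn" and fields.get("status") == "esp_error"
            and "replayed packet" in fields.get("error_num", ""))

def summarize_esp_replay(lines):
    """Per-tunnel count of replay rejections, plus (tunnel, spi, seq) so repeats on one SA stand out."""
    counts, details = Counter(), []
    for line in lines:
        fields = parse_fortigate_log(line)
        if is_esp_replay_error(fields):
            counts[fields.get("vpntunnel", "?")] += 1
            details.append((fields.get("vpntunnel"), fields.get("spi"), int(fields.get("seq", "0"), 16)))
    return counts, details

def failed_phase1_attempts(debug_lines):
    """Cookie pairs of IKEv1 phase-1 attempts the responder rejected with 'no SA proposal chosen'."""
    rejected = []
    for line in debug_lines:
        match = IKE_RE.match(line)
        if match and match.group(2) == "no SA proposal chosen" and match.group(1) not in rejected:
            rejected.append(match.group(1))
    return rejected

if __name__ == "__main__":
    print(summarize_esp_replay(EVENT_LOG))
    print(failed_phase1_attempts(IKE_DEBUG))
```

A rising replay count on one SPI while the phase-1 rejections come from a peer whose cookies match no known tunnel is the pattern to look for when deciding whether DPD timing or a tunnel-selection mismatch is the cause.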

 
 
 
 

kmliu - Fortinet-TAC


For dial-up IPsec, please use aggressive mode, and distinguish the different connections by Local-ID and Peer-ID.
I suspect your configuration has both a dial-up VPN and a static-IP VPN, and the peer's connection request is matching the wrong VPN tunnel.

loumzd


This happens a lot because public IPs are in short supply domestically; just turn off DPD and it's fixed.
