INVALID_SPI over S2S IPsec VPN, need help

Good day to everyone.

I have a client with a Fortigate in an HA cluster. The site-to-site IPsec VPN establishes without any trouble, but after phase 2 completes I see multiple INVALID_SPI messages on my side:

VPN-IPSEC: "peer-50.***.2-tunnel-10" #12: ignoring informational payload, type INVALID_SPI

Tunnel 10 is only an example; the same error appears for each tunnel.

Cisco has the feature crypto isakmp invalid-spi-recovery to fix this. Is there any chance that VyOS strongSwan has such a feature, e.g. by adding/removing a charon plugin? My side is VyOS 1.1.7 as a VM, the client's is a Fortigate 100E.

Any thoughts?
Thank you in advance.
Alex M.

Interesting thing: leaving a single tunnel, I do not see SPI errors. But once I activate any second one, they begin a fight for the SPI.
Any ideas what may be happening?
Alex M.

Well, here is the solution.
If you run VyOS <-> Fortigate for an IPsec S2S VPN, you should create a "Custom" VPN on the Fortigate and specify each LAN pair separately. Do not bundle LANs in the phase 2 settings.
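Added example (not the poster's own configuration): a VyOS 1.1.x and FortiOS layout that follows the advice above, with one phase 2 per LAN pair (a VyOS "tunnel" and a matching Fortigate phase2-interface entry) so both peers negotiate the same traffic selectors and each child SA gets its own SPI. Addresses, interface names, group names and the PSK are placeholders.

```text
# --- VyOS 1.1.x side (configure mode); placeholder addresses and PSK ---
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec ike-group IKE-FGT proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-FGT proposal 1 hash 'sha256'
set vpn ipsec esp-group ESP-FGT proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-FGT proposal 1 hash 'sha256'
set vpn ipsec site-to-site peer 192.0.2.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.2.2 authentication pre-shared-secret 'PSK-PLACEHOLDER'
set vpn ipsec site-to-site peer 192.0.2.2 ike-group 'IKE-FGT'
set vpn ipsec site-to-site peer 192.0.2.2 local-address '198.51.100.1'
# One tunnel (phase 2 / child SA) per LAN pair, each with a single prefix pair
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 10 esp-group 'ESP-FGT'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 10 local prefix '10.1.0.0/24'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 10 remote prefix '10.2.0.0/24'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 11 esp-group 'ESP-FGT'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 11 local prefix '10.1.1.0/24'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 11 remote prefix '10.2.0.0/24'

# --- FortiGate side (what a "Custom" VPN produces in the CLI) ---
config vpn ipsec phase1-interface
    edit "vyos"
        set interface "wan1"
        set ike-version 1
        set peertype any
        set proposal aes256-sha256
        set remote-gw 198.51.100.1
        set psksecret PSK-PLACEHOLDER
    next
end
# One phase2-interface entry per LAN pair, mirroring the VyOS tunnels.
# Do not point a single entry at an address group that bundles several subnets.
config vpn ipsec phase2-interface
    edit "vyos-p2-10"
        set phase1name "vyos"
        set proposal aes256-sha256
        set src-subnet 10.2.0.0 255.255.255.0
        set dst-subnet 10.1.0.0 255.255.255.0
    next
    edit "vyos-p2-11"
        set phase1name "vyos"
        set proposal aes256-sha256
        set src-subnet 10.2.0.0 255.255.255.0
        set dst-subnet 10.1.1.0 255.255.255.0
    next
end
```

After committing both sides, a clean state shows one established child SA per tunnel number in "show vpn ipsec sa" on VyOS and no further INVALID_SPI lines in the IPsec log.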


Thanks for sharing!
