Could not create dialup name too long

Posted by
Facebooktwitterredditpinterestlinkedintumblr

Issue:IPSec VPN to Fotigate UTM doesn’t establish. Getting an error “Could not create dialup name too long”.

Platform: Fortigate UTM firmware version 5.2.

Solution: I encountered this issue after upgrading Fortigate firmware from version 5.0.7 to 5.2. In the previous version, I was allowed to enter 14 characters as its IPSec VPN phase 1 name on both CLI and GUI. What I have noticed in the latest firmware, it didn’t allow me to use 14 characters on the GUI but was okay on the CLI. Since I was using the CLI I was confident my IPSec VPN tunnels were working. Upon testing tunnels were not coming up. Enabled debugging on the Fortigate using these commands:

diagnose debug application ike -1
diagnose debug enable

The error I was getting on the debug was “Could not create dialup name too long”. I have also highlighted the error on the debug output below. This issue came up because Fortigate automatically suffix “ipsec-phase1-name_X” (where X is an index) for every tunnel built. Thus, it exceeds the limit of 15 characters.

To solve this problem you have to make sure your IPSec VPN phase 1 name doesn’t exceed 12 characters giving room for 99 tunnels.

ike 3: comes 1.137.195.230:500->211.29.240.115:500,ifindex=41....
ike 3: IKEv1 exchange=Identity Protection id=c8c0feeee245379d/0000000000000000 len=164
ike 3: in C8C0FEEEE245379D00000000000000000110020000000000000000A40D00003800000001000000010000002C01010001000000240101000080010005800200028004000280030001800B0001000C0004000151800D0000144A131C81070358455C5728F20E95452F0D000014439B59F8BA676C4C7737AE22EAB8F5820D0000147D9419A65310CA6F2C179D9215529D560000001490CB80913EBB696E086381B5EC427B1F
ike 3:c8c0feeee245379d/0000000000000000:9: responder: main mode get 1st message...
ike 3:c8c0feeee245379d/0000000000000000:9: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 3:c8c0feeee245379d/0000000000000000:9: VID draft-ietf-ipsec-nat-t-ike-07 439B59F8BA676C4C7737AE22EAB8F582
ike 3:c8c0feeee245379d/0000000000000000:9: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 3:c8c0feeee245379d/0000000000000000:9: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 3:c8c0feeee245379d/0000000000000000:9: negotiation result
ike 3:c8c0feeee245379d/0000000000000000:9: proposal id = 1:
ike 3:c8c0feeee245379d/0000000000000000:9:   protocol id = ISAKMP:
ike 3:c8c0feeee245379d/0000000000000000:9:      trans_id = KEY_IKE.
ike 3:c8c0feeee245379d/0000000000000000:9:      encapsulation = IKE/none
ike 3:c8c0feeee245379d/0000000000000000:9:         type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 3:c8c0feeee245379d/0000000000000000:9:         type=OAKLEY_HASH_ALG, val=SHA.
ike 3:c8c0feeee245379d/0000000000000000:9:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 3:c8c0feeee245379d/0000000000000000:9:         type=OAKLEY_GROUP, val=MODP1024.
ike 3:c8c0feeee245379d/0000000000000000:9: ISAKMP SA lifetime=3600
ike 3:c8c0feeee245379d/0000000000000000:9: SA proposal chosen, matched gateway ipsec-vpn-p1-1
ike 3:ipsec-vpn-p1-1:9: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-07
ike 3:ipsec-vpn-p1-1:9: selected NAT-T version: RFC 3947
ike 3:ipsec-vpn-p1-1:9: cookie c8c0feeee245379d/369d2beb46a82f7a
ike 3:ipsec-vpn-p1-1:9: out C8C0FEEEE245379D369D2BEB46A82F7A0110020000000000000000900D00003800000001000000010000002C01010001000000240101000080010005800200028004000280030001800B0001000C0004000151800D0000144A131C81070358455C5728F20E95452F0D000014AFCAD71368A1F1C96B8696FC77570100000000148299031757A36082C6A621DE0005024D
ike 3:ipsec-vpn-p1-1:9: sent IKE msg (ident_r1send): 211.29.240.115:500->1.137.195.230:500, len=144, id=c8c0feeee245379d/369d2beb46a82f7a
ike 3: comes 1.137.195.230:500->211.29.240.115:500,ifindex=41....
ike 3: IKEv1 exchange=Identity Protection id=c8c0feeee245379d/369d2beb46a82f7a len=284
ike 3: in C8C0FEEEE245379D369D2BEB46A82F7A04100200000000000000011C0A000084D8DD7F8DD480AFEA8BDBAD770C10C4C3FBC28E8E12531E8F7236FF0282074845EF63F8285AFCD6CB3BE01C54D3B5ABC635EDF013CFF1B8581D776FBE0A19B8E7279E9F8C3F9D52A7EE139512444D79ABB87B92C85C0BCA30A67D0B583AB2D6CF2F81F6A5289AAA54DF74A8366B677D7EE731056C380BFA2A888B16014C9FACBE0D000018AFF487F2B0ADB9BACAD56723A71C18F0A673CB2A0D000014AFCAD71368A1F1C96B8696FC775701000D0000143D0759F3E244379D7EC60474B36C8DDF1400000C09002689DFD6B712140000184A727818E43F4F7723B27731D9E39BD1E6E95A4100000018FBCA246132C4197E022F8EA370121DE57968C67A
ike 3:ipsec-vpn-p1-1:9: responder:main mode get 2nd message...
ike 3:ipsec-vpn-p1-1:9: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 3:ipsec-vpn-p1-1:9: VID unknown (16): 3D0759F3E244379D7EC60474B36C8DDF
ike 3:ipsec-vpn-p1-1:9: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
ike 3:ipsec-vpn-p1-1:9: NAT detected: PEER
ike 3:ipsec-vpn-p1-1:9: out C8C0FEEEE245379D369D2BEB46A82F7A0410020000000000000000E40A0000844F2FD1C96D262A25AAC2F8AF62339B2A62ACEE83298BA8365A94DD37D40397F7A682AA186D1862DD65FCCE41ED7252D64A4A2847937D988F0CA7D21AF8D8DB9FCE6E4A6008EB48795DE1C0DFC837B32365CB20C5FAA9AE15D230413EEC6507072BF671952BE19A9098CB25C8D1FD276A7D5CBDC6D1ABA668BD80B0B2CA1A55E314000014F9AAB4F8283938C46CEB958EEBABC18C14000018CE27A072D8C226DB244ECA852A09103B0B2BBABE000000184A727818E43F4F7723B27731D9E39BD1E6E95A41
ike 3:ipsec-vpn-p1-1:9: sent IKE msg (ident_r2send): 211.29.240.115:500->1.137.195.230:500, len=228, id=c8c0feeee245379d/369d2beb46a82f7a
ike 3:ipsec-vpn-p1-1:9: ISAKMP SA c8c0feeee245379d/369d2beb46a82f7a key 24:3C7A6AD2C9A52DBB970DAC87FD4A047E2A4014B540CAEB42
ike 3: comes 1.137.195.230:4500->211.29.240.115:4500,ifindex=41....
ike 3: IKEv1 exchange=Identity Protection id=c8c0feeee245379d/369d2beb46a82f7a len=100
ike 3: in C8C0FEEEE245379D369D2BEB46A82F7A051002010000000000000064B3CFBF3E3EAD85097169DDF4BCAA7BC1132BAECE1E7977550ADE5EE3FFBAD9CA4211EBD3DC43F7F359C3149B73B1911515A447C0E84F3A84C4E0959E2AE0AC59B137AE21ADF0FA22
ike 3:ipsec-vpn-p1-1:9: responder: main mode get 3rd message...
ike 3:ipsec-vpn-p1-1:9: dec C8C0FEEEE245379D369D2BEB46A82F7A0510020100000000000000640800000C011100000AA806F90B000018CF9A2BD55BA86C83B873654A48FFD1E40812BF180000001C0000000101106002C8C0FEEEE245379D369D2BEB46A82F7A0000000000000000
ike 3:ipsec-vpn-p1-1:9: received notify type 24578
ike 3:ipsec-vpn-p1-1:9: peer identifier IPV4_ADDR 10.168.6.249
ike 3:ipsec-vpn-p1-1:9: PSK authentication succeeded
ike 3:ipsec-vpn-p1-1:9: authentication OK
ike 3:ipsec-vpn-p1-1:9: enc C8C0FEEEE245379D369D2BEB46A82F7A0510020100000000000000400800000C01000000DF1DF17300000018757C85B7CE343DB641A5191F922FD783FFD7EFF5
ike 3:ipsec-vpn-p1-1:9: remote port change 500 -> 4500
ike 3:ipsec-vpn-p1-1:9: out C8C0FEEEE245379D369D2BEB46A82F7A0510020100000000000000444A7726E29F25FF9471F1B92404BF51D9784C1C97A29D43C05438DDC41C10C17FC3B7933A2BA3FFF7
ike 3:ipsec-vpn-p1-1:9: sent IKE msg (ident_r3send): 211.29.240.115:4500->1.137.195.230:4500, len=68, id=c8c0feeee245379d/369d2beb46a82f7a
ike 3:ipsec-vpn-p1-1:9: established IKE SA c8c0feeee245379d/369d2beb46a82f7a
ike 3:ipsec-vpn-p1-1: adding new dynamic tunnel for 1.137.195.230:4500
<strong>ike 3:ipsec-vpn-p1-1_0: could not create dialup name ipsec-vpn-p1-1_0, too long</strong>
ike 3:ipsec-vpn-p1-1:9: schedule delete of IKE SA c8c0feeee245379d/369d2beb46a82f7a
ike 3: comes 1.137.195.230:4500->211.29.240.115:4500,ifindex=41....
ike 3: IKEv1 exchange=Quick id=c8c0feeee245379d/369d2beb46a82f7a:05d4fc5a len=164
ike 3: in C8C0FEEEE245379D369D2BEB46A82F7A0810200105D4FC5A000000A451A4608BE75A6C42CDC77580F61EB2A5842B02544F58BA2C9AC433F7788DA7D52CB561E97A6C3C81D9F2550DED9565E68A037A0AFED7E87EBEA1CD5858674D009DCCE9996876F324D8A7F79D23202132E9A46BDFB386B01A4EF28C91E9F28D5C64B342D544F32343C2EFF2B4B7B43F3BDC12DD014E9B8CFE4900704DB1F2A3A0C15E4334D580C40A
ike 3:ipsec-vpn-p1-1:9: can not start the quick mode 00000000, waiting to establish ISAKMP SA c8c0feeee245379d/369d2beb46a82f7a
ike 3:ipsec-vpn-p1-1:9: scheduled delete of IKE SA c8c0feeee245379d/369d2beb46a82f7a
ike 3:ipsec-vpn-p1-1: connection expiring due to phase1 down
ike 3:ipsec-vpn-p1-1: deleting
ike 3:ipsec-vpn-p1-1: flushing
ike 3:ipsec-vpn-p1-1: sending SNMP tunnel DOWN trap
ike 3:ipsec-vpn-p1-1: flushed
ike 3:ipsec-vpn-p1-1: reset NAT-T
ike 3:ipsec-vpn-p1-1: deleted

Leave a Reply

Your email address will not be published. Required fields are marked *

*