Site-to-Site Tunnel failing...

FernandoDM · ‎05-05-2015

Hello, Having issues keeping a VPN Site-to-Site tunnel up..

My devices are a FG100D and the remote device is a FG30, both have been updated to v5.2.3 firmware. I set up the site-to-site with the VPN wizard, the VPN tunnel was working for about 3 days and then it stopped.

Tried debugging on the near end (Remote end FG30 device is about an hour drive away, I would like to resolve it from this end if possible without having to drive there). In the debug it says: P1_RETRANSMIT about 3 times then goes to a negotiation timeout, deleting... Connection expiring due to phase1 down.

Tried setting the VPN interface to IKE V1 and aggressive mode but same result. Set it back to IKE2. Not sure if that is the default because setting up with the wizard does not specify. I figured it would default to IKE V2.

Looked at a few forum threads and this one had some interesting commands to restart the VPN tunnel:

https://forum.fortinet.com/tm.aspx?m=107918

# execute router restart

# diagnose debug application ike 2 # diagnose debug enable # diagnose vpn ike restart

Any help is appreciated, Thanks!

emnoc · ‎05-05-2015

Logs, show outputs, & configuration details would be nice, also did you do this in Route or Policy based, but what I would do. if either party are behind NAT translation; " than enabled nat-T or deploy ikev2 "

2nd config the exact proposals. In fact I would copy the config from one FIREWALL and used it at the other side ( just change the interface and address )

for the last step, I would copy the one side phase2 settings and once again swap the src/dst-subnets details

lastly, ensure that fwpolicy and a route-exists ( the latter is only for route-base )

next, google socpuppet vpn troubleshooting for good t-shoot steps.

socpuppet.blogspot.com/.../site-2-site-routed-vpn-trouble-shooting.html

PCNSE

NSE

StrongSwan

View solution in original post

emnoc · ‎05-27-2015

All zero is not the problem, as long as the remote & local vpn devices are using 0.0.0.0/0:0 as the same for it's src/dst-subnet than that's okay. And if both devices are fortigate that's okay also.

What's probably the issues, you don't have the auto-neg enable under the phase2 settings;

config vpn ipsec phase2-interface edit "sega-p2" set phase1name "sega-main"

set auto-negotiate enable set src-subnet 0.0.0.0/0 set dst-subnet 0.0.0.0/0 next

I believe you need to check the full cfg from the CLI and you will find the above is set to "disable". Confirm also the keepalives are the same for the SA & enabled

e.g ( enabled and set for seconds at 1hour )

set keepalive enabled <------KAs are enabled set keylife-type seconds <---- lifetime is set for seconds vrs bytes

set keylifeseconds 3600 <------1 hour

Try the above for both devices and re-monitor and I bet you will have no problems in the future.

PCNSE

NSE

StrongSwan

View solution in original post

emnoc · ‎05-05-2015

Logs, show outputs, & configuration details would be nice, also did you do this in Route or Policy based, but what I would do. if either party are behind NAT translation; " than enabled nat-T or deploy ikev2 "

2nd config the exact proposals. In fact I would copy the config from one FIREWALL and used it at the other side ( just change the interface and address )

for the last step, I would copy the one side phase2 settings and once again swap the src/dst-subnets details

lastly, ensure that fwpolicy and a route-exists ( the latter is only for route-base )

next, google socpuppet vpn troubleshooting for good t-shoot steps.

socpuppet.blogspot.com/.../site-2-site-routed-vpn-trouble-shooting.html

PCNSE

NSE

StrongSwan

juanchonica · ‎05-18-2015

same problem!!!

did you find any solution?

juanchonica · ‎05-26-2015

it does it work, but i dont know why for some reason constantly is going down and i have to restart the fgt :\

FernandoDM · ‎05-18-2015

All of these steps were done on both sides.

- I changed the tunnel from a Wizard created Tunnel to a Custom Tunnel.

- In Authentication, changed the IKE to V2..

- In Phase 1 - Setup different Diffie-Hellman groups than the default (make sure it matches both sides) and removed all of the other encryption algorithms except the first one AES128-SHA256.

-In Phase 2 - Went in to Advanced > remove all encryption algorithms except AES128-SHA1. Also changed diffie-hellman group to something other than default (make sure they match on both sides). Put a check in everything below the diffie hellman settings > Local Port/Remote Port/Autokey keep alive/auto-negotiate.

It was up for about 5 days and DSL had a blip. This caused the tunnel to go down and it didn't come back up when the DSL was back up. Had to reboot the 30D and the tunnel came back up and it has been up for 5 days now.

I don't know if that counts as a fix if you still have to reboot the device every time a DSL line goes down... :\

Let me know if you have better luck. Thanks!

FernandoDM · ‎05-19-2015

UPDATE: Uptime was about 5 days, the tunnel went down. Rebooted the 30D and the tunnel came back up.

Co-worker said he read a post about a similar issue to mine. The fix was to update the Phase 2 section of the tunnel with the correct local and remote IP subnet information. I updated that information and rebooted the 30D again. Tunnel is up and I am able to connect to the devices on the other side of the tunnel. Just have to wait and see another 4-5 days if it stays up.

I guess I should clarify that with the Tunnel Wizard, P2 subnet information defaults to all zeroes. It works but it is not specifically the right information for my IP configuration. I narrowed it down to just the specific IP subnets that we are using and not a generic all zeros.

juanchonica · ‎05-20-2015

will try all the above ideas, i will let you know if does it work

emnoc · ‎05-27-2015

All zero is not the problem, as long as the remote & local vpn devices are using 0.0.0.0/0:0 as the same for it's src/dst-subnet than that's okay. And if both devices are fortigate that's okay also.

What's probably the issues, you don't have the auto-neg enable under the phase2 settings;

config vpn ipsec phase2-interface edit "sega-p2" set phase1name "sega-main"

set auto-negotiate enable set src-subnet 0.0.0.0/0 set dst-subnet 0.0.0.0/0 next

I believe you need to check the full cfg from the CLI and you will find the above is set to "disable". Confirm also the keepalives are the same for the SA & enabled

e.g ( enabled and set for seconds at 1hour )

set keepalive enabled <------KAs are enabled set keylife-type seconds <---- lifetime is set for seconds vrs bytes

set keylifeseconds 3600 <------1 hour

Try the above for both devices and re-monitor and I bet you will have no problems in the future.

PCNSE

NSE

StrongSwan

Kess · ‎05-28-2015

I have exactly the same problem between a 60D and a VM00.

In order to re-establish the tunnel I need to reboot the 60D. Reboot of the VM00 has no effect.

I tried now to modify the cfg with your suggestions on both firewalls. I'll let you know in the next 4-5 days if the problem has been resolved.

For the moment, thank you :)

FernandoDM · ‎05-28-2015

Still having the issue on my end. Changed PHASE 2 back to all zeroes since it did not have any effect and emonoc mentioned it should not have any relevance.

@emonoc - I made the changes back to all zeroes. Added the kelifeseconds and the keylife-type seconds commands. Here is the current config from both sides.

config vpn ipsec phase2-interface edit "100D-VPN1" set phase1name "100D-VPN1" set proposal aes256-sha1 set dhgrp 20 16 set keepalive enable set auto-negotiate enable set keylifeseconds 3600 next

config vpn ipsec phase2-interface edit "30D-VPN1" set phase1name "30D-VPN1" set proposal aes256-sha1 set dhgrp 20 16 set keepalive enable set auto-negotiate enable set keylifeseconds 3600 next

Also I called FortiNet support. The tech said that the upgrade path that I took from firmware 5.0 to 5.2.3 was incorrect. He said I had to format the device and install the firmware from scratch. This explanation sounds hokey to me but in any case, I have a FW30D-POE that I can mess around with and I will try it on that one since it is a spare.

Here is the documentation that the support rep gave me: http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=10338&sliceId=...