Hello! I would really appreciate your help regarding this issue that I am having with AWS IPSEC tunnels over a Fortigate.
Scenario:
Currently I have a working Fortigate (F60D) with 2 tunnels to AWS VPC to servers that resides at 192.168.0.0 on one internet provider (ISP1)
Now, I added second internet provider(ISP2) and a new Fortigate (F70D) with static IP that is connected to a gateway on a point to point line to get to the internet through ISP2.
I would like to COPY the already existing tunnels (from ISP1) onto the new Fortigate(ISP2) that I have (to be used in tandem or as backup), so I created a new virtual gateway on amazon (AWS) and attached the gateway with the routes.
The problem: The tunnels do show as "UP" on the fortigate (ISP2) but I cant reach the AWS servers.
I have triple checked the configuration given from AWS and how it is added on the fortigate and cant figure out what is wrong. Also checked the configurations on AWS VPC dashboard and everything seems ok there.
When debbugging the issue with packet sniffer
our fortigate on ISP2 sends alot of these:
Y.Y.Y.Y.4500 -> YY.YY.YY.YY.4500: udp
X.X.X.X.4500 -> XX.XX.XX.XX.4500: udp
With no incoming <-
When diagnosing the ike tunnel
ike 0:vpn-XXYYXX:40: sent IKE msg (R-U-THERE): Y.Y.Y.Y:4500->Y.Y.YY.Y:4500, len=92, id=7411eb41bcdcd6c6/c1c4a89301b83808:abaf846b ike 0: comes Y.Y.Y.Y.4500 -> YY.YY.YY.YY.4500,ifindex=5.... ike 0: IKEv1 exchange=Informational id=7411eb41bcdcd6c6/c1c4a89301b83808:5895800a len=92 ike 0: in 7411EB41BCDCD6C6C1C4A89301B83808081005015895800A0000005C7E4DE7BC501E142CABAEB9DD700318D6499281D1C66BBDB7AE81DAB4A3B3B4CE0E47CA847929F027244B122CD4AC53B222DD67E58FE25C9A2A4A59ABDC19D261 ike 0:vpn-XXYYXX:40: dec 7411EB41BCDCD6C6C1C4A89301B83808081005015895800A0000005C0B0000184B2D55F5B934FA50B4369B01C1BB74D8F9E6B637000000200000000101108D287411EB41BCDCD6C6C1C4A89301B8380800006FE30000000000000000 ike 0:vpn-XXYYXX:40: notify msg received: R-U-THERE ike 0:vpn-XXYYXX:40: enc 7411EB41BCDCD6C6C1C4A89301B83808081005010C1144E9000000540B000018ACA5F8B74A1CA2BF70D4CA5F3F450EA04969E887000000200000000101108D297411EB41BCDCD6C6C1C4A89301B8380800006FE3 ike 0:vpn-XXYYXX:40: out 7411EB41BCDCD6C6C1C4A89301B83808081005010C1144E90000005C21C13C13A3569F3812FBF1AA3AAE5FAC2251F917D90FCEA2A275A9FDD81A63EC8234F65D6634F18120080318A56BBA5F0D474C717E825046845F67FB2A156E5E ike 0:vpn-XXYYXX:40: sent IKE msg (R-U-THERE-ACK): X.X.X.X.4500 -> XX.XX.XX.XX.4500:, len=92, id=7411eb41bcdcd6c6/c1c4a89301b83808:0c1144e9 ike 0: comes X.X.X.X.4500 -> XX.XX.XX.XX.4500:,ifindex=5.... ike 0: IKEv1 exchange=Informational id=7411eb41bcdcd6c6/c1c4a89301b83808:9af2b73d len=92 ike 0: in 7411EB41BCDCD6C6C1C4A89301B83808081005019AF2B73D0000005C2D64365E03A12A2979388AEB9C15B56C258BCD7FCF2B8FD5D1066F0C1B2306A649B17AB60E5BA7F59085EB0EA38D98B897065E5389DC190A201F5532AE2C20CB ike 0:vpn-XXYYXX:40: dec 7411EB41BCDCD6C6C1C4A89301B83808081005019AF2B73D0000005C0B0000188E21C5E607CC160B529713DA99EDE30FFE838A55000000200000000101108D297411EB41BCDCD6C6C1C4A89301B83808000000540000000000000000 ike 0:vpn-XXYYXX:40: notify msg received: R-U-THERE-ACK
I would really appreciate if anyone could give me any insight into the above issues.
Solved! Go to Solution.
cli cmds are your friend
check for IKE SA
diag vpn ike gateway list
check for Phase2 SA ( should be two uni-directional ones )
diag vpn tunnel list
Check for traffic flow
diag debug flow
Do the above in the above order, if you have no IKE SAs, diagnose why ( PSK mismatch , IKEversion# , proposal , left/right gateway incorrect )
If you have no Phase2-SAs ( again proposals )
If you have no traffic matching any fwpolicy ( route(s), fwpolicy(s),etc....)
http://socpuppet.blogspot.com/2013/10/site-2-site-routed-vpn-trouble-shooting.html
http://socpuppet.blogspot.com/2014/02/dual-vpc-terminate-on-fortigate-firewall.html
PCNSE
NSE
StrongSwan
cli cmds are your friend
check for IKE SA
diag vpn ike gateway list
check for Phase2 SA ( should be two uni-directional ones )
diag vpn tunnel list
Check for traffic flow
diag debug flow
Do the above in the above order, if you have no IKE SAs, diagnose why ( PSK mismatch , IKEversion# , proposal , left/right gateway incorrect )
If you have no Phase2-SAs ( again proposals )
If you have no traffic matching any fwpolicy ( route(s), fwpolicy(s),etc....)
http://socpuppet.blogspot.com/2013/10/site-2-site-routed-vpn-trouble-shooting.html
http://socpuppet.blogspot.com/2014/02/dual-vpc-terminate-on-fortigate-firewall.html
PCNSE
NSE
StrongSwan
Hi,
Thanks for your reply :)
I've done above steps,
In diag debug flow I do not see anything
In Diag vpn tunnel list I see this:
name=vpn-XXXX-1 ver=1 serial=8 IP.IP.IP.IP:0->IP.IP.IP.IP:0 lgwy=static tun=intf mode=auto bound_if=5 proxyid_num=1 child_num=0 refcnt=6 ilast=3 olast=3 stat: rxp=0 txp=0 rxb=0 txb=0 dpd: mode=active on=1 idle=10000ms retry=3 count=0 seqno=12574 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=vpn-XXXX-1 proto=0 sa=1 ref=2 serial=1 src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0 SA: ref=3 options=0000000e type=00 soft=0 mtu=1358 expire=957/0B replaywin=1024 seqno=1 life: type=01 bytes=0/0 timeout=3551/3600 dec: spi=3b37a701 esp=aes key=16 123456 ah=sha1 key=20 1234565 enc: spi=917ca6d6 esp=aes key=16 123456 ah=sha1 key=20 123456 dec:pkts/bytes=0/0, enc:pkts/bytes=0/0 npu_flag=00 npu_rgwy=IP.IP.IP.IP npu_lgwy=IP.IP.IP.IP npu_selid=7 dec_npuid=0 enc_npuid=0
and as I mentioned before I see these DPD messages R-U-There, R-U-There-ACK
Please advice me on this matter :(
Thanks
Your tunnel is up, and two way exachanges for DPD (R-U-THERE, R-U-THERE-ACK) in ike debugging.
Check traffic selectors and policies as emnoc said, and make sure necessary routes are there toward the tunnel on both ends. Then run flow debug as in emnoc's comment when you send packets toward the tunnel.
Hi ,
are both the tunnels are up in ISP 1 and ISP 2 .
Could you get this below output .
dia vpn tunnel list
get router info routing-table database
Regards
Santhosh
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.