- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- AWS Ipsec Tunnels
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
AWS Ipsec Tunnels
Hello! I would really appreciate your help regarding this issue that I am having with AWS IPSEC tunnels over a Fortigate.
Scenario:
Currently I have a working Fortigate (F60D) with 2 tunnels to AWS VPC to servers that resides at 192.168.0.0 on one internet provider (ISP1)
Now, I added second internet provider(ISP2) and a new Fortigate (F70D) with static IP that is connected to a gateway on a point to point line to get to the internet through ISP2.
I would like to COPY the already existing tunnels (from ISP1) onto the new Fortigate(ISP2) that I have (to be used in tandem or as backup), so I created a new virtual gateway on amazon (AWS) and attached the gateway with the routes.
The problem: The tunnels do show as "UP" on the fortigate (ISP2) but I cant reach the AWS servers.
I have triple checked the configuration given from AWS and how it is added on the fortigate and cant figure out what is wrong. Also checked the configurations on AWS VPC dashboard and everything seems ok there.
When debbugging the issue with packet sniffer
our fortigate on ISP2 sends alot of these:
Y.Y.Y.Y.4500 -> YY.YY.YY.YY.4500: udp
X.X.X.X.4500 -> XX.XX.XX.XX.4500: udp
With no incoming <-
When diagnosing the ike tunnel
ike 0:vpn-XXYYXX:40: sent IKE msg (R-U-THERE): Y.Y.Y.Y:4500->Y.Y.YY.Y:4500, len=92, id=7411eb41bcdcd6c6/c1c4a89301b83808:abaf846b ike 0: comes Y.Y.Y.Y.4500 -> YY.YY.YY.YY.4500,ifindex=5.... ike 0: IKEv1 exchange=Informational id=7411eb41bcdcd6c6/c1c4a89301b83808:5895800a len=92 ike 0: in 7411EB41BCDCD6C6C1C4A89301B83808081005015895800A0000005C7E4DE7BC501E142CABAEB9DD700318D6499281D1C66BBDB7AE81DAB4A3B3B4CE0E47CA847929F027244B122CD4AC53B222DD67E58FE25C9A2A4A59ABDC19D261 ike 0:vpn-XXYYXX:40: dec 7411EB41BCDCD6C6C1C4A89301B83808081005015895800A0000005C0B0000184B2D55F5B934FA50B4369B01C1BB74D8F9E6B637000000200000000101108D287411EB41BCDCD6C6C1C4A89301B8380800006FE30000000000000000 ike 0:vpn-XXYYXX:40: notify msg received: R-U-THERE ike 0:vpn-XXYYXX:40: enc 7411EB41BCDCD6C6C1C4A89301B83808081005010C1144E9000000540B000018ACA5F8B74A1CA2BF70D4CA5F3F450EA04969E887000000200000000101108D297411EB41BCDCD6C6C1C4A89301B8380800006FE3 ike 0:vpn-XXYYXX:40: out 7411EB41BCDCD6C6C1C4A89301B83808081005010C1144E90000005C21C13C13A3569F3812FBF1AA3AAE5FAC2251F917D90FCEA2A275A9FDD81A63EC8234F65D6634F18120080318A56BBA5F0D474C717E825046845F67FB2A156E5E ike 0:vpn-XXYYXX:40: sent IKE msg (R-U-THERE-ACK): X.X.X.X.4500 -> XX.XX.XX.XX.4500:, len=92, id=7411eb41bcdcd6c6/c1c4a89301b83808:0c1144e9 ike 0: comes X.X.X.X.4500 -> XX.XX.XX.XX.4500:,ifindex=5.... ike 0: IKEv1 exchange=Informational id=7411eb41bcdcd6c6/c1c4a89301b83808:9af2b73d len=92 ike 0: in 7411EB41BCDCD6C6C1C4A89301B83808081005019AF2B73D0000005C2D64365E03A12A2979388AEB9C15B56C258BCD7FCF2B8FD5D1066F0C1B2306A649B17AB60E5BA7F59085EB0EA38D98B897065E5389DC190A201F5532AE2C20CB ike 0:vpn-XXYYXX:40: dec 7411EB41BCDCD6C6C1C4A89301B83808081005019AF2B73D0000005C0B0000188E21C5E607CC160B529713DA99EDE30FFE838A55000000200000000101108D297411EB41BCDCD6C6C1C4A89301B83808000000540000000000000000 ike 0:vpn-XXYYXX:40: notify msg received: R-U-THERE-ACK
I would really appreciate if anyone could give me any insight into the above issues.
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cli cmds are your friend
check for IKE SA
diag vpn ike gateway list
check for Phase2 SA ( should be two uni-directional ones )
diag vpn tunnel list
Check for traffic flow
diag debug flow
Do the above in the above order, if you have no IKE SAs, diagnose why ( PSK mismatch , IKEversion# , proposal , left/right gateway incorrect )
If you have no Phase2-SAs ( again proposals )
If you have no traffic matching any fwpolicy ( route(s), fwpolicy(s),etc....)
http://socpuppet.blogspot.com/2013/10/site-2-site-routed-vpn-trouble-shooting.html
http://socpuppet.blogspot.com/2014/02/dual-vpc-terminate-on-fortigate-firewall.html
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cli cmds are your friend
check for IKE SA
diag vpn ike gateway list
check for Phase2 SA ( should be two uni-directional ones )
diag vpn tunnel list
Check for traffic flow
diag debug flow
Do the above in the above order, if you have no IKE SAs, diagnose why ( PSK mismatch , IKEversion# , proposal , left/right gateway incorrect )
If you have no Phase2-SAs ( again proposals )
If you have no traffic matching any fwpolicy ( route(s), fwpolicy(s),etc....)
http://socpuppet.blogspot.com/2013/10/site-2-site-routed-vpn-trouble-shooting.html
http://socpuppet.blogspot.com/2014/02/dual-vpc-terminate-on-fortigate-firewall.html
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thanks for your reply :)
I've done above steps,
In diag debug flow I do not see anything
In Diag vpn tunnel list I see this:
name=vpn-XXXX-1 ver=1 serial=8 IP.IP.IP.IP:0->IP.IP.IP.IP:0 lgwy=static tun=intf mode=auto bound_if=5 proxyid_num=1 child_num=0 refcnt=6 ilast=3 olast=3 stat: rxp=0 txp=0 rxb=0 txb=0 dpd: mode=active on=1 idle=10000ms retry=3 count=0 seqno=12574 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=vpn-XXXX-1 proto=0 sa=1 ref=2 serial=1 src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0 SA: ref=3 options=0000000e type=00 soft=0 mtu=1358 expire=957/0B replaywin=1024 seqno=1 life: type=01 bytes=0/0 timeout=3551/3600 dec: spi=3b37a701 esp=aes key=16 123456 ah=sha1 key=20 1234565 enc: spi=917ca6d6 esp=aes key=16 123456 ah=sha1 key=20 123456 dec:pkts/bytes=0/0, enc:pkts/bytes=0/0 npu_flag=00 npu_rgwy=IP.IP.IP.IP npu_lgwy=IP.IP.IP.IP npu_selid=7 dec_npuid=0 enc_npuid=0
and as I mentioned before I see these DPD messages R-U-There, R-U-There-ACK
Please advice me on this matter :(
Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your tunnel is up, and two way exachanges for DPD (R-U-THERE, R-U-THERE-ACK) in ike debugging.
Check traffic selectors and policies as emnoc said, and make sure necessary routes are there toward the tunnel on both ends. Then run flow debug as in emnoc's comment when you send packets toward the tunnel.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ,
are both the tunnels are up in ISP 1 and ISP 2 .
Could you get this below output .
dia vpn tunnel list
get router info routing-table database
Regards
Santhosh
Related Posts
- IPSEC Down After Changing the IP... 48 Views
- Force the routing of a domain... 65 Views
- Multiple phase 2 selectors needed for... 155 Views
- Split Tunnel with SSL VPN and... 112 Views
- Remote VPN Issue 120 Views
Labels
-
FortiGate
6,507 -
FortiClient
1,300 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
262 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
71 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
FortiAuthenticator
11 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.