jmillican

FortiGate to StrongSWAN: "Failed to find IPSec Common"

I have created a tunnel from StrongSWAN (AWS) to FortiGate. The tunnel is up but when I try to ping between the private networks a diag debug flow filter addr 10.50.255.10 shows "Failed to find IPSec Common". I have been unable to find any information about this message on the internet including these forums. The issue seems to be with the FortiGate trying to forward traffic out of the tunnel to AWS.

StrongSWAN Private Network: 10.50.254.0/23

FortiGate Private Network: 10.110.0.0/16

FortiGate # diag debug flow addr 10.50.255.10

When trying to ping internal IPs from FortiGate 10.110.254.254 to StrongSWAN 10.50.255.10:

id=20085 trace_id=26 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=1, 10.110.254.254:3584->10.50.255.10:2048) from local. type=8, code=0, id=3584, seq=0."
id=20085 trace_id=26 func=init_ip_session_common line=5390 msg="allocate a new session-139660bb"
id=20085 trace_id=26 func=ipsecdev_hard_start_xmit line=578 msg="enter IPsec interface-VOK-to-AWS"
id=20085 trace_id=26 func=ipsecdev_hard_start_xmit line=592 msg="Failed to find IPsec Common: VOK-to-AWS"

When trying to ping internal IPs from StrongSWAN 10.50.255.10 to FortiGate 10.110.254.254, the traffic makes it in but does not go back out.

id=20085 trace_id=17 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=1, 10.50.255.10:24599->10.110.0.9:2048) from VOK-to-AWS. type=8, code=0, id=24599, seq=1."
id=20085 trace_id=17 func=init_ip_session_common line=5390 msg="allocate a new session-139453eb"
id=20085 trace_id=17 func=vf_ip4_route_input line=1598 msg="find a route: flags=00000000 gw-10.110.0.9 via port21"
id=20085 trace_id=17 func=fw_forward_handler line=737 msg="Allowed by Policy-22:"
id=20085 trace_id=18 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=1, 10.110.0.9:24599->10.50.255.10:0) from port21. type=0, code=0, id=24599, seq=1."
id=20085 trace_id=18 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-139453eb, reply direction"
id=20085 trace_id=18 func=vf_ip4_route_input line=1598 msg="find a route: flags=00000000 gw-10.50.255.10 via VOK-to-AWS"
id=20085 trace_id=18 func=npu_handle_session44 line=917 msg="Trying to offloading session from port21 to VOK-to-AWS, skb.npu_flag=00000000 ses.state=00010204 ses.npu_state=0x00000000"
id=20085 trace_id=18 func=ipsecdev_hard_start_xmit line=578 msg="enter IPsec interface-VOK-to-AWS"
id=20085 trace_id=18 func=ipsecdev_hard_start_xmit line=592 msg="Failed to find IPsec Common: VOK-to-AWS"

emnoc

It would help to ID this if you have the diag vpn tunnel output and the proxy-ID between the two private networks.

Also, if (and it looks like a yes) this is route-based, you can dump on the interface directly in FortiOS to look for traffic entering and leaving the interfaces. I would also triple-check that SNAT has not been mistakenly added to the mix and that the two private networks are not masked behind a NAT'd address.

Good to see others using StrongSwan ;)

Ken Felix
PCNSE NSE StrongSwan
jmillican

Thank you for the quick response! I am new to FortiGate and appreciate the help.

On the IPv4 Policy for forwarding to the internal network there is no NAT enabled. Are you talking about a different option?

Below is the output from

FortiGate # diag vpn tunnel list

name=VOK-to-AWS ver=1 serial=1 (Forti-PublicIP):4500->(StrongSWAN-PublicIP):4500
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=4 ilast=14 olast=14 ad=/0
itn-status=0
stat: rxp=1949 txp=0 rxb=366788 txb=0
dpd: mode=off on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=silent draft=32 interval=30 remote_port=4500
proxyid=VOK-to-AWS proto=0 sa=1 ref=2 serial=15 auto-negotiate
  src: 0:10.110.0.0/255.255.0.0:0
  dst: 0:10.50.254.0/255.255.254.0:0
  SA: ref=3 options=18227 type=00 soft=0 mtu=1406 expire=39312/0B replaywin=2048
       seqno=1 esn=0 replaywin_lastseq=00000000 itn=0
  life: type=01 bytes=0/0 timeout=42928/43200
  dec: spi=d7a860bf esp=aes key=32 c89bd6ac7901da699bd9d5aee7be592e0ad13fdd6029dd2638197a0205b1f030
       ah=sha512 key=64 24d93cf36a9eb78706142d0a63d89394ac2b67e50e365e0fad77c3bda650e2b15109613f3a5de37ccc89b4fb64ce0dc1b2005c6c50c624cac43b087af38d7f8f
  enc: spi=cbd4c870 esp=aes key=32 1b59c35a0e6105024e9e9514b5adc7a34fdccad58a249dd01ed0eadd444461d9
       ah=sha512 key=64 6d1f35a062847b788aa3e1073a6cad659186839a97053cba7c5f35867ba47a8b4bf49a3e38cac4793efdbfc17a0e9d80092969b09b64c4f41bcd43dd159b8aa5
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
  npu_flag=00 npu_rgwy=(StrongSWAN-PublicIP) npu_lgwy=(Forti-PublicIP) npu_selid=e

FortiGate # diag sniffer packet VOK-to-AWS none 4 4

name=VOK-to-AWS ver=1 serial=1 (Forti-PublicIP):4500->(StrongSWAN-PublicIP):4500

interfaces=[VOK-to-AWS]
filters=[none]
pcap_lookupnet: VOK-to-AWS: no IPv4 address assigned
33.099623 VOK-to-AWS -- 10.50.255.10 -> 10.110.254.254: icmp: echo request
33.099920 VOK-to-AWS -- 10.110.254.254 -> 10.50.255.10: icmp: echo reply
34.099751 VOK-to-AWS -- 10.50.255.10 -> 10.110.254.254: icmp: echo request
34.100028 VOK-to-AWS -- 10.110.254.254 -> 10.50.255.10: icmp: echo reply

jmillican

Looking at the IPsec VPN Tunnel Network settings, should the local gateway be active with the FortiGate public IP address? Image attached.

Also, if adding the local gateway will this stop internet traffic from users going out the same interface?

jmillican

Anyone have any ideas for this route based VPN? Still struggling with it.

jellesallaerts

Hi jmillican,

I really hope you figured it out by now.

For those that experience the same issue and cannot find a solution, you need to configure peer IDs on the spokes of the dial-up VPN.

The HUB cannot define which spoke to use if there's more than one with the same name or no name.

Good luck!
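As an added illustration of the peer-ID fix described in the reply above (this is example configuration written for this page, not configuration from the original thread or from either poster), here is the hub side on the FortiGate and the spoke side on strongSwan. The subnets and the phase1 name are taken from the thread; the outside interface name, the ID string, the proposals, the pre-shared key and the public IP placeholders are assumptions.

```text
# Added example (not from the original thread): peer-ID configuration for a
# dial-up (dynamic) FortiGate hub with a strongSwan spoke. Interface name,
# ID string, proposals, PSK and the public IP placeholder are assumptions.

# --- FortiGate (hub), FortiOS CLI ---
config vpn ipsec phase1-interface
    edit "VOK-to-AWS"
        set type dynamic                 # dial-up: the remote gateway address is not fixed
        set interface "wan1"             # assumed outside interface
        set ike-version 1
        set mode aggressive              # IKEv1 + PSK with a non-IP peer ID requires aggressive mode
        set peertype one                 # accept exactly one peer ID on this phase1
        set peerid "aws-spoke-1"         # must match the spoke's leftid below
        set proposal aes256-sha512
        set dhgrp 14
        set psksecret <PRE-SHARED-KEY>
    next
end
config vpn ipsec phase2-interface
    edit "VOK-to-AWS"
        set phase1name "VOK-to-AWS"
        set proposal aes256-sha512
        set src-subnet 10.110.0.0 255.255.0.0        # FortiGate private network, as in the thread
        set dst-subnet 10.50.254.0 255.255.254.0     # strongSwan private network, as in the thread
    next
end

# --- strongSwan (spoke), /etc/ipsec.conf ---
conn to-fortigate
    keyexchange=ikev1
    aggressive=yes                       # must match the hub's phase1 mode
    authby=secret
    left=%defaultroute
    leftid=@aws-spoke-1                  # sent as an FQDN ID; this is what "set peerid" matches
    leftsubnet=10.50.254.0/23
    right=<Forti-PublicIP>
    rightsubnet=10.110.0.0/16
    ike=aes256-sha512-modp2048!
    esp=aes256-sha512!
    auto=start

# --- strongSwan (spoke), /etc/ipsec.secrets ---
@aws-spoke-1 <Forti-PublicIP> : PSK "<PRE-SHARED-KEY>"
```

Each additional spoke gets its own dial-up phase1-interface on the hub with its own peerid, which is how the hub tells spokes apart; a spoke that sends no ID, or the same ID as another spoke, cannot be bound to a specific tunnel. After the change, the "stat:" line of diag vpn tunnel list should show txp counting up alongside rxp instead of the rxp=1949 txp=0 seen above.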
