FortiGate to StrongSWAN: "Failed to find IPSec Common"

Author: jmillican (New Member, joined 2018/11/09)
2018/11/13 08:52:28 (permalink)

FortiGate to StrongSWAN: "Failed to find IPSec Common"

I have created a tunnel from StrongSWAN (AWS) to FortiGate. The tunnel is up, but when I try to ping between the private networks, a diag debug flow with filter addr 10.50.255.10 shows "Failed to find IPSec Common". I have been unable to find any information about this message on the internet, including these forums. The issue seems to be with the FortiGate trying to forward traffic out of the tunnel to AWS.
 
StrongSWAN Private Network: 10.50.254.0/23
FortiGate Private Network: 10.110.0.0/16
 
FortiGate # diag debug flow addr 10.50.255.10
 
When trying to ping internal IPs from FortiGate 10.110.254.254 to StrongSWAN 10.50.255.10:
id=20085 trace_id=26 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=1, 10.110.254.254:3584->10.50.255.10:2048) from local. type=8, code=0, id=3584, seq=0."
id=20085 trace_id=26 func=init_ip_session_common line=5390 msg="allocate a new session-139660bb"
id=20085 trace_id=26 func=ipsecdev_hard_start_xmit line=578 msg="enter IPsec interface-VOK-to-AWS"
id=20085 trace_id=26 func=ipsecdev_hard_start_xmit line=592 msg="Failed to find IPsec Common: VOK-to-AWS"
 
When trying to ping internal IPs from StrongSWAN 10.50.255.10 to FortiGate 10.110.254.254, the traffic makes it in but does not go back out:
id=20085 trace_id=17 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=1, 10.50.255.10:24599->10.110.0.9:2048) from VOK-to-AWS. type=8, code=0, id=24599, seq=1."
id=20085 trace_id=17 func=init_ip_session_common line=5390 msg="allocate a new session-139453eb"
id=20085 trace_id=17 func=vf_ip4_route_input line=1598 msg="find a route: flags=00000000 gw-10.110.0.9 via port21"
id=20085 trace_id=17 func=fw_forward_handler line=737 msg="Allowed by Policy-22:"
id=20085 trace_id=18 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=1, 10.110.0.9:24599->10.50.255.10:0) from port21. type=0, code=0, id=24599, seq=1."
id=20085 trace_id=18 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-139453eb, reply direction"
id=20085 trace_id=18 func=vf_ip4_route_input line=1598 msg="find a route: flags=00000000 gw-10.50.255.10 via VOK-to-AWS"
id=20085 trace_id=18 func=npu_handle_session44 line=917 msg="Trying to offloading session from port21 to VOK-to-AWS, skb.npu_flag=00000000 ses.state=00010204 ses.npu_state=0x00000000"
id=20085 trace_id=18 func=ipsecdev_hard_start_xmit line=578 msg="enter IPsec interface-VOK-to-AWS"
id=20085 trace_id=18 func=ipsecdev_hard_start_xmit line=592 msg="Failed to find IPsec Common: VOK-to-AWS"
#1
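The three traces above each stop at a different point in the FortiGate forwarding path, and that ordering is the diagnostic signal: trace 17 (inbound from the tunnel) is routed and allowed by policy 22, and trace 18 (its reply) is routed back via VOK-to-AWS before ipsecdev_hard_start_xmit refuses it, so routing and policy are not the problem. The following script is an added example, not part of the original post or of FortiOS, that groups diag debug flow lines by trace_id and reduces each trace to that verdict. The sample input is the trace text quoted above; the verdict labels are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the 'diag debug flow' lines quoted in the post above
# (traces 26, 17 and 18), copied verbatim for this example.
SAMPLE_TRACE = """\
id=20085 trace_id=26 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=1, 10.110.254.254:3584->10.50.255.10:2048) from local. type=8, code=0, id=3584, seq=0."
id=20085 trace_id=26 func=init_ip_session_common line=5390 msg="allocate a new session-139660bb"
id=20085 trace_id=26 func=ipsecdev_hard_start_xmit line=578 msg="enter IPsec interface-VOK-to-AWS"
id=20085 trace_id=26 func=ipsecdev_hard_start_xmit line=592 msg="Failed to find IPsec Common: VOK-to-AWS"
id=20085 trace_id=17 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=1, 10.50.255.10:24599->10.110.0.9:2048) from VOK-to-AWS. type=8, code=0, id=24599, seq=1."
id=20085 trace_id=17 func=init_ip_session_common line=5390 msg="allocate a new session-139453eb"
id=20085 trace_id=17 func=vf_ip4_route_input line=1598 msg="find a route: flags=00000000 gw-10.110.0.9 via port21"
id=20085 trace_id=17 func=fw_forward_handler line=737 msg="Allowed by Policy-22:"
id=20085 trace_id=18 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=1, 10.110.0.9:24599->10.50.255.10:0) from port21. type=0, code=0, id=24599, seq=1."
id=20085 trace_id=18 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-139453eb, reply direction"
id=20085 trace_id=18 func=vf_ip4_route_input line=1598 msg="find a route: flags=00000000 gw-10.50.255.10 via VOK-to-AWS"
id=20085 trace_id=18 func=ipsecdev_hard_start_xmit line=578 msg="enter IPsec interface-VOK-to-AWS"
id=20085 trace_id=18 func=ipsecdev_hard_start_xmit line=592 msg="Failed to find IPsec Common: VOK-to-AWS"
"""

LINE_RE = re.compile(r'trace_id=(?P<trace>\d+) func=(?P<func>\S+) line=\d+ msg="(?P<msg>.*)"')
PKT_RE = re.compile(r'received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\) from (?P<ingress>\S+?)\.')
SESSION_RE = re.compile(r'(?:session-|id-)(?P<sid>[0-9a-f]{8})')
ROUTE_RE = re.compile(r'find a route: .* via (?P<egress>\S+)')
POLICY_RE = re.compile(r'Allowed by Policy-(?P<policy>\d+)')
IPSEC_FAIL_RE = re.compile(r'Failed to find IPsec Common: (?P<tunnel>\S+)')


def new_trace():
    return {"proto": None, "src": None, "dst": None, "ingress": None, "session": None,
            "reply": False, "egress": None, "policy": None, "ipsec_fail": None}


def parse_flow_trace(text):
    """Group flow-trace lines by trace_id and reduce each trace to the facts that matter."""
    traces = defaultdict(new_trace)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # prompt, blank line or anything that is not a flow-trace record
        t, msg = traces[int(m["trace"])], m["msg"]
        pm = PKT_RE.search(msg)
        if pm:
            t["proto"], t["src"], t["dst"], t["ingress"] = int(pm["proto"]), pm["src"], pm["dst"], pm["ingress"]
        sm = SESSION_RE.search(msg)
        if sm:
            t["session"] = sm["sid"]
            t["reply"] = "reply direction" in msg
        rm = ROUTE_RE.search(msg)
        if rm:
            t["egress"] = rm["egress"]
        fm = POLICY_RE.search(msg)
        if fm:
            t["policy"] = int(fm["policy"])
        im = IPSEC_FAIL_RE.search(msg)
        if im:
            t["ipsec_fail"] = im["tunnel"]
    return dict(traces)


def verdict(t):
    """Classify where a trace ended; the checks follow the order of the forwarding path."""
    if t["ipsec_fail"]:
        # Routing (and, for forwarded traffic, policy) already succeeded before the IPsec
        # interface refused the packet, so the fault is in the tunnel layer, not the policy table.
        return "IPSEC_XMIT_FAIL_AFTER_ROUTE" if t["egress"] else "IPSEC_XMIT_FAIL_LOCAL"
    if t["egress"] and t["policy"]:
        return "FORWARDED"
    return "INCOMPLETE"


def summarize(text):
    """Return {trace_id: verdict} for every trace in the dump."""
    return {tid: verdict(t) for tid, t in sorted(parse_flow_trace(text).items())}


def affected_tunnels(text):
    """Names of IPsec interfaces that rejected a packet with 'Failed to find IPsec Common'."""
    return {t["ipsec_fail"] for t in parse_flow_trace(text).values() if t["ipsec_fail"]}


if __name__ == "__main__":
    traces = parse_flow_trace(SAMPLE_TRACE)
    for tid, v in summarize(SAMPLE_TRACE).items():
        t = traces[tid]
        print(f"trace {tid}: {t['src']} -> {t['dst']} in={t['ingress']} out={t['egress']} "
              f"policy={t['policy']} => {v}")
    print("tunnels refusing traffic:", sorted(affected_tunnels(SAMPLE_TRACE)))
```

Run it against a saved diag debug flow capture; a trace that ends in IPSEC_XMIT_FAIL_AFTER_ROUTE tells you to stop looking at firewall policies and routes and go to diag vpn tunnel list for that interface instead.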


    emnoc (Expert Member, Austin TX area, joined 2008/03/20)
    Re: FortiGate to StrongSWAN: "Failed to find IPSec Common" 2018/11/13 10:15:18 (permalink)
    It would help to identify the issue if you post the diag vpn tunnel output and the proxy-ids between the two private networks.
     
    Also, if (and it looks like a yes) this is route based, you can dump on the interface directly in FortiOS to look for traffic entering and leaving the interfaces. I would also triple-check that SNAT has not been mistakenly added to the mix and that the two private networks are not being masked behind a NAT'd address.
     
    Good to see others using StrongSwan ;)
     
    Ken Felix
     

    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #2
    jmillican (New Member)
    Re: FortiGate to StrongSWAN: "Failed to find IPSec Common" 2018/11/13 11:31:31 (permalink)
    Thank you for the quick response! I am new to FortiGate and appreciate the help.
    On the IPv4 Policy for forwarding to the internal network there is no NAT enabled. Are you talking about a different option?
     
    Below is the output from
    FortiGate # diag vpn tunnel list
    name=VOK-to-AWS ver=1 serial=1 (Forti-PublicIP):4500->(StrongSWAN-PublicIP):4500
    bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
    proxyid_num=1 child_num=0 refcnt=4 ilast=14 olast=14 ad=/0 itn-status=0
    stat: rxp=1949 txp=0 rxb=366788 txb=0
    dpd: mode=off on=0 idle=20000ms retry=3 count=0 seqno=0
    natt: mode=silent draft=32 interval=30 remote_port=4500
    proxyid=VOK-to-AWS proto=0 sa=1 ref=2 serial=15 auto-negotiate
    src: 0:10.110.0.0/255.255.0.0:0
    dst: 0:10.50.254.0/255.255.254.0:0
    SA: ref=3 options=18227 type=00 soft=0 mtu=1406 expire=39312/0B replaywin=2048
    seqno=1 esn=0 replaywin_lastseq=00000000 itn=0
    life: type=01 bytes=0/0 timeout=42928/43200
    dec: spi=d7a860bf esp=aes key=32 c89bd6ac7901da699bd9d5aee7be592e0ad13fdd6029dd2638197a0205b1f030
    ah=sha512 key=64 24d93cf36a9eb78706142d0a63d89394ac2b67e50e365e0fad77c3bda650e2b15109613f3a5de37ccc89b4fb64ce0dc1b2005c6c50c624cac43b087af38d7f8f
    enc: spi=cbd4c870 esp=aes key=32 1b59c35a0e6105024e9e9514b5adc7a34fdccad58a249dd01ed0eadd444461d9
    ah=sha512 key=64 6d1f35a062847b788aa3e1073a6cad659186839a97053cba7c5f35867ba47a8b4bf49a3e38cac4793efdbfc17a0e9d80092969b09b64c4f41bcd43dd159b8aa5
    dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
    npu_flag=00 npu_rgwy=(StrongSWAN-PublicIP) npu_lgwy=(Forti-PublicIP) npu_selid=e
     
    FortiGate # diag sniffer packet VOK-to-AWS none 4 4
    name=VOK-to-AWS ver=1 serial=1 (Forti-PublicIP):4500->(StrongSWAN-PublicIP):4500
    interfaces=[VOK-to-AWS]
    filters=[none]
    pcap_lookupnet: VOK-to-AWS: no IPv4 address assigned
    33.099623 VOK-to-AWS -- 10.50.255.10 -> 10.110.254.254: icmp: echo request
    33.099920 VOK-to-AWS -- 10.110.254.254 -> 10.50.255.10: icmp: echo reply
    34.099751 VOK-to-AWS -- 10.50.255.10 -> 10.110.254.254: icmp: echo request
    34.100028 VOK-to-AWS -- 10.110.254.254 -> 10.50.255.10: icmp: echo reply
     
    #3
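Ken's first suggestion was to compare the diag vpn tunnel output and the proxy-ids with the other side, and the output above contains everything needed for that: the phase 2 selectors (src 10.110.0.0/16, dst 10.50.254.0/23), the SA count, and the counters (rxp=1949, txp=0; dec and enc both 0/0). The script below is an added example, not part of the post or of either product, that parses that output, parses a strongSwan ipsec.conf conn block for the AWS side, and cross-checks the two. The strongSwan conn block is constructed for this example (the poster did not publish theirs), and the public addresses are RFC 5737 documentation placeholders standing in for the redacted ones; the finding labels are this example's own.

```python
import re
import ipaddress

# Constructed sample, reduced from the 'diag vpn tunnel list' output in the post above.
# Public IPs are documentation placeholders for the redacted gateways; SA key lines are omitted.
FORTI_TUNNEL_LIST = """\
name=VOK-to-AWS ver=1 serial=1 198.51.100.1:4500->203.0.113.1:4500
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=4 ilast=14 olast=14 ad=/0 itn-status=0
stat: rxp=1949 txp=0 rxb=366788 txb=0
dpd: mode=off on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=silent draft=32 interval=30 remote_port=4500
proxyid=VOK-to-AWS proto=0 sa=1 ref=2 serial=15 auto-negotiate
src: 0:10.110.0.0/255.255.0.0:0
dst: 0:10.50.254.0/255.255.254.0:0
SA: ref=3 options=18227 type=00 soft=0 mtu=1406 expire=39312/0B replaywin=2048
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
"""

# Constructed strongSwan ipsec.conf conn for the AWS side (assumed; not from the post).
STRONGSWAN_CONF = """\
conn vok-to-aws
    left=203.0.113.1
    leftsubnet=10.50.254.0/23
    right=198.51.100.1
    rightsubnet=10.110.0.0/16
    auto=start
"""

KV_RE = re.compile(r'(\S+?)=(\S+)')
ENDPOINT_RE = re.compile(r'(\d+\.\d+\.\d+\.\d+):(\d+)->(\d+\.\d+\.\d+\.\d+):(\d+)')
SEL_RE = re.compile(r'^(src|dst): (\d+):([\d.]+)/([\d.]+):(\d+)')
CTR_RE = re.compile(r'dec:pkts/bytes=(\d+)/(\d+), enc:pkts/bytes=(\d+)/(\d+)')


def parse_tunnel_list(text):
    """Parse one tunnel's 'diag vpn tunnel list' block into a dict with its proxy-ids."""
    tun = {"proxyids": []}
    cur = None  # proxy-id currently being filled in (src/dst/counters follow its header line)
    for raw in text.splitlines():
        line = raw.strip()
        sel, ctr = SEL_RE.match(line), CTR_RE.search(line)
        if line.startswith("name="):
            kv, ep = dict(KV_RE.findall(line)), ENDPOINT_RE.search(line)
            tun.update(name=kv["name"], local_gw=ep.group(1), remote_gw=ep.group(3))
        elif line.startswith("bound_if="):
            tun["lgwy"] = dict(KV_RE.findall(line))["lgwy"]
        elif line.startswith("stat:"):
            tun["stat"] = {k: int(v) for k, v in KV_RE.findall(line)}
        elif line.startswith("natt:"):
            tun["natt"] = dict(KV_RE.findall(line))
        elif line.startswith("proxyid="):
            kv = dict(KV_RE.findall(line))
            cur = {"name": kv["proxyid"], "sa": int(kv["sa"]), "dec_pkts": None, "enc_pkts": None}
            tun["proxyids"].append(cur)
        elif sel:
            # FortiOS prints proto:network/netmask:port; ipaddress accepts the dotted netmask.
            cur[sel.group(1)] = ipaddress.ip_network(f"{sel.group(3)}/{sel.group(4)}", strict=False)
        elif ctr:
            cur["dec_pkts"], cur["enc_pkts"] = int(ctr.group(1)), int(ctr.group(3))
    return tun


def parse_strongswan_conn(text):
    """Read key=value settings from a single ipsec.conf conn block."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("conn "):
            k, v = line.split("=", 1)
            conf[k.strip()] = v.strip()
    return conf


def check_tunnel(tun, sw):
    """Cross-check the FortiGate tunnel against the strongSwan conn; return a list of findings."""
    findings = []
    if tun["remote_gw"] != sw["left"] or tun["local_gw"] != sw["right"]:
        findings.append("GATEWAY_MISMATCH")
    if not tun["proxyids"]:
        findings.append("NO_PROXYID")
    sw_local, sw_remote = ipaddress.ip_network(sw["leftsubnet"]), ipaddress.ip_network(sw["rightsubnet"])
    for p in tun["proxyids"]:
        # The FortiGate's src selector must equal strongSwan's rightsubnet and its dst selector
        # strongSwan's leftsubnet; anything else leaves a "tunnel up, no traffic" phase 2.
        if p["src"] != sw_remote or p["dst"] != sw_local:
            findings.append(f"SELECTOR_MISMATCH:{p['name']}")
        if p["sa"] == 0:
            findings.append(f"NO_PHASE2_SA:{p['name']}")
        elif p["enc_pkts"] == 0:
            findings.append(f"SA_NEVER_ENCRYPTED:{p['name']}")
    st = tun["stat"]
    if st["rxp"] > 0 and st["txp"] == 0:
        findings.append("RX_ONLY")  # peer's packets are decrypted, but nothing is ever sent back
    return findings


if __name__ == "__main__":
    tun = parse_tunnel_list(FORTI_TUNNEL_LIST)
    sw = parse_strongswan_conn(STRONGSWAN_CONF)
    print(tun["name"], tun["lgwy"], [(str(p["src"]), str(p["dst"]), p["sa"]) for p in tun["proxyids"]])
    print("findings:", check_tunnel(tun, sw))
```

For the output in this thread the selectors mirror the assumed strongSwan conn exactly, so the check comes back with only SA_NEVER_ENCRYPTED and RX_ONLY: the FortiGate has decrypted 1949 packets and encrypted none, which is the counter-level view of the same failure the flow trace showed. Swap leftsubnet to 10.50.254.0/24 in the conn block and the script reports SELECTOR_MISMATCH instead, which is the case this comparison exists to catch.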
    jmillican (New Member)
    Re: FortiGate to StrongSWAN: "Failed to find IPSec Common" 2018/11/14 10:16:59 (permalink)
    Looking at the IPSec VPN Tunnel Network section, should Local Gateway be active with the FortiGate public IP address? Image attached.
     
    Also, if I add the local gateway, will this stop internet traffic from users going out the same interface?
    post edited by jmillican - 2018/11/14 10:18:10


    #4
    jmillican (New Member)
    Re: FortiGate to StrongSWAN: "Failed to find IPSec Common" 2018/11/16 07:54:46 (permalink)
    Anyone have any ideas for this route based VPN? Still struggling with it.
    #5
    jellesallaerts (New Member, joined 2019/04/15)
    Re: FortiGate to StrongSWAN: "Failed to find IPSec Common" 2019/04/15 01:54:28 (permalink)
    Hi jmillican,
     
    I really hope you figured it out by now.
     
    For those that experience the same issue and cannot find a solution: you need to configure peer IDs on the spokes of the dial-up VPN.
     
    The hub cannot determine which spoke to use if there is more than one with the same name or no name.
     
    Good luck!
    #6