Site to site VPN tunnel is up but no traffic flowing

fortinoy
New Member
2019/08/14 01:42:01 (permalink)

I set up a site to site VPN using the IPsec wizard. The tunnel is already up, but I keep getting the error "progress ipsec phase 1 negotiate failure" in the VPN events log. I need your help on where and what to check.
 
Note: I initially set up SSL VPN on the same FortiGate and it works well. I'm trying to set up the site to site VPN now. The setup in the IPsec wizard is easy and fast, but it is not working.
 
Please advise. Thanks.
#1


    Toshi Esumi
    Expert Member
    Re: site to site vpn tunnel is up but no traffic flowing 2019/08/14 09:37:55 (permalink)
    I'm assuming your tunnel is working fine. Then take a close look at the log detail. Does the remote IP match the IP of the other side of your VPN? Chances are somebody else is trying to set up VPN to your FGT.
    #2
    fortinoy
    New Member
    Re: site to site vpn tunnel is up but no traffic flowing 2019/08/14 16:48:30 (permalink)
    The IPs on both sides are correct. What do you mean when you say "Chances are somebody else is trying to set up VPN to your FGT."? I have set up SSL VPN too on the same FortiGate on both sides. Will that affect the site to site VPN I'm trying to set up? Thanks.
    #3
    OneOfUs
    Bronze Member
    Re: site to site vpn tunnel is up but no traffic flowing 2019/08/14 17:33:29 (permalink)
    This is the best article I've found to troubleshoot IPsec VPNs; some of the GUI information has changed over the years:
     
    To get diagnose information for the VPN connection - CLI
    1. Log into the CLI as admin with the output being logged to a file.
    2. Stop any diagnose debug sessions that are currently running with the CLI command
    diagnose debug disable
    3. Clear any existing log-filters by running
    diagnose vpn ike log-filter clear
    4. Set the log-filter to the IP address of the remote computer (Remote Gateway). This filters out all VPN connections except ones to the IP address we are concerned with. The command is
    diagnose vpn ike log-filter dst-addr4 <remote gateway>
    5. Set up the commands to output the VPN handshaking. The commands are:
    diagnose debug app ike 63
    diagnose debug enable
    6. Have the remote FortiGate initiate the VPN connection in the web-based manager by going to VPN > Monitor and selecting Bring up.
    This makes the remote FortiGate the initiator and the local FortiGate becomes the responder. Establishing the connection in this manner means the local FortiGate will have its configuration information as well as the information the remote computer sends. Having both sets of information locally makes it easier to troubleshoot your VPN connection.
    7. Watch the screen for output, and after roughly 15 seconds enter the following CLI command to stop the output.
    diagnose debug disable
    8. If needed, save the log file of this output to a file on your local computer. Saving the output to a file can make it easier to search for a particular phrase, and is useful for comparisons.
     
    From <http://docs-legacy.fortinet.com/fos50hlp/50/FortiOS%205.0%20Help/TestandMonitor.129.08.html>
    #4
    fortinoy
    New Member
    Re: site to site vpn tunnel is up but no traffic flowing 2019/08/15 17:50:11 (permalink)
    Thanks for the steps. Please help me check the result of the debug below. I replaced the IPs and the VPN names for security.
     
    LEGEND:
    “local FG public ip”
    "remote FG public ip"
    "local vpn name"
    "remote vpn name"
    "remote FG LAN ip"
    "local FG LAN ip"
     
    FGT60ETK180999ZJ # ike shrank heap by 126976 bytes
    ike 0: comes "remote FG public ip:"500“local FG public ip”:500,ifindex=6....
    ike 0: IKEv1 exchange=Informational id=1bb17d97025b7eba/126b50d856d51ce4:c40c60a2 len=92
    ike 0: "local vpn name":327: recv IPsec SA delete, spi count 1
    ike 0: "local vpn name": deleting IPsec SA with SPI 4d6c1357
    ike 0: "local vpn name":"local vpn name": deleted IPsec SA with SPI 4d6c1357, SA count: 0
    ike 0: "local vpn name": sending SNMP tunnel DOWN trap for "local vpn name"
    ike 0: comes "remote FG public ip":500->“local FG public ip”:500,ifindex=6....
    ike 0: IKEv1 exchange=Quick id=1bb17d97025b7eba/126b50d856d51ce4:25461b74 len=588
    ike 0: "local vpn name":327:19: responder received first quick-mode message
    ike 0: "local vpn name":327:19: peer proposal is: peer:0: "remote FG LAN ip"-"remote FG LAN ip", me:0: "local FG LAN ip"-"local FG LAN ip"
    ike 0: "local vpn name":327: "local vpn name":19: trying
    ike 0: "local vpn name":327: "local vpn name":19: matched phase2
    ike 0: "local vpn name":327: "local vpn name":19: autokey
    ike 0: "local vpn name":327: "local vpn name":19: my proposal:
    ike 0: "local vpn name":327: "local vpn name":19: proposal id = 1:
    ike 0: "local vpn name":327: "local vpn name":19:   protocol id = IPSEC_ESP:
    ike 0: "local vpn name":327: "local vpn name":19:   PFS DH group = 14
    ike 0: "local vpn name":327: "local vpn name":19:      trans_id = ESP_AES_CBC (key_len = 128)
    ike 0: "local vpn name":327: "local vpn name":19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0: "local vpn name":327: "local vpn name":19:         type = AUTH_ALG, val=SHA1
    ike 0: "local vpn name":327: "local vpn name":19:      trans_id = ESP_AES_CBC (key_len = 256)
    ike 0: "local vpn name":327: "local vpn name":19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0: "local vpn name":327: "local vpn name":19:         type = AUTH_ALG, val=SHA1
    ike 0: "local vpn name":327: "local vpn name":19:      trans_id = ESP_AES_CBC (key_len = 128)
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=SHA2_256
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      trans_id = ESP_AES_CBC (key_len = 256)
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=SHA2_256
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      trans_id = ESP_AES_GCM_16 (key_len = 128)
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=NULL
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      trans_id = ESP_AES_GCM_16 (key_len = 256)
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=NULL
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      trans_id = ESP_CHACHA20_POLY1305 (key_len = 256)
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=NULL
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19: proposal id = 2:
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:   protocol id = IPSEC_ESP:
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:   PFS DH group = 5
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      trans_id = ESP_AES_CBC (key_len = 128)
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=SHA1
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      trans_id = ESP_AES_CBC (key_len = 256)
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=SHA1
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      trans_id = ESP_AES_CBC (key_len = 128)
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=SHA2_256
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      trans_id = ESP_AES_CBC (key_len = 256)
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=SHA2_256
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      trans_id = ESP_AES_GCM_16 (key_len = 128)
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=NULL
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      trans_id = ESP_AES_GCM_16 (key_len = 256)
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=NULL
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      trans_id = ESP_CHACHA20_POLY1305 (key_len = 256)
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=NULL
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19: incoming proposal:
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19: proposal id = 1:
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:   protocol id = IPSEC_ESP:
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:   PFS DH group = 14
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      trans_id = ESP_AES_CBC (key_len = 128)
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=SHA1
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      trans_id = ESP_AES_CBC (key_len = 256)
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=SHA1
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      trans_id = ESP_3DES
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=SHA1
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      trans_id = ESP_AES_CBC (key_len = 128)
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=SHA2_256
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      trans_id = ESP_AES_CBC (key_len = 256)
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=SHA2_256
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      trans_id = ESP_3DES
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=SHA2_256
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19: negotiation result
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19: proposal id = 1:
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:   protocol id = IPSEC_ESP:
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:   PFS DH group = 14
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      trans_id = ESP_AES_CBC (key_len = 128)
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19:         type = AUTH_ALG, val=SHA1
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19: set pfs=MODP2048
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19: using tunnel mode.
    ike 0:”LOCAL VPN NAME”: schedule auto-negotiate
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19: replay protection enabled
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19: SA life soft seconds=42929.
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19: SA life hard seconds=43200.
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19: IPsec SA selectors #src=1 #dst=1
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19: src 0 4 0:”local FG LAN ip”/255.255.255.0:0
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19: dst 0 4 0:”remote FG LAN ip”/255.255.255.0:0
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19: add IPsec SA: SPIs=0c219574/4d6c1358
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19: added IPsec SA: SPIs=0c219574/4d6c1358
    ike 0:”LOCAL VPN NAME”:327:”LOCAL VPN NAME”:19: sending SNMP tunnel UP trap
    ike 0:”LOCAL VPN NAME”:327: sent IKE msg (quick_r1send): “local FG public ip”:500->“remote FG public ip”:500, len=444, id=1bb17d97025b7eba/126b50d856d51ce4:25461b74
    ike 0: comes “remote FG public ip”:500->“local FG public ip”:500,ifindex=6....
    ike 0: IKEv1 exchange=Quick id=1bb17d97025b7eba/126b50d856d51ce4:25461b74 len=76
    ike 0:”LOCAL VPN NAME”:”LOCAL VPN NAME”:19: send SA_DONE SPI 0x4d6c1358
     
    FGT60ETK180999ZJ # diagnose debug disable===========
    ================================================

    FGT60ETK180999ZJ # ike shrank heap by 126976 bytes
    ike 0: comes “remote FG public ip”:500->“local FG public ip”:500,ifindex=6....
    ike 0: IKEv1 exchange=Informational id=936e3ddcaaec9ef2/af17441d730dc067:ebcb47ca len=92
    ike 0:”LOCAL VPN NAME”:330: recv IPsec SA delete, spi count 1
    ike 0:”LOCAL VPN NAME”: deleting IPsec SA with SPI 4d6c1359
    ike 0:”LOCAL VPN NAME”:”LOCAL VPN NAME”: deleted IPsec SA with SPI 4d6c1359, SA count: 0
    ike 0:”LOCAL VPN NAME”: sending SNMP tunnel DOWN trap for “LOCAL VPN NAME”
    ike 0: comes “remote FG public ip”:500->“local FG public ip”:500,ifindex=6....
    ike 0: IKEv1 exchange=Quick id=936e3ddcaaec9ef2/af17441d730dc067:42eb0de9 len=588
    ike 0:”LOCAL VPN NAME”:330:21: responder received first quick-mode message
    ike 0:”LOCAL VPN NAME”:330:21: peer proposal is: peer:0:”remote FG LAN ip”-192.168.100.255:0, me:0:”local FG LAN ip”-192.168.17.255:0
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: trying
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: matched phase2
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: autokey
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: my proposal:
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: proposal id = 1:
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:   protocol id = IPSEC_ESP:
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:   PFS DH group = 14
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_AES_CBC (key_len = 128)
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=SHA1
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_AES_CBC (key_len = 256)
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=SHA1
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_AES_CBC (key_len = 128)
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=SHA2_256
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_AES_CBC (key_len = 256)
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=SHA2_256
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_AES_GCM_16 (key_len = 128)
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=NULL
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_AES_GCM_16 (key_len = 256)
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=NULL
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_CHACHA20_POLY1305 (key_len = 256)
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=NULL
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: proposal id = 2:
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:   protocol id = IPSEC_ESP:
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:   PFS DH group = 5
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_AES_CBC (key_len = 128)
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=SHA1
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_AES_CBC (key_len = 256)
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=SHA1
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_AES_CBC (key_len = 128)
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=SHA2_256
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_AES_CBC (key_len = 256)
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=SHA2_256
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_AES_GCM_16 (key_len = 128)
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=NULL
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_AES_GCM_16 (key_len = 256)
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=NULL
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_CHACHA20_POLY1305 (key_len = 256)
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=NULL
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: incoming proposal:
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: proposal id = 1:
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:   protocol id = IPSEC_ESP:
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:   PFS DH group = 14
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_AES_CBC (key_len = 128)
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=SHA1
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_AES_CBC (key_len = 256)
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=SHA1
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_3DES
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=SHA1
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_AES_CBC (key_len = 128)
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=SHA2_256
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_AES_CBC (key_len = 256)
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=SHA2_256
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_3DES
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=SHA2_256
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: negotiation result
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: proposal id = 1:
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:   protocol id = IPSEC_ESP:
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:   PFS DH group = 14
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      trans_id = ESP_AES_CBC (key_len = 128)
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21:         type = AUTH_ALG, val=SHA1
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: set pfs=MODP2048
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: using tunnel mode.
    ike 0:”LOCAL VPN NAME”: schedule auto-negotiate
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: replay protection enabled
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: SA life soft seconds=42930.
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: SA life hard seconds=43200.
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: IPsec SA selectors #src=1 #dst=1
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: src 0 4 0:”local FG LAN ip”/255.255.255.0:0
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: dst 0 4 0:”remote FG LAN ip”/255.255.255.0:0
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: add IPsec SA: SPIs=0c219576/4d6c135a
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: added IPsec SA: SPIs=0c219576/4d6c135a
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: sending SNMP tunnel UP trap
    ike 0:”LOCAL VPN NAME”:330: sent IKE msg (quick_r1send): “local FG public ip”:500->“remote FG public ip”:500, len=444, id=936e3ddcaaec9ef2/af17441d730dc067:42eb0de9
    ike 0: comes “remote FG public ip”:500->“local FG public ip”:500,ifindex=6....
    ike 0: IKEv1 exchange=Quick id=936e3ddcaaec9ef2/af17441d730dc067:42eb0de9 len=76
    ike 0:”LOCAL VPN NAME”:”LOCAL VPN NAME”:21: send SA_DONE SPI 0x4d6c135a

    FGT60ETK180999ZJ # ike 0:”LOCAL VPN NAME”:326: expiring IKE SA e8819280293ca8bf/f0e01864a2ffc7c3
    ike 0:”LOCAL VPN NAME”:326: send IKE SA delete e8819280293ca8bf/f0e01864a2ffc7c3
    ike 0:”LOCAL VPN NAME”:326: sent IKE msg (ISAKMP SA DELETE-NOTIFY): “local FG public ip”:500->“remote FG public ip”:500, len=108, id=e8819280293ca8bf/f0e01864a2ffc7c3:0bb860e3
    ike 0:”LOCAL VPN NAME”: schedule auto-negotiate
    ike 0: comes “remote FG public ip”:500->“local FG public ip”:500,ifindex=6....
    ike 0: IKEv1 exchange=Informational id=e8819280293ca8bf/f0e01864a2ffc7c3:439f8810 len=108
    ike 0: no established IKE SA for exchange-type Informational from “remote FG public ip”:500->“local FG public ip” 6 cookie e8819280293ca8bf/f0e01864a2ffc7c3, drop
    ike 0:”LOCAL VPN NAME”:327: expiring IKE SA 1bb17d97025b7eba/126b50d856d51ce4
    ike 0:”LOCAL VPN NAME”:327: send IKE SA delete 1bb17d97025b7eba/126b50d856d51ce4
    ike 0:”LOCAL VPN NAME”:327: sent IKE msg (ISAKMP SA DELETE-NOTIFY): “local FG public ip”:500->“remote FG public ip”:500, len=108, id=1bb17d97025b7eba/126b50d856d51ce4:c9c0f7d6
    ike 0:”LOCAL VPN NAME”: schedule auto-negotiate
    #5
    Toshi Esumi
    Expert Member
    Re: site to site vpn tunnel is up but no traffic flowing 2019/08/15 21:50:01 (permalink)
    The log you saw was "IPsec". Nothing to do with SSL VPN or other types of VPNs. If somebody from another country is trying to set up a VPN to exploit your network at the public IP on the interface, you would see those logs. It actually happens more often than not. That's why I asked if the remote IP in the log is the IP for your VPN's remote IP.
    #6
    sw2090
    Gold Member
    Re: site to site vpn tunnel is up but no traffic flowing 2019/08/16 00:28:16 (permalink)
    Well, IPsec is cool when it works but it's a pain in the a** to debug :/
    That's not on Fortinet but something to blame IPsec itself for.
     
    According to the logs I see no negotiation errors or timeouts. Just the tunnel going up and then down again, sending the specific SNMP trap.
    Did you check if your key TTLs in phase 1 AND 2 match on both sides?
     
    #7
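    As an added example (not from the thread, not a Fortinet tool), a small Python triage script for captures like the one posted above: it parses the `diagnose debug app ike` lines, reports the negotiated phase 2 parameters, lifetimes and selectors, flags DOWN/UP trap sequences and peer-initiated SA deletes (the up-then-down pattern sw2090 describes), and checks whether inbound IKE packets come from the expected remote gateway (Toshi's point). The `expected_peer` value and the `SAMPLE` capture are assumptions constructed from the thread's own placeholders.

```python
"""Triage a FortiGate 'diagnose debug app ike' capture (added example for this thread, not a
Fortinet tool): separates "phase 2 never matched" from "phase 2 negotiates fine but the SA
keeps being torn down and rebuilt", which is what the captures posted above show."""
import re

# Smart quotes pasted from a word processor (as in the thread) would break matching.
_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"})
_COMES = re.compile(r"comes (?P<src>.+?):\d+->(?P<dst>.+?):\d+,ifindex=")
_DH = re.compile(r"PFS DH group = (\d+)")
_TRANS = re.compile(r"trans_id = (\w+)(?: \(key_len = (\d+)\))?")
_AUTH = re.compile(r"type = AUTH_ALG, val=(\w+)")
_LIFE = re.compile(r"sa life (soft|hard) seconds=(\d+)", re.IGNORECASE)
_ADDED = re.compile(r"added IPsec SA: SPIs=([0-9a-f]+/[0-9a-f]+)")
_DELETED = re.compile(r"deleted IPsec SA with SPI ([0-9a-f]+)")
_SELECTOR = re.compile(r"\b(src|dst) \d+ \d+ \d+:(.+?):\d+$")
_TRAP = re.compile(r"SNMP tunnel (UP|DOWN) trap")


def parse_ike_debug(text):
    s = {"peers": [], "quick_mode_msgs": 0, "phase2_matched": 0, "negotiated": {}, "lifetimes": {},
         "selectors": {}, "sa_added": [], "sa_deleted": [], "peer_deletes": 0, "traps": []}
    in_result = False  # inside the 'negotiation result' block of a Quick mode exchange
    for raw in text.translate(_QUOTES).splitlines():
        line = raw.strip()
        if m := _COMES.search(line):                 # every inbound IKE packet, by source
            s["peers"].append(m.group("src"))
        if "exchange=Quick" in line or "exchange=CREATE_CHILD" in line:
            s["quick_mode_msgs"] += 1                 # IKEv1 Quick mode / IKEv2 CREATE_CHILD
        if "matched phase2" in line or "phase2 matched" in line:
            s["phase2_matched"] += 1
        if "recv IPsec SA delete" in line or "processing delete request" in line:
            s["peer_deletes"] += 1                    # the far side tore the IPsec SA down
        if "negotiation result" in line:
            in_result = True
        elif in_result and "set pfs" in line:         # end of the result block
            in_result = False
        elif in_result:                               # keep the first agreed value of each field
            if m := _DH.search(line):
                s["negotiated"].setdefault("dh_group", m.group(1))
            elif m := _TRANS.search(line):
                s["negotiated"].setdefault("encr", m.group(1))
                s["negotiated"].setdefault("key_len", m.group(2))
            elif m := _AUTH.search(line):
                s["negotiated"].setdefault("auth", m.group(1))
        if m := _LIFE.search(line):
            s["lifetimes"][m.group(1).lower()] = int(m.group(2))
        if m := _SELECTOR.search(line):
            s["selectors"][m.group(1)] = m.group(2)
        if m := _ADDED.search(line):
            s["sa_added"].append(m.group(1))
        if m := _DELETED.search(line):
            s["sa_deleted"].append(m.group(1))
        if m := _TRAP.search(line):                   # UP/DOWN traps in the order they were sent
            s["traps"].append(m.group(1))
    return s


def triage(s, expected_peer=None):
    """Turn the summary into findings; expected_peer is the remote gateway you configured."""
    findings = []
    strangers = sorted({p for p in s["peers"] if expected_peer and p != expected_peer})
    if strangers:  # phase 1 failures in the event log may belong to someone else's attempts
        findings.append(f"IKE packets from peers other than {expected_peer}: {strangers}")
    if s["quick_mode_msgs"] and not s["phase2_matched"]:
        findings.append("phase 2 never matched: compare proposals and selectors on both ends")
    if s["phase2_matched"] and s["sa_added"]:
        n, sel = s["negotiated"], s["selectors"]
        findings.append(f"phase 2 negotiated {n.get('encr')}/{n.get('key_len')}/{n.get('auth')} DH {n.get('dh_group')}, "
                        f"{sel.get('src')} <-> {sel.get('dst')}, hard lifetime {s['lifetimes'].get('hard')}s")
    if "DOWN" in s["traps"] and "UP" in s["traps"]:
        findings.append(f"tunnel flapped ({' -> '.join(s['traps'])}): negotiation works, the SA is being torn down")
    if s["peer_deletes"]:
        findings.append(f"remote gateway deleted the IPsec SA {s['peer_deletes']} time(s): "
                        "check that phase 2 lifetimes and selectors match on the far side")
    return findings


# Constructed sample, cut down from the IKEv1 capture posted in this thread (placeholders kept).
SAMPLE = """\
ike 0: comes "remote FG public ip":500->"local FG public ip":500,ifindex=6....
ike 0: "local vpn name":327: recv IPsec SA delete, spi count 1
ike 0: "local vpn name":"local vpn name": deleted IPsec SA with SPI 4d6c1357, SA count: 0
ike 0: "local vpn name": sending SNMP tunnel DOWN trap for "local vpn name"
ike 0: IKEv1 exchange=Quick id=1bb17d97025b7eba/126b50d856d51ce4:25461b74 len=588
ike 0: "local vpn name":327: "local vpn name":19: matched phase2
ike 0: "local vpn name":327: "local vpn name":19: my proposal:
ike 0: "local vpn name":327: "local vpn name":19:   PFS DH group = 5
ike 0: "local vpn name":327: "local vpn name":19: negotiation result
ike 0: "local vpn name":327: "local vpn name":19:   PFS DH group = 14
ike 0: "local vpn name":327: "local vpn name":19:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0: "local vpn name":327: "local vpn name":19:         type = AUTH_ALG, val=SHA1
ike 0: "local vpn name":327: "local vpn name":19: set pfs=MODP2048
ike 0: "local vpn name":327: "local vpn name":19: SA life hard seconds=43200.
ike 0: "local vpn name":327: "local vpn name":19: src 0 4 0:"local FG LAN ip"/255.255.255.0:0
ike 0: "local vpn name":327: "local vpn name":19: dst 0 4 0:"remote FG LAN ip"/255.255.255.0:0
ike 0: "local vpn name":327: "local vpn name":19: added IPsec SA: SPIs=0c219574/4d6c1358
ike 0: "local vpn name":327: "local vpn name":19: sending SNMP tunnel UP trap
"""

if __name__ == "__main__":
    print(*triage(parse_ike_debug(SAMPLE), expected_peer='"remote FG public ip"'), sep="\n")
```

    Feed it a real capture with `python3 ike_triage.py < capture.txt` after swapping `SAMPLE` for `sys.stdin.read()`; the "my proposal" DH group 5 in the sample is deliberately ignored because only the "negotiation result" block is read.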
    fortinoy
    New Member
    Re: site to site vpn tunnel is up but no traffic flowing 2019/08/16 00:58:43 (permalink)
    Yes, the TTLs in phase 1 and 2 have the same settings.
    #8
    fortinoy
    New Member
    Re: site to site vpn tunnel is up but no traffic flowing 2019/08/16 01:27:19 (permalink)
    Can you guys send me a sample debug of a working site to site VPN on two FortiGates? I really don't know what and where to check to fix this. Thanks.
     
    #9
    fortinoy
    New Member
    Re: site to site vpn tunnel is up but no traffic flowing 2019/08/16 01:52:18 (permalink)
    Here is another debug from the local FortiGate:
     
    ike config update start
    ike config update done
    ike 0: cache rebuild done
    ike 0: comes LOCAL PUBLIC IP:500->REMOTE PUBLIC IP:500,ifindex=6....
    ike 0: IKEv2 exchange=INFORMATIONAL id=a4d297da840a9b86/8dcfd5a5eb102e38:00000002 len=80
    ike 0:LOCAL  VPN NAME:1091: received informational request
    ike 0:LOCAL  VPN NAME:1091: processing delete request (proto 3)
    ike 0:LOCAL  VPN NAME: deleting IPsec SA with SPI 4d6c140e
    ike 0:LOCAL  VPN NAME:LOCAL  VPN NAME: deleted IPsec SA with SPI 4d6c140e, SA count: 0
    ike 0:LOCAL  VPN NAME: sending SNMP tunnel DOWN trap for LOCAL  VPN NAME
    ike 0:LOCAL  VPN NAME:1091: sending delete ack
    ike 0:LOCAL  VPN NAME:1091: sent IKE msg (INFORMATIONAL_RESPONSE): REMOTE PUBLIC IP:500->LOCAL PUBLIC IP:500, len=80, id=a4d297da840a9b86/8dcfd5a5eb102e38:00000002
    ike 0: comes LOCAL PUBLIC IP:500->REMOTE PUBLIC IP:500,ifindex=6....
    ike 0: IKEv2 exchange=CREATE_CHILD id=a4d297da840a9b86/8dcfd5a5eb102e38:00000003 len=192
    ike 0:LOCAL  VPN NAME:1091: received create-child request
    ike 0:LOCAL  VPN NAME:1091: responder received CREATE_CHILD exchange
    ike 0:LOCAL  VPN NAME:1091: responder creating new child
    ike 0:LOCAL  VPN NAME:1091:63: peer proposal:
    ike 0:LOCAL  VPN NAME:1091:63: TSi_0 0:REMOTE  LAN IP-REMOTE  LAN IP:0
    ike 0:LOCAL  VPN NAME:1091:63: TSr_0 0:LOCAL LAN IP-LOCAL  LAN IP:0
    ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: comparing selectors
    ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: matched by rfc-rule-2
    ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: phase2 matched by subset
    ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: accepted proposal:
    ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: TSi_0 0:REMOTE  LAN IP-REMOTE  LAN IP:0
    ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: TSr_0 0:LOCAL LAN IP-LOCAL  LAN IP:0
    ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: autokey
    ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: incoming child SA proposal:
    ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: proposal id = 1:
    ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63:   protocol = ESP:
    ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63:      encapsulation = TUNNEL
    ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63:         type=ENCR, val=AES_CBC (key_len = 256)
    ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63:         type=INTEGR, val=SHA256
    ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63:         type=ESN, val=NO
    ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63:         PFS is disabled
    ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: matched proposal id 1
    ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: proposal id = 1:
    ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63:   protocol = ESP:
    ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63:      encapsulation = TUNNEL
    ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63:         type=ENCR, val=AES_CBC (key_len = 256)
    ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63:         type=INTEGR, val=SHA256
    ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63:         type=ESN, val=NO
    ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63:         PFS is disabled
    ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: lifetime=28800
    ike 0:LOCAL  VPN NAME: schedule auto-negotiate
    ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: set sa life soft seconds=28528.
    ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: set sa life hard seconds=28800.
    ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: IPsec SA selectors #src=1 #dst=1
    ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: src 0 7 0:LOCAL LAN IP-LOCAL  LAN IP:0
    ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: dst 0 7 0:REMOTE  LAN IP-REMOTE  LAN IP:0
    ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: add IPsec SA: SPIs=0c219592/4d6c1410
    ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: added IPsec SA: SPIs=0c219592/4d6c1410
    ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: sending SNMP tunnel UP trap
    ike 0:LOCAL  VPN NAME:1091:LOCAL  VPN NAME:63: responder preparing CREATE_CHILD message
    ike 0:LOCAL  VPN NAME:1091: sent IKE msg (CREATE_CHILD_RESPONSE): REMOTE PUBLIC IP:500->LOCAL PUBLIC IP:500, len=192, id=a4d297da840a9b86/8dcfd5a5eb102e38:00000003
     
    #10
    ede_pfau
    Expert Member
    Re: site to site vpn tunnel is up but no traffic flowing 2019/08/16 06:21:03 (permalink)
    Do you enable NAT-Traversal on both sides? NAT is used.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #11
    rwpatterson
    Expert Member
    Re: site to site vpn tunnel is up but no traffic flowing 2019/08/16 08:31:04 (permalink)
    Do you have a static route with a lower distance than the default defined pointing down the tunnel? This is needed on both ends.

    -Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com

    -4.3.19-b0694
    FWF60B
    FWF80CM (4)
    FWF81CM (2)
     
    #12
    OneOfUs
    Bronze Member
    • Total Posts : 30
    • Scores: 6
    • Reward points: 0
    • Joined: 2019/07/16 06:32:59
    • Status: offline
    Re: site to site vpn tunnel is up but no traffic flowing 2019/08/16 19:11:42 (permalink)
    0
    Based on this:
    ike 0:”LOCAL VPN NAME”: sending SNMP tunnel DOWN trap for “LOCAL VPN NAME”
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: my proposal:
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: proposal id = 1:
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: protocol id = IPSEC_ESP:
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: PFS DH group = 14
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: trans_id = ESP_AES_CBC (key_len = 128)
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: type = AUTH_ALG, val=SHA1
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: proposal id = 2:
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: protocol id = IPSEC_ESP:
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: PFS DH group = 5
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: trans_id = ESP_AES_CBC (key_len = 128)
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: type = AUTH_ALG, val=SHA1
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: incoming proposal:
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: proposal id = 1:
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: protocol id = IPSEC_ESP:
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: PFS DH group = 14
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: trans_id = ESP_AES_CBC (key_len = 128)
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: type = AUTH_ALG, val=SHA1
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: negotiation result
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: proposal id = 1:
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: protocol id = IPSEC_ESP:
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: PFS DH group = 14
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: trans_id = ESP_AES_CBC (key_len = 128)
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: type = AUTH_ALG, val=SHA1
    ike 0:”LOCAL VPN NAME”:330:”LOCAL VPN NAME”:21: sending SNMP tunnel UP trap
     
    It appears the phase 1 (IKE) is coming up and the issue is with the phase 2 (IPSEC) negotiation. The only thing I saw odd in the debug is that you appear to have two phase 2 selectors, while the remote only has one. It may help to eliminate the 2nd phase 2 selector and additional (unneeded) encryption / authentication protocols. Make sure the phase 2 local / remote addresses match.
     
    The phase 2 negotiation appears to complete using: AES-128 SHA1 DH 14 Keylife 43200.
     
    If you look at the IPSEC VPN monitor, does the tunnel appear to bounce?
    #13
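An added example (not posted by anyone in this thread) that parses `diagnose debug application ike` output in the line layout quoted above: it lists the phase 2 suites each side offered, the intersection the responder can choose from, and the traffic selectors the resulting SA covers, which is the mismatch the post above is checking by eye. The tunnel name, subnets and counters in the sample are made up.

```python
import re

# Constructed sample in the layout of the 'diagnose debug application ike' output quoted
# above; the tunnel name, subnets and message counters are made up for this example.
PFX = "ike 0:VPN1:330:VPN1:21: "
SAMPLE = "\n".join(PFX + m for m in [
    "my proposal:", "proposal id = 1:", "PFS DH group = 14",
    "trans_id = ESP_AES_CBC (key_len = 128)", "type = AUTH_ALG, val=SHA1",
    "proposal id = 2:", "PFS DH group = 5",
    "trans_id = ESP_AES_CBC (key_len = 128)", "type = AUTH_ALG, val=SHA1",
    "incoming proposal:", "proposal id = 1:", "PFS DH group = 14",
    "trans_id = ESP_AES_CBC (key_len = 128)", "type = AUTH_ALG, val=SHA1",
    "IPsec SA selectors #src=1 #dst=1",
    "src 0 7 0:192.0.2.0-192.0.2.255:0", "dst 0 7 0:198.51.100.0-198.51.100.255:0"])

SECTION_RE = re.compile(r"(my proposal|incoming proposal|negotiation result)")
ID_RE = re.compile(r"proposal id = (\d+):")
DH_RE = re.compile(r"PFS DH group = (\d+)")
ENC_RE = re.compile(r"trans_id = (\w+) \(key_len = (\d+)\)")
AUTH_RE = re.compile(r"AUTH_ALG, val=(\w+)")
SEL_RE = re.compile(r"\b(src|dst) \d+ \d+ \d+:(\S+):\d+$")

def parse_ike_debug(text):
    """Return ({section: [proposal dicts]}, {"src": [ranges], "dst": [ranges]})."""
    sections, selectors, cur = {}, {"src": [], "dst": []}, None
    for line in text.splitlines():
        if m := SECTION_RE.search(line):          # start of a proposal section
            cur = sections.setdefault(m.group(1), [])
        elif m := SEL_RE.search(line):            # traffic selector of the new SA
            selectors[m.group(1)].append(m.group(2))
        elif cur is None:
            continue
        elif m := ID_RE.search(line):             # new proposal inside the section
            cur.append({"id": int(m.group(1))})
        elif cur and (m := DH_RE.search(line)):
            cur[-1]["dh"] = int(m.group(1))
        elif cur and (m := ENC_RE.search(line)):
            cur[-1]["enc"], cur[-1]["keylen"] = m.group(1), int(m.group(2))
        elif cur and (m := AUTH_RE.search(line)):
            cur[-1]["auth"] = m.group(1)
    return sections, selectors

def suite(p):
    # PFS group is absent when PFS is disabled, hence .get()
    return (p.get("dh"), p.get("enc"), p.get("keylen"), p.get("auth"))

def common_suites(sections):
    """Suites offered by both peers; empty means phase 2 cannot come up as configured."""
    theirs = {suite(p) for p in sections.get("incoming proposal", [])}
    return [suite(p) for p in sections.get("my proposal", []) if suite(p) in theirs]
```

Run the same function over the debug from both FortiGates: the `src`/`dst` ranges on one side should be the mirror of the other side's, and `common_suites` should be non-empty on both.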
    fortinoy
    New Member
    • Total Posts : 16
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/08/14 01:33:31
    • Status: offline
    Re: site to site vpn tunnel is up but no traffic flowing 2019/08/18 21:37:25 (permalink)
    0
    Yes, NAT traversal is enabled on both Fortinets.
    #14
    fortinoy
    New Member
    • Total Posts : 16
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/08/14 01:33:31
    • Status: offline
    Re: site to site vpn tunnel is up but no traffic flowing 2019/08/18 21:47:43 (permalink)
    0
    The administrative distance of the static route for the tunnel is 10. We have a static route with a lower administrative distance than the tunnel at both ends.
    #15
    fortinoy
    New Member
    • Total Posts : 16
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/08/14 01:33:31
    • Status: offline
    Re: site to site vpn tunnel is up but no traffic flowing 2019/08/18 23:20:32 (permalink)
    0
    I changed the phase 2 proposal to AES 128, SHA 1 and 43200 lifeseconds on both Fortinets. Nothing happens. The tunnel is still up but I can't ping devices on the LAN. I can only ping the public IP of the WAN interface on both Fortinets. Really frustrating.
    #16
    zaphod
    New Member
    • Total Posts : 20
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/08/19 01:42:28
    • Status: offline
    Re: site to site vpn tunnel is up but no traffic flowing 2019/08/19 01:46:31 (permalink)
    0
    Hi,
    Just to be sure... do you have policies which allow the traffic through the VPN tunnel?
     
    Which networks are defined in phase 2 to speak with each other?
    With Forti to Forti you can define 0.0.0.0 (any), so you can control which traffic is allowed with policies only...
     
    zaphod
     
    #17
    rwpatterson
    Expert Member
    • Total Posts : 8414
    • Scores: 195
    • Reward points: 0
    • Joined: 2006/08/08 10:08:18
    • Location: Long Island, New York, USA
    • Status: offline
    Re: site to site vpn tunnel is up but no traffic flowing 2019/08/19 05:04:48 (permalink)
    0
    fortinoy
    The administrative distance of the static route for the tunnel is 10. We have a static route with a lower administrative distance than the tunnel at both ends.

    That makes no sense. The static route for the tunnel needs to have a lower administrative distance than the DEFAULT route, which was not mentioned.

    -Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com

    -4.3.19-b0694
    FWF60B
    FWF80CM (4)
    FWF81CM (2)
     
    #18
    fortinoy
    New Member
    • Total Posts : 16
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/08/14 01:33:31
    • Status: offline
    Re: site to site vpn tunnel is up but no traffic flowing 2019/08/19 23:39:28 (permalink)
    0
    Yes, two policies were set up: from the local LAN subnet to the tunnel, and from the tunnel to the local LAN subnet. This is set up on the other Fortinet too. The static route's destination is the remote local LAN subnet and the source interface is the tunnel, with an administrative distance of 10. A static route to the internet with an administrative distance of 1 is also set up.
    #19
    fortinoy
    New Member
    • Total Posts : 16
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/08/14 01:33:31
    • Status: offline
    Re: site to site vpn tunnel is up but no traffic flowing 2019/08/19 23:44:05 (permalink)
    0
    The route to the internet is 0.0.0.0/0 via SD-WAN, which has an administrative distance of 1. The route for the tunnel is the remote LAN subnet via the tunnel interface, with an administrative distance of 10. So should we put 1 on the route to the tunnel and 10 on the route to the internet?
    #20
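As an added illustration (not from any poster in the thread) of how the two routes described in the last few posts interact in a FortiOS-style routing table: distance only ranks candidates for the same prefix, and the longest matching prefix then decides the egress interface. Prefixes and interface names are made up; the extra blackhole entry is a common defensive addition, not something the thread configures.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table modelled on the one described in the thread: a default route via
# the SD-WAN interface at distance 1, the remote LAN via the tunnel interface at distance 10,
# plus a blackhole route for the same prefix at a worse distance (a common defensive addition
# so that LAN traffic does not fall through to the internet while the tunnel is down).
# Prefixes and interface names are made up for this example.
ROUTES = [
    {"prefix": "0.0.0.0/0",      "iface": "sd-wan",    "distance": 1},
    {"prefix": "192.168.2.0/24", "iface": "VPN1",      "distance": 10},
    {"prefix": "192.168.2.0/24", "iface": "blackhole", "distance": 254},
]

def active_routes(routes):
    """FortiOS-style installation: distance only ranks candidates for the *same* prefix.
    The lowest-distance route(s) per prefix become active; the rest wait as standby."""
    best = {}
    for r in routes:
        net = ip_network(r["prefix"])
        if net not in best or r["distance"] < best[net][0]["distance"]:
            best[net] = [r]
        elif r["distance"] == best[net][0]["distance"]:
            best[net].append(r)  # equal distance: both active (priority breaks the tie)
    return best

def lookup(routes, dst):
    """Forwarding decision: the longest matching prefix among the active routes wins,
    whatever the distances involved. Returns the egress interface or None."""
    addr = ip_address(dst)
    matches = [(net, rs) for net, rs in active_routes(routes).items() if addr in net]
    if not matches:
        return None
    net, rs = max(matches, key=lambda m: m[0].prefixlen)
    return rs[0]["iface"]

def without(routes, iface):
    """Simulate an interface going down: static routes over a down tunnel are not active."""
    return [r for r in routes if r["iface"] != iface]
```

Swapping the two distances (1 on the tunnel route, 10 on the default route) leaves the lookup for the remote LAN unchanged, because the two routes never compete on distance; only the standby route for the same /24 takes over when the tunnel route is withdrawn.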