kenny
New Contributor

IPsec Tunnels spinning and spinning

I am building VPNs to Rackspace co-los from all of our FortiGates; we have 100Es and 30Es depending on facility size.

I created our end of the tunnel this evening on a FortiGate 30E. I did what I usually do: run the wizard for the setup and then choose "convert to custom" to change the phase 1 and 2 settings as needed. When I finished the wizard and clicked on the IPsec Tunnels menu under VPN, I get the green spinning thing. It just spins for eternity. I did "get vpn ipsec tunnel summary" and I can see my tunnel there. a) Anyone have any idea why the thinking wheel just keeps spinning? More importantly, is there a doc somewhere that I can read on how to use the CLI to change the local subnet in phase 2? It's listed as 192.168.2.0/24 and it needs to be 192.168.4.0/22.

I want to learn the commands to see the contents of each phase and the syntax to make the change I need to make.

Any Document that could teach me CLI syntax would be awesome. 

As would any specific help with the aforementioned issues.


This is the result of "diagnose vpn tunnel list":

------------------------------------------------------
name=rackspace ver=1 serial=1 104.137.186.200:0->161.47.114.90:0
bound_if=4 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
proxyid_num=1 child_num=0 refcnt=11 ilast=5 olast=5 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=rackspace proto=0 sa=0 ref=1 serial=1
  src: 0:192.168.1.0/255.255.255.0:0
  dst: 0:192.168.2.0/255.255.255.0:0

The "dst:" line is the one I need to change... if I could just change this to 192.168.4.0/22... I think the tunnel would at least be up.
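As an added example (not from the thread), this Python parses the "diagnose vpn tunnel list" output quoted above and flags the two things that decide whether the tunnel is usable: sa=0 (no phase-2 SA has been negotiated, which matches the rxp/txp counters staying at zero) and a phase-2 selector that does not match what the operator expects. The expected src/dst subnets are assumptions passed in by the caller.

```python
import re
import ipaddress

# Constructed sample: the proxyid section of the "diagnose vpn tunnel list"
# output from the post above, one field group per line as the FortiGate prints it.
SAMPLE = """\
name=rackspace ver=1 serial=1 104.137.186.200:0->161.47.114.90:0
bound_if=4 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
proxyid_num=1 child_num=0 refcnt=11 ilast=5 olast=5 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=rackspace proto=0 sa=0 ref=1 serial=1
  src: 0:192.168.1.0/255.255.255.0:0
  dst: 0:192.168.2.0/255.255.255.0:0
"""

# Selector lines look like "  src: 0:<network>/<netmask>:<port>".
SELECTOR = re.compile(r"^\s*(src|dst): \d+:([\d.]+)/([\d.]+):\d+", re.M)


def parse_tunnel(text):
    """Extract the fields that matter for 'is this tunnel up and carrying traffic'."""
    info = {
        "name": re.search(r"name=(\S+)", text).group(1),
        "sa": int(re.search(r"\bsa=(\d+)", text).group(1)),   # number of phase-2 SAs
        "rxp": int(re.search(r"rxp=(\d+)", text).group(1)),   # packets received
        "txp": int(re.search(r"txp=(\d+)", text).group(1)),   # packets sent
    }
    for side, net, mask in SELECTOR.findall(text):
        # ip_network accepts dotted netmask notation and normalises it to CIDR.
        info[side] = ipaddress.ip_network(f"{net}/{mask}")
    return info


def check_tunnel(text, expected_src, expected_dst):
    """Return human-readable findings; an empty list means the tunnel looks healthy."""
    t = parse_tunnel(text)
    findings = []
    if t["sa"] == 0:
        findings.append(f"{t['name']}: sa=0, no phase-2 SA is up "
                        f"(rxp/txp are {t['rxp']}/{t['txp']})")
    for side, want in (("src", expected_src), ("dst", expected_dst)):
        have = t.get(side)
        if have != ipaddress.ip_network(want):
            findings.append(f"{t['name']}: {side} selector is {have}, expected {want}")
    return findings


if __name__ == "__main__":
    for line in check_tunnel(SAMPLE, "192.168.1.0/24", "192.168.4.0/22"):
        print(line)
```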

ShawnZA
Contributor II

Not sure about the spinning thing; what version are you on?


I usually look through the config file if I need to find where to configure stuff in the CLI that I haven't done before:

So for the Phase 2:


config vpn ipsec phase2-interface
    edit "YourTunnelName"
        set phase1name "YourPhase1Tunnel"
        set proposal aes256-sha1
        set dhgrp 20
        set auto-negotiate enable
        set keylifeseconds 3600
        set src-subnet 192.168.4.0 255.255.252.0
        set dst-subnet 192.168.20.0 255.255.255.0
    next
end

kenny
New Contributor

Awesome, thanks. I'm using 6.0.2 on an FG 30E.

How do I go view the config file? That's really good advice and universally helpful for anything.

Is there a CLI version of ls I can use to see config files?


ShawnZA
Contributor II

Our configs get backed up by SolarWinds Config Manager, but you can grab one through the web UI as per the attached screenshot.


Download it and open it with a text editor. Do not encrypt the file, or else you can't open it.


You should be able to SSH to your management IP if it has been enabled.


kenny
New Contributor

nm

m0j0
New Contributor III

To get a full config file, just download from your GUI...

Go to the main Dashboard screen and on the top right, click on "admin" (or whatever the username is that you logged in with).  Click Configuration => Backup.  Select Local PC and click OK.

This will save a text config file that you can open in any text editor.


To view the phase 2 config in CLI once changed...

# show vpn ipsec phase2-interface


If it hasn't changed, you have to enter "next" after making your change in CLI followed by "end".


m0j0
New Contributor III

If you want a full text config that includes all the default settings, from the CLI, enter...


# show full-configuration


This will dump out something quite large. Make sure you have plenty of scroll-back buffer in your console, or use something like PuTTY that can dump that full output straight to a text file.


kenny
New Contributor

One final question.

Since the GUI is worthless for VPN right now, how do I check if the ipsec tunnel is up in CLI?

Also, it seems I need to create a static route, because the VPN says up in the monitor but I can't ping the server through the VPN. There's something you can do where you run a debug, ping the other side of the VPN from a local workstation, and watch the route it takes trying to get out in the debug. Anyone know what that debugger is called, or what commands to use?


Then I'm done. :)

ShawnZA
Contributor II

If it says up under the monitor tab it should be up. Usually the IPSEC VPN setup adds the static route for you, but you can double check that under your static routes.


Then it could just be a case of the rules not allowing ICMP... does your firewall policy for the VPN tunnel allow all traffic? And what about the other side, also allowing all or at least ICMP?


I usually lock down the tunnels to whatever ports are needed, and ICMP, as per the screenshot of the IPsec firewall policy: SQL traffic and ICMP only for that one.


Follow the commands from this to troubleshoot IPsec issues in the CLI:


https://help.fortinet.com...ng/Troubleshooting.htm


kenny
New Contributor

I had to write a static route on the other 30E with a tunnel to the same place; that's why I asked.

Remember the monitor in the GUI is only visible half the time, so I can't even use that to check if it's up half the time. That's why I'm asking about the CLI; my company is too cheap to renew the support license, so the spinning in IPsec monitor and tunnels has to fix itself.


Either way, thanks for the advice. I'll check it out.

I'd still like to know the debugging trick the guy showed me earlier for watching the packets route in real time.


Night all, thanks.
