- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- [solved] strange behaviour in ipsec site2site (was...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
[solved] strange behaviour in ipsec site2site (was a p1 auto-negotiation issue)
Hi,
I have the following setup here:
Side A:
FGT 100E with 6.0.9
lan subnet is xx.xx.xx.0/24
Side B:
FGT 80C with 5.6.12 (latest available for 80C)
lan subnet is yy.yy.yy.0/24
IPSec Site2Site between A and B is set up.
The Tunnel is up (green in monitor) and monitor does show there is traffic in both directions on this one.
now when I ping xx.xx.xx.10 from client yy.yy.yy.50 on Side B I get no response.
Flow Trace on Side B shows that the traffic goes out to side A over the IPsec as it should.
Flow Trace on Side A shows that the traffic coming from my client does reach side A and is routed on correctly
Flow Trace on Side A also shows me that there is traffic from xx.xx.xx.10 to my client and that it is routed over the Ipsec correctly.
However: Flow Trace on Side B with Filter saddr xx.xx.xx.10 and daddr yy.yy.yy.50 shows just nothing.
So looks to me as if the traffic coming back to my client on side B gets lost somewhere on the ipsec?
Did anyone here have this? Any clues?
Thnx in advance!
Sebastian
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
12 REPLIES 12
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hm it looks like as if i solved it myself.
first I found that NAT-T was not enabled on one side but enabled on the opposite side.
So I enabled it and brought the tunnel down on this side to have it re-establish itself automagically which it did.
The behaviour was still the same...
Then I found some hint on Mike's Fortinet Guru Page. The was a paragraph about restarting ike and clearing old gateways.
So I did
diag vpn ike restart
diag vpn ike gateway clear
and after those:
diag vpn ike status
this showed me that one ipsec tunnel was up again. There is two others but those have different policies and routes etc so they don't affect this one. Those are not up yet because I still have to create their remote end ;)
after this I tried pinging again and...magically...it works now....
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hm it works from B to A now. Even remote desktop works from Client on Side B to Server on Side A.
But if I try to ping from A to B my traffic gets dropped (denied by forward policy check (Policy #0) even though there devinitely is a matching policy in place (it showed me it matched it in flow debug before).
It finds the correct route but seems not to match my policy anymore...
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to double check policy and possible "diag sniffer packet <tunnel_name>"
BTW NAT-T is negotiated at phase1 and HAS NOTHING to do with phase2 which are SA ....i.e layer3 proxy-ids
I would double check policy , routes and ensure NAT is off if not required.
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
never said NAT-T had to do something with phase 2. p2 was up fine all the time accoarding to the output of diag vpn ike status...
I just noticed it wasn't turned on on Side B but should be since this is behind a LTE Router so I turned it on...
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
correction again :)
That it worked in one direction only was due to the client on side A which i used to ping side B.
This client is in two subnets and so has two default routes and their metric struck me this time ;)
On that client that is wanted behaviour ;)
I tried on one that is only in xx.xx.xx.0/24 and it worked from there as it should ;)
I consider this last one to be a layer-8-fail :D
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Right,
new problem now:
ipsec is up and working fine so far.
Now if I reboot remote end (side B) tunnel goes down (of course)..ok so far :)
remote end comes up again but tunnel is still down and takes ages until it comes up again.
Once it is back up again it works fine again.
When it goes down the FGT on side A shows it is down in ipsec monitor on gui.
When side B comes up again I see p1 connection requests from it on side A FGT in diag debug app ike -1 output.
It does match p1 proposals and the right tunnel but then don't go further.
To mee it looks as if when the ipsec goes down when side B reboots it does get this (I assume either via DPD oder NAT Keepalive - its shown down in ipsec monitor) something is leftover and that prevents side B from establishing a new vpn conncetion until it gets removed by timeout.
Maybe it does establish P1 but then tries to re-establish old p2 which will not work until some timeout kicks it?
Does anyone have any tip or idea for me?
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Enable auto-negotiation on the phase2 definitions and the ipsec tunnel will always come up. You do it from the cli
https://kb.fortinet.com/kb/documentLink.do?externalID=12069
The diag vpn tunnel list will show you want ones are not enable in the output.
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ken,
auto negation is always on on all my ipsec tunnels here on both side. I see in the logs that both sides try to auto negotiate. Also once that Tunnel finally has come up and I bring it down with the button in ipsec manager on gui it does go down and re-auto-negotiates within some sec.
It just does not do this when I reboot side B.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How did you determine that in the logs? If one side goes down, does the other side clears the ike and ipsec SAs?
diag vpn tunnel list | grep spi
diag vpn ike gateway
If you still see IKE/IPSEC SAs than one side is stuck. I would suggest diagnose DPD if you suspect DPD
diag debug reset
diag debug enable
diag debug application ike -1
diag debug enable
Monitor R U THERE messages
Alternative, run diag sniffer packet on wan interface and just for the interval and packets
e.g
diag sniffer packet wan "host 192.0.2.1 and port 500 or 4500"
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Labels
-
FortiGate
6,459 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
High Availability
21 -
FortiConverter
21 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.