Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
suthomas1
New Contributor

tunnel traffic

Hello everyone,

 

In an IPsec VPN, is tunnel traffic (the IP addresses, e.g. 10.1.10.0/24 or 10.1.2.0/24, that communicate between both sides) needed for bringing the tunnel up? In which phase does this parameter get checked for both sides, and will it have any impact on getting the tunnel up?

Suthomas
7 REPLIES
ede_pfau
Esteemed Contributor III

For a regular site-2-site tunnel, traffic from either side will trigger tunnel negotiation. In practice, these tunnels are hardly ever down.

Phase 2 selects which kind of traffic is allowed across, and will trigger negotiations.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
suthomas1

Thank you. So if the two ends have different allowed subnets configured, will it have problems getting the tunnel up and running?

Suthomas
ede_pfau
Esteemed Contributor III

Then it won't get the tunnel up at all.

These addresses in phase2 are called Quick Mode selectors for a reason. Only matching traffic will traverse the tunnel, or lead to negotiations. (As always, policies permitting.)


Ede

"Kernel panic: Aiee, killing interrupt handler!"
rwpatterson
Valued Contributor III

In phase 2 you will need to define the close end and the remote end for each side. You are allowed multiple phase 2 definitions for any phase 1 tunnel.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

suthomas1

Thank you.

I was given these details by one of our subsidiaries who had some issues.

(The IP addresses are all made up for this example.)

 

218.57.31.88 - end A, our subsidiary's IP

104.27.61.54 - end B, the remote party

 

Here, the IKE SA seems to come up fine, along with the start of an SA for phase 2.

What do a) "no pending Quick-Mode negotiations", b) "no matching IPsec SPI" and c) "notify msg received: NO-PROPOSAL-CHOSEN" mean?

 

Is my thinking correct that phase 2 is nearly set up to begin traffic flow and is then torn down because of some proposal problem?

 

 

 

ike 6:tunnel-kep:83909: authentication OK
ike 6:tunnel-kep:83909: established IKE SA 7426aa4f1025/eafdf3fde32e42fd
ike 6:tunnel-kep: HA send IKE connection add 218.57.31.88->104.27.61.54
ike 6:tunnel-kep:83909: HA send IKE SA add 7426aa4f1025/eafdf3fde32e42fd
ike 6:tunnel-kep: set oper up
ike 6:tunnel-kep: schedule auto-negotiate
ike 6:tunnel-kep:83909: no pending Quick-Mode negotiations
ike 6:tunnel-kep:tunnel-kep: IPsec SA connect 57 218.57.31.88->104.27.61.54:0
ike 6:tunnel-kep:tunnel-kep: using existing connection
ike 6:tunnel-kep:tunnel-kep: config found
ike 6:tunnel-kep:tunnel-kep: IPsec SA connect 57 218.57.31.88->104.27.61.54:500 negotiating
ike 6:tunnel-kep:83909: cookie 7426aa4f1025/eafdf3fde32e42fd:cf5faa27
ike 6:tunnel-kep:83909:tunnel-kep:951: initiator selectors 0 0:10.58.0.0/255.255.0.0:0:0->0:10.23.0.0/255.255.255.0:0:0
ike 6:tunnel-kep:83909: enc 297E6247BB4E2105EA4DF3DF626233E408102001CF5FAA270000016401000018983A980123652960287ED0EF4DF8C1E44B622E140A00003800000001000000010000002C010304016E20ABF800000020010C0000800100018002708080040001800601008005000280030005040000142E76AB377A710B5EF2F996F8288CC5CF050000C4A40AD595DBDCBF552786D022307EA13822BA5CF63A9537726DD4D07F0CD120EBD4CC5517BC58AD5FE2783C5DB1E3C4286E6001687C0673DEAF41AB932B4BF65997BADA0885786BA95216C61B2A78A0CD4497B1EB2955D512D1CDEA378802E35891024C858F3528CAD2478FFDDE239338C7D87B29EF6239B14D104BAFB64F2241E176873206725A49F34EE1718E7FF58EB5D97F622076B571D5630EEB096576CFC325150D581657BA634339258D7DDD74CC3A863FFABD4179DE17CC2A2C08577705000010040000000AEA0000FFFF000000000010040000000A466600FFFFFF00
ike 6:tunnel-kep:83909: out [...]
ike 6:tunnel-kep:83909: sent IKE msg (quick_i1send): 218.57.31.88:500->104.27.61.54:500, len=364, id=7426aa4f1025/eafdf3fde32e42fd:cf5faa27
ike 6: comes 104.27.61.54:500->218.57.31.88:500,ifindex=57....
ike 6: IKEv1 exchange=Informational id=7426aa4f1025/eafdf3fde32e42fd:d65138df len=92
ike 6: in 297E6247BB4E2105EA4DF3DF626233E408100501D65138DF0000005C595963F127F9B19CDBD5BE25B6F3FB49FCBAF46DF2A298ECBDB705378FD3E91FA08BBDA73937987E2E63D2E9AA3439E08334BBDBDEC107595AA8E06E915D17F8
ike 6:tunnel-kep:83909: dec 297E6247BB4E2105EA4DF3DF626233E408100501D65138DF0000005C0B00001879906F25E77CC65753F3956CE37F103602FE970B00000020000000010310000E297E6247BB4E2105EA4DF3DF626233E4CF5FAA270000000000000000
ike 6:tunnel-kep:83909: notify msg received: NO-PROPOSAL-CHOSEN
ike 6:tunnel-kep:83909:: no matching IPsec SPI
ike 6:tunnel-kep:83909:tunnel-kep:951: delete phase2 SPI f8ab206e
ike 6: comes 104.27.61.54:500->218.57.31.88:500,ifindex=57....
ike 6: IKEv1 exchange=Informational id=7426aa4f1025/eafdf3fde32e42fd:ba3f1d99 len=92
ike 6: in 297E6247BB4E2105EA4DF3DF626233E408100501BA3F1D990000005CDA3FB98FCDB82AF14CC2E246A1966CED8659CF1C9A50E786A635E032172CF900F9B0A75E70012090560C757764FAAA411D51ACF828B77252504E2EC4D90B9332
ike 6:tunnel-kep:83909: dec 297E6247BB4E2105EA4DF3DF626233E408100501BA3F1D990000005C0C000018559492FF8670F7439217C4F5CE27F0C8A0D17CB40000001C0000000101100001297E6247BB4E2105EA4DF3DF626233E4000000000000000000000000
ike 6:tunnel-kep:83909: recv ISAKMP SA delete 7426aa4f1025/eafdf3fde32e42fd
ike 6:tunnel-kep: deleting
ike 6:tunnel-kep:83909: HA send IKE SA del 7426aa4f1025/eafdf3fde32e42fd
ike 6:tunnel-kep: deleted
ike 6:tunnel-kep: set oper down

Suthomas
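Decoding the two decrypted Informational messages in the debug output above, as an added example that is not part of the original post or of any Fortinet tool: the hex after "dec" is a plain ISAKMP message (28-byte header, then a chain of payloads), so the NO-PROPOSAL-CHOSEN notify and the ISAKMP SA delete can be read straight off the bytes. A small triage function then pulls the same facts out of the log text. The log excerpt below is constructed from lines of the post above with the encrypted "in"/"enc" dumps dropped; the notify-type and payload-type tables are the subset of RFC 2408 / RFC 2407 values needed here.

```python
import re
import struct

# Decrypted ("dec") Informational messages copied from the debug output in the post above.
NOTIFY_DEC = ("297E6247BB4E2105EA4DF3DF626233E408100501D65138DF0000005C0B00001879906F25E77CC657"
              "53F3956CE37F103602FE970B00000020000000010310000E297E6247BB4E2105EA4DF3DF626233E4"
              "CF5FAA270000000000000000")
DELETE_DEC = ("297E6247BB4E2105EA4DF3DF626233E408100501BA3F1D990000005C0C000018559492FF8670F743"
              "9217C4F5CE27F0C8A0D17CB40000001C0000000101100001297E6247BB4E2105EA4DF3DF626233E4"
              "000000000000000000000000")

# Constructed excerpt of the same "diag debug app ike" output: only the lines the triage
# keys on, with the encrypted "in"/"enc" hex dropped and the two "dec" messages kept in full.
IKE_DEBUG = f"""\
ike 6:tunnel-kep:83909: established IKE SA 7426aa4f1025/eafdf3fde32e42fd
ike 6:tunnel-kep:83909:tunnel-kep:951: initiator selectors 0 0:10.58.0.0/255.255.0.0:0:0->0:10.23.0.0/255.255.255.0:0:0
ike 6:tunnel-kep:83909: sent IKE msg (quick_i1send): 218.57.31.88:500->104.27.61.54:500, len=364, id=7426aa4f1025/eafdf3fde32e42fd:cf5faa27
ike 6: IKEv1 exchange=Informational id=7426aa4f1025/eafdf3fde32e42fd:d65138df len=92
ike 6:tunnel-kep:83909: dec {NOTIFY_DEC}
ike 6:tunnel-kep:83909: notify msg received: NO-PROPOSAL-CHOSEN
ike 6:tunnel-kep:83909:: no matching IPsec SPI
ike 6:tunnel-kep:83909:tunnel-kep:951: delete phase2 SPI f8ab206e
ike 6: IKEv1 exchange=Informational id=7426aa4f1025/eafdf3fde32e42fd:ba3f1d99 len=92
ike 6:tunnel-kep:83909: dec {DELETE_DEC}
ike 6:tunnel-kep:83909: recv ISAKMP SA delete 7426aa4f1025/eafdf3fde32e42fd
ike 6:tunnel-kep: set oper down
"""

# ISAKMP constants (RFC 2408 / RFC 2407), only the values this example needs.
PAYLOAD_TYPES = {1: "SA", 5: "ID", 8: "HASH", 10: "NONCE", 11: "NOTIFY", 12: "DELETE"}
PROTOCOLS = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}
NOTIFY_TYPES = {11: "INVALID-SPI", 14: "NO-PROPOSAL-CHOSEN", 18: "INVALID-ID-INFORMATION",
                24: "AUTHENTICATION-FAILED"}
EXCHANGES = {2: "Main Mode", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"}


def decode_isakmp(hex_msg: str) -> dict:
    """Parse one decrypted ISAKMP message: fixed 28-byte header, then the payload chain."""
    raw = bytes.fromhex(hex_msg)
    _icookie, _rcookie, next_pl, _ver, exch, flags, msgid, length = struct.unpack("!8s8sBBBBII", raw[:28])
    if length != len(raw):
        raise ValueError(f"header length {length} does not match {len(raw)} bytes")
    msg = {"exchange": EXCHANGES.get(exch, exch), "msgid": f"{msgid:08x}",
           "encrypted": bool(flags & 1), "payloads": []}
    off = 28
    while next_pl != 0 and off + 4 <= length:
        this_pl = next_pl
        next_pl, _reserved, plen = struct.unpack("!BBH", raw[off:off + 4])  # generic payload header
        body = raw[off + 4:off + plen]
        entry = {"type": PAYLOAD_TYPES.get(this_pl, this_pl)}
        if this_pl == 11:    # NOTIFY: DOI, protocol, SPI size, notify type, SPI, notification data
            _doi, proto, spi_size, ntype = struct.unpack("!IBBH", body[:8])
            entry.update(protocol=PROTOCOLS.get(proto, proto), notify=NOTIFY_TYPES.get(ntype, ntype),
                         spi=body[8:8 + spi_size].hex(), data=body[8 + spi_size:].hex())
        elif this_pl == 12:  # DELETE: DOI, protocol, SPI size, SPI count, SPIs
            _doi, proto, spi_size, count = struct.unpack("!IBBH", body[:8])
            entry.update(protocol=PROTOCOLS.get(proto, proto),
                         spis=[body[8 + i * spi_size:8 + (i + 1) * spi_size].hex() for i in range(count)])
        msg["payloads"].append(entry)
        off += plen
    return msg


def triage(debug_text: str) -> dict:
    """Reduce a phase 2 failure to the facts that matter: what we proposed and what the peer answered."""
    s = {"selectors": None, "sent_qm_msgid": None, "rejected_qm_msgid": None,
         "notifies": [], "isakmp_deleted": False, "oper_down": False}
    for line in debug_text.splitlines():
        if m := re.search(r"initiator selectors \d+ \d+:([^:]+):\d+:\d+->\d+:([^:]+):\d+:\d+", line):
            s["selectors"] = (m.group(1), m.group(2))          # local/remote Quick Mode selectors we sent
        elif m := re.search(r"quick_i1send.*id=[0-9a-f]+/[0-9a-f]+:([0-9a-f]+)", line):
            s["sent_qm_msgid"] = m.group(1)                    # message ID of our Quick Mode message 1
        elif m := re.search(r": dec ([0-9A-Fa-f]+)\s*$", line):
            for pl in decode_isakmp(m.group(1))["payloads"]:
                if pl["type"] == "NOTIFY":
                    s["notifies"].append((pl["protocol"], pl["notify"]))
                    if pl["notify"] == "NO-PROPOSAL-CHOSEN":
                        s["rejected_qm_msgid"] = pl["data"]    # in this capture: the rejected QM message ID
                elif pl["type"] == "DELETE" and pl["protocol"] == "ISAKMP":
                    s["isakmp_deleted"] = True                 # peer tore down phase 1 as well
        elif "set oper down" in line:
            s["oper_down"] = True
    return s


if __name__ == "__main__":
    print(triage(IKE_DEBUG))
```

What the decode shows: the notify is for protocol 3 (ESP) with a 16-byte SPI field holding the ISAKMP cookie pair rather than a 4-byte ESP SPI, which is consistent with FortiGate's "no matching IPsec SPI" line; its four bytes of notification data equal the message ID of the Quick Mode message just sent (cf5faa27). So phase 1 completed, the peer received the Quick Mode proposal and rejected it outright, then deleted the ISAKMP SA. Whether it objected to the selectors (10.58.0.0/16 -> 10.23.0.0/24) or to the phase 2 crypto proposal cannot be told from this side; the far end's own debug says which.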
rwpatterson
Valued Contributor III

I should add that the phase 2 defines the INSIDE IP subnets while the phase 1 defines the public IP addresses.

 

Also being that this is a public forum, it is recommended that you obfuscate the IP addresses for security purposes. Placing XXX in the first couple of octets is usually good enough.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

emnoc
Esteemed Contributor III

OP

 

1> Did you confirm the proposal and the src/dst subnets for phase 2?

 

2> You have to match your src/dst to the far end's dst/src

 

or 

 

3> use 0.0.0.0/0, which is the default if you do not set phase 2 subnets.

 

Can you share the tunnel subnets that should be used? And what is the far-end device?

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

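A check for the advice given in this thread (ede_pfau's point that the phase 2 Quick Mode selectors must match, rwpatterson's that each phase 2 names a local and a remote inside subnet, and emnoc's options 2 and 3), as an added example that is not part of the thread or of any Fortinet tool: it parses FortiGate-style phase2-interface fragments from both ends and reports, per selector, whether the far end has the exact mirror, only a wider selector that covers it, or nothing at all. The two config fragments and their names are constructed for this example; treating an unset src/dst-subnet as 0.0.0.0/0 follows emnoc's point 3.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed FortiGate-style phase2-interface fragments for the two ends of one tunnel.
# Names, subnets and the deliberate gaps are made up for this example.
END_A_CONFIG = """
config vpn ipsec phase2-interface
    edit "tunnel-kep-p2a"
        set phase1name "tunnel-kep"
        set src-subnet 10.58.0.0 255.255.0.0
        set dst-subnet 10.23.0.0 255.255.255.0
    next
    edit "tunnel-kep-p2b"
        set phase1name "tunnel-kep"
        set src-subnet 10.1.10.0 255.255.255.0
        set dst-subnet 10.1.2.0 255.255.255.0
    next
end
"""

END_B_CONFIG = """
config vpn ipsec phase2-interface
    edit "to-subsidiary-p2a"
        set phase1name "to-subsidiary"
        set src-subnet 10.23.0.0 255.255.255.0
        set dst-subnet 10.58.0.0 255.255.0.0
    next
    edit "to-subsidiary-any"
        set phase1name "to-subsidiary"
    next
end
"""

PHASE2_BLOCK = re.compile(r'edit\s+"([^"]+)"(.*?)\n\s*next', re.S)
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Selector:
    name: str
    local: ipaddress.IPv4Network   # src-subnet: the inside network behind this end
    remote: ipaddress.IPv4Network  # dst-subnet: the inside network behind the far end


def parse_phase2(config: str) -> list:
    """Extract the (local, remote) Quick Mode selectors from a phase2-interface config."""
    selectors = []
    for name, body in PHASE2_BLOCK.findall(config):
        nets = {}
        for key in ("src-subnet", "dst-subnet"):
            m = re.search(rf"set {key}\s+(\S+)\s+(\S+)", body)
            # An unset src/dst-subnet means 0.0.0.0 0.0.0.0, i.e. any (emnoc's point 3)
            nets[key] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False) if m else ANY
        selectors.append(Selector(name, nets["src-subnet"], nets["dst-subnet"]))
    return selectors


def check_mirror(near: list, far: list) -> dict:
    """For every selector on the near end, classify how the far end answers it:
    'exact'    - the far end has the mirrored pair (its src == our dst, its dst == our src)
    'covered'  - the far end only has a wider pair (e.g. 0.0.0.0/0) that contains ours
    'mismatch' - nothing on the far end matches; Quick Mode for this selector will fail
    """
    verdicts = {}
    for sel in near:
        verdict = "mismatch"
        for other in far:
            if other.local == sel.remote and other.remote == sel.local:
                verdict = "exact"
                break
            if sel.remote.subnet_of(other.local) and sel.local.subnet_of(other.remote):
                verdict = "covered"
        verdicts[sel.name] = verdict
    return verdicts


if __name__ == "__main__":
    a, b = parse_phase2(END_A_CONFIG), parse_phase2(END_B_CONFIG)
    print("end A -> end B:", check_mirror(a, b))
    print("end B -> end A:", check_mirror(b, a))
```

Read "covered" as something to confirm, not as a pass: it only works if the far end is willing to negotiate a narrower selector than it has configured (a FortiGate with 0.0.0.0/0 does; some other vendors insist on an exact match), which is why the far-end device type matters. "mismatch" is the situation in ede_pfau's reply: Quick Mode for that selector will not complete, however healthy phase 1 looks.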