tunnel traffic

suthomas1
2020/06/27 04:44:43 (permalink)

tunnel traffic

Hello everyone,
 
In an IPsec VPN, is tunnel traffic (the IP addresses, e.g. 10.1.10.0/24 or 10.1.2.0/24, which communicate between both sides) needed for bringing the tunnel up? In which phase does this parameter get checked for both sides, and will it have any impact on getting the tunnel up?
#1

7 Replies

    ede_pfau
    Re: tunnel traffic 2020/06/27 09:03:40 (permalink)
    For a regular site-2-site tunnel, traffic from any side will trigger tunnel negotiation. In practice, these tunnels hardly ever are down.
    Phase2 selects which kind of traffic is allowed across, and will trigger negos.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #2
    suthomas1
    Re: tunnel traffic 2020/06/29 04:12:51 (permalink)
    Thank you, so if the two ends have different allowed subnets configured will it have problems in getting the tunnel up and running?
    #3
    ede_pfau
    Re: tunnel traffic 2020/06/29 04:36:12 (permalink)
    Then it won't get the tunnel up at all.
    These addresses in phase2 are called Quick Mode selectors for a reason. Only matching traffic will traverse the tunnel, or lead to negotiations. (As always, policies permitting.)

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #4
    rwpatterson
    Re: tunnel traffic 2020/06/29 04:52:33 (permalink)
    In the phase 2 you will need to define the close end and the remote end for each side. You are allowed multiple phase 2 definitions for any phase 1 tunnel.

    -Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com

    -4.3.19-b0694
    FWF80CM (2)
    FWF81CM (3)
     
    #5
    suthomas1
    Re: tunnel traffic 2020/06/29 05:04:25 (permalink)
    Thank you.
    I was given these details by one of our subsidiaries who had some issues.
    (IP addresses are all randomised for this example)
     
    218.57.31.88 - end A, our subsidiary's IP
    104.27.61.54 - end B, remote party
     
    Here, the IKE SA seems to come up fine, along with some start of an SA for phase 2.
    What do a) no pending Quick-Mode negotiations, b) no matching IPsec SPI and c) notify msg received: NO-PROPOSAL-CHOSEN mean?
     
    Is my thinking correct that phase 2 is nearly set up to begin traffic flow and is then torn down because of some proposal problem?
     
    ike 6:tunnel-kep:83909: authentication OK
    ike 6:tunnel-kep:83909: established IKE SA 7426aa4f1025/eafdf3fde32e42fd
    ike 6:tunnel-kep: HA send IKE connection add 218.57.31.88->104.27.61.54
    ike 6:tunnel-kep:83909: HA send IKE SA add 7426aa4f1025/eafdf3fde32e42fd
    ike 6:tunnel-kep: set oper up
    ike 6:tunnel-kep: schedule auto-negotiate
    ike 6:tunnel-kep:83909: no pending Quick-Mode negotiations
    ike 6:tunnel-kep:tunnel-kep: IPsec SA connect 57 218.57.31.88->104.27.61.54:0
    ike 6:tunnel-kep:tunnel-kep: using existing connection
    ike 6:tunnel-kep:tunnel-kep: config found
    ike 6:tunnel-kep:tunnel-kep: IPsec SA connect 57 218.57.31.88->104.27.61.54:500 negotiating
    ike 6:tunnel-kep:83909: cookie 7426aa4f1025/eafdf3fde32e42fd:cf5faa27
    ike 6:tunnel-kep:83909:tunnel-kep:951: initiator selectors 0 0:10.58.0.0/255.255.0.0:0:0->0:10.23.0.0/255.255.255.0:0:0
    ike 6:tunnel-kep:83909: sent IKE msg (quick_i1send): 218.57.31.88:500->104.27.61.54:500, len=364, id=7426aa4f1025/eafdf3fde32e42fd:cf5faa27
    ike 6: comes 104.27.61.54:500->218.57.31.88:500,ifindex=57....
    ike 6: IKEv1 exchange=Informational id=7426aa4f1025/eafdf3fde32e42fd:d65138df len=92
    ike 6: in 297E6247BB4E2105EA4DF3DF626233E408100501D65138DF0000005C595963F127F9B19CDBD5BE25B6F3FB49FCBAF46DF2A298ECBDB705378FD3E91FA08BBDA73937987E2E63D2E9AA3439E08334BBDBDEC107595AA8E06E915D17F8
    ike 6:tunnel-kep:83909: dec 297E6247BB4E2105EA4DF3DF626233E408100501D65138DF0000005C0B00001879906F25E77CC65753F3956CE37F103602FE970B00000020000000010310000E297E6247BB4E2105EA4DF3DF626233E4CF5FAA270000000000000000
    ike 6:tunnel-kep:83909: notify msg received: NO-PROPOSAL-CHOSEN
    ike 6:tunnel-kep:83909:: no matching IPsec SPI
    ike 6:tunnel-kep:83909:tunnel-kep:951: delete phase2 SPI f8ab206e
    ike 6: comes 104.27.61.54:500->218.57.31.88:500,ifindex=57....
    ike 6: IKEv1 exchange=Informational id=7426aa4f1025/eafdf3fde32e42fd:ba3f1d99 len=92
    ike 6: in 297E6247BB4E2105EA4DF3DF626233E408100501BA3F1D990000005CDA3FB98FCDB82AF14CC2E246A1966CED8659CF1C9A50E786A635E032172CF900F9B0A75E70012090560C757764FAAA411D51ACF828B77252504E2EC4D90B9332
    ike 6:tunnel-kep:83909: dec 297E6247BB4E2105EA4DF3DF626233E408100501BA3F1D990000005C0C000018559492FF8670F7439217C4F5CE27F0C8A0D17CB40000001C0000000101100001297E6247BB4E2105EA4DF3DF626233E4000000000000000000000000
    ike 6:tunnel-kep:83909: recv ISAKMP SA delete 7426aa4f1025/eafdf3fde32e42fd
    ike 6:tunnel-kep: deleting
    ike 6:tunnel-kep:83909: HA send IKE SA del 7426aa4f1025/eafdf3fde32e42fd
    ike 6:tunnel-kep: deleted
    ike 6:tunnel-kep: set oper down
    #6
    rwpatterson
    Re: tunnel traffic 2020/06/29 06:28:22 (permalink)
    I should add that the phase 2 defines the INSIDE IP subnets while the phase 1 defines the public IP addresses.
     
    Also being that this is a public forum, it is recommended that you obfuscate the IP addresses for security purposes. Placing XXX in the first couple of octets is usually good enough.
    post edited by rwpatterson - 2020/06/29 06:30:23

    #7
    emnoc
    Re: tunnel traffic 2020/06/29 08:45:18 (permalink)
    OP
     
    1> Did you confirm the proposal and the src/dst subnets for phase 2?
     
    2> You have to match your src/dst to the far end's dst/src,
     
    or 
     
    3> use 0.0.0.0/0, which is the default if you do not set phase 2 subnets.
     
    Can you share the tunnel subnets that should be used, and what is the far-end device?
     
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  
    #8
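The mirroring rule from the replies above (our src/dst must be the far end's dst/src, with 0.0.0.0/0 accepting anything), applied to the "initiator selectors" and NO-PROPOSAL-CHOSEN lines from the quoted debug output. This is an added example, not code from the thread or from Fortinet: the far-end phase 2 definitions (NARROW_RESPONDER, OPEN_RESPONDER) are hypothetical, and the containment model in responder_accepts is an assumption about how the responder checks selectors.

```python
import ipaddress
import re

# Constructed sample: the selector line and the notify line quoted in the thread.
SAMPLE_LOG = [
    "ike 6:tunnel-kep:83909:tunnel-kep:951: initiator selectors 0 0:"
    "10.58.0.0/255.255.0.0:0:0->0:10.23.0.0/255.255.255.0:0:0",
    "ike 6:tunnel-kep:83909: notify msg received: NO-PROPOSAL-CHOSEN",
]
# Hypothetical far-end phase 2 definitions as (local, remote); not from the thread.
# One permits only a /24 on the 10.58 side, the other is the 0.0.0.0/0 default.
NARROW_RESPONDER = (ipaddress.ip_network("10.23.0.0/24"), ipaddress.ip_network("10.58.0.0/24"))
OPEN_RESPONDER = (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("0.0.0.0/0"))

SELECTOR_RE = re.compile(
    r"initiator selectors \d+ \d+:(?P<src>[\d.]+)/(?P<smask>[\d.]+):\d+:\d+"
    r"->\d+:(?P<dst>[\d.]+)/(?P<dmask>[\d.]+):\d+:\d+"
)

def parse_initiator_selectors(log_line):
    """Return the (source, destination) networks the initiator proposed, or None."""
    m = SELECTOR_RE.search(log_line)
    if m is None:
        return None
    src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
    dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
    return src, dst

def responder_accepts(proposed, responder_local, responder_remote):
    """Assumed model of the far end's quick mode selector check: the definitions
    mirror each other, so the initiator's source must fit inside the responder's
    remote subnet and its destination inside the responder's local subnet."""
    src, dst = proposed
    return src.subnet_of(responder_remote) and dst.subnet_of(responder_local)

def diagnose(log_lines, responder_local, responder_remote):
    """Pair each NO-PROPOSAL-CHOSEN with the selectors proposed just before it."""
    proposed, findings = None, []
    for line in log_lines:
        sel = parse_initiator_selectors(line)
        if sel is not None:
            proposed = sel
        elif "NO-PROPOSAL-CHOSEN" in line and proposed is not None:
            if responder_accepts(proposed, responder_local, responder_remote):
                findings.append("selectors mirror: check the phase 2 proposal (cipher/PFS) instead")
            else:
                findings.append(f"selector mismatch: offered {proposed[0]} -> {proposed[1]}, "
                                f"far end allows {responder_remote} -> {responder_local}")
    return findings
```

Running diagnose(SAMPLE_LOG, *NARROW_RESPONDER) reports the /16 versus /24 mismatch, while the open responder shifts suspicion to the phase 2 proposal itself.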