Technical Tip: Using the IPsec auto-negotiate and keepalive options on an IPsec VPN tunnel
Description
This article describes the use of auto-negotiate and keepalive options under IPsec VPN phase2 settings.
Scope
FortiGate.
Solution
The options below matter only when there is no interesting traffic destined for the tunnel. If interesting traffic is present, Phase 2 negotiation is triggered by that traffic automatically.
- Autokey Keep Alive: enable this option to keep the tunnel active when no data is passing through it.
The Phase 2 SA has a fixed lifetime. If traffic is flowing on the VPN as the SA nears expiry, a new SA is negotiated and the VPN switches to it without interruption.
With no traffic, the SA simply expires at the end of its lifetime and Phase 2 goes down; a new SA is not negotiated until traffic appears.
Autokey Keep Alive ensures that a new Phase 2 SA is negotiated even when there is no traffic, so the VPN tunnel stays up.
- Auto-negotiate: Enable the option to automatically renegotiate the tunnel when the tunnel expires.
By default, the phase 2 security association (SA) is not negotiated until a peer attempts to send data. The triggering packet and some subsequent packets are dropped until the SA is established.
Applications normally resend this data, so there is no loss, but there might be a noticeable delay in response to the user.
If the tunnel goes down, auto-negotiate (when enabled) attempts to re-establish it: the FortiGate initiates the Phase 2 SA negotiation itself and repeats the attempt every five seconds until the SA is established.
Automatically establishing the SA is particularly important on a dial-up peer, because it keeps the tunnel available so that hosts at the server end can initiate traffic towards the dial-up peer.
If auto-negotiate is enabled on both FortiGates, either side can renegotiate the Phase 2 SA to keep the IPsec VPN tunnel active, so enabling it at both ends is good practice (subject to the passive-mode and dial-up server restrictions noted below).
Auto-negotiate is also needed when a tunnel is brought up for the first time, since without traffic Phase 2 would never be initiated; this applies to site-to-site tunnels as well.
Without it, the tunnel does not exist until the dial-up peer initiates traffic.
To configure auto-negotiate:
Policy-based IPsec VPN.
config vpn ipsec phase2
edit <phase2_name>
set auto-negotiate enable
set keepalive enable
next
end
Route-based IPsec VPN.
config vpn ipsec phase2-interface
edit <phase2_name>
set auto-negotiate enable
set keepalive enable
next
end
To configure via GUI:
Auto-negotiate and keepalive are disabled by default on the FortiGate. Keepalive is implicitly enabled once auto-negotiate is enabled.
In v7.6 the GUI exposes the same auto-negotiate and keepalive settings when editing a Phase 2 selector (screenshots omitted).
Note:
In v7.6, the keepalive options become visible only after opening the individual selector for editing within Phase 2.
CLI Troubleshooting.
To confirm which side initiates the negotiation, capture IKE traffic (UDP 500, or UDP 4500 when NAT-T is in use) and check whether this FortiGate sends the first IKE message after auto-negotiate is enabled:
diagnose sniffer packet any ' port 500 or port 4500 ' 4 0 l
Note:
- Auto-negotiate cannot be enabled on the dial-up server side of a dial-up IPsec VPN tunnel, because in this scenario that FortiGate is never the initiator: the ISAKMP/IKE requests are always initiated by the dial-up client when it connects. Enable it on the dial-up client side instead.
- When passive-mode is enabled in Phase 1, auto-negotiate and autokey keepalive cannot be enabled in Phase 2; conversely, while Phase 2 has auto-negotiate enabled, passive-mode cannot be enabled in Phase 1. Enable auto-negotiate on the device that acts as the IKE initiator.
To demonstrate this, a tunnel was created between two FortiGate devices with the following Phase 1 and Phase 2 settings:
PHASE-1:
FGVM04TM25002496 # config vpn ipsec phase1-interface
FGVM04TM25002496 (phase1-interface) # ed 51.46_spoke
FGVM04TM25002496 (51.46_spoke) # sh
path=vpn.ipsec, objname=phase1-interface, tablename=51.46_spoke, size=2960
config vpn ipsec phase1-interface
edit "51.46_spoke"
set interface "port1"
set ike-version 2
set peertype any
set net-device disable
set passive-mode enable ---> The passive mode is enabled.
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
set comments "VPN: 51.46_spoke"
set remote-gw 10.40.51.46
set psksecret ENC O7xCYc7Zm1VL/kIBgWbGK+uAG1Seb8xdh0I4YUhIOA6za8sQ/9kyFh41OoGzndL3ysZzGP//Eytw8vlX6UOYcAXJCdCAxZxgZZDDp9hunI/ZtxvL
next
end
PHASE-2:
FGVM04TM25002496 (phase2-interface) # ed 51.46_spoke
FGVM04TM25002496 (51.46_spoke) # sh
path=vpn.ipsec, objname=phase2-interface, tablename=51.46_spoke, size=680
config vpn ipsec phase2-interface
edit "51.46_spoke"
set phase1name "51.46_spoke"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set pfs disable
set comments "VPN: 51.46_spoke "
set src-addr-type name
set dst-addr-type name
set src-name "51.46_spoke_local"
set dst-name "51.46_spoke_remote"
next
end
Next, disable passive mode in Phase 1 and enable auto-negotiate in Phase 2:
FGVM04TM25002496 (51.46_spoke) # set passive-mode dis
path=vpn.ipsec, objname=phase1-interface, size=2960, sz_attr=1
FGVM04TM25002496 # config vpn ipsec phase2-interface
FGVM04TM25002496 (phase2-interface) # edit 51.46_spoke
change table entry '51.46_spoke'
FGVM04TM25002496 (51.46_spoke) # set auto-negotiate
enable Enable setting.
disable Disable setting.
FGVM04TM25002496 (51.46_spoke) # set auto-negotiate enable
path=vpn.ipsec, objname=phase2-interface, size=680, sz_attr=1
FGVM04TM25002496 (51.46_spoke) # end
cmd_clean_context 0, abort=0
After applying the changes:
FGVM04TM25002496 (51.46_spoke) # show full-configuration
path=vpn.ipsec, objname=phase1-interface, tablename=51.46_spoke, size=2960
config vpn ipsec phase1-interface
edit "51.46_spoke"
set type static
set interface "port1"
set ip-version 4
set ike-version 2
set local-gw 0.0.0.0
set keylife 86400
set authmethod psk
unset authmethod-remote
set peertype any
set monitor-min 0
set net-device disable
set passive-mode disable ---> The Passive mode is disabled.
next
end
FGVM04TM25002496 # config vpn ipsec phase1-interface
FGVM04TM25002496 (phase1-interface) # set pass ---> Attempting to re-enable passive mode is rejected.
command parse error before 'set'
Note that this particular message is the generic CLI response to a 'set' issued at table level, before an entry has been selected with 'edit'. To confirm the restriction itself, select the entry with 'edit 51.46_spoke' first and then issue 'set passive-mode enable' there; with auto-negotiate enabled in Phase 2, that is the command that is rejected.
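The following Python script is an added example, not Fortinet code. It parses the text that 'show' prints for the phase1-interface and phase2-interface tables and applies the rules from this article to each Phase 2: auto-negotiate (with keepalive implied) is expected on a static tunnel, cannot be used on a dial-up server (Phase 1 'set type dynamic'), and is incompatible with Phase 1 passive-mode. The sample configuration, tunnel names, subnets and gateway addresses are constructed for the example.

```python
"""Audit FortiOS IPsec Phase 2 entries for auto-negotiate and keepalive.

Added example, not Fortinet code: parses `show` output for the phase1-interface
and phase2-interface tables and applies this article's rules to each Phase 2.
The sample configuration is constructed; names and addresses are placeholders.
"""
from typing import Dict, List, Tuple

Config = Dict[str, Dict[str, Dict[str, str]]]  # table -> entry -> key -> value

# Constructed sample: site_a has nothing set, site_b is correct, hub_dialup is a
# dial-up server (type dynamic) and spoke_passive conflicts with passive-mode.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "site_a"
        set interface "port1"
        set remote-gw 192.0.2.10
    next
    edit "site_b"
        set remote-gw 192.0.2.11
    next
    edit "hub_dialup"
        set type dynamic
    next
    edit "spoke_passive"
        set passive-mode enable
        set remote-gw 192.0.2.20
    next
end
config vpn ipsec phase2-interface
    edit "site_a"
        set phase1name "site_a"
        set src-subnet 10.0.1.0 255.255.255.0
    next
    edit "site_b"
        set phase1name "site_b"
        set auto-negotiate enable
    next
    edit "hub_dialup"
        set phase1name "hub_dialup"
        set auto-negotiate enable
    next
    edit "spoke_passive"
        set phase1name "spoke_passive"
        set auto-negotiate enable
    next
end
"""


def parse_fortios_config(text: str) -> Config:
    """Parse config / edit / set / next / end text, one nesting level as in `show`."""
    tables: Config = {}
    table = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = line[7:]
            tables.setdefault(table, {})
        elif line.startswith("edit ") and table is not None:
            entry = line[5:].strip('"')
            tables[table].setdefault(entry, {})
        elif line.startswith("set ") and table is not None and entry is not None:
            key, _, value = line[4:].partition(" ")  # value keeps spaces (subnet/mask)
            tables[table][entry][key] = value.strip().strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            table = entry = None
    return tables


def audit_phase2(cfg: Config) -> List[Tuple[str, str, str]]:
    """Return (phase2 name, level, message) for each phase2-interface entry."""
    phase1s = cfg.get("vpn ipsec phase1-interface", {})
    out: List[Tuple[str, str, str]] = []
    for name, p2 in cfg.get("vpn ipsec phase2-interface", {}).items():
        p1 = phase1s.get(p2.get("phase1name", ""))
        wants = p2.get("auto-negotiate") == "enable" or p2.get("keepalive") == "enable"
        if p1 is None:
            out.append((name, "ERROR", "phase1name matches no phase1-interface"))
        elif p1.get("type", "static") == "dynamic":
            # Dial-up server never initiates IKE, so the options cannot apply here.
            out.append((name, "ERROR" if wants else "OK", "dial-up server: peer initiates"))
        elif p1.get("passive-mode") == "enable":
            # Passive Phase 1 and Phase 2 auto-negotiate/keepalive are mutually exclusive.
            out.append((name, "ERROR" if wants else "INFO", "passive-mode: enable auto-negotiate on the initiator"))
        elif p2.get("auto-negotiate") == "enable":
            out.append((name, "OK", "auto-negotiate enable (keepalive implied)"))
        elif p2.get("keepalive") == "enable":
            out.append((name, "WARN", "keepalive only: first bring-up still needs traffic"))
        else:
            out.append((name, "WARN", "no auto-negotiate: SA needs traffic and is not renewed when idle"))
    return out


if __name__ == "__main__":
    for name, level, msg in audit_phase2(parse_fortios_config(SAMPLE_CONFIG)):
        print(f"{level:5} {name}: {msg}")
```

Run it against a real 'show' capture by pasting that text in place of SAMPLE_CONFIG; the parser only needs the config/edit/set/next/end lines, so the 'path=...' echo lines and the annotated arrows from a console log can stay in the input as long as they are stripped of the prompt first.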
Related documents:
Troubleshooting Tip: Troubleshooting IPsec Site-to-Site Tunnel Connectivity
