Skip to main content
fabs
fabs
Visitor III
December 10, 2024
Question

Fortigate 7.6.1 - FortiClientVPN - IPsec SAML - Windows 11 24H2- no incoming traffic

  • December 10, 2024
  • 1 reply
  • 4281 views

Hello all,

 

I have a problem with IPsec SAML under Windows 11 24H2 with FortiClientVPN 7.4.1.1736 free version.

The connection is established, but I don't see any bytes for incoming traffic. Therefore the routing in the internal VLAN does not work, also the routing to the outside does not work.

 

The same tunnel works perfectly with the FortiClientVPN 7.4.2.0151 and the same SAML user on the iOS iPhone 15 Pro. Except for the fact that I have to exclude the SAML application from my Microsoft CA compliant device policy.

 

Here is the debug of the VPN connection.

 

100f_serverroom # diag debug reset  100f_serverroom # diag debug console timestamp en  100f_serverroom # diag vpn ike log filter name "XXXXXX IPsec"  100f_serverroom # diag debug application ike -1 Debug messages will be on for 30 minutes.  100f_serverroom # diag debug enable  100f_serverroom # 2024-12-10 11:36:43.276210 ike V=root:0: comes 34.199.9.216:500->xx.xx.xx.xx:500,ifindex=7,vrf=0,len=76.... 2024-12-10 11:36:43.276339 ike V=root:0: IKEv2 exchange=INFORMATIONAL id=c87c0c2ee891eeb5/0d86f6dc7c1926d8:0000006a len=76 2024-12-10 11:36:43.276379 ike 0: in C87C0C2EE891EEB50D86F6DC7C1926D82E2025080000006A0000004C0000003056374A2DDDD0DF45A3569507C0D2E64885DE998FE60CB2D93C46C6C3A9C25B2CE030E6178C6D973FBFF62D0D 2024-12-10 11:36:43.937654 ike V=root:0: comes xxx.xx.xxx.xx:24037->xx.xx.xx.xx:500,ifindex=7,vrf=0,len=409.... 2024-12-10 11:36:43.937774 ike V=root:0: IKEv2 exchange=SA_INIT id=c1ed4e56aa50b2a2/0000000000000000 len=409 2024-12-10 11:36:43.937815 ike 0: in C1ED4E56AA50B2A200000000000000002120220800000000000001992200005C0200002C010100040300000C0100000C800E00800300000802000002030000080300000200000008040000050000002C020100040300000C0100000C80 0E01000300000802000005030000080300000C0000000804000005280000C8000500008FBE37D4CF842225961FDA0C28729E494DEE8841D11AE50B174F9C1EB763C16476DA03F93B71C82699DCC79538762E982979F1531DF0E85D02C4175ACBF6DEF6EAE7FB17989593978E93D680A 531B2FDBEC26ABBEB7CC73A324E23D90DD7510B26968DE3E7C864F70A1DDA91D8B2DD8247C942A0F23FEBA71B7A0C0FE7490EDCE9208AC40D0E070F0E0F9A9170EC6F96C69F6973EDA7137E50F9728CE211D562F10BF80E4880F0FB6C54DAE77AFDD56D5D2A0763D5AD891E29D42E30 390747CE2B000014E92174163E6DBFA060F92C7CA850D8C22B0000144C53427B6D465D1B337BB755A37A7FEF2B000014B4F01CA951E9DA8D0BAFBBD34AD3044E29000014C1DC4350476B98A429B91781914CA43E000000090000F05000 2024-12-10 11:36:43.937922 ike V=root:0:c1ed4e56aa50b2a2/0000000000000000:459: responder received SA_INIT msg 2024-12-10 11:36:43.937970 ike V=root:0:c1ed4e56aa50b2a2/0000000000000000:459: VID forticlient connect license 4C53427B6D465D1B337BB755A37A7FEF 2024-12-10 11:36:43.938015 ike V=root:0:c1ed4e56aa50b2a2/0000000000000000:459: VID Fortinet Endpoint Control B4F01CA951E9DA8D0BAFBBD34AD3044E 2024-12-10 11:36:43.938060 ike V=root:0:c1ed4e56aa50b2a2/0000000000000000:459: VID Forticlient EAP Extension C1DC4350476B98A429B91781914CA43E 2024-12-10 11:36:43.938106 ike V=root:0:c1ed4e56aa50b2a2/0000000000000000:459: received notify type VPN_NETWORK_ID 2024-12-10 11:36:43.938149 ike V=root:0:c1ed4e56aa50b2a2/0000000000000000:459: NETWORK ID : 0 2024-12-10 11:36:43.938203 ike V=root:0:c1ed4e56aa50b2a2/0000000000000000:459: incoming proposal: 2024-12-10 11:36:43.938246 ike V=root:0:c1ed4e56aa50b2a2/0000000000000000:459: proposal id = 1: 2024-12-10 11:36:43.938279 ike V=root:0:c1ed4e56aa50b2a2/0000000000000000:459:   protocol = IKEv2: 2024-12-10 11:36:43.938312 ike V=root:0:c1ed4e56aa50b2a2/0000000000000000:459:      encapsulation = IKEv2/none 2024-12-10 11:36:43.938347 ike V=root:0:c1ed4e56aa50b2a2/0000000000000000:459:         type=ENCR, val=AES_CBC (key_len = 128) 2024-12-10 11:36:43.938381 ike V=root:0:c1ed4e56aa50b2a2/0000000000000000:459:         type=INTEGR, val=AUTH_HMAC_SHA_96 2024-12-10 11:36:43.938415 ike V=root:0:c1ed4e56aa50b2a2/0000000000000000:459:         type=PRF, val=PRF_HMAC_SHA 2024-12-10 11:36:43.938450 ike V=root:0:c1ed4e56aa50b2a2/0000000000000000:459:         type=DH_GROUP, val=MODP1536. 2024-12-10 11:36:43.938492 ike V=root:0:c1ed4e56aa50b2a2/0000000000000000:459: proposal id = 2: 2024-12-10 11:36:43.938525 ike V=root:0:c1ed4e56aa50b2a2/0000000000000000:459:   protocol = IKEv2: 2024-12-10 11:36:43.938558 ike V=root:0:c1ed4e56aa50b2a2/0000000000000000:459:      encapsulation = IKEv2/none 2024-12-10 11:36:43.938592 ike V=root:0:c1ed4e56aa50b2a2/0000000000000000:459:         type=ENCR, val=AES_CBC (key_len = 256) 2024-12-10 11:36:43.938626 ike V=root:0:c1ed4e56aa50b2a2/0000000000000000:459:         type=INTEGR, val=AUTH_HMAC_SHA2_256_128 2024-12-10 11:36:43.938660 ike V=root:0:c1ed4e56aa50b2a2/0000000000000000:459:         type=PRF, val=PRF_HMAC_SHA2_256 2024-12-10 11:36:43.938693 ike V=root:0:c1ed4e56aa50b2a2/0000000000000000:459:         type=DH_GROUP, val=MODP1536. 2024-12-10 11:36:43.938752 ike V=root:0:c1ed4e56aa50b2a2/0000000000000000:459: matched proposal id 2 2024-12-10 11:36:43.938795 ike V=root:0:c1ed4e56aa50b2a2/0000000000000000:459: proposal id = 2: 2024-12-10 11:36:43.938828 ike V=root:0:c1ed4e56aa50b2a2/0000000000000000:459:   protocol = IKEv2: 2024-12-10 11:36:43.938860 ike V=root:0:c1ed4e56aa50b2a2/0000000000000000:459:      encapsulation = IKEv2/none 2024-12-10 11:36:43.938894 ike V=root:0:c1ed4e56aa50b2a2/0000000000000000:459:         type=ENCR, val=AES_CBC (key_len = 256) 2024-12-10 11:36:43.938928 ike V=root:0:c1ed4e56aa50b2a2/0000000000000000:459:         type=INTEGR, val=AUTH_HMAC_SHA2_256_128 2024-12-10 11:36:43.938977 ike V=root:0:c1ed4e56aa50b2a2/0000000000000000:459:         type=PRF, val=PRF_HMAC_SHA2_256 2024-12-10 11:36:43.939006 ike V=root:0:c1ed4e56aa50b2a2/0000000000000000:459:         type=DH_GROUP, val=MODP1536. 2024-12-10 11:36:43.939036 ike V=root:0:c1ed4e56aa50b2a2/0000000000000000:459: lifetime=86400 2024-12-10 11:36:43.939074 ike V=root:0:c1ed4e56aa50b2a2/0000000000000000:459: SA proposal chosen, matched gateway XXXXXX IPsec 2024-12-10 11:36:43.939125 ike V=root:0:XXXXXX IPsec:XXXXXX IPsec: created connection: 0x5561e3d8c0 7 xx.xx.xx.xx->xxx.xx.xxx.xx:24037. 2024-12-10 11:36:43.939183 ike V=root:0:XXXXXX IPsec:459: FEC vendor ID received FEC but IP not set 2024-12-10 11:36:43.939214 ike 0:XXXXXX IPsec:459: FCT EAP 2FA extension vendor ID received 2024-12-10 11:36:43.939297 ike V=root:0:XXXXXX IPsec:459: responder preparing SA_INIT msg 2024-12-10 11:36:43.940519 ike V=root:0:XXXXXX IPsec:459: create NAT-D hash local xx.xx.xx.xx/500 remote xxx.xx.xxx.xx/24037 2024-12-10 11:36:43.940603 ike 0:XXXXXX IPsec:459: out C1ED4E56AA50B2A201D9466943A4A7D5212022200000000000000160220000300000002C020100040300000C0100000C800E01000300000802000005030000080300000C0000000804000005280000C800050000 F89CF402B946CB736B777E993E4D3A7DDC7D7E736E80DAF3A657EF5AE2B0C147EDFB6F42C60E403EEC1694898A55EE00B0A836A4DA57B318BEBAB5906F086807E9AA6FECB94671C76B8C038B4484960558719653B92870F369E9B82671249EAF2BE6DA20A3763D8DC146FDC0E5BBEBF 6C6836E88E4BAAD00BFEF0D8E4CA64F005DB8DC99D3A89144918B3231A0A40948899C31AA6C0442069F7A1B72E6EC6488B7B03B5CB030E2CAC54D4804BF6077EE13A7CC8E90DB4DE9F8902F9D6DABF1D6290000140C8BB31EE839FD9E4273A92E4FF965BD2900001C000040046D22C9 D3A8393140025B1151BAF155CCD1A09E330000001C0000400516FADCD3BCD1E0A647D03A0A1986FDD577E4660D 2024-12-10 11:36:43.940727 ike V=root:0:XXXXXX IPsec:459: sent IKE msg (SA_INIT_RESPONSE): xx.xx.xx.xx:500->xxx.xx.xxx.xx:24037, len=352, vrf=0, id=c1ed4e56aa50b2a2/01d9466943a4a7d5, oif=7 2024-12-10 11:36:43.940887 ike 0:XXXXXX IPsec:459: IKE SA c1ed4e56aa50b2a2/01d9466943a4a7d5 SK_ei 32:14777F25B97BCCD196D4A8D72E8F9E296C75B36695B8C164E484474BD5F4A991 2024-12-10 11:36:43.940929 ike 0:XXXXXX IPsec:459: IKE SA c1ed4e56aa50b2a2/01d9466943a4a7d5 SK_er 32:8F9481682381EDFCBCA8FA47E5C64F34E21FE5D3252F80D3589DBCA7C6983E58 2024-12-10 11:36:43.940967 ike 0:XXXXXX IPsec:459: IKE SA c1ed4e56aa50b2a2/01d9466943a4a7d5 SK_ai 32:E15AA0346C100039BD4BEC20C4D8858525D0877C6A8B64413E3578D88A3580C9 2024-12-10 11:36:43.941018 ike 0:XXXXXX IPsec:459: IKE SA c1ed4e56aa50b2a2/01d9466943a4a7d5 SK_ar 32:AAA13474C3C9C96A3366546F59EABBF8A2BC0D445F7A0E0FCED9B01FEEB36CAA 2024-12-10 11:36:43.987008 ike V=root:0: comes xxx.xx.xxx.xx:24037->xx.xx.xx.xx:500,ifindex=7,vrf=0,len=640.... 2024-12-10 11:36:43.987099 ike V=root:0: IKEv2 exchange=AUTH id=c1ed4e56aa50b2a2/01d9466943a4a7d5:00000001 len=640 2024-12-10 11:36:43.987143 ike 0: in C1ED4E56AA50B2A201D9466943A4A7D52E202308000000010000028023000264C3AE9BD8096F81A0A63B00C0BD7300E6AC0F4120BD343FCE922A704B5245DC504E20A78323A5AAF1EE4327EC7DF686CC38DD79ADC6A7C84ABDACADF3D9 8A4729B5C78118722651F79E301756A1D228DE939D1E7D2DF31663FE03E74954DEB041A0B2A505AD35EF38B8F68C0C57F6F661B5CE1F389F5994331F7CC0E008CA51B61AE9989257D2CC0116E310A9C39670754B3422A3FE62A01A02CD516692F065B91D39F414548DE304BBD5C47FF 8B46B0E5EDB919B53869651F6C1530D9D1319E5C884B2E0530476B75FEE8B4F38B87618EDA9E1309C66C4DCE3C9C682871F9D9D2A344BCA5C175725EA4DB18E3E3905D488B1C3CCAF166BBB215E41148483F8DC341C22DE91F9104BF06C1E145DC3D1B54E3F071A94BC7A1B9D77482B A907B8B380FDB5F9D0ADE046736106BB2A334FA830519961FFF50F8E454E8D0E0561FCEBF1568CCF6FA24030F33C6523B5286054B7FC0A60A19C536A9A9FF284EF6727ED23B1BD5E267745A27C6BAD05E7400205F2E0A395A765A296356C15BB20DAD2A432AF2E2A0EDBEAFD6B62676 ECAD45777D8D0F87A50C2C021A0A2C288C642669F1896B81D7A779EEEFE59C7F7FC2326395DDFB56132E47F61D25DF631D60DD479779FCC81B32BCF0E317F6E37624E3794AC4BFF3C1AEA91DFD4A36220C0435D742E8E21A2018808EC80271F32AF5493FA142A97D81EFC19A51C6F37 D8C3CF7F92A03464576470471C208FD58EBF43D256F9531639EACE1DC0687DA25AC5B099E0BA4C48A409EB6654E439076457F394A30994C2D8A08E52AF22DA63455F78903636CA3D997C8D36EB894568CA45CC4DF4083AA11182C9097030DFC2810076AAF8 2024-12-10 11:36:43.987316 ike 0:XXXXXX IPsec:459: dec C1ED4E56AA50B2A201D9466943A4A7D52E2023080000000100000251230000042900000C01000000C0A8344629000008000040002F00013D0000F1005645523D310A4643545645523D372E342E312E313733360A 5549443D36413243394145443231354334443246383230383437413744453339364246320A49503D3139322E3136382E35322E37300A4D41433D63382D62322D39622D38382D36372D34363B63382D62322D39622D38382D36372D34323B63382D62322D39622D38382D36372D34333 B63612D62322D39622D38382D36372D34323B38342D62352D39332D35392D34372D34303B0A484F53543D5654452D50432D3035340A555345523D36413243394145443231354334443246383230383437413744453339364246320A4F535645523D4D6963726F736F66742057696E64 6F777320313120456E74657270726973652045646974696F6E2C2036342D62697420286275696C64203232363331290A5245475F5354415455533D300A002100005C01000000000700104643543830303237393039383339353100010000000200000003000000040000000D0000001 9000000080000000F0000000A0000000B000070010000540A0000540B00007000000070060000001900002C0000540200002801030403BD2BD0950300000C0100000C800E0080030000080300000200000008050000000000002802030403BD2BD0950300000C0100000C800E010003 0000080300000C00000008050000002D00001801000000070000100000FFFF00000000FFFFFFFF0000001801000000070000100000FFFF00000000FFFFFFFF 2024-12-10 11:36:43.987398 ike V=root:0:XXXXXX IPsec:459: responder received AUTH msg 2024-12-10 11:36:43.987433 ike V=root:0:XXXXXX IPsec:459: processing notify type INITIAL_CONTACT 2024-12-10 11:36:43.987504 ike V=root:0:XXXXXX IPsec:459: processing notify type FORTICLIENT_CONNECT 2024-12-10 11:36:43.987556 ike V=root:0:XXXXXX IPsec:459: received FCT data len = 309, data = 'VER=1 FCTVER=7.4.1.1736 UID=6A2C9AED215C4D2F820847A7DE396BF2 IP=192.168.52.70 MAC=c8-b2-9b-88-67-46;c8-b2-9b-88-67-42;c8-b2-9b-88-67-43;ca-b2-9b-88-67-42;84-b5-93-59-47-40; HOST=VTE-PC-054 USER=6A2C9AED215C4D2F820847A7DE396BF2 OSVER=Microsoft Windows 11 Enterprise Edition, 64-bit (build 22631) REG_STATUS=0 ' 2024-12-10 11:36:43.987648 ike V=root:0:XXXXXX IPsec:459: received FCT-UID : 6A2C9AED215C4D2F820847A7DE396BF2 2024-12-10 11:36:43.987680 ike V=root:0:XXXXXX IPsec:459: received EMS SN : 2024-12-10 11:36:43.987711 ike V=root:0:XXXXXX IPsec:459: received EMS tenant ID : 2024-12-10 11:36:43.987745 ike V=root:0:XXXXXX IPsec:459: peer identifier IPV4_ADDR 192.168.52.70 2024-12-10 11:36:43.987778 ike V=root:0:XXXXXX IPsec:459: re-validate gw ID 2024-12-10 11:36:43.987823 ike V=root:0:XXXXXX IPsec:459: gw validation OK 2024-12-10 11:36:43.987859 ike V=root:0:XXXXXX IPsec:459: responder preparing EAP identity request 2024-12-10 11:36:43.988068 ike 0:XXXXXX IPsec:459: enc 2700000C01000000515A25623000002802000000157F6FB30F6E06277550958D4B2E3FDB3376601E4C0411631298B1F3320611E1000000090102000501020102 2024-12-10 11:36:43.988151 ike 0:XXXXXX IPsec:459: out C1ED4E56AA50B2A201D9466943A4A7D52E2023200000000100000080240000644427FEEDDB2F793D8C30BE54FFB9B5D9DF4EF73111D7245E5959C0A72A6E2B2C7AED7BA56F388E4851CEE7D529D0683451722323 A63A2F8F6A36D0F64C29BEEE6F83CE60730DE7276AA1E9B3072D3B70C333E259A9A70111FC9D6D538D3A8175 2024-12-10 11:36:43.988258 ike V=root:0:XXXXXX IPsec:459: sent IKE msg (AUTH_RESPONSE): xx.xx.xx.xx:500->xxx.xx.xxx.xx:24037, len=128, vrf=0, id=c1ed4e56aa50b2a2/01d9466943a4a7d5:00000001, oif=7 2024-12-10 11:36:44.026827 ike V=root:0: comes xxx.xx.xxx.xx:24037->xx.xx.xx.xx:500,ifindex=7,vrf=0,len=112.... 2024-12-10 11:36:44.026935 ike V=root:0: IKEv2 exchange=AUTH id=c1ed4e56aa50b2a2/01d9466943a4a7d5:00000002 len=112 2024-12-10 11:36:44.026968 ike 0: in C1ED4E56AA50B2A201D9466943A4A7D52E202308000000020000007030000054D200243699A799962ED3823B560AE84E8AFE187C3CE53CDACCBC820196674897A38B19BACFFD7D0B890695810321522877234C407D61F125E197234FFB 7B2BC1813EC31F8424C82731D5EA4AD7BDDE7B 2024-12-10 11:36:44.027094 ike 0:XXXXXX IPsec:459: dec C1ED4E56AA50B2A201D9466943A4A7D52E2023080000000200000049300000040000002902020025013641324339414544323135433444324638323038343741374445333936424632 2024-12-10 11:36:44.027133 ike V=root:0:XXXXXX IPsec:459: responder received EAP msg 2024-12-10 11:36:44.027166 ike V=root:0:XXXXXX IPsec:459: send EAP message to FNBAM 2024-12-10 11:36:44.027196 ike V=root:0:XXXXXX IPsec:459: initiating EAP authentication 2024-12-10 11:36:44.027228 ike V=root:0:XXXXXX IPsec: EAP user "6A2C9AED215C4D2F820847A7DE396BF2" 2024-12-10 11:36:44.027258 ike V=root:0:XXXXXX IPsec: auth group AAD-IPSEC-VPN-USERS 2024-12-10 11:36:44.027360 ike V=root:0:XXXXXX IPsec: EAP 1400352022681 pending 2024-12-10 11:36:44.029211 ike V=root:0:XXXXXX IPsec:459 EAP 1400352022681 result FNBAM_CHALLENGED 2024-12-10 11:36:44.029303 ike V=root:0:XXXXXX IPsec: EAP challenged for user "6A2C9AED215C4D2F820847A7DE396BF2" 2024-12-10 11:36:44.029341 ike V=root:0:XXXXXX IPsec:459: responder preparing EAP pass through message 2024-12-10 11:36:44.029391 ike 0:XXXXXX IPsec:459: enc 00000025010300211A0103001C1059E129E2DEC4AA3D51231456D3DD52FE686F73746170640A0908070605040302010A 2024-12-10 11:36:44.029496 ike 0:XXXXXX IPsec:459: out C1ED4E56AA50B2A201D9466943A4A7D52E202320000000020000007030000054FF8CB3A079CD03D36CA2C385BAAE4229FAE1AD2E9E8F56D1DD0D870D965303C77AE6E79B9E8512DCABF92E99CC0FF6CDE42E6404 E36438341DB78756AADC4516702EADC8B6AD80A505563ADA88F47109 2024-12-10 11:36:44.029583 ike V=root:0:XXXXXX IPsec:459: sent IKE msg (AUTH_RESPONSE): xx.xx.xx.xx:500->xxx.xx.xxx.xx:24037, len=112, vrf=0, id=c1ed4e56aa50b2a2/01d9466943a4a7d5:00000002, oif=7 2024-12-10 11:36:44.062767 ike V=root:0: comes xxx.xx.xxx.xx:24037->xx.xx.xx.xx:500,ifindex=7,vrf=0,len=160.... 2024-12-10 11:36:44.062862 ike V=root:0: IKEv2 exchange=AUTH id=c1ed4e56aa50b2a2/01d9466943a4a7d5:00000003 len=160 2024-12-10 11:36:44.062895 ike 0: in C1ED4E56AA50B2A201D9466943A4A7D52E20230800000003000000A030000084F86F972C0F7C62544EEDB3F7EC761DC75F932B3082956390C8788BE9D0784029B62098536056B59695EB0D3AC153B19F3864783E451C6E8D1C794ED041 94CEBC1EF430F0C11183D18DE611351877DB91910C09E6066B0832DE64179E360B92F05CA03B8E507A5C1FFF8AC629305936494AEDA78EAC247340AAADA5918884EDC8 2024-12-10 11:36:44.063025 ike 0:XXXXXX IPsec:459: dec C1ED4E56AA50B2A201D9466943A4A7D52E202308000000030000007F300000040000005F0203005B1A020300563152D9759362B69158DCA80FD2F5BA98BA00000000000000005A1792A3EF80FFF8D7C1BAD28DEE 65E0EC85DB21AA42310F003641324339414544323135433444324638323038343741374445333936424632 2024-12-10 11:36:44.063071 ike V=root:0:XXXXXX IPsec:459: responder received EAP msg 2024-12-10 11:36:44.063104 ike V=root:0:XXXXXX IPsec:459: send EAP message to FNBAM 2024-12-10 11:36:44.063152 ike V=root:0:XXXXXX IPsec: EAP 1400352022681 pending 2024-12-10 11:36:44.064626 ike V=root:0:XXXXXX IPsec:459 EAP 1400352022681 result FNBAM_CHALLENGED 2024-12-10 11:36:44.064703 ike V=root:0:XXXXXX IPsec: EAP challenged for user "6A2C9AED215C4D2F820847A7DE396BF2" 2024-12-10 11:36:44.064736 ike V=root:0:XXXXXX IPsec:459: responder preparing EAP pass through message 2024-12-10 11:36:44.064790 ike 0:XXXXXX IPsec:459: enc 0000003C010400381A03030033533D46353631464346453039434630413332394236373744424134314233344541363431304339313634204D3D4F4B03020103 2024-12-10 11:36:44.064891 ike 0:XXXXXX IPsec:459: out C1ED4E56AA50B2A201D9466943A4A7D52E202320000000030000008030000064BD39787E3232D09BF681DDBB0121DCDA1F0CB6CF705619F1D489D3592DDD9ABF92CD89D0E0E189920A050348BD100B4EE48DEBAF 8484BBFADBAA596527C83A89CA68354F316A60CFD760EFDF812342BE104C3FEDC65BEF237592AFEF1FA5C22D 2024-12-10 11:36:44.064979 ike V=root:0:XXXXXX IPsec:459: sent IKE msg (AUTH_RESPONSE): xx.xx.xx.xx:500->xxx.xx.xxx.xx:24037, len=128, vrf=0, id=c1ed4e56aa50b2a2/01d9466943a4a7d5:00000003, oif=7 2024-12-10 11:36:44.092783 ike V=root:0: comes xxx.xx.xxx.xx:24037->xx.xx.xx.xx:500,ifindex=7,vrf=0,len=80.... 2024-12-10 11:36:44.092878 ike V=root:0: IKEv2 exchange=AUTH id=c1ed4e56aa50b2a2/01d9466943a4a7d5:00000004 len=80 2024-12-10 11:36:44.092912 ike 0: in C1ED4E56AA50B2A201D9466943A4A7D52E202308000000040000005030000034ADD216DDBB4086C44A1A467EE8A9C64ED9AA4DA5CA5912945714A7EF5E4ED629D2AE4175DD9BA9F33779B5555A899C8C 2024-12-10 11:36:44.093028 ike 0:XXXXXX IPsec:459: dec C1ED4E56AA50B2A201D9466943A4A7D52E202308000000040000002A300000040000000A020400061A03 2024-12-10 11:36:44.093067 ike V=root:0:XXXXXX IPsec:459: responder received EAP msg 2024-12-10 11:36:44.093100 ike V=root:0:XXXXXX IPsec:459: send EAP message to FNBAM 2024-12-10 11:36:44.093149 ike V=root:0:XXXXXX IPsec: EAP 1400352022681 pending 2024-12-10 11:36:44.094326 ike V=root:0:XXXXXX IPsec:459 EAP 1400352022681 result FNBAM_SUCCESS 2024-12-10 11:36:44.094393 ike V=root:0:XXXXXX IPsec: EAP succeeded for user "6A2C9AED215C4D2F820847A7DE396BF2" group "AAD-IPSEC-VPN-USERS" 2FA=no 2024-12-10 11:36:44.094486 ike V=root:0:XXXXXX IPsec:459: responder preparing EAP pass through message 2024-12-10 11:36:44.094539 ike 0:XXXXXX IPsec:459: enc 00000008030400040706050403020107 2024-12-10 11:36:44.094636 ike 0:XXXXXX IPsec:459: out C1ED4E56AA50B2A201D9466943A4A7D52E202320000000040000005030000034AAF62162C7EB0C23E18EBD27EDDE598A0E51A8FD86A770C706D83B1DAB1A4F54AABC8CA3622235139AE847F99FC15C61 2024-12-10 11:36:44.094714 ike V=root:0:XXXXXX IPsec:459: sent IKE msg (AUTH_RESPONSE): xx.xx.xx.xx:500->xxx.xx.xxx.xx:24037, len=80, vrf=0, id=c1ed4e56aa50b2a2/01d9466943a4a7d5:00000004, oif=7 2024-12-10 11:36:44.138755 ike V=root:0: comes xxx.xx.xxx.xx:24037->xx.xx.xx.xx:500,ifindex=7,vrf=0,len=112.... 2024-12-10 11:36:44.138852 ike V=root:0: IKEv2 exchange=AUTH id=c1ed4e56aa50b2a2/01d9466943a4a7d5:00000005 len=112 2024-12-10 11:36:44.138886 ike 0: in C1ED4E56AA50B2A201D9466943A4A7D52E202308000000050000007027000054E510561CE9885ABBE8559FB553C9D3CB8C92858F0BB84710B21E965F3BF9BEFE0328DF720673AA1D6C0FC744BB1BDE2BDB1F57281F433B31CE78801504 AE10FF87405347CD20A1142B9476146BF26057 2024-12-10 11:36:44.139013 ike 0:XXXXXX IPsec:459: dec C1ED4E56AA50B2A201D9466943A4A7D52E202308000000050000004827000004000000280200000030DC53D60B6BF9245C88FF5989175A418F7B9F64D6CD8B0FD39E60156E5B5146 2024-12-10 11:36:44.139051 ike V=root:0:XXXXXX IPsec:459: responder received AUTH msg 2024-12-10 11:36:44.139136 ike V=root:0:XXXXXX IPsec:459: auth verify done 2024-12-10 11:36:44.139168 ike V=root:0:XXXXXX IPsec:459: responder AUTH continuation 2024-12-10 11:36:44.139198 ike V=root:0:XXXXXX IPsec:459: authentication succeeded 2024-12-10 11:36:44.139269 ike V=root:0:XXXXXX IPsec:459: responder creating new child 2024-12-10 11:36:44.139328 ike V=root:0:XXXXXX IPsec:459: mode-cfg type 7 request 16:'46435438303032373930393833393531' 2024-12-10 11:36:44.139361 ike V=root:0:XXXXXX IPsec:459: mode-cfg received APPLICATION_VERSION 'FCT8002790983951' 2024-12-10 11:36:44.139392 ike V=root:0:XXXXXX IPsec:459: mode-cfg type 1 request 0:'' 2024-12-10 11:36:44.139427 ike V=root:0:XXXXXX IPsec: mode-cfg allocate 10.72.76.61/0.0.0.0 2024-12-10 11:36:44.139458 ike V=root:0:XXXXXX IPsec:459: mode-cfg using allocated IPv4 10.72.76.61 2024-12-10 11:36:44.139487 ike V=root:0:XXXXXX IPsec:459: mode-cfg type 2 request 0:'' 2024-12-10 11:36:44.139517 ike V=root:0:XXXXXX IPsec:459: mode-cfg type 3 request 0:'' 2024-12-10 11:36:44.139547 ike V=root:0:XXXXXX IPsec:459: mode-cfg type 4 request 0:'' 2024-12-10 11:36:44.139576 ike V=root:0:XXXXXX IPsec:459: mode-cfg WINS ignored, no WINS servers configured 2024-12-10 11:36:44.139605 ike V=root:0:XXXXXX IPsec:459: mode-cfg type 13 request 0:'' 2024-12-10 11:36:44.139633 ike V=root:0:XXXXXX IPsec:459: mode-cfg type 25 request 0:'' 2024-12-10 11:36:44.139662 ike V=root:0:XXXXXX IPsec:459: mode-cfg type 8 request 0:'' 2024-12-10 11:36:44.139691 ike V=root:0:XXXXXX IPsec: IPv6 pool is not configured 2024-12-10 11:36:44.139720 ike V=root:0:XXXXXX IPsec:459: mode-cfg could not allocate IPv6 address 2024-12-10 11:36:44.139749 ike V=root:0:XXXXXX IPsec:459: mode-cfg type 15 request 0:'' 2024-12-10 11:36:44.139778 ike V=root:0:XXXXXX IPsec:459: mode-cfg type 10 request 0:'' 2024-12-10 11:36:44.139807 ike V=root:0:XXXXXX IPsec:459: mode-cfg type 11 request 0:'' 2024-12-10 11:36:44.139836 ike V=root:0:XXXXXX IPsec:459: mode-cfg type 11 not supported, ignoring 2024-12-10 11:36:44.139865 ike V=root:0:XXXXXX IPsec:459: mode-cfg type 28673 request 0:'' 2024-12-10 11:36:44.139895 ike V=root:0:XXXXXX IPsec:459: mode-cfg UNITY type 28673 requested 2024-12-10 11:36:44.139924 ike V=root:0:XXXXXX IPsec:459: mode-cfg type 21514 request 0:'' 2024-12-10 11:36:44.139953 ike V=root:0:XXXXXX IPsec:459: mode-cfg type 21514 requested 2024-12-10 11:36:44.139981 ike V=root:0:XXXXXX IPsec:459: mode-cfg type 21515 request 0:'' 2024-12-10 11:36:44.140010 ike V=root:0:XXXXXX IPsec:459: mode-cfg type 21515 requested 2024-12-10 11:36:44.140038 ike V=root:0:XXXXXX IPsec:459: mode-cfg type 28672 request 0:'' 2024-12-10 11:36:44.140066 ike V=root:0:XXXXXX IPsec:459: mode-cfg UNITY type 28672 requested 2024-12-10 11:36:44.140095 ike V=root:0:XXXXXX IPsec:459: mode-cfg no banner configured, ignoring 2024-12-10 11:36:44.140123 ike V=root:0:XXXXXX IPsec:459: mode-cfg type 28678 request 0:'' 2024-12-10 11:36:44.140152 ike V=root:0:XXXXXX IPsec:459: mode-cfg UNITY type 28678 requested 2024-12-10 11:36:44.140180 ike V=root:0:XXXXXX IPsec:459: mode-cfg type 25 request 0:'' 2024-12-10 11:36:44.140225 ike V=root:0:XXXXXX IPsec:459:531: peer proposal: 2024-12-10 11:36:44.140259 ike V=root:0:XXXXXX IPsec:459:531: TSi_0 0:0.0.0.0-255.255.255.255:0 2024-12-10 11:36:44.140292 ike V=root:0:XXXXXX IPsec:459:531: TSr_0 0:0.0.0.0-255.255.255.255:0 2024-12-10 11:36:44.140322 ike V=root:0:XXXXXX IPsec:459:IPSec VPN:531: comparing selectors 2024-12-10 11:36:44.140355 ike V=root:0:XXXXXX IPsec:459:IPSec VPN:531: matched by rfc-rule-2 2024-12-10 11:36:44.140385 ike V=root:0:XXXXXX IPsec:459:IPSec VPN:531: phase2 matched by subset 2024-12-10 11:36:44.140420 ike V=root:0:XXXXXX IPsec:459:IPSec VPN:531: using mode-cfg override 0:10.72.76.61-10.72.76.61:0 2024-12-10 11:36:44.140452 ike V=root:0:XXXXXX IPsec:459:IPSec VPN:531: accepted proposal: 2024-12-10 11:36:44.140485 ike V=root:0:XXXXXX IPsec:459:IPSec VPN:531: TSi_0 0:10.72.76.61-10.72.76.61:0 2024-12-10 11:36:44.140517 ike V=root:0:XXXXXX IPsec:459:IPSec VPN:531: TSr_0 0:0.0.0.0-255.255.255.255:0 2024-12-10 11:36:44.140548 ike V=root:0:XXXXXX IPsec:459:IPSec VPN:531: dialup 2024-12-10 11:36:44.140600 ike V=root:0:XXXXXX IPsec:459:IPSec VPN:531: incoming child SA proposal: 2024-12-10 11:36:44.140631 ike V=root:0:XXXXXX IPsec:459:IPSec VPN:531: proposal id = 1: 2024-12-10 11:36:44.140661 ike V=root:0:XXXXXX IPsec:459:IPSec VPN:531:   protocol = ESP: 2024-12-10 11:36:44.140690 ike V=root:0:XXXXXX IPsec:459:IPSec VPN:531:      encapsulation = TUNNEL 2024-12-10 11:36:44.140721 ike V=root:0:XXXXXX IPsec:459:IPSec VPN:531:         type=ENCR, val=AES_CBC (key_len = 128) 2024-12-10 11:36:44.140750 ike V=root:0:XXXXXX IPsec:459:IPSec VPN:531:         type=INTEGR, val=SHA 2024-12-10 11:36:44.140780 ike V=root:0:XXXXXX IPsec:459:IPSec VPN:531:         type=ESN, val=NO 2024-12-10 11:36:44.140809 ike V=root:0:XXXXXX IPsec:459:IPSec VPN:531:         PFS is disabled 2024-12-10 11:36:44.140844 ike V=root:0:XXXXXX IPsec:459:IPSec VPN:531: matched proposal id 1 2024-12-10 11:36:44.140872 ike V=root:0:XXXXXX IPsec:459:IPSec VPN:531: proposal id = 1: 2024-12-10 11:36:44.140902 ike V=root:0:XXXXXX IPsec:459:IPSec VPN:531:   protocol = ESP: 2024-12-10 11:36:44.140930 ike V=root:0:XXXXXX IPsec:459:IPSec VPN:531:      encapsulation = TUNNEL 2024-12-10 11:36:44.140960 ike V=root:0:XXXXXX IPsec:459:IPSec VPN:531:         type=ENCR, val=AES_CBC (key_len = 128) 2024-12-10 11:36:44.140990 ike V=root:0:XXXXXX IPsec:459:IPSec VPN:531:         type=INTEGR, val=SHA 2024-12-10 11:36:44.141095 ike V=root:0:XXXXXX IPsec:459:IPSec VPN:531:         type=ESN, val=NO 2024-12-10 11:36:44.141133 ike V=root:0:XXXXXX IPsec:459:IPSec VPN:531:         PFS is disabled 2024-12-10 11:36:44.141170 ike V=root:0:XXXXXX IPsec:459:IPSec VPN:531: lifetime=43200 2024-12-10 11:36:44.141254 ike V=root:0:XXXXXX IPsec:459: responder preparing AUTH msg 2024-12-10 11:36:44.141308 ike V=root:0:XXXXXX IPsec: adding new dynamic tunnel for xxx.xx.xxx.xx:24037 2024-12-10 11:36:44.144884 ike 0:XXXXXX IPsec_0:459: out C1ED4E56AA50B2A201D9466943A4A7D52E2023200000000500000150240001346424B36576F5B0A6113FEC3E8D2AE21246CF1E5F16AB700CB29859DDEAD0EF6F5435B46F24D8C2FFE2C7BC54E97FF0BD9DBDC2 65E45948EBF0F4685913FE109E95D3C5F6367815CB82F374C4D2D3DA58890A59930ADA9411943BEB7B980D05A073736F950A73CB11BB76A909723AA07E21E845C88FD3296504E6C31B66E714D2CCB68274BA1731241826238DC0A5DE4E3FA547EED34F107741ACC3DB133C39503AFE5 7180A067B1C04D2EEEDA48712C4719FF76F2DC753C959BBDDFDDC6021F0A41F154EF08F2A7DE2186AD71AD738FD9E90E9AAF92F7D8DB30CA356B7410E288526483D69EC1C369558C7A4210E18FABBCCB54BD2ECBB271B278DA1DD183EC2F5811527F9E7E79AC9DF72E0D67955DCD24E E21EEE0F0F833E9A6F93282FD9FA790C42B10A0BB1095CCC4E7B721723DF 2024-12-10 11:36:44.145039 ike V=root:0:XXXXXX IPsec_0:459: sent IKE msg (AUTH_RESPONSE): xx.xx.xx.xx:500->xxx.xx.xxx.xx:24037, len=336, vrf=0, id=c1ed4e56aa50b2a2/01d9466943a4a7d5:00000005, oif=7 2024-12-10 11:36:45.603028 ike V=root:0: comes 44.221.5.255:500->xx.xx.xx.xx:500,ifindex=7,vrf=0,len=76.... 2024-12-10 11:36:45.603133 ike V=root:0: IKEv2 exchange=INFORMATIONAL id=efc0d18a3dc02ab3/c64ee058a45ecf72:00000097 len=76 2024-12-10 11:36:45.603166 ike 0: in EFC0D18A3DC02AB3C64EE058A45ECF722E202508000000970000004C000000309E635FD5101BE16277451C6DF4A9907176D73E5DBE09D628D646C82D4A541FEC338915D7BB1EF3B9BE40D3C1 2024-12-10 11:36:49.414823 ike V=root:0: comes xxx.xx.xxx.xx:24037->xx.xx.xx.xx:500,ifindex=7,vrf=0,len=80.... 2024-12-10 11:36:49.414915 ike V=root:0: IKEv2 exchange=INFORMATIONAL id=c1ed4e56aa50b2a2/01d9466943a4a7d5:00000006 len=80 2024-12-10 11:36:49.414950 ike 0: in C1ED4E56AA50B2A201D9466943A4A7D52E202508000000060000005000000034DD1AE9CC6A4DD0B3D3D5CC57CD6FEB582151DBFF0C79A2FE6EC7A28691012B81BE535BD90ED70E9A790F2BE3260A7A49 2024-12-10 11:36:49.415135 ike 0:XXXXXX IPsec_0:459: out C1ED4E56AA50B2A201D9466943A4A7D52E202520000000060000005000000034039AD27F33042472CBAACDFD2354D842067F79F6925E68EE4C4C779A9DDF3EA51AC65863384B3A922F0DCB2E57E2388D 2024-12-10 11:36:49.415217 ike V=root:0:XXXXXX IPsec_0:459: sent IKE msg (INFORMATIONAL_RESPONSE): xx.xx.xx.xx:500->xxx.xx.xxx.xx:24037, len=80, vrf=0, id=c1ed4e56aa50b2a2/01d9466943a4a7d5:00000006, oif=7 2024-12-10 11:36:53.275191 ike V=root:0: comes 34.199.9.216:500->xx.xx.xx.xx:500,ifindex=7,vrf=0,len=76.... 2024-12-10 11:36:53.275295 ike V=root:0: IKEv2 exchange=INFORMATIONAL id=c87c0c2ee891eeb5/0d86f6dc7c1926d8:0000006b len=76 2024-12-10 11:36:53.275329 ike 0: in C87C0C2EE891EEB50D86F6DC7C1926D82E2025080000006B0000004C000000309E217B52E0E4C116D5934E21FA420327118B9056A13819E575BBF891B90165358BCAE8983539BE162E306D17 2024-12-10 11:36:54.508733 ike V=root:0: comes xxx.xx.xxx.xx:24037->xx.xx.xx.xx:500,ifindex=7,vrf=0,len=80.... 2024-12-10 11:36:54.508838 ike V=root:0: IKEv2 exchange=INFORMATIONAL id=c1ed4e56aa50b2a2/01d9466943a4a7d5:00000007 len=80 2024-12-10 11:36:54.508874 ike 0: in C1ED4E56AA50B2A201D9466943A4A7D52E202508000000070000005000000034E371737C35A60367CEFB8FADB6B0E2ECE355EB6B024CA7A31328992F961A415F62BAFE85E2045092D344217DDC34079A 2024-12-10 11:36:54.509051 ike 0:XXXXXX IPsec_0:459: out C1ED4E56AA50B2A201D9466943A4A7D52E202520000000070000005000000034160084771A7C1012C373B45AAB8A915DA25076C0A01FF29C4C0D64E3551D5BDF5E9D887492898FF1127176C61B914530 2024-12-10 11:36:54.509144 ike V=root:0:XXXXXX IPsec_0:459: sent IKE msg (INFORMATIONAL_RESPONSE): xx.xx.xx.xx:500->xxx.xx.xxx.xx:24037, len=80, vrf=0, id=c1ed4e56aa50b2a2/01d9466943a4a7d5:00000007, oif=7 2024-12-10 11:36:55.603257 ike V=root:0: comes 44.221.5.255:500->xx.xx.xx.xx:500,ifindex=7,vrf=0,len=76.... 2024-12-10 11:36:55.603365 ike V=root:0: IKEv2 exchange=INFORMATIONAL id=efc0d18a3dc02ab3/c64ee058a45ecf72:00000098 len=76 2024-12-10 11:36:55.603399 ike 0: in EFC0D18A3DC02AB3C64EE058A45ECF722E202508000000980000004C0000003016D22DCF5CBA5AF284E6CD37B3CD0857D50E50B11E05060CEF3832854708559E28310B61AB84B00260BE41CC 2024-12-10 11:36:59.558692 ike V=root:0: comes xxx.xx.xxx.xx:24037->xx.xx.xx.xx:500,ifindex=7,vrf=0,len=80.... 2024-12-10 11:36:59.558779 ike V=root:0: IKEv2 exchange=INFORMATIONAL id=c1ed4e56aa50b2a2/01d9466943a4a7d5:00000008 len=80 2024-12-10 11:36:59.558813 ike 0: in C1ED4E56AA50B2A201D9466943A4A7D52E202508000000080000005000000034C88843B82C85DC7AB828B9CBB1FE713144BD03208459123C5A59EAD4A818B7FCB84C08A957226001F167321041CF10FB 2024-12-10 11:36:59.558967 ike 0:XXXXXX IPsec_0:459: out C1ED4E56AA50B2A201D9466943A4A7D52E2025200000000800000050000000343FA57A7368C2402D1544F3F87AF9982DBD10BF9F61A1E097036F02038B40B4AFCC7A105AA9F0E50AC716CED0E1E63CBF 2024-12-10 11:36:59.559050 ike V=root:0:XXXXXX IPsec_0:459: sent IKE msg (INFORMATIONAL_RESPONSE): xx.xx.xx.xx:500->xxx.xx.xxx.xx:24037, len=80, vrf=0, id=c1ed4e56aa50b2a2/01d9466943a4a7d5:00000008, oif=7 2024-12-10 11:37:02.314572 ike V=root:0: comes xxx.xx.xxx.xx:24037->xx.xx.xx.xx:500,ifindex=7,vrf=0,len=80.... 2024-12-10 11:37:02.314676 ike V=root:0: IKEv2 exchange=INFORMATIONAL id=c1ed4e56aa50b2a2/01d9466943a4a7d5:00000009 len=80 2024-12-10 11:37:02.314711 ike 0: in C1ED4E56AA50B2A201D9466943A4A7D52E20250800000009000000502A000034C5C08505E3DCE38965232B182DF9A2C80F258333AE906A904BE91A283C6DFF5AE41F03A80DE707F79709769AB959F373 2024-12-10 11:37:02.314888 ike 0:XXXXXX IPsec_0:459: out C1ED4E56AA50B2A201D9466943A4A7D52E202520000000090000005000000034EC548327AEFBA84A6BB5033621F66B9BA9BD29844DADC1703A687AE85FC2878BA7F8FE8373C1820C57A96D3586F8AB83 2024-12-10 11:37:02.314993 ike V=root:0:XXXXXX IPsec_0:459: sent IKE msg (INFORMATIONAL_RESPONSE): xx.xx.xx.xx:500->xxx.xx.xxx.xx:24037, len=80, vrf=0, id=c1ed4e56aa50b2a2/01d9466943a4a7d5:00000009, oif=7 2024-12-10 11:37:03.275750 ike V=root:0: comes 34.199.9.216:500->xx.xx.xx.xx:500,ifindex=7,vrf=0,len=76.... 2024-12-10 11:37:03.275854 ike V=root:0: IKEv2 exchange=INFORMATIONAL id=c87c0c2ee891eeb5/0d86f6dc7c1926d8:0000006c len=76 2024-12-10 11:37:03.275897 ike 0: in C87C0C2EE891EEB50D86F6DC7C1926D82E2025080000006C0000004C00000030887C2EB295D06B7277C35D049CB9415FC39C32CCF6937A0F26B8B404F9924224B27A1D18C3D6CD534A05EEE5

 

 

 

I have already researched on the internet and tried various things.

-> disable IPV6 on the WiFi/NIC Adapter

-> KB2693643 - But this update is not installed on my device.

-> RSAT is not installed on my device.

 

Best Regards
fabs

1 reply

sjoshi
Staff
sjoshi
Staff
December 10, 2024

Hi,

 

So your issue is tunnel is connected but facing issue with communication.

 

take the pcap

diag sniff packet any 'host x.x.x.x and icmp' 4 0 l >> ping any one of the srv

 

take debug flow

https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/54688/debugging-the-packet-flow

If you have found a solution, please like and mark it as solved to make it easily accessible for everyone.
    fabs
    fabsAuthor
    Visitor III
    December 10, 2024

    @sjoshi 
    Yes correct, the tunnel is connected.
    Regarding the pcap I can see the incoming and outgoing packets
    10.72.76.61 is the IPsec address of my device and 192.168.10.1 is an address of the internal LAN.

    100f_serverroom # diag sniff packet any 'host 10.72.76.61 and icmp' 4 0 l  interfaces=[any] filters=[host 10.72.76.61 and icmp] 2024-12-10 14:46:16.000628 ****** IPsec in 10.72.76.61 -> 192.168.10.1: icmp: echo request 2024-12-10 14:46:16.000628 ****** IPsec in 10.72.76.61 -> 192.168.10.1: icmp: echo request 2024-12-10 14:46:16.000883 ****** IPsec out 192.168.10.1 -> 10.72.76.61: icmp: echo reply 2024-12-10 14:46:16.000883 ****** IPsec out 192.168.10.1 -> 10.72.76.61: icmp: echo reply


     

    sjoshi
    Staff
    sjoshi
    Staff
    December 11, 2024

    So one thing you can do is verify if the reply being sent from the FGT is being received on the FCT side.. Run the same pcap on the FGT and again simultaneously on the PC open wireshark and select ssl vpn adapter and it will show if the packet being sent from the FGT is being received over there on the PC 

    If you have found a solution, please like and mark it as solved to make it easily accessible for everyone.
      Terms & ConditionsAccessibility statement