Skip to main content
mello_03
mello_03
New Member
May 26, 2014
Question

IPSEC problem

  • May 26, 2014
  • 3 replies
  • 50176 views
Hi i have a problem with vpn between 2 fortigate site A is a fortigate 100A 4.0 MR3 patch 15 site B is a fortigate 50B 4.0 MR3 patch 15 After 16 hour vpn stop responding, i lose ping until restarting fortigate 50B (site B) Bring down-bring up vpn from web interface in both site don' t resolve the problem. After restarting, during day, vpn work well, without any lost packet. The problem occour always during night, when there are not active connection in site B. Site A is the head office, and are connected other ipsec with the same configurations as site B, that works without problems. IPSEc is policy based configuration: In both site A and site B vpn are configured with these paramenters: PHASE 1 MODE: main Encryption: AES128/MD5 - AES128/SHA1 - DES/MD5 Dh group: 2 Key life: 28800 seconds XAUTH: disabled Dead Peer Detection: Enabled PHASE 2 Encryption: AES128/MD5 - AES128/SHA1 Enable repaly detection: disabled Enable perfect forward secrecy: enabled DH Group: 2 Keylife: 28800 seconds Autokey Keep Alive: enabled Quick mode selector: on site A: soure 0.0.0.0/0 destination: 192.168.3.0/24 on site B: soure 192.168.3.0/24 destination: 0.0.0.0/0 Policy: site A: source (all vlan in site A) destination (lan site B: 192.168.3.0/24) Action IPSEC site B: source (lan site B: 192.168.3.0/24) destination (vlan in site A) Action IPSEC Log on site B whe the problem occurred: I found these line msg=" delete IPsec phase 2 SA" action=" delete_ipsec_sa" msg=" delete IPsec phase 1 SA" action=" delete_phase1_sa" What can I try to resolve the problem? Thanks Andrea

    3 replies

    emnoc
    emnoc
    New Member
    May 26, 2014
    What I would do before resetting anything, I would execute the diag sniffer packet command and specify ports 500 or 4500 between the 2 vpn peers. See if IKE or even ESP is being passed Qs: Have you ensure that NAT is not an issues and if any NAT-transversal timeout? execution of diag vpn ike gateway will provide details on if IKE std or NAT-T extension is being used Next, have you ensure that DPD is actively being used? Once again execution of the diag vpn ike gateway cmd, will provide details on DPD and counters and you can monitor the interval I would also issues the diag debug app ike -1 when all stops and to try to identify what side is causing the issues. You can use my link at the following blog for L2L vpn t-shooting. http://socpuppet.blogspot.com/2013/10/site-2-site-routed-vpn-trouble-shooting.html
    mello_03
    mello_03Author
    New Member
    May 26, 2014
    Thank you for your answer I try to execute diag vpn ike gateway: On site B i have vd: root/0 name: Montecchio version: 1 interface: wan1 5 addr: 172.16.10.2:500 -> public ip site A:500 created: 24652s ago IKE SA: created 1/1 established 1/1 time 6340/6340/6340 ms IPsec SA: created 1/1 established 1/1 time 140/140/140 ms id/spi: 0 3b4a487011db8c3a/2e520d79e9b7fe32 direction: initiator status: established 24652-24646s ago = 6340ms proposal: aes128-md5 key: 8f547fadea7ff48d-191e45bed97c224c lifetime/rekey: 28800/3853 DPD sent/recv: 00000000/00000000 On site A: vd: root/0 name: Spagna version: 1 interface: wan1 2 addr: public IP site A:500 -> public IP site B:500 created: 24712s ago IKE SA: created 1/2 established 1/1 time 250/250/250 ms IPsec SA: created 1/2 established 1/1 time 120/120/120 ms id/spi: 1108 3b4a487011db8c3a/2e520d79e9b7fe32 direction: responder status: established 24700-24700s ago = 250ms proposal: aes128-md5 key: 8f547fadea7ff48d-191e45bed97c224c lifetime/rekey: 28800/3829 DPD sent/recv: 00000000/00000000 Vpn restart this morning. the DPD is showing 0000000/0000000, for other vpn is enhanced Can be DPD issue?
    emnoc
    emnoc
    New Member
    May 26, 2014
    That could be a big issue. I would enable dpd on the policy and use ikev2 e.g edit Montecchio set dpd enable set dpd-retryinterval 20 end I also rfc1918 address but is this output sanitized? Or are you using NAT anywhere on the peer-vpn src address?
    mello_03
    mello_03Author
    New Member
    May 26, 2014
    Mmmm... I don' t understand very well In site A fortigate has public ip and connect to site B to public IP In site B, public ip is on provider' s router. Fortigate is connected to this router with wan port configured like " internal" for provider' s router. Wan1 in fortigate is 172.16.10.2 that is internal lan of provider' s router. To do this in fortigate, I also configured a static route from 0.0.0.0/0 to 172.16.10.1 (provider' s router, that is gateway) On this router I configure port forwarding rules from any to fortigate, port 500 and 4500 udp. No NAT configured in policy rules in both sites. In policy rule is configured allow inbound and allow outbound No NAT Traversal configured DPD is enabled on both fortigate!! Maybe provider router issue?
    emnoc
    emnoc
    New Member
    May 26, 2014
    If your being NAT' than you need to enable NAT-T and possible adjust any Nat timeouts. Do you have NAT-T enabled? set nattraversal enable
    mello_03
    mello_03Author
    New Member
    May 27, 2014
    enabled nat traversal but DPD won' t work. I recreate phase 1 and phase 2 and policy too. The strange thing is that with other vpn site, with identical firewall (fortigate 50B) and configurations, i have no problems. I think that the problem is the provider router. I have to check with another router.
    Terms & ConditionsAccessibility statement