oheigl
New Member
October 3, 2016
Question

IPsec Tunnel to FortiAnalyzer with private IP

  • October 3, 2016
  • 3 replies
  • 27719 views

Hey Guys,

The following problem: I have a FAZ VM set up in the Azure cloud, and I want to send the logs from the FortiGate to it via IPsec encryption. I configured everything accordingly, but the FAZ drops the IPsec packets from the FortiGate. The Azure network settings forward all packets from one IP to the FAZ via destination NAT to its internal private IP:

351.109183 port1 in 1.2.3.4.500 -> 10.10.10.10.500: udp 512
351.109211 port1 out 10.10.10.10 -> 1.2.3.4: icmp: 10.10.10.10 udp port 500 unreachable

The IKE application debug doesn't output anything; I just see the unreachable ICMP packets in the sniffer. Is this situation even supported, or is there any way I could debug the problem?

Many thanks!

    3 replies

    emnoc
    New Member
    October 3, 2016

    IKE is not open; you need to allow ISAKMP protocol access (UDP 500/4500) for phase 1 to pass the SAs. I would double-check the firewall filtering.

    oheigl (Author)
    New Member
    October 3, 2016

    Well, that's easier said than done; it's a FAZ, it doesn't have any rules? Or am I missing something here? The trace I posted is directly from the FortiAnalyzer, so the packets arrive at the appliance; it just doesn't answer them, although I configured the device to use IPsec.

    scao_FTNT
    Staff
    October 3, 2016

    So on FAZ, you enabled "Secure Connection" for that device, and it has a matching ID (FGT SN) and pre-shared key as the FGT side config?

    Thanks

    Simon

    oheigl (Author)
    New Member
    October 3, 2016

    Yes, exactly. I copy-pasted everything, but if I had missed something there should at least be some output in the IKE debug, but there is nothing; it's just not answering the packets. Can I provide any debug logs that may help?

    scao_FTNT
    Staff
    October 3, 2016

    Which FAZ version? You can enable the debug below on FAZ:

    diag debug enable

    diag deb app ipsec 255

    Thanks

    Simon

    scao_FTNT
    Staff
    October 4, 2016

    The interface of the FAZ is set to DHCP, and there is no local listening port.

        -- FAZ-VM on AWS is special for interface config, which is DHCP; we will double-check this case on AWS.

    Thanks

    Simon

    scao_FTNT
    Staff
    October 4, 2016

    Sorry, the same applies to Azure in this ticket case; other FAZs only support a manually configured IP.

    Thanks

    Simon
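The thread turns on reading one sniffer pair correctly: an inbound UDP 500 packet followed by an ICMP "udp port 500 unreachable" sent by the destination host itself means the packet reached the box and nothing was bound to the port (Simon's "no local listening port"), which is a different failure from an upstream filter dropping IKE (emnoc's suggestion), where nothing comes back at all. The script below is an added example, not code from the original post or from Fortinet; it parses FortiOS/FortiAnalyzer `diagnose sniffer packet` lines in the format shown above and classifies each inbound IKE attempt per peer. The sample capture embeds the two lines from the question plus two constructed peers (5.6.7.8 and 9.9.9.9) that are not on the page; the two-second pairing window is an assumption.

```python
"""Triage FortiOS / FortiAnalyzer 'diagnose sniffer packet' output for IKE.

For every inbound UDP packet to an IKE port (500 or 4500) the verdict is:
  - "responding":  the local host answered with UDP from the same port
  - "no_listener": the local host itself sent ICMP 'udp port N unreachable',
                   so the packet arrived but nothing is bound to the port
  - "no_reply":    nothing came back within the window (filtered upstream,
                   wrong destination, or the packet never reached the host)
"""
import re

IKE_PORTS = {500, 4500}
REPLY_WINDOW = 2.0  # seconds; assumed window for pairing a request with its answer

_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
UDP_RE = re.compile(
    rf"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    rf"(?P<src>{_IP})\.(?P<sport>\d+)\s+->\s+(?P<dst>{_IP})\.(?P<dport>\d+):\s+udp\s+(?P<len>\d+)"
)
ICMP_UNREACH_RE = re.compile(
    rf"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    rf"(?P<src>{_IP})\s+->\s+(?P<dst>{_IP}):\s+icmp:\s+(?P<host>{_IP})\s+udp\s+port\s+(?P<port>\d+)\s+unreachable"
)


def parse_line(line):
    """Return a dict for a UDP or ICMP-port-unreachable sniffer line, else None."""
    m = UDP_RE.match(line.strip())
    if m:
        d = m.groupdict()
        return {"ts": float(d["ts"]), "dir": d["dir"], "kind": "udp",
                "src": d["src"], "sport": int(d["sport"]),
                "dst": d["dst"], "dport": int(d["dport"])}
    m = ICMP_UNREACH_RE.match(line.strip())
    if m:
        d = m.groupdict()
        return {"ts": float(d["ts"]), "dir": d["dir"], "kind": "icmp_unreach",
                "src": d["src"], "dst": d["dst"],
                "host": d["host"], "port": int(d["port"])}
    return None


def triage_ike(lines):
    """Map (peer_ip, ike_port) -> verdict for the latest inbound attempt seen."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    verdicts = {}
    for i, ev in enumerate(events):
        if not (ev["kind"] == "udp" and ev["dir"] == "in" and ev["dport"] in IKE_PORTS):
            continue
        peer, local, port = ev["src"], ev["dst"], ev["dport"]
        verdict = "no_reply"
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > REPLY_WINDOW:
                break
            if later["dir"] != "out" or later["dst"] != peer:
                continue
            # ICMP unreachable generated by the destination itself: closed port, not a filter
            if later["kind"] == "icmp_unreach" and later["src"] == local and later["port"] == port:
                verdict = "no_listener"
                break
            # A UDP answer from the same local port: IKE is actually listening
            if later["kind"] == "udp" and later["src"] == local and later["sport"] == port:
                verdict = "responding"
                break
        verdicts[(peer, port)] = verdict
    return verdicts


# Constructed sample: the two lines quoted in the question (peer 1.2.3.4 -> FAZ
# 10.10.10.10), plus two made-up peers for contrast that are not on the page.
SAMPLE_SNIFFER = """\
351.109183 port1 in 1.2.3.4.500 -> 10.10.10.10.500: udp 512
351.109211 port1 out 10.10.10.10 -> 1.2.3.4: icmp: 10.10.10.10 udp port 500 unreachable
360.000100 port1 in 5.6.7.8.500 -> 10.10.10.10.500: udp 480
360.000900 port1 out 10.10.10.10.500 -> 5.6.7.8.500: udp 440
370.000100 port1 in 9.9.9.9.4500 -> 10.10.10.10.4500: udp 560
"""

HINTS = {
    "no_listener": "packet reached the host; no IKE daemon bound to this port (check platform/interface support)",
    "no_reply": "no answer at all; check upstream filtering, NAT and the destination address",
    "responding": "IKE is answering; look at the IKE debug for negotiation errors instead",
}

if __name__ == "__main__":
    for (peer, port), verdict in triage_ike(SAMPLE_SNIFFER.splitlines()).items():
        print(f"{peer}:{port} -> {verdict}: {HINTS[verdict]}")
```

Feed it the output of `diagnose sniffer packet any 'udp port 500 or udp port 4500 or icmp' 4` (the FortiOS sniffer's verbosity-4 form, which prints the interface name the parser expects); an appliance that never sends the ICMP unreachable and never answers shows up as "no_reply", which is where the firewall-filtering check belongs.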