Contributor
November 24, 2010
Question

IPsec tunnel up - no traffic going through

Dear all, first of all thanks for taking your time to give me a hint on the following issue: Fortigate 80C <=> Astaro for IPsec tunnel. Tunnel is up (according to the "Monitor => IPsec" section) - as seen in the attached screenshot of the Log in the GUI section. I created a Firewall policy ("accept") with the virtual IPsec interface as source and the internal net as destination and created an address range as well. Does anyone know how I can log the incoming / outgoing packages to see if they arrive at the Fortigate or where I may have set something wrong in the setup of the tunnel. Thank you very much!

    5 replies

    ede_pfau (SuperUser)
    November 24, 2010
    Hi, on the console, type
    diag sniffer packet MyTunnelName '' 4
    to see traffic from the remote end. If you ping from the remote end, you could use
    diag sniffer packet MyTunnelName 'icmp' 4
    and
    diag sniffer packet wan1 'udp port 50' 4
    will show you traffic arriving at the external interface. ...get the idea? MyTunnelName is the name of the VPN interface/phase1.
    Contributor
    November 25, 2010
    First of all thank you very much for your reply! Your commands were really helpful! But I stumbled across another problem now. While trying to capture packages on the virtual IPsec interface, I got the following message:
    FGT80CXXXX # diagnose sniffer packet 'tunnel' 4
    interfaces=[XXXXX]
    filters=[4]
    pcap_lookupnet: XXXXX: no IPv4 address assigned
    pcap_compile: parse error
    I can confirm that there seems to be no IP assigned when I look in the System => Network GUI section. But the IPsec guide from Fortinet explained that I generally don't have to assign an address in this section... Thanks again!
    ede_pfau (SuperUser)
    November 25, 2010
    No, the tunnel ends do not have to have an IP. In your case you suffer from a simple syntax error:
    FGT80CXXXX # diagnose sniffer packet 'tunnel' 4
    should read
    FGT80CXXXX # diagnose sniffer packet tunnel 'service' 4
    with <tunnel> being the tunnel name (phase 1 name) and <service> the protocol you would like to sniff. Use empty ticks '' for all traffic, 'icmp' for pings, 'tcp port 80' for HTTP, and so on.
    Contributor
    November 25, 2010
    Thanks for the quick reply. No, I didn't have a syntax error - I just replaced the "real" info in my quote with some easily misunderstood information. Anyway - if I enter the command using the name of the virtual IPsec interface - I get the above stated error message, that there is no IP assigned. If I use a fantasy name instead of the real interface name, I get a message that this interface is non-existent - which shows me that it "accepts" my command and that there really seems to be an IP missing?! Or am I completely wrong? :D
    ede_pfau (SuperUser)
    November 25, 2010
    You can ignore the message about the missing interface IP. But you had a "pcap_compile" error and that is really an error. That's why I re-read the debug statement and spotted the missing action field. So, to make it clear, the command needs 5 additional arguments to it.
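As an added example (not from this thread or from Fortinet), a small Python helper that builds the sniffer command in the argument order ede_pfau gives and then parses verbose-4 capture lines to show whether ESP reaches the WAN interface, whether decrypted packets appear on the tunnel interface, and whether anything leaves through the tunnel again. The capture lines, the interface names (wan1, vpn-astaro, internal) and the addresses are constructed, and the line layout is assumed to follow the tcpdump-like `<time> <interface> <in|out> <src> -> <dst>: <protocol>` form that verbosity 4 prints.

```python
import re

# Constructed capture lines in the shape `diagnose sniffer packet <if> '' 4` prints
# (verbose 4 includes the interface name); layout assumed, all values invented.
SAMPLE_CAPTURE = """\
1.001 wan1 in 203.0.113.10 -> 198.51.100.5: ESP(spi=0x0a1b2c3d,seq=0x1)
1.002 vpn-astaro in 192.168.2.20 -> 192.168.1.10: icmp: echo request
1.003 internal out 192.168.2.20 -> 192.168.1.10: icmp: echo request
1.004 wan1 in 203.0.113.10 -> 198.51.100.5: ESP(spi=0x0a1b2c3d,seq=0x2)
1.005 vpn-astaro in 192.168.2.20 -> 192.168.1.10: icmp: echo request
1.006 internal out 192.168.2.20 -> 192.168.1.10: icmp: echo request
"""

LINE_RE = re.compile(
    r"^\s*(?P<ts>[\d.]+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s*(?P<proto>\w+)"
)


def sniffer_command(interface, bpf_filter, verbose=4):
    """Argument order: interface, quoted BPF filter, verbosity level.
    Leaving the filter out makes the CLI read the verbosity digit as the
    filter (the `filters=[4]` / `pcap_compile: parse error` seen above);
    "all traffic" must therefore be written as the empty filter ''."""
    return f"diagnose sniffer packet {interface} '{bpf_filter}' {verbose}"


def parse_capture(text):
    """Return one dict (ts, intf, dir, src, dst, proto) per recognised line."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def triage(records, wan_if, tunnel_if):
    """The three counts to check when the tunnel is up but nothing flows:
    encrypted ESP arriving on the WAN side, decrypted packets showing up on
    the tunnel interface, and traffic leaving through the tunnel (replies)."""
    def count(intf, direction, proto=None):
        return sum(1 for r in records if r["intf"] == intf and r["dir"] == direction
                   and (proto is None or r["proto"].upper() == proto))
    return {
        "esp_in_on_wan": count(wan_if, "in", "ESP"),
        "decrypted_in_on_tunnel": count(tunnel_if, "in"),
        "out_on_tunnel": count(tunnel_if, "out"),
    }


if __name__ == "__main__":
    print(sniffer_command("vpn-astaro", "icmp"))
    # Zero packets out on the tunnel while decrypted ones arrive means the LAN
    # host never answered or its reply is not routed/policied back into the tunnel.
    print(triage(parse_capture(SAMPLE_CAPTURE), "wan1", "vpn-astaro"))
```

Run the three captures from the thread (WAN, tunnel interface, internal) one at a time on the FortiGate and paste their output into `parse_capture` to get the same breakdown for real traffic.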