[IPSec VPN] very strange behaviour

Question

Hiho,

I just got this strange issue here:

two FGT 100E with 6.0.8 running. Between both is an ipsec tunnel.

Side A says (in IPSec Monitorr) the tunnel is up

Side B say (-"-) the tunnel is down

Side B still gets new SA Requests for that tunnel from Side A

In Debug Log on Side A you see that Side A is doing the complete handshale and even sends the tunnel up snmp trap to side B.

On Side B you only see new SA Requests from Side A and then negtiation timeouts.

P1 auto negotiation is disabled on Side B but enabled on Side A

I have no clue why this happens...

localhost · Accepted Answer

You have two Fortigates running same hardware and same software release.

I guess you compared the IPSEC tunnel settings in the CLI on the Fortigates, and verified the Tunnel settings are the same on both sides?

Firewalls Policies are also correct, otherwise the tunnel would not initiate at all.

So what else could be the reason it doesn't work?

Either some network device is dropping packets in your network path. Be it the ISP or some other device.

Or you are running into a software bug on the Fortigate.

That's why I suggested setting NAT-T to forced (not just enabled) and disabling np-offload on the phase1.

localhost · Answer

Hey

I've seen a lot of ISP's doing very weird stuff to IPSEC tunnels.

So in this case I would try to:

- enable force NAT Traversal (UDP 4500 instead of ESP)

Also I ran in multiple NP offload bugs on various FortiOS releases:

- to fix: set np-offload disable on the phase1 tunnel

Sign up