Supposedly wrongly negotiated IPsec Phase 2 SA
Hello together,
I have a strange behaviour with one of our S2S IPsec tunnels.
First things first: Tunnel Phase1 and Phase2 are up. Routing and Policies are configured. Everything is working fine.
Then every other day one of the remote networks is not reachable anymore (the Logs show that the FortiGate is sending the traffic into the tunnel but there is no packet coming back as an answer).
This network is then not reachable for exactly one hour (Phase2 Key lifetime) and then everything works again.
For me it looks like the FortiGate in these cases is not able to negotiate the SA with the remote gateway correctly. On the remote site there is a CheckPoint Firewall.
I was not able yet to get a deeper look at what happens in those cases under the hood because mostly everything is back to normal as soon as I'm connected to the FortiGate.
Maybe one of you knows this behaviour and can tell me what the cause of this could be.
Thank you very much in advance!
