FortiGate
anoushiravan
Staff
Article Id 244166
Description

This article describes how to make sure a FortiGate always acts as the responder in a site-to-site IPsec VPN.

In a client-to-site (dialup) IPsec VPN the roles are fixed: the remote client or spoke always acts as the initiator and the hub FortiGate always acts as the responder.

In a site-to-site IPsec VPN, however, a FortiGate can end up as either initiator or responder, depending on which side sends the first IKE message. The passive-mode feature removes that ambiguity: with it enabled, the FortiGate never initiates and always acts as the responder.

Scope
FortiGate.
Solution

The 'passive-mode' setting in the phase1-interface makes the FortiGate act only as a responder during IKE negotiation: it never sends the first IKE message itself and waits for the remote peer to initiate. The remote peer must therefore be configured to initiate the tunnel (and to keep it up), otherwise the tunnel only comes up when the peer has traffic to send.

 

config vpn ipsec phase1-interface
    edit "ipsec-tunnel"
        set interface "wan1"
        set passive-mode enable
        set proposal aes128-sha256
        set dpd on-idle
        set dhgrp 5
        set remote-gw 192.168.17.4
        set psksecret ENC 4+3hg2hZ87dUd8GTo172Hl/wT+1GiPsGYPs0trS8c1nkMPbPOT5lctqkH46x3C4v1MjygX0uBKuWq/U/+/qcbSfuU4U565C9xRSSVmu+LrcR4Zeg/81NFZXqQZ9msZ/YxPmoG65lDTds
    next
end

 

Result:

 

With passive-mode disabled, the FortiGate brought the tunnel up itself, and the IKE SA shows 'direction: initiator':

 

di vpn ike gateway list

vd: root/0
name: ipsec-tunnel
version: 1
interface: wan1 25
addr: 192.168.16.186:500 -> 192.168.17.4:500
created: 394s ago
IKE SA: created 1/1 established 1/1 time 30/30/30 ms
IPsec SA: created 1/1 established 1/1 time 30/30/30 ms

id/spi: 6 19503eb0a35dd78d/999b40630df53284
direction: initiator
status: established 394-394s ago = 30ms
proposal: aes128-sha256
key: 5aba9233a7e7641e-d2f0c1a09162b38b
lifetime/rekey: 86400/85705
DPD sent/recv: 00000015/00000000


Enabling passive-mode on an established tunnel tears it down: the FortiGate flushes its IPsec and IKE SAs locally, sends DELETE notifications for both to the remote peer, and then waits for the peer to re-negotiate the tunnel:

 

2023-01-28 22:27:43.599232 ike 0:ipsec-tunnel: update
2023-01-28 22:27:43.599240 ike 0:ipsec-tunnel: deleting
2023-01-28 22:27:43.599271 ike 0:ipsec-tunnel: flushing
2023-01-28 22:27:43.599307 ike 0:ipsec-tunnel: deleting IPsec SA with SPI 1c2b0d21
2023-01-28 22:27:43.599320 ike 0:ipsec-tunnel:ipsec-tunnel: deleted IPsec SA with SPI 1c2b0d21, SA count: 0
2023-01-28 22:27:43.599324 ike 0:ipsec-tunnel: sending SNMP tunnel DOWN trap for ipsec-tunnel
2023-01-28 22:27:43.599347 ike 0:ipsec-tunnel:6: send IPsec SA delete, spi 3b5d49b1
2023-01-28 22:27:43.599374 ike 0:ipsec-tunnel:6: enc 19503EB0A35DD78D999B40630DF532840810050134E663FC000000500C000024E818BFD367C635B2A266C60630BD0706968CC2974A02C38A8B876A492B7C03C70000001000000001030400013B5D49B1
2023-01-28 22:27:43.599383 ike 0:ipsec-tunnel:6: out 19503EB0A35DD78D999B40630DF532840810050134E663FC0000005C00080327EAAE38E9A3FFD05E3398634A9A05D290D0052A0BD7E4632CBDE3D04ED5504D839212B039150C954281E810A1F1BCD6E6E9C59A73669E2DDABD263F13
2023-01-28 22:27:43.599399 ike 0:ipsec-tunnel:6: sent IKE msg (IPsec SA_DELETE-NOTIFY): 192.168.16.186:500->192.168.17.4:500, len=92, id=19503eb0a35dd78d/999b40630df53284:34e663fc
2023-01-28 22:27:43.599417 ike 0:ipsec-tunnel:ipsec-tunnel: sending SNMP tunnel DOWN trap
2023-01-28 22:27:43.599437 ike 0:ipsec-tunnel: flushed
2023-01-28 22:27:43.599456 ike 0:ipsec-tunnel:6: send IKE SA delete 19503eb0a35dd78d/999b40630df53284
2023-01-28 22:27:43.599477 ike 0:ipsec-tunnel:6: enc 19503EB0A35DD78D999B40630DF5328408100501ABF549680000005C0C000024165F22AFB564EA2AB72EF2880635A94AC1C32FFBDEF877F7F993478C6806DCFE0000001C000000010110000119503EB0A35DD78D999B40630DF53284
2023-01-28 22:27:43.599484 ike 0:ipsec-tunnel:6: out 19503EB0A35DD78D999B40630DF5328408100501ABF549680000006CF317537B601B673B0D1B7CE3AE3F0BAD8AFE57E317D1BD9D2ADCC25C0C8E9CBCFB33EE96960A208000CD3FADE51FE9AA32BD444D5F0B64A719C51729F313D757E455A260C2006E3FBA86AEB697F02713
2023-01-28 22:27:43.599495 ike 0:ipsec-tunnel:6: sent IKE msg (ISAKMP SA DELETE-NOTIFY): 192.168.16.186:500->192.168.17.4:500, len=108, id=19503eb0a35dd78d/999b40630df53284:abf54968
2023-01-28 22:27:43.599514 ike 0:ipsec-tunnel: deleted
2023-01-28 22:27:43.599518 ike 0:ipsec-tunnel: set oper down
2023-01-28 22:27:43.599550 ike 0:ipsec-tunnel: schedule auto-negotiate

 

Once the remote peer re-initiates and IKE negotiation succeeds, the same command shows the FortiGate as 'direction: responder':

 

di vpn ike gateway list

vd: root/0
name: ipsec-tunnel
version: 1
interface: wan1 25
addr: 192.168.16.186:500 -> 192.168.17.4:500
created: 12s ago
IKE SA: created 1/1 established 1/1 time 0/0/0 ms
IPsec SA: created 1/1 established 1/1 time 10/10/10 ms

id/spi: 7 22c7cbb768c4cd2b/27215118f14c5f65
direction: responder
status: established 12-12s ago = 0ms
proposal: aes128-sha256
key: 4b2bd4d8dd4fbca0-e28d4a90c513075a
lifetime/rekey: 86400/86117
DPD sent/recv: 00000000/00000000

Phase 2 (the IPsec SA) is likewise only ever started by the initiator. If interesting traffic originates behind the passive FortiGate while no IPsec SA exists, the FortiGate does not start a phase 2 negotiation itself; the traffic is dropped and the IKE debug (diagnose debug application ike -1) shows the following message. Make sure the remote peer initiates the tunnel and keeps it up (on a FortiGate peer, 'set auto-negotiate enable' under its phase2-interface), or traffic from the passive side will be dropped until the peer brings the tunnel up.

ike V=root:0:ipsec-tunnel: ignoring request to establish IPsec SA, gateway is in passive mode
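The two things to verify after enabling passive-mode are the 'direction:' field in the gateway list above and the 'ignoring request to establish IPsec SA' debug message. The following script is an added example, not part of this article or of FortiOS: it parses both outputs offline so the checks can be run against saved CLI output from several tunnels at once. The first gateway block is the one shown in this article; the "branch2" gateway, the filler debug lines and the PASSIVE_TUNNELS set are constructed for illustration.

```python
"""Verify FortiGate passive-mode tunnels from saved CLI output:
  1. every passive tunnel in 'diagnose vpn ike gateway list' must show
     'direction: responder';
  2. report 'ignoring request ... passive mode' lines from the IKE debug,
     which mean local traffic hit a passive tunnel with no IPsec SA."""
import re
from typing import Dict, List, Set

# Sample 'diagnose vpn ike gateway list' output. The first gateway is the one
# from the article; "branch2" is a constructed gateway whose SA was negotiated
# as initiator, to give the check something to flag.
GATEWAY_LIST = """\
vd: root/0
name: ipsec-tunnel
version: 1
addr: 192.168.16.186:500 -> 192.168.17.4:500
created: 12s ago

id/spi: 7 22c7cbb768c4cd2b/27215118f14c5f65
direction: responder
status: established 12-12s ago = 0ms
proposal: aes128-sha256
lifetime/rekey: 86400/86117
DPD sent/recv: 00000000/00000000

vd: root/0
name: branch2
version: 1
addr: 192.168.16.186:500 -> 192.168.18.9:500
created: 394s ago

id/spi: 6 19503eb0a35dd78d/999b40630df53284
direction: initiator
status: established 394-394s ago = 30ms
proposal: aes128-sha256
lifetime/rekey: 86400/85705
DPD sent/recv: 00000015/00000000
"""

# Constructed IKE debug excerpt: the refusal line is the message the article
# shows; the other lines are filler in the same format.
IKE_DEBUG = """\
ike 0:ipsec-tunnel: schedule auto-negotiate
ike V=root:0:ipsec-tunnel: ignoring request to establish IPsec SA, gateway is in passive mode
ike 0:branch2:6: sent IKE msg (ISAKMP SA DELETE-NOTIFY): 192.168.16.186:500->192.168.18.9:500, len=108
"""

# Phase 1 names configured with 'set passive-mode enable' (assumed).
PASSIVE_TUNNELS: Set[str] = {"ipsec-tunnel", "branch2"}


def parse_gateway_list(text: str) -> List[Dict[str, str]]:
    """Return one dict per gateway. A gateway starts at each 'vd:' line and
    every 'key: value' line is stored as-is, so if a gateway lists several
    IKE SAs (e.g. during rekey) the last SA's fields win."""
    gateways: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue                        # blank line, not 'key: value'
        key, value = key.strip(), value.strip()
        if key == "vd" and current:         # next gateway begins
            gateways.append(current)
            current = {}
        current[key] = value
    if current:
        gateways.append(current)
    return gateways


def check_passive_roles(gateways: List[Dict[str, str]], passive: Set[str]) -> List[str]:
    """Names of passive-mode tunnels whose IKE SA was NOT negotiated as
    responder: passive-mode is not in effect for them (wrong tunnel name,
    config not applied, or a pre-change SA that has not been torn down)."""
    return sorted(g["name"] for g in gateways
                  if g.get("name") in passive and g.get("direction") != "responder")


# Matches both the 'ike 0:<name>:' and the 'ike V=<vdom>:0:<name>:' prefixes.
_REFUSAL = re.compile(
    r"^ike\s+(?:V=\w+:)?\d+:(?P<name>[^:\s]+): ignoring request to establish "
    r"IPsec SA, gateway is in passive mode")


def passive_refusals(debug_text: str) -> List[str]:
    """Tunnel names for which the IKE daemon refused to start phase 2 because
    the gateway is passive: local traffic arrived while no IPsec SA existed,
    so only the remote peer can bring the tunnel up."""
    return [m.group("name") for line in debug_text.splitlines()
            if (m := _REFUSAL.match(line.strip()))]


if __name__ == "__main__":
    for name in check_passive_roles(parse_gateway_list(GATEWAY_LIST), PASSIVE_TUNNELS):
        print(f"WARNING: {name} is passive-mode but its IKE SA was negotiated as initiator")
    for name in passive_refusals(IKE_DEBUG):
        print(f"NOTE: {name} dropped a local phase 2 request (passive mode)")
```

Run against real output by replacing the two sample strings with the text of 'diagnose vpn ike gateway list' and 'diagnose debug application ike -1'. A passive tunnel still reported as initiator right after the change is usually the pre-change SA; re-check after the DELETE notifications shown above have been sent and the peer has re-negotiated.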