The 'passive-mode' setting in phase1-interface makes the FortiGate act as the responder during IKE negotiation.

config vpn ipsec phase1-interface
    edit "ipsec-tunnel"
        set interface "wan1"
        set passive-mode enable
        set proposal aes128-sha256
        set dpd on-idle
        set dhgrp 5
        set remote-gw 10.109.17.4
        set psksecret ENC 4+3hg2hZ87dUd8GTo172Hl/wT+1GiPsGYPs0trS8c1nkMPbPOT5lctqkH46x3C4v1MjygX0uBKuWq/U/+/qcbSfuU4U565C9xRSSVmu+LrcR4Zeg/81NFZXqQZ9msZ/YxPmoG65lDTds
    next
end
Result:
- When passive-mode is disabled, the FortiGate is the initiator:

FGT # di vpn ike gateway list

vd: root/0
name: ipsec-tunnel
version: 1
interface: wan1 25
addr: 10.109.16.186:500 -> 10.109.17.4:500
created: 394s ago
IKE SA: created 1/1  established 1/1  time 30/30/30 ms
IPsec SA: created 1/1  established 1/1  time 30/30/30 ms

  id/spi: 6 19503eb0a35dd78d/999b40630df53284
  direction: initiator
  status: established 394-394s ago = 30ms
  proposal: aes128-sha256
  key: 5aba9233a7e7641e-d2f0c1a09162b38b
  lifetime/rekey: 86400/85705
  DPD sent/recv: 00000015/00000000
- After passive-mode is enabled, the tunnel is brought down locally and the FortiGate sends a DELETE notification to the remote side so that the tunnel is re-negotiated:

2023-01-28 22:27:43.599232 ike 0:ipsec-tunnel: update
2023-01-28 22:27:43.599240 ike 0:ipsec-tunnel: deleting
2023-01-28 22:27:43.599271 ike 0:ipsec-tunnel: flushing
2023-01-28 22:27:43.599307 ike 0:ipsec-tunnel: deleting IPsec SA with SPI 1c2b0d21
2023-01-28 22:27:43.599320 ike 0:ipsec-tunnel:ipsec-tunnel: deleted IPsec SA with SPI 1c2b0d21, SA count: 0
2023-01-28 22:27:43.599324 ike 0:ipsec-tunnel: sending SNMP tunnel DOWN trap for ipsec-tunnel
2023-01-28 22:27:43.599347 ike 0:ipsec-tunnel:6: send IPsec SA delete, spi 3b5d49b1
2023-01-28 22:27:43.599374 ike 0:ipsec-tunnel:6: enc 19503EB0A35DD78D999B40630DF532840810050134E663FC000000500C000024E818BFD367C635B2A266C60630BD0706968CC2974A02C38A8B876A492B7C03C70000001000000001030400013B5D49B1
2023-01-28 22:27:43.599383 ike 0:ipsec-tunnel:6: out 19503EB0A35DD78D999B40630DF532840810050134E663FC0000005C00080327EAAE38E9A3FFD05E3398634A9A05D290D0052A0BD7E4632CBDE3D04ED5504D839212B039150C954281E810A1F1BCD6E6E9C59A73669E2DDABD263F13
2023-01-28 22:27:43.599399 ike 0:ipsec-tunnel:6: sent IKE msg (IPsec SA_DELETE-NOTIFY): 10.109.16.186:500->10.109.17.4:500, len=92, id=19503eb0a35dd78d/999b40630df53284:34e663fc
2023-01-28 22:27:43.599417 ike 0:ipsec-tunnel:ipsec-tunnel: sending SNMP tunnel DOWN trap
2023-01-28 22:27:43.599437 ike 0:ipsec-tunnel: flushed
2023-01-28 22:27:43.599456 ike 0:ipsec-tunnel:6: send IKE SA delete 19503eb0a35dd78d/999b40630df53284
2023-01-28 22:27:43.599477 ike 0:ipsec-tunnel:6: enc 19503EB0A35DD78D999B40630DF5328408100501ABF549680000005C0C000024165F22AFB564EA2AB72EF2880635A94AC1C32FFBDEF877F7F993478C6806DCFE0000001C000000010110000119503EB0A35DD78D999B40630DF53284
2023-01-28 22:27:43.599484 ike 0:ipsec-tunnel:6: out 19503EB0A35DD78D999B40630DF5328408100501ABF549680000006CF317537B601B673B0D1B7CE3AE3F0BAD8AFE57E317D1BD9D2ADCC25C0C8E9CBCFB33EE96960A208000CD3FADE51FE9AA32BD444D5F0B64A719C51729F313D757E455A260C2006E3FBA86AEB697F02713
2023-01-28 22:27:43.599495 ike 0:ipsec-tunnel:6: sent IKE msg (ISAKMP SA DELETE-NOTIFY): 10.109.16.186:500->10.109.17.4:500, len=108, id=19503eb0a35dd78d/999b40630df53284:abf54968
2023-01-28 22:27:43.599514 ike 0:ipsec-tunnel: deleted
2023-01-28 22:27:43.599518 ike 0:ipsec-tunnel: set oper down
2023-01-28 22:27:43.599550 ike 0:ipsec-tunnel: schedule auto-negotiate
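To confirm what those two DELETE notifications actually carry, the cleartext ISAKMP packet printed on each "enc" debug line can be decoded. The Python below is an added example, not code from the article or from FortiOS: it parses the ISAKMP header and Delete payload as laid out in RFC 2408, taking the two "enc" hex dumps above as input (the "out" lines are the same packets after encryption).

```python
import struct

# Cleartext ISAKMP packets copied from the two "enc" debug lines above.
IPSEC_SA_DELETE = ("19503EB0A35DD78D999B40630DF532840810050134E663FC000000500C000024"
                   "E818BFD367C635B2A266C60630BD0706968CC2974A02C38A8B876A492B7C03C7"
                   "0000001000000001030400013B5D49B1")
ISAKMP_SA_DELETE = ("19503EB0A35DD78D999B40630DF5328408100501ABF549680000005C0C000024"
                    "165F22AFB564EA2AB72EF2880635A94AC1C32FFBDEF877F7F993478C6806DCFE"
                    "0000001C000000010110000119503EB0A35DD78D999B40630DF53284")

EXCHANGE_TYPES = {2: "Identity Protection", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"}
PAYLOAD_TYPES = {8: "Hash", 11: "Notification", 12: "Delete"}
PROTO_IDS = {1: "ISAKMP", 2: "AH", 3: "ESP"}

def parse_isakmp(hexdump: str) -> dict:
    """Decode the 28-byte ISAKMP header (RFC 2408 s.3.1) and walk the payload chain."""
    data = bytes.fromhex(hexdump)
    icookie, rcookie, np, ver, xchg, flags, msgid, length = struct.unpack("!8s8sBBBBII", data[:28])
    if length != len(data):
        raise ValueError(f"header says {length} bytes, packet has {len(data)}")
    payloads, off = [], 28
    while np != 0:
        nxt, _, plen = struct.unpack("!BBH", data[off:off + 4])   # generic payload header
        body = data[off + 4:off + plen]
        entry = {"type": PAYLOAD_TYPES.get(np, str(np)), "len": plen}
        if np == 12:  # Delete payload: DOI, protocol ID, SPI size, SPI count, then the SPIs
            _doi, proto, spi_size, count = struct.unpack("!IBBH", body[:8])
            entry["proto"] = PROTO_IDS.get(proto, str(proto))
            entry["spis"] = [body[8 + i * spi_size:8 + (i + 1) * spi_size].hex() for i in range(count)]
        payloads.append(entry)
        off, np = off + plen, nxt
    return {"cookies": f"{icookie.hex()}/{rcookie.hex()}", "version": f"{ver >> 4}.{ver & 0xF}",
            "exchange": EXCHANGE_TYPES.get(xchg, str(xchg)), "encrypt_flag": bool(flags & 1),
            "msgid": f"{msgid:08x}", "payloads": payloads}

def describe(hexdump: str) -> str:
    """One-line summary of which SA(s) the Delete payload tears down."""
    p = parse_isakmp(hexdump)
    dels = [d for d in p["payloads"] if d["type"] == "Delete"]
    return "; ".join(f"{p['exchange']} msgid={p['msgid']} deletes {d['proto']} SPI {','.join(d['spis'])}"
                     for d in dels)

if __name__ == "__main__":
    print(describe(IPSEC_SA_DELETE))    # Informational msgid=34e663fc deletes ESP SPI 3b5d49b1
    print(describe(ISAKMP_SA_DELETE))   # ... deletes ISAKMP SPI 19503eb0a35dd78d999b40630df53284
```

The first packet deletes the outbound ESP SA (SPI 3b5d49b1, matching the "send IPsec SA delete" line) and the second deletes the ISAKMP SA itself, whose 16-byte SPI is the cookie pair shown in the gateway list.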
After the next successful IKE negotiation, the FortiGate acts as the responder:

FGT # di vpn ike gateway list

vd: root/0
name: ipsec-tunnel
version: 1
interface: wan1 25
addr: 10.109.16.186:500 -> 10.109.17.4:500
created: 12s ago
IKE SA: created 1/1  established 1/1  time 0/0/0 ms
IPsec SA: created 1/1  established 1/1  time 10/10/10 ms

  id/spi: 7 22c7cbb768c4cd2b/27215118f14c5f65
  direction: responder
  status: established 12-12s ago = 0ms
  proposal: aes128-sha256
  key: 4b2bd4d8dd4fbca0-e28d4a90c513075a
  lifetime/rekey: 86400/86117
  DPD sent/recv: 00000000/00000000