anoushiravan
Staff
Article Id 244166
Description

This article describes how to make sure the FortiGate acts as the responder in a site-to-site IPsec VPN.

Generally, in client-to-site IPsec VPN the FortiGate always acts as the initiator and the hub acts as the responder.

In site-to-site IPsec VPN, however, the FortiGate can act as either responder or initiator; with the passive-mode feature enabled it always acts as the responder.

Scope

FortiGate.
Solution

The 'passive-mode' setting in phase1 makes the FortiGate act as the responder during IKE negotiation.

# config vpn ipsec phase1-interface
    edit "ipsec-tunnel"
        set interface "wan1"
        set passive-mode enable
        set proposal aes128-sha256
        set dpd on-idle
        set dhgrp 5
        set remote-gw 10.109.17.4
        set psksecret ENC 4+3hg2hZ87dUd8GTo172Hl/wT+1GiPsGYPs0trS8c1nkMPbPOT5lctqkH46x3C4v1MjygX0uBKuWq/U/+/qcbSfuU4U565C9xRSSVmu+LrcR4Zeg/81NFZXqQZ9msZ/YxPmoG65lDTds
    next
end

 

Result:

- When passive-mode is disabled:

FGT # di vpn ike gateway list

vd: root/0
name: ipsec-tunnel
version: 1
interface: wan1 25
addr: 10.109.16.186:500 -> 10.109.17.4:500
created: 394s ago
IKE SA: created 1/1 established 1/1 time 30/30/30 ms
IPsec SA: created 1/1 established 1/1 time 30/30/30 ms

id/spi: 6 19503eb0a35dd78d/999b40630df53284
direction: initiator
status: established 394-394s ago = 30ms
proposal: aes128-sha256
key: 5aba9233a7e7641e-d2f0c1a09162b38b
lifetime/rekey: 86400/85705
DPD sent/recv: 00000015/00000000


- After passive-mode is enabled, the tunnel goes down locally and the FortiGate sends DELETE notification messages to the remote side so that the tunnel is re-negotiated:

2023-01-28 22:27:43.599232 ike 0:ipsec-tunnel: update
2023-01-28 22:27:43.599240 ike 0:ipsec-tunnel: deleting
2023-01-28 22:27:43.599271 ike 0:ipsec-tunnel: flushing
2023-01-28 22:27:43.599307 ike 0:ipsec-tunnel: deleting IPsec SA with SPI 1c2b0d21
2023-01-28 22:27:43.599320 ike 0:ipsec-tunnel:ipsec-tunnel: deleted IPsec SA with SPI 1c2b0d21, SA count: 0
2023-01-28 22:27:43.599324 ike 0:ipsec-tunnel: sending SNMP tunnel DOWN trap for ipsec-tunnel
2023-01-28 22:27:43.599347 ike 0:ipsec-tunnel:6: send IPsec SA delete, spi 3b5d49b1
2023-01-28 22:27:43.599374 ike 0:ipsec-tunnel:6: enc 19503EB0A35DD78D999B40630DF532840810050134E663FC000000500C000024E818BFD367C635B2A266C60630BD0706968CC2974A02C38A8B876A492B7C03C70000001000000001030400013B5D49B1
2023-01-28 22:27:43.599383 ike 0:ipsec-tunnel:6: out 19503EB0A35DD78D999B40630DF532840810050134E663FC0000005C00080327EAAE38E9A3FFD05E3398634A9A05D290D0052A0BD7E4632CBDE3D04ED5504D839212B039150C954281E810A1F1BCD6E6E9C59A73669E2DDABD263F13
2023-01-28 22:27:43.599399 ike 0:ipsec-tunnel:6: sent IKE msg (IPsec SA_DELETE-NOTIFY): 10.109.16.186:500->10.109.17.4:500, len=92, id=19503eb0a35dd78d/999b40630df53284:34e663fc
2023-01-28 22:27:43.599417 ike 0:ipsec-tunnel:ipsec-tunnel: sending SNMP tunnel DOWN trap
2023-01-28 22:27:43.599437 ike 0:ipsec-tunnel: flushed
2023-01-28 22:27:43.599456 ike 0:ipsec-tunnel:6: send IKE SA delete 19503eb0a35dd78d/999b40630df53284
2023-01-28 22:27:43.599477 ike 0:ipsec-tunnel:6: enc 19503EB0A35DD78D999B40630DF5328408100501ABF549680000005C0C000024165F22AFB564EA2AB72EF2880635A94AC1C32FFBDEF877F7F993478C6806DCFE0000001C000000010110000119503EB0A35DD78D999B40630DF53284
2023-01-28 22:27:43.599484 ike 0:ipsec-tunnel:6: out 19503EB0A35DD78D999B40630DF5328408100501ABF549680000006CF317537B601B673B0D1B7CE3AE3F0BAD8AFE57E317D1BD9D2ADCC25C0C8E9CBCFB33EE96960A208000CD3FADE51FE9AA32BD444D5F0B64A719C51729F313D757E455A260C2006E3FBA86AEB697F02713
2023-01-28 22:27:43.599495 ike 0:ipsec-tunnel:6: sent IKE msg (ISAKMP SA DELETE-NOTIFY): 10.109.16.186:500->10.109.17.4:500, len=108, id=19503eb0a35dd78d/999b40630df53284:abf54968
2023-01-28 22:27:43.599514 ike 0:ipsec-tunnel: deleted
2023-01-28 22:27:43.599518 ike 0:ipsec-tunnel: set oper down
2023-01-28 22:27:43.599550 ike 0:ipsec-tunnel: schedule auto-negotiate


After the next successful IKE negotiation, the FortiGate is acting as the responder:

FGT # di vpn ike gateway list

vd: root/0
name: ipsec-tunnel
version: 1
interface: wan1 25
addr: 10.109.16.186:500 -> 10.109.17.4:500
created: 12s ago
IKE SA: created 1/1 established 1/1 time 0/0/0 ms
IPsec SA: created 1/1 established 1/1 time 10/10/10 ms

id/spi: 7 22c7cbb768c4cd2b/27215118f14c5f65
direction: responder
status: established 12-12s ago = 0ms
proposal: aes128-sha256
key: 4b2bd4d8dd4fbca0-e28d4a90c513075a
lifetime/rekey: 86400/86117
DPD sent/recv: 00000000/00000000
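To verify the setting took effect across many tunnels, the 'direction:' field of 'diagnose vpn ike gateway list' can be checked programmatically. The following is an added example (not Fortinet tooling) that parses output pasted into a file and flags tunnels configured with 'set passive-mode enable' whose IKE SA was still built as initiator; the second tunnel, its peer address and SPI in the sample are constructed, not from this article.

```python
import re

# Constructed sample, trimmed to the lines the parser uses, in the format of
# 'diagnose vpn ike gateway list' shown in the article. The first gateway is the
# article's ipsec-tunnel after passive-mode was enabled; the second is a
# hypothetical tunnel (constructed name, peer and SPI) still built as initiator.
SAMPLE_OUTPUT = """\
vd: root/0
name: ipsec-tunnel
version: 1
addr: 10.109.16.186:500 -> 10.109.17.4:500

id/spi: 7 22c7cbb768c4cd2b/27215118f14c5f65
direction: responder
status: established 12-12s ago = 0ms

vd: root/0
name: example-tunnel-2
version: 1
addr: 10.109.16.186:500 -> 192.0.2.10:500

id/spi: 8 0000000000000000/0000000000000000
direction: initiator
status: established 5-5s ago = 0ms
"""


def parse_gateway_list(text):
    """Return {tunnel name: {'remote': peer addr, 'directions': [per IKE SA]}}."""
    gateways = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("name:"):          # a new gateway block starts here
            current = {"remote": None, "directions": []}
            gateways[line.split(":", 1)[1].strip()] = current
        elif current is None:
            continue
        elif line.startswith("addr:"):        # 'addr: local:port -> remote:port'
            m = re.search(r"->\s*(\S+)", line)
            current["remote"] = m.group(1) if m else None
        elif line.startswith("direction:"):   # one line per IKE SA
            current["directions"].append(line.split(":", 1)[1].strip())
    return gateways


def passive_mode_violations(gateways, passive_tunnels):
    """Names of tunnels that should be passive (responder only) but have an
    IKE SA negotiated as initiator, meaning passive-mode is not in effect."""
    return sorted(name for name in passive_tunnels
                  if name in gateways and "initiator" in gateways[name]["directions"])
```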