Description
This article describes how to configure and debug VPN connectivity issues on FortiExtender (FEX)
Refer admin guide and release notes on: FortiExtender 4.1.
Scope
FortiExtender.
Solution
Standalone FortiExtender-201E establishing IPSec VPN connection with FortiGate as shown below:
Modes of operation: Depending on the way it is managed, FortiExtender can operate in IP pass-through or NAT mode. Refer Page #15:
FortiExtender - Admin Guide Version 4.1.3
FortiExtender - Admin Guide Version 4.1.3
VPN and other features listed in the below link are supported ONLY when FEX 'Modes of operation' is set to 'NAT Mode'. Refer Page #17:
FortiExtender - Admin Guide Version 4.1.3
FortiExtender - Admin Guide Version 4.1.3
config system management
config <management_mode>
set mode nat
config <management_mode>
set mode nat
end
To ensure VPN Tunnel connection is stable and maintained, ensure FEX 3G/4G LTE connection link is also stable.
Use the FortiExtender ping command towards Internet address such as Google DNS IP address 8.8.8.8 to test FortiExtender Internet uplink stability:
execute ping <Internet_IP_address>
Configuration:
VPN configuration has to be done on both FortiExtender (FEX) and FortiGate .
FortiExtender side VPN config:
FortiExtender uses IPsec VPN to connect branch offices.
VPN configuration has to be done on both FortiExtender (FEX) and FortiGate .
FortiExtender side VPN config:
FortiExtender uses IPsec VPN to connect branch offices.
It only supports the site-to-site VPN tunnel mode and below are FEX VPN sample config GUI screenshots:
- FortiExtender IPSec Phase-1 config:
- FortiExtender IPSec Phase-2 config:
Note: For FortiExtender VPN configuration details and CLI commands, refer Page #36:
FortiExtender - Admin Guide Version 4.1.3
FortiGate phase-1 and phase-2 VPN sample config:
FortiExtender - Admin Guide Version 4.1.3
FortiGate phase-1 and phase-2 VPN sample config:
show vpn ipsec phase1-interface <VPN_Name>
config vpn ipsec phase1-interface
edit "<phase1_name>"
set interface "<Interface_Name>"
set ike-version 2
set keylife 8000
set peertype any
set net-device disable
set mode-cfg enable
set proposal aes256-sha256
set dhgrp 5
set remote-gw 10.13.151.226
set psksecret ENC <secret_key>
next
end
show vpn ipsec phase2-interface <VPN_Name>
config vpn ipsec phase2-interface
edit "<phase2_name>"
set phase1name "<phase1_name>"
set proposal aes128-sha1
set dhgrp 5
set comments "<comments>"
set keylifeseconds 86400
next
end
config vpn ipsec phase1-interface
edit "<phase1_name>"
set interface "<Interface_Name>"
set ike-version 2
set keylife 8000
set peertype any
set net-device disable
set mode-cfg enable
set proposal aes256-sha256
set dhgrp 5
set remote-gw 10.13.151.226
set psksecret ENC <secret_key>
next
end
show vpn ipsec phase2-interface <VPN_Name>
config vpn ipsec phase2-interface
edit "<phase2_name>"
set phase1name "<phase1_name>"
set proposal aes128-sha1
set dhgrp 5
set comments "<comments>"
set keylifeseconds 86400
next
end
For FortiGate side VPN configuration details and CLI commands, refer Page #962:
FortiOS - Cookbook Version 6.2.3
FortiOS - Cookbook Version 6.2.3
Debugging:
To check FortiExtender VPN tunnel status, and various other FortiExtender VPN related debug commands refer below commands:
To check FortiExtender VPN tunnel status, and various other FortiExtender VPN related debug commands refer below commands:
To get to the FortiExtender CLI from FGT CLI, run these commands:
execute ssh admin@192.168.24.241 <-- Here admin is the admin name and then the IP address of FortiExtender.
admin@192.168.24.241's password: <-- Then it will prompt for password, enter admin's password.
- A tunnel interface is created in the system interface list when an IPSec Phase-1 is successfully created and to check VPN Tunnel status use below commands on FEX CLI:
get system interface
get vpn ipsec configurations
get vpn ipsec tunnel details
- If VPN Tunnel is not established then check if there is any IPsec negotiation error using the below command on FortiExtender CLI:
get vpn ipsec negotiation error
To check if FortiExtender is responding to 'init' message from FortiGate use below tcpdump CLI commands on FortiExtender CLI, here 'lte1' is FEX interface via which IPSec traffic traverse:
execute tcpdump -n -i lte1
execute tcpdump -n -i lte1
- Note: Use 'ctrl+c' keys to stop traces.
Sample tcpdump logs: Here FortiExtender logs indicate that FEX (10.13.151.226) is NOT responding to 'init' message from FortiGate (10.12.0.4) as shown below:
00:15:27.355754 IP 10.12.0.4.500 > 10.13.151.226.500: isakmp: parent_sa ikev2_init[I]
00:15:37.345172 IP 10.12.0.4.500 > 10.13.151.226.500: isakmp: parent_sa ikev2_init[I]
00:15:40.335761 IP 10.12.0.4.500 > 10.13.151.226.500: isakmp: parent_sa ikev2_init[I]
Possible causes of this issue can be as follows:
- VPN config mismatch on FortiExtender or Remote server. Check the configuration w.r.t proposal and ike-version on both FortiExtender and FortiGate.
- Ensure FortiExtender 'Modes of operation' is set to “NAT Mode' - depending on the way FortiExtender is managed - 'Modes of operation' may vary. Refer Page #15:
FortiExtender - Admin Guide Version 4.1.3
- FortiExtender 'IPSECD' logging can be enabled using the below commands:
execute debug IPSECD all
execute debug IPSECD <----- To check which IPSECD submodes are turned-on.
execute debug log-to-console on <----- To print IPSECD logs.
execute debug clear <----- To disable logging.
execute debug log-to-console off <----- To turn-off console logs.
- Other FortiExtender VPN related CLI commands:
get vpn certificate ca details
get vpn certificate local details
show config
Note: It is recommended to run FortiExtender on one of the latest version (v4.1.5 GA or v4.2 and higher version) as there is a bug fix (Bug 0620533) where 'ESP traffic dropped every 1 hour, requiring FEX reboot to fix it' – causing FortiExtender VPN Tunnel to go down. Refer Page #12:
