Technical Note: Configuring and verifying an IP in IP over IPsec tunnel

sha-1_FTNT · ‎03-02-2017

Description

This article describes how to configure and troubleshoot an IP-in-IP over IPsec tunnel between a FortiGate and a Cisco router

Scope

Support for IP-in-IP tunneling over IPsec is available as of FortiOS 5.2.4 and 5.4

Solution

Diagram

The following topology is used:

PC1(.1) - 10.1.1.0/24-port2-[ FGT ]-port1----(198.51.100.1) =======
             I
     (Internet)     I IP-in-IP over IPsec tunnel
         I
PC2(.2) - 10.2.2.0/24-gi0/0-[ Cisco_RTR ]-gi1/0-(192.0.2.2) =======

Design

Establish an IP-in-IP over IPsec tunnel between a FortiGate and a Cisco router to be able to reach each remote LAN 10.x.x.x
FGT’s IP in IP tunnel interface is kept unnumbered (i.e., no overlay IP address is assigned to this interface)
FGT’s IPsec tunnel interface is kept unnumbered (i.e., no overlay IP address is assigned to this interface)
Static routes are used

Limitations

The IP-in-IP traffic (inner packet inside IPsec) cannot be hardware offloaded to NPU (NP6, NP4)
IPsec in transport-mode cannot be offloaded to NPU (NP6, NP4)

Configuration

CLI configuration of the FGT

#
# Port1 is the Internet-facing interface
# Port2 is the LAN interface
#

config system interface
    edit "port1"
        set ip 198.51.100.1 255.255.255.0
        set alias "Internet"
    next
    edit "port2"
        set ip 10.1.1.254 255.255.255.0
        set alias "LAN"
    next
end

#
# IPsec VPN used to protect the IP-in-IP traffic
#

config vpn ipsec phase1-interface
    edit "ipsec"
        set interface "port1"
        set proposal aes128-sha1
        set dhgrp 14
        set remote-gw 192.0.2.2
        set psksecret fortinet
    next
end

config vpn ipsec phase2-interface
    edit "ipsec"
        set phase1name "ipsec"
        set proposal aes128-sha1
        set dhgrp 14
        set protocol 4                      // restrict traffic selectors to IP-in-IP protocol (ip/4)
        set auto-negotiate enable
        set encapsulation transport-mode    // transport-mode (IP-in-IP is already tunneled)
    next
end

#
# IP-in-IP tunnel
#

config system ipip-tunnel
    edit "toCisco"
        set interface "ipsec"      // the IP-in-IP tunnel is protected by IPsec
        set remote-gw 192.0.2.2
        set local-gw 198.51.100.1
    next
end

#
# Firewall Policies
#

config firewall address
    edit "10.1.1.0/24"
        set comment "Local LAN"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "10.2.2.0/24"
        set comment "Remote LAN"
        set subnet 10.2.2.0 255.255.255.0
    next
end

config firewall policy

    Allow traffic between the local LAN (port2) and the remote LAN (IP-in-IP)

    edit 1
        set name "to remote LAN"
        set srcintf "port2"
        set dstintf "toCisco"
        set srcaddr "10.1.1.0/24"
        set dstaddr "10.2.2.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "local LAN to remote LAN"
    next
    edit 2
        set name "from remote LAN"
        set srcintf "toCisco"
        set dstintf "port2"
        set srcaddr "10.2.2.0/24"
        set dstaddr "10.1.1.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "remote LAN to local LAN"
    next

    IP-in-IP traffic to be IPsec-protected is self-originated, it is not received on an interface

No forward-policy is therefore needed to allow IP-in-IP traffic to enter or leave the IPsec interface

By FortiOS design, a forward-policy is however required to allow an IPsec negotiation to take place

An arbitrary forward-policy (e.g., from and to the IPsec interface itself) is therefore used to “activate” IPsec

    edit 3
        set name "Enable IPsec"
        set srcintf "ipsec"
        set dstintf "ipsec"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "Just an \'activator\' for IPsec negotiation. No traffic flowing through this policy since IPsec is used to protect self-originated IP-in-IP traffic."
    next

    Internet Access
    edit 4
        set name "Internet Access"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "10.1.1.0/24"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "Internet Access"
        set nat enable
    next
end

#
# Static routes
#

config router static
    edit 1
        set gateway 198.51.100.254
        set device "port1"
        set comment "default-route to Internet ISP"
    next
    edit 2
        set dst 10.2.2.0 255.255.255.0
        set device "toCisco"
        set comment "Remote LAN via the IP-in-IP tunnel"
    next

    After IP-in-IP tunneling, packets must be protected by IPsec
    The remote-gw of the ipip-tunnel must therefore points toward the IPsec interface
    edit 3
        set dst 192.0.2.2 255.255.255.255
        set device "ipsec"
        set comment "Reach IP-in-IP endpoint via IPsec tunnel"
    next
end

CLI configuration of the Cisco Router

!
! IPsec configuration
!

crypto isakmp policy 10
encr aes
authentication pre-share
group 14

crypto isakmp key fortinet address 198.51.100.1

crypto ipsec transform-set aes128-sha1-transport esp-aes esp-sha-hmac
mode transport

ip access-list extended encryptionDomain
permit ipinip host 192.0.2.2 host 198.51.100.1

crypto map ip-in-ip_over_ipsec 10 ipsec-isakmp
set peer 198.51.100.1
set transform-set aes128-sha1-transport
set pfs group14
match address encryptionDomain

!
! IP-in-IP tunnel interface
!

interface Tunnel0
ip address 10.255.255.1 255.255.255.255 ! An overlay IP is mandatory for the static route over the tunnel
tunnel source GigabitEthernet1/0
tunnel destination 198.51.100.1
tunnel mode ipip

! LAN

interface GigabitEthernet0/0
ip address 10.2.2.254 255.255.255.0
ip nat inside

! Internet

interface GigabitEthernet1/0
ip address 192.0.2.2 255.255.255.0
ip nat outside
crypto map ip-in-ip_over_ipsec

! SNAT for Internet Access

ip nat inside source list natAcl interface GigabitEthernet1/0 overload

ip access-list extended natAcl
permit ip 10.2.2.0 0.0.0.255 any

! Static routes

! default-route to Internet ISP
ip route 0.0.0.0 0.0.0.0 192.0.2.253

! Remote LAN via the IP-in-IP tunnel
ip route 10.1.1.0 255.255.255.0 Tunnel0

Verification

Verify the routing table (RIB)

FGT # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 198.51.100.254, port1
C       10.1.1.0/24 is directly connected, port2
S       10.2.2.0/24 [10/0] is directly connected, toCisco
C       172.16.31.0/24 is directly connected, port10

S 192.0.2.2/32 [10/0] is directly connected, ipsec

C 198.51.100.0/24 is directly connected, port1

Verify that PC1 and PC2 can ping each other

root@PC1:~# ping -c 5 10.2.2.2
PING 10.2.2.2 (10.2.2.2) 56(84) bytes of data.
64 bytes from 10.2.2.2: icmp_seq=1 ttl=62 time=40.4 ms
64 bytes from 10.2.2.2: icmp_seq=2 ttl=62 time=53.9 ms
64 bytes from 10.2.2.2: icmp_seq=3 ttl=62 time=51.3 ms
64 bytes from 10.2.2.2: icmp_seq=4 ttl=62 time=47.4 ms
64 bytes from 10.2.2.2: icmp_seq=5 ttl=62 time=45.3 ms

--- 10.2.2.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 40.411/47.706/53.914/4.712 ms

PC2> ping 10.1.1.1
84 bytes from 10.1.1.1 icmp_seq=1 ttl=62 time=13.074 ms
84 bytes from 10.1.1.1 icmp_seq=2 ttl=62 time=23.056 ms
84 bytes from 10.1.1.1 icmp_seq=3 ttl=62 time=15.558 ms
84 bytes from 10.1.1.1 icmp_seq=4 ttl=62 time=33.056 ms
84 bytes from 10.1.1.1 icmp_seq=5 ttl=62 time=30.055 ms

5 packets transmitted, 5 received, 0% packet loss

Troubleshooting

Verify the IP-in-IP tunnel interface status

FGT # diag netlink interface list | grep -A1 "toCisco"
if=toCisco family=00 type=768 index=16 mtu=1480 link=0 master=0
ref=12 state=off start fw_flags=0 flags=up p2p run noarp multicast

FGT # get sys interface | grep -A1 "toCisco"
== [ toCisco ]
name: toCisco ip: 0.0.0.0 0.0.0.0 status: up netbios-forward: disable type: tunnel netflow-sampler: disable sflow-sampler: disable scan-botnet-connections: disable explicit-web-proxy: disable explicit-ftp-proxy: disable wccp: disable

Verify the routing table (RIB)

FGT # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 198.51.100.254, port1
C       10.1.1.0/24 is directly connected, port2
S       10.2.2.0/24 [10/0] is directly connected, toCisco
C       172.16.31.0/24 is directly connected, port10
S       192.0.2.2/32 [10/0] is directly connected, ipsec
C       198.51.100.0/24 is directly connected, port1

Verify the kernel routes (FIB)

FGT # get router info kernel
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.1.1.0/32 pref=10.1.1.254 gwy=0.0.0.0 dev=4(port2)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.1.1.254/32 pref=10.1.1.254 gwy=0.0.0.0 dev=4(port2)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.1.1.255/32 pref=10.1.1.254 gwy=0.0.0.0 dev=4(port2)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.0/32 pref=127.0.0.1 gwy=0.0.0.0 dev=13(root)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.0/8 pref=127.0.0.1 gwy=0.0.0.0 dev=13(root)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.1/32 pref=127.0.0.1 gwy=0.0.0.0 dev=13(root)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.255.255.255/32 pref=127.0.0.1 gwy=0.0.0.0 dev=13(root)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->172.16.31.0/32 pref=172.16.31.1 gwy=0.0.0.0 dev=12(port10)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->172.16.31.1/32 pref=172.16.31.1 gwy=0.0.0.0 dev=12(port10)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->172.16.31.255/32 pref=172.16.31.1 gwy=0.0.0.0 dev=12(port10)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->198.51.100.0/32 pref=198.51.100.1 gwy=0.0.0.0 dev=3(port1)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->198.51.100.1/32 pref=198.51.100.1 gwy=0.0.0.0 dev=3(port1)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->198.51.100.255/32 pref=198.51.100.1 gwy=0.0.0.0 dev=3(port1)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=198.51.100.254 dev=3(port1)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.1.1.0/24 pref=10.1.1.254 gwy=0.0.0.0 dev=4(port2)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->10.2.2.0/24 pref=0.0.0.0 gwy=0.0.0.0 dev=16(toCisco)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->172.16.31.0/24 pref=172.16.31.1 gwy=0.0.0.0 dev=12(port10)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->192.0.2.2/32 pref=0.0.0.0 gwy=0.0.0.0 dev=15(ipsec)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->198.51.100.0/24 pref=198.51.100.1 gwy=0.0.0.0 dev=3(port1)

Verify the IPsec tunnel status

## phase1 IKE SA

FGT # diagnose vpn ike gateway list

vd: root/0
name: ipsec
version: 1
interface: port1 3
addr: 198.51.100.1:500 -> 192.0.2.2:500
created: 3389s ago
auto-discovery: 0
IKE SA: created 1/1 established 1/1 time 200/200/200 ms
IPsec SA: created 1/2 established 1/2 time 150/245/340 ms

id/spi: 2 2333acfcc0972dde/12d2ef47b8f2d3cc
direction: initiator
status: established 3389-3389s ago = 200ms
proposal: aes128-sha1
key: b27d380fbda71638-a938d87b22ae8406
lifetime/rekey: 86400/82710
DPD sent/recv: 00000000/00000000

## phase2 IPsec SA

FGT # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=ipsec ver=1 serial=1 198.51.100.1:0->192.0.2.2:0
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
proxyid_num=1 child_num=0 refcnt=18 ilast=12 olast=12 auto-discovery=0
stat: rxp=45 txp=46 rxb=6840 txb=4784
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=ipsec proto=4 sa=1 ref=2 serial=3 auto-negotiate transport-mode
src: 4:0.0.0.0/0.0.0.0:0
dst: 4:0.0.0.0/0.0.0.0:0
SA: ref=3 options=27 type=00 soft=0 mtu=1454 expire=201/0B replaywin=2048 seqno=2f esn=0 replaywin_lastseq=0000002d
life: type=01 bytes=0/0 timeout=3578/3600
dec: spi=78b0625f esp=aes key=16 3cea852814e1c4b208303722982eef2e
ah=sha1 key=20 da07a3bbf610363e176ddd97232e06777bb6cfa6
enc: spi=f29a5c47 esp=aes key=16 83e73ddfb3f7de2d8204c4476bd39766
ah=sha1 key=20 55750d4d2501012c20db0618c4691e9a813cd634
dec:pkts/bytes=45/3780, enc:pkts/bytes=46/6992

Verify the sniffer trace when PC1 attempts to ping PC2

## ICMP traffic between PC1 and PC2

FGT # diag sniffer packet any 'host 10.2.2.2 and icmp' 4
interfaces=[any]
filters=[host 10.2.2.2 and icmp]

7.724735 port2 in 10.1.1.1 -> 10.2.2.2: icmp: echo request
7.724955 toCisco out 10.1.1.1 -> 10.2.2.2: icmp: echo request
7.775949 toCisco in 10.2.2.2 -> 10.1.1.1: icmp: echo reply
7.776021 port2 out 10.2.2.2 -> 10.1.1.1: icmp: echo reply

8.725215 port2 in 10.1.1.1 -> 10.2.2.2: icmp: echo request
8.725242 toCisco out 10.1.1.1 -> 10.2.2.2: icmp: echo request
8.773293 toCisco in 10.2.2.2 -> 10.1.1.1: icmp: echo reply
8.773308 port2 out 10.2.2.2 -> 10.1.1.1: icmp: echo reply

9.726381 port2 in 10.1.1.1 -> 10.2.2.2: icmp: echo request
9.726419 toCisco out 10.1.1.1 -> 10.2.2.2: icmp: echo request
9.772241 toCisco in 10.2.2.2 -> 10.1.1.1: icmp: echo reply
9.772262 port2 out 10.2.2.2 -> 10.1.1.1: icmp: echo reply

10.727905 port2 in 10.1.1.1 -> 10.2.2.2: icmp: echo request
10.727932 toCisco out 10.1.1.1 -> 10.2.2.2: icmp: echo request
10.770654 toCisco in 10.2.2.2 -> 10.1.1.1: icmp: echo reply
10.770664 port2 out 10.2.2.2 -> 10.1.1.1: icmp: echo reply

11.729781 port2 in 10.1.1.1 -> 10.2.2.2: icmp: echo request
11.729829 toCisco out 10.1.1.1 -> 10.2.2.2: icmp: echo request
11.768864 toCisco in 10.2.2.2 -> 10.1.1.1: icmp: echo reply
11.768889 port2 out 10.2.2.2 -> 10.1.1.1: icmp: echo reply

20 packets received by filter
0 packets dropped by kernel

## IP-in-IP traffic (protocol 4) sent and received by the FGT

FGT # diagnose sniffer packet any 'ip proto 4' 4
interfaces=[any]
filters=[ip proto 4]

3.171215 ipsec out 198.51.100.1 -> 192.0.2.2: ip-proto-4 84
3.218441 ipsec in 192.0.2.2 -> 198.51.100.1: ip-proto-4 84

4.172934 ipsec out 198.51.100.1 -> 192.0.2.2: ip-proto-4 84
4.216346 ipsec in 192.0.2.2 -> 198.51.100.1: ip-proto-4 84

5.173400 ipsec out 198.51.100.1 -> 192.0.2.2: ip-proto-4 84
5.215081 ipsec in 192.0.2.2 -> 198.51.100.1: ip-proto-4 84

6.175028 ipsec out 198.51.100.1 -> 192.0.2.2: ip-proto-4 84
6.229165 ipsec in 192.0.2.2 -> 198.51.100.1: ip-proto-4 84

7.177447 ipsec out 198.51.100.1 -> 192.0.2.2: ip-proto-4 84
7.227070 ipsec in 192.0.2.2 -> 198.51.100.1: ip-proto-4 84

10 packets received by filter
0 packets dropped by kernel

## IPsec traffic (ESP) sent and received by the FGT

FGT # diagnose sniffer packet any 'esp' 4
interfaces=[any]
filters=[esp]

3.226624 port1 out 198.51.100.1 -> 192.0.2.2: ip-proto-50 132
3.272721 port1 in 192.0.2.2 -> 198.51.100.1: ip-proto-50 132

4.228073 port1 out 198.51.100.1 -> 192.0.2.2: ip-proto-50 132
4.270525 port1 in 192.0.2.2 -> 198.51.100.1: ip-proto-50 132

5.229539 port1 out 198.51.100.1 -> 192.0.2.2: ip-proto-50 132
5.252935 port1 in 192.0.2.2 -> 198.51.100.1: ip-proto-50 132

6.231020 port1 out 198.51.100.1 -> 192.0.2.2: ip-proto-50 132
6.282938 port1 in 192.0.2.2 -> 198.51.100.1: ip-proto-50 132

7.232221 port1 out 198.51.100.1 -> 192.0.2.2: ip-proto-50 132
7.281691 port1 in 192.0.2.2 -> 198.51.100.1: ip-proto-50 132

10 packets received by filter
0 packets dropped by kernel

Verify the debug flow when PC1 attempts to ping PC2

FG1 # diag debug flow filter clear
FG1 # diag debug flow show function-name enable
show function name

FG1 # diag debug flow show iprope enable
show trace messages about iprope

FG1 # diag debug flow filter proto 1
FG1 # diag debug flow filter addr 10.2.2.2
FG1 # diag debug flow show console enable
show trace messages on console

FG1 # diag debug flow trace start 1000
FG1 # diag debug enable

## ICMP echo-request from PC1 to PC2

id=20085 trace_id=7 func=print_pkt_detail line=4793 msg="vd-root received a packet(proto=1, 10.1.1.1:639->10.2.2.2:2048) from port2. type=8, code=0, id=639, seq=1."
id=20085 trace_id=7 func=init_ip_session_common line=4944 msg="allocate a new session-000006f5"
id=20085 trace_id=7 func=iprope_dnat_check line=4659 msg="in-[port2], out-[]"
id=20085 trace_id=7 func=iprope_dnat_check line=4672 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=7 func=vf_ip_route_input_common line=2586 msg="find a route: flag=04000000 gw-10.2.2.2 via toCisco"
id=20085 trace_id=7 func=iprope_fwd_check line=636 msg="in-[port2], out-[toCisco], skb_flags-02000000, vid-0"
id=20085 trace_id=7 func=__iprope_check line=2049 msg="gnum-100004, check-ffffffffa001e70e"
id=20085 trace_id=7 func=__iprope_check_one_policy line=1823 msg="checked gnum-100004 policy-1, ret-matched, act-accept"
id=20085 trace_id=7 func=__iprope_user_identity_check line=1648 msg="ret-matched"
id=20085 trace_id=7 func=__iprope_check line=2049 msg="gnum-4e20, check-ffffffffa001e70e"
id=20085 trace_id=7 func=__iprope_check_one_policy line=1823 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=20085 trace_id=7 func=__iprope_check_one_policy line=1823 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=20085 trace_id=7 func=__iprope_check_one_policy line=1823 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=20085 trace_id=7 func=__iprope_check line=2068 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=20085 trace_id=7 func=__iprope_check_one_policy line=2020 msg="policy-1 is matched, act-accept"
id=20085 trace_id=7 func=__iprope_check line=2068 msg="gnum-100004 check result: ret-matched, act-accept, flag-08010000, flag2-00004000"
id=20085 trace_id=7 func=iprope_fwd_auth_check line=688 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-1"
id=20085 trace_id=7 func=fw_forward_handler line=697 msg="Allowed by Policy-1:"

id=20085 trace_id=7 func=ipsecdev_hard_start_xmit line=157 msg="enter IPsec interface-ipsec"
id=20085 trace_id=7 func=esp_output4 line=859 msg="IPsec encrypt/auth"
id=20085 trace_id=7 func=ipsec_output_finish line=498 msg="send to 198.51.100.254 via intf-port1"

## ICMP echo-reply from PC2 to PC1

id=20085 trace_id=8 func=print_pkt_detail line=4793 msg="vd-root received a packet(proto=1, 10.2.2.2:639->10.1.1.1:0) from toCisco. type=0, code=0, id=639, seq=1."
id=20085 trace_id=8 func=resolve_ip_tuple_fast line=4857 msg="Find an existing session, id-000006f5, reply direction"
id=20085 trace_id=8 func=vf_ip_route_input_common line=2586 msg="find a route: flag=04000000 gw-10.1.1.1 via port2"

Verify the session

FG1 # diag sys session filter clear

FG1 # diag sys session filter dst 10.2.2.2

FG1 # diag sys session filter proto 1

FG1 # diag sys session list

session info: proto=1 proto_state=00 duration=4 expire=55 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=ipsec/ vlan_cos=0/255
state=may_dirty
statistic(bytes/packets/allow_err): org=84/1/1 reply=84/1/1 tuples=2
tx speed(Bps/kbps): 20/0 rx speed(Bps/kbps): 20/0
orgin->sink: org pre->post, reply pre->post dev=4->16/16->4 gwy=10.2.2.2/10.1.1.1
hook=pre dir=org act=noop 10.1.1.1:639->10.2.2.2:8(0.0.0.0:0)
hook=post dir=reply act=noop 10.2.2.2:639->10.1.1.1:0(0.0.0.0:0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=000006f5 tos=ff/ff app_list=0 app=0 url_cat=0
dd_type=0 dd_mode=0
total session 1

Example of a decrypted IP-in-IP over IPsec packet containing PC1’s Echo-Request

## The ESP (IPsec) packet

Ethernet II, Src: MS-NLB-PhysServer-09_69:5c:04:02 (02:09:69:5c:04:02), Dst: MS-NLB-PhysServer-09_69:5c:04:01 (02:09:69:5c:04:01)

    Destination: MS-NLB-PhysServer-09_69:5c:04:01 (02:09:69:5c:04:01)
    Source: MS-NLB-PhysServer-09_69:5c:04:02 (02:09:69:5c:04:02)
    Type: IPv4 (0x0800)

Internet Protocol Version 4, Src: 198.51.100.1, Dst: 192.0.2.2

    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 152
    Identification: 0x7b83 (31619)
    Flags: 0x02 (Don't Fragment)
    Fragment offset: 0
    Time to live: 64
    Protocol: Encap Security Payload (50)
    Header checksum: 0xd279 [correct]
    Source: 198.51.100.1
    Destination: 192.0.2.2

Encapsulating Security Payload
    ESP SPI: 0xf29a5c47 (4070202439)
    ESP Sequence: 47
    ESP IV: d088ca632398198233a9a070db82873e
    Pad: 0102030405060708090a
    ESP Pad Length: 10
    Next header: IPIP (0x04)
    Authentication Data [correct]

## The original IP packet carried inside the IP-in-IP packet

Internet Protocol Version 4, Src: 10.1.1.1, Dst: 10.2.2.2

    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 84
    Identification: 0x5b00 (23296)
    Flags: 0x02 (Don't Fragment)
    Fragment offset: 0
    Time to live: 63
    Protocol: ICMP (1)
    Header checksum: 0xc9a3 [correct]
    Source: 10.1.1.1
    Destination: 10.2.2.2

Internet Control Message Protocol
    Type: 8 (Echo (ping) request)
    Code: 0
    Checksum: 0xc1c9 [correct]
    Identifier (BE): 626 (0x0272)
    Identifier (LE): 29186 (0x7202)
    Sequence number (BE): 1 (0x0001)
    Sequence number (LE): 256 (0x0100)
    Data (48 bytes)

Related Articles

Technical Tip: Configuring and verifying an IP in IP tunnel

Technical Note: Configuring and verifying an IP in IP over IPsec tunnel

You are leaving our website