FortiGate
Article Id 195507
Description

This article describes how to configure and troubleshoot an IP-in-IP over IPsec tunnel between a FortiGate and a Cisco router.


Scope

Support for IP-in-IP tunneling over IPsec is available as of FortiOS 5.2.4 and 5.4.


Solution

Diagram

 
The following topology is used:

PC1(.1) - 10.1.1.0/24-port2-[ FGT ]-port1----(198.51.100.1) =======
                                                                  I
                                                 (Internet)       I IP-in-IP over IPsec tunnel
                                                                  I
PC2(.2) - 10.2.2.0/24-gi0/0-[ Cisco_RTR ]-gi1/0-(192.0.2.2) =======  
 
 

Design

  • Establish an IP-in-IP over IPsec tunnel between a FortiGate and a Cisco router to be able to reach each remote LAN 10.x.x.x

  • FGT’s IP in IP tunnel interface is kept unnumbered (i.e., no overlay IP address is assigned to this interface)

  • FGT’s IPsec tunnel interface is kept unnumbered (i.e., no overlay IP address is assigned to this interface)

  • Static routes are used


Limitations

 

  • The IP-in-IP traffic (inner packet inside IPsec) cannot be hardware offloaded to NPU (NP6, NP4)

  • IPsec in transport-mode cannot be offloaded to NPU (NP6, NP4)

  

Configuration

 
 

CLI configuration of the FGT

 
#
# Port1 is the Internet-facing interface
# Port2 is the LAN interface
#
 
config system interface
    edit "port1"
        set ip 198.51.100.1 255.255.255.0
        set alias "Internet"
    next
    edit "port2"
        set ip 10.1.1.254 255.255.255.0
        set alias "LAN"
    next
end
 
#
# IPsec VPN used to protect the IP-in-IP traffic
#
 
config vpn ipsec phase1-interface
    edit "ipsec"
        set interface "port1"
        set proposal aes128-sha1
        set dhgrp 14
        set remote-gw 192.0.2.2
        set psksecret fortinet
    next
end
 
config vpn ipsec phase2-interface
    edit "ipsec"
        set phase1name "ipsec"
        set proposal aes128-sha1
        set dhgrp 14
        set protocol 4                      // restrict traffic selectors to IP-in-IP protocol (ip/4)
        set auto-negotiate enable
        set encapsulation transport-mode    // transport-mode (IP-in-IP is already tunneled)
    next
end
 
#
# IP-in-IP tunnel
#
 
config system ipip-tunnel
    edit "toCisco"
        set interface "ipsec"      // the IP-in-IP tunnel is protected by IPsec
        set remote-gw 192.0.2.2
        set local-gw 198.51.100.1
    next
end
 
 
#
# Firewall Policies
#
 
config firewall address
    edit "10.1.1.0/24"
        set comment "Local LAN"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "10.2.2.0/24"
        set comment "Remote LAN"
        set subnet 10.2.2.0 255.255.255.0
    next
end
 
config firewall policy
 
    Allow traffic between the local LAN (port2) and the remote LAN (IP-in-IP)

    edit 1
        set name "to remote LAN"
        set srcintf "port2"
        set dstintf "toCisco"
        set srcaddr "10.1.1.0/24"
        set dstaddr "10.2.2.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "local LAN to remote LAN"
    next
    edit 2
        set name "from remote LAN"
        set srcintf "toCisco"
        set dstintf "port2"
        set srcaddr "10.2.2.0/24"
        set dstaddr "10.1.1.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "remote LAN to local LAN"
    next
 
 
    The IP-in-IP traffic to be IPsec-protected is self-originated: it is not received on an interface.

    No forward-policy is therefore needed to allow IP-in-IP traffic to enter or leave the IPsec interface.

    By FortiOS design, however, a forward-policy is required for an IPsec negotiation to take place.

    An arbitrary forward-policy (e.g., from and to the IPsec interface itself) is therefore used to “activate” IPsec.

    edit 3
        set name "Enable IPsec"
        set srcintf "ipsec"
        set dstintf "ipsec"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "Just an \'activator\' for IPsec negotiation. No traffic flowing through this policy since IPsec is used to protect self-originated IP-in-IP traffic."
    next
 
    Internet Access
    edit 4
        set name "Internet Access"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "10.1.1.0/24"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "Internet Access"
        set nat enable
    next
end 
 

#
# Static routes
#
 
config router static
    edit 1
        set gateway 198.51.100.254
        set device "port1"
        set comment "default-route to Internet ISP"
    next
    edit 2
        set dst 10.2.2.0 255.255.255.0
        set device "toCisco"
        set comment "Remote LAN via the IP-in-IP tunnel"
    next
 
    After IP-in-IP tunneling, the packets must be protected by IPsec.
    The remote-gw of the ipip-tunnel must therefore be routed toward the IPsec interface.
    edit 3
        set dst 192.0.2.2 255.255.255.255
        set device "ipsec"
        set comment "Reach IP-in-IP endpoint via IPsec tunnel"
    next
end

 

CLI configuration of the Cisco Router

 
!
! IPsec configuration
!
 
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 14
 
crypto isakmp key fortinet address 198.51.100.1
 
crypto ipsec transform-set aes128-sha1-transport esp-aes esp-sha-hmac
 mode transport
 
ip access-list extended encryptionDomain
 permit ipinip host 192.0.2.2 host 198.51.100.1
 
crypto map ip-in-ip_over_ipsec 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set aes128-sha1-transport
 set pfs group14
 match address encryptionDomain
 
 
!
! IP-in-IP tunnel interface
!
 
interface Tunnel0
 ip address 10.255.255.1 255.255.255.255    ! An overlay IP is mandatory for the static route over the tunnel
 tunnel source GigabitEthernet1/0
 tunnel destination 198.51.100.1
 tunnel mode ipip
 
 
! LAN
 
interface GigabitEthernet0/0
 ip address 10.2.2.254 255.255.255.0
 ip nat inside
 
! Internet
 
interface GigabitEthernet1/0
 ip address 192.0.2.2 255.255.255.0
 ip nat outside
 crypto map ip-in-ip_over_ipsec
 
 
! SNAT for Internet Access
 
ip nat inside source list natAcl interface GigabitEthernet1/0 overload
 
ip access-list extended natAcl
 permit ip 10.2.2.0 0.0.0.255 any
 
! Static routes
 
! default-route to Internet ISP
ip route 0.0.0.0 0.0.0.0 192.0.2.253
 
! Remote LAN via the IP-in-IP tunnel
ip route 10.1.1.0 255.255.255.0 Tunnel0
 
 

Verification

 
 
Verify the routing table (RIB)
 
FGT # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default
 
S*      0.0.0.0/0 [10/0] via 198.51.100.254, port1
C       10.1.1.0/24 is directly connected, port2
S       10.2.2.0/24 [10/0] is directly connected, toCisco
C       172.16.31.0/24 is directly connected, port10
S       192.0.2.2/32 [10/0] is directly connected, ipsec
C       198.51.100.0/24 is directly connected, port1
 
 
 
Verify that PC1 and PC2 can ping each other
 
root@PC1:~# ping -c 5 10.2.2.2
PING 10.2.2.2 (10.2.2.2) 56(84) bytes of data.
64 bytes from 10.2.2.2: icmp_seq=1 ttl=62 time=40.4 ms
64 bytes from 10.2.2.2: icmp_seq=2 ttl=62 time=53.9 ms
64 bytes from 10.2.2.2: icmp_seq=3 ttl=62 time=51.3 ms
64 bytes from 10.2.2.2: icmp_seq=4 ttl=62 time=47.4 ms
64 bytes from 10.2.2.2: icmp_seq=5 ttl=62 time=45.3 ms
 
--- 10.2.2.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 40.411/47.706/53.914/4.712 ms
 

PC2> ping 10.1.1.1
84 bytes from 10.1.1.1 icmp_seq=1 ttl=62 time=13.074 ms
84 bytes from 10.1.1.1 icmp_seq=2 ttl=62 time=23.056 ms
84 bytes from 10.1.1.1 icmp_seq=3 ttl=62 time=15.558 ms
84 bytes from 10.1.1.1 icmp_seq=4 ttl=62 time=33.056 ms
84 bytes from 10.1.1.1 icmp_seq=5 ttl=62 time=30.055 ms
 
5 packets transmitted, 5 received, 0% packet loss


Troubleshooting

 

Verify the IP-in-IP tunnel interface status
 
FGT # diag netlink interface list | grep -A1 "toCisco"
if=toCisco family=00 type=768 index=16 mtu=1480 link=0 master=0
ref=12 state=off start fw_flags=0 flags=up p2p run noarp multicast
 
FGT # get sys interface | grep -A1 "toCisco"
== [ toCisco ]
name: toCisco   ip: 0.0.0.0 0.0.0.0   status: up    netbios-forward: disable    type: tunnel   netflow-sampler: disable    sflow-sampler: disable    scan-botnet-connections: disable    explicit-web-proxy: disable    explicit-ftp-proxy: disable    wccp: disable
 
 
 
Verify the kernel routes (FIB)
 
FGT # get router info kernel
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.1.1.0/32 pref=10.1.1.254 gwy=0.0.0.0 dev=4(port2)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.1.1.254/32 pref=10.1.1.254 gwy=0.0.0.0 dev=4(port2)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.1.1.255/32 pref=10.1.1.254 gwy=0.0.0.0 dev=4(port2)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.0/32 pref=127.0.0.1 gwy=0.0.0.0 dev=13(root)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.0/8 pref=127.0.0.1 gwy=0.0.0.0 dev=13(root)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.1/32 pref=127.0.0.1 gwy=0.0.0.0 dev=13(root)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.255.255.255/32 pref=127.0.0.1 gwy=0.0.0.0 dev=13(root)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->172.16.31.0/32 pref=172.16.31.1 gwy=0.0.0.0 dev=12(port10)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->172.16.31.1/32 pref=172.16.31.1 gwy=0.0.0.0 dev=12(port10)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->172.16.31.255/32 pref=172.16.31.1 gwy=0.0.0.0 dev=12(port10)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->198.51.100.0/32 pref=198.51.100.1 gwy=0.0.0.0 dev=3(port1)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->198.51.100.1/32 pref=198.51.100.1 gwy=0.0.0.0 dev=3(port1)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->198.51.100.255/32 pref=198.51.100.1 gwy=0.0.0.0 dev=3(port1)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=198.51.100.254 dev=3(port1)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.1.1.0/24 pref=10.1.1.254 gwy=0.0.0.0 dev=4(port2)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->10.2.2.0/24 pref=0.0.0.0 gwy=0.0.0.0 dev=16(toCisco)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->172.16.31.0/24 pref=172.16.31.1 gwy=0.0.0.0 dev=12(port10)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->192.0.2.2/32 pref=0.0.0.0 gwy=0.0.0.0 dev=15(ipsec)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->198.51.100.0/24 pref=198.51.100.1 gwy=0.0.0.0 dev=3(port1)
 
 
Verify the IPsec tunnel status
 
 

## phase1 IKE SA

 
FGT # diagnose vpn ike gateway list
 
vd: root/0
name: ipsec
version: 1
interface: port1 3
addr: 198.51.100.1:500 -> 192.0.2.2:500
created: 3389s ago
auto-discovery: 0
IKE SA: created 1/1  established 1/1  time 200/200/200 ms
IPsec SA: created 1/2  established 1/2  time 150/245/340 ms
 
  id/spi: 2 2333acfcc0972dde/12d2ef47b8f2d3cc
  direction: initiator
  status: established 3389-3389s ago = 200ms
  proposal: aes128-sha1
  key: b27d380fbda71638-a938d87b22ae8406
  lifetime/rekey: 86400/82710
  DPD sent/recv: 00000000/00000000
 

## phase2 IPsec SA

 
FGT # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=ipsec ver=1 serial=1 198.51.100.1:0->192.0.2.2:0
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
proxyid_num=1 child_num=0 refcnt=18 ilast=12 olast=12 auto-discovery=0
stat: rxp=45 txp=46 rxb=6840 txb=4784
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=ipsec proto=4 sa=1 ref=2 serial=3 auto-negotiate transport-mode
  src: 4:0.0.0.0/0.0.0.0:0
  dst: 4:0.0.0.0/0.0.0.0:0
  SA: ref=3 options=27 type=00 soft=0 mtu=1454 expire=201/0B replaywin=2048 seqno=2f esn=0 replaywin_lastseq=0000002d
  life: type=01 bytes=0/0 timeout=3578/3600
  dec: spi=78b0625f esp=aes key=16 3cea852814e1c4b208303722982eef2e
       ah=sha1 key=20 da07a3bbf610363e176ddd97232e06777bb6cfa6
  enc: spi=f29a5c47 esp=aes key=16 83e73ddfb3f7de2d8204c4476bd39766
       ah=sha1 key=20 55750d4d2501012c20db0618c4691e9a813cd634
  dec:pkts/bytes=45/3780, enc:pkts/bytes=46/6992
 
 
 
Verify the sniffer trace when PC1 attempts to ping PC2
 

 

## ICMP traffic between PC1 and PC2

 
FGT # diag sniffer packet any 'host 10.2.2.2 and icmp' 4
interfaces=[any]
filters=[host 10.2.2.2 and icmp]
 
7.724735 port2 in 10.1.1.1 -> 10.2.2.2: icmp: echo request
7.724955 toCisco out 10.1.1.1 -> 10.2.2.2: icmp: echo request
7.775949 toCisco in 10.2.2.2 -> 10.1.1.1: icmp: echo reply
7.776021 port2 out 10.2.2.2 -> 10.1.1.1: icmp: echo reply
 
8.725215 port2 in 10.1.1.1 -> 10.2.2.2: icmp: echo request
8.725242 toCisco out 10.1.1.1 -> 10.2.2.2: icmp: echo request
8.773293 toCisco in 10.2.2.2 -> 10.1.1.1: icmp: echo reply
8.773308 port2 out 10.2.2.2 -> 10.1.1.1: icmp: echo reply
 
9.726381 port2 in 10.1.1.1 -> 10.2.2.2: icmp: echo request
9.726419 toCisco out 10.1.1.1 -> 10.2.2.2: icmp: echo request
9.772241 toCisco in 10.2.2.2 -> 10.1.1.1: icmp: echo reply
9.772262 port2 out 10.2.2.2 -> 10.1.1.1: icmp: echo reply
 
10.727905 port2 in 10.1.1.1 -> 10.2.2.2: icmp: echo request
10.727932 toCisco out 10.1.1.1 -> 10.2.2.2: icmp: echo request
10.770654 toCisco in 10.2.2.2 -> 10.1.1.1: icmp: echo reply
10.770664 port2 out 10.2.2.2 -> 10.1.1.1: icmp: echo reply
 
11.729781 port2 in 10.1.1.1 -> 10.2.2.2: icmp: echo request
11.729829 toCisco out 10.1.1.1 -> 10.2.2.2: icmp: echo request
11.768864 toCisco in 10.2.2.2 -> 10.1.1.1: icmp: echo reply
11.768889 port2 out 10.2.2.2 -> 10.1.1.1: icmp: echo reply
 
20 packets received by filter
0 packets dropped by kernel
 

## IP-in-IP traffic (protocol 4) sent and received by the FGT

 
FGT # diagnose sniffer packet any 'ip proto 4' 4
interfaces=[any]
filters=[ip proto 4]
 
3.171215 ipsec out 198.51.100.1 -> 192.0.2.2:  ip-proto-4 84
3.218441 ipsec in 192.0.2.2 -> 198.51.100.1:  ip-proto-4 84
 
4.172934 ipsec out 198.51.100.1 -> 192.0.2.2:  ip-proto-4 84
4.216346 ipsec in 192.0.2.2 -> 198.51.100.1:  ip-proto-4 84
 
5.173400 ipsec out 198.51.100.1 -> 192.0.2.2:  ip-proto-4 84
5.215081 ipsec in 192.0.2.2 -> 198.51.100.1:  ip-proto-4 84
 
6.175028 ipsec out 198.51.100.1 -> 192.0.2.2:  ip-proto-4 84
6.229165 ipsec in 192.0.2.2 -> 198.51.100.1:  ip-proto-4 84
 
7.177447 ipsec out 198.51.100.1 -> 192.0.2.2:  ip-proto-4 84
7.227070 ipsec in 192.0.2.2 -> 198.51.100.1:  ip-proto-4 84
 
10 packets received by filter
0 packets dropped by kernel
 

## IPsec traffic (ESP) sent and received by the FGT

 
FGT # diagnose sniffer packet any 'esp' 4
interfaces=[any]
filters=[esp]
 
3.226624 port1 out 198.51.100.1 -> 192.0.2.2:  ip-proto-50 132
3.272721 port1 in 192.0.2.2 -> 198.51.100.1:  ip-proto-50 132
 
4.228073 port1 out 198.51.100.1 -> 192.0.2.2:  ip-proto-50 132
4.270525 port1 in 192.0.2.2 -> 198.51.100.1:  ip-proto-50 132
 
5.229539 port1 out 198.51.100.1 -> 192.0.2.2:  ip-proto-50 132
5.252935 port1 in 192.0.2.2 -> 198.51.100.1:  ip-proto-50 132
 
6.231020 port1 out 198.51.100.1 -> 192.0.2.2:  ip-proto-50 132
6.282938 port1 in 192.0.2.2 -> 198.51.100.1:  ip-proto-50 132
 
7.232221 port1 out 198.51.100.1 -> 192.0.2.2:  ip-proto-50 132
7.281691 port1 in 192.0.2.2 -> 198.51.100.1:  ip-proto-50 132
 
10 packets received by filter
0 packets dropped by kernel
 
 
Verify the debug flow when PC1 attempts to ping PC2
 
FG1 # diag debug flow filter clear
FG1 # diag debug flow show function-name enable
show function name
 
FG1 # diag debug flow show iprope enable
show trace messages about iprope
 
FG1 # diag debug flow filter proto 1
FG1 # diag debug flow filter addr 10.2.2.2
FG1 # diag debug flow show console enable
show trace messages on console
 
FG1 # diag debug flow trace start 1000
FG1 # diag debug enable

## ICMP echo-request from PC1 to PC2

 
id=20085 trace_id=7 func=print_pkt_detail line=4793 msg="vd-root received a packet(proto=1, 10.1.1.1:639->10.2.2.2:2048) from port2. type=8, code=0, id=639, seq=1."
id=20085 trace_id=7 func=init_ip_session_common line=4944 msg="allocate a new session-000006f5"
id=20085 trace_id=7 func=iprope_dnat_check line=4659 msg="in-[port2], out-[]"
id=20085 trace_id=7 func=iprope_dnat_check line=4672 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=7 func=vf_ip_route_input_common line=2586 msg="find a route: flag=04000000 gw-10.2.2.2 via toCisco"
id=20085 trace_id=7 func=iprope_fwd_check line=636 msg="in-[port2], out-[toCisco], skb_flags-02000000, vid-0"
id=20085 trace_id=7 func=__iprope_check line=2049 msg="gnum-100004, check-ffffffffa001e70e"
id=20085 trace_id=7 func=__iprope_check_one_policy line=1823 msg="checked gnum-100004 policy-1, ret-matched, act-accept"
id=20085 trace_id=7 func=__iprope_user_identity_check line=1648 msg="ret-matched"
id=20085 trace_id=7 func=__iprope_check line=2049 msg="gnum-4e20, check-ffffffffa001e70e"
id=20085 trace_id=7 func=__iprope_check_one_policy line=1823 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=20085 trace_id=7 func=__iprope_check_one_policy line=1823 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=20085 trace_id=7 func=__iprope_check_one_policy line=1823 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=20085 trace_id=7 func=__iprope_check line=2068 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=20085 trace_id=7 func=__iprope_check_one_policy line=2020 msg="policy-1 is matched, act-accept"
id=20085 trace_id=7 func=__iprope_check line=2068 msg="gnum-100004 check result: ret-matched, act-accept, flag-08010000, flag2-00004000"
id=20085 trace_id=7 func=iprope_fwd_auth_check line=688 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-1"
id=20085 trace_id=7 func=fw_forward_handler line=697 msg="Allowed by Policy-1:"
 
id=20085 trace_id=7 func=ipsecdev_hard_start_xmit line=157 msg="enter IPsec interface-ipsec"
id=20085 trace_id=7 func=esp_output4 line=859 msg="IPsec encrypt/auth"
id=20085 trace_id=7 func=ipsec_output_finish line=498 msg="send to 198.51.100.254 via intf-port1"

## ICMP echo-reply from PC2 to PC1

 
id=20085 trace_id=8 func=print_pkt_detail line=4793 msg="vd-root received a packet(proto=1, 10.2.2.2:639->10.1.1.1:0) from toCisco. type=0, code=0, id=639, seq=1."
id=20085 trace_id=8 func=resolve_ip_tuple_fast line=4857 msg="Find an existing session, id-000006f5, reply direction"
id=20085 trace_id=8 func=vf_ip_route_input_common line=2586 msg="find a route: flag=04000000 gw-10.1.1.1 via port2"

 
 
Verify the session
 
FG1 # diag sys session filter clear
 
FG1 # diag sys session filter dst 10.2.2.2
 
FG1 # diag sys session filter proto 1
 
FG1 # diag sys session list
 
session info: proto=1 proto_state=00 duration=4 expire=55 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=ipsec/ vlan_cos=0/255
state=may_dirty
statistic(bytes/packets/allow_err): org=84/1/1 reply=84/1/1 tuples=2
tx speed(Bps/kbps): 20/0 rx speed(Bps/kbps): 20/0
orgin->sink: org pre->post, reply pre->post dev=4->16/16->4 gwy=10.2.2.2/10.1.1.1
hook=pre dir=org act=noop 10.1.1.1:639->10.2.2.2:8(0.0.0.0:0)
hook=post dir=reply act=noop 10.2.2.2:639->10.1.1.1:0(0.0.0.0:0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=000006f5 tos=ff/ff app_list=0 app=0 url_cat=0
dd_type=0 dd_mode=0
total session 1
 
 
 
Example of a decrypted IP-in-IP over IPsec packet containing PC1’s Echo-Request
 

 

## The ESP (IPsec) packet

 
Ethernet II, Src: MS-NLB-PhysServer-09_69:5c:04:02 (02:09:69:5c:04:02), Dst: MS-NLB-PhysServer-09_69:5c:04:01 (02:09:69:5c:04:01)

    Destination: MS-NLB-PhysServer-09_69:5c:04:01 (02:09:69:5c:04:01)
    Source: MS-NLB-PhysServer-09_69:5c:04:02 (02:09:69:5c:04:02)
    Type: IPv4 (0x0800)
 
Internet Protocol Version 4, Src: 198.51.100.1, Dst: 192.0.2.2

    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 152
    Identification: 0x7b83 (31619)
    Flags: 0x02 (Don't Fragment)
    Fragment offset: 0
    Time to live: 64
    Protocol: Encap Security Payload (50)

    Header checksum: 0xd279 [correct]
    Source: 198.51.100.1
    Destination: 192.0.2.2
 
Encapsulating Security Payload
    ESP SPI: 0xf29a5c47 (4070202439)
    ESP Sequence: 47
    ESP IV: d088ca632398198233a9a070db82873e
    Pad: 0102030405060708090a
    ESP Pad Length: 10
    Next header: IPIP (0x04)

    Authentication Data [correct]
 

## The original IP packet carried inside the IP-in-IP packet

 
Internet Protocol Version 4, Src: 10.1.1.1, Dst: 10.2.2.2

    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 84
    Identification: 0x5b00 (23296)
    Flags: 0x02 (Don't Fragment)
    Fragment offset: 0
    Time to live: 63
    Protocol: ICMP (1)

    Header checksum: 0xc9a3 [correct]
    Source: 10.1.1.1
    Destination: 10.2.2.2
 
Internet Control Message Protocol
    Type: 8 (Echo (ping) request)
    Code: 0
    Checksum: 0xc1c9 [correct]
    Identifier (BE): 626 (0x0272)
    Identifier (LE): 29186 (0x7202)
    Sequence number (BE): 1 (0x0001)
    Sequence number (LE): 256 (0x0100)
    Data (48 bytes)
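As an added example (not part of the Fortinet article), the Python below rebuilds the PC1 echo request from the decrypted capture, wraps it in IP-in-IP as the FGT does, walks the protocol chain (ESP 50, IP-in-IP 4, ICMP 1) and predicts the ESP transport-mode lengths for aes128-sha1, reproducing the 84 / 132 / 152-byte sizes and the 10-byte pad seen in the sniffer and Wireshark output. The ICMP data bytes are constructed, and the ESP ciphertext, which the capture does not contain, is replaced by a zero placeholder of the predicted length.

```python
"""Added example, not from the Fortinet article: rebuild the PC1 -> PC2 echo request
from the decrypted capture, wrap it in IP-in-IP as the FGT does, walk the protocol
chain (50 -> ESP, 4 -> inner IPv4, 1 -> ICMP) and predict the ESP transport-mode
sizes for aes128-sha1 (AES-CBC: 16-byte IV and blocks; HMAC-SHA1-96: 12-byte ICV)."""
import struct

AES_BLOCK, ESP_HDR, ESP_IV, ESP_ICV = 16, 8, 16, 12   # block size, SPI+seq, IV, ICV

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int, ident: int) -> bytes:
    """20-byte IPv4 header (DF set, no options) with a correct header checksum."""
    s, d = (bytes(map(int, a.split("."))) for a in (src, dst))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000, ttl, proto, 0, s, d)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def icmp_echo(ident: int, seq: int, data: bytes) -> bytes:
    """ICMP echo request (type 8, code 0) with a correct checksum."""
    body = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def walk(pkt: bytes) -> list:
    """Follow the protocol chain outside-in, verifying checksums on the way.
    Returns ("ip", src, dst, proto, total_len) per IPv4 header, then ("esp", spi, seq)
    or ("icmp", type, code) for the innermost payload."""
    layers = []
    while True:
        ihl, tot, proto = (pkt[0] & 0xF) * 4, struct.unpack("!H", pkt[2:4])[0], pkt[9]
        assert checksum(pkt[:ihl]) == 0, "bad IPv4 header checksum"
        src, dst = (".".join(map(str, pkt[o:o + 4])) for o in (12, 16))
        layers.append(("ip", src, dst, proto, tot))
        body = pkt[ihl:tot]
        if proto == 4:            # IP-in-IP: the payload is a complete IPv4 packet
            pkt = body
            continue
        if proto == 50:           # ESP: only SPI and sequence number are in the clear
            layers.append(("esp",) + struct.unpack("!II", body[:8]))
        elif proto == 1:
            assert checksum(body) == 0, "bad ICMP checksum"
            layers.append(("icmp", body[0], body[1]))
        return layers

def esp_transport_sizes(inner_len: int) -> dict:
    """Lengths of an ESP transport-mode packet carrying inner_len bytes of IP-in-IP
    payload: padding fills the last AES block together with pad-length and next-header."""
    pad = (-(inner_len + 2)) % AES_BLOCK
    esp = ESP_HDR + ESP_IV + inner_len + pad + 2 + ESP_ICV
    return {"pad_len": pad, "esp_len": esp, "outer_total_len": 20 + esp}

# Constructed sample matching the capture: 56 ICMP data bytes (Wireshark shows the first 8
# as a timestamp and the remaining 48 as Data), id 626, seq 1, TTL 63 after one hop.
INNER = ipv4("10.1.1.1", "10.2.2.2", 1, icmp_echo(626, 1, bytes(56)), ttl=63, ident=0x5B00)
IPIP = ipv4("198.51.100.1", "192.0.2.2", 4, INNER, ttl=64, ident=0x7B83)
# Outer header of the ESP packet; the ciphertext is a zero placeholder of the predicted length.
ESP_LEN = esp_transport_sizes(len(INNER))["esp_len"]
ESP_OUTER = ipv4("198.51.100.1", "192.0.2.2", 50, bytes(ESP_LEN), ttl=64, ident=0x7B83)

if __name__ == "__main__":
    print(walk(IPIP))                        # 198.51.100.1->192.0.2.2 proto 4, then 10.1.1.1->10.2.2.2 ICMP
    print(walk(ESP_OUTER))                   # proto 50, total length 152
    print(esp_transport_sizes(len(INNER)))   # pad_len 10, esp_len 132, outer_total_len 152
```

The inner and ESP outer header checksums come out as 0xc9a3 and 0xd279, the values in the dissection above; the ICMP checksum differs because the capture's timestamp bytes are not reproduced.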

Related Articles

Technical Tip: Configuring and verifying an IP in IP tunnel
