Description
This article explains that, for an IPsec tunnel terminated on a loopback interface to work in both directions, a firewall policy must be added to allow traffic from the external interface (port1) to the loopback interface.
If this firewall policy is missing, the tunnel can only be initiated from the FortiGate 5001B (the unit that owns the loopback interface). Attempts to open the tunnel from the remote FortiGate 5001D will fail, and so will any rekey initiated from that side.
Note: Without this firewall policy, the tunnel may occasionally still be opened from the remote FortiGate 5001D if a matching session created earlier by the FortiGate 5001B already exists in the session table. This results in inconsistent, seemingly random behavior.
Scope
Up to FortiOS v5.2.
Solution
Diagram:
Configuration:
FortiGate 5001B configuration (IPsec terminated on the loopback interface):
FG-5KB-5144-E-9 # show sys interface port1
config system interface
edit "port1"
set vdom "root"
set ip 10.5.17.119 255.255.240.0
set allowaccess ping https ssh http telnet
set type physical
set snmp-index 1
next
end
FG-5KB-5144-E-9 # show sys interface port2
config system interface
edit "port2"
set vdom "root"
set ip 10.70.1.119 255.255.240.0
set allowaccess ping https ssh http telnet
set type physical
set snmp-index 2
next
end
FG-5KB-5144-E-9 # show sys interface loopback
config system interface
edit "loopback"
set vdom "root"
set ip 10.11.11.11 255.255.255.255
set type loopback
set snmp-index 23
next
end
FG-5KB-5144-E-9 # show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
edit "p1"
set interface "loopback"
set proposal 3des-sha1 aes128-sha1
set remote-gw 10.5.17.126
set psksecret ENC /////wOryimsvxup8kppZG5xRecwB+Az
set auto-negotiate disable
next
end
FG-5KB-5144-E-9 # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
edit "p2"
set phase1name "p1"
set proposal 3des-sha1 aes128-sha1
set src-subnet 10.70.0.0 255.255.240.0
set dst-subnet 10.134.0.0 255.255.240.0
next
end
FG-5KB-5144-E-9 # show firewall address local70
config firewall address
edit "local70"
set uuid 8a967910-a58b-51e6-b971-75521301d770
set subnet 10.70.0.0 255.255.240.0
next
end
FG-5KB-5144-E-9 # show firewall address remote134
config firewall address
edit "remote134"
set uuid 8a967910-a58b-51e6-b971-75521301d780
set subnet 10.134.0.0 255.255.240.0
next
end
FG-5KB-5144-E-9 # show firewall address loopback11
config firewall address
edit "loopback11"
set uuid 8ab68336-a58b-51e6-0542-ae24ae5418a5
set subnet 10.11.11.11 255.255.255.255
next
end
FG-5KB-5144-E-9 # show firewall policy
config firewall policy
edit 1
set uuid a2b6b672-a58b-51e6-3fd6-8dc39312bef1
set srcintf "port2"
set dstintf "p1"
set srcaddr "local70"
set dstaddr "remote134"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set uuid a3060b78-a58b-51e6-1a1d-5ae5d4c4584b
set srcintf "p1"
set dstintf "port2"
set srcaddr "remote134"
set dstaddr "local70"
set action accept
set schedule "always"
set service "ALL"
next
The following firewall policy is mandatory: it allows the remote peer's IKE traffic to reach the loopback interface, so that the remote unit can initiate the tunnel and perform rekeys. The example uses srcaddr "all"; in production, restricting srcaddr to the remote gateway address (10.5.17.126 in this example) limits IKE exposure of the loopback interface to the known peer.
edit 3
set uuid a35563c6-a58b-51e6-5ee0-67578f665355
set srcintf "port1"
set dstintf "loopback"
set srcaddr "all"
set dstaddr "loopback11"
set action accept
set schedule "always"
set service "IKE"
set logtraffic all
set logtraffic-start enable
next
end
FortiGate 5001D configuration.
config system interface
edit "mgmt1"
set vdom "root"
set ip 10.5.17.126 255.255.240.0
set allowaccess ping https ssh http telnet
set type physical
set snmp-index 10
next
end
config system interface
edit "phase1"
set vdom "root"
set type tunnel
set snmp-index 22
set interface "mgmt1"
next
end
config vpn ipsec phase1-interface
edit "phase1"
set interface "mgmt1"
set proposal 3des-sha1 aes128-sha1
set remote-gw 10.11.11.11
set psksecret ENC dmFyL8GXi28fONH6tP4+
set auto-negotiate disable
next
end
config vpn ipsec phase2-interface
edit "phase2"
set phase1name "phase1"
set proposal 3des-sha1 aes128-sha1
set src-subnet 10.134.0.0 255.255.240.0
set dst-subnet 10.70.0.0 255.255.240.0
next
config firewall address
edit "remote70"
set subnet 10.70.0.0 255.255.240.0
next
edit "local134"
set subnet 10.134.0.0 255.255.240.0
next
end
config firewall policy
edit 1
set uuid f19f4ada-a2d2-51e6-86c7-b655bc7acc90
set srcintf "phase1"
set dstintf "port3"
set srcaddr "remote70"
set dstaddr "local134"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set uuid 2ad09f98-a2d3-51e6-194e-7de97d90d457
set srcintf "port3"
set dstintf "phase1"
set srcaddr "local134"
set dstaddr "remote70"
set action accept
set schedule "always"
set service "ALL"
next
end
config router static
edit 2
set dst 10.70.0.0 255.255.240.0
set device "phase1"
next
edit 4
set dst 10.11.11.11 255.255.255.255
set gateway 10.5.17.119
set device "mgmt1"
next
end
Troubleshooting.
Once firewall policy ID 3 is created, the IKE/IPsec traffic initiated by the remote unit is allowed to reach the loopback interface of the FortiGate 5001B, as the routing tables and debug flow output below show.
FortiGate 5001D:
FG-5KD-5144C-ORA-6 # get ro info ro all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
C 10.5.16.0/20 is directly connected, mgmt1
C 10.134.0.0/20 is directly connected, port3
S 10.11.11.11/32 [10/0] via 10.5.17.119, mgmt1
S 10.70.0.0/20 [10/0] is directly connected, phase1
FortiGate 5001B:
FG-5KB-5144-E-9 # get ro info ro all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
C 10.5.16.0/20 is directly connected, port1
C 10.70.0.0/20 is directly connected, port2
C 10.11.11.11/32 is directly connected, loopback
S 10.134.0.0/20 [10/0] is directly connected, p1
FG-5KB-5144-E-9 # diagnose debug flow show console enable
show trace messages on console
FG-5KB-5144-E-9 # diagnose debug flow filter dport 500
FG-5KB-5144-E-9 # diagnose debug flow trace start 50
FG-5KB-5144-E-9 # di debug enable
FG-5KB-5144-E-9 # diagnose debug console timestamp enable
FG-5KB-5144-E-9 # diagnose debug sniffer packet any "udp port 500" 4
interfaces=[any]
filters=[udp port 500]
2016-11-08 14:19:13 id=20085 trace_id=172 func=print_pkt_detail line=4476 msg="vd-root received a packet(proto=17, 10.5.17.126:500->10.11.11.11:500) from port1. "
2016-11-08 14:19:13 id=20085 trace_id=172 func=init_ip_session_common line=4629 msg="allocate a new session-00023e24"
85.413252 port1 in 10.5.17.126.500 -> 10.11.11.11.500: udp 404
2016-11-08 14:19:13 id=20085 trace_id=173 func=print_pkt_detail line=4476 msg="vd-root received a packet(proto=17, 10.11.11.11:500->10.5.17.126:500) from local. "
85.413447 port1 out 10.11.11.11.500 -> 10.5.17.126.500: udp 188
2016-11-08 14:19:13 id=20085 trace_id=173 func=resolve_ip_tuple_fast line=4539 msg="Find an existing session, id-00023e24, reply direction"
2016-11-08 14:19:13 id=20085 trace_id=174 func=print_pkt_detail line=4476 msg="vd-root received a packet(proto=17, 10.5.17.126:500->10.11.11.11:500) from port1. "
85.414237 port1 in 10.5.17.126.500 -> 10.11.11.11.500: udp 356
Without firewall policy 3 from the external interface to the loopback interface, the inbound IKE traffic is dropped by the FortiGate local-in policy check, as the following debug flow output shows (check failed on policy 0, drop).
2016-11-08 17:21:18 id=13 trace_id=101 func=print_pkt_detail line=4307 msg="vd-BM0FWIRR01 received a packet(proto=17, 10.5.17.126:500->10.11.11.11:500) from port1. "
2016-11-08 17:21:18 id=13 trace_id=101 func=init_ip_session_common line=4463 msg="allocate a new session-d75bd206"
2016-11-08 17:21:18 id=13 trace_id=101 func=__iprope_tree_check line=534 msg="use addr/intf hash, len=2"
2016-11-08 17:21:18 id=13 trace_id=101 func=fw_local_in_handler line=360 msg="iprope_in_check() check failed on policy 0, drop"
If 'local-in-deny-unicast' is enabled (under 'config log setting'), the FortiGate generates logs for the denied IKE requests (allowed traffic is also logged with the corresponding policy ID). See 'Sample Logging Screenshot.PNG' for an example of the logs generated with this setting in place.
Note that terminating an IPsec tunnel on a loopback interface prevents the IPsec traffic from being offloaded on NP6-based platforms, which can reduce tunnel performance:
On NP7 network processors, traffic can be offloaded even when the tunnel is terminated on a loopback interface: