Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
FrankY1
Staff
Staff

Created on ‎10-23-2024 10:21 PM

Article Id 350024

Technical Tip: ADVPN Shortcut For Spokes Connected on 3G/4G/5G Internet Requires Static Public IP

Description This article provides a solution for ADVPN shortcut between spokes connected to broadband cellular networks.  
Scope FortiGate.
Solution

From v6.4.0, ADVPN supports UDP hole-punching. However, when both spokes are on a cellular network (3G/4G/5G) with dynamic public IPs, the shortcut tunnel cannot come up due to the IKE INIT message from the initiating spoke being unable to reach the other. 

 

To resolve this problem, a static public IP is required on each spoke's internet link.

This issue can be verified by running the IKE debug on the hub and both spokes. In the debug output, the below process can be observed:

  1. The shortcut-offer is sent from the hub and received on spoke1.
  2. 'shortcut-query' is sent from spoke1, and received on spoke2.
  3. 'shortcut-reply' is sent from spoke2, and received on spoke1.
  4. spoke1 creates a new shortcut tunnel, IKE message (SA_INIT) is sent to spoke2.
  5. The SA_INIT is never received on spoke2.
  6. spoke1 retransmits the SA_INIT message until the timeout is reached and the tunnel is deleted. 

 

Below is an example output from spoke1:

 

Spoke1 # diagnose vpn ike log-filter mdst-addr4 <spoke2-public-ip> <hub-public-ip>

Spoke1 # diagnose debug application ike -1
Debug messages will be on for 30 minutes.

Spoke1 # diagnose debug console time enable

Spoke1 # diagnose debug enable

Spoke1 # 2024-10-10 10:35:19.001716 ike shrank heap by 159744 bytes
2024-10-10 10:35:30.921747 ike 0: comes <hub-public-ip>:4500->10.248.215.223:4500,ifindex=46,vrf=0....
...
2024-10-10 10:35:30.922026 ike 0:vpn5G-TID:141509: received informational request
2024-10-10 10:35:30.922051 ike 0:vpn5G-TID:141509: processing notify type SHORTCUT_OFFER
2024-10-10 10:35:30.922124 ike 0:vpn5G-TID: shortcut-offer 10.230.1.2->10.230.24.12 0 psk 64 ppk 0 ver 2 mode 0, peer-addr <spoke2-public-ip>:1044
2024-10-10 10:35:30.922154 ike 0 looking up shortcut by addr 10.230.24.12, name vpn5G-TID, peer-addr <spoke2-public-ip>:1044
2024-10-10 10:35:30.922212 ike 0:vpn5G-TID: send shortcut-query 8618648811703324262 f3d57897888e75ce/0000000000000000 10.248.21
5.223 10.230.1.2->10.230.24.12 0 psk 64 ttl 32 nat 1 ver 2 mode 0 network-id 2
...
2024-10-10 10:35:31.016395 ike 0:vpn5G-TID:141509: received informational request
2024-10-10 10:35:31.016416 ike 0:vpn5G-TID:141509: processing notify type SHORTCUT_REPLY
2024-10-10 10:35:31.016499 ike 0:vpn5G-TID: recv shortcut-reply 8618648811703324262 f3d57897888e75ce/0fda4e0f5646bff8 10.249.130.215 to 10.230.1.2 0 psk 64 ppk 0 ver 2 mode 0 ext-mapping <spoke2-public-ip>:1044, network-id 2/2
2024-10-10 10:35:31.016594 ike 0:vpn5G-TID: iif 55 10.230.24.12->10.230.1.2 0 route lookup oif 49 VLAN_200 gwy 0.0.0.0
2024-10-10 10:35:31.016624 ike 0:vpn5G-TID: shortcut-reply received from <spoke2-public-ip>:1044, local-nat=yes, peer-nat=yes
2024-10-10 10:35:31.016645 ike 0:vpn5G-TID: NAT hole punching to peer at <spoke2-public-ip>:1044
2024-10-10 10:35:31.016692 ike 0:vpn5G-TID: created connection: 0x9614f80 46 10.248.215.223-><spoke2-public-ip>:1044.
2024-10-10 10:35:31.016717 ike 0:vpn5G-TID: adding new dynamic tunnel for <spoke2-public-ip>:1044
2024-10-10 10:35:31.016787 ike 0:vpn5G-TID_0: tunnel created tun_id <spoke2-public-ip>/::<spoke2-public-ip> remote_location 0.0.0.0
2024-10-10 10:35:31.018302 ike 0:vpn5G-TID_0: added new dynamic tunnel for <spoke2-public-ip>:1044
2024-10-10 10:35:31.018391 ike 0:vpn5G-TID_0: shortcut health check selector added for 10.33.99.2, new serial 1
2024-10-10 10:35:31.018449 ike 0:vpn5G-TID_0: shortcut selector added, new serial 2
2024-10-10 10:35:31.018497 ike 0:vpn5G-TID:141509: enc 0F0E0D0C0B0A0908070605040302010F
2024-10-10 10:35:31.018582 ike 0:vpn5G-TID:141509: out DD579AF5D5E08FAF1A7A3DEDA896F4F82E202528000000040000005000000034019B0E23
587EE82184593C3EF68D9C3F81C43BC085B795D08BD39B7CFEE636983905188C1806F7CC0D230A27EB5A1078
2024-10-10 10:35:31.018675 ike 0:vpn5G-TID:141509: sent IKE msg (INFORMATIONAL_RESPONSE): 10.248.215.223:4500-><hub-public-ip>:4
500, len=80, vrf=0, id=dd579af5d5e08faf/1a7a3deda896f4f8:00000004
2024-10-10 10:35:31.018705 ike 0:vpn5G-TID_0:vpn5G-TID: chosen to populate IKE_SA traffic-selectors
2024-10-10 10:35:31.018750 ike 0:vpn5G-TID_0: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
2024-10-10 10:35:31.018799 ike 0:vpn5G-TID_0:141575: generate DH public value request queued
2024-10-10 10:35:31.018874 ike 0:vpn5G-TID_0:141575: create NAT-D hash local 10.248.215.223/4500 remote <spoke2-public-ip>/1044
...
2024-10-10 10:35:31.019053 ike 0:vpn5G-TID_0:141575: sent IKE msg (SA_INIT): 10.248.215.223:4500-><spoke2-public-ip>:1044, len=465,
vrf=0, id=f3d57897888e75ce/0fda4e0f5646bff8
...
2024-10-10 10:35:34.021819 ike 0:vpn5G-TID_0:141575: sent IKE msg (RETRANSMIT_SA_INIT:( 10.248.215.223:4500-><spoke2-public-ip>:1044
, len=465, vrf=0, id=f3d57897888e75ce/0fda4e0f5646bff8
2024-10-10 10:35:36.021726 ike 0:vpn5G-TID_0:vpn5G-TID: IPsec SA connect 46 10.248.215.223-><spoke2-public-ip>:0
2024-10-10 10:35:36.021779 ike 0:vpn5G-TID_0:vpn5G-TID: using existing connection
2024-10-10 10:35:36.021798 ike 0:vpn5G-TID:vpn5G-TID: config found
2024-10-10 10:35:36.021817 ike 0:vpn5G-TID: request is on the queue
2024-10-10 10:35:36.021849 ike 0:vpn5G-TID_0:vpn5G-TID: IPsec SA connect 46 10.248.215.223-><spoke2-public-ip>:0
2024-10-10 10:35:36.021869 ike 0:vpn5G-TID_0:vpn5G-TID: using existing connection
2024-10-10 10:35:36.021886 ike 0:vpn5G-TID:vpn5G-TID: config found
2024-10-10 10:35:36.021903 ike 0:vpn5G-TID: request is on the queue
...
2024-10-10 10:35:40.031831 ike 0:vpn5G-TID_0:141575: sent IKE msg (RETRANSMIT_SA_INIT:( 10.248.215.223:4500-><spoke2-public-ip>:1044
, len=465, vrf=0, id=f3d57897888e75ce/0fda4e0f5646bff8
2024-10-10 10:35:41.031711 ike 0:vpn5G-TID_0:vpn5G-TID: IPsec SA connect 46 10.248.215.223-><spoke2-public-ip>:0
2024-10-10 10:35:41.031773 ike 0:vpn5G-TID_0:vpn5G-TID: using existing connection
2024-10-10 10:35:41.031797 ike 0:vpn5G-TID:vpn5G-TID: config found
2024-10-10 10:35:41.031818 ike 0:vpn5G-TID: request is on the queue
2024-10-10 10:35:41.031853 ike 0:vpn5G-TID_0:vpn5G-TID: IPsec SA connect 46 10.248.215.223-><spoke2-public-ip>:0
2024-10-10 10:35:41.031877 ike 0:vpn5G-TID_0:vpn5G-TID: using existing connection
2024-10-10 10:35:41.031897 ike 0:vpn5G-TID:vpn5G-TID: config found
2024-10-10 10:35:41.031916 ike 0:vpn5G-TID: request is on the queue
2024-10-10 10:35:46.041707 ike 0:vpn5G-TID_0:vpn5G-TID: IPsec SA connect 46 10.248.215.223-><spoke2-public-ip>:0
2024-10-10 10:35:46.041783 ike 0:vpn5G-TID_0:vpn5G-TID: using existing connection
...
2024-10-10 10:36:01.031696 ike 0:vpn5G-TID_0:141575: negotiation timeout, deleting
2024-10-10 10:36:01.031860 ike 0:vpn5G-TID_0: connection expiring due to phase1 down
2024-10-10 10:36:01.031886 ike 0:vpn5G-TID_0: deleting
2024-10-10 10:36:01.031911 ike 0:vpn5G-TID_0: delete dynamic
2024-10-10 10:36:01.191714 ike 0:vpn5G-TID_0: deleted
2024-10-10 10:36:01.191769 ike 0:vpn5G-TID: schedule auto-negotiate
111
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.