aionescu
Staff
Article Id 192495

Description


This article shows how the FortiGate manages the IPsec SAs when DPD is configured as on-demand compared to on-idle.

Related documents.
FortiClient as dialup client
https://datatracker.ietf.org/doc/html/rfc3706

 

Scope

 

FortiGate.

Solution


In this setup, the FortiGate is configured as a dialup server and FortiClient is used as the dialup client.
The IKE version used is IKEv1.

The IP addresses involved in this example are:

  • 10.0.4.68 – PC.
  • 10.0.0.27 – FortiGate.

 

'When two peers communicate with IKE [2] and IPSec [3], the situation may arise in which connectivity between the two goes down unexpectedly.  This situation can arise because of routing problems, one host rebooting, etc.
In such cases, there is often no way for IKE and IPSec to identify the loss of peer connectivity. 

As such, the SAs can remain until their lifetimes naturally expire, resulting in a 'black hole' situation where packets are tunneled to oblivion'.

On the FortiGate, DPD can be configured as follows:

 

# set dpd
disable      <----- Disable Dead Peer Detection.
on-idle      <----- Trigger Dead Peer Detection when IPsec is idle.
on-demand    <----- Trigger Dead Peer Detection when IPsec traffic is sent but no reply is received from the peer.

Configure it in the GUI:
Go to: VPN -> IPsec Tunnels -> Select the desired VPN tunnel to edit -> Edit tunnel -> Network -> Edit.



 

In the first example, the tunnel is brought down manually using the 'Disconnect' button on the FortiClient console.

 

name=DIALUP_IPSEC_0 ver=1 serial=20 10.0.0.27:0->10.0.4.68:0 tun_id=10.0.4.68 dst_mtu=0 dpd-link=on remote_location=0.0.0.0 weight=1
bound_if=8 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/648 options[0288]=npu rgwy-chg frag-rfc  run_state=0 accept_traffic=1 overlay_id=0
parent=DIALUP_IPSEC index=0
proxyid_num=1 child_num=0 refcnt=5 ilast=0 olast=0 ad=/0
stat: rxp=1 txp=0 rxb=16032 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=DIALUP_IPSEC proto=0 sa=1 ref=2 serial=1 add-route
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:192.168.1.1-192.168.1.1:0
  SA:  ref=4 options=2a6 type=00 soft=0 mtu=1280 expire=42902/0B replaywin=1024
       seqno=1 esn=0 replaywin_lastseq=00000001 itn=0 qat=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=43188/43200
  dec: spi=979c32d1 esp=aes key=16 a35160808c3c60ec643ce100ea8d7529
       ah=sha1 key=20 4c711e7e2de1f2e215755fe7e7bf74291c0b0f19
  enc: spi=6810c321 esp=aes key=16 6de5089206932cd48142ae26a436fe60
       ah=sha1 key=20 4d89d88df953f5e3ed304f861bf6dcba8781d171
  dec:pkts/bytes=1/15968, enc:pkts/bytes=0/0
  npu_flag=02 npu_rgwy=10.0.4.68 npu_lgwy=10.0.0.27 npu_selid=1f dec_npuid=1 enc_npuid=0

 

The log shows:

 

ike 0:DIALUP_IPSEC_0:115: recv IPsec SA delete, spi count 1
ike 0:DIALUP_IPSEC_0: deleting IPsec SA with SPI 6810c321
ike 0:DIALUP_IPSEC_0:DIALUP_IPSEC: deleted IPsec SA with SPI 6810c321, SA count: 0
ike 0:DIALUP_IPSEC:3344: del route 192.168.1.1/255.255.255.255 oif DIALUP_IPSEC(32) metric 15 priority 0
ike 0:DIALUP_IPSEC_0: sending SNMP tunnel DOWN trap for DIALUP_IPSEC
ike 0:DIALUP_IPSEC_0: sending tunnel down gw 192.168.1.1
ike 0:DIALUP_IPSEC_0:DIALUP_IPSEC: delete
ike 0: comes 10.0.4.68:500->10.0.0.27:500,ifindex=8,vrf=0....
ike 0: IKEv1 exchange=Informational
ike 0:DIALUP_IPSEC_0:115: recv IPsec SA delete, spi count 1
ike 0:DIALUP_IPSEC_0: deleting IPsec SA with SPI 6810c321
ike 0:DIALUP_IPSEC_0: delete dynamic
ike 0:DIALUP_IPSEC_0: deleted

 

In the second example, network issues or closing the PC without disconnecting the FortiClient disrupt the communication between the server and client.

The tunnel is configured with DPD on-demand.

 

name=DIALUP_IPSEC_0 ver=1 serial=21 10.0.0.27:0->10.0.4.68:0 tun_id=10.0.4.68 dst_mtu=0 dpd-link=on remote_location=0.0.0.0 weight=1
bound_if=8 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/648 options[0288]=npu rgwy-chg frag-rfc  run_state=0 accept_traffic=1 overlay_id=0
parent=DIALUP_IPSEC index=0
proxyid_num=1 child_num=0 refcnt=6 ilast=4 olast=0 ad=/0
stat: rxp=1 txp=0 rxb=15322 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=DIALUP_IPSEC proto=0 sa=1 ref=2 serial=2 add-route
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:192.168.1.1-192.168.1.1:0
  SA:  ref=4 options=2a6 type=00 soft=0 mtu=1280 expire=43116/0B replaywin=1024
       seqno=1 esn=0 replaywin_lastseq=00000001 itn=0 qat=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=43185/43200
  dec: spi=979c32d3 esp=aes key=16 74d2081be10c36927e852f9d86795e1c
       ah=sha1 key=20 6225e3f1e1be79fd4e60d5c70034fc9d78600dcb
  enc: spi=45ac1448 esp=aes key=16 b2b517ae16e013b692f231ccae0e9f2d
       ah=sha1 key=20 715659660a815bc8c7f05fe1f46e8caa9ee2c1ba
  dec:pkts/bytes=1/15258, enc:pkts/bytes=0/0
  npu_flag=02 npu_rgwy=10.0.4.68 npu_lgwy=10.0.0.27 npu_selid=21 dec_npuid=1 enc_npuid=0

 

If no traffic is sent, no DPD probes are sent and the tunnel stays up until the SA expires (expire=43116).

 

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
  SA:  ref=4 options=2a6 type=00 soft=0 mtu=1280 expire=43074/0B replaywin=1024
  dec:pkts/bytes=1/15258, enc:pkts/bytes=0/0

 

Once a ping is started from the firewall towards the PC, packets are sent but no reply is received, so the FortiGate starts sending DPD probes:

 

2021-09-27 01:36:08.778216 ike 0:DIALUP_IPSEC_0:117: notify msg received: R-U-THERE
2021-09-27 01:36:08.778507 ike 0:DIALUP_IPSEC_0:117: sent IKE msg (R-U-THERE-ACK): 10.0.0.27:500->10.0.4.68:500, len=108, vrf=0, id=52f18094403cc9d0/2e82598389c126dc:00d86e17
2021-09-27 01:39:29.156978 ike 0:DIALUP_IPSEC_0:117: sent IKE msg (R-U-THERE): 10.0.0.27:500->10.0.4.68:500, len=108, vrf=0, id=52f18094403cc9d0/2e82598389c126dc:d7fe0fd5
2021-09-27 01:39:49.196961 ike 0:DIALUP_IPSEC_0:117: sent IKE msg (R-U-THERE): 10.0.0.27:500->10.0.4.68:500, len=108, vrf=0, id=52f18094403cc9d0/2e82598389c126dc:b6ba4341
2021-09-27 01:40:09.236997 ike 0:DIALUP_IPSEC_0:117: sent IKE msg (R-U-THERE): 10.0.0.27:500->10.0.4.68:500, len=108, vrf=0, id=52f18094403cc9d0/2e82598389c126dc:3b9ac477

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
  SA:  ref=4 options=2a6 type=00 soft=0 mtu=1280 expire=43021/0B replaywin=1024
   dec:pkts/bytes=1/15258, enc:pkts/bytes=0/0
 
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=1 seqno=1
  SA:  ref=5 options=2a6 type=00 soft=0 mtu=1438 expire=42896/0B replaywin=1024
   dec:pkts/bytes=1/15258, enc:pkts/bytes=5/760
 
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=3 seqno=1
  SA:  ref=5 options=2a6 type=00 soft=0 mtu=1438 expire=42868/0B replaywin=1024
  dec:pkts/bytes=1/15258, enc:pkts/bytes=5/760

 

Eventually, after three probes are sent, the tunnel is flushed:

 

2021-09-27 01:40:29.276680 ike 0:DIALUP_IPSEC_0: link fail 8 10.0.0.27->10.0.4.68:0 dpd=2
2021-09-27 01:40:29.276788 ike 0:DIALUP_IPSEC_0: link down 8 10.0.0.27->10.0.4.68:500
2021-09-27 01:40:29.276930 ike 0:DIALUP_IPSEC_0: deleting
2021-09-27 01:40:29.277240 ike 0:DIALUP_IPSEC_0: sent tunnel-down message to EMS: (fct-uid=0C21D6645CE84F25AE8F8314C4F42BE9, intf=DIALUP_IPSEC_0, addr=192.168.1.1, vdom=root)
2021-09-27 01:40:29.277277 ike 0:DIALUP_IPSEC_0: flushing
2021-09-27 01:40:29.277542 ike 0:DIALUP_IPSEC_0: deleting IPsec SA with SPI 45ac1448
2021-09-27 01:40:29.296494 ike 0:DIALUP_IPSEC_0: delete dynamic
2021-09-27 01:40:29.296798 ike 0:DIALUP_IPSEC_0: deleted

 

If the phase1 configuration is changed to set dpd on-idle, the tunnel is flushed after 60 seconds even though there is no traffic through the tunnel, as per the DPD configuration:

 

# set dpd-retrycount 3
# set dpd-retryinterval 20

name=DIALUP_IPSEC_0 ver=1 serial=24 10.0.0.27:0->10.0.4.68:0 tun_id=10.0.4.68 dst_mtu=0 dpd-link=on remote_location=0.0.0.0 weight=1
bound_if=8 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/648 options[0288]=npu rgwy-chg frag-rfc  run_state=0 accept_traffic=1 overlay_id=0
parent=DIALUP_IPSEC index=0
proxyid_num=1 child_num=0 refcnt=6 ilast=17 olast=14 ad=/0
stat: rxp=1 txp=0 rxb=16414 txb=0
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=DIALUP_IPSEC proto=0 sa=1 ref=2 serial=1 add-route
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:192.168.1.1-192.168.1.1:0
  SA:  ref=4 options=2a6 type=00 soft=0 mtu=1280 expire=43094/0B replaywin=1024
       seqno=1 esn=0 replaywin_lastseq=00000001 itn=0 qat=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=43191/43200
  dec: spi=979c32d6 esp=aes key=16 ae1b6153fdb8c695444ea8b8b28f50d2
       ah=sha1 key=20 eafea193dd0b6b56c137a7624c6ca1c98060646a
  enc: spi=65e7eb7d esp=aes key=16 250f06ee0c7587b5abb273f2cd9da5da
       ah=sha1 key=20 6f5288227cd03bc4c887495b1356bf21d501a21c
  dec:pkts/bytes=1/16350, enc:pkts/bytes=0/0
  npu_flag=02 npu_rgwy=10.0.4.68 npu_lgwy=10.0.0.27 npu_selid=24 dec_npuid=1 enc_npuid=0

 

No traffic is passing through the tunnel, and DPD probes are sent:

 

dpd: mode=on-idle on=1 idle=20000ms retry=3 count=1 seqno=1
  SA:  ref=3 options=2a6 type=00 soft=0 mtu=1438 expire=43088/0B replaywin=1024
    dec:pkts/bytes=1/16350, enc:pkts/bytes=0/0
 

dpd: mode=on-idle on=1 idle=20000ms retry=3 count=2 seqno=1
  SA:  ref=3 options=2a6 type=00 soft=0 mtu=1438 expire=43069/0B replaywin=1024
  dec:pkts/bytes=1/16350, enc:pkts/bytes=0/0
 

dpd: mode=on-idle on=1 idle=20000ms retry=3 count=3 seqno=1
  SA:  ref=3 options=2a6 type=00 soft=0 mtu=1438 expire=43049/0B replaywin=1024
  dec:pkts/bytes=1/16350, enc:pkts/bytes=0/0

 

Eventually, after three probes are sent, the tunnel is flushed:

 

2021-09-27 02:03:12.908432 ike 0:DIALUP_IPSEC_0:120: notify msg received: R-U-THERE
2021-09-27 02:03:12.908724 ike 0:DIALUP_IPSEC_0:120: sent IKE msg (R-U-THERE-ACK): 10.0.0.27:500->10.0.4.68:500, len=108, vrf=0, id=d2c1f554e479491b/3630abe3019703af:5d9b7c38
2021-09-27 02:03:32.917271 ike 0:DIALUP_IPSEC_0:120: sent IKE msg (R-U-THERE): 10.0.0.27:500->10.0.4.68:500, len=108, vrf=0, id=d2c1f554e479491b/3630abe3019703af:938725fb
2021-09-27 02:03:52.957252 ike 0:DIALUP_IPSEC_0:120: sent IKE msg (R-U-THERE): 10.0.0.27:500->10.0.4.68:500, len=108, vrf=0, id=d2c1f554e479491b/3630abe3019703af:a4cf3ec5
2021-09-27 02:04:12.997265 ike 0:DIALUP_IPSEC_0:120: sent IKE msg (R-U-THERE): 10.0.0.27:500->10.0.4.68:500, len=108, vrf=0, id=d2c1f554e479491b/3630abe3019703af:72e63275
2021-09-27 02:04:33.036999 ike 0:DIALUP_IPSEC_0: link fail 8 10.0.0.27->10.0.4.68:0 dpd=1
2021-09-27 02:04:33.037069 ike 0:DIALUP_IPSEC_0: link down 8 10.0.0.27->10.0.4.68:500
2021-09-27 02:04:33.037219 ike 0:DIALUP_IPSEC_0: deleting
2021-09-27 02:04:33.037677 ike 0:DIALUP_IPSEC_0: flushing
2021-09-27 02:04:33.037972 ike 0:DIALUP_IPSEC_0: deleting IPsec SA with SPI 65e7eb7d
2021-09-27 02:04:33.046790 ike 0:DIALUP_IPSEC_0: delete dynamic
2021-09-27 02:04:33.056835 ike 0:DIALUP_IPSEC_0: deleted
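
The timing in the capture above can be checked from the debug log itself. The following Python sketch is an added example, not Fortinet code: it parses IKE debug lines, counts unanswered R-U-THERE probes per tunnel and measures how long a dead peer's SA was held. The function name dpd_summary is hypothetical, the sample lines are taken from the on-idle capture with the id= field dropped, and an incoming R-U-THERE-ACK is assumed to be logged with the same "notify msg received" prefix as the peer's R-U-THERE.

```python
import re
from datetime import datetime

# Sample input: lines from the on-idle capture above, with the id= field dropped.
SAMPLE_LOG = """\
2021-09-27 02:03:12.908432 ike 0:DIALUP_IPSEC_0:120: notify msg received: R-U-THERE
2021-09-27 02:03:12.908724 ike 0:DIALUP_IPSEC_0:120: sent IKE msg (R-U-THERE-ACK): 10.0.0.27:500->10.0.4.68:500, len=108, vrf=0
2021-09-27 02:03:32.917271 ike 0:DIALUP_IPSEC_0:120: sent IKE msg (R-U-THERE): 10.0.0.27:500->10.0.4.68:500, len=108, vrf=0
2021-09-27 02:03:52.957252 ike 0:DIALUP_IPSEC_0:120: sent IKE msg (R-U-THERE): 10.0.0.27:500->10.0.4.68:500, len=108, vrf=0
2021-09-27 02:04:12.997265 ike 0:DIALUP_IPSEC_0:120: sent IKE msg (R-U-THERE): 10.0.0.27:500->10.0.4.68:500, len=108, vrf=0
2021-09-27 02:04:33.036999 ike 0:DIALUP_IPSEC_0: link fail 8 10.0.0.27->10.0.4.68:0 dpd=1
2021-09-27 02:04:33.056835 ike 0:DIALUP_IPSEC_0: deleted
"""

# "<timestamp> ike <vd>:<tunnel>[:<sa id>]: <message>"
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) ike \d+:([^:\s]+):(?:\d+:)? (.*)$")

def dpd_summary(log_text):
    """Per tunnel: unanswered probes, gaps between them, and how long the dead peer was held."""
    state = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        t = state.setdefault(m.group(2), {"probes": [], "last_peer": None, "fail": None})
        msg = m.group(3)
        if msg.startswith("sent IKE msg (R-U-THERE)"):
            t["probes"].append(ts)  # our probe, not yet answered
        elif msg.startswith("notify msg received: R-U-THERE"):
            # Peer probe (seen in the capture) or ACK (assumed to share this
            # prefix): either one proves liveness, so pending probes are cleared.
            t["last_peer"], t["probes"] = ts, []
        elif msg.startswith("link fail"):
            t["fail"] = ts
    out = {}
    for name, t in state.items():
        p, fail = t["probes"], t["fail"]
        secs = lambda a, b: round((b - a).total_seconds()) if a and b else None
        out[name] = {
            "unanswered": len(p),
            "gaps_s": [secs(a, b) for a, b in zip(p, p[1:])],
            "probe_to_fail_s": secs(p[0] if p else None, fail),
            "silence_s": secs(t["last_peer"], fail),
        }
    return out

if __name__ == "__main__":
    print(dpd_summary(SAMPLE_LOG))
```

On the sample, the three probes are 20 seconds apart and the flush comes 60 seconds after the first probe, which is about 80 seconds after the last message received from the peer.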

 

Related Article:

Technical Tip: Configuring DPD (dead peer detection) on IPsec VPN