Description
This article describes how to fix an issue where FortiGate does not send at least the initial IKE negotiation packets, as observed in debug or sniffer output.
Scope
FortiGate.
Solution
In some situations, FortiGate does not send even the initial IKE negotiation packets, so none appear in the debug or sniffer output.
This issue occurs due to an incomplete IPsec configuration.
Although the entire IPsec tunnel configuration is completed and saved successfully, FortiGate does not send any IKE packets.
It also drops the IKE packets received from the responder (the remote peer).
A complete IPsec configuration must include the IPsec tunnel settings themselves, a static route (routing policy) pointing at the tunnel, and an IPv4 firewall policy that references the tunnel interface.
It may not be obvious why an IPv4 policy is necessary for IKE negotiation, since IPv4 policies are designed to allow or deny traffic passing through the FortiGate.
Administrators should be aware that FortiGate will not negotiate IKE at all until such a policy exists; because the FortiGate must allow the users' traffic through the tunnel later anyway, creating the policy up front avoids unnecessary troubleshooting.
The following is the example debug and sniffer output when there is no IPv4 policy configured on FortiGate (2.2.2.2 is used as an example remote IP).
Sniffer output:
diag sniffer packet any "host 2.2.2.2 and udp port 500" 4 a
interfaces=[any]
filters=[host 2.2.2.2 and udp port 500] <---- NO packets captured.
Debug output:
diagnose debug application ike -1
FG101F-2 # ike 0:sts2: gw negotiation timeout
ike 0:sts2:sts2: IPsec SA connect 6 10.5.54.242->2.2.2.2:0
ike 0:sts2: ignoring request to establish IPsec SA, no policy configured <----- Showing that no policy exists.
ike 0:sts2: gw negotiation timeout
After configuring the IPv4 policies, the following output is seen.
Sniffer output:
diag sniffer packet any "host 2.2.2.2 and udp port 500" 4 a
interfaces=[any]
filters=[host 2.2.2.2 and udp port 500]
235.436336 mgmt out 10.5.54.242.500 -> 2.2.2.2.500: udp 572 <---- Outgoing packets.
238.446036 mgmt out 10.5.54.242.500 -> 2.2.2.2.500: udp 572
Debug output:
ike 0:sts2: created connection: 0x18fce2d0 6 10.5.54.242->2.2.2.2:500.
ike 0:sts2:0: initiator: main mode is sending 1st message... <----- Sending the IKE message to peer.
Copyright 2024 Fortinet, Inc. All Rights Reserved.