FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
naveenk
Staff
Article Id 192814

Description


This article describes how to fix an issue where FortiGate does not send even the initial IKE negotiation packets, as observed in the IKE debug or sniffer output.


Scope

FortiGate.

Solution


In some situations, FortiGate does not send even the initial IKE negotiation packets, and nothing appears in the IKE debug or sniffer output.
This happens when the IPsec configuration is incomplete.
Although the IPsec tunnel configuration itself is complete and successfully saved, FortiGate does not send any IKE packets.
It also drops IKE packets received from the responder.

A working IPsec configuration must include three parts: the IPsec tunnel configuration itself, a static route pointing into the tunnel interface, and an IPv4 firewall policy.

It may not be obvious why an IPv4 policy is required for IKE negotiation, since IPv4 policies are designed to allow or deny traffic passing through the FortiGate.
The reason is that the tunnel must eventually carry user traffic, which an IPv4 policy has to allow, so FortiGate does not negotiate IKE until such a policy exists. Administrators should be aware of this to avoid troubleshooting the issue later.
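The following is a minimal configuration that contains all three parts (tunnel, static route and IPv4 policy). It is an added example, not configuration taken from the article: the tunnel name sts2, the remote gateway 2.2.2.2 and the outgoing interface mgmt are taken from the outputs below, while the LAN interface port2, the subnets, the address object names and the pre-shared key placeholder are assumed (lines starting with # are annotations).

```text
# Phase 1: outgoing interface and peer as seen in the outputs below
config vpn ipsec phase1-interface
    edit "sts2"
        set interface "mgmt"
        set ike-version 1
        set proposal aes256-sha256
        set remote-gw 2.2.2.2
        set psksecret <pre-shared-key>
    next
end
# Phase 2: protected subnets (assumed placeholder networks)
config vpn ipsec phase2-interface
    edit "sts2"
        set phase1name "sts2"
        set proposal aes256-sha256
        set src-subnet 192.0.2.0 255.255.255.0
        set dst-subnet 198.51.100.0 255.255.255.0
    next
end
# Static route: send traffic for the remote subnet into the tunnel interface
config router static
    edit 0
        set dst 198.51.100.0 255.255.255.0
        set device "sts2"
    next
end
# Address objects referenced by the policy (assumed names)
config firewall address
    edit "local-lan"
        set subnet 192.0.2.0 255.255.255.0
    next
    edit "remote-lan"
        set subnet 198.51.100.0 255.255.255.0
    next
end
# IPv4 policy: the part whose absence produces "no policy configured" in the ike debug
config firewall policy
    edit 0
        set name "lan-to-sts2"
        set srcintf "port2"
        set dstintf "sts2"
        set srcaddr "local-lan"
        set dstaddr "remote-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Policies are directional, so a second policy from "sts2" to "port2" is needed if the remote side initiates traffic into the local subnet.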


The following is the example debug and sniffer output when no IPv4 policy is configured on FortiGate (2.2.2.2 is used as an example remote IP).

Sniffer output:


diag sniffer packet any "host 2.2.2.2 and udp port 500" 4 a
interfaces=[any]
filters=[host 2.2.2.2 and udp port 500]                                                              <---- NO packets captured.


Debug output:


diagnose debug application ike -1
FG101F-2 # ike 0:sts2: gw negotiation timeout
ike 0:sts2:sts2: IPsec SA connect 6 10.5.54.242->2.2.2.2:0
ike 0:sts2: ignoring request to establish IPsec SA, no policy configured      <----- Showing that no policy exists.
ike 0:sts2: gw negotiation timeout


After configuring the IPv4 policies, the following output is seen.

Sniffer output:


diag sniffer packet any "host 2.2.2.2 and udp port 500" 4 a
interfaces=[any]
filters=[host 2.2.2.2 and udp port 500]
235.436336 mgmt out 10.5.54.242.500 -> 2.2.2.2.500: udp 572                   <---- Outgoing packets.
238.446036 mgmt out 10.5.54.242.500 -> 2.2.2.2.500: udp 572


Debug output:


ike 0:sts2: created connection: 0x18fce2d0 6 10.5.54.242->2.2.2.2:500.
ike 0:sts2:0: initiator: main mode is sending 1st message...                  <----- Sending the IKE message to peer.