FortiGate
sagha (Staff)
Article Id 217330
Description

This article describes how to troubleshoot a scenario where the IPsec tunnel is up (phase 1 and phase 2 established) but traffic that leaves the FortiGate through the tunnel does not reach the remote end.

 

This article applies to all of the following topologies:

 

  1. FortiGate=====IPSec Tunnel=====FortiGate.
  2. FortiGateVM======IPSec Tunnel====FortiGate.
  3. FortiGate=====IPSec Tunnel======Third Party.
Scope

FortiGate.
Solution

Follow these steps: 

 

  1. Verify which IPsec ports are being used on the FortiGate with the following commands. In the IKE gateway output, the 'addr:' line shows the local and remote IKE ports (500 or 4500); in the tunnel list output, the 'natt:' line shows whether NAT traversal is in use.

 

diagnose vpn ike gateway list name <tunnel_name>

diagnose vpn tunnel list name <tunnel_name>

 

  2. If port 500 is being used, switch the tunnel to port 4500 by forcing NAT traversal. Without NAT-T, ESP travels as IP protocol 50, which NAT devices and some load balancers along the path cannot forward or silently drop; with 'nattraversal forced', both IKE and ESP are encapsulated in UDP 4500 even when no NAT is detected.

 

config vpn ipsec phase1-interface
    edit "VPN-Phase1"
        set nattraversal forced
    next
end

 

If the remote end is a third-party device, make sure NAT traversal is enabled there as well; otherwise the peer will keep sending raw ESP and the problem persists in one direction.

 

  3. Flush the tunnel so that the IKE and IPsec security associations are torn down and renegotiated with the new NAT-T setting.

 

diagnose vpn tunnel flush <tunnel_name>

diagnose vpn ike gateway flush name <tunnel_name>

 

Or:

 

diagnose vpn ike gateway clear name <tunnel_name>

 

  4. Verify that the connection is now established on port 4500 using the same commands as in the first step; the 'addr:' line should show 4500 on both sides.

    Note: On cloud platforms such as Azure, it is recommended to use NAT-T for the IPsec VPN so that the traffic passes through the Azure load balancer.
    Refer to this article: Technical Tip: IPSec tunnel is established but unable to pass the traffic on Azure.

  5. Check whether traffic is sent and received over the VPN tunnel on both ends. Run a debug flow and a packet capture on both FortiGates, filtered on the end-host IP addresses.

 

Host X (x.x.x.x) -> FGT-A (IPsec VPN) FGT-B -> (y.y.y.y) Host Y.

For debug flow, run the following commands:

 

diag debug reset
diag debug console timestamp enable
diag debug flow filter addr x.x.x.x y.y.y.y and
diag debug flow show iprope enable
diag debug flow show function-name enable
diag debug flow trace start 1000
diag debug enable

Reproduce the traffic, then stop the trace and turn debugging off again so the filter does not stay active:

diag debug flow trace stop
diag debug disable
diag debug reset

For packet capture, run the command:


diagnose sniffer packet any "host x.x.x.x and host y.y.y.y" 4 0 l
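Steps 1 to 5 above amount to reading three things from the diagnostics: the IKE ports on the 'addr:' line, the NAT-T state on the 'natt:' line, and the per-direction ESP counters in the tunnel list. The following script is an added example, not part of the original article or of FortiOS: it parses constructed sample output laid out like the two diagnose commands (values, addresses and the tunnel name VPN-Phase1 are made up, and the assumption that the 'natt: mode=' values mirror the 'set nattraversal' choices, with 'none' meaning no UDP encapsulation, is the author's) and applies the decision rule this article describes.

```python
"""Added example (not from the original article): classify a FortiGate IPsec
tunnel from the text of 'diagnose vpn ike gateway list name <tunnel>' and
'diagnose vpn tunnel list name <tunnel>', to decide whether IKE runs on UDP
500 or 4500, whether NAT-T encapsulation is active, and whether ESP is
flowing in both directions. Paste real output in place of the samples."""
import re

# Constructed sample output (RFC 5737 addresses). The line layout mirrors the
# FortiOS diagnostics but every value is made up for this example.
IKE_BEFORE = """\
vd: root/0
name: VPN-Phase1
version: 2
interface: wan1 5
addr: 203.0.113.10:500 -> 198.51.100.20:500
IKE SA: created 1/1  established 1/1  time 0/0/0 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms
"""

TUNNEL_BEFORE = """\
name=VPN-Phase1 ver=2 serial=1 203.0.113.10:0->198.51.100.20:0 tun_id=198.51.100.20 dst_mtu=1500
bound_if=5 lgwy=static/1 tun=intf mode=auto/1 encap=none/528 run_state=0 accept_traffic=1
stat: rxp=0 txp=1284 rxb=0 txb=192600
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=VPN-Phase2 proto=0 sa=1 ref=2 serial=1
  src: 0:10.10.10.0/255.255.255.0:0
  dst: 0:10.20.20.0/255.255.255.0:0
  dec:pkts/bytes=0/0, enc:pkts/bytes=1284/192600
"""

# Same tunnel after 'set nattraversal forced' on both ends and a flush (constructed).
IKE_AFTER = IKE_BEFORE.replace(":500 -> 198.51.100.20:500", ":4500 -> 198.51.100.20:4500")
TUNNEL_AFTER = (TUNNEL_BEFORE
                .replace("natt: mode=none draft=0 interval=0 remote_port=0",
                         "natt: mode=forced draft=0 interval=10 remote_port=4500")
                .replace("dec:pkts/bytes=0/0, enc:pkts/bytes=1284/192600",
                         "dec:pkts/bytes=311/29856, enc:pkts/bytes=1602/240300"))


def parse_ike(text):
    """Return the IKE endpoints and UDP ports from the 'addr:' line."""
    m = re.search(r"^addr:\s*(\S+):(\d+)\s*->\s*(\S+):(\d+)", text, re.M)
    if not m:
        raise ValueError("no 'addr:' line; is the IKE SA up?")
    return {"local": m.group(1), "local_port": int(m.group(2)),
            "remote": m.group(3), "remote_port": int(m.group(4))}


def parse_tunnel(text):
    """Return NAT-T state and per-direction ESP packet counters."""
    natt = re.search(r"^natt:\s*mode=(\S+).*?remote_port=(\d+)", text, re.M)
    cnt = re.search(r"dec:pkts/bytes=(\d+)/\d+,\s*enc:pkts/bytes=(\d+)/\d+", text)
    if not natt or not cnt:
        raise ValueError("no 'natt:' line or enc/dec counters; is a phase 2 SA installed?")
    return {"natt_mode": natt.group(1), "natt_remote_port": int(natt.group(2)),
            "dec_pkts": int(cnt.group(1)), "enc_pkts": int(cnt.group(2))}


def diagnose(ike_text, tunnel_text):
    """Apply the article's decision rule to one tunnel's diagnostics."""
    ike = parse_ike(ike_text)
    tun = parse_tunnel(tunnel_text)
    # Assumption: NAT-T is active when the mode is anything but 'none' or when
    # IKE itself has already moved to UDP 4500.
    natt_active = tun["natt_mode"] != "none" or ike["local_port"] == 4500
    esp_carrier = "UDP 4500 (NAT-T)" if natt_active else "IP protocol 50 (raw ESP)"
    if tun["enc_pkts"] > 0 and tun["dec_pkts"] == 0:
        status = "one-way"
        if natt_active:
            advice = ("encrypting but never decrypting even with NAT-T: capture "
                      "'udp port 4500' on both WAN interfaces and check the remote policy/route")
        else:
            advice = ("encrypting but never decrypting: raw ESP is likely dropped on the path; "
                      "set nattraversal forced on both ends, flush the tunnel and re-check")
    elif tun["enc_pkts"] == 0 and tun["dec_pkts"] == 0:
        status = "idle"
        advice = "nothing enters the tunnel: check route and policy with debug flow"
    else:
        status = "bidirectional"
        advice = "ESP flows both ways; look at end-host routing or the return policy instead"
    return {"ike_ports": (ike["local_port"], ike["remote_port"]),
            "esp_carrier": esp_carrier, "status": status, "advice": advice,
            "enc_pkts": tun["enc_pkts"], "dec_pkts": tun["dec_pkts"]}


if __name__ == "__main__":
    for label, ike, tun in (("before", IKE_BEFORE, TUNNEL_BEFORE),
                            ("after", IKE_AFTER, TUNNEL_AFTER)):
        r = diagnose(ike, tun)
        print(f"{label}: IKE {r['ike_ports']} ESP over {r['esp_carrier']} "
              f"enc={r['enc_pkts']} dec={r['dec_pkts']} -> {r['status']}: {r['advice']}")
```

On the "before" sample the script reports IKE on 500/500, ESP carried as IP protocol 50, and a one-way tunnel (encrypting, never decrypting), which is exactly the symptom this article addresses; on the "after" sample it reports 4500/4500 and bidirectional counters. The one-way case is worth confirming on the wire as well as in the counters: capturing the WAN interface with diagnose sniffer packet wan1 "ip proto 50 or udp port 4500" 4 0 l on the sending FortiGate, and the same filter on the receiving side, shows whether the encapsulated packets leave one box and never arrive at the other, which is the strongest evidence that something in between is dropping them.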

Related article:

Troubleshooting Tip: First steps to troubleshoot connectivity problems to or through a FortiGate wit...