FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
nsubramanian
Staff
Article Id 192006
Description
This article describes some common challenges of IPsec VPN troubleshooting.

Solution
A VPN connection has multiple stages that can be confirmed to ensure the connection is working properly.
It is easiest to check the final stage first: if it is successful, the earlier stages must already be working properly.
Otherwise, it is necessary to work back through the stages to see where the problem is located.

When a VPN connection is properly established, traffic will flow from one end to the other as if both ends were physically in the same place.
If the connection is working properly then any problems are likely problems with the applications.

On some FortiGates, such as the FortiGate 94D, it is not possible to ping over the IPsec tunnel without first setting a source-IP.
In this scenario, assign an IP address to the virtual IPsec VPN interface.

Anything sourced from the FortiGate going over the VPN will use this IP address.

If the egress/outgoing interface (determined by kernel route) has an IP address, then use the IP address of the egress/outgoing interface.
Otherwise, use the IP address of the first interface from the interface list (that has an IP address).

The first diagnostic command worth running, in any IPsec VPN troubleshooting situation, is the following:
# diagnose vpn tunnel list
This command is very useful for gathering statistical data such as the number of packets encrypted versus decrypted, the number of bytes sent versus received, the SPI identifier, etc.
This kind of information in the resulting output can make all the difference in determining the issue with the VPN.
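As an added example (not part of the Fortinet article), the script below parses a dump in the layout of `diagnose vpn tunnel list` and flags the conditions the counters reveal: a selector with `sa=0` (no phase 2 SA), and one-way tunnels where packets are decrypted but never encrypted or vice versa. The sample output is constructed to mimic the real layout; the tunnel names, addresses, SPIs and counters are invented, and the `assess` rules are the author's own interpretation of the counters, not Fortinet logic.

```python
"""Parse a 'diagnose vpn tunnel list' dump and flag tunnels that need attention."""
import re
from dataclasses import dataclass

# Constructed sample in the layout of the real command (values invented).
# to_branch: SA up, traffic both ways.  to_dc: no phase 2 SA.
# to_partner: SA up but only decrypting, i.e. return traffic never enters the tunnel.
SAMPLE = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=to_branch ver=2 serial=1 198.51.100.10:0->203.0.113.5:0 dst_mtu=1500
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
stat: rxp=1123 txp=1100 rxb=150000 txb=132000
proxyid=to_branch proto=0 sa=1 ref=2 serial=1
  src: 0:192.168.1.0/255.255.255.0:0
  dst: 0:192.168.2.0/255.255.255.0:0
  SA:  ref=3 options=10226 type=00 soft=0 mtu=1438 expire=42678/0B replaywin=2048
  dec: spi=3b3c1e5f esp=aes key=16 <redacted>
  enc: spi=9a8b7c6d esp=aes key=16 <redacted>
  dec:pkts/bytes=1123/150000, enc:pkts/bytes=1100/132000
------------------------------------------------------
name=to_dc ver=2 serial=2 198.51.100.10:0->203.0.113.9:0 dst_mtu=1500
stat: rxp=0 txp=0 rxb=0 txb=0
proxyid=to_dc proto=0 sa=0 ref=1 serial=1
  src: 0:192.168.1.0/255.255.255.0:0
  dst: 0:10.10.0.0/255.255.0.0:0
------------------------------------------------------
name=to_partner ver=1 serial=3 198.51.100.10:0->203.0.113.77:0 dst_mtu=1500
stat: rxp=540 txp=0 rxb=61000 txb=0
proxyid=to_partner proto=0 sa=1 ref=2 serial=1
  src: 0:192.168.1.0/255.255.255.0:0
  dst: 0:172.16.5.0/255.255.255.0:0
  dec:pkts/bytes=540/61000, enc:pkts/bytes=0/0
"""

NAME_RE = re.compile(
    r"^name=(?P<name>\S+).*?(?P<local>\d+(?:\.\d+){3}):\d+->(?P<peer>\d+(?:\.\d+){3}):\d+")
PROXY_RE = re.compile(r"^proxyid=(?P<pid>\S+).*?\bsa=(?P<sa>\d+)")
CTR_RE = re.compile(r"dec:pkts/bytes=(?P<dp>\d+)/\d+,\s*enc:pkts/bytes=(?P<ep>\d+)/\d+")


@dataclass
class Tunnel:
    name: str
    local: str
    peer: str
    sa: int = 0        # number of phase 2 SAs summed over all selectors
    dec_pkts: int = 0  # packets decrypted (received from the peer)
    enc_pkts: int = 0  # packets encrypted (sent to the peer)


def parse_tunnel_list(text: str) -> list:
    """Split the dump into one Tunnel per 'name=' block and collect SA and packet counters."""
    tunnels, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = NAME_RE.match(line)
        if m:
            cur = Tunnel(m["name"], m["local"], m["peer"])
            tunnels.append(cur)
            continue
        if cur is None:
            continue
        m = PROXY_RE.match(line)
        if m:                      # a tunnel may carry several phase 2 selectors
            cur.sa += int(m["sa"])
            continue
        m = CTR_RE.search(line)
        if m:
            cur.dec_pkts += int(m["dp"])
            cur.enc_pkts += int(m["ep"])
    return tunnels


def assess(tunnels: list) -> list:
    """Return (tunnel name, finding) pairs for tunnels whose counters indicate a problem."""
    findings = []
    for t in tunnels:
        if t.sa == 0:
            findings.append((t.name, "no phase 2 SA; check proposals and reachability of the peer"))
        elif t.dec_pkts and not t.enc_pkts:
            findings.append((t.name, "decrypting but not encrypting; return traffic is not routed into the tunnel"))
        elif t.enc_pkts and not t.dec_pkts:
            findings.append((t.name, "encrypting but not decrypting; the remote side sends nothing back"))
        elif not t.enc_pkts and not t.dec_pkts:
            findings.append((t.name, "SA up but no traffic yet"))
    return findings


if __name__ == "__main__":
    for name, finding in assess(parse_tunnel_list(SAMPLE)):
        print(f"{name}: {finding}")
```

Paste the real command output into `SAMPLE` (or read it from a file) to run it against a live FortiGate; a tunnel that decrypts without encrypting is the classic sign of a missing route or policy for the return traffic, while `sa=0` points back at phase 1/phase 2 negotiation, which is where the IKE debug below comes in.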

Another useful set of diagnostic commands is the IKE debug, filtered to a single peer:
# diag deb dis
# diag deb reset
# diagnose vpn ike log-filter clear
# diag vpn ike log-filter dst-addr4 x.x.x.x
# diag debug console timestamp enable
# diag debug application ike -1
# diag debug enable
Where x.x.x.x is the public IP address of the remote VPN peer.
After capturing the output, disable debugging with:
# diag deb dis
# diag deb reset
The IKE debug output shows whether a configuration mismatch between the peers is the cause, or whether there is a communication problem on the VPN ports or in reachability between the gateway IPs.
