Created on 01-02-2021 02:47 AM. Edited on 03-19-2025 06:21 AM. By Anthony_E.
Description
This article describes some common challenges of IPsec VPN.
Scope
FortiGate.
Solution
A VPN connection is established in several stages, and each can be checked to confirm the connection is working properly.
It is easiest to check the final stage first: if it succeeds, the earlier stages must already be working.
Otherwise, work back through the stages to find where the problem lies.
When a VPN connection is properly established, traffic will flow from one end to the other as if both ends were physically in the same place.
If the connection is working properly then any problems are likely problems with the applications.
On some FortiGates, such as the FortiGate 94D, it is not possible to ping over the IPsec tunnel without first setting a source-IP.
In this scenario, assign an IP address to the virtual IPsec VPN interface.
Anything sourced from the FortiGate going over the VPN will use this IP address.
If the egress/outgoing interface (determined by kernel route) has an IP address, then use the IP address of the egress/outgoing interface.
Otherwise, use the IP address of the first interface from the interface list (that has an IP address).
The first diagnostic command worth running, in any IPsec VPN troubleshooting situation, is the following:
diagnose vpn tunnel list
This command is very useful for gathering statistical data such as the number of packets encrypted versus decrypted, the number of bytes sent versus received, the SPI identifier, etc.
This kind of information in the resulting output can make all the difference in determining the issue with the VPN.
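The following is an added example, not part of the original article or of Fortinet's own tooling. It parses a constructed, abbreviated sample in the style of `diagnose vpn tunnel list` output (the field layout is an assumption for illustration; a real FortiGate prints more fields) and maps the enc/dec packet counters of each phase 2 selector to the stage a troubleshooter should look at next: no SA, an idle SA, one-way traffic, or a healthy tunnel.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the style of `diagnose vpn tunnel list` output.
# It is an abbreviated approximation built for this example, not captured
# from a real FortiGate; real output carries more fields per tunnel.
SAMPLE_OUTPUT = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=to_branch ver=2 serial=1 203.0.113.10:0->198.51.100.20:0 tun_id=198.51.100.20
proxyid_num=1 child_num=0 refcnt=11 ilast=3 olast=3 ad=/0
stat: rxp=1520 txp=1498 rxb=182400 txb=179760
proxyid=to_branch proto=0 sa=1 ref=2 serial=1
  src: 0:10.0.0.0/24:0
  dst: 0:10.1.0.0/24:0
  SA:  ref=3 options=10226 type=00 soft=0 mtu=1438 expire=42100/0B replaywin=2048
  dec: spi=1a2b3c4d esp=aes key=16 00000000000000000000000000000000
  enc: spi=5e6f7a8b esp=aes key=16 00000000000000000000000000000000
  dec:pkts/bytes=1520/182400, enc:pkts/bytes=1498/179760
------------------------------------------------------
name=to_dc ver=2 serial=2 203.0.113.10:0->192.0.2.40:0 tun_id=192.0.2.40
proxyid_num=2 child_num=0 refcnt=6 ilast=0 olast=0 ad=/0
stat: rxp=0 txp=310 rxb=0 txb=37200
proxyid=to_dc proto=0 sa=1 ref=2 serial=1
  src: 0:10.0.0.0/24:0
  dst: 0:10.2.0.0/24:0
  SA:  ref=3 options=10226 type=00 soft=0 mtu=1438 expire=42910/0B replaywin=2048
  dec: spi=9c8d7e6f esp=aes key=16 00000000000000000000000000000000
  enc: spi=0a1b2c3d esp=aes key=16 00000000000000000000000000000000
  dec:pkts/bytes=0/0, enc:pkts/bytes=310/37200
proxyid=to_dc_voice proto=0 sa=0 ref=1 serial=2
  src: 0:10.0.5.0/24:0
  dst: 0:10.2.5.0/24:0
"""

@dataclass
class Selector:
    name: str
    sa_count: int          # sa=N on the proxyid line; 0 means no phase 2 SA
    src: str = ""
    dst: str = ""
    enc_spi: str = ""
    dec_spi: str = ""
    enc_pkts: int = 0
    dec_pkts: int = 0

@dataclass
class Tunnel:
    name: str
    local_gw: str
    remote_gw: str
    selectors: list = field(default_factory=list)

NAME_RE = re.compile(r"^name=(\S+) .*?(\d+\.\d+\.\d+\.\d+):\d+->(\d+\.\d+\.\d+\.\d+):\d+")
PROXY_RE = re.compile(r"^proxyid=(\S+) proto=\d+ sa=(\d+)")
SEL_RE = re.compile(r"^\s+(src|dst): \d+:(\S+):\d+")
SPI_RE = re.compile(r"^\s+(enc|dec): spi=([0-9a-fA-F]+)")
CNT_RE = re.compile(r"dec:pkts/bytes=(\d+)/\d+, enc:pkts/bytes=(\d+)/\d+")

def parse_tunnel_list(text):
    """Split the text into tunnels and their proxyid (phase 2 selector) blocks."""
    tunnels, cur_t, cur_s = [], None, None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:                                   # new phase 1 tunnel block
            cur_t = Tunnel(m.group(1), m.group(2), m.group(3))
            tunnels.append(cur_t)
            cur_s = None
            continue
        m = PROXY_RE.match(line)
        if m and cur_t is not None:             # new phase 2 selector block
            cur_s = Selector(m.group(1), int(m.group(2)))
            cur_t.selectors.append(cur_s)
            continue
        if cur_s is None:
            continue
        m = SEL_RE.match(line)
        if m:
            setattr(cur_s, m.group(1), m.group(2))
            continue
        m = SPI_RE.match(line)
        if m:
            setattr(cur_s, f"{m.group(1)}_spi", m.group(2))
            continue
        m = CNT_RE.search(line)
        if m:
            cur_s.dec_pkts, cur_s.enc_pkts = int(m.group(1)), int(m.group(2))
    return tunnels

def assess(sel):
    """Map one selector's SA state and enc/dec counters to the stage to check next."""
    if sel.sa_count == 0:
        return "no-sa"         # phase 2 never came up: capture the IKE debug
    if sel.enc_pkts == 0 and sel.dec_pkts == 0:
        return "idle"          # SA is up but nothing enters it: route, policy, selectors
    if sel.enc_pkts > 0 and sel.dec_pkts == 0:
        return "one-way-out"   # we encrypt, nothing returns: remote routing/policy or path
    if sel.dec_pkts > 0 and sel.enc_pkts == 0:
        return "one-way-in"    # we only decrypt: local return route or policy
    return "healthy"

def report(text):
    """Return {(tunnel_name, selector_name): verdict} for every selector found."""
    return {(t.name, s.name): assess(s)
            for t in parse_tunnel_list(text) for s in t.selectors}

if __name__ == "__main__":
    for (tun, sel), verdict in report(SAMPLE_OUTPUT).items():
        print(f"{tun}/{sel}: {verdict}")
```

Paste real output into `SAMPLE_OUTPUT` (or read it from a file) and the verdicts point at the stage described above: a selector with `sa=0` sends you to the IKE debug, `one-way-out` to the remote side's routing and policy, and `idle` to the local route and firewall policy that should be steering traffic into the tunnel.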
Another appropriate diagnostic command worth trying is:
diag deb dis
diag deb reset
diagnose vpn ike log-filter clear
diag vpn ike log-filter dst-addr4 x.x.x.x
diag debug console timestamp enable
diag debug application ike -1
diag debug enable
Where x.x.x.x is the public IP address of the remote VPN peer. Starting from FortiOS 7.4.1, the 'diag vpn ike log-filter dst-addr4' command has been changed to 'diag vpn ike log-filter rem-addr4'.
After capturing the output, disable debugging:
diag deb dis
diag deb reset
To filter on multiple IPv4 remote gateway addresses, 'diagnose vpn ike log filter mrem-addr4' can be used. To list the options available after 'diagnose vpn ike log filter', append a question mark '?' to the command, as shown in the example below.
diagnose vpn ike log filter ?
list Display the current filter.
clear Erase the current filter.
vd Index of virtual domain. -1 matches all.
name Phase1 name to filter by.
ifindex Index of the interface that IKE connection is negotiated over.
loc-addr4 IPv4 local gateway address range to filter by.
mloc-addr4 Multiple IPv4 local gateway address to filter by.
rem-addr4 IPv4 remote gateway address range to filter by.
mrem-addr4 Multiple IPv4 remote gateway address to filter by.
loc-addr6 IPv6 local gateway address range to filter by.
mloc-addr6 Multiple IPv6 local gateway address to filter by.
rem-addr6 IPv6 remote gateway address range to filter by.
mrem-addr6 Multiple IPv6 remote gateway addresses to filter by.
dst-port Destination port range to filter by.
negate Negate existing setting of the specified filter parameter.
The debug output will show whether a configuration mismatch between the peers is the cause, or whether there is a communication issue, such as a problem with the VPN ports or a lack of reachability between the gateway IP addresses.