Created on 04-02-2019 06:33 AM Edited on 12-16-2021 02:57 AM By Anonymous
Description
The purpose of this article is to aid in troubleshooting VPN connectivity between two FortiGates.
In this scenario, the tunnel status of a site-to-site IPsec VPN between two FortiGates is down, and the IKE debug logs show the message "could not send IKE Packet":
ike 0:vpn:vpn: IPsec SA connect 4 10.40.51.195->10.5.25.62:500 negotiating
ike 0:vpn:53: cookie 2ae2ae5896ea5d2c/1e7553f5c32607ee:d6d107b8
ike 0:vpn:53:vpn:23: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0->0:0.0.0.0/0.0.0.0:0:0
ike 0:vpn:53: enc 2AE2AE5896EA5D2C1E7553F5C32607EE08102001D6D107B8000002240100002459E2867B3319F9D108E3FEABCF240FE46929EF771AEA9CEC5F0CBAFED5BDDFEB0A0000EC0000000100000001000000E001030407A9A8586303000020010C0000800100018002A8C08004000180060080800500028003000503000020020C0000800100018
ike 0:vpn:53: out 2AE2AE5896EA5D2C1E7553F5C32607EE08102001D6D107B80000022C26C6330BE556F5AD2A7572C7BD125FA424CC9CD1A11B3761AD613BD4848582C9F4AB9689DE373A88A7D218FD133E4A4ACE90DDE0BFB16A31DDA0CA105B3BEE2F8C073439B5D0CDEDB37628AB10FD83568947D09E611E07602903078F44AB65385DEC430E47B7F7FFF340A6A3C28C4F6622F0234CCDEEC72849A14D2BFFB2F0DD2078E66CEE0AA792F0988F739722318
ike 0:vpn:53: could not send IKE Packet(quick_i1send):10.40.51.195:500->10.5.25.62:500, len=556: error 101:Network is unreachable
Solution
The "could not send IKE Packet" message (error 101: Network is unreachable) indicates that there is no active static route from the local gateway interface bound to the phase1 to the remote gateway IP.
Scenario: IPsec site-to-site VPN between FortiGate A and FortiGate B.
On FortiGate A, the phase1 is configured with the backup WAN interface (wan2) as the local interface used to reach the remote gateway.
config vpn ipsec phase1-interface
edit "vpn"
set interface "wan2"
set peertype any
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set remote-gw 10.5.25.62
set psksecret ENC aVqCYg+r5OvgOrNLYqpfMYDdLq7fJig8+PNBuw52nSpdyni9L3Z758eER059TKlppo/oZUOlpzOl9pOx0gOcvv+/2EVSGDZR9ClxVkS5MUWY02bii+V+h+tlYEZvGViMsBGDlC961iYtfpNFl2dL9yCLJTdcKH1MiBfJb65GTwt/H82eXwXPD8U0iyiTod7IMzUd+g==
next
end
The current routing table on FortiGate A is:
# get router info routing-table details 10.5.25.62
Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 10, metric 0, best
* 10.40.31.254, via wan1 <- wan1 is the active route to the remote gateway because it has the lower distance.
Routing entry for 0.0.0.0/0
Known via "static", distance 15, metric 0
10.40.63.254, via wan2
The solution is to give the backup WAN interface (wan2) route the same distance as wan1 (10) together with a higher priority value, so that both routes are installed in the routing table while wan1 remains the preferred path:
config router static
edit 0
set gateway 10.40.63.254
set priority 10
set distance 10
set device wan2
next
end
# get router info routing-table details 10.5.25.62
Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 10, metric 0, best
* 10.40.31.254, via wan1
* 10.40.63.254, via wan2
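The check performed by hand above (is the interface bound to the phase1 an active next hop for the remote gateway?) can be automated against the text of "get router info routing-table details". The following Python is an added example, not Fortinet code or part of the original article; it assumes the output layout shown on this page, with a leading "*" marking a next hop that is installed in the forwarding table, and uses constructed copies of the before and after routing tables as input.

```python
"""Check whether the interface bound to an IPsec phase1 has an active route to the
remote gateway, by parsing 'get router info routing-table details <remote-gw>' output.
Added example; assumes the output layout shown in the article."""

import re

# Constructed sample: FortiGate A before the fix. The wan2 default route exists but
# has a higher distance (15) than the wan1 route (10), so only wan1 is active.
BEFORE_FIX = """\
Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 10, metric 0, best
* 10.40.31.254, via wan1
Routing entry for 0.0.0.0/0
Known via "static", distance 15, metric 0
  10.40.63.254, via wan2
"""

# Constructed sample: FortiGate A after both routes are set to distance 10.
AFTER_FIX = """\
Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 10, metric 0, best
* 10.40.31.254, via wan1
* 10.40.63.254, via wan2
"""

ENTRY_RE = re.compile(r'^Routing entry for (\S+)')
KNOWN_RE = re.compile(r'^Known via "(\w+)", distance (\d+), metric (\d+)(, best)?')
NEXTHOP_RE = re.compile(r'^(\*?)\s*(\d+\.\d+\.\d+\.\d+), via (\S+)')


def parse_route_details(text):
    """Return one dict per next hop: prefix, distance, gateway, device, active."""
    hops = []
    prefix = distance = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            prefix = m.group(1)
            continue
        m = KNOWN_RE.match(line)
        if m:
            distance = int(m.group(2))
            continue
        m = NEXTHOP_RE.match(line)
        if m and prefix is not None:
            hops.append({
                "prefix": prefix,
                "distance": distance,
                "gateway": m.group(2),
                "device": m.group(3),
                # A leading '*' marks a next hop installed in the forwarding table.
                "active": m.group(1) == "*",
            })
    return hops


def can_send_ike(route_text, phase1_interface):
    """True when the phase1's bound interface is an active next hop for the
    remote gateway; when this is False, IKE reports 'could not send IKE Packet'
    with error 101 (Network is unreachable)."""
    return any(h["active"] and h["device"] == phase1_interface
               for h in parse_route_details(route_text))


def explain(route_text, phase1_interface):
    """Human-readable diagnosis, including the distance to set so the backup
    route becomes active alongside the preferred one."""
    hops = parse_route_details(route_text)
    mine = [h for h in hops if h["device"] == phase1_interface]
    if not mine:
        return f"no route to the remote gateway via {phase1_interface}"
    if not any(h["active"] for h in mine):
        best = min(h["distance"] for h in hops if h["active"])
        return (f"route via {phase1_interface} exists but is inactive "
                f"(distance {mine[0]['distance']} > best {best}); "
                f"set its distance to {best} so both routes are installed")
    return f"active route via {phase1_interface}: IKE can be sent"


if __name__ == "__main__":
    print(explain(BEFORE_FIX, "wan2"))
    print(explain(AFTER_FIX, "wan2"))
```

Run it as-is to see the diagnosis for both tables, or feed it the real command output captured from the FortiGate together with the interface named in "set interface" of the phase1. The distance comparison is what matters: equalising the distance installs both next hops, and the priority value then decides which one is preferred.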