FortiGate
nithincs (Staff)
Article Id 191320

Description
The purpose of this article is to aid in troubleshooting VPN connectivity between two FortiGates.
In this scenario a site-to-site VPN tunnel between two FortiGates is down, and the IKE debug logs show the message "could not send IKE Packet":

ike 0:vpn:vpn: IPsec SA connect 4 10.40.51.195->10.5.25.62:500 negotiating
ike 0:vpn:53: cookie 2ae2ae5896ea5d2c/1e7553f5c32607ee:d6d107b8
ike 0:vpn:53:vpn:23: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0->0:0.0.0.0/0.0.0.0:0:0
ike 0:vpn:53: enc 2AE2AE5896EA5D2C1E7553F5C32607EE08102001D6D107B8000002240100002459E2867B3319F9D108E3FEABCF240FE46929EF771AEA9CEC5F0CBAFED5BDDFEB0A0000EC0000000100000001000000E001030407A9A8586303000020010C0000800100018002A8C08004000180060080800500028003000503000020020C0000800100018
ike 0:vpn:53: out 2AE2AE5896EA5D2C1E7553F5C32607EE08102001D6D107B80000022C26C6330BE556F5AD2A7572C7BD125FA424CC9CD1A11B3761AD613BD4848582C9F4AB9689DE373A88A7D218FD133E4A4ACE90DDE0BFB16A31DDA0CA105B3BEE2F8C073439B5D0CDEDB37628AB10FD83568947D09E611E07602903078F44AB65385DEC430E47B7F7FFF340A6A3C28C4F6622F0234CCDEEC72849A14D2BFFB2F0DD2078E66CEE0AA792F0988F739722318
ike 0:vpn:53: could not send IKE Packet(quick_i1send):10.40.51.195:500->10.5.25.62:500, len=556: error 101:Network is unreachable


Solution
The "could not send IKE Packet" message indicates that there is no active static route from the local gateway interface (the interface bound to the phase1) to the remote gateway IP.

Scenario: IPsec site-to-site VPN between FortiGate A and FortiGate B.

FortiGate A is configured with the backup WAN interface (wan2) as the local interface used to reach the remote gateway:

config vpn ipsec phase1-interface
    edit "vpn"
        set interface "wan2"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 10.5.25.62
        set psksecret ENC aVqCYg+r5OvgOrNLYqpfMYDdLq7fJig8+PNBuw52nSpdyni9L3Z758eER059TKlppo/oZUOlpzOl9pOx0gOcvv+/2EVSGDZR9ClxVkS5MUWY02bii+V+h+tlYEZvGViMsBGDlC961iYtfpNFl2dL9yCLJTdcKH1MiBfJb65GTwt/H82eXwXPD8U0iyiTod7IMzUd+g==
    next
end
The current routing table on FortiGate A for the remote gateway is:
# get router info routing-table details 10.5.25.62
Routing table for VRF=0
Routing entry for 0.0.0.0/0
  Known via "static", distance 10, metric 0, best
  * 10.40.31.254, via wan1    <- wan1 is the active route to the remote gateway because of its lower distance.
Routing entry for 0.0.0.0/0
  Known via "static", distance 15, metric 0
    10.40.63.254, via wan2


To avoid this situation, give the backup WAN interface (wan2) static route the same distance as wan1, i.e. 10, with a higher priority value. With equal distances both routes stay active in the routing table, and the priority decides which one is preferred.
config router static
    edit <seq-num>    (sequence number of the existing wan2 default route)
        set gateway 10.40.63.254
        set priority 10
        set distance 10
        set device wan2
    next
end
# get router info routing-table details 10.5.25.62
Routing table for VRF=0
Routing entry for 0.0.0.0/0
  Known via "static", distance 10, metric 0, best
  * 10.40.31.254, via wan1
  * 10.40.63.254, via wan2
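As an added example (not part of the article), the following Python check parses the `get router info routing-table details` output shown above and reports whether the interface bound to the phase1 actually has an active route to the remote gateway. The two sample outputs are constructed copies of the before and after tables above, with the annotation removed.

```python
import re

# Constructed copy of the routing table before the fix (wan2 route inactive).
BEFORE = """Routing table for VRF=0
Routing entry for 0.0.0.0/0
  Known via "static", distance 10, metric 0, best
  * 10.40.31.254, via wan1
Routing entry for 0.0.0.0/0
  Known via "static", distance 15, metric 0
    10.40.63.254, via wan2
"""

# Constructed copy of the routing table after the fix (both routes active).
AFTER = """Routing table for VRF=0
Routing entry for 0.0.0.0/0
  Known via "static", distance 10, metric 0, best
  * 10.40.31.254, via wan1
  * 10.40.63.254, via wan2
"""

def parse_routing_details(text):
    """Return (gateway, device, distance, active) tuples.
    A next hop is 'active' only when it sits under an entry marked 'best'
    and carries the '*' flag, i.e. FortiOS will actually forward via it."""
    routes, best, distance = [], False, None
    for line in text.splitlines():
        m = re.search(r'Known via "\w+", distance (\d+), metric \d+(, best)?', line)
        if m:
            distance, best = int(m.group(1)), m.group(2) is not None
            continue
        m = re.search(r'^\s*(\*?)\s*([\d.]+), via (\S+)', line)
        if m:
            routes.append((m.group(2), m.group(3), distance, best and m.group(1) == '*'))
    return routes

def check_phase1_route(text, phase1_interface):
    """Diagnose the 'Network is unreachable' condition: IKE can only be sent
    from the phase1 interface if that interface has an active route."""
    for gw, dev, dist, active in parse_routing_details(text):
        if dev == phase1_interface:
            if active:
                return True, f"{dev} via {gw} is active (distance {dist})"
            return False, f"{dev} via {gw} is present but inactive (distance {dist}); IKE cannot be sent"
    return False, f"no route via {phase1_interface} in the table"

if __name__ == "__main__":
    print(check_phase1_route(BEFORE, "wan2"))
    print(check_phase1_route(AFTER, "wan2"))
```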