FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
alif
Staff
Staff
Article Id 189536

Description


This article explains the use of auto-negotiate and keepalive options under IPsec VPN phase2 settings.

 

Scope

 

FortiGate.


Solution

 

Autokey Keep Alive: Enable the option to remain the tunnel active when no data is being processed.
The Phase-2 SA has a fixed duration. If there is traffic on the VPN as the SA nears expiry, a new SA is negotiated and the VPN switches to the new SA without interruption.


If there is no traffic, however, the SA expires (by default) and phase-2 goes down.
A new SA will not be generated until there is traffic.

The Autokey Keep Alive option ensures that a new Phase 2 SA is negotiated, even if there is no traffic so that the VPN tunnel stays up.


Auto-negotiate: Enable the option to automatically renegotiate the tunnel when the tunnel expires.
By default, the phase 2 security association (SA) is not negotiated until a peer attempts to send data. The triggering packet and some subsequent packets are dropped until the SA is established.

Applications normally resend this data, so there is no loss, but there might be a noticeable delay in response to the user.

If the tunnel goes down, the auto-negotiate feature (when enabled) attempts to re-establish the tunnel.
Auto-negotiate initiates the phase-2 SA negotiation automatically, repeating every five seconds until the SA is established.

Automatically establishing the SA can be important for a dial-up peer. It ensures that the VPN tunnel is available for peers at the server end to initiate traffic to the dial-up peer. 

Otherwise, the VPN tunnel does not exist until the dial-up peer initiates traffic.

To configure auto-negotiate:

 

Policy-based IPsec VPN.

 

config vpn ipsec phase2
    edit <phase2_name>
        set auto-negotiate enable

        set keepalive enable
    next
end

 

Route-based IPsec VPN.

 

config vpn ipsec phase2-interface
    edit <phase2_name>
        set auto-negotiate enable

        set keepalive enable
    next
end

 

To configure via GUI:


PHASE2_GUI.JPG

 

Auto-negotiation and keepalive are disabled by default on the FortiGate. 

However, keepalive gets implicitly enabled once auto-negotiation is enabled.

 

CLI Troubleshooting:

 

diagnose debug application ike -1
diagnose debug enable
 
For detailed IKE debug:

diag sniffer packet any ' port 500 or port 4500 ' 4 0 l
 
For Packet flow:
 

Note:

Enabling auto-negotiation is not possible for dial-up IPsec VPN tunnels.

Related document:

Phase 2 configuration - FortiGate administration guide.