Description
This article explains the use of auto-negotiate and keepalive options under IPsec VPN phase2 settings.
Scope
FortiGate.
Solution
The option below can be used if there is no interesting traffic towards the tunnel. However, if there is interesting traffic towards the tunnel, the tunnel negotiation will occur automatically.
Autokey Keep Alive: Enable the option to keep the tunnel active when no data is being processed.
The Phase-2 SA has a fixed duration. If there is traffic on the VPN as the SA nears expiry, a new SA is negotiated and the VPN switches to the new SA without interruption.
However, if there is no traffic, the SA expires (by default) and phase-2 goes down.
A new SA will not be generated until there is traffic.
The Autokey Keep Alive option ensures that a new Phase 2 SA is negotiated, even if there is no traffic, so the VPN tunnel stays up.
Auto-negotiate: Enable the option to automatically renegotiate the tunnel when the tunnel expires.
By default, the phase 2 security association (SA) is not negotiated until a peer attempts to send data. The triggering packet and some subsequent packets are dropped until the SA is established.
Applications normally resend this data, so there is no loss, but there might be a noticeable delay in response to the user.
If the tunnel goes down, the auto-negotiate feature (when enabled) attempts to re-establish the tunnel.
Auto-negotiate initiates the phase-2 SA negotiation automatically, repeating every five seconds until the SA is established.
Automatically establishing the SA can be important for a dial-up peer. It ensures that the VPN tunnel is available for peers at the server end to initiate traffic to the dial-up peer.
If auto-negotiation is enabled at both FortiGates, either side can renegotiate the phase 2 security association (SA) to keep the IPsec VPN tunnel active. Hence, enabling auto-negotiation at both ends would be a good practice.
Otherwise, the VPN tunnel does not exist until the dial-up peer initiates traffic.
To configure auto-negotiate:
Policy-based IPsec VPN.
config vpn ipsec phase2
edit <phase2_name>
set auto-negotiate enable
set keepalive enable
next
end
Route-based IPsec VPN.
config vpn ipsec phase2-interface
edit <phase2_name>
set auto-negotiate enable
set keepalive enable
next
end
To configure via GUI:
Auto-negotiation and keepalive are disabled by default on the FortiGate.
However, keepalive gets implicitly enabled once auto-negotiation is enabled.
CLI Troubleshooting:
diagnose debug application ike -1
diagnose debug enable
For detailed IKE debug:
diag sniffer packet any ' port 500 or port 4500 ' 4 0 l
For Packet flow:
Note:
Auto-negotiation cannot be enabled in the case of a Dial-up IPsec VPN tunnel because, in this scenario, the FortiGate can never be the initiator. The ISAKMP or IKE requests are always initiated from the user end when they try to connect.
Related document:
