FortiGate
alif
Staff
Article Id 189536

Description


This article explains the use of auto-negotiate and keepalive options under IPsec VPN phase2 settings.

 

Scope

 

FortiGate.


Solution

 

The options below are useful when there is no interesting traffic destined for the tunnel. If there is interesting traffic, tunnel negotiation is triggered automatically.

 

  • Autokey Keep Alive: Enable the option to keep the tunnel active when no data is being processed.
    The Phase-2 SA has a fixed duration. If there is traffic on the VPN as the SA nears expiry, a new SA is negotiated and the VPN switches to the new SA without interruption.

However, if there is no traffic, the SA expires (by default) and Phase 2 goes down. A new SA will not be generated until there is traffic.

The Autokey Keep Alive option ensures that a new Phase 2 SA is negotiated even if there is no traffic, so the VPN tunnel stays up.

 

  • Auto-negotiate: Enable the option to automatically renegotiate the tunnel when the tunnel expires.
    By default, the phase 2 security association (SA) is not negotiated until a peer attempts to send data. The triggering packet and some subsequent packets are dropped until the SA is established.

Applications normally resend this data, so there is no loss, but there might be a noticeable delay in response to the user.

If the tunnel goes down, the auto-negotiate feature (when enabled) attempts to re-establish the tunnel.
Auto-negotiate initiates the phase-2 SA negotiation automatically, repeating every five seconds until the SA is established.

Automatically establishing the SA can be important for a dial-up peer. It ensures that the VPN tunnel is available for peers at the server end to initiate traffic to the dial-up peer. 

If auto-negotiation is enabled at both FortiGates, either side can renegotiate the phase 2 security association (SA) to keep the IPsec VPN tunnel active. Hence, enabling auto-negotiation at both ends would be a good practice.

Auto-negotiation is necessary when setting up the tunnel for the first time, as the absence of traffic might prevent Phase 2 from being initiated. This requirement also applies to Site-to-Site tunnels.

 

Without auto-negotiate, the VPN tunnel does not exist until the dial-up peer initiates traffic.

To configure auto-negotiate:

 

Policy-based IPsec VPN:

config vpn ipsec phase2
    edit <phase2_name>
        set auto-negotiate enable
        set keepalive enable
    next
end

 

Route-based IPsec VPN:

config vpn ipsec phase2-interface
    edit <phase2_name>
        set auto-negotiate enable
        set keepalive enable
    next
end

 

To configure via GUI:


[Screenshot: Phase 2 settings in the GUI (PHASE2_GUI.JPG)]

 

Auto-negotiation and keepalive are disabled by default on the FortiGate. However, keepalive gets implicitly enabled once auto-negotiation is enabled.
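As an added example (not Fortinet's code), the following Python script parses the phase2 / phase2-interface sections of a constructed FortiGate configuration backup and reports which Phase 2 entries would not renegotiate an expired SA on their own, applying the defaults and the implicit-keepalive rule stated above. The tunnel names in the sample are invented.

```python
import re
# Constructed sample FortiGate configuration backup (not taken from a real device).
SAMPLE_CONFIG = """\
config vpn ipsec phase2-interface
    edit "HQ-to-Branch"
        set phase1name "HQ-to-Branch"
        set auto-negotiate enable
    next
    edit "HQ-to-DC"
        set phase1name "HQ-to-DC"
        set keepalive enable
    next
    edit "HQ-to-Lab"
        set phase1name "HQ-to-Lab"
    next
end
"""

def parse_phase2(config_text):
    """Return {name: {setting: value}} for each phase2 / phase2-interface entry."""
    entries, current, in_phase2 = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line in ("config vpn ipsec phase2", "config vpn ipsec phase2-interface"):
            in_phase2 = True
        elif line == "end":
            in_phase2 = False
        elif in_phase2:
            m = re.match(r'edit "?([^"]+)"?$', line)
            if m:
                current = m.group(1)
                entries[current] = {}
            elif line == "next":
                current = None
            elif current is not None and line.startswith("set "):
                key, _, value = line[4:].partition(" ")
                entries[current][key] = value.strip('"')
    return entries

def effective_settings(settings):
    """Both options default to disabled; keepalive is implied once auto-negotiate is enabled."""
    auto = settings.get("auto-negotiate", "disable") == "enable"
    keepalive = auto or settings.get("keepalive", "disable") == "enable"
    return {"auto-negotiate": auto, "keepalive": keepalive}

def audit(config_text):
    """Names of Phase 2 entries that will not renegotiate an expired SA while idle."""
    return sorted(n for n, s in parse_phase2(config_text).items()
                  if not effective_settings(s)["auto-negotiate"])
```

Entries on the dial-up server side are expected to lack auto-negotiate (see the note at the end of this article), so treat the reported names as candidates to review rather than errors.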

 

Refer below to configure Auto-negotiation and keepalive settings in v7.6 via GUI:

 

[Screenshots: Phase 2 selector settings in the v7.6 GUI (99.PNG, 100.PNG)]

 

Note:

In v7.6, the keepalive options become visible after editing the individual selector within Phase2.

 

CLI Troubleshooting

 

For detailed IKE debug:

diagnose debug reset
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable

To stop the debugging, use the following two commands. They can be typed while the log is still filling up, as the CLI session still accepts keyboard input:

diagnose debug disable
diagnose debug reset

For packet flow:

diagnose sniffer packet any ' port 500 or port 4500 ' 4 0 l

Press Ctrl + C to stop the packet capture.

Note:

Auto-negotiation cannot be enabled on the FortiGate side of a dial-up IPsec VPN tunnel because, in this scenario, the FortiGate can never be the initiator. The ISAKMP or IKE requests are always initiated from the user end when trying to connect.

Related documents:

Phase 2 configuration - FortiGate administration guide

Troubleshooting Tip: Troubleshooting IPsec Site-to-Site Tunnel Connectivity

Troubleshooting Tip: IPsec VPN tunnels

Phase 2 configuration | FortiGate / FortiOS 7.6.4 | Fortinet Document Library