FortiGate
saleha
Staff
Article Id 333632
Description

This article describes how to troubleshoot a scenario in which ESP packets from a remote gateway are let through by the ISP and reach the FortiGate, but the FortiGate sends no response back to the remote gateway that initiated the traffic. This is most often seen when a VPN client (or remote peer) connects to a dial-up IPsec server on the FortiGate.

Scope

FortiGate, IPsec tunnels.
Solution

There can be several causes for this behaviour on a FortiGate. Work through the following checks and fixes in order:

 

  • Make sure routing is not the issue by checking the routing table. The FortiGate must have a route back to the remote gateway that leaves via the interface on which the IKE/ESP traffic arrives; otherwise the reply is sent out of a different interface (or dropped) and the peer never sees it:

get router info routing-table all

get router info routing-table details x.x.x.x <- Remote gateway IP.

 

  • Check that this traffic actually reaches the FortiGate's incoming interface by running a sniffer filtered on the remote gateway address. Verbose level 4 prints the interface name and the direction (in/out), so both the incoming packets and any reply leaving the FortiGate are visible:

diagnose sniffer packet any "host x.x.x.x" 4 0 l

diagnose sniffer packet any "port 500 or port 4500" 4 0 l

The second filter only catches IKE and NAT-T traffic (UDP 500/4500). ESP that is not NAT-T encapsulated is IP protocol 50 and has no port, so rely on the host filter to see it.

 

  • Check whether encryption and decryption are actually happening on the IPsec tunnel. In the tunnel list output, compare the dec:pkts/bytes and enc:pkts/bytes counters: decryption counters rising while encryption counters stay at zero means the inbound ESP is processed but nothing is being sent back:

get vpn ipsec tunnel summary

diagnose vpn tunnel list name <phase1-name>

 

  • If the packets are arriving but are not being encrypted/decrypted, disable NPU offload on the IPsec tunnel to rule out the hardware crypto path. This moves encryption to the CPU, so expect lower throughput; use it to isolate the problem and re-enable it once the cause is found. Re-establish the tunnel afterwards so the new SAs are installed without offload:

config vpn ipsec phase1-interface

edit <phase1-name>

set npu-offload disable

end

 

  • When a VIP (Virtual IP) is deployed on specific FortiOS versions with an external IP address that belongs to the FortiGate itself (see the matching releases in this article) and both of the following conditions apply:
  1. The VIP's external IP is the same as the local gateway IP of the IPsec tunnel.
  2. The VIP is configured for all ports (no port forwarding), so it also covers UDP 500 and 4500.

In that case the VIP can match IKE/ESP traffic that is addressed to the FortiGate itself and forward it to the mapped host instead of the FortiGate's own IKE daemon. Modify the VIP to use port forwarding for only the ports the internal server needs or, if possible, give it a different external address than the IPsec local gateway/source interface IP:

config firewall vip

edit <vip>

set extip y.y.y.y <- Different from the IPsec local gateway IP.

next

end

Or:

config firewall vip

edit <vip>

set portforward enable

set portmapping-type 1-to-1

set extport xxxx <- Only the port(s) the internal server needs; not 500 or 4500.

set mappedport xxxx

next

end

 

  • Use the flow debug to check whether the traffic is being blocked by a policy, dropped for lack of a route, or diverted by a VIP/DNAT. Run diagnose debug reset again when finished to stop the debug and clear the filters:

diagnose debug reset 

diagnose debug flow filter addr x.x.x.x <- Remote gateway IP.

diagnose debug flow show function-name enable 

diagnose debug flow trace start 10 

diagnose debug console time enable 

diagnose debug enable 

 

  • Run the IKE debug as a standard troubleshooting step. Filter on the remote gateway so only the affected peer's negotiation is logged; the filter keyword depends on the FortiOS version:

diagnose debug reset

diagnose vpn ike log-filter dst-addr4 x.x.x.x <- FortiOS 7.2 and earlier.

diagnose vpn ike log filter rem-addr4 x.x.x.x <- FortiOS 7.4 and later.

diagnose debug application ike -1

diagnose debug console time enable

diagnose debug enable
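The sniffer step above is the quickest way to see the symptom this article is about: ESP (IP protocol 50) arriving from a peer with no ESP leaving towards it. The following added example is not from the Fortinet article; it is a small Python parser that runs over verbose-level-4 sniffer output and, per remote gateway, counts IKE (UDP 500), NAT-T (UDP 4500) and ESP packets in each direction, then flags peers whose ESP arrives without anything being sent back. The sample capture is constructed, and the exact line layout (timestamp, interface, in/out, src -> dst, protocol, length) is assumed from typical output of diagnose sniffer packet ... 4 0 l; adjust the regular expression if your unit prints it differently.

```python
import re
from collections import defaultdict

# Constructed sample of `diagnose sniffer packet any "host ..." 4 0 l` output
# (not a real capture). Peer 203.0.113.5 completes IKE but gets no ESP back;
# peer 192.0.2.77 is healthy. Line layout is an assumption, see lead-in.
SAMPLE_SNIFFER_OUTPUT = """\
interfaces=[any]
filters=[host 203.0.113.5 or host 192.0.2.77]
2024-06-10 10:15:01.100000 wan1 in 203.0.113.5.500 -> 198.51.100.1.500: udp 432
2024-06-10 10:15:01.100900 wan1 out 198.51.100.1.500 -> 203.0.113.5.500: udp 448
2024-06-10 10:15:02.000000 wan1 in 203.0.113.5 -> 198.51.100.1: ip-proto-50 156
2024-06-10 10:15:02.500000 wan1 in 203.0.113.5 -> 198.51.100.1: ip-proto-50 156
2024-06-10 10:15:03.000000 wan1 in 203.0.113.5 -> 198.51.100.1: ip-proto-50 156
2024-06-10 10:15:04.000000 wan1 in 192.0.2.77.500 -> 198.51.100.1.500: udp 432
2024-06-10 10:15:04.000800 wan1 out 198.51.100.1.500 -> 192.0.2.77.500: udp 448
2024-06-10 10:15:05.000000 wan1 in 192.0.2.77 -> 198.51.100.1: ip-proto-50 172
2024-06-10 10:15:05.001000 wan1 out 198.51.100.1 -> 192.0.2.77: ip-proto-50 172
"""

# One verbose-4 packet line: "<date> <time> <iface> <in|out> <src>[.<port>] -> <dst>[.<port>]: <proto> <len>"
LINE_RE = re.compile(
    r"^\S+ \S+ "                                   # date and time (timestamp format 'l')
    r"(?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: "
    r"(?P<proto>\S+) (?P<len>\d+)$"
)

KINDS = ("ike", "natt", "esp")


def classify(m):
    """Map a parsed line to IKE (UDP 500), NAT-T (UDP 4500) or raw ESP (IP proto 50)."""
    if m["proto"] == "ip-proto-50":
        return "esp"
    if m["proto"] == "udp":
        ports = {m["sport"], m["dport"]}
        if "500" in ports:
            return "ike"
        if "4500" in ports:
            return "natt"  # carries IKE and UDP-encapsulated ESP; the summary line cannot tell them apart
    return None


def parse_sniffer(text):
    """Return {peer_ip: {kind: {"in": n, "out": n}}}; the peer is src for 'in' and dst for 'out'."""
    counters = defaultdict(lambda: {k: {"in": 0, "out": 0} for k in KINDS})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header lines such as interfaces=[...] / filters=[...]
        kind = classify(m)
        if kind is None:
            continue
        peer = m["src"] if m["dir"] == "in" else m["dst"]
        counters[peer][kind][m["dir"]] += 1
    return dict(counters)


def diagnose(counters):
    """Per peer: 'esp_no_reply', 'ike_no_reply' or 'ok'."""
    verdicts = {}
    for peer, c in counters.items():
        # ESP arrives but no ESP (raw or NAT-T) leaves: the symptom this article covers.
        if c["esp"]["in"] and not (c["esp"]["out"] or c["natt"]["out"]):
            verdicts[peer] = "esp_no_reply"
        # IKE arrives but the FortiGate never answers: look at the IKE debug instead.
        elif (c["ike"]["in"] or c["natt"]["in"]) and not (c["ike"]["out"] or c["natt"]["out"]):
            verdicts[peer] = "ike_no_reply"
        else:
            verdicts[peer] = "ok"
    return verdicts


if __name__ == "__main__":
    counts = parse_sniffer(SAMPLE_SNIFFER_OUTPUT)
    for peer, verdict in sorted(diagnose(counts).items()):
        c = counts[peer]
        print(f"{peer}: ike in/out={c['ike']['in']}/{c['ike']['out']} "
              f"esp in/out={c['esp']['in']}/{c['esp']['out']} -> {verdict}")
```

Paste the sniffer output into a file and feed it to parse_sniffer; a peer reported as esp_no_reply is the case to follow up with the routing-table, tunnel-list (enc/dec counters), NPU-offload and VIP checks above, while ike_no_reply points at the IKE debug. Because a UDP 4500 reply can be either IKE or NAT-T ESP, the check treats any outbound 4500 as a reply; for NAT-T peers confirm with the enc:pkts counter in diagnose vpn tunnel list.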