Solution
When the firewall policy has srcintf 'lan' and dstintf 'wan', the IPsec VPN does not connect. No policy references the tunnel interface 'testvpn', so IKE ignores the request to establish the IPsec SA.
- Policy setting:
config firewall policy
    edit 1
        set srcintf "lan"
        set dstintf "wan"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
- IPsec VPN interface setting:
config vpn ipsec phase1-interface
    edit "testvpn"
        set interface "wan"
        set peertype any
        set net-device disable
        set proposal aes256-sha1
        set localid "test"
        set dhgrp 14
        set nattraversal disable
        set remote-gw x.x.x.x
        set psksecret ENC 1SJF60aUvJNhyvjv4Q7y13H3tfz6gzHBGeA0KBgM46jY61huSHe7SbYK3h5njWmVZHQdizSZLzjSkppTERJTmt+dL+YDKvMnIhiw4v3e+xIUIr/zkHJ5HeRLa1IjoYm6QgfOJHZwe7ARPA/9cjXGo5UWdMzfHJR+TUfYrFIhKCmQMSeDaxa8hD5bjWzK6GDZYpd92w==
    next
end
config vpn ipsec phase2-interface
    edit "testvpn"
        set phase1name "testvpn"
        set proposal aes256-sha256
        set pfs disable
        set replay disable
        set auto-negotiate enable
        set src-subnet 192.168.1.0 255.255.255.0
    next
end
- IKE debug:
ike 0:testvpn:testvpn: IPsec SA connect 5 x.x.x.y->x.x.x.x:0
ike 0:testvpn: ignoring request to establish IPsec SA, no policy configured
ike 0:testvpn: gw negotiation timeout
ike 0:testvpn:testvpn: IPsec SA connect 5 x.x.x.y->x.x.x.x:0
ike 0:testvpn: ignoring request to establish IPsec SA, no policy configured
Changing srcintf in the firewall policy from 'lan' to an interface named 'a' (still not the IPsec tunnel interface 'testvpn') makes the VPN establish:
- Policy setting:
config firewall policy
    edit 1
        set uuid c34e5230-c96f-51ef-3cb3-a40da69c7a46
        set srcintf "a"                 <----- 'lan' changed to 'a'.
        set dstintf "wan"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
- IKE debug (the IPsec VPN connects):
ike change cfg 1 interface 0 router 0 certs 0
ike config update start
ike ike_embryonic_conn_limit = 1000
ike ikecrypt DH multi-process enabled
ike 0: sync=no FGCP:disabled role:master, FGSP:disabled id:0 slave-add-routes:disabled
ike 0:testvpn: local-addr x.x.x.y
ike 0:testvpn: oif 5, vrf 0
ike 0:testvpn: schedule auto-negotiate
ike config update done
ike 0:testvpn:testvpn: IPsec SA connect 5 x.x.x.y->x.x.x.x:0
ike 0: cache rebuild start
ike 0:testvpn: local:x.x.x.y, remote:x.x.x.x
ike 0:testvpn: cached as static-ddns.
ike 0: cache rebuild done
ike 0:testvpn:testvpn: config found
ike 0:testvpn: created connection: 0x8db63c0 5 x.x.x.y->x.x.x.x:500.
ike 0:testvpn: IPsec SA connect 5 x.x.x.y->x.x.x.x:500 negotiating
ike 0:testvpn: no suitable ISAKMP SA, queuing quick-mode request and initiating ISAKMP SA negotiation
ike 0:testvpn:3: initiator: main mode is sending 1st message...
ike 0:testvpn:3: cookie 0753808dc38fd111/0000000000000000
ike 0:testvpn:3: out 0753808DC38FD11100000000000000000110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E010080030001800200028004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:testvpn:3: sent IKE msg (ident_i1send): x.x.x.y:500->x.x.x.x:500, len=172, vrf=0, id=0753808dc38fd111/0000000000000000
ike 0: comes x.x.x.x:500->x.x.x.y:500,ifindex=5,vrf=0....
ike 0: IKEv1 exchange=Identity Protection id=0753808dc38fd111/c2e0aa44a6e4223c len=172 vrf=0
ike 0: in 0753808DC38FD111C2E0AA44A6E4223C0110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E010080030001800200028004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:testvpn:3: initiator: main mode get 1st response...
ike 0:testvpn:3: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:testvpn:3: DPD negotiated
ike 0:testvpn:3: VID FORTIGATE 8299031757A36082C6A621DE00000000
ike 0:testvpn:3: peer is FortiGate/FortiOS (v0 b0)
ike 0:testvpn:3: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike 0:testvpn:3: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:testvpn:3: negotiation result
ike 0:testvpn:3: proposal id = 1:
ike 0:testvpn:3: protocol id = ISAKMP:
ike 0:testvpn:3: trans_id = KEY_IKE.
ike 0:testvpn:3: encapsulation = IKE/none
ike 0:testvpn:3: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:testvpn:3: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:testvpn:3: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:testvpn:3: type=OAKLEY_GROUP, val=MODP2048.
ike 0:testvpn:3: ISAKMP SA lifetime=86400
ike 0:testvpn:3: generate DH public value request queued
ike 0:testvpn:3: out ...
ike 0:testvpn:3: sent IKE msg (ident_i2send): x.x.x.y:500->x.x.x.x:500, len=308, vrf=0, id=0753808dc38fd111/c2e0aa44a6e4223c
ike 0: comes x.x.x.x:500->x.x.x.y:500,ifindex=5,vrf=0....
ike 0: IKEv1 exchange=Identity Protection id=0753808dc38fd111/c2e0aa44a6e4223c len=308 vrf=0
ike 0: in ...
ike 0:testvpn:3: initiator: main mode get 2nd response...
ike 0:testvpn:3: nat unavailable
ike 0:testvpn:3: compute DH shared secret request queued
ike 0:testvpn:3: ISAKMP SA 0753808dc38fd111/c2e0aa44a6e4223c key 32:3BAE9165C1816E6D51D332253B6122097C50D4B75DDF76289F21C5FF0E3707ED
ike 0:testvpn:3: add INITIAL-CONTACT
ike 0:testvpn:3: enc 0753808DC38FD111C2E0AA44A6E4223C05100201000000000000005B0800000B02000000736A770B00001825D77867FE53EC5165D686AA5B3833B09E3487640000001C00000001011060020753808DC38FD111C2E0AA44A6E4223C
ike 0:testvpn:3: out 0753808DC38FD111C2E0AA44A6E4223C05100201000000000000005CA63E6D490E28E57263FC0BD3663F5558D87C9B54BFDB9B31B87AF1A1D2BAA58E5A3C5509BB1F013AF18CA11ADE70F92CC1B699934A1D7C9B233E1F8184CA1166
ike 0:testvpn:3: sent IKE msg (ident_i3send): x.x.x.y:500->x.x.x.x:500, len=92, vrf=0, id=0753808dc38fd111/c2e0aa44a6e4223c
ike 0: comes x.x.x.x:500->x.x.x.y:500,ifindex=5,vrf=0....
ike 0: IKEv1 exchange=Identity Protection id=0753808dc38fd111/c2e0aa44a6e4223c len=76 vrf=0
ike 0: in 0753808DC38FD111C2E0AA44A6E4223C05100201000000000000004CCBCBCE6A3604769BE50BD6B1C20B7F0C33696AFC3DAF2F41F30F8553948311056F958A22864403DE1115ABC67DF5E516
ike 0:testvpn:3: initiator: main mode get 3rd response...
ike 0:testvpn:3: dec 0753808DC38FD111C2E0AA44A6E4223C05100201000000000000004C0800000C01000000AC100A010000001821D677AE8FAE906F636992EFDAE6E6629D040AD47B9D0465AB9F185516AFF90B
ike 0:testvpn:3: peer identifier IPV4_ADDR x.x.x.x
ike 0:testvpn:3: PSK authentication succeeded
ike 0:testvpn:3: authentication OK
ike 0:testvpn:3: established IKE SA 0753808dc38fd111/c2e0aa44a6e4223c
ike 0:testvpn:3: check peer route: if_addr4_rcvd=0, if_addr6_rcvd=0, mode_cfg=0
ike 0:testvpn: set oper up
ike 0:testvpn:3: initiating pending Quick-Mode negotiations
ike 0:testvpn:3: cookie 0753808dc38fd111/c2e0aa44a6e4223c:834fae33
ike 0:testvpn:3:testvpn:5: initiator selectors 0 0:192.168.1.0/255.255.255.0:0:0->0:0.0.0.0/0.0.0.0:0:0
ike 0:testvpn:3: enc 0753808DC38FD111C2E0AA44A6E4223C08102001834FAE330000009C010000187B70BD7D10521B5B250313A28105E9D6C5A0D6C90A000034000000010000000100000028010304010868CF740000001C010C0000800100018002A8C08004000180060100800500050500001476331CC5BB918851A23D5A63CCE133630500001004000000C0A80100FFFFFF0000000010040000000000000000000000
ike 0:testvpn:3: out 0753808DC38FD111C2E0AA44A6E4223C08102001834FAE33000000AC5831D2C097920C3BB60A936BE182331A1E6246A2D38BD4BAE8A7C5E2D2353C493A46E236F15AF98BB3420EBFDD70C5A47B87C9750FA2ABE72F20890E949E75A34B0EB18743A4757FDE592DEF9B2527AB48D005BC82C081DD7484A0F94F5E9783802993CC0ED2352564A09ED838FEFEB18912571D315F33236E2F92D882DC7F65764805C4DFDE7F26229CC3D53F8A7281
ike 0:testvpn:3: sent IKE msg (quick_i1send): x.x.x.y:500->x.x.x.x:500, len=172, vrf=0, id=0753808dc38fd111/c2e0aa44a6e4223c:834fae33
ike 0: comes x.x.x.x:500->x.x.x.y:500,ifindex=5,vrf=0....
ike 0: IKEv1 exchange=Quick id=0753808dc38fd111/c2e0aa44a6e4223c:834fae33 len=172 vrf=0
ike 0: in 0753808DC38FD111C2E0AA44A6E4223C08102001834FAE33000000AC288308AF45579ADEB86B3D0DBE0C399F7AB1101F7487F02DF94E3BC5ED7157FF7D32B049289E01E68C8E6B1E9C8EF20B6FF96640AC901AA7E7442C16DEAAB46848E82CCDE7A4E844968863E69AC031BFDFE82AFF31458ABF5EA9FC0FBD14D8F9576B85D40648D35C0A9F7BE7A60C6E6BD9E2D474F3B14D017D62345062CDAC2833629AA499483A93D0302B571C83D696
ike 0:testvpn:3: dec 0753808DC38FD111C2E0AA44A6E4223C08102001834FAE33000000AC010000188DB22BA01FDA454D4E9F0C10F0DF60DEDAB4B7370A000034000000010000000100000028010304019E5E0D230000001C010C0000800100018002A8C0800400018006010080050005050000149C14F4ACF97A20D083DF7C577D653BA70500001004000000C0A80100FFFFFF00000000100400000000000000000000007FB4373560A234EBD82786951215110F
ike 0:testvpn:3:testvpn:5: responder selectors 0:192.168.1.0/255.255.255.0:0->0:0.0.0.0/0.0.0.0:0
ike 0:testvpn:3:testvpn:5: my proposal:
ike 0:testvpn:3:testvpn:5: proposal id = 1:
ike 0:testvpn:3:testvpn:5: protocol id = IPSEC_ESP:
ike 0:testvpn:3:testvpn:5: trans_id = ESP_AES_CBC (key_len = 256)
ike 0:testvpn:3:testvpn:5: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:testvpn:3:testvpn:5: type = AUTH_ALG, val=SHA2_256
ike 0:testvpn:3:testvpn:5: incoming proposal:
ike 0:testvpn:3:testvpn:5: proposal id = 1:
ike 0:testvpn:3:testvpn:5: protocol id = IPSEC_ESP:
ike 0:testvpn:3:testvpn:5: trans_id = ESP_AES_CBC (key_len = 256)
ike 0:testvpn:3:testvpn:5: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:testvpn:3:testvpn:5: type = AUTH_ALG, val=SHA2_256
ike 0:testvpn:3:testvpn:5: SA life soft seconds=42898.
ike 0:testvpn:3:testvpn:5: SA life hard seconds=43200.
ike 0:testvpn:3:testvpn:5: IPsec SA selectors #src=1 #dst=1
ike 0:testvpn:3:testvpn:5: src 0 4 0:192.168.1.0/255.255.255.0:0
ike 0:testvpn:3:testvpn:5: dst 0 4 0:0.0.0.0/0.0.0.0:0
ike 0:testvpn:3:testvpn:5: add IPsec SA: SPIs=0868cf74/9e5e0d23
ike 0:testvpn:3:testvpn:5: IPsec SA dec spi 0868cf74 key 32:F36ADF6A2BBDDDB7EF5E8DE760B294FD936ACBDDED30CCECE95E6861F36B828C auth 32:9C7BACB0FAA7FB8961CAB6D1193E698155A1191A304FFEE761E09FEE07A10870
ike 0:testvpn:3:testvpn:5: IPsec SA enc spi 9e5e0d23 key 32:4233AECB54C5F4FF7E4F38FCCE43BF1BC906E1DCD3E081697E2BF093076AC264 auth 32:07028B19E3694EDA3E8618C0E769DFCD427578CD2CFD4CBA52124CB9ED96DCB9
ike 0:testvpn:3:testvpn:5: added IPsec SA: SPIs=0868cf74/9e5e0d23
ike 0:testvpn:3:testvpn:5: sending SNMP tunnel UP trap
ike 0:testvpn: static tunnel up event 0.0.0.0 (dev=22)
ike 0:testvpn: static tunnel up event :: (dev=22)
ike 0:testvpn:3: enc 0753808DC38FD111C2E0AA44A6E4223C08102001834FAE33000000340000001822D3AAE2DE190CA679017853F06E222D1456A81D
ike 0:testvpn:3: out 0753808DC38FD111C2E0AA44A6E4223C08102001834FAE330000003C1BA9E98043657E678D2CA852A60922A3759F65DF9482F1C8C1140AA4D0C16E47
ike 0:testvpn:3: sent IKE msg (quick_i2send): x.x.x.y:500->x.x.x.x:500, len=60, vrf=0, id=0753808dc38fd111/c2e0aa44a6e4223c:834fae33
ike shrank heap by 118784 bytes
Reason:
The IKE daemon special-cases a firewall policy whose source or destination interface is 'any': such a policy counts as covering every interface, including IPsec tunnel interfaces. The comparison also accepts the interface names 'a' and 'an' (consistent with the name being compared as a prefix of 'any'), so a policy from 'a' to 'wan' is treated as if its srcintf were 'any'. IKE therefore considers 'testvpn' covered by a policy and starts negotiating, even though no policy names the tunnel interface.
Workaround:
Do not use an interface named 'a' or 'an' in firewall policies on a FortiGate that terminates IPsec VPNs, and do not rely on this behaviour to bring a tunnel up. If the tunnel is meant to establish, create a policy that explicitly references the tunnel interface (here 'testvpn') or 'any' as srcintf or dstintf; if the tunnel is not meant to establish, rename any interface called 'a' or 'an' so that the policy no longer matches the 'any' special case.
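To make this condition checkable from a configuration backup rather than from a live IKE debug, the following added example (not code from the Fortinet article or from FortiOS) parses the 'config firewall policy' and 'config vpn ipsec phase1-interface' blocks of a FortiOS CLI dump and flags both situations shown above: a policy whose srcintf or dstintf is named 'a' or 'an', which IKE treats as 'any', and a phase1-interface tunnel that no policy references, which IKE refuses with "no policy configured". It also extracts tunnel names from that debug message. The sample configuration and debug lines are constructed, the alias set {'a', 'an'} is taken from the statement in the Reason section, and zones are assumed not to be in use (interfaces are matched by name only).

```python
"""Audit a FortiOS CLI dump for the 'any' interface-name special case.

Added example, not from the Fortinet article or FortiOS. Reports policies whose
srcintf/dstintf is 'a' or 'an' (treated by IKE like 'any') and phase1 tunnels
that no policy references (IKE: "no policy configured"). Assumption: interfaces
are referenced by name only; zones are not resolved.
"""
import re
import shlex

# Constructed sample modelled on the article; 203.0.113.10 is a documentation address.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "testvpn"
        set interface "wan"
        set remote-gw 203.0.113.10
        set psksecret ENC placeholder
    next
end
config firewall policy
    edit 1
        set srcintf "a"
        set dstintf "wan"
        set action accept
    next
end
"""

# Constructed IKE debug lines in the format shown in the article.
SAMPLE_IKE_DEBUG = """
ike 0:testvpn:testvpn: IPsec SA connect 5 x.x.x.y->x.x.x.x:0
ike 0:testvpn: ignoring request to establish IPsec SA, no policy configured
ike 0:testvpn: gw negotiation timeout
"""

# Names the article says the IKE policy lookup treats as the wildcard 'any'.
IKE_ANY_ALIASES = {"any", "an", "a"}
NO_POLICY_RE = re.compile(
    r"^ike \d+:([^:\s]+): ignoring request to establish IPsec SA, no policy configured")


def parse_tables(text):
    """Return {table: {entry: {option: [values]}}} for top-level config blocks."""
    tables, stack, entry = {}, [], None
    for raw in text.splitlines():
        tok = shlex.split(raw)          # honours the CLI's double quotes
        if not tok:
            continue
        kw = tok[0]
        if kw == "config":
            stack.append(" ".join(tok[1:]))
            if len(stack) == 1:
                tables.setdefault(stack[0], {})
        elif kw == "edit" and len(stack) == 1:
            entry = tables[stack[0]].setdefault(tok[1], {})
        elif kw == "set" and len(stack) == 1 and entry is not None:
            entry[tok[1]] = tok[2:]
        elif kw == "next" and len(stack) == 1:
            entry = None
        elif kw == "end" and stack:
            stack.pop()                 # nested sub-tables are skipped
    return tables


def policy_interfaces(tables):
    """Yield (policy_id, side, interface_name) for every srcintf/dstintf value."""
    for pid, opts in tables.get("firewall policy", {}).items():
        for side in ("srcintf", "dstintf"):
            for name in opts.get(side, []):
                yield pid, side, name


def any_alias_policies(tables):
    """Policies that IKE silently treats as 'any' although they do not say 'any'."""
    return [(pid, side, name) for pid, side, name in policy_interfaces(tables)
            if name in IKE_ANY_ALIASES and name != "any"]


def unreferenced_tunnels(tables):
    """Tunnels no policy covers, either by name or through an 'any' alias."""
    names = {name for _, _, name in policy_interfaces(tables)}
    if names & IKE_ANY_ALIASES:
        return set()                    # a wildcard policy covers every tunnel
    return set(tables.get("vpn ipsec phase1-interface", {})) - names


def tunnels_refused_by_ike(debug_text):
    """Tunnel names for which the IKE debug reports 'no policy configured'."""
    hits = (NO_POLICY_RE.match(line.strip()) for line in debug_text.splitlines())
    return {m.group(1) for m in hits if m}


def audit(config_text):
    tables = parse_tables(config_text)
    return {"any_alias_policies": any_alias_policies(tables),
            "unreferenced_tunnels": unreferenced_tunnels(tables)}


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))                        # policy 1 flagged, tunnel "covered"
    print(audit(SAMPLE_CONFIG.replace('set srcintf "a"', 'set srcintf "lan"')))
    print(tunnels_refused_by_ike(SAMPLE_IKE_DEBUG))    # {'testvpn'}
```

Feed it the output of 'show full-configuration' from the FortiGate; the IKE debug text comes from 'diagnose debug application ike -1' followed by 'diagnose debug enable'. A tunnel that appears in unreferenced_tunnels() and in tunnels_refused_by_ike() is the 'lan' case from the first debug; an entry in any_alias_policies() together with an empty unreferenced_tunnels() set is the 'a' case, where the tunnel comes up without any policy naming it.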